ci: provide SLSA-L3 builds

.dockerignore

@@ -0,0 +1,9 @@
+build/
+dist/
+.git/
+metadata/
+private.key
+private-key.pem
+wireguard.key
+protonwire.key
+protonvpn.key

.editorconfig

@@ -34,3 +34,7 @@ insert_final_newline = false
 
 [Vagrantfile]
 indent_size = 2
+
+[metadata/**/*]
+insert_final_newline = false
+trim_trailing_whitespace = false

.github/ISSUE_TEMPLATE/bugreport.yml

@@ -27,7 +27,7 @@ body:
           required: true
         - label: I have verified that my generated Wireguard private keys are valid and have required features (Netshield Ad-blocker, VPN accelerator etc) are enabled.
           required: true
-        - label: I am using a valid server name (either fully qualified DNS name like `nl-free-127.protonvpn.net` or server name like `NL#1`) as mentioned in the docs.
+        - label: I am using a valid server name (either fully qualified DNS name like `nl-free-127.protonvpn.net` or server IP) as mentioned in the docs.
           required: true
 
   - type: input

.github/dependabot.yml

@@ -14,31 +14,33 @@ updates:
     pull-request-branch-name:
       separator: "-"
 
-  - package-ecosystem: docker
+  - package-ecosystem: github-actions
     labels:
       - "dependabot"
-      - "dep/docker"
+      - "dep/github-actions"
       - "luna/autoupdate"
-    target-branch: release/7.2
     commit-message:
-      prefix: "chore(deps):"
+      prefix: "ci(deps):"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "saturday"
     pull-request-branch-name:
       separator: "-"
 
-  - package-ecosystem: github-actions
+  # For go, Only builders use the deps it is note a runtime
+  # dependency, so only apply security updates.
+  - package-ecosystem: gomod
+    directory: /
     labels:
-      - "dependabot"
-      - "dep/github-actions"
-      - "luna/autoupdate"
-    commit-message:
-      prefix: "ci(deps):"
-    directory: "/"
+      - "bot/dependabot"
+      - "deps/go"
     schedule:
       interval: "weekly"
       day: "saturday"
+    commit-message:
+      prefix: "deps(go):"
     pull-request-branch-name:
       separator: "-"
+    # Disable version updates and only apply security updates.
+    open-pull-requests-limit: 0

.github/workflows/build.yml

@@ -1,36 +1,64 @@
 name: build
 on:
   push:
+    tags-ignore:
+      - "**"
   pull_request:
   workflow_dispatch:
+
+permissions: {}
+
 jobs:
-  shellcheck:
+  lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+
+      - name: Install Task
+        run: go install github.com/go-task/task/v3/cmd/task@latest
+
       - name: Shellcheck
-        run: make shellcheck
+        run: task --verbose shellcheck
+
+      - name: Update README
+        run: task --verbose update-readme
+
+      - name: Check if README is up-to date
+        run: git diff --exit-code README.md
+
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           persist-credentials: false
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+      - name: Setup Go
+        uses: actions/setup-go@v5
         with:
-          version: latest
-          install-only: true
+          go-version: stable
+
+      - name: Install Task
+        run: go install github.com/go-task/task/v3/cmd/task@latest
 
-      - name: Install help2man
-        run: sudo apt-get install -y help2man
+      - name: Install crane
+        run: go install github.com/google/go-containerregistry/cmd/crane@latest
 
-      - name: Run GoReleaser
-        run: make snapshot
+      - name: Build Images
+        run: task --verbose build-images

.github/workflows/metadata.yml

@@ -11,17 +11,19 @@ on:
         - "yes"
         - "no"
   push:
-    branches:
-      - "**"
+    branches-ignore:
+      - "slsa-verify*"
+      - "dependabot*"
+      - "dependabot/**"
     tags-ignore:
       - "**"
   schedule:
     - cron: "30 * * * *"
 jobs:
   metadata:
     runs-on: ubuntu-latest
-    # exclude dependabot from running this workflow.
-    if: ${{ github.actor != 'dependabot[bot]' }}
+    permissions:
+      id-token: write
     steps:
       - name: Checkout project repo
         uses: actions/checkout@v4
@@ -47,21 +49,21 @@ jobs:
         uses: actions/create-github-app-token@v1
         id: bot-token
         with:
-          app-id: ${{ vars.METADATA_BOT_APP_ID }}
-          repositories: ${{ vars.METADATA_REPO_NAME }}
           owner: ${{ vars.METADATA_REPO_OWNER }}
+          app-id: ${{ vars.METADATA_BOT_APP_ID }}
           private-key: ${{ secrets.METADATA_BOT_APP_PRIVATE_KEY }}
+          repositories: ${{ vars.METADATA_REPO_NAME }}
 
-      - name: Checkout metadata repo to protonwire-api-deploy
+      - name: Checkout metadata repo to protonwire-api
         uses: actions/checkout@v4
         with:
-          repository: ${{ vars.METADATA_REPO }}
-          path: protonwire-api-deploy
+          path: protonwire-api
           token: ${{ steps.bot-token.outputs.token }}
+          repository: ${{ vars.METADATA_REPO }}
           persist-credentials: true
 
       - name: Configure git and remove stale data
-        working-directory: protonwire-api-deploy
+        working-directory: protonwire-api
         run: |
           git config user.name ${{ vars.METADATA_BOT_GIT_USERNAME }}
           git config user.email ${{ vars.METADATA_BOT_GIT_EMAIL }}
@@ -73,10 +75,10 @@ jobs:
             --archive \
             --human-readable \
             ./metadata/ \
-            ${GITHUB_WORKSPACE}/protonwire-api-deploy/
+            ${GITHUB_WORKSPACE}/protonwire-api/
 
       - name: Push Metadata (if on master)
-        working-directory: protonwire-api-deploy
+        working-directory: protonwire-api
         if: github.ref == 'refs/heads/master'
         run: |
           git add --all