miller
Look into static-analysis options for Miller 6 / Go port
@johnkerl There is https://github.com/praetorian-inc/gokart if you have not looked into it before.
Other tooling that might be a consideration for implementing (I can submit pull requests):
- pyroscope (useful for profiling long-running jobs). Other tools in this area: prodfiler, parca etc.
- super-linter (this can lint per commit but will require tuning)
- https://goreportcard.com/report/github.com/johnkerl/miller
- codespell (this caught a few typos for me)
- CodeQL
- Semgrep
- goreleaser (for when you eventually cut a Go release)
Also, with 1.18beta/gotip, you can set up fuzzing although I have not tried this myself yet.
[Also https://staticcheck.io]
Originally posted by @jauderho in https://github.com/johnkerl/miller/issues/802#issuecomment-1002355606
Add Goreleaser - PR #821 #822
I'll have to do this somewhat sequentially since PRs that deal with GHA do not behave the same way as normal PRs.
@johnkerl Now that you have merged release.yml, you might want to disable the artifact upload in go.yml
Add Codespell - PR #824
> @johnkerl Now that you have merged release.yml, you might want to disable the artifact upload in go.yml
@jauderho good call! I think I'll leave that upload in place until there is a 6.0.0 release. Thank you! :)
Add CodeQL - PR #838
On a related note, I also tried adding Snyk integration into my fork and it identified a number of other issues. Snyk is a little different in that there is no GH action. You have to go to the snyk.io website and add your repo to it.
Snyk identified 3 potential Path Traversal issues.
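The comment above does not say where in Miller the three path-traversal findings were, so the following is an added, generic illustration rather than Miller's own code: the join-without-a-check pattern that SAST tools such as Snyk, gosec/gokart and CodeQL flag, next to a hardened `SafeJoin` that confines the result to a base directory, plus a Go 1.18 native fuzz target (the fuzzing mentioned earlier in the thread) that checks the confinement invariant. The names `UnsafeJoin`, `SafeJoin`, `WithinBase` and the `/srv/data` base are assumptions made for the example; the fuzz target is shown inline for completeness but has to live in a `_test.go` file to be run with `go test -fuzz=FuzzSafeJoin`.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
	"testing"
)

// ErrTraversal is returned when a user-supplied path would land outside the base directory.
var ErrTraversal = errors.New("path escapes base directory")

// UnsafeJoin is the pattern static analyzers report as path traversal: a
// user-controlled relative path is joined onto a base directory with no check on
// where the cleaned result ends up. "../../etc/passwd" simply walks out of base.
// (Example code, not from Miller.)
func UnsafeJoin(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// WithinBase reports whether candidate is absBase itself or a path beneath it.
// The trailing separator in the prefix check stops "/srv/data2/x" from passing
// for base "/srv/data". Both arguments must already be absolute and cleaned.
func WithinBase(absBase, candidate string) bool {
	return candidate == absBase ||
		strings.HasPrefix(candidate, absBase+string(filepath.Separator))
}

// SafeJoin joins userPath onto base and refuses any result outside base.
// filepath.Abs and filepath.Join both clean the path, so "a/../../x" is resolved
// lexically before the check. Caveat: this is a lexical check only; if base may
// contain symlinks, resolve it with filepath.EvalSymlinks first.
func SafeJoin(base, userPath string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absBase, userPath)
	if !WithinBase(absBase, joined) {
		return "", ErrTraversal
	}
	return joined, nil
}

// FuzzSafeJoin is a Go 1.18 native fuzz target (belongs in a _test.go file).
// Invariant: whatever bytes the fuzzer feeds in, a path SafeJoin accepts never
// escapes base. Seeds cover the classic traversal shapes.
func FuzzSafeJoin(f *testing.F) {
	base := filepath.Join(string(filepath.Separator), "srv", "data")
	for _, seed := range []string{"a.csv", "../x", "sub/../../x", "a/./b", "..", "/abs", ""} {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, userPath string) {
		got, err := SafeJoin(base, userPath)
		if err != nil {
			return // a rejected input is the desired outcome
		}
		if !WithinBase(base, got) {
			t.Fatalf("SafeJoin(%q, %q) = %q escapes base", base, userPath, got)
		}
	})
}

func main() {
	base := "/srv/data" // constructed sample base directory
	for _, p := range []string{"a/b.csv", "../../etc/passwd", "sub/../../x", "/abs/file"} {
		got, err := SafeJoin(base, p)
		fmt.Printf("%-18q unsafe=%-22q safe=%q err=%v\n", p, UnsafeJoin(base, p), got, err)
	}
}
```

The seeds in the fuzz target are only starting points; the value of the fuzzer is the mutated inputs it derives from them, so run it for a few minutes (`go test -fuzz=FuzzSafeJoin -fuzztime=2m`) rather than once.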
In Submariner we’ve been using golangci-lint for a while and are quite happy with it, with a tweaked configuration as might be expected. The only inconvenience is that it can be slow when lots of linters are enabled, unsurprisingly; but it’s quick enough to run unobtrusively when integrated in a development environment (VSCodium in my case).