Template repository with deep GitHub integration for a Go CLI tool or service.

smlx/go-cli-github

Go CLI GitHub

This repository is a template for a Go CLI tool or service. It is quite opinionated about security and release engineering, but hopefully in a good way.

It comes pre-configured for integration with GitHub-specific features such as Dependabot security tooling, CodeQL, and branch protection. It also automatically builds and tests your code using GitHub Actions.

Features

  • Use GoReleaser to automatically build and create GitHub Releases and container images on merge to main.

  • Lint your commit messages, Go code, GitHub Actions, and Dockerfiles.

  • Test Pull Requests using go test.

  • Build container images from Pull Requests and push them to the GitHub container registry for manual testing and review.

  • Static code analysis using CodeQL and Go Report Card.

  • Coverage analysis using the go-test-coverage action.

  • Security analysis using OpenSSF.

  • Signed binary and container release artifacts using artifact attestations.

  • SBOM generation for both release artifacts and container images, with image SBOMs pushed to the container registry.

How to use

First set up the GitHub repo:

  1. Create a new empty GitHub repository.

Then push some code to main:

  1. Install gonew and run this command, replacing the last argument with the name of your new module:

    gonew github.com/smlx/go-cli-github@main github.com/smlx/newproject
  2. Create the git repo and push to main (which will become the default branch):

    cd newproject
    git init .
    git branch -M main
    git remote add origin git@github.com:smlx/newproject.git
    git add .
    git commit -am 'chore: create repository from template'
    git push -u origin main
  3. Create the badges branch for storing the README coverage badge.

    git checkout --orphan badges
    git rm -rf .
    rm -f .gitignore
    echo 'This branch exists only to store the coverage badge in the README on `main`.' > README.md
    git add README.md
    git commit -m 'chore: initialize the badges branch'
    git push origin badges

Then customize the code for your repository:

  1. Check out a new branch to set up the repo:

    git checkout -b setup main

  2. Update the code for your project:

    • rename cmd/go-cli-github to cmd/$YOUR_COMMAND
    • update .github/workflows/build.yaml, replacing go-cli-github with $YOUR_COMMAND.
    • update .goreleaser.yaml to build cmd/$YOUR_COMMAND
    • update the links at the top of README.md
    • update the contact email in SECURITY.md
  3. Commit and push:

    git add .
    git commit -am 'chore: update template for new project'
    git push -u origin setup
  4. Open a PR, wait until all the checks go green, then merge the PR.

Configure the repository:

  1. Go to repository Settings > General:

    1. Releases

      • Enable release immutability
    2. Features

      • Disable wiki and projects (unless you plan to use them!)
    3. Pull Requests

      • Allow merge commits only for Pull Requests
      • Allow auto-merge
      • Automatically delete head branches
  2. Go to repository Settings > Advanced Security, and enable:

    • Private vulnerability reporting

    • Dependabot

      • Dependabot alerts
      • Dependabot security updates
      • Grouped security updates
      • Dependabot on Actions runners
    • Code Scanning

      • CodeQL analysis > Set up > Default
    • Secret Protection

      • Push protection
  3. Go to repository Settings > Rules > Rulesets, and import the protect-default-branch.json ruleset.

That's it.
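
To confirm that the Pull Request, wiki/projects and push-protection settings from the steps above actually took effect, the JSON returned by `gh api repos/OWNER/REPO` can be audited. The following Go program is an added example, not part of this template: `Audit`, the `repo` struct and the sample JSON are constructed here, the field names are those of GitHub's REST repository object, and it assumes the token has admin access to the repository.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// repo is the subset of the REST "get a repository" response the checklist covers.
type repo struct {
	HasWiki     bool `json:"has_wiki"`
	HasProjects bool `json:"has_projects"`
	MergeCommit bool `json:"allow_merge_commit"`
	Squash      bool `json:"allow_squash_merge"`
	Rebase      bool `json:"allow_rebase_merge"`
	AutoMerge   bool `json:"allow_auto_merge"`
	DeleteHead  bool `json:"delete_branch_on_merge"`
	Security    *struct { // assumption: omitted by the API without admin access
		PushProtection struct{ Status string } `json:"secret_scanning_push_protection"`
	} `json:"security_and_analysis"`
}

// sampleJSON is constructed for this example, not output from a real repository.
const sampleJSON = `{"has_wiki":true,"has_projects":false,"allow_merge_commit":true,"allow_squash_merge":true,
 "allow_rebase_merge":false,"allow_auto_merge":true,"delete_branch_on_merge":false,
 "security_and_analysis":{"secret_scanning_push_protection":{"status":"disabled"}}}`

// Audit returns one finding per setting that deviates from the README checklist.
func Audit(raw []byte) ([]string, error) {
	var r repo
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var findings []string
	want := func(ok bool, msg string) {
		if !ok {
			findings = append(findings, msg)
		}
	}
	want(!r.HasWiki && !r.HasProjects, "wiki or projects enabled")
	want(r.MergeCommit && !r.Squash && !r.Rebase, "PR merges not limited to merge commits")
	want(r.AutoMerge, "auto-merge disabled")
	want(r.DeleteHead, "head branches not deleted automatically")
	want(r.Security != nil && r.Security.PushProtection.Status == "enabled", "push protection not enabled or not visible")
	return findings, nil
}

func main() {
	fmt.Println(Audit([]byte(sampleJSON)))
}
```

Release immutability, private vulnerability reporting and the imported ruleset are not covered by this check and still need to be verified in the Settings pages.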

How to contribute

Issues are welcome.

PRs are also welcome, but keep in mind that this is a very opinionated template, so not all changes will be accepted. PRs also need to ensure that test coverage remains high, and best practices are followed.
