Merge branch 'main' into dependabot/github_actions/google-github-acti…

…ons/auth-2.1.8

.github/scripts/work-init.sh

@@ -36,20 +36,20 @@ case $component in
     echo "[INFO] skipping for leaf package"
     ;;
   sdk)
-    rm go.work go.work.sum &&
+    rm -f go.work go.work.sum &&
       go work init &&
       go work use ./sdk &&
       go work use ./service &&
       go work use ./examples
     ;;
   service)
-    rm go.work go.work.sum &&
+    rm -f go.work go.work.sum &&
       go work init &&
       go work use ./service &&
       go work use ./examples
     ;;
   examples)
-    rm go.work go.work.sum &&
+    rm -f go.work go.work.sum &&
       go work init &&
       go work use ./examples
     ;;

.github/workflows/auto-approve-version-bumps.yaml

@@ -15,9 +15,9 @@ jobs:
           bad_files=$(gh pr view --json files | jq '[.files[].path | select(endswith("go.mod") or endswith("go.sum") | not)] | length')
           if [ "$bad_files" -ne 0 ]; then
             echo "Found $bad_files files that are not go.mod or go.sum. Will not auto approve."
-            echo "bad_files_found=true" >> $GITHUB_ENV
+            echo "bad_files_found=true" >>"$GITHUB_ENV"
           else
-            echo "bad_files_found=false" >> $GITHUB_ENV
+            echo "bad_files_found=false" >>"$GITHUB_ENV"
             echo "Only go.mod and go.sum files found. Continuing Workflow."
           fi
       - uses: hmarr/auto-approve-action@v4

.github/workflows/checks.yaml

@@ -63,9 +63,9 @@ jobs:
         if: env.IS_RELEASE_BRANCH == 'true'
         working-directory: ${{ matrix.directory }}
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8
+        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837
         with:
-          version: v1.61
+          version: v1.64
           working-directory: ${{ matrix.directory }}
           skip-cache: true
           args: --out-format=colored-line-number
@@ -79,7 +79,7 @@ jobs:
         run: |-
           go mod tidy
           go fmt ./...
-          git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum"
+          git restore go.sum
         working-directory: ${{ matrix.directory }}
       - run: git diff
       - run: git diff-files --ignore-submodules
@@ -283,7 +283,7 @@ jobs:
         run: |-
           cd protocol/go
           go mod tidy
-          git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum"
+          git restore go.sum
       - run: git diff
       - run: git diff-files --ignore-submodules
       - name: Check that make proto-generate has run before PR submission; see above for error details

.github/workflows/friendly-reminders.yaml

@@ -12,7 +12,7 @@ jobs:
       - name: Extract go version
         id: go-version
         run: |
-          echo "go-version=$(go work edit --json | jq -r '.Go')" >>$GITHUB_OUTPUT
+          echo "go-version=$(go work edit --json | jq -r '.Go')" >>"$GITHUB_OUTPUT"
       - uses: actions/setup-go@v5
         with:
           go-version: ${{ steps.go-version.outputs.go-version }}
@@ -21,11 +21,11 @@ jobs:
         id: go-mod-tidy
         run: |
           # iterate over work file, cd and run go mod tidy
-          for line in $(go work edit --json | jq -r '.Use.[].DiskPath'); do
-            (cd $line && go mod tidy)
-          done
+          while IFS="" read -r line || [ -n "$line" ]; do
+            (cd "$line" && go mod tidy)
+          done < <(go work edit --json | jq -r '.Use.[].DiskPath')
           # check if any changes were made
-          echo $(git status --porcelain) >> $GITHUB_OUTPUT
+          git status --porcelain >>"$GITHUB_OUTPUT"
 
       - name: Post comment if go.mod was changed
         if: steps.go-mod-tidy.outputs.stdout != ''

.github/workflows/nightly-build.yaml

@@ -39,7 +39,7 @@ jobs:
           password: ${{ steps.gcp-auth.outputs.access_token }}
 
       - id: docker_meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
         with:
           images: ${{ secrets.DOCKER_REPO }}
           tags: |
@@ -59,8 +59,8 @@ jobs:
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
           TAGS: ${{ steps.docker_meta.outputs.tags }}
         run: |
-          images=""
+          images=()
           for tag in ${TAGS}; do
-            images+="${tag}@${DIGEST} "
+            images+=("${tag}@${DIGEST}")
           done
-          cosign sign --yes --recursive ${images}
+          cosign sign --yes --recursive "${images[@]}"

.github/workflows/release-build.yaml

@@ -45,7 +45,7 @@ jobs:
           password: ${{ steps.gcp-auth.outputs.access_token }}
 
       - id: docker_meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
         with:
           images: ${{ secrets.DOCKER_REPO }}
           tags: |

.github/workflows/release.yaml

@@ -30,7 +30,7 @@ jobs:
       - id: todo
         if: fromJson(steps.release-please.outputs.releases_created)
         run: |
-          for x in ${{join(fromJson(steps.release-please.outputs.paths_released), ' ')}}; do
+          <<<"$RELEASED_PATHS" jq -r '.[]'| while IFS= read -r x; do
             case "$x" in
               lib/ocrypto)
                 echo "TO_UPDATE=['examples','sdk','service']">>"$GITHUB_OUTPUT"
@@ -49,7 +49,7 @@ jobs:
               sdk)
                 echo "TO_UPDATE=['examples','service']">>"$GITHUB_OUTPUT"
                 ;;
-              services)
+              service)
                 # examples does not import service, but assumes it is running separately
                 ;;
               examples)
@@ -60,7 +60,8 @@ jobs:
                 ;;
             esac
           done
-
+        env:
+          RELEASED_PATHS: ${{ steps.release-please.outputs.paths_released }}
   update-go-mods:
     runs-on: ubuntu-latest
     needs: 
@@ -78,15 +79,15 @@ jobs:
       - run: |
           git checkout -b update-go-mods-for-${{matrix.path}}
           git push -f -u origin update-go-mods-for-${{matrix.path}}
-          cd ${{matrix.path}}
-          for x in ${{join(fromJson(needs.release-please.outputs.paths_released), ' ')}}; do
-            export pkg=github.com/opentdf/platform/${x}
+          cd ${{matrix.path}} || exit 1
+          <<<"$RELEASED_PATHS" jq -r '.[]'| while IFS= read -r x; do
+            export pkg="github.com/opentdf/platform/${x}"
             if go mod edit --json | jq -e '.Replace[] | select(.Old.Path == env.pkg)'; then
-              go mod edit --dropreplace=$pkg
+              go mod edit --dropreplace="$pkg"
             fi
             echo "Should we update [${pkg}] in [${{ matrix.path }}]?"
             if go mod edit --json | jq -e '.Require[] | select(.Path == env.pkg)'; then
-              ver=$(jq -r .\[\"${x}\"\] < "${GITHUB_WORKSPACE}/.release-please-manifest.json")
+              ver="$(jq -r --arg x "$x" '.[$x]' <"${GITHUB_WORKSPACE}"/.release-please-manifest.json)"
               echo "go get ${pkg}@v${ver}"
               go get "${pkg}@v${ver}"
             fi
@@ -99,6 +100,7 @@ jobs:
           git diff
         env:
           GONOSUMDB: github.com/opentdf/platform/${{join(fromJson(needs.release-please.outputs.paths_released), ',github.com/opentdf/platform/')}}
+          RELEASED_PATHS: ${{ needs.release-please.outputs.paths_released }}
       - uses: planetscale/ghcommit-action@d4176bfacef926cc2db351eab20398dfc2f593b5
         with:
           commit_message: "fix(core): Autobump ${{ matrix.path }}"

.github/workflows/sonarcloud.yml

@@ -23,7 +23,7 @@ jobs:
       - name: 'Setup Go'
         uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
         with:
-          go-version: '1.22.11'
+          go-version: '1.22.12'
           check-latest: false
           cache-dependency-path: |
             service/go.sum

.github/workflows/stale.yaml

@@ -10,7 +10,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639
         with:
           days-before-stale: 120
           # negative number means they will never be closed automatically [https://github.com/actions/stale#days-before-close]

.github/workflows/traffic.yaml

@@ -13,11 +13,10 @@ jobs:
       matrix:
         repo-values:
           - {repo: platform, event: ""}
-          - {repo: otdfctl, event: backend-}
-          - {repo: spec, event: frontend-}
+          - {repo: otdfctl, event: otdfctl-}
+          - {repo: spec, event: spec-}
           - {repo: tests, event: tests-}
-          - {repo: client-web, event: clientweb-}
-          - {repo: client-cpp, event: cpp-sdk-}
+          - {repo: web-sdk, event: web-sdk-}
           - {repo: java-sdk, event: java-sdk-}
           - {repo: charts, event: charts-}
           - {repo: nifi, event: nifi-}
@@ -34,7 +33,7 @@ jobs:
 
     - id: get-date
       name: Set current date as env variable
-      run: echo "DATE=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+      run: echo "DATE=$(date +'%Y%m%d')" >>"$GITHUB_OUTPUT"
 
     - name: Get Traffic
       uses: actions/github-script@v7

.github/workflows/vulnerability-check.yaml

@@ -22,5 +22,5 @@ jobs:
       - name: govluncheck
         uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee
         with:
-          go-version-input: "1.22.11"
+          go-version-input: "1.22.12"
           work-dir: ${{ matrix.directory }}

.gitignore

@@ -35,6 +35,7 @@ tmp-gen/
 /sdkjava/target
 /serviceapp
 /service/opentdf
+/go.work.sum
 service/rttests/*.tdf
 coverage.out
 coverage.lcov

.golangci.yaml

@@ -9,8 +9,6 @@ linters-settings:
     # Such cases aren't reported by default.
     # Default: false
     check-type-assertions: true
-    # https://github.com/golangci/golangci-lint/issues/4743
-    ignore: ''
 
   exhaustive:
     # Program elements to check for exhaustiveness.
@@ -138,7 +136,7 @@ linters:
     - errname # checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error
     - errorlint # finds code that will cause problems with the error wrapping scheme introduced in Go 1.13
     - exhaustive # checks exhaustiveness of enum switch statements
-    # - exportloopref # checks for pointers to enclosing loop variables Since Go1.22 (loopvar) this linter is no longer relevant. Replaced by copyloopvar."
+    - exptostd # Added in 1.63. Checks for usages of the deprecated experimental packages
     # - fatcontext
     - forbidigo # forbids identifiers
     - forcetypeassert # finds forced type assertions
@@ -173,14 +171,14 @@ linters:
     # - spancheck # checks for incorrect usage of opentracing.Span # Added in golangci-lint 1.56
     - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
     - stylecheck # is a replacement for golint
-    - tenv # detects using os.Setenv instead of t.Setenv since Go1.17
     - testableexamples # checks if examples are testable (have an expected output)
     - testifylint
     #- testpackage # makes you use a separate _test package
     - tparallel # detects inappropriate usage of t.Parallel() method in your Go test codes
     - unconvert # removes unnecessary type conversions
     - unparam # reports unused function parameters
     - usestdlibvars # detects the possibility to use variables/constants from the Go standard library
+    - usetesting # Replaced tenv in golangci-lint 1.63
     - wastedassign # finds wasted assignment statements
     - whitespace # detects leading and trailing whitespace
 

.release-please-manifest.json

@@ -1,8 +1,8 @@
 {
   "lib/fixtures": "0.2.10",
-  "lib/ocrypto": "0.1.7",
+  "lib/ocrypto": "0.1.8",
   "lib/flattening": "0.1.3",
-  "protocol/go": "0.2.25",
-  "sdk": "0.3.26",
+  "protocol/go": "0.2.27",
+  "sdk": "0.3.27",
   "service": "0.4.38"
 }

Dockerfile

@@ -10,7 +10,7 @@ COPY lib/flattening lib/flattening
 COPY lib/fixtures lib/fixtures
 COPY service/ service/
 COPY examples/ examples/
-COPY go.work go.work.sum ./
+COPY go.work ./
 RUN cd service \
     && go mod download \
     && go mod verify

Makefile

@@ -17,9 +17,9 @@ all: toolcheck clean build lint license test
 toolcheck:
 	@echo "Checking for required tools..."
 	@which buf > /dev/null || (echo "buf not found, please install it from https://docs.buf.build/installation" && exit 1)
-	@which golangci-lint > /dev/null || (echo "golangci-lint not found, run  'go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0'" && exit 1)
+	@which golangci-lint > /dev/null || (echo "golangci-lint not found, run  'go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.5'" && exit 1)
 	@which protoc-gen-doc > /dev/null || (echo "protoc-gen-doc not found, run 'go install github.com/pseudomuto/protoc-gen-doc/cmd/[email protected]'" && exit 1)
-	@golangci-lint --version | grep "version v\?1.6[123]" > /dev/null || (echo "golangci-lint version must be v1.61 or later [$$(golangci-lint --version)]" && exit 1)
+	@golangci-lint --version | grep "version v\?1.6[456]" > /dev/null || (echo "golangci-lint version must be v1.64 or later [$$(golangci-lint --version)]" && exit 1)
 	@which goimports >/dev/null || (echo "goimports not found, run 'go install golang.org/x/tools/cmd/goimports@latest'")
 
 fix: tidy fmt
@@ -45,8 +45,12 @@ proto-lint:
 		fi)
 
 go-lint:
-	for m in $(HAND_MODS); do (cd $$m && golangci-lint run $(LINT_OPTIONS) --path-prefix=$$m) || exit 1; done
-
+	status=0; \
+	for m in $(HAND_MODS); do \
+		echo "Linting module: $$m"; \
+		(cd "$$m" && golangci-lint run $(LINT_OPTIONS) --path-prefix="$$m" ) || status=1; \
+	done; \
+	exit $$status
 proto-generate:
 	rm -rf protocol/go/[a-fh-z]* docs/grpc docs/openapi
 	buf generate service

README.md

@@ -24,19 +24,19 @@
   - [Podman Compose](https://github.com/containers/podman-compose)
 - [Buf](https://buf.build/docs/ecosystem/cli-overview) is used for managing protobuf files.
   Required for developing services.
+- [golangci-lint](https://golangci-lint.run/) is used for ensuring good coding practices. 
+  Use `make go-lint` to run it before submitting a PR
 
 On macOS, these can be installed with [brew](https://docs.brew.sh/Installation)
 
 ```sh
-brew install buf go
+brew install buf go golangci-lint
 ```
 
 #### Optional tools
 
 - _Optional_ [Air](https://github.com/cosmtrek/air) is used for hot-reload development
   - install with `go install github.com/cosmtrek/air@latest`  
-- _Optional_ [golangci-lint](https://golangci-lint.run/) is used for ensuring good coding practices
-  - install with `brew install golangci-lint`
 - _Optional_ [grpcurl](https://github.com/fullstorydev/grpcurl) is used for testing gRPC services
   - install with `brew install grpcurl`
 - _Optional_ [openssl](https://www.openssl.org/) is used for generating certificates

buf.lock

@@ -2,11 +2,11 @@
 version: v2
 deps:
   - name: buf.build/bufbuild/protovalidate
-    commit: e097f827e65240ac9fd4b1158849a8fc
-    digest: b5:beda657a164abf9d1bac222e352f14d9a4a8c913ccdb7e5c3dfeda097690f60e8edb27b518c2d8e73b70aecb6ac47fdc3654a1f62b9e09c3566cd4e620628cfd
+    commit: 63bb56e204954558946a641ef0d68910
+    digest: b5:ec5661b2855484eca2043fe61d27eb22673ab926ccd0e849531752eb17b08402fae1382705cee7f7b42d4d9ec56aff72bba7ec6835902cf6f86323c9ac682d16
   - name: buf.build/googleapis/googleapis
-    commit: a86849a25cc04f4dbe9b15ddddfbc488
-    digest: b5:a77a2082c596ee6800a23d8cecd021d316eb10565d6cb94532f2d7c567fe6c9a177b5bb123b51a3acb4f1f18d4f54a6da883afcb682919a137a8a37c020509a2
+    commit: 83c0f6c19b2f4ea0b0fd84a80e753659
+    digest: b5:e9d077ad9d2eaa08a056108a15292a69548880d3a935781c498f2e591e60e531e49e1f5fc1d7356e5f989d3a8540e9885a02df18cb0cecc4ffa439fa4438a09e
   - name: buf.build/grpc-ecosystem/grpc-gateway
-    commit: 3f42134f4c564983838425bc43c7a65f
-    digest: b5:291b947d8ac09492517557e4e72e294788cb8201afc7d0df7bda80fa10931adb60d4d669208a7696bf24f1ecb2a33a16d4c1e766e6f31809248b00343119569b
+    commit: 4c5ba75caaf84e928b7137ae5c18c26a
+    digest: b5:c113e62fb3b29289af785866cae062b55ec8ae19ab3f08f3004098928fbca657730a06810b2012951294326b95669547194fa84476b9e9b688d4f8bf77a0691d

docs/Contributing.md

@@ -27,4 +27,5 @@ Run `go run github.com/opentdf/platform/service provision fixtures -h` for more
 
 ## Advice for Code Contributors
 
+* Make sure to run our linters with `make lint`
 * Follow our [Error Guidelines](./Contributing-errors.md)