diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml index b6b23e50..263612c5 100644 --- a/.github/workflows/codecov.yml +++ b/.github/workflows/codecov.yml @@ -18,7 +18,7 @@ jobs: persist-credentials: false - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 with: go-version-file: 'go.mod' cache: false diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 69886af7..0b4ef47a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -30,7 +30,7 @@ jobs: persist-credentials: false - name: Set up Go (from go.mod) - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 with: go-version-file: 'go.mod' cache: false diff --git a/.github/workflows/race.yml b/.github/workflows/race.yml index 03c34486..46feb6f3 100644 --- a/.github/workflows/race.yml +++ b/.github/workflows/race.yml @@ -37,7 +37,7 @@ jobs: persist-credentials: false - name: Setup Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 with: go-version-file: go.mod cache: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cc57780e..c760e877 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -83,7 +83,7 @@ jobs: # SETUP GO ######################################## - name: Set up Go - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 with: go-version-file: 'go.mod' @@ -195,6 +195,6 @@ jobs: # BUILD PROVENANCE ATTESTATION ######################################## - name: Attest Build Provenance - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 with: subject-path: build/proxsave_* diff --git a/.github/workflows/security-ultimate.yml b/.github/workflows/security-ultimate.yml index a552c9c5..66709e85 100644 --- a/.github/workflows/security-ultimate.yml +++ b/.github/workflows/security-ultimate.yml @@ -27,7 +27,7 @@ jobs: # GO 1.25 — MAIN TOOLCHAIN ######################################## - name: Set up Go (from go.mod) - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 with: go-version-file: 'go.mod' cache: false diff --git a/internal/security/security.go b/internal/security/security.go index 98b2c522..6df17615 100644 --- a/internal/security/security.go +++ b/internal/security/security.go @@ -130,7 +130,7 @@ func Run(ctx context.Context, logger *logging.Logger, cfg *config.Config, config checker.verifyBinaryIntegrity() checker.verifyConfigFile() checker.verifySensitiveFiles() - checker.verifyDirectories() + checker.verifyDirectories(ctx) checker.verifySecureAccountFiles() checker.detectPrivateAgeKeys() @@ -491,7 +491,7 @@ func (c *Checker) verifySecureAccountFiles() { } } -func (c *Checker) verifyDirectories() { +func (c *Checker) verifyDirectories(ctx context.Context) { dirs := []struct { path string perm os.FileMode @@ -528,7 +528,7 @@ func (c *Checker) verifyDirectories() { continue } - if dir.allowBackup && c.shouldSkipPOSIXDirectoryChecks(dir.path) { + if dir.allowBackup && c.shouldSkipPOSIXDirectoryChecks(ctx, dir.path) { continue } @@ -848,13 +848,13 @@ func (c *Checker) shouldSkipOwnershipChecks(path string) bool { return false } -func (c *Checker) shouldSkipPOSIXDirectoryChecks(path string) bool { +func (c *Checker) shouldSkipPOSIXDirectoryChecks(ctx context.Context, path string) bool { path = strings.TrimSpace(path) if path == "" { return false } - fsInfo, err := c.detectFilesystemInfo(context.Background(), path) + fsInfo, err := c.detectFilesystemInfo(ctx, path) if err != nil { if c.logger != nil { c.logger.Debug("Security check: filesystem detection failed for %s; continuing with POSIX permission checks: %v", path, err) diff --git a/internal/security/security_test.go b/internal/security/security_test.go index c2483cec..91edd8b9 100644 --- a/internal/security/security_test.go +++ b/internal/security/security_test.go @@ -311,7 +311,7 @@ func TestVerifyDirectoriesCreatesMissing(t *testing.T) { SecureAccount: filepath.Join(baseDir, "secure_account"), } checker := newChecker(t, cfg) - checker.verifyDirectories() + checker.verifyDirectories(context.Background()) paths := []string{ cfg.BackupPath, @@ -1721,7 +1721,7 @@ func TestVerifyDirectoriesSkipOwnership(t *testing.T) { result: &Result{}, } - checker.verifyDirectories() + checker.verifyDirectories(context.Background()) // Should not have ownership warnings for backup dir when SetBackupPermissions=true // The function should skip ownership checks for this path @@ -1742,7 +1742,7 @@ func TestVerifyDirectoriesEmptyPath(t *testing.T) { result: &Result{}, } - checker.verifyDirectories() + checker.verifyDirectories(context.Background()) // Should not create directories for empty paths // Only identity dirs should be checked @@ -2083,7 +2083,7 @@ func TestVerifyDirectoriesWithAllPaths(t *testing.T) { result: &Result{}, } - checker.verifyDirectories() + checker.verifyDirectories(context.Background()) // All directories should be created paths := []string{ @@ -2337,7 +2337,7 @@ func TestVerifyDirectoriesWithExistingDir(t *testing.T) { result: &Result{}, } - checker.verifyDirectories() + checker.verifyDirectories(context.Background()) // Should have warning about wrong permissions hasPermWarning := false @@ -2369,7 +2369,7 @@ func TestVerifyDirectoriesSkipOwnershipForBackup(t *testing.T) { result: &Result{}, } - checker.verifyDirectories() + checker.verifyDirectories(context.Background()) // The backup directory should have ownership check skipped // Ownership warnings for backup path should not appear @@ -2412,7 +2412,7 @@ func TestVerifyDirectoriesSkipsPOSIXChecksOnCIFSBackupPath(t *testing.T) { }, } - checker.verifyDirectories() + checker.verifyDirectories(context.Background()) for _, issue := range checker.result.Issues { if strings.Contains(issue.Message, backupDir) && @@ -2647,7 +2647,7 @@ func TestVerifyDirectoriesStatOtherError(t *testing.T) { result: &Result{}, } - checker.verifyDirectories() + checker.verifyDirectories(context.Background()) // The function should handle this case (file exists but is not a directory) }