Merge pull request #412 from docker/ci/gomodguard

feat: add gomodguard check

Author: joe0BAB

.github/workflows/gomodguard.yml

@@ -0,0 +1,33 @@
+name: gomodguard
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  check:
+    name: Check for allowed dependencies per module
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: write
+      contents: write
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Hub login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERBUILDBOT_USERNAME }}
+          password: ${{ secrets.DOCKERBUILDBOT_WRITE_PAT }}
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: cloud
+          endpoint: "docker/secrets-engine"
+          install: true
+
+      - name: Lint
+        run: make BUILDER=${{ steps.buildx.outputs.name }} gomodguard

Dockerfile

@@ -85,6 +85,26 @@ RUN --mount=type=bind,target=.,ro \
     golangci-lint run -v $(go list -f '{{.Dir}}/...' -m | xargs)
 EOT
 
+FROM golang AS gomodguard
+ARG GOMODGUARD_VERSION=v1.4.1
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=tmpfs,target=/go/src/ \
+    go install "github.com/ryancurrah/gomodguard/cmd/gomodguard@${GOMODGUARD_VERSION}" \
+    && gomodguard -help
+
+FROM golang AS do-gomodguard
+COPY --link --from=gomodguard /go/bin/gomodguard /go/bin/gomodguard
+WORKDIR /modguard
+ENV PATH=/go/bin:$PATH
+RUN --mount=type=bind,target=.,ro <<EOT
+    set -euo pipefail
+    for dir in $(go list -f '{{.Dir}}' -m); do
+      if [ -f "$dir/.gomodguard.yaml" ]; then
+          (cd "$dir" && gomodguard)
+      fi
+    done
+EOT
 
 FROM golang AS gofumpt
 ARG GOFUMPT_VERSION=v0.8.0

Makefile

@@ -153,6 +153,10 @@ mod:
 	@go work sync
 	@go work vendor
 
+.PHONY: gomodguard
+gomodguard:
+	@docker buildx build $(DOCKER_BUILD_ARGS) --target=do-gomodguard .
+
 define HELP_BUMP
 Usage: make bump MOD=<module>
 

client/.gomodguard.yaml

@@ -0,0 +1,13 @@
+---
+blocked:
+  modules:
+    - github.com/docker/secrets-engine/engine:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/injector:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/pass:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/plugin:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/store:
+        reason: "Forbidden dependency"

engine/.gomodguard.yaml

@@ -0,0 +1,13 @@
+---
+blocked:
+  modules:
+#    - github.com/docker/secrets-engine/client:
+#        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/injector:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/pass:
+        reason: "Forbidden dependency"
+#    - github.com/docker/secrets-engine/plugin:
+#        reason: "Forbidden dependency"
+#    - github.com/docker/secrets-engine/store:
+#        reason: "Forbidden dependency"

injector/.gomodguard.yaml

@@ -0,0 +1,5 @@
+---
+blocked:
+  modules:
+    - github.com/docker/secrets-engine/store:
+        reason: "Forbidden dependency"

plugin/.gomodguard.yaml

@@ -0,0 +1,13 @@
+---
+blocked:
+  modules:
+    - github.com/docker/secrets-engine/client:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/engine:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/injector:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/pass:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/store:
+        reason: "Forbidden dependency"

store/.gomodguard.yaml

@@ -0,0 +1,13 @@
+---
+blocked:
+  modules:
+    - github.com/docker/secrets-engine/client:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/engine:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/injector:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/pass:
+        reason: "Forbidden dependency"
+    - github.com/docker/secrets-engine/plugin:
+        reason: "Forbidden dependency"