set go from the dockerfile and apply best practices

Signed-off-by: Carlos Panato <[email protected]>

Author: cpanato

.github/workflows/go-test.yml

@@ -5,23 +5,33 @@ name: Go Tests (sourcetool)
 
 on:
   pull_request:
+    branches:
+      - main
+
+permissions: {}
 
 jobs:
   test:
+    runs-on: ubuntu-latest
+
     permissions:
       contents: read
-    runs-on: ubuntu-latest
+
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
+
       - name: Set up Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GOVERSION }}
           check-latest: true
+          cache: false
 
       - name: Setup Buf
         uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
@@ -31,7 +41,7 @@ jobs:
 
       - name: Run Go tests
         run: |
-          go test ./...
+          go test -v ./...
 
       - name: Check generated fakes
         run: |

.github/workflows/golangci-lint.yaml

@@ -9,21 +9,28 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
+
       - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GOVERSION }}
+          check-latest: true
           cache: false
 
       - run: |
@@ -32,5 +39,4 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
-          version: v2.1
-
+          version: v2.4

.github/workflows/release.yaml

@@ -7,9 +7,9 @@ on:
   push:
     tags:
       - 'v*'
-permissions:
-  contents: read
-  
+
+permissions: {}
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -18,9 +18,9 @@ jobs:
       id-token: write # To sign attestations
       attestations: write # To push build provenance to attestations store
       contents: write # To create the release
-      
+
     steps:
-      
+
       - name: Setup bnd
         uses: carabiner-dev/actions/install/bnd@HEAD
 
@@ -30,9 +30,13 @@ jobs:
           persist-credentials: false
           fetch-depth: 1
 
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
+
       - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version-file: go.mod
+          go-version: ${{ env.GOVERSION }}
+          check-latest: true
           cache: false
 
       - name: Install tejolote
@@ -43,7 +47,7 @@ jobs:
       - name: Set tag output
         id: tag
         run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
-  
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         id: goreleaser
@@ -67,5 +71,4 @@ jobs:
             bnd pack attestations/ > sourcetool.intoto.jsonl
             gh release upload ${{ steps.tag.outputs.tag_name }} sourcetool.intoto.jsonl
             # Remove this once GitHub like the tejolote build predicate
-            # bnd push github ${{github.repository}} attestations/sourcetool-${{ steps.tag.outputs.tag_name }}.provenance.json 
-
+            # bnd push github ${{github.repository}} attestations/sourcetool-${{ steps.tag.outputs.tag_name }}.provenance.json