Merge branch 'main' into lint-cleanup

Author: dlevy-msft-sql

.github/copilot-instructions.md

@@ -0,0 +1,44 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # Enable version updates for Go modules
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "go"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    groups:
+      go-dependencies:
+        patterns:
+          - "*"
+
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "ci"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/dependabot.yml

@@ -4,17 +4,23 @@ on:
     branches:
       - main
   pull_request:
+
+permissions:
+  contents: read
+
 jobs:
   golangci-pr:
     name: lint-pr-changes
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: stable
-      - uses: actions/checkout@v4
+          go-version: '1.25.9'
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        # Pinned to commit SHA for supply chain security (CWE-829)
+        # Verify: gh api repos/golangci/golangci-lint-action/git/ref/tags/v9 --jq '.object.sha'
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.0.0
         with:
           version: latest
           only-new-issues: true

.github/workflows/golangci-lint.yml

@@ -0,0 +1,31 @@
+name: PR Title Check
+on:
+  pull_request_target:
+    types: [opened, edited, synchronize]
+
+permissions:
+  pull-requests: read
+
+jobs:
+  validate:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            feat
+            fix
+            docs
+            chore
+            deps
+            ci
+            test
+            refactor
+            perf
+            build
+          requireScope: false
+          subjectPattern: ^[a-z].+$
+          subjectPatternError: "Subject must start with a lowercase letter"

.github/workflows/pr-title.yml

@@ -5,15 +5,18 @@ on:
     branches:
     - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Setup go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
-        go-version: '1.22'
+        go-version: '1.25.9'
     - name: Run tests against Linux SQL
       run: |
         go version
@@ -23,5 +26,20 @@ jobs:
         export SQLCMDPASSWORD=$(date +%s|sha256sum|base64|head -c 32)
         export SQLCMDUSER=sa
         docker run -m 2GB -e ACCEPT_EULA=1 -d --name sql2022 -p:1433:1433 -e SA_PASSWORD=$SQLCMDPASSWORD mcr.microsoft.com/mssql/server:2022-latest
+        echo "Waiting for SQL Server to be ready..."
+        READY=0
+        for i in {1..60}; do
+          if docker exec sql2022 /opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P "$SQLCMDPASSWORD" -C -Q "SELECT 1" &>/dev/null; then
+            echo "SQL Server is ready!"
+            READY=1
+            break
+          fi
+          echo "Attempt $i: SQL Server not ready yet, waiting..."
+          sleep 2
+        done
+        if [ $READY -eq 0 ]; then
+          echo "ERROR: SQL Server failed to become ready within 2 minutes"
+          exit 1
+        fi
         cd ../..
         go test -v ./...

.github/workflows/pr-validation.yml

@@ -0,0 +1,22 @@
+name: release-please
+
+on:
+  push:
+    branches:
+      - main
+
+permissions: {}
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+        with:
+          token: ${{ secrets.RELEASE_PLEASE_TOKEN }}

.github/workflows/release-please.yml

@@ -0,0 +1,38 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+name: Security Scanning
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    # Run weekly on Monday at 9:00 AM UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  govulncheck:
+    name: Go Vulnerability Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: go.mod
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        run: govulncheck ./...

.github/workflows/security.yml

@@ -19,7 +19,8 @@ steps:
       packageSourceAuth: patAuth
       dependencyPackageSource: 'https://pkgs.dev.azure.com/msdata/_packaging/SQLDS_SSMS/nuget/v3/index.json'
       patVariable: $(System.AccessToken)
-
+      isAutoCompletePrSelected: false
+      isShouldReusePrSelected: true
   - task: PublishPipelineArtifact@1
     inputs:
       targetPath: '$(Build.ArtifactStagingDirectory)'

.pipelines/LocBuild.yml

@@ -1,7 +1,7 @@
 steps: 
   - task: GoTool@0
     inputs:
-      version: '1.22.10'
+      version: '1.25.7'
   - task: Go@0
     displayName: 'Go: get dependencies'
     inputs:
@@ -18,18 +18,10 @@ steps:
       workingDirectory: '$(System.DefaultWorkingDirectory)'
 
   - task: Go@0
-    displayName: 'Go: install github.com/axw/gocov/gocov'
+    displayName: 'Go: install github.com/boumenot/gocover-cobertura'
     inputs:
       command: 'custom'
       customCommand: 'install'
-      arguments: 'github.com/axw/gocov/gocov@latest'
-      workingDirectory: '$(System.DefaultWorkingDirectory)'
-  
-  - task: Go@0
-    displayName: 'Go: install github.com/axw/gocov/gocov'
-    inputs:
-      command: 'custom'
-      customCommand: 'install'
-      arguments: 'github.com/AlekSi/gocov-xml@latest'
+      arguments: 'github.com/boumenot/gocover-cobertura@latest'
       workingDirectory: '$(System.DefaultWorkingDirectory)'
 

.pipelines/include-install-go-tools.yml

@@ -16,8 +16,7 @@ parameters:
 steps:
   - script: |
       ~/go/bin/gotestsum --junitfile "${{ parameters.RunName }}.testresults.xml" -- ./... -coverprofile="${{ parameters.RunName }}.coverage.txt" -covermode count
-      ~/go/bin/gocov convert "${{ parameters.RunName }}.coverage.txt" > "${{ parameters.RunName }}.coverage.json"
-      ~/go/bin/gocov-xml < "${{ parameters.RunName }}.coverage.json" > ${{ parameters.RunName }}.coverage.xml
+      ~/go/bin/gocover-cobertura < "${{ parameters.RunName }}.coverage.txt" > ${{ parameters.RunName }}.coverage.xml
       mkdir -p coverage
     workingDirectory: '$(Build.SourcesDirectory)'
     displayName: 'run tests'