{"id":21338265,"url":"https://github.com/smlx/go-cli-github","last_synced_at":"2026-01-16T10:53:42.970Z","repository":{"id":46188456,"uuid":"515154418","full_name":"smlx/go-cli-github","owner":"smlx","description":"Template repository with deep GitHub integration for a Go CLI tool or service.","archived":false,"fork":false,"pushed_at":"2026-01-14T10:14:45.000Z","size":490,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-14T13:44:24.834Z","etag":null,"topics":["ci","github-actions","go","golang","release-engineering","security","template"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/smlx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-07-18T11:23:58.000Z","updated_at":"2026-01-14T10:14:23.000Z","dependencies_parsed_at":"2024-01-04T13:37:21.710Z","dependency_job_id":"b4a48f1c-8ffa-4225-ae4d-40ac212280c7","html_url":"https://github.com/smlx/go-cli-github","commit_stats":{"total_commits":221,"total_committers":2,"mean_commits":110.5,"dds":0.330316742081448,"last_synced_commit":"6628bebde3834bd4ad44ea5baab871f076fc5931"},"previous_names":[],"tags_count":73,"template":false,"template_full_name":null,"purl":"pkg:github/smlx/go-cli-github","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smlx%2Fgo-cli-github","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smlx%2Fgo-cli-github/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smlx%2Fgo-cli-github/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smlx%2Fgo-cli-github/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/smlx","download_url":"https://codeload.github.com/smlx/go-cli-github/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/smlx%2Fgo-cli-github/sbom","scorecard":{"id":1238861,"data":{"date":"2025-10-16T05:40:09Z","repo":{"name":"github.com/smlx/go-cli-github","commit":"1ac9518b651cd9cda616b1f71c17244578c9e6fa"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":8,"checks":[{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":10,"reason":"20 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yaml:10","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yaml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yaml:72","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/coverage.yaml:10","Info: jobLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yaml:13","Info: jobLevel 'contents' permission set to 'read': .github/workflows/lint.yaml:13","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/lint.yaml:26","Info: jobLevel 'contents' permission set to 'read': .github/workflows/lint.yaml:25","Info: jobLevel 'contents' permission set to 'read': .github/workflows/lint.yaml:37","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ossf-analysis.yaml:11","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test.yaml:13","Info: found token with 'none' permissions: .github/workflows/build.yaml:1","Info: found token with 'none' permissions: .github/workflows/coverage.yaml:1","Info: found token with 'none' permissions: .github/workflows/dependency-review.yaml:1","Info: found token with 'none' permissions: .github/workflows/lint.yaml:1","Info: found token with 'none' permissions: .github/workflows/ossf-analysis.yaml:1","Info: found token with 'none' permissions: .github/workflows/release.yaml:1","Info: found token with 'none' permissions: .github/workflows/test.yaml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":0,"reason":"Found 0/2 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yaml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  24 out of  24 GitHub-owned GitHubAction dependencies pinned","Info:  13 out of  13 third-party GitHubAction dependencies pinned","Info:   1 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: Passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yaml:8"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: GoBuiltInFuzzer integration found: internal/server/serve_test.go:69"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.20.1 not signed: https://api.github.com/repos/smlx/go-cli-github/releases/221300235","Warn: release artifact v0.20.0 not signed: https://api.github.com/repos/smlx/go-cli-github/releases/218440605","Warn: release artifact v0.19.2 not signed: https://api.github.com/repos/smlx/go-cli-github/releases/218438776","Warn: release artifact v0.19.0 not signed: https://api.github.com/repos/smlx/go-cli-github/releases/188126106","Warn: release artifact v0.18.0 not signed: https://api.github.com/repos/smlx/go-cli-github/releases/179744614","Warn: release artifact v0.20.1 does not have provenance: https://api.github.com/repos/smlx/go-cli-github/releases/221300235","Warn: release artifact v0.20.0 does not have provenance: https://api.github.com/repos/smlx/go-cli-github/releases/218440605","Warn: release artifact v0.19.2 does not have provenance: https://api.github.com/repos/smlx/go-cli-github/releases/218438776","Warn: release artifact v0.19.0 does not have provenance: https://api.github.com/repos/smlx/go-cli-github/releases/188126106","Warn: release artifact v0.18.0 does not have provenance: https://api.github.com/repos/smlx/go-cli-github/releases/179744614"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Branch-Protection","score":5,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is not required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Contributors","score":6,"reason":"project has 2 contributing companies or organizations -- score normalized to 6","details":["Info: found contributions from: amazeeio, uselagoon"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"14 out of 14 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}}]},"last_synced_at":"2025-10-18T04:17:37.888Z","repository_id":46188456,"created_at":"2025-10-18T04:17:37.889Z","updated_at":"2025-10-18T04:17:37.889Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28478087,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T06:30:42.265Z","status":"ssl_error","status_checked_at":"2026-01-16T06:30:16.248Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci","github-actions","go","golang","release-engineering","security","template"],"created_at":"2024-11-22T00:12:17.901Z","updated_at":"2026-01-16T10:53:42.962Z","avatar_url":"https://github.com/smlx.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Go CLI GitHub\n\n[![Go Reference](https://pkg.go.dev/badge/github.com/smlx/go-cli-github.svg)](https://pkg.go.dev/github.com/smlx/go-cli-github)\n[![Release](https://github.com/smlx/go-cli-github/actions/workflows/release.yaml/badge.svg)](https://github.com/smlx/go-cli-github/actions/workflows/release.yaml)\n[![coverage](https://raw.githubusercontent.com/smlx/go-cli-github/badges/.badges/main/coverage.svg)](https://github.com/smlx/go-cli-github/actions/workflows/coverage.yaml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/smlx/go-cli-github)](https://goreportcard.com/report/github.com/smlx/go-cli-github)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/smlx/go-cli-github/badge)](https://securityscorecards.dev/viewer/?uri=github.com/smlx/go-cli-github)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8168/badge)](https://www.bestpractices.dev/projects/8168)\n\nThis repository is a template for a Go CLI tool or service.\nIt is quite opinionated about security and release engineering, but hopefully in a good way.\n\nIt comes pre-configured for integration with GitHub-specific features such as [Dependabot security tooling](https://docs.github.com/en/code-security/dependabot), [CodeQL](https://codeql.github.com/), and [branch protection](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches).\nIt also automatically builds and tests your code using [GitHub Actions](https://docs.github.com/en/actions).\n\n## Features\n\n* Use [GoReleaser](https://goreleaser.com/) to automatically build and create GitHub Releases and container images on merge to `main`.\n\n    * This uses the [Conventional Commits Versioner](https://github.com/smlx/ccv) to automatically version each release.\n\n* Lint your commit messages, Go code, GitHub Actions, and Dockerfiles.\n* Test Pull Requests using `go test`.\n* Build container images from Pull Requests and push them to the GitHub container registry for manual testing and review.\n* Static code analysis using [CodeQL](https://codeql.github.com/) and [Go Report Card](https://goreportcard.com/).\n* Coverage analysis using the [go-test-coverage action](https://github.com/vladopajic/go-test-coverage).\n* Security analysis using [OpenSSF](https://securityscorecards.dev).\n* Signed binary and container release artifacts using [artifact attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds).\n* SBOM generation for both release artifacts and container images, with image SBOMs pushed to the container registry.\n\n## How to use\n\nFirst set up the GitHub repo\n\n1. Create a new empty GitHub repository.\n\nThen push some code to main:\n\n1. Install [gonew](https://go.dev/blog/gonew) and run this command, replacing the last argument with the name of your new module:\n\n    ```bash\n    gonew github.com/smlx/go-cli-github@main github.com/smlx/newproject\n    ```\n\n1. Create the git repo and push to `main` (which will become the default branch):\n\n    ```bash\n    cd newproject\n    git init .\n    git branch -M main\n    git remote add origin git@github.com:smlx/newproject.git\n    git add .\n    git commit -am 'chore: create repository from template'\n    git push -u origin main\n    ```\n\n1. Create the `badges` branch for storing the README coverage badge.\n\n    ```bash\n    git checkout --orphan badges\n    git rm -rf .\n    rm -f .gitignore\n    echo 'This branch exists only to store the coverage badge in the README on `main`.' \u003e README.md\n    git add README.md\n    git commit -m 'chore: initialize the badges branch'\n    git push origin badges\n    ```\n\nThen customize the code for your repository:\n\n1. Check out a new branch to set up the repo `git checkout -b setup main`\n\n1. Update the code for your project:\n\n    * rename `cmd/go-cli-github` to `cmd/$YOUR_COMMAND`\n    * update `.github/workflows/build.yaml`, replacing `go-cli-github` with `$YOUR_COMMAND`.\n    * update `.goreleaser.yaml` to build `cmd/$YOUR_COMMAND`\n    * update the links at the top of `README.md`\n    * update the contact email in `SECURITY.md`\n\n1. Commit and push:\n\n    ```bash\n    git add .\n    git commit -am 'chore: update template for new project'\n    git push -u origin setup\n    ```\n1. Open a PR, wait until all the checks go green, then merge the PR.\n\nConfigure the repository:\n\n1. Go to repository Settings \u003e General:\n\n    1. Releases\n\n        * Enable release immutability\n\n    1. Features\n\n        * Disable wiki and projects (unless you plan to use them!)\n\n    1. Pull Requests\n\n        * Allow merge commits only for Pull Requests\n        * Allow auto-merge\n        * Automatically delete head branches\n\n1. Go to repository Settings \u003e Advanced Security, and enable:\n\n    * Private vulnerability reporting\n\n    * Dependabot\n\n        * Dependabot alerts\n        * Dependabot security updates\n        * Grouped security updates\n        * Dependabot on Actions runners\n\n    * Code Scanning\n\n        * CodeQL analysis \u003e Set up \u003e Default\n\n    * Secret Protection\n\n        * Push protection\n\n1. Go to repository Settings \u003e Rules \u003e Rulesets, and import the `protect-default-branch.json` ruleset.\n\nThat's it.\n\n## How to contribute\n\nIssues are welcome.\n\nPRs are also welcome, but keep in mind that this is a very opinionated template, so not all changes will be accepted.\nPRs also need to ensure that test coverage remains high, and best practices are followed.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsmlx%2Fgo-cli-github","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsmlx%2Fgo-cli-github","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsmlx%2Fgo-cli-github/lists"}