diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..c5f15c6
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,116 @@ +name: CI + +on: + push: + branches: + - main + pull_request: + branches: + - main + +permissions: + contents: read + +concurrency: + group: ci-${{ github.workflow }}-${{ github.head_ref || github.ref }} + cancel-in-progress: true + +jobs: + build: + name: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + - run: go vet ./... + - run: go build ./... + + test: + name: test (warn-only) + runs-on: ubuntu-latest + continue-on-error: true + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + - name: Unit tests with race detector + run: | + go test -race -shuffle=on -count=1 -timeout=15m \ + -coverprofile=coverage.out -covermode=atomic ./... + - name: Upload coverage profile + if: always() + uses: actions/upload-artifact@v4 + with: + name: coverage + path: coverage.out + if-no-files-found: ignore + + lint: + name: lint (warn-only) + runs-on: ubuntu-latest + continue-on-error: true + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + - uses: golangci/golangci-lint-action@v6 + with: + version: v1.61.0 + args: --timeout=5m + + coverage: + name: coverage (warn-only) + needs: test + runs-on: ubuntu-latest + continue-on-error: true + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + - name: Download coverage profile + uses: actions/download-artifact@v4 + with: + name: coverage + - name: Enforce coverage thresholds + run: | + go install github.com/vladopajic/go-test-coverage/v2@v2.11.4 + go-test-coverage --config .testcoverage.yml + + vulncheck: + name: vulncheck (warn-only) + runs-on: ubuntu-latest + continue-on-error: true + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + - name: govulncheck + run: 
| + go install golang.org/x/vuln/cmd/govulncheck@latest + govulncheck ./... + + gosec: + name: gosec (warn-only) + runs-on: ubuntu-latest + continue-on-error: true + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + - name: gosec + run: | + go install github.com/securego/gosec/v2/cmd/gosec@v2.21.4 + gosec -quiet -severity=medium -confidence=medium ./...
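Review bot: The vulncheck job installs `golang.org/x/vuln/cmd/govulncheck@latest`, the only unpinned tool in this workflow — gosec is pinned to `v2.21.4` and go-test-coverage to `v2.11.4` — so the scanner binary can change between runs without a diff to this file; change the line to `go install golang.org/x/vuln/cmd/govulncheck@<PINNED_VERSION>` (placeholder: pick the release you validated) and bump it deliberately like the other tools. Every security job (vulncheck, gosec, lint) carries job-level `continue-on-error: true`, so a new finding cannot block a merge and, as far as I recall GitHub's behaviour, is reported only in the job log rather than as a failing check; if warn-only is intentional, a comment such as `# warn-only: findings do not gate merges — review the job log on every PR` above each of those jobs would make that visible to reviewers. The third-party actions are referenced by mutable tags (`actions/checkout@v4`, `golangci/golangci-lint-action@v6`); pinning them to a full commit SHA with the tag in a trailing comment is the usual hardening for a workflow that already restricts `permissions` to `contents: read`. Separately, `coverage` has `needs: test` but `test` is itself warn-only and uploads with `if-no-files-found: ignore`, so `actions/download-artifact@v4` may run with no `coverage` artifact present and fail for a reason unrelated to coverage.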