Skip to content

Preserve SELinux labels for atomic file writes #879

Preserve SELinux labels for atomic file writes

Preserve SELinux labels for atomic file writes #879

Workflow file for this run

name: PR Checks
on:
pull_request:
branches:
- main
- dev
push:
branches:
- main
- dev
workflow_dispatch:
permissions:
contents: read
pull-requests: read
jobs:
build:
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: go.mod
cache: true
- name: Verify dependencies
run: go mod verify
- name: Build for current platform
run: make build
- name: Build for all supported platforms
run: make build-all
test:
name: Test
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: go.mod
cache: true
- name: Run tests
run: go test -v -race -coverprofile=coverage.out -covermode=atomic ./...
- name: Generate coverage report
run: go tool cover -html=coverage.out -o coverage.html
- name: Upload coverage to artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: coverage-report
path: |
coverage.out
coverage.html
- name: Check test coverage
run: |
coverage=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
echo "Total test coverage: ${coverage}%"
# Set minimum coverage threshold (can be adjusted)
threshold=30
if (( $(echo "$coverage < $threshold" | bc -l) )); then
echo "::warning::Test coverage ${coverage}% is below threshold ${threshold}%"
echo "Please consider adding more tests to improve coverage."
else
echo "✅ Test coverage ${coverage}% meets threshold ${threshold}%"
fi
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: go.mod
cache: true
- name: Run golangci-lint
uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9.3.0
with:
version: latest
args: --timeout=5m
only-new-issues: true
security:
name: Security Scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: go.mod
cache: true
- name: Run Gosec Security Scanner
uses: securego/gosec@9e6a9843d7a4a6e3e9a8539b02612c8a4aa3f889 # v2.27.1
with:
# we let the report trigger content trigger a failure using the GitHub Security features.
args: "-no-fail -fmt sarif -out results.sarif -exclude-dir=hack -exclude-generated ./..."
# Fix duplicate tags and null relationships in SARIF file (workaround for https://github.com/golang/go/issues/75890)
- name: Clean SARIF output
run: |
set -e
cat results.sarif
jq '
(.runs[].tool.driver.rules[]?.properties.tags) |= (unique) |
(.runs[].tool.driver.rules[]?.relationships) |= (if . then [.[] | select(. != null)] else . end)
' results.sarif > results-cleaned.sarif
mv results-cleaned.sarif results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
if: always()
with:
sarif_file: results.sarif
category: gosec
code-quality:
name: Code Quality Checks
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: go.mod
cache: true
- name: Check go fmt
run: |
UNFORMATTED=$(find . -name '*.go' -not -name '*.pb.go' -not -path './hack/*' | xargs gofmt -s -l)
if [ -n "$UNFORMATTED" ]; then
echo "❌ Go code is not formatted. Please run 'make fmt' or 'gofmt -s -w .'"
echo ""
echo "Unformatted files:"
echo "$UNFORMATTED"
exit 1
fi
echo "✅ All files are properly formatted"
- name: Check goimports
run: |
go install golang.org/x/tools/cmd/goimports@latest
UNFORMATTED=$(find . -name '*.go' -not -name '*.pb.go' -not -path './hack/*' | xargs goimports -l)
if [ -n "$UNFORMATTED" ]; then
echo "❌ Go imports are not properly formatted. Please run 'goimports -w .'"
echo ""
echo "Files with incorrect imports:"
echo "$UNFORMATTED"
exit 1
fi
echo "✅ All imports are properly formatted"
- name: Check go vet
run: go vet ./...
- name: Check for common mistakes with staticcheck
uses: dominikh/staticcheck-action@9716614d4101e79b4340dd97b10e54d68234e431 # v1.4.1
with:
version: "latest"
install-go: false
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
- name: Dependency Review
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
with:
fail-on-severity: moderate