sync: update 8 files from source repository (#264)

mrz1836 · web-flow · commit 6aaa6a7bb273 · 2026-01-29T11:31:50.000-05:00
diff --git a/.github/actions/cancel-workflow-on-failure/action.yml b/.github/actions/cancel-workflow-on-failure/action.yml
@@ -1,6 +1,13 @@
 # ------------------------------------------------------------------------------------
 #  Cancel Workflow On Failure (Composite Action) (GoFortress)
 #
+#  NOTE: This action is currently NOT IN USE. It was disabled because GitHub's
+#  cancel API overwrites the "failed" status with "cancelled" on the job that
+#  triggered it, making it impossible to identify which job actually failed.
+#
+#  The action is kept for potential future use in scenarios where the trade-off
+#  (faster cancellation vs clear failure visibility) is acceptable.
+#
 #  Purpose: Provide a reusable action that cancels the entire workflow run when
 #  a critical job fails. This prevents wasting CI resources on parallel jobs
 #  that will ultimately be invalidated by an earlier failure.
diff --git a/.github/workflows/fortress-code-quality.yml b/.github/workflows/fortress-code-quality.yml
@@ -66,7 +66,6 @@ jobs:
     runs-on: ${{ inputs.primary-runner }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     steps:
       # --------------------------------------------------------------------
       # Checkout code (required for local actions)
@@ -270,19 +269,6 @@ jobs:
           echo "❌ Go vet detected static analysis issues"
           exit 1
 
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Go vet static analysis failed"
-          failed-job: "Go Vet Static Analysis"
-          failed-step: "🔍 Go vet (sequential)"
-          failure-tool: "go vet"
-          failure-summary: "Static analysis issues detected"
-
   # ----------------------------------------------------------------------------------
   # Lint (Code Linting)
   # ----------------------------------------------------------------------------------
@@ -293,7 +279,6 @@ jobs:
     runs-on: ${{ inputs.primary-runner }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     outputs:
       golangci-lint-version: ${{ steps.golangci-lint-version.outputs.version }}
     steps:
@@ -572,19 +557,6 @@ jobs:
           echo "❌ Lint detected code quality issues"
           exit 1
 
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Code linting (golangci-lint) failed"
-          failed-job: "Lint Code"
-          failed-step: "✨ Run golangci-lint"
-          failure-tool: "golangci-lint"
-          failure-summary: "Linting issues detected"
-
   # ----------------------------------------------------------------------------------
   # YAML/JSON Format Validation (MAGE-X)
   # ----------------------------------------------------------------------------------
@@ -594,7 +566,6 @@ jobs:
     runs-on: ${{ inputs.primary-runner }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     outputs:
       yamlfmt-version: ${{ steps.yamlfmt-version.outputs.version }}
     steps:
@@ -809,16 +780,3 @@ jobs:
         run: |
           echo "❌ Format check detected YAML/JSON formatting issues"
           exit 1
-
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "YAML/JSON format validation failed"
-          failed-job: "YAML/JSON Format Validation"
-          failed-step: "🔍 Check YAML/JSON formatting with MAGE-X"
-          failure-tool: "yamlfmt"
-          failure-summary: "Formatting issues detected"
diff --git a/.github/workflows/fortress-pre-commit.yml b/.github/workflows/fortress-pre-commit.yml
@@ -54,7 +54,6 @@ jobs:
     runs-on: ${{ inputs.primary-runner }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     outputs:
       pre-commit-version: ${{ steps.pre-commit-version.outputs.version }}
       checks-executed: ${{ steps.run-checks.outputs.executed }}
@@ -885,16 +884,3 @@ jobs:
           artifact-name: cache-stats-pre-commit
           artifact-path: cache-stats-pre-commit.json
           retention-days: 1
-
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Pre-commit checks failed"
-          failed-job: "Pre-commit Checks"
-          failed-step: "🚀 Run pre-commit checks"
-          failure-tool: "go-pre-commit"
-          failure-summary: "Pre-commit validation failed"
diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml
@@ -71,7 +71,6 @@ jobs:
     if: ${{ inputs.enable-nancy }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     steps:
       # --------------------------------------------------------------------
       # Checkout code (required for local actions)
@@ -259,19 +258,6 @@ jobs:
           echo "❌ Nancy detected vulnerabilities in dependencies"
           exit 1
 
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Nancy dependency security check failed"
-          failed-job: "Ask Nancy (Dependency Checks)"
-          failed-step: "🔍 Ask Nancy"
-          failure-tool: "nancy"
-          failure-summary: "Vulnerabilities detected in dependencies"
-
   # ----------------------------------------------------------------------------------
   # Govulncheck (Vulnerability Checks)
   # ----------------------------------------------------------------------------------
@@ -281,7 +267,6 @@ jobs:
     if: ${{ inputs.enable-govulncheck }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     steps:
       # --------------------------------------------------------------------
       # Checkout code (required for local actions)
@@ -512,19 +497,6 @@ jobs:
           echo "❌ Govulncheck detected vulnerabilities in dependencies"
           exit 1
 
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Govulncheck vulnerability scan failed"
-          failed-job: "Run govulncheck (Vulnerability Scan)"
-          failed-step: "🔐 Run govulncheck"
-          failure-tool: "govulncheck"
-          failure-summary: "Go vulnerabilities detected"
-
   # ----------------------------------------------------------------------------------
   # Gitleaks (Secret Scanning)
   # ----------------------------------------------------------------------------------
@@ -534,7 +506,6 @@ jobs:
     if: ${{ inputs.enable-gitleaks }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     steps:
       # --------------------------------------------------------------------
       # Checkout code (required for local actions)
@@ -657,16 +628,3 @@ jobs:
         run: |
           echo "❌ Gitleaks detected secrets in the repository"
           exit 1
-
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Gitleaks secret scan failed"
-          failed-job: "Run Gitleaks (Secret Scan)"
-          failed-step: "🔍 Run gitleaks scan"
-          failure-tool: "gitleaks"
-          failure-summary: "Secrets detected in repository"
diff --git a/.github/workflows/fortress-test-fuzz.yml b/.github/workflows/fortress-test-fuzz.yml
@@ -58,7 +58,6 @@ jobs:
     timeout-minutes: 15 # Fuzz tests have shorter timeout
     permissions:
       contents: read # Read repository content for testing
-      actions: write # Required for workflow cancellation on failure
     runs-on: ${{ inputs.primary-runner }}
 
     steps:
@@ -260,16 +259,3 @@ jobs:
             fuzz-output.log
           retention-days: 1
           if-no-files-found: ignore
-
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Fuzz tests failed"
-          failed-job: "Fuzz Tests"
-          failed-step: "🧪 Run fuzz tests"
-          failure-tool: "go test -fuzz"
-          failure-summary: "Fuzz testing detected issues"
diff --git a/.github/workflows/fortress-test-matrix.yml b/.github/workflows/fortress-test-matrix.yml
@@ -110,7 +110,6 @@ jobs:
     timeout-minutes: 30 # Prevent hung tests
     permissions:
       contents: read # Read repository content for testing
-      actions: write # Required for workflow cancellation on failure
     strategy:
       fail-fast: true
       matrix: ${{ fromJSON(inputs.test-matrix) }}
@@ -443,16 +442,3 @@ jobs:
           name: coverage-data
           path: coverage.txt
           retention-days: 1
-
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Test matrix failed (${{ matrix.name }})"
-          failed-job: "Test (${{ matrix.name }})"
-          failed-step: "🧪 Run tests"
-          failure-tool: "go test"
-          failure-summary: "Test failures detected on ${{ matrix.os }} Go ${{ matrix.go-version }}"
diff --git a/.github/workflows/fortress-test-suite.yml b/.github/workflows/fortress-test-suite.yml
@@ -127,7 +127,6 @@ jobs:
     if: inputs.go-tests-enabled == 'true'
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     uses: ./.github/workflows/fortress-test-matrix.yml
     with:
       env-json: ${{ inputs.env-json }}
@@ -155,7 +154,6 @@ jobs:
     if: inputs.go-tests-enabled == 'true' && inputs.fuzz-testing-enabled == 'true'
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     uses: ./.github/workflows/fortress-test-fuzz.yml
     with:
       env-json: ${{ inputs.env-json }}
diff --git a/.github/workflows/fortress.yml b/.github/workflows/fortress.yml
@@ -170,7 +170,6 @@ jobs:
       needs.setup.outputs.is-fork-pr != 'true'
     permissions:
       contents: read # Read repository content for security scanning
-      actions: write # Required for workflow cancellation on failure
     uses: ./.github/workflows/fortress-security-scans.yml
     with:
       env-json: ${{ needs.load-env.outputs.env-json }}
@@ -199,7 +198,6 @@ jobs:
       needs.setup.outputs.pre-commit-enabled == 'true'
     permissions:
       contents: read # Read repository content for pre-commit checks
-      actions: write # Required for workflow cancellation on failure
     uses: ./.github/workflows/fortress-pre-commit.yml
     with:
       env-json: ${{ needs.load-env.outputs.env-json }}
@@ -220,7 +218,6 @@ jobs:
       (needs.warm-cache.result == 'success' || needs.warm-cache.result == 'skipped')
     permissions:
       contents: read # Read repository content for code quality checks
-      actions: write # Required for workflow cancellation on failure
     uses: ./.github/workflows/fortress-code-quality.yml
     with:
       env-json: ${{ needs.load-env.outputs.env-json }}
@@ -251,7 +248,7 @@ jobs:
       pages: write # Required: Coverage workflow needs to deploy to GitHub Pages
       id-token: write # Required: Coverage workflow needs GitHub Pages authentication
       statuses: write # Required: Coverage workflow needs to create commit status checks
-      actions: write # Required: Manage/cancel child test workflows (test matrix & fuzz tests); artifact access only needs actions: read
+      actions: read # Required: Coverage workflow needs to access artifacts from workflow runs
     uses: ./.github/workflows/fortress-test-suite.yml
     with:
       code-coverage-enabled: ${{ needs.setup.outputs.code-coverage-enabled }}
@@ -321,25 +318,87 @@ jobs:
     runs-on: ${{ needs.setup.outputs.primary-runner }}
     steps:
       # --------------------------------------------------------------------
-      # Build a summary table for the UI (always runs)
+      # Build results summary showing job statuses
       # --------------------------------------------------------------------
       - name: 📊 Build results summary
+        env:
+          SETUP_RESULT: ${{ needs.setup.result }}
+          MAGEX_RESULT: ${{ needs.test-magex.result }}
+          CACHE_RESULT: ${{ needs.warm-cache.result }}
+          SECURITY_RESULT: ${{ needs.security.result }}
+          QUALITY_RESULT: ${{ needs.code-quality.result }}
+          PRECOMMIT_RESULT: ${{ needs.pre-commit.result }}
+          TESTS_RESULT: ${{ needs.test-suite.result }}
+          BENCH_RESULT: ${{ needs.benchmarks.result }}
+          CACHE_ENABLED: ${{ needs.setup.outputs.cache-warming-enabled }}
+          PRECOMMIT_ENABLED: ${{ needs.setup.outputs.pre-commit-enabled }}
+          TESTS_ENABLED: ${{ needs.setup.outputs.go-tests-enabled }}
         run: |
           {
             echo "## 🚦 Workflow Results"
             echo ""
             echo "| Component | Result | Status |"
             echo "|-----------|--------|--------|"
-            echo "| 🎯 Setup | ${{ needs.setup.result }} | Required |"
-            echo "| 🪄 MAGE-X | ${{ needs.test-magex.result }} | Required |"
-            echo "| 💾 Warm Cache | ${{ needs.warm-cache.result }} | ${{ needs.setup.outputs.cache-warming-enabled == 'true' && 'Required' || 'Disabled' }} |"
-            echo "| 🔒 Security | ${{ needs.security.result }} | Required |"
-            echo "| 📊 Code Quality | ${{ needs.code-quality.result }} | Required |"
-            echo "| 🪝 Pre-commit | ${{ needs.pre-commit.result }} | ${{ needs.setup.outputs.pre-commit-enabled == 'true' && 'Required' || 'Skipped' }} |"
-            echo "| 🧪 Test Suite | ${{ needs.test-suite.result }} | ${{ needs.setup.outputs.go-tests-enabled == 'true' && 'Required' || 'Skipped' }} |"
-            echo "| 🏃 Benchmarks | ${{ needs.benchmarks.result }} | Optional ⚠️ |"
+
+            # Helper function to determine result display
+            get_result_display() {
+              local result="$1"
+
+              if [[ "$result" == "failure" ]]; then
+                echo "❌ **FAILED**"
+              elif [[ "$result" == "cancelled" ]]; then
+                echo "⏹️ cancelled"
+              elif [[ "$result" == "skipped" ]]; then
+                echo "⏭️ skipped"
+              elif [[ "$result" == "success" ]]; then
+                echo "✅ success"
+              else
+                echo "$result"
+              fi
+            }
+
+            # Setup
+            SETUP_DISPLAY=$(get_result_display "$SETUP_RESULT")
+            echo "| 🎯 Setup | $SETUP_DISPLAY | Required |"
+
+            # MAGE-X
+            MAGEX_DISPLAY=$(get_result_display "$MAGEX_RESULT")
+            echo "| 🪄 MAGE-X | $MAGEX_DISPLAY | Required |"
+
+            # Warm Cache
+            CACHE_REQ="Disabled"
+            [[ "$CACHE_ENABLED" == "true" ]] && CACHE_REQ="Required"
+            CACHE_DISPLAY=$(get_result_display "$CACHE_RESULT")
+            echo "| 💾 Warm Cache | $CACHE_DISPLAY | $CACHE_REQ |"
+
+            # Security
+            SECURITY_DISPLAY=$(get_result_display "$SECURITY_RESULT")
+            echo "| 🔒 Security | $SECURITY_DISPLAY | Required |"
+
+            # Code Quality
+            QUALITY_DISPLAY=$(get_result_display "$QUALITY_RESULT")
+            echo "| 📊 Code Quality | $QUALITY_DISPLAY | Required |"
+
+            # Pre-commit
+            PRECOMMIT_REQ="Skipped"
+            [[ "$PRECOMMIT_ENABLED" == "true" ]] && PRECOMMIT_REQ="Required"
+            PRECOMMIT_DISPLAY=$(get_result_display "$PRECOMMIT_RESULT")
+            echo "| 🪝 Pre-commit | $PRECOMMIT_DISPLAY | $PRECOMMIT_REQ |"
+
+            # Test Suite
+            TESTS_REQ="Skipped"
+            [[ "$TESTS_ENABLED" == "true" ]] && TESTS_REQ="Required"
+            TESTS_DISPLAY=$(get_result_display "$TESTS_RESULT")
+            echo "| 🧪 Test Suite | $TESTS_DISPLAY | $TESTS_REQ |"
+
+            # Benchmarks (always optional)
+            BENCH_DISPLAY=$(get_result_display "$BENCH_RESULT")
+            echo "| 🏃 Benchmarks | $BENCH_DISPLAY | Optional ⚠️ |"
+
             echo ""
-            if [[ "${{ needs.benchmarks.result }}" == "failure" ]]; then
+
+            # Add explanatory note if benchmarks failed
+            if [[ "$BENCH_RESULT" == "failure" ]]; then
               echo "⚠️ **Note**: Benchmarks failed but are currently non-blocking."
             fi
           } >> "$GITHUB_STEP_SUMMARY"
