🔄 synced file(s) with PaddleHQ/go-library-template #85
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # DO NOT EDIT: This file should only be modified in the `go-library-template` repo. | |
| name: Run code validation checks | |
| on: | |
| pull_request: | |
| env: | |
| # Required to enable support for synctest.Run | |
| # This will be removed once we update to go 1.25 | |
| GOEXPERIMENT: synctest | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| security-events: write | |
| actions: write # required for `workflow-dispatch` to trigger the automerge workflow | |
| jobs: | |
| validate: | |
| name: Run code validation checks | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| persist-credentials: false | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: ./.github/actions/setup-go | |
| id: setup-go | |
| with: | |
| owner: ${{ github.repository_owner }} | |
| private: ${{ github.event.repository.private }} | |
| private-key: ${{ secrets.PRIVATE_GO_CI_PRIVATE_KEY }} | |
| - name: Cache go modules | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-validate-${{ hashFiles('**/go.sum') }}-${{ hashFiles('**/*.go') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-validate-${{ hashFiles('**/go.sum') }}- | |
| ${{ runner.os }}-go-validate- | |
| - name: Install `govulncheck` and `gopls` | |
| run: | | |
| go install golang.org/x/vuln/cmd/[email protected] | |
| go install golang.org/x/tools/gopls/internal/analysis/modernize/cmd/[email protected] | |
| go install github.com/PaddleHQ/[email protected] | |
| - name: Setup test databases | |
| uses: ./.github/actions/setup-databases | |
| # -- | |
| # Run validations | |
| - name: Verify dependencies | |
| run: go mod verify | |
| - name: Validate go.mod | |
| env: | |
| GOTOOLCHAIN: local | |
| run: | | |
| go mod tidy -go=${{ steps.setup-go.outputs.go-mod-version }} | |
| git diff --exit-code || \ | |
| ( | |
| echo '::error file=go.mod,line=1,endLine=1,title=Incorrect dependencies::Please run "go mod tidy"' \ | |
| && exit 1 | |
| ) | |
| - name: Check for toolchain | |
| run: | | |
| LINE=$(grep -n 'toolchain go' go.mod | cut -f1 -d:) | |
| if [ -n "$LINE" ]; then | |
| echo "::error file=go.mod,line=$LINE,endLine=$LINE,title=Toolchain::go.mod contains a toolchain directive. This should be removed before merge" | |
| exit 1 | |
| fi | |
| - name: Validate go.mod blocks | |
| env: | |
| GOTOOLCHAIN: local | |
| run: | | |
| modfmt --replace | |
| git diff --exit-code || \ | |
| ( | |
| echo '::error file=go.mod,line=1,endLine=1,title=Incorrect formatting of go.mod::Please run "go run github.com/PaddleHQ/modfmt@latest --replace"' \ | |
| && exit 1 | |
| ) | |
| - name: Go Format | |
| run: | | |
| gofmt -s -w . | |
| git diff --exit-code || | |
| (echo '::error title=Incorrect Go Format::Please run "gofmt -s -w ."' && exit 1) | |
| - name: Go Generate | |
| run: | | |
| go generate ./... | |
| git diff --exit-code || \ | |
| (echo '::error title=Incorrect Generated Files::Please run "go generate ./..."' && exit 1) | |
| # -- | |
| # Go Vulncheck | |
| - name: Run `govulncheck` | |
| id: govulncheck | |
| shell: bash {0} # disable fast fail / set -e | |
| run: | | |
| result=$(govulncheck ./...) | |
| retVal=$? | |
| if [ ${retVal} -ne 0 ]; then | |
| { | |
| echo 'result<<EOF' | |
| echo "${result}" | awk '{print "> "$0}' | |
| echo EOF | |
| } >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Comment PR with vulnerabilities | |
| uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3 | |
| with: | |
| comment-tag: govulncheck | |
| mode: ${{ steps.govulncheck.outputs.result != '' && 'upsert' || 'delete' }} | |
| message: | | |
| > [!IMPORTANT] | |
| > ## :warning: Found vulnerabilities :warning: | |
| > ``` | |
| ${{ steps.govulncheck.outputs.result }} | |
| > ``` | |
| # -- | |
| # Gopls | |
| - name: Run `modernize (part of gopls)` | |
| run: | | |
| modernize -test ./... 2>&1 | awk -F ":" '{print "::notice file="$1",line="$2",title=gopls: "$4"::Use `go run golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest -test -fix ./...` to automatically fix"}' | |
| - name: Vet | |
| run: go vet ./... | |
| # -- | |
| # Breaking changes | |
| - name: Check for multiple major versions of dependencies | |
| run: | | |
| if git diff --quiet origin/${{ github.event.repository.default_branch }} -- 'go.mod'; then | |
| echo "No changes in go.mod - skipping validation of major changes" | |
| exit 0 | |
| fi | |
| # 1. get all PaddleHQ dependencies | |
| # 2. change : to space | |
| # 3. remove anything after the last space | |
| # 4. remove /v[0-9] from the end of the line | |
| # 5. sort by dependency name | |
| # 6. find duplicates | |
| # 7. print line number and dependency name | |
| DUPLICATES=$(\ | |
| grep -Eon "github.com\/PaddleHQ\/[0-9a-z\-]+.*\s" go.mod \ | |
| | sed 's/:/ /' \ | |
| | awk '{print $1 " " $2}' \ | |
| | sed 's/\/v[0-9]$//' \ | |
| | sort -k2 \ | |
| | uniq -f1 -cd \ | |
| | awk '{print $2 " " $3}' \ | |
| ) | |
| if [ -n "${DUPLICATES}" ]; then | |
| echo "${DUPLICATES}" | while read line ; do | |
| LINE=$(echo $line | cut -f1 -d ' ') | |
| REPO=$(echo $line | cut -f2 -d ' ') | |
| cat <<- EOF | |
| ::error file=go.mod,line=${LINE},endLine=${LINE},title=Duplicate dependencies::There are multiple \ | |
| different major versions of ${REPO} in this repo. This may cause problems. We strongly recommend \ | |
| reaching out to the AppEx team to discuss before merging. | |
| EOF | |
| done | |
| fi | |
| - name: Automerge | |
| uses: ./.github/actions/trigger-automerge | |
| with: | |
| event: ${{ toJSON(github.event) }} | |
| hasAutoApproverPrivateKey: ${{ secrets.AUTO_APPROVER_PRIVATE_KEY != '' }} |