CI #4
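# CI testing pipeline
#
# This workflow MUST be audited with zizmor.
# This workflow MUST be using pinned action refs.
# This workflow's pinned action refs SHOULD be updated using 'pinact'
#
# Security notes:
#   - Top-level permissions are empty; each job declares only what it needs.
#   - All third-party actions are SHA-pinned. Run `pinact run` to reverify.
#   - SHA-pinning covers the actions themselves, not the tools they install:
#     the Task binary is selected by the `version: 3.x` range at run time.
#   - The job runs code from the pull request (`task check`), so it must stay
#     on the `pull_request` trigger with a read-only token and no secrets.
#
# Non-GitHub actions (add to repo Settings > Actions > Allowed actions):
#   - go-task/setup-task

name: CI

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch: # let someone trigger the CI on their branch without a PR

# Deny everything by default; jobs opt in to the scopes they need.
permissions: {}

concurrency:
  # Key pull-request runs on the PR number rather than the head branch name:
  # `github.head_ref` carries no fork owner, so same-named branches in
  # different forks would share one group and cancel each other's runs.
  # Push and workflow_dispatch runs have no PR number and fall back to the ref.
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  test:
    name: Test
    runs-on: ubuntu-slim
    permissions:
      contents: read # we clone the repo
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the job token in .git/config where later steps
          # (including the checked-out project's own tasks) could read it.
          persist-credentials: false
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
          # No shared cache, so nothing is restored from or saved by other runs.
          cache: false
      - uses: go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44 # v2.0.0
        with:
          # NOTE(review): a range, not an exact release; pin an exact Task
          # version if the installed binary must be reproducible.
          version: 3.x
      - name: Run checks
        run: task check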