Skip to content

ci: address CodeRabbit pre-existing review findings #31

ci: address CodeRabbit pre-existing review findings

ci: address CodeRabbit pre-existing review findings #31

Workflow file for this run

name: Engine CI
on:
push:
branches: [main]
paths:
- 'packages/engine/**'
- 'go.work'
pull_request:
paths:
- 'packages/engine/**'
- 'go.work'
defaults:
run:
working-directory: packages/engine
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- run: go test -race ./...
vet:
name: Vet
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- run: go vet ./...
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install golangci-lint
run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
- name: Run golangci-lint
run: golangci-lint run
govulncheck:
name: Govulncheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
run: |
# GO-2026-4887 and GO-2026-4883 are in docker/docker (testcontainers test dep only).
# Fixed in: N/A — no upstream fix available. Remove exclusions when a patched release ships.
OUTPUT=$(govulncheck ./... 2>&1 || true)
echo "$OUTPUT"
ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883')
if [ -n "$ACTIONABLE" ]; then
echo "FAIL: unfixed actionable vulnerabilities found"
exit 1
fi
gosec:
name: Gosec
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: Run gosec
run: gosec -exclude=G101,G104,G112,G115,G117,G202,G204,G301,G304,G306,G404,G703,G705,G706 ./...