fix: address CodeRabbit follow-up feedback from PRs #121 and #122 #50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Engine CI | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| pull_request: | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| defaults: | |
| run: | |
| working-directory: packages/engine | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go test -race ./... | |
| vet: | |
| name: Vet | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go vet ./... | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install golangci-lint | |
| run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest | |
| - name: Run golangci-lint | |
| run: golangci-lint run | |
| govulncheck: | |
| name: Govulncheck | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Run govulncheck | |
| run: | | |
| # Known unfixable vulnerabilities in indirect test-only dependencies (docker/docker via testcontainers): | |
| # GO-2026-4887, GO-2026-4883 | |
| # Fixed in: N/A — no upstream fix available. Remove exclusions when a patched release ships. | |
| OUTPUT=$(govulncheck ./... 2>&1 || true) | |
| echo "$OUTPUT" | |
| # Extract and log all found IDs so failures are easy to diagnose. | |
| ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true) | |
| echo "--- govulncheck: all vulnerability IDs found: ${ALL_IDS:-none} ---" | |
| ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883' || true) | |
| if [ -n "$ACTIONABLE" ]; then | |
| echo "FAIL: unfixed actionable vulnerabilities found:" | |
| echo "$ACTIONABLE" | |
| exit 1 | |
| fi | |
| gosec: | |
| name: Gosec | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install gosec | |
| run: go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| - name: Run gosec | |
| run: gosec -exclude=G101,G104,G112,G115,G117,G202,G204,G301,G304,G306,G404,G703,G705,G706 ./... | |
| spec: | |
| name: Spec Freshness | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install swag | |
| run: go install github.com/swaggo/swag/cmd/swag@v1.16.6 | |
| - name: Regenerate spec | |
| run: | | |
| swag init \ | |
| -g docs.go \ | |
| --dir internal/server,internal/workflow,internal/budget \ | |
| --output internal/server/docs \ | |
| --outputTypes json,yaml \ | |
| --parseInternal \ | |
| --requiredByDefault | |
| - name: Check for drift | |
| run: git diff --exit-code internal/server/docs/ |