fix: address CodeRabbit follow-up feedback from PRs #121 and #122 #52
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Engine CI | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| pull_request: | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| defaults: | |
| run: | |
| working-directory: packages/engine | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go test -race ./... | |
| vet: | |
| name: Vet | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go vet ./... | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install golangci-lint | |
| run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest | |
| - name: Run golangci-lint | |
| run: golangci-lint run | |
| govulncheck: | |
| name: Govulncheck | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Run govulncheck | |
| run: | | |
| # Known unfixable vulnerabilities in indirect test-only dependencies (docker/docker via testcontainers): | |
| # GO-2026-4887, GO-2026-4883 | |
| # Fixed in: N/A — no upstream fix available. Remove exclusions when a patched release ships. | |
| OUTPUT=$(govulncheck ./... 2>&1 || true) | |
| echo "$OUTPUT" | |
| # Emit each actionable vulnerability ID as a GHA error annotation for visibility. | |
| ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true) | |
| echo "govulncheck IDs found: ${ALL_IDS:-none}" | |
| ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883)$' || true) | |
| for ID in $ACTIONABLE_IDS; do | |
| echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency" | |
| done | |
| ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883' || true) | |
| if [ -n "$ACTIONABLE" ]; then | |
| exit 1 | |
| fi | |
| gosec: | |
| name: Gosec | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install gosec | |
| run: go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| - name: Run gosec | |
| run: gosec -exclude=G101,G104,G112,G115,G117,G202,G204,G301,G304,G306,G404,G703,G705,G706 ./... | |
| spec: | |
| name: Spec Freshness | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install swag | |
| run: go install github.com/swaggo/swag/cmd/swag@v1.16.6 | |
| - name: Regenerate spec | |
| run: | | |
| swag init \ | |
| -g docs.go \ | |
| --dir internal/server,internal/workflow,internal/budget \ | |
| --output internal/server/docs \ | |
| --outputTypes json,yaml \ | |
| --parseInternal \ | |
| --requiredByDefault | |
| - name: Check for drift | |
| run: git diff --exit-code internal/server/docs/ |