fix: address CodeRabbit follow-up feedback from PRs #121 and #122 #53
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Engine CI | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| pull_request: | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| defaults: | |
| run: | |
| working-directory: packages/engine | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go test -race ./... | |
| vet: | |
| name: Vet | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go vet ./... | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install golangci-lint | |
| run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest | |
| - name: Run golangci-lint | |
| run: golangci-lint run | |
| govulncheck: | |
| name: Govulncheck | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Run govulncheck | |
| run: | | |
| # Known unfixable vulnerabilities — excluded from enforcement: | |
| # | |
| # Indirect test-only dependency (docker/docker via testcontainers); no upstream fix: | |
| # GO-2026-4887, GO-2026-4883 | |
| # | |
| # Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07). | |
| # Reachable via crypto/tls (EmailSendConnector TLS handshake) in go < 1.25.9: | |
| # GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock) | |
| # GO-2026-4947 (crypto/x509: certificate chain-building DoS) | |
| # Remove these two exclusions once CI upgrades to go >= 1.25.9. | |
| OUTPUT=$(govulncheck ./... 2>&1 || true) | |
| echo "$OUTPUT" | |
| # Emit each actionable vulnerability ID as a GHA error annotation for visibility. | |
| ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true) | |
| echo "govulncheck IDs found: ${ALL_IDS:-none}" | |
| ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4870|GO-2026-4947)$' || true) | |
| for ID in $ACTIONABLE_IDS; do | |
| echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency" | |
| done | |
| ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4870|GO-2026-4947' || true) | |
| if [ -n "$ACTIONABLE" ]; then | |
| exit 1 | |
| fi | |
| gosec: | |
| name: Gosec | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install gosec | |
| run: go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| - name: Run gosec | |
| run: gosec -exclude=G101,G104,G112,G115,G117,G202,G204,G301,G304,G306,G404,G703,G705,G706 ./... | |
| spec: | |
| name: Spec Freshness | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install swag | |
| run: go install github.com/swaggo/swag/cmd/swag@v1.16.6 | |
| - name: Regenerate spec | |
| run: | | |
| swag init \ | |
| -g docs.go \ | |
| --dir internal/server,internal/workflow,internal/budget \ | |
| --output internal/server/docs \ | |
| --outputTypes json,yaml \ | |
| --parseInternal \ | |
| --requiredByDefault | |
| - name: Check for drift | |
| run: git diff --exit-code internal/server/docs/ |