fix: address CodeRabbit follow-up feedback from PRs #121 and #122 #56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Engine CI | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| pull_request: | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| defaults: | |
| run: | |
| working-directory: packages/engine | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go test -race ./... | |
| vet: | |
| name: Vet | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go vet ./... | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install golangci-lint | |
| run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest | |
| - name: Run golangci-lint | |
| run: golangci-lint run | |
| govulncheck: | |
| name: Govulncheck | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Run govulncheck | |
| run: | | |
| # Known unfixable vulnerabilities — excluded from enforcement: | |
| # | |
| # Indirect test-only dependency (docker/docker via testcontainers); no upstream fix: | |
| # GO-2026-4887, GO-2026-4883 | |
| # | |
| # Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07). | |
| # Reachable in go < 1.25.9 via the listed call chains: | |
| # GO-2026-4865 (html/template: XSS via JS template literals) — grpc→net/trace→html/template | |
| # GO-2026-4869 (archive/tar: unbounded memory in sparse GNU tar archives) — docker/docker→archive/tar | |
| # GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock) — EmailSendConnector→crypto/tls | |
| # GO-2026-4946 (crypto/x509: policy-validation DoS) — EmailSendConnector→crypto/tls→crypto/x509 | |
| # GO-2026-4947 (crypto/x509: certificate chain-building DoS) — EmailSendConnector→crypto/tls→crypto/x509 | |
| # Remove these five exclusions once CI upgrades to go >= 1.25.9. | |
| OUTPUT=$(govulncheck ./... 2>&1 || true) | |
| echo "$OUTPUT" | |
| # Emit each actionable vulnerability ID as a GHA error annotation for visibility. | |
| ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true) | |
| echo "govulncheck IDs found: ${ALL_IDS:-none}" | |
| ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947)$' || true) | |
| for ID in $ACTIONABLE_IDS; do | |
| echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency" | |
| done | |
| ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947' || true) | |
| if [ -n "$ACTIONABLE" ]; then | |
| exit 1 | |
| fi | |
| gosec: | |
| name: Gosec | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install gosec | |
| run: go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| - name: Run gosec | |
| run: gosec -exclude=G101,G104,G112,G115,G117,G202,G204,G301,G304,G306,G404,G703,G705,G706 ./... | |
| spec: | |
| name: Spec Freshness | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install swag | |
| run: go install github.com/swaggo/swag/cmd/swag@v1.16.6 | |
| - name: Regenerate spec | |
| run: | | |
| swag init \ | |
| -g docs.go \ | |
| --dir internal/server,internal/workflow,internal/budget \ | |
| --output internal/server/docs \ | |
| --outputTypes json,yaml \ | |
| --parseInternal \ | |
| --requiredByDefault | |
| - name: Check for drift | |
| run: git diff --exit-code internal/server/docs/ |