Skip to content

fix: address CodeRabbit follow-up feedback from PRs #121 and #122 #58

fix: address CodeRabbit follow-up feedback from PRs #121 and #122

fix: address CodeRabbit follow-up feedback from PRs #121 and #122 #58

Workflow file for this run

name: Engine CI
on:
push:
branches: [main]
paths:
- 'packages/engine/**'
- 'go.work'
pull_request:
paths:
- 'packages/engine/**'
- 'go.work'
defaults:
run:
working-directory: packages/engine
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- run: go test -race ./...
vet:
name: Vet
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- run: go vet ./...
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install golangci-lint
run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
- name: Run golangci-lint
run: golangci-lint run
govulncheck:
name: Govulncheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
run: |
# Known unfixable vulnerabilities — excluded from enforcement:
#
# Indirect test-only dependency (docker/docker via testcontainers); no upstream fix:
# GO-2026-4887, GO-2026-4883
#
# Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07).
# Reachable in go < 1.25.9 via the listed call chains:
# GO-2026-4865 (html/template: XSS via JS template literals) — grpc→net/trace→html/template
# GO-2026-4869 (archive/tar: unbounded memory in sparse GNU tar archives) — docker/docker→archive/tar
# GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock) — EmailSendConnector→crypto/tls
# GO-2026-4946 (crypto/x509: policy-validation DoS) — EmailSendConnector→crypto/tls→crypto/x509
# GO-2026-4947 (crypto/x509: certificate chain-building DoS) — EmailSendConnector→crypto/tls→crypto/x509
# Remove these five exclusions once go-version in this workflow is >= 1.25.9.
OUTPUT=$(govulncheck ./... 2>&1 || true)
echo "$OUTPUT"
# Emit each actionable vulnerability ID as a GHA error annotation for visibility.
ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true)
echo "govulncheck IDs found: ${ALL_IDS:-none}"
ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947)$' || true)
for ID in $ACTIONABLE_IDS; do
echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency"
done
ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947' || true)
if [ -n "$ACTIONABLE" ]; then
exit 1
fi
gosec:
name: Gosec
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: Run gosec
run: gosec -exclude=G101,G104,G112,G115,G117,G202,G204,G301,G304,G306,G404,G703,G705,G706 ./...
spec:
name: Spec Freshness
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install swag
run: go install github.com/swaggo/swag/cmd/swag@v1.16.6
- name: Regenerate spec
run: |
swag init \
-g docs.go \
--dir internal/server,internal/workflow,internal/budget \
--output internal/server/docs \
--outputTypes json,yaml \
--parseInternal \
--requiredByDefault
- name: Check for drift
run: git diff --exit-code internal/server/docs/