Skip to content

feat(connector): Discord, Elasticsearch, Datadog, Redis, and MongoDB connectors #105

feat(connector): Discord, Elasticsearch, Datadog, Redis, and MongoDB connectors

feat(connector): Discord, Elasticsearch, Datadog, Redis, and MongoDB connectors #105

Workflow file for this run

name: Engine CI
on:
push:
branches: [main]
paths:
- 'packages/engine/**'
- 'go.work'
pull_request:
paths:
- 'packages/engine/**'
- 'go.work'
defaults:
run:
working-directory: packages/engine
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- run: go test -race ./...
vet:
name: Vet
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- run: go vet ./...
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install golangci-lint
run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
- name: Run golangci-lint
run: golangci-lint run
govulncheck:
name: Govulncheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
run: |
# Known unfixable vulnerabilities — excluded from enforcement:
#
# Indirect test-only dependency (docker/docker via testcontainers); no upstream fix:
# GO-2026-4887, GO-2026-4883
#
# Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07).
# Reachable in go < 1.25.9 via the listed call chains:
# GO-2026-4865 (html/template) — grpc->net/trace->html/template
# GO-2026-4869 (archive/tar) — docker/docker->archive/tar
# GO-2026-4870 (crypto/tls) — EmailSendConnector->crypto/tls
# GO-2026-4946 (crypto/x509) — EmailSendConnector->crypto/tls->crypto/x509
# GO-2026-4947 (crypto/x509) — EmailSendConnector->crypto/tls->crypto/x509
# Remove these five exclusions once go-version in this workflow is >= 1.25.9.
#
# Transitive dependencies of go-git (github.com/go-git/go-git/v5); govulncheck
# confirms code does not call the affected symbols. Track upstream and remove
# when go-git ships fixed transitive dependency versions:
# GO-2026-4918, GO-2026-4945, GO-2026-5013, GO-2026-5015, GO-2026-5017,
# GO-2026-5018, GO-2026-5019, GO-2026-5020, GO-2026-5021, GO-2026-5026
OUTPUT=$(govulncheck ./... 2>&1 || true)
echo "$OUTPUT"
# Emit each actionable vulnerability ID as a GHA error annotation for visibility.
ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true)
echo "govulncheck IDs found: ${ALL_IDS:-none}"
KNOWN='GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947|GO-2026-4918|GO-2026-4945|GO-2026-5013|GO-2026-5015|GO-2026-5017|GO-2026-5018|GO-2026-5019|GO-2026-5020|GO-2026-5021|GO-2026-5026'
ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE "^($KNOWN)$" || true)
for ID in $ACTIONABLE_IDS; do
echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency"
done
ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE "$KNOWN" || true)
if [ -n "$ACTIONABLE" ]; then
exit 1
fi
gosec:
name: Gosec
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: Run gosec
run: gosec -exclude=G101,G104,G112,G115,G117,G202,G204,G301,G304,G306,G404,G703,G705,G706 ./...
spec:
name: Spec Freshness
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install spec tooling
run: |
go install github.com/swaggo/swag/cmd/swag@v1.16.6
python -m pip install yq
- name: Regenerate spec
run: make spec
- name: Check for drift
run: git diff --exit-code internal/server/docs/