chore(release): bump engine to v0.5.0 #125
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Engine CI | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| pull_request: | |
| paths: | |
| - 'packages/engine/**' | |
| - 'go.work' | |
| defaults: | |
| run: | |
| working-directory: packages/engine | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go test -race ./... | |
| vet: | |
| name: Vet | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - run: go vet ./... | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install golangci-lint | |
| run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest | |
| - name: Run golangci-lint | |
| run: golangci-lint run | |
| govulncheck: | |
| name: Govulncheck | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
| - name: Run govulncheck | |
| run: | | |
| # Known unfixable vulnerabilities — excluded from enforcement: | |
| # | |
| # Indirect test-only dependency (docker/docker via testcontainers); no upstream fix: | |
| # GO-2026-4887, GO-2026-4883 | |
| # | |
| # Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07). | |
| # Reachable in go < 1.25.9 via the listed call chains: | |
| # GO-2026-4865 (html/template) — grpc->net/trace->html/template | |
| # GO-2026-4869 (archive/tar) — docker/docker->archive/tar | |
| # GO-2026-4870 (crypto/tls) — EmailSendConnector->crypto/tls | |
| # GO-2026-4946 (crypto/x509) — EmailSendConnector->crypto/tls->crypto/x509 | |
| # GO-2026-4947 (crypto/x509) — EmailSendConnector->crypto/tls->crypto/x509 | |
| # Remove these five exclusions once go-version in this workflow is >= 1.25.9. | |
| # | |
| # Transitive dependencies of go-git (github.com/go-git/go-git/v5); govulncheck | |
| # confirms code does not call the affected symbols. Track upstream and remove | |
| # when go-git ships fixed transitive dependency versions: | |
| # GO-2026-4918, GO-2026-4945, GO-2026-5013, GO-2026-5015, GO-2026-5017, | |
| # GO-2026-5018, GO-2026-5019, GO-2026-5020, GO-2026-5021, GO-2026-5026 | |
| OUTPUT=$(govulncheck ./... 2>&1 || true) | |
| echo "$OUTPUT" | |
| # Emit each actionable vulnerability ID as a GHA error annotation for visibility. | |
| ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true) | |
| echo "govulncheck IDs found: ${ALL_IDS:-none}" | |
| KNOWN='GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947|GO-2026-4918|GO-2026-4945|GO-2026-5013|GO-2026-5015|GO-2026-5017|GO-2026-5018|GO-2026-5019|GO-2026-5020|GO-2026-5021|GO-2026-5026' | |
| ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE "^($KNOWN)$" || true) | |
| for ID in $ACTIONABLE_IDS; do | |
| echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency" | |
| done | |
| ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE "$KNOWN" || true) | |
| if [ -n "$ACTIONABLE" ]; then | |
| exit 1 | |
| fi | |
| gosec: | |
| name: Gosec | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install gosec | |
| run: go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| - name: Run gosec | |
| run: gosec -exclude=G101,G104,G112,G115,G117,G202,G204,G301,G304,G306,G404,G703,G705,G706 ./... | |
| spec: | |
| name: Spec Freshness | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Install spec tooling | |
| run: | | |
| go install github.com/swaggo/swag/cmd/swag@v1.16.6 | |
| python -m pip install yq | |
| - name: Regenerate spec | |
| run: make spec | |
| - name: Check for drift | |
| run: git diff --exit-code internal/server/docs/ |