-
Notifications
You must be signed in to change notification settings - Fork 0
121 lines (113 loc) · 3.8 KB
/
Copy pathengine-ci.yml
File metadata and controls
121 lines (113 loc) · 3.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: Engine CI
on:
push:
branches: [main]
paths:
- 'packages/engine/**'
- 'go.work'
pull_request:
paths:
- 'packages/engine/**'
- 'go.work'
defaults:
run:
working-directory: packages/engine
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- run: go test -race ./...
vet:
name: Vet
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- run: go vet ./...
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install golangci-lint
run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
- name: Run golangci-lint
run: golangci-lint run
govulncheck:
name: Govulncheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
run: |
# Known unfixable vulnerabilities — excluded from enforcement:
#
# Indirect test-only dependency (docker/docker via testcontainers); no upstream fix:
# GO-2026-4887, GO-2026-4883
#
# Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07).
# Reachable via crypto/tls (EmailSendConnector TLS handshake) in go < 1.25.9:
# GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock)
# GO-2026-4947 (crypto/x509: certificate chain-building DoS)
# Remove these two exclusions once CI upgrades to go >= 1.25.9.
OUTPUT=$(govulncheck ./... 2>&1 || true)
echo "$OUTPUT"
# Emit each actionable vulnerability ID as a GHA error annotation for visibility.
ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true)
echo "govulncheck IDs found: ${ALL_IDS:-none}"
ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4870|GO-2026-4947)$' || true)
for ID in $ACTIONABLE_IDS; do
echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency"
done
ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4870|GO-2026-4947' || true)
if [ -n "$ACTIONABLE" ]; then
exit 1
fi
gosec:
name: Gosec
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: Run gosec
run: gosec -exclude=G101,G104,G112,G115,G117,G202,G204,G301,G304,G306,G404,G703,G705,G706 ./...
spec:
name: Spec Freshness
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Install swag
run: go install github.com/swaggo/swag/cmd/swag@v1.16.6
- name: Regenerate spec
run: |
swag init \
-g docs.go \
--dir internal/server,internal/workflow,internal/budget \
--output internal/server/docs \
--outputTypes json,yaml \
--parseInternal \
--requiredByDefault
- name: Check for drift
run: git diff --exit-code internal/server/docs/