feat: add security breakdown endpoint support #27

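name: Go CI / CD

on:
  push:
    branches:
      - main
      - master
  pull_request:

# Least privilege for the whole workflow; jobs that need more widen it explicitly.
permissions:
  contents: read

jobs:
  lint:
    name: Lint Code
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing in this job pushes; do not leave the token in .git/config
          # where later third-party steps could read it.
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
          version: v1.64.5
          # Only report issues introduced in the PR.
          only-new-issues: true

  security:
    name: Security Scans
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required by upload-sarif to publish findings to code scanning.
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Run Gosec Security Scanner
        # Pinned to a release instead of the mutable `master` ref so that a
        # changed or compromised upstream branch cannot alter what runs here.
        uses: securego/gosec@v2.21.4
        with:
          args: '-no-fail -fmt sarif -out results.sarif ./...'
      - name: govulncheck
        # Upstream hedera-sdk-go transitively pulls go-ethereum with known
        # vulns we cannot fix. Report but do not block the pipeline.
        continue-on-error: true
        uses: golang/govulncheck-action@v1
        with:
          go-version-file: go.mod
      - name: Run Trivy vulnerability scanner
        continue-on-error: true
        # Pinned release rather than `master` (same reasoning as gosec above).
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Gosec SARIF
        # Upload even when an earlier step failed, but only if a report exists.
        if: always() && hashFiles('results.sarif') != ''
        continue-on-error: true
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: gosec
      - name: Upload Trivy SARIF
        if: always() && hashFiles('trivy-results.sarif') != ''
        continue-on-error: true
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy

  test:
    name: Test and Coverage
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Run Tests
        run: go test -v -coverprofile=coverage.out ./...
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@v4
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  build:
    name: Build Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Verify Build
        run: go build -v ./...
      - name: Verify go.mod / go.sum are tidy
        run: |
          go mod tidy
          git diff --exit-code go.mod go.sum
      - name: Run go vet
        run: go vet ./...

  release:
    name: Publish Release
    # Only direct pushes to main are released; PRs and the master branch never reach here.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - lint
      - security
      - test
      - build
    runs-on: ubuntu-latest
    permissions:
      # Needed to push the tag and create the release.
      contents: write
    concurrency:
      group: release-main
      cancel-in-progress: false
    env:
      MODULE_PATH: github.com/hashgraph-online/standards-sdk-go
    steps:
      # Full history is needed to find the latest tag, and the persisted token
      # (checkout default) is needed because a later step runs `git push`.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Determine release tag
        id: release_tag
        shell: bash
        run: |
          set -euo pipefail
          git fetch --tags --force
          existing_tag="$(git tag --points-at "${GITHUB_SHA}" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n1 || true)"
          if [ -n "${existing_tag}" ]; then
            echo "tag=${existing_tag}" >> "${GITHUB_OUTPUT}"
            echo "created=false" >> "${GITHUB_OUTPUT}"
            exit 0
          fi
          latest_tag="$(git tag --list 'v[0-9]*.[0-9]*.[0-9]*' --sort=-version:refname | head -n1)"
          if [ -z "${latest_tag}" ]; then
            latest_tag="v0.0.0"
          fi
          version_without_v="${latest_tag#v}"
          IFS='.' read -r major minor patch <<< "${version_without_v}"
          next_tag="v${major}.${minor}.$((patch + 1))"
          echo "tag=${next_tag}" >> "${GITHUB_OUTPUT}"
          echo "created=true" >> "${GITHUB_OUTPUT}"
      - name: Create git tag and GitHub release
        if: steps.release_tag.outputs.created == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed via the environment instead of being interpolated into the
          # script body, so the value is never parsed as shell source.
          RELEASE_TAG: ${{ steps.release_tag.outputs.tag }}
        shell: bash
        run: |
          set -euo pipefail
          tag="${RELEASE_TAG}"
          git tag "${tag}" "${GITHUB_SHA}"
          git push origin "${tag}"
          gh release create "${tag}" \
            --title "${tag}" \
            --generate-notes \
            --target "${GITHUB_SHA}"
      - name: Wait for pkg.go.dev index
        id: pkg_index
        # Indexing delay is informational; it must not fail a release that is already published.
        continue-on-error: true
        env:
          RELEASE_TAG: ${{ steps.release_tag.outputs.tag }}
        shell: bash
        run: |
          python3 - <<'PY'
          import os
          import sys
          import time
          import urllib.error
          import urllib.request

          module_path = os.environ["MODULE_PATH"]
          release_tag = os.environ["RELEASE_TAG"]
          url = f"https://pkg.go.dev/{module_path}@{release_tag}"
          attempts = 40
          delay_seconds = 15
          timeout_seconds = 20
          print(f"Polling {url} for {release_tag}")
          for attempt in range(1, attempts + 1):
              try:
                  with urllib.request.urlopen(url, timeout=timeout_seconds) as response:
                      body = response.read().decode("utf-8", "ignore")
                      # The module page must exist and mention the tag we released.
                      ok = response.status == 200 and release_tag in body
                      print(f"attempt {attempt:02d}: status={response.status} indexed={ok}")
                      if ok:
                          sys.exit(0)
              except urllib.error.HTTPError as error:
                  print(f"attempt {attempt:02d}: status={error.code} indexed=False")
              except Exception as error:
                  print(f"attempt {attempt:02d}: error={error} indexed=False")
              time.sleep(delay_seconds)
          raise SystemExit(
              f"Timed out waiting for pkg.go.dev to index {module_path}@{release_tag}"
          )
          PY
      - name: Report pkg.go.dev indexing delay
        if: steps.pkg_index.outcome == 'failure'
        env:
          RELEASE_TAG: ${{ steps.release_tag.outputs.tag }}
          GITHUB_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        shell: bash
        run: |
          echo "::warning::pkg.go.dev indexing timed out for ${MODULE_PATH}@${RELEASE_TAG}. Release was published; recheck later. Run: ${GITHUB_RUN_URL}"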