diff --git a/.github/actions/parse-env/action.yml b/.github/actions/parse-env/action.yml index 0ee3e0a..0a61650 100644 --- a/.github/actions/parse-env/action.yml +++ b/.github/actions/parse-env/action.yml @@ -36,12 +36,11 @@ runs: # -------------------------------------------------------------------- - name: ๐Ÿ”ง Parse environment variables shell: bash + env: + ENV_JSON: ${{ inputs.env-json }} run: | echo "๐Ÿ“‹ Setting environment variables..." - # Get the input JSON - ENV_JSON='${{ inputs.env-json }}' - # Validate JSON format before processing if ! echo "$ENV_JSON" | jq empty 2>/dev/null; then echo "โŒ ERROR: Invalid JSON format in env-json input!" >&2 diff --git a/.github/actions/setup-go-with-cache/action.yml b/.github/actions/setup-go-with-cache/action.yml index 11d1b25..44fe6fc 100644 --- a/.github/actions/setup-go-with-cache/action.yml +++ b/.github/actions/setup-go-with-cache/action.yml @@ -47,6 +47,10 @@ inputs: description: "Enable multi-module mode - uses pattern **/go.sum to hash all go.sum files for cache keys, skips root go.sum validation" required: false default: "false" + github-token: + description: "GitHub token for private module authentication (only used when GOPRIVATE is set in environment)" + required: false + default: "" outputs: go-version-actual: 
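Review bot: `jq empty 2>/dev/null` in the validation check just below the new `env:` block discards jq's diagnostic, so a bad `env-json` input only reports that the JSON was invalid, not where it broke. Now that the value arrives through the environment instead of inline `${{ }}` expansion (which is the right fix for the expression-injection path the removed `ENV_JSON='${{ inputs.env-json }}'` line had), surfacing jq's message is safe; capture it with `if ! jq_err=$(printf '%s' "$ENV_JSON" | jq empty 2>&1); then` and append `$jq_err` to the existing error message. The step's `run:` body continues past the end of the hunk.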
@@ -443,6 +447,29 @@ runs: go-version: ${{ inputs.go-version }} cache: false # we handle caches ourselves + # -------------------------------------------------------------------- + # Configure git authentication for private Go modules (conditional) + # Only runs when GOPRIVATE is set AND a github-token is provided + # -------------------------------------------------------------------- + - name: ๐Ÿ” Configure private module authentication + if: ${{ inputs.github-token != '' && env.GOPRIVATE != '' }} + shell: bash + env: + PRIVATE_MODULE_TOKEN: ${{ inputs.github-token }} + run: | + echo "๐Ÿ” Configuring git authentication for private Go modules..." + echo "๐Ÿ“‹ GOPRIVATE=$GOPRIVATE" + + # Configure git to use the token for HTTPS URLs + git config --global url."https://x-access-token:${PRIVATE_MODULE_TOKEN}@github.com/".insteadOf "https://github.com/" + + # Set GONOSUMDB to match GOPRIVATE if not explicitly set + if [ -z "$GONOSUMDB" ]; then + echo "GONOSUMDB=$GOPRIVATE" >> $GITHUB_ENV + fi + + echo "โœ… Private module authentication configured" + # -------------------------------------------------------------------- # Summary and validation # -------------------------------------------------------------------- diff --git a/.github/actions/warm-cache/action.yml b/.github/actions/warm-cache/action.yml index 979ba25..3441e38 100644 --- a/.github/actions/warm-cache/action.yml +++ b/.github/actions/warm-cache/action.yml @@ -53,6 +53,10 @@ inputs: description: "Enable multi-module mode - uses hash of all go.sum files for cache keys" required: false default: "false" + github-token: + description: "GitHub token for private module authentication (only used when GOPRIVATE is set)" + required: false + default: "" runs: using: "composite" 
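Review bot: The `git config --global url."https://x-access-token:${PRIVATE_MODULE_TOKEN}@github.com/".insteadOf "https://github.com/"` line in the new authentication step rewrites every github.com HTTPS URL for the rest of the job — and, on a non-ephemeral self-hosted runner, for every later job, since nothing removes the entry from `~/.gitconfig` — rather than only the modules named in `GOPRIVATE`. Every later `git` or `go` invocation in the job (third-party linters, goreleaser, cache tooling) therefore authenticates with this token, which matters most when the caller hands in a PAT instead of the job's `GITHUB_TOKEN`. Scoping the rewrite to the `github.com/<prefix>` patterns actually present in `GOPRIVATE` limits the exposure, and the step should carry a comment warning that a composite action cannot register a post-step, so callers on persistent runners must unset the entry themselves. The `GONOSUMDB` block that follows is redundant and can go: Go already defaults `GONOSUMDB` and `GONOPROXY` to the value of `GOPRIVATE` when they are unset or empty (`go help private`).
```yaml
      run: |
        # … unchanged: banner and GOPRIVATE echo …
        # Scope the credential rewrite to the github.com prefixes named in GOPRIVATE
        # instead of every https://github.com/ URL. A composite action cannot register
        # a post-step, so on non-ephemeral runners this entry stays in ~/.gitconfig
        # until the caller unsets it.
        IFS=',' read -ra GOPRIVATE_PATTERNS <<< "$GOPRIVATE"
        for pattern in "${GOPRIVATE_PATTERNS[@]}"; do
          case "$pattern" in
            github.com|github.com/*) ;;
            *) continue ;;  # pattern targets another host
          esac
          prefix="${pattern#github.com}"
          prefix="${prefix#/}"
          prefix="${prefix%%\**}"  # github.com/myorg/* -> myorg/
          git config --global url."https://x-access-token:${PRIVATE_MODULE_TOKEN}@github.com/${prefix}".insteadOf "https://github.com/${prefix}"
        done
        # … unchanged: completion message …
```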
@@ -96,6 +100,7 @@ runs: go-secondary-version: ${{ inputs.go-secondary-version }} go-sum-file: ${{ inputs.go-sum-file }} enable-multi-module: ${{ inputs.enable-multi-module }} + github-token: ${{ inputs.github-token }} # โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ # Setup MAGE-X (required for magex commands in cache warming) diff --git a/.github/env/00-core.env b/.github/env/00-core.env index 41885c3..70e0ac8 100644 --- a/.github/env/00-core.env +++ b/.github/env/00-core.env @@ -29,7 +29,7 @@ GO_PRIMARY_VERSION=1.24.x GO_SECONDARY_VERSION=1.24.x # Govulncheck-specific Go version for vulnerability scanning -GOVULNCHECK_GO_VERSION=1.26.0 +GOVULNCHECK_GO_VERSION=1.26.1 # ================================================================================================ # ๐Ÿ“ฆ GO MODULE CONFIGURATION @@ -41,6 +41,13 @@ GO_SUM_FILE=go.sum # Multi-module monorepo support ENABLE_MULTI_MODULE_TESTING=false +# Private Go module support (opt-in) +# Set GOPRIVATE in 90-project.env to enable private module authentication +# Example: github.com/myorg/*,github.com/otherorg/* +GOPRIVATE= +GONOSUMCHECK= +GONOSUMDB= + # ================================================================================================ # ๐Ÿ–ฅ๏ธ RUNNER CONFIGURATION # ================================================================================================ diff --git a/.github/env/10-mage-x.env b/.github/env/10-mage-x.env index a16e3d2..f42ce31 100644 --- a/.github/env/10-mage-x.env +++ b/.github/env/10-mage-x.env 
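Review bot: `GONOSUMCHECK=` in the new private-module block of `00-core.env` does not appear to be a variable the Go toolchain reads — the documented knobs are `GOPRIVATE`, `GONOPROXY`, `GONOSUMDB` and `GOSUMDB` (`go help environment`), and as far as I recall `GONOSUMCHECK` was only the pre-release name of what shipped as `GONOSUMDB` — so setting it silently does nothing and invites someone to rely on it. Either drop the line or replace it with `GONOPROXY=`, which is the variable Go actually derives from `GOPRIVATE` alongside `GONOSUMDB`. The comment above the block should also record that both default to `GOPRIVATE`, e.g. `# GONOPROXY and GONOSUMDB default to GOPRIVATE; set them only to override that`, so readers know a value in `GOPRIVATE` alone is normally sufficient.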
@@ -61,7 +61,7 @@ MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea MAGE_X_GITLEAKS_VERSION=8.30.0 MAGE_X_GOFUMPT_VERSION=v0.9.2 -MAGE_X_GOLANGCI_LINT_VERSION=v2.10.1 +MAGE_X_GOLANGCI_LINT_VERSION=v2.11.1 MAGE_X_GORELEASER_VERSION=v2.14.1 MAGE_X_GOVULNCHECK_VERSION=v1.1.4 MAGE_X_GO_SECONDARY_VERSION=1.24.x diff --git a/.github/env/10-pre-commit.env b/.github/env/10-pre-commit.env index 7a20e6b..f6da610 100644 --- a/.github/env/10-pre-commit.env +++ b/.github/env/10-pre-commit.env @@ -26,7 +26,7 @@ # ๐Ÿช PRE-COMMIT TOOL VERSION # ================================================================================================ -GO_PRE_COMMIT_VERSION=v1.6.2 +GO_PRE_COMMIT_VERSION=v1.7.0 GO_PRE_COMMIT_USE_LOCAL=false # ================================================================================================ @@ -52,7 +52,7 @@ GO_PRE_COMMIT_ALL_FILES=true # ๐Ÿ› ๏ธ TOOL VERSIONS # ================================================================================================ -GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.10.1 +GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.11.1 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2 GO_PRE_COMMIT_GOIMPORTS_VERSION=latest GO_PRE_COMMIT_GITLEAKS_VERSION=v8.30.0 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7e949fe..609d9f8 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -46,7 +46,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5 + uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -57,7 +57,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5 + uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 # โ„น๏ธ Command-line programs to run using the OS shell. # ๐Ÿ“š https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # uses a compiled language - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5 + uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 diff --git a/.github/workflows/fortress-benchmarks.yml b/.github/workflows/fortress-benchmarks.yml index 6208934..db91c7a 100644 --- a/.github/workflows/fortress-benchmarks.yml +++ b/.github/workflows/fortress-benchmarks.yml @@ -144,6 +144,7 @@ jobs: go-secondary-version: ${{ inputs.go-secondary-version }} go-sum-file: ${{ inputs.go-sum-file }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path diff --git a/.github/workflows/fortress-code-quality.yml b/.github/workflows/fortress-code-quality.yml index 63d92e6..3c76388 100644 --- a/.github/workflows/fortress-code-quality.yml +++ b/.github/workflows/fortress-code-quality.yml @@ -94,6 +94,7 @@ jobs: go-secondary-version: ${{ inputs.go-primary-version }} go-sum-file: ${{ env.GO_SUM_FILE }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path 
@@ -316,6 +317,7 @@ jobs: go-secondary-version: ${{ inputs.go-primary-version }} go-sum-file: ${{ env.GO_SUM_FILE }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path @@ -596,6 +598,7 @@ jobs: go-secondary-version: ${{ inputs.go-primary-version }} go-sum-file: ${{ env.GO_SUM_FILE }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path diff --git a/.github/workflows/fortress-coverage.yml b/.github/workflows/fortress-coverage.yml index bfc1331..08d2947 100644 --- a/.github/workflows/fortress-coverage.yml +++ b/.github/workflows/fortress-coverage.yml @@ -176,6 +176,7 @@ jobs: go-secondary-version: ${{ env.GO_SECONDARY_VERSION }} go-sum-file: ${{ inputs.go-sum-file }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path diff --git a/.github/workflows/fortress-pre-commit.yml b/.github/workflows/fortress-pre-commit.yml index 6169215..f739f07 100644 --- a/.github/workflows/fortress-pre-commit.yml +++ b/.github/workflows/fortress-pre-commit.yml @@ -33,6 +33,10 @@ on: description: "Path to go.sum file for dependency verification" required: true type: string + secrets: + github-token: + description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)" + required: false outputs: pre-commit-version: description: "Version of go-pre-commit used" 
@@ -87,6 +91,7 @@ jobs: go-secondary-version: ${{ inputs.go-primary-version }} go-sum-file: ${{ env.GO_SUM_FILE }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path @@ -690,6 +695,14 @@ jobs: if [ "${CHECKS_EXIT:-0}" -ne 0 ]; then echo "โŒ Pre-commit checks failed with exit code: ${CHECKS_EXIT}" + # Persist cleaned output to log file for summary and artifact upload + # Use printf to avoid echo misinterpreting leading -n/-e in output + printf '%s\n' "$CHECKS_OUTPUT" | \ + sed -E 's/\x1b\[[0-9;]*[mGKH]//g' | \ + sed 's/\xc2\x9b\[[0-9;]*[mGKH]//g' | \ + sed 's/๏ฟฝ\[[0-9;]*[mGKH]//g' | \ + sed 's/๏ฟฝ//g' | \ + tr -d '\033' > pre-commit-output.log # Emit GitHub annotation for visibility at top of summary echo "::error title=Pre-commit Checks Failed::Code quality issues detected - formatting, linting, or other pre-commit checks failed" exit ${CHECKS_EXIT} @@ -843,15 +856,35 @@ jobs: fi done echo "" >> $GITHUB_STEP_SUMMARY - if [[ "${{ env.GO_PRE_COMMIT_ALL_FILES }}" == "true" ]]; then - echo "๐ŸŽฏ **All pre-commit checks passed successfully on all repository files.**" >> $GITHUB_STEP_SUMMARY - elif [[ "${{ steps.detect-files.outputs.files_found }}" == "true" ]]; then - FILE_COUNT=$(echo "${{ steps.detect-files.outputs.changed_files }}" | wc -l | tr -d ' ') - echo "๐ŸŽฏ **All pre-commit checks passed successfully on $FILE_COUNT changed files.**" >> $GITHUB_STEP_SUMMARY + # Show failure details or success summary based on run-checks outcome + log presence + if [[ -f pre-commit-output.log ]]; then + # Normal failure: log file was created, show full error details + echo "### ๐Ÿšจ Error Details" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY - echo "โšก **Performance**: Fast CI execution by checking only changed files instead of entire repository." >> $GITHUB_STEP_SUMMARY + echo "
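Review bot: Two of the five filters in the new `sed` chain that writes `pre-commit-output.log` contain a literal U+FFFD replacement character (as rendered here) where an escape byte was presumably intended; if that is what is committed, those two expressions never match real output, and the `\x1b` and `\xc2\x9b` forms already cover the ESC and C1-CSI cases, so they can simply be dropped. Note also that `\x1b`/`\xc2\x9b` inside a `sed` pattern are GNU extensions — a macOS/BSD `sed` treats them as literal characters — so if this job can ever land on a non-Linux `primary-runner`, produce the bytes with bash quoting instead: `sed -E $'s/\x1b\\[[0-9;]*[mGKH]//g'`. The enclosing `run:` body starts and ends outside the hunk.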
" >> $GITHUB_STEP_SUMMARY + echo "Click to expand full output" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + head -200 pre-commit-output.log >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + echo "
" >> $GITHUB_STEP_SUMMARY + elif [[ "${{ steps.run-checks.outcome }}" == "failure" ]]; then + # Early failure: step failed before the log file could be written + # (e.g. invalid binary path, mktemp failure, etc.) + echo "### ๐Ÿšจ Error Details" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Pre-commit checks failed before an output log could be generated. Review the **Run pre-commit checks** step logs for details." >> $GITHUB_STEP_SUMMARY else - echo "๐ŸŽฏ **Pre-commit checks completed (no files required checking).**" >> $GITHUB_STEP_SUMMARY + if [[ "${{ env.GO_PRE_COMMIT_ALL_FILES }}" == "true" ]]; then + echo "๐ŸŽฏ **All pre-commit checks passed successfully on all repository files.**" >> $GITHUB_STEP_SUMMARY + elif [[ "${{ steps.detect-files.outputs.files_found }}" == "true" ]]; then + FILE_COUNT=$(echo "${{ steps.detect-files.outputs.changed_files }}" | wc -l | tr -d ' ') + echo "๐ŸŽฏ **All pre-commit checks passed successfully on $FILE_COUNT changed files.**" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "โšก **Performance**: Fast CI execution by checking only changed files instead of entire repository." >> $GITHUB_STEP_SUMMARY + else + echo "๐ŸŽฏ **Pre-commit checks completed (no files required checking).**" >> $GITHUB_STEP_SUMMARY + fi fi else echo "### โš ๏ธ Fallback Mode" >> $GITHUB_STEP_SUMMARY 
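Review bot: The re-indented `FILE_COUNT=$(echo "${{ steps.detect-files.outputs.changed_files }}" | wc -l | tr -d ' ')` line in the success branch still expands a step output straight into the shell script; if `changed_files` is built from the PR's file names (not visible here), a path containing `"` or `$(…)` executes in this step, and pre-commit is one of the jobs the header of `fortress.yml` lists as running for fork PRs. This commit fixes exactly that pattern in `parse-env/action.yml`, so apply the same treatment here: add `CHANGED_FILES: ${{ steps.detect-files.outputs.changed_files }}` (and the `${{ env.GO_PRE_COMMIT_ALL_FILES }}` / `${{ steps.run-checks.outcome }}` values) to the step's `env:` and use `FILE_COUNT=$(printf '%s\n' "$CHANGED_FILES" | wc -l | tr -d ' ')`. Separately, `head -200 pre-commit-output.log` is pasted inside a triple-backtick fence, so a tool output line consisting of three backticks ends the fence early and the rest of the log is rendered as markdown; a `~~~~` fence or a longer backtick run avoids that. The step's `env:` and the start of its `run:` body are outside the hunk.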
@@ -860,6 +893,18 @@ jobs: echo "- โœ… magex tidy" >> $GITHUB_STEP_SUMMARY fi + # -------------------------------------------------------------------- + # Upload pre-commit results (only present on failure) + # -------------------------------------------------------------------- + - name: ๐Ÿ“ค Upload pre-commit results + if: always() + uses: ./.github/actions/upload-artifact-resilient + with: + artifact-name: pre-commit-results + artifact-path: pre-commit-output.log + retention-days: "7" + if-no-files-found: ignore + # -------------------------------------------------------------------- # Collect cache statistics # -------------------------------------------------------------------- diff --git a/.github/workflows/fortress-release.yml b/.github/workflows/fortress-release.yml index 28edefa..97eacde 100644 --- a/.github/workflows/fortress-release.yml +++ b/.github/workflows/fortress-release.yml @@ -91,6 +91,7 @@ jobs: go-secondary-version: ${{ inputs.go-primary-version }} go-sum-file: ${{ inputs.go-sum-file }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Validate version tag format diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml index 0e9d477..fe7dbe8 100644 --- a/.github/workflows/fortress-security-scans.yml +++ b/.github/workflows/fortress-security-scans.yml @@ -99,6 +99,7 @@ jobs: go-secondary-version: ${{ inputs.go-primary-version }} go-sum-file: ${{ inputs.go-sum-file }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path 
@@ -297,6 +298,7 @@ jobs: go-secondary-version: ${{ inputs.go-primary-version }} go-sum-file: ${{ inputs.go-sum-file }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path @@ -506,6 +508,7 @@ jobs: if: ${{ inputs.enable-gitleaks }} permissions: contents: read + pull-requests: write steps: # -------------------------------------------------------------------- # Checkout code (required for local actions) @@ -561,7 +564,7 @@ jobs: continue-on-error: true uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 env: - GITHUB_TOKEN: ${{ secrets.github-token }} + GITHUB_TOKEN: ${{ github.token }} GITLEAKS_LICENSE: ${{ secrets.gitleaks-license }} GITLEAKS_NOTIFY_USER_LIST: ${{ env.GITLEAKS_NOTIFY_USER_LIST }} GITLEAKS_ENABLE_COMMENTS: "true" diff --git a/.github/workflows/fortress-setup-config.yml b/.github/workflows/fortress-setup-config.yml index 45db5cb..da9aece 100644 --- a/.github/workflows/fortress-setup-config.yml +++ b/.github/workflows/fortress-setup-config.yml @@ -568,6 +568,13 @@ jobs: echo "| **Features** | $ENABLED_FEATURES enabled ยท $DISABLED_FEATURES disabled |" >> $GITHUB_STEP_SUMMARY echo "| **Test Matrix** | $MATRIX_COUNT combinations |" >> $GITHUB_STEP_SUMMARY echo "| **Go Versions** | $(echo "$UNIQUE_GO_VERSIONS" | jq -r 'join(", ")') |" >> $GITHUB_STEP_SUMMARY + + # Show private module status if GOPRIVATE is configured + GOPRIVATE_VAL=$(echo "$ENV_JSON" | jq -r '.GOPRIVATE // ""') + if [ -n "$GOPRIVATE_VAL" ]; then + echo "| **Private Modules** | \`$GOPRIVATE_VAL\` |" >> $GITHUB_STEP_SUMMARY + fi + echo "" >> $GITHUB_STEP_SUMMARY # Fork PR Warning (if applicable) - this stays visible diff --git a/.github/workflows/fortress-test-fuzz.yml b/.github/workflows/fortress-test-fuzz.yml index a184b63..0b1d54f 100644 --- a/.github/workflows/fortress-test-fuzz.yml 
+++ b/.github/workflows/fortress-test-fuzz.yml @@ -44,6 +44,10 @@ on: description: "Path to go.sum file for dependency verification" required: true type: string + secrets: + github-token: + description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)" + required: false # Security: Restrict default permissions (jobs must explicitly request what they need) permissions: {} @@ -88,6 +92,7 @@ jobs: go-secondary-version: ${{ inputs.go-secondary-version }} go-sum-file: ${{ inputs.go-sum-file }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path diff --git a/.github/workflows/fortress-test-matrix.yml b/.github/workflows/fortress-test-matrix.yml index e2bcd22..a7cb04f 100644 --- a/.github/workflows/fortress-test-matrix.yml +++ b/.github/workflows/fortress-test-matrix.yml @@ -97,6 +97,10 @@ on: description: "Path to go.sum file for dependency verification" required: true type: string + secrets: + github-token: + description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)" + required: false # Security: Restrict default permissions (jobs must explicitly request what they need) permissions: {} @@ -151,6 +155,7 @@ jobs: go-secondary-version: ${{ inputs.go-secondary-version }} go-sum-file: ${{ inputs.go-sum-file }} enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }} + github-token: ${{ secrets.github-token }} # -------------------------------------------------------------------- # Extract Go module directory from GO_SUM_FILE path diff --git a/.github/workflows/fortress-test-suite.yml b/.github/workflows/fortress-test-suite.yml index dc89029..45e302e 100644 --- a/.github/workflows/fortress-test-suite.yml +++ b/.github/workflows/fortress-test-suite.yml 
@@ -145,6 +145,8 @@ jobs: redis-health-timeout: ${{ inputs.redis-health-timeout }} redis-trust-service-health: ${{ inputs.redis-trust-service-health }} go-sum-file: ${{ inputs.go-sum-file }} + secrets: + github-token: ${{ secrets.github-token }} # ---------------------------------------------------------------------------------- # Fuzz Testing Execution (Primary platform only) @@ -162,6 +164,8 @@ jobs: go-secondary-version: ${{ inputs.go-secondary-version }} fuzz-testing-enabled: ${{ inputs.fuzz-testing-enabled }} go-sum-file: ${{ inputs.go-sum-file }} + secrets: + github-token: ${{ secrets.github-token }} # ---------------------------------------------------------------------------------- # Test Results Validation (Aggregate all test results) diff --git a/.github/workflows/fortress-warm-cache.yml b/.github/workflows/fortress-warm-cache.yml index 94e6c01..5e253af 100644 --- a/.github/workflows/fortress-warm-cache.yml +++ b/.github/workflows/fortress-warm-cache.yml @@ -48,6 +48,10 @@ on: description: "Path to go.sum file for dependency verification" required: true type: string + secrets: + github-token: + description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)" + required: false # Security: Restrict default permissions (jobs must explicitly request what they need) permissions: {} @@ -153,3 +157,4 @@ jobs: redis-cache-force-pull: ${{ inputs.redis-cache-force-pull }} go-sum-file: ${{ inputs.go-sum-file }} enable-multi-module: ${{ steps.extract.outputs.enable_multi_module }} + github-token: ${{ secrets.github-token }} diff --git a/.github/workflows/fortress.yml b/.github/workflows/fortress.yml index 1ea2f75..a4008c6 100644 --- a/.github/workflows/fortress.yml +++ b/.github/workflows/fortress.yml 
@@ -30,8 +30,10 @@ # This workflow intelligently handles fork PRs by detecting fork status during setup # and conditionally skipping jobs that require repository secrets. Jobs are categorized: # -# FORK-SAFE (Always run - no secrets required): +# FORK-SAFE (Always run - secrets optional for private module auth): # โœ… setup, test-magex, warm-cache, code-quality, pre-commit, benchmarks, status-check +# Note: These jobs receive github-token for private Go module authentication (GOPRIVATE). +# On fork PRs, private module auth is skipped but jobs still run for public dependencies. # # FORK-UNSAFE (Skipped on fork PRs - require secrets): # โ›” security (OSSI_TOKEN, OSSI_USERNAME, GITLEAKS_LICENSE) @@ -116,7 +118,7 @@ jobs: env-file-count: ${{ needs.load-env.outputs.env-file-count }} var-count: ${{ needs.load-env.outputs.var-count }} secrets: - github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }} # ---------------------------------------------------------------------------------- # Test MAGE-X # ---------------------------------------------------------------------------------- @@ -130,7 +132,7 @@ jobs: env-json: ${{ needs.load-env.outputs.env-json }} primary-runner: ${{ needs.setup.outputs.primary-runner }} # ---------------------------------------------------------------------------------- - # Warm Go Caches (FORK-SAFE: No secrets required) + # Warm Go Caches (Secrets optional: only needed when GOPRIVATE is set for private modules) # ---------------------------------------------------------------------------------- warm-cache: name: ๐Ÿ’พ Warm Cache 
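Review bot: The new header sentence "On fork PRs, private module auth is skipped but jobs still run for public dependencies" overstates what happens: when `GOPRIVATE` names a module the build actually needs, `go mod download` in those jobs fails on fork PRs because the token expression resolves to `''`, so the jobs run but cannot pass. Reword it to say that plainly, e.g. `# Note: on fork PRs the token is withheld, so these jobs fail at module download if GOPRIVATE names modules the build needs; they only stay green when private modules are unused.` The same fork/PAT expression is now repeated eight times across the file; a one-line comment above the first occurrence explaining why it cannot be hoisted (the `secrets:` map of a reusable-workflow call cannot read the `env` context, if I read the context-availability rules correctly) would stop the next maintainer from trying.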
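Review bot: The `github-token` expression in the setup job's `secrets:` block prefers `GH_PAT_TOKEN`, and that token is now installed by `setup-go-with-cache` as a global git `insteadOf` credential for all of github.com in every job that receives it, so whatever scopes the PAT carries are exposed to every git operation in those jobs. Those scopes are not visible in this diff, so this is a request to confirm rather than a finding: for private module fetches a fine-grained token limited to `contents: read` on the private module repositories is sufficient, and a comment next to the expression should state that requirement, e.g. `# GH_PAT_TOKEN only needs contents:read on the GOPRIVATE repos; it is written into git config for the whole job`.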
@@ -148,6 +150,8 @@ jobs: redis-version: ${{ needs.setup.outputs.redis-version }} redis-cache-force-pull: ${{ needs.setup.outputs.redis-cache-force-pull }} go-sum-file: ${{ needs.setup.outputs.go-sum-file }} + secrets: + github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }} # ---------------------------------------------------------------------------------- # Security Scans (FORK-UNSAFE: Requires secrets - skipped on fork PRs) # ---------------------------------------------------------------------------------- @@ -163,6 +167,7 @@ jobs: needs.setup.outputs.is-fork-pr != 'true' permissions: contents: read # Read repository content for security scanning + pull-requests: write # Required: gitleaks needs to create PR comments uses: ./.github/workflows/fortress-security-scans.yml with: env-json: ${{ needs.load-env.outputs.env-json }} @@ -173,12 +178,12 @@ jobs: primary-runner: ${{ needs.setup.outputs.primary-runner }} go-sum-file: ${{ needs.setup.outputs.go-sum-file }} secrets: - github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }} gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }} ossi-token: ${{ secrets.OSSI_TOKEN }} ossi-username: ${{ secrets.OSSI_USERNAME }} # ---------------------------------------------------------------------------------- - # Pre-commit Checks (FORK-SAFE: No secrets required) + # Pre-commit Checks (Secrets optional: only needed when GOPRIVATE is set for private modules) # ---------------------------------------------------------------------------------- pre-commit: name: ๐Ÿช Pre-commit Checks 
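Review bot: `pull-requests: write` added to the `security` job is, if I read the reusable-workflow permission model correctly, inherited by every job in `fortress-security-scans.yml` that does not declare its own `permissions:` block — not only the gitleaks job, which in this diff does declare `contents: read` plus `pull-requests: write` for itself. Confirm that the remaining jobs in the called workflow, which are not visible here, each pin explicit `permissions:`, and extend the existing comment so the intent is recorded at the grant site: `pull-requests: write # gitleaks PR comments only; every other job in the called workflow must declare its own permissions`.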
@@ -198,8 +203,10 @@ jobs: go-primary-version: ${{ needs.setup.outputs.go-primary-version }} pre-commit-enabled: ${{ needs.setup.outputs.pre-commit-enabled }} go-sum-file: ${{ needs.setup.outputs.go-sum-file }} + secrets: + github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }} # ---------------------------------------------------------------------------------- - # Code Quality Checks (FORK-SAFE: No secrets required) + # Code Quality Checks (Secrets optional: only needed when GOPRIVATE is set for private modules) # ---------------------------------------------------------------------------------- code-quality: name: ๐Ÿ“Š Code Quality @@ -221,7 +228,7 @@ jobs: static-analysis-enabled: ${{ needs.setup.outputs.static-analysis-enabled }} go-sum-file: ${{ needs.setup.outputs.go-sum-file }} secrets: - github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }} # ---------------------------------------------------------------------------------- # Test Suite (FORK-UNSAFE: Requires CODECOV_TOKEN for coverage - skipped on fork PRs) # ---------------------------------------------------------------------------------- 
@@ -264,10 +271,10 @@ jobs: redis-trust-service-health: ${{ needs.setup.outputs.redis-trust-service-health }} go-sum-file: ${{ needs.setup.outputs.go-sum-file }} secrets: - github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }} CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} # ---------------------------------------------------------------------------------- - # Benchmark Suite (FORK-SAFE: No secrets required) + # Benchmark Suite (Secrets optional: only needed when GOPRIVATE is set for private modules) # ---------------------------------------------------------------------------------- benchmarks: name: ๐Ÿƒ Benchmarks @@ -298,7 +305,7 @@ jobs: redis-trust-service-health: ${{ needs.setup.outputs.redis-trust-service-health }} go-sum-file: ${{ needs.setup.outputs.go-sum-file }} secrets: - github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }} # ---------------------------------------------------------------------------------- # Final Status Check # ---------------------------------------------------------------------------------- @@ -492,7 +499,7 @@ jobs: golangci-lint-version: ${{ needs.code-quality.outputs.golangci-lint-version }} go-sum-file: ${{ needs.setup.outputs.go-sum-file }} secrets: - github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }} + github-token: ${{ github.event.pull_request.head.repo.fork != true && (secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN) || '' }} slack-webhook: ${{ secrets.SLACK_WEBHOOK || '' }} permissions: contents: write # Required: goreleaser needs to create GitHub releases 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 4c9cf3b..fa4e267 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -32,9 +32,8 @@ jobs: security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read + # Needed to checkout the repository. + contents: read steps: - name: "Checkout code" @@ -77,6 +76,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable the upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5 + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: sarif_file: results.sarif