Skip to content
CI

ci(deps): bump actions/cache from 5.0.1 to 5.0.2 #88

Sign in to view logs

ci(deps): bump actions/cache from 5.0.1 to 5.0.2

ci(deps): bump actions/cache from 5.0.1 to 5.0.2 #88

Workflow file for this run

.github/workflows/ci.yml at 20e0665
name: CI
on:
push:
branches: [main]
pull_request_target:
types: [opened, synchronize, reopened, labeled]
jobs:
# Security check for fork PRs - validates PR source before running workflows with secrets
security_check:
name: Security Check
runs-on: ubuntu-latest
if: github.event_name == 'pull_request_target'
outputs:
is_fork: ${{ steps.check.outputs.is_fork }}
is_safe: ${{ steps.check.outputs.is_safe }}
steps:
- name: Check PR source
id: check
run: |
IS_FORK="false"
IS_SAFE="false"
if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
IS_FORK="true"
echo "Fork PR detected from: ${{ github.event.pull_request.head.repo.full_name }}"
fi
# Check if PR has 'safe-to-test' label (maintainer approval)
if [ "${{ contains(github.event.pull_request.labels.*.name, 'safe-to-test') }}" = "true" ]; then
IS_SAFE="true"
echo "PR marked safe-to-test by maintainer"
fi
# Non-fork PRs are always safe
if [ "$IS_FORK" = "false" ]; then
IS_SAFE="true"
fi
echo "is_fork=$IS_FORK" >> $GITHUB_OUTPUT
echo "is_safe=$IS_SAFE" >> $GITHUB_OUTPUT
test:
name: Test
runs-on: ubuntu-latest
needs: [security_check]
if: |
always() &&
(github.event_name == 'push' ||
(github.event_name == 'pull_request_target' && needs.security_check.outputs.is_safe == 'true'))
permissions:
contents: read
strategy:
matrix:
go-version: ['1.24.x', '1.25.x']
steps:
- name: Checkout code
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v5.2.0
with:
go-version: ${{ matrix.go-version }}
- name: Cache Go modules
uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ matrix.go-version }}-
- name: Download dependencies
run: go mod download
- name: Verify dependencies
run: go mod verify
- name: Build
run: go build -v ./...
- name: Run tests with coverage
run: |
# Exclude examples from coverage
go list ./... | grep -v /examples | xargs go test -v -race -coverprofile=coverage.out -covermode=atomic
- name: Upload coverage to Codecov
if: matrix.go-version == '1.25.x'
uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v4.6.0
with:
files: ./coverage.out
flags: unittests
name: codecov-go-netconf
token: ${{ secrets.CODECOV_TOKEN }}
lint:
name: Lint
runs-on: ubuntu-latest
needs: [security_check]
if: |
always() &&
(github.event_name == 'push' ||
(github.event_name == 'pull_request_target' && needs.security_check.outputs.is_safe == 'true'))
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v5.2.0
with:
go-version: '1.25.x'
- name: Run golangci-lint
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
with:
version: latest
args: --timeout=5m
security:
name: Security
runs-on: ubuntu-latest
needs: [security_check]
if: |
always() &&
(github.event_name == 'push' ||
(github.event_name == 'pull_request_target' && needs.security_check.outputs.is_safe == 'true'))
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v5.2.0
with:
go-version: '1.25.x'
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
run: govulncheck ./...
# License header check job
# Security: pull_request_target grants write access and secrets to fork PRs
# Malicious PR could exfiltrate secrets via modified Makefile targets
# Gated by security_check requiring 'safe-to-test' label from maintainer
# See security_check job for fork PR protection details
license:
name: License Check
runs-on: ubuntu-latest
needs: [security_check]
if: |
always() &&
(github.event_name == 'push' ||
(github.event_name == 'pull_request_target' && needs.security_check.outputs.is_safe == 'true'))
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Set up Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v5.2.0
with:
go-version: '1.25.x'
- name: Cache Go modules
uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-1.25.x-addlicense-v1.1.1-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-1.25.x-addlicense-
- name: Install addlicense
run: go install github.com/google/addlicense@v1.1.1
- name: Check license headers
run: make check-license