bd sync: 2025-11-24 18:07:18 #14
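---
# CI pipeline for the Go service.
#
# Jobs: test (unit + integration, race detector, coverage upload), lint
# (golangci-lint, gofmt, go vet), security (gosec SARIF upload, gitleaks),
# build (static binary artifact), code-quality (tidy check, TODO scan,
# ineffassign) and deps (module graph / download check). Only `build`
# depends on other jobs; everything else runs in parallel.
name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Least privilege for the default GITHUB_TOKEN. Jobs that need more
# (the SARIF upload in `security`) widen it at job level.
permissions:
  contents: read

env:
  GO_VERSION: '1.22'

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      # Redundant with setup-go's `cache: true` (same two paths); harmless,
      # kept so the explicit cache key is still produced.
      - name: Cache go modules
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      - name: Download dependencies
        run: go mod download

      # Fails if any downloaded module does not match go.sum.
      - name: Verify dependencies
        run: go mod verify

      - name: Run tests with race detection
        run: go test -v -race -coverprofile=coverage.out ./...

      - name: Run integration tests
        run: go test -v -race -tags=integration ./tests/...

      # Coverage upload is best-effort: a Codecov outage must not fail CI.
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v4
        with:
          file: ./coverage.out
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: false

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      # NOTE(review): `version: latest` is unpinned, so lint results can
      # change between runs without a code change; pin a release tag.
      - name: Install golangci-lint
        uses: golangci/golangci-lint-action@v4
        with:
          version: latest
          args: --timeout=5m

      # Run gofmt once and reuse the output instead of invoking it twice.
      - name: Run gofmt check
        run: |
          unformatted=$(gofmt -s -l .)
          if [ -n "$unformatted" ]; then
            echo "The following files are not formatted:"
            echo "$unformatted"
            exit 1
          fi

      - name: Run go vet
        run: go vet ./...

  security:
    name: Security
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required by github/codeql-action/upload-sarif; without it the
      # upload step fails under the read-only default token.
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # gitleaks scans commit history, not only the working tree.
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      # NOTE(review): `@master` is a mutable ref, so the code that runs here
      # can change without a change in this repo. Pin to a release tag or a
      # full commit SHA of this action.
      # `-no-fail` keeps the job green on findings; they surface via SARIF
      # in the Security tab rather than by failing CI.
      - name: Install Gosec Security Scanner
        uses: securecodewarrior/github-action-gosec@master
        with:
          args: '-no-fail -fmt sarif -out results.sarif ./...'

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      # Secret scan of the repository history (step was mislabeled "GOSASS").
      - name: Run gitleaks secret scan
        uses: zricethezav/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [test, lint, security]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      # Redundant with setup-go's `cache: true` (same two paths); harmless,
      # kept so the explicit cache key is still produced.
      - name: Cache go modules
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      - name: Download dependencies
        run: go mod download

      # Static binary (no cgo), symbol table and DWARF stripped (-w -s).
      - name: Build binary
        run: |
          CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags="-w -s" -o cortex ./cmd/router

      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          name: cortex-linux-amd64
          path: cortex
          retention-days: 7

      - name: Check binary size
        run: |
          size=$(stat -c%s cortex)
          echo "Binary size: $size bytes"
          # Warn (do not fail) if the binary exceeds 50MB (50 * 1024 * 1024).
          if [ "$size" -gt 52428800 ]; then
            echo "::warning::Binary size is larger than 50MB"
          fi

  code-quality:
    name: Code Quality
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      # Fails when `go mod tidy` would change go.mod or go.sum. Comparing
      # against the checked-out tree via git avoids the temporary .bak copies.
      - name: Go mod tidy check
        run: |
          go mod tidy
          if ! git diff --exit-code -- go.mod go.sum; then
            echo "go.mod or go.sum is not tidy; run 'go mod tidy' and commit the result"
            exit 1
          fi

      # Warn-only scan of non-test Go sources.
      - name: Check for TODO/FIXME comments
        run: |
          if grep -rn --include='*.go' --exclude='*_test.go' -E 'TODO|FIXME' .; then
            echo "::warning::Found TODO/FIXME comments in production code"
          fi

      # NOTE(review): `@latest` is unpinned; pin a tagged version for
      # reproducible runs.
      - name: Run ineffassign
        run: |
          go install github.com/gordonklaus/ineffassign@latest
          ineffassign ./...

  deps:
    name: Dependency Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      # Fails if the module graph cannot be resolved. deps.json is only a
      # by-product here; no later step consumes it.
      - name: Run go list to check for module issues
        run: go list -json -m all | jq . > deps.json

      # Confirms every direct dependency is still downloadable. `go list -m all`
      # does not print the "indirect" marker, so the filter uses the module
      # template fields instead; the main module (no version) is skipped.
      - name: Check that direct dependencies are downloadable
        run: |
          go mod download
          go list -m -f '{{if and (not .Main) (not .Indirect)}}{{.Path}} {{.Version}}{{end}}' all \
            | grep . | while read -r module version; do
            echo "Checking $module@$version"
            # Availability check only - a real license audit needs a dedicated tool.
            if ! go mod download -json "$module@$version" >/dev/null 2>&1; then
              echo "::warning::Could not download $module@$version"
            fi
          done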