[StepSecurity] ci: Harden GitHub Actions (#3304) #10076

	name: QAN

	on:
	push:
	branches:
	- main
	- pmm-*
	tags:
	- v[0-9]+.[0-9]+.[0-9]+*

	pull_request:
	paths-ignore:
	- "admin/**"
	- "agent/**"
	- "api-tests/**"
	- "cli-tests/**"
	- "docs/**"
	- "managed/**"
	- "update/**"
	- "vmproxy/**"

	permissions:
	contents: read

	jobs:
	test:
	name: Tests
	runs-on: ubuntu-22.04
	strategy:
	fail-fast: false

	defaults:
	run:
	working-directory: ${{ github.workspace }}/qan-api2

	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Set up Go release
	uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
	with:
	go-version-file: ${{ github.workspace }}/go.mod
	cache: false

	- name: Enable Go build cache
	uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
	with:
	path: ~/.cache/go-build
	key: ${{ runner.os }}-go-build-${{ github.ref }}-${{ hashFiles('**') }}
	restore-keys: \|
	${{ runner.os }}-go-build-${{ github.ref }}-
	${{ runner.os }}-go-build-

	- name: Enable Go modules cache
	uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
	with:
	path: ~/go/pkg/mod
	key: ${{ runner.os }}-go-modules-${{ hashFiles('**/go.sum') }}
	restore-keys: ${{ runner.os }}-go-modules-

	- name: Download Go modules
	run: go mod download -x

	- name: Build and install
	run: make install

	- name: Initialize CI environment
	run: make test-env-up

	- name: Run Tests
	run: \|
	make test-race
	make test-cover

	- name: Run debug commands on failure
	if: ${{ failure() }}
	run: \|
	env
	go version
	go env
	pwd
	git status

Provide feedback