build: update dependencies #43
| name: ci | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6.0.2 | |
| - name: Setup Go | |
| uses: actions/setup-go@v6.3.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Lint | |
| uses: golangci/golangci-lint-action@v9.2.0 | |
| with: | |
| version: v2.11.1 | |
| - name: Install analyzers | |
| run: | | |
| go install honnef.co/go/tools/cmd/staticcheck@2025.1.1 | |
| go install mvdan.cc/gofumpt@v0.7.0 | |
| go install github.com/securego/gosec/v2/cmd/gosec@v2.22.9 | |
| - name: Vet | |
| run: go vet ./... | |
| - name: Staticcheck | |
| run: '"$(go env GOPATH)/bin/staticcheck" ./...' | |
| - name: Gofumpt | |
| run: | | |
| changed="$("$(go env GOPATH)/bin/gofumpt" -l .)" | |
| if [ -n "$changed" ]; then | |
| printf 'gofumpt wants changes in:\n%s\n' "$changed" | |
| exit 1 | |
| fi | |
| - name: Gosec | |
| run: | | |
| "$(go env GOPATH)/bin/gosec" -exclude=G101,G115,G202,G301,G304 ./... | |
| test: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6.0.2 | |
| - name: Setup Go | |
| uses: actions/setup-go@v6.3.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Test with coverage | |
| run: go test ./... -coverprofile=coverage.out | |
| - name: Test with race detector | |
| run: go test -race ./... | |
| - name: Enforce coverage floor | |
| run: | | |
| total="$(go tool cover -func=coverage.out | awk '/^total:/ { sub(/%$/, "", $3); print $3 }')" | |
| awk -v total="$total" 'BEGIN { | |
| if (total == "") { | |
| print "missing coverage total" | |
| exit 1 | |
| } | |
| if (total + 0 < 80.0) { | |
| printf("coverage %.1f%% is below 80%%\n", total + 0) | |
| exit 1 | |
| } | |
| printf("coverage %.1f%%\n", total + 0) | |
| }' | |
| - name: Build | |
| run: go build ./cmd/discrawl | |
| deps: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6.0.2 | |
| - name: Setup Go | |
| uses: actions/setup-go@v6.3.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Verify module cache | |
| run: go mod verify | |
| - name: Install govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | |
| - name: Run govulncheck | |
| run: '"$(go env GOPATH)/bin/govulncheck" ./...' | |
| secrets: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Go | |
| uses: actions/setup-go@v6.3.0 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Install gitleaks | |
| run: go install github.com/zricethezav/gitleaks/v8@v8.30.0 | |
| - name: Scan git history | |
| run: | | |
| "$(go env GOPATH)/bin/gitleaks" git --no-banner --redact | |
| - name: Scan working tree | |
| run: | | |
| "$(go env GOPATH)/bin/gitleaks" dir . --no-banner --redact |
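Review bot: Every `uses:` step in this workflow references its action by a version tag (`actions/checkout@v6.0.2`, `actions/setup-go@v6.3.0`, `golangci/golangci-lint-action@v9.2.0`), and a tag can be repointed to different code after it has been reviewed. Pinning each action to its full commit SHA and keeping the version as a trailing comment, e.g. `uses: golangci/golangci-lint-action@<full-commit-sha> # v9.2.0`, makes every dependency update an explicit, reviewable change. The `go install ...@version` lines are less exposed, because module downloads are checked against the Go checksum database by default. Separately, the Gosec step's `-exclude=G101,G115,G202,G301,G304` has no comment explaining why those rules are disabled; a one-line rationale above the step would let reviewers judge whether each exclusion is still needed.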