chore: update golangci-lint configuration and improve CI workflow documentation

- Increased thresholds for funlen and lll linters to accommodate complex functions. - Added exclusions for dupl linter in specific files and directories to reduce false positives. - Updated CI workflow documentation to clarify triggers and requirements for SonarCloud analysis. - Removed unnecessary linter directives in several files for improved readability.
2025-12-02 22:57:34 -05:00
parent 306c69ba89
commit 2c0250d29a
11 changed files with 94 additions and 67 deletions
@@ -21,7 +21,7 @@ fmt → lint → test → sonarcloud
 | **fmt** | Format check using `gofmt -s` | - |
 | **lint** | Static analysis with `go vet` and `golangci-lint` | fmt |
 | **test** | Unit tests with race detector + coverage | lint |
-| **sonarcloud** | Code quality & security analysis | test |
+| **sonarcloud** | Code quality & security analysis (push to master only) | test |
 | **build** | Build verification for all packages | test |
 | **ci-success** | Final status check | all |

@@ -33,8 +33,21 @@ fmt → lint → test → sonarcloud
 - ✅ Concurrency control (cancels in-progress runs)

 **Triggers:**
- Push to `master`, `main`, `develop`
- Pull requests to `master`, `main`, `develop`
+- Push to `master`, `main`
+- All pull requests targeting `master`, `main`
+
+**Required for PR Merge:**
+All stages must pass before a PR can be merged. Configure branch protection rules in GitHub:
+1. Go to **Settings → Branches → Branch protection rules**
+2. Add rule for `master`
+3. Enable **Require status checks to pass before merging**
+4. Select these required checks:
+   - `Format Check`
+   - `Lint`
+   - `Test & Coverage`
+   - `SonarCloud Analysis`
+   - `Build Verification`
+   - `CI Success`

 ---

@@ -113,7 +126,8 @@ Dependency vulnerability review.
 │                                    ▼                   ▼       │
 │                            ┌────────────┐      ┌───────────┐   │
 │                            │ SONARCLOUD │      │   BUILD   │   │
-│                            └────────────┘      └───────────┘   │
+│                            │ (push only)│      └───────────┘   │
+│                            └────────────┘              │       │
 │                                    │                   │       │
 │                                    └─────────┬─────────┘       │
 │                                              ▼                 │
@@ -124,6 +138,7 @@ Dependency vulnerability review.
 └─────────────────────────────────────────────────────────────────┘

 ❌ If any stage fails, the pipeline stops immediately (fail-fast)
+ℹ️ SonarCloud only runs on push to master/main (skipped for PRs)
 ```

 ---
@@ -2,9 +2,10 @@ name: CI

 on:
  push:
-    branches: [master, main, develop]
+    branches: [master, main]
  pull_request:
-    branches: [master, main, develop]
+    branches: [master, main]
+    types: [opened, synchronize, reopened]

 permissions:
  contents: read
@@ -12,7 +13,7 @@ permissions:
  pull-requests: write

 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

 env:
@@ -138,14 +139,18 @@ jobs:
          files: ./coverage.out
          flags: unittests
          name: codecov-onvif-go
-          fail_ci_if_error: true
+          # Don't fail on PRs from forks where token may not be available
+          fail_ci_if_error: ${{ github.event_name == 'push' }}
          verbose: true

  # Stage 4: SonarCloud Analysis (depends on test)
+  # Only runs on push to master/main when SONAR_TOKEN is available
+  # Skipped for PRs from forks where secrets are not accessible
  sonarcloud:
    name: SonarCloud Analysis
    runs-on: ubuntu-latest
    needs: test
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main') && github.repository == '0x524a/onvif-go'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -235,10 +240,14 @@ jobs:
            echo "❌ Tests failed"
            exit 1
          fi
-          if [[ "${{ needs.sonarcloud.result }}" != "success" ]]; then
+          # SonarCloud is optional - only fails if it ran and failed (not if skipped)
+          if [[ "${{ needs.sonarcloud.result }}" == "failure" ]]; then
            echo "❌ SonarCloud analysis failed"
            exit 1
          fi
+          if [[ "${{ needs.sonarcloud.result }}" == "skipped" ]]; then
+            echo "ℹ️ SonarCloud analysis skipped (only runs on push to master/main)"
+          fi
          if [[ "${{ needs.build.result }}" != "success" ]]; then
            echo "❌ Build verification failed"
            exit 1