gilles/onvif-go
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add or update .codecov copy.yml

Browse Source
This commit is contained in:
ProtoTess
2026-01-16 04:11:59 +00:00
parent ef340c0e5a
commit 66f6a4e838
391 changed files with 131885 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github copy/workflows/README.md
+180
View File
@@ -0,0 +1,180 @@
# GitHub Actions Workflows
This directory contains all CI/CD workflows for the ONVIF Go library.
## Workflows
### 🔄 CI (`ci.yml`) - Main Pipeline
**Unified continuous integration workflow with fail-fast behavior.**
The CI pipeline runs sequentially - if any stage fails, subsequent stages are skipped:
```
fmt → lint → test → sonarcloud
↘ build
```
**Stages:**
| Stage | Description | Depends On |
|-------|-------------|------------|
| **fmt** | Format check using `gofmt -s` | - |
| **lint** | Static analysis with `go vet` and `golangci-lint` | fmt |
| **test** | Unit tests with race detector + coverage | lint |
| **sonarcloud** | Code quality & security analysis (push to master only) | test |
| **build** | Build verification for all packages | test |
| **ci-success** | Final status check | all |
**Features:**
- ✅ Fail-fast: stops immediately if any check fails
- ✅ Codecov integration for coverage reporting
- ✅ SonarCloud integration for code quality
- ✅ Go module caching for faster builds
- ✅ Concurrency control (cancels in-progress runs)
**Triggers:**
- Push to `master`, `main`
- All pull requests targeting `master`, `main`
**Required for PR Merge:**
All stages must pass before a PR can be merged. Configure branch protection rules in GitHub:
1. Go to **Settings → Branches → Branch protection rules**
2. Add rule for `master`
3. Enable **Require status checks to pass before merging**
4. Select these required checks:
- `Format Check`
- `Lint`
- `Test & Coverage`
- `SonarCloud Analysis`
- `Build Verification`
- `CI Success`
---
### 🧪 Extended Tests (`test.yml`)
Extended testing workflow for comprehensive test coverage.
**Jobs:**
- **test-older-versions** - Test on older Go versions (1.19, 1.20)
- **benchmark** - Run benchmark tests
- **race-detector** - Extended race detector tests
**Triggers:**
- Manual dispatch
- Weekly schedule (Sunday 2 AM UTC)
- Push to `master`/`main` when Go files change
---
### 🚀 Release (`release.yml`)
Automated release workflow for creating GitHub releases.
**Jobs:**
- **build** - Build binaries for all platforms (Linux, Windows, macOS, multiple architectures)
- **release** - Create GitHub release with artifacts
- **docker** - Build and push Docker images to GHCR
**Triggers:**
- Push tags matching `v*.*.*`
- Manual dispatch with version input
---
### 🔒 Security (`security.yml`)
Security scanning workflow.
**Jobs:**
- **gosec** - Security scanner
- **govulncheck** - Vulnerability checker
**Triggers:**
- Push to `master`/`main`
- Pull requests
- Weekly schedule
---
### 📚 Documentation (`docs.yml`)
Documentation validation workflow.
**Triggers:**
- Push to `master`/`main` when docs change
- Manual dispatch
---
### 🔐 Dependency Review (`dependency-review.yml`)
Dependency vulnerability review.
**Triggers:**
- Pull requests
---
## CI Pipeline Flow
```
┌─────────────────────────────────────────────────────────────────┐
│ CI PIPELINE │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────┐ ┌─────────┐ ┌─────────────────────────┐ │
│ │ FMT │────▶│ LINT │────▶│ TEST + COVERAGE │ │
│ └─────────┘ └─────────┘ └───────────┬─────────────┘ │
│ │ │
│ ┌─────────┴─────────┐ │
│ ▼ ▼ │
│ ┌────────────┐ ┌───────────┐ │
│ │ SONARCLOUD │ │ BUILD │ │
│ │ (push only)│ └───────────┘ │
│ └────────────┘ │ │
│ │ │ │
│ └─────────┬─────────┘ │
│ ▼ │
│ ┌─────────────────┐ │
│ │ CI SUCCESS │ │
│ └─────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
❌ If any stage fails, the pipeline stops immediately (fail-fast)
️ SonarCloud only runs on push to master/main (skipped for PRs)
```
---
## SonarCloud Configuration
Security Hotspot analysis excludes:
- Test files (`**/*_test.go`)
- CI configuration (`**/.github/**`)
- Test utilities (`**/testing/**`, `**/testdata/**`)
- Example code (`**/examples/**`)
- CLI tools (`**/cmd/**`)
This ensures security analysis focuses on production library code.
---
## Required Secrets
| Secret | Required | Description |
|--------|----------|-------------|
| `CODECOV_TOKEN` | Yes | Coverage reporting to Codecov |
| `SONAR_TOKEN` | Yes | SonarCloud code analysis |
| `DOCKERHUB_USERNAME` | No | Docker Hub releases |
| `DOCKERHUB_TOKEN` | No | Docker Hub releases |
---
## Workflow Status
- ✅ Go 1.24 as primary version
- ✅ Unified fail-fast CI pipeline
- ✅ Go module caching for faster builds
- ✅ Artifact uploads for coverage and releases
- ✅ Concurrency control
---
*Last Updated: December 3, 2025*
.github copy/workflows/ci.yml
+255
View File
@@ -0,0 +1,255 @@
name: CI
on:
push:
branches: [master, main]
pull_request:
branches: [master, main]
types: [opened, synchronize, reopened]
permissions:
contents: read
checks: write
pull-requests: write
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
env:
GO_VERSION: '1.24.x'
jobs:
# Stage 1: Format Check (fastest - fail immediately if code isn't formatted)
fmt:
name: Format Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Check formatting
run: |
unformatted=$(gofmt -s -l . | grep -v vendor || true)
if [ -n "$unformatted" ]; then
echo "❌ The following files are not properly formatted:"
echo "$unformatted"
echo ""
echo "Run 'gofmt -s -w .' to fix formatting issues"
exit 1
fi
echo "✅ All files are properly formatted"
# Stage 2: Lint (depends on fmt)
lint:
name: Lint
runs-on: ubuntu-latest
needs: fmt
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Cache Go modules
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ env.GO_VERSION }}-
- name: Download dependencies
run: go mod download
- name: Run go vet
run: go vet ./...
- name: Run golangci-lint
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v6.5.0
with:
version: v2.1.6
args: --timeout=5m
# Stage 3: Test with Coverage (depends on lint)
test:
name: Test & Coverage
runs-on: ubuntu-latest
needs: lint
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # Full history for SonarCloud
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Cache Go modules
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ env.GO_VERSION }}-
- name: Download dependencies
run: go mod download
- name: Run tests with coverage
run: |
go test -v -race -covermode=atomic -coverprofile=coverage.out -json ./... > test-report.json 2>&1 || true
# Ensure coverage file exists even if tests fail
if [ ! -f coverage.out ]; then
echo "mode: atomic" > coverage.out
fi
- name: Display coverage summary
run: |
echo "📊 Coverage Summary:"
go tool cover -func=coverage.out | tail -20
- name: Upload coverage artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: coverage-reports
path: |
coverage.out
test-report.json
retention-days: 7
- name: Upload to Codecov
uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v4.6.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.out
flags: unittests
name: codecov-onvif-go
# Don't fail on PRs from forks where token may not be available
fail_ci_if_error: ${{ github.event_name == 'push' }}
verbose: true
# Stage 4: SonarCloud Analysis (depends on test)
# Only runs on push to master/main when SONAR_TOKEN is available
# Skipped for PRs from forks where secrets are not accessible
sonarcloud:
name: SonarCloud Analysis
runs-on: ubuntu-latest
needs: test
if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main') && github.repository == '0x524a/onvif-go'
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # Full history for accurate blame information
- name: Download coverage reports
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: coverage-reports
- name: Verify coverage file
run: |
echo "📁 Downloaded files:"
ls -la
if [ -f coverage.out ]; then
echo "✅ Coverage file found"
head -5 coverage.out
else
echo "⚠️ Coverage file not found, creating empty one"
echo "mode: atomic" > coverage.out
fi
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 # v3.1.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# Stage 5: Build Verification (depends on test, runs in parallel with sonarcloud)
build:
name: Build Verification
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Cache Go modules
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ env.GO_VERSION }}-
- name: Download dependencies
run: go mod download
- name: Build library
run: go build -v ./...
- name: Build CLI tools
run: |
echo "🔨 Building CLI tools..."
go build -v -o bin/onvif-cli ./cmd/onvif-cli
go build -v -o bin/onvif-quick ./cmd/onvif-quick
go build -v -o bin/onvif-server ./cmd/onvif-server
go build -v -o bin/onvif-diagnostics ./cmd/onvif-diagnostics
echo "✅ All CLI tools built successfully"
# Final status check
ci-success:
name: CI Success
runs-on: ubuntu-latest
needs: [fmt, lint, test, sonarcloud, build]
if: always()
steps:
- name: Check all jobs status
run: |
if [[ "${{ needs.fmt.result }}" != "success" ]]; then
echo "❌ Format check failed"
exit 1
fi
if [[ "${{ needs.lint.result }}" != "success" ]]; then
echo "❌ Lint check failed"
exit 1
fi
if [[ "${{ needs.test.result }}" != "success" ]]; then
echo "❌ Tests failed"
exit 1
fi
# SonarCloud is optional - only fails if it ran and failed (not if skipped)
if [[ "${{ needs.sonarcloud.result }}" == "failure" ]]; then
echo "❌ SonarCloud analysis failed"
exit 1
fi
if [[ "${{ needs.sonarcloud.result }}" == "skipped" ]]; then
echo "️ SonarCloud analysis skipped (only runs on push to master/main)"
fi
if [[ "${{ needs.build.result }}" != "success" ]]; then
echo "❌ Build verification failed"
exit 1
fi
echo "✅ All CI checks passed successfully!"
.github copy/workflows/dependency-review.yml
+22
View File
@@ -0,0 +1,22 @@
name: Dependency Review
on:
pull_request:
branches: [ master, main, develop ]
permissions:
contents: read
jobs:
dependency-review:
name: Review Dependencies
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Dependency Review
uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
with:
fail-on-severity: moderate
.github copy/workflows/docs.yml
+33
View File
@@ -0,0 +1,33 @@
name: Documentation
on:
push:
branches: [ master, main ]
paths:
- 'docs/**'
- '*.md'
workflow_dispatch:
permissions:
contents: read
jobs:
docs-check:
name: Documentation Check
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Check for broken links
uses: lycheeverse/lychee-action@f81112d0d2814ded911bd23e3beaa9dda9093915 # v2.3.0
with:
args: --verbose --no-progress docs/ *.md
continue-on-error: true
- name: Validate markdown
uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2c8a4c84aa7067b5e06 # v19.0.0
with:
globs: 'docs/**/*.md'
continue-on-error: true
.github copy/workflows/release.yml
+286
View File
@@ -0,0 +1,286 @@
name: Release
on:
push:
tags:
- 'v*.*.*'
workflow_dispatch:
inputs:
version:
description: 'Release version (e.g., v1.2.3)'
required: true
permissions:
contents: write
jobs:
build:
name: Build Release Binaries
runs-on: ubuntu-latest
strategy:
matrix:
include:
# Linux
- goos: linux
goarch: amd64
- goos: linux
goarch: arm64
- goos: linux
goarch: arm
goarm: 7
# Windows
- goos: windows
goarch: amd64
- goos: windows
goarch: arm64
# macOS
- goos: darwin
goarch: amd64
- goos: darwin
goarch: arm64
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.24.x'
- name: Get version
id: version
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
VERSION="${{ github.event.inputs.version }}"
else
VERSION=${GITHUB_REF#refs/tags/}
fi
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
echo "SHORT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
echo "Version: ${VERSION}"
- name: Build binaries
env:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
GOARM: ${{ matrix.goarm }}
CGO_ENABLED: 0
run: |
VERSION=${{ steps.version.outputs.VERSION }}
SHORT_SHA=${{ steps.version.outputs.SHORT_SHA }}
LDFLAGS="-s -w -X main.Version=${VERSION} -X main.Commit=${SHORT_SHA}"
# Set file extension for Windows
EXT=""
if [ "${{ matrix.goos }}" = "windows" ]; then
EXT=".exe"
fi
# Build all CLI tools
mkdir -p dist
echo "🔨 Building onvif-cli..."
go build -ldflags="${LDFLAGS}" -o "dist/onvif-cli-${{ matrix.goos }}-${{ matrix.goarch }}${EXT}" ./cmd/onvif-cli
echo "🔨 Building onvif-quick..."
go build -ldflags="${LDFLAGS}" -o "dist/onvif-quick-${{ matrix.goos }}-${{ matrix.goarch }}${EXT}" ./cmd/onvif-quick
echo "🔨 Building onvif-server..."
go build -ldflags="${LDFLAGS}" -o "dist/onvif-server-${{ matrix.goos }}-${{ matrix.goarch }}${EXT}" ./cmd/onvif-server
echo "🔨 Building onvif-diagnostics..."
go build -ldflags="${LDFLAGS}" -o "dist/onvif-diagnostics-${{ matrix.goos }}-${{ matrix.goarch }}${EXT}" ./cmd/onvif-diagnostics
- name: Create archive
run: |
VERSION=${{ steps.version.outputs.VERSION }}
PLATFORM="${{ matrix.goos }}-${{ matrix.goarch }}"
ARCHIVE_NAME="onvif-go-${VERSION}-${PLATFORM}"
mkdir -p releases staging
# Copy binaries with clean names (without platform suffix)
if [ "${{ matrix.goos }}" = "windows" ]; then
cp dist/onvif-cli-${{ matrix.goos }}-${{ matrix.goarch }}.exe staging/onvif-cli.exe
cp dist/onvif-quick-${{ matrix.goos }}-${{ matrix.goarch }}.exe staging/onvif-quick.exe
cp dist/onvif-server-${{ matrix.goos }}-${{ matrix.goarch }}.exe staging/onvif-server.exe
cp dist/onvif-diagnostics-${{ matrix.goos }}-${{ matrix.goarch }}.exe staging/onvif-diagnostics.exe
else
cp dist/onvif-cli-${{ matrix.goos }}-${{ matrix.goarch }} staging/onvif-cli
cp dist/onvif-quick-${{ matrix.goos }}-${{ matrix.goarch }} staging/onvif-quick
cp dist/onvif-server-${{ matrix.goos }}-${{ matrix.goarch }} staging/onvif-server
cp dist/onvif-diagnostics-${{ matrix.goos }}-${{ matrix.goarch }} staging/onvif-diagnostics
fi
# Copy documentation
cp README.md LICENSE staging/ 2>/dev/null || true
# Create archive from staging directory
if [ "${{ matrix.goos }}" = "windows" ]; then
cd staging
zip -r "../releases/${ARCHIVE_NAME}.zip" .
cd ..
else
cd staging
tar czf "../releases/${ARCHIVE_NAME}.tar.gz" .
cd ..
fi
echo "✅ Created ${ARCHIVE_NAME}.tar.gz"
- name: Generate checksums
run: |
cd releases
if command -v sha256sum >/dev/null 2>&1; then
sha256sum * > checksums-${{ matrix.goos }}-${{ matrix.goarch }}.txt
else
shasum -a 256 * > checksums-${{ matrix.goos }}-${{ matrix.goarch }}.txt
fi
- name: Upload artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: release-${{ matrix.goos }}-${{ matrix.goarch }}
path: releases/*
retention-days: 7
release:
name: Create GitHub Release
needs: build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Download all artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: all-releases
pattern: release-*
merge-multiple: true
- name: Generate combined checksums
run: |
cd all-releases
# Combine all checksum files
cat checksums-*.txt > checksums.txt 2>/dev/null || true
# Remove individual checksum files
rm -f checksums-*.txt
- name: Get version and changelog
id: version
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
VERSION="${{ github.event.inputs.version }}"
else
VERSION=${GITHUB_REF#refs/tags/}
fi
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
# Generate changelog from commits since last tag
PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
if [ -n "$PREV_TAG" ]; then
echo "CHANGELOG<<EOF" >> $GITHUB_OUTPUT
git log --pretty=format:"- %s (%h)" ${PREV_TAG}..HEAD >> $GITHUB_OUTPUT
echo "" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
else
echo "CHANGELOG=Initial release" >> $GITHUB_OUTPUT
fi
- name: Create Release
uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.2
with:
files: all-releases/*
draft: false
prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha') }}
generate_release_notes: true
make_latest: true
body: |
## Release ${{ steps.version.outputs.VERSION }}
### 📦 Installation
Download the appropriate binary for your platform below.
#### Linux/macOS
```bash
# Download and extract
wget https://github.com/${{ github.repository }}/releases/download/${{ steps.version.outputs.VERSION }}/onvif-go-${{ steps.version.outputs.VERSION }}-linux-amd64.tar.gz
tar xzf onvif-go-${{ steps.version.outputs.VERSION }}-linux-amd64.tar.gz
# Make executable and move to PATH
chmod +x onvif-cli
sudo mv onvif-cli /usr/local/bin/onvif-cli
```
#### Windows
Download the `.zip` file for your architecture and extract it.
#### Go Library
```bash
go get github.com/${{ github.repository }}@${{ steps.version.outputs.VERSION }}
```
### 🔐 Checksums
SHA256 checksums are available in `checksums.txt`
### 📝 Changes
${{ steps.version.outputs.CHANGELOG }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
docker:
name: Build and Push Docker Image
needs: build
runs-on: ubuntu-latest
if: (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) || github.event_name == 'workflow_dispatch'
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.6.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
- name: Login to GitHub Container Registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get version
id: version
run: |
if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
VERSION="${{ github.event.inputs.version }}"
# Remove 'v' prefix if present
VERSION=${VERSION#v}
else
VERSION=${GITHUB_REF#refs/tags/v}
fi
echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
- name: Build and push
uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v5.5.0
with:
context: .
platforms: linux/amd64,linux/arm64,linux/arm/v7
push: true
tags: |
ghcr.io/${{ github.repository }}:latest
ghcr.io/${{ github.repository }}:${{ steps.version.outputs.VERSION }}
cache-from: type=gha
cache-to: type=gha,mode=max
.github copy/workflows/security.yml
+69
View File
@@ -0,0 +1,69 @@
name: Security Scan
on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
schedule:
- cron: '0 0 * * 0' # Weekly on Sunday
permissions:
contents: read
security-events: write
jobs:
gosec:
name: Security Scan (gosec)
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.24.x'
- name: Install and run gosec
run: |
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec -no-fail -fmt json -out gosec-report.json ./... || true
- name: Upload gosec report
if: always()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: gosec-report
path: gosec-report.json
retention-days: 30
- name: Display gosec results
if: always()
run: |
if [ -f gosec-report.json ]; then
echo "📊 Gosec Security Scan Results:"
cat gosec-report.json | jq -r '.Stats // empty' || echo "No stats available"
echo ""
echo "Issues found:"
cat gosec-report.json | jq -r '.Issues[]? | "\(.severity | ascii_upcase): \(.rule_id) - \(.details)"' || echo "No issues found"
fi
govulncheck:
name: Vulnerability Check (govulncheck)
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.24.x'
- name: Run govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./... || true
.github copy/workflows/test.yml
+108
View File
@@ -0,0 +1,108 @@
name: Extended Tests
on:
workflow_dispatch: # Manual trigger
schedule:
- cron: '0 2 * * 0' # Weekly on Sunday at 2 AM UTC
push:
branches: [ master, main ]
paths:
- '**.go'
- 'go.mod'
- 'go.sum'
jobs:
# Run tests on older Go versions
test-older-versions:
name: Test on Go ${{ matrix.go-version }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest]
go-version: ['1.20', '1.19']
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: ${{ matrix.go-version }}
- name: Cache Go modules
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ matrix.go-version }}-
- name: Download dependencies
run: go mod download
- name: Run tests
run: go test -v -race ./...
# Run benchmarks
benchmark:
name: Benchmark Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.24.x'
- name: Cache Go modules
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-1.24.x-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-1.24.x-
- name: Download dependencies
run: go mod download
- name: Run benchmarks
run: go test -bench=. -benchmem ./... -run=^$ || echo "⚠️ No benchmarks found"
# Test with race detector
race-detector:
name: Race Detector Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: '1.24.x'
- name: Cache Go modules
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-1.24.x-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-1.24.x-
- name: Download dependencies
run: go mod download
- name: Run tests with race detector
run: go test -race -timeout=10m ./...