# GitHub Actions Workflows This directory contains all CI/CD workflows for the ONVIF Go library. ## Workflows ### πŸ”„ CI (`ci.yml`) - Main Pipeline **Unified continuous integration workflow with fail-fast behavior.** The CI pipeline runs sequentially - if any stage fails, subsequent stages are skipped: ``` fmt β†’ lint β†’ test β†’ sonarcloud β†˜ build ``` **Stages:** | Stage | Description | Depends On | |-------|-------------|------------| | **fmt** | Format check using `gofmt -s` | - | | **lint** | Static analysis with `go vet` and `golangci-lint` | fmt | | **test** | Unit tests with race detector + coverage | lint | | **sonarcloud** | Code quality & security analysis (push to master only) | test | | **build** | Build verification for all packages | test | | **ci-success** | Final status check | all | **Features:** - βœ… Fail-fast: stops immediately if any check fails - βœ… Codecov integration for coverage reporting - βœ… SonarCloud integration for code quality - βœ… Go module caching for faster builds - βœ… Concurrency control (cancels in-progress runs) **Triggers:** - Push to `master`, `main` - All pull requests targeting `master`, `main` **Required for PR Merge:** All stages must pass before a PR can be merged. Configure branch protection rules in GitHub: 1. Go to **Settings β†’ Branches β†’ Branch protection rules** 2. Add rule for `master` 3. Enable **Require status checks to pass before merging** 4. Select these required checks: - `Format Check` - `Lint` - `Test & Coverage` - `SonarCloud Analysis` - `Build Verification` - `CI Success` --- ### πŸ§ͺ Extended Tests (`test.yml`) Extended testing workflow for comprehensive test coverage. **Jobs:** - **test-older-versions** - Test on older Go versions (1.19, 1.20) - **benchmark** - Run benchmark tests - **race-detector** - Extended race detector tests **Triggers:** - Manual dispatch - Weekly schedule (Sunday 2 AM UTC) - Push to `master`/`main` when Go files change --- ### πŸš€ Release (`release.yml`) Automated release workflow for creating GitHub releases. **Jobs:** - **build** - Build binaries for all platforms (Linux, Windows, macOS, multiple architectures) - **release** - Create GitHub release with artifacts - **docker** - Build and push Docker images to GHCR **Triggers:** - Push tags matching `v*.*.*` - Manual dispatch with version input --- ### πŸ”’ Security (`security.yml`) Security scanning workflow. **Jobs:** - **gosec** - Security scanner - **govulncheck** - Vulnerability checker **Triggers:** - Push to `master`/`main` - Pull requests - Weekly schedule --- ### πŸ“š Documentation (`docs.yml`) Documentation validation workflow. **Triggers:** - Push to `master`/`main` when docs change - Manual dispatch --- ### πŸ” Dependency Review (`dependency-review.yml`) Dependency vulnerability review. **Triggers:** - Pull requests --- ## CI Pipeline Flow ``` β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ CI PIPELINE β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ FMT │────▢│ LINT │────▢│ TEST + COVERAGE β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β–Ό β–Ό β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ SONARCLOUD β”‚ β”‚ BUILD β”‚ β”‚ β”‚ β”‚ (push only)β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β–Ό β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ CI SUCCESS β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ❌ If any stage fails, the pipeline stops immediately (fail-fast) ℹ️ SonarCloud only runs on push to master/main (skipped for PRs) ``` --- ## SonarCloud Configuration Security Hotspot analysis excludes: - Test files (`**/*_test.go`) - CI configuration (`**/.github/**`) - Test utilities (`**/testing/**`, `**/testdata/**`) - Example code (`**/examples/**`) - CLI tools (`**/cmd/**`) This ensures security analysis focuses on production library code. --- ## Required Secrets | Secret | Required | Description | |--------|----------|-------------| | `CODECOV_TOKEN` | Yes | Coverage reporting to Codecov | | `SONAR_TOKEN` | Yes | SonarCloud code analysis | | `DOCKERHUB_USERNAME` | No | Docker Hub releases | | `DOCKERHUB_TOKEN` | No | Docker Hub releases | --- ## Workflow Status - βœ… Go 1.24 as primary version - βœ… Unified fail-fast CI pipeline - βœ… Go module caching for faster builds - βœ… Artifact uploads for coverage and releases - βœ… Concurrency control --- *Last Updated: December 3, 2025*