node condtion remediation #466
| name: PR Checks | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - dev | |
| push: | |
| branches: | |
| - main | |
| - dev | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| security-events: write | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Verify dependencies | |
| run: go mod verify | |
| - name: Build for current platform | |
| run: make build | |
| - name: Build for all supported platforms | |
| run: make build-all | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Run tests | |
| run: go test -v -race -coverprofile=coverage.out -covermode=atomic ./... | |
| - name: Generate coverage report | |
| run: go tool cover -html=coverage.out -o coverage.html | |
| - name: Upload coverage to artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage-report | |
| path: | | |
| coverage.out | |
| coverage.html | |
| - name: Check test coverage | |
| run: | | |
| coverage=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//') | |
| echo "Total test coverage: ${coverage}%" | |
| # Set minimum coverage threshold (can be adjusted) | |
| threshold=30 | |
| if (( $(echo "$coverage < $threshold" | bc -l) )); then | |
| echo "::warning::Test coverage ${coverage}% is below threshold ${threshold}%" | |
| echo "Please consider adding more tests to improve coverage." | |
| else | |
| echo "✅ Test coverage ${coverage}% meets threshold ${threshold}%" | |
| fi | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Run golangci-lint | |
| uses: golangci/golangci-lint-action@v9 | |
| with: | |
| version: latest | |
| args: --timeout=5m | |
| only-new-issues: true | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Run Gosec Security Scanner | |
| uses: securego/gosec@master | |
| with: | |
| # we let the report trigger content trigger a failure using the GitHub Security features. | |
| args: "-no-fail -fmt sarif -out results.sarif -exclude-dir=hack -exclude-generated ./..." | |
| # Fix duplicate tags and null relationships in SARIF file (workaround for https://github.com/golang/go/issues/75890) | |
| - name: Clean SARIF output | |
| run: | | |
| set -e | |
| cat results.sarif | |
| jq ' | |
| (.runs[].tool.driver.rules[]?.properties.tags) |= (unique) | | |
| (.runs[].tool.driver.rules[]?.relationships) |= (if . then [.[] | select(. != null)] else . end) | |
| ' results.sarif > results-cleaned.sarif | |
| mv results-cleaned.sarif results.sarif | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() | |
| with: | |
| sarif_file: results.sarif | |
| category: gosec | |
| code-quality: | |
| name: Code Quality Checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.mod | |
| cache: true | |
| - name: Check go fmt | |
| run: | | |
| UNFORMATTED=$(find . -name '*.go' -not -name '*.pb.go' -not -path './hack/*' | xargs gofmt -s -l) | |
| if [ -n "$UNFORMATTED" ]; then | |
| echo "❌ Go code is not formatted. Please run 'make fmt' or 'gofmt -s -w .'" | |
| echo "" | |
| echo "Unformatted files:" | |
| echo "$UNFORMATTED" | |
| exit 1 | |
| fi | |
| echo "✅ All files are properly formatted" | |
| - name: Check goimports | |
| run: | | |
| go install golang.org/x/tools/cmd/goimports@latest | |
| UNFORMATTED=$(find . -name '*.go' -not -name '*.pb.go' -not -path './hack/*' | xargs goimports -l) | |
| if [ -n "$UNFORMATTED" ]; then | |
| echo "❌ Go imports are not properly formatted. Please run 'goimports -w .'" | |
| echo "" | |
| echo "Files with incorrect imports:" | |
| echo "$UNFORMATTED" | |
| exit 1 | |
| fi | |
| echo "✅ All imports are properly formatted" | |
| - name: Check go vet | |
| run: go vet ./... | |
| - name: Check for common mistakes with staticcheck | |
| uses: dominikh/staticcheck-action@v1 | |
| with: | |
| version: "latest" | |
| install-go: false | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: moderate |
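Review bot: `uses: securego/gosec@master` in the "Run Gosec Security Scanner" step of the security job pulls a mutable branch of a third-party action, so the code that runs with this job's token (the workflow grants `security-events: write`) can change without any change to this repository; pin it to a release tag or, better, a full commit SHA, e.g. `uses: securego/gosec@<release-tag-or-commit-sha>` (placeholder, fill in the pinned ref). The same drift applies to `go install golang.org/x/tools/cmd/goimports@latest` in the goimports check and to `version: latest` on the golangci-lint and staticcheck steps, where pinning also keeps lint results reproducible between runs. Dependabot or Renovate configured for `github-actions` will keep SHA-pinned references current, so pinning does not mean freezing.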