ci: split workflows into CI, Lint, and Security

cpcloud · claude · cpcloud · commit 77d87aace320 · 2026-03-08T18:59:36.000-04:00
Move lint jobs (deadcode, golangci-lint, pre-commit) into lint.yml and security jobs (govulncheck, osv-scanner, trufflehog, CodeQL) into security.yml. Simplify CodeQL to build-mode: none (no build step needed) and drop its weekly cron schedule. CI workflow retains test, benchmarks, nix build, docs, and semantic release. closes #718 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -149,51 +149,6 @@ jobs:
       - name: Run smoke benchmarks
         run: go test -bench . -benchtime 1x -timeout 5m -run '^$' ./...
 
-  nix-tools:
-    name: ${{ matrix.name }}
-    runs-on: ubuntu-latest
-    concurrency:
-      group: ci-${{ matrix.tool }}-${{ github.ref }}
-      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-    strategy:
-      fail-fast: ${{ github.event_name == 'pull_request' }}
-      matrix:
-        include:
-          - tool: deadcode
-            name: Dead Code
-          - tool: golangci-lint
-            name: Lint
-          - tool: govulncheck
-            name: Vulnerability Check
-          - tool: osv-scanner
-            name: OSV Scan
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          persist-credentials: false
-
-      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
-
-      - name: Run ${{ matrix.tool }}
-        run: nix run '.#${{ matrix.tool }}'
-
-  pre-commit:
-    name: Pre-commit
-    runs-on: ubuntu-latest
-    concurrency:
-      group: ci-pre-commit-${{ github.ref }}
-      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
-
-      - name: Run pre-commit hooks
-        run: nix run '.#pre-commit' -- --from-ref 'origin/${{ github.base_ref || 'main' }}' --to-ref HEAD
-
   nix-build:
     name: Nix Build
     runs-on: ubuntu-latest
@@ -235,29 +190,13 @@ jobs:
       - name: Build docs
         run: nix run '.#docs'
 
-  secrets:
-    name: Secret Scan
-    runs-on: ubuntu-latest
-    concurrency:
-      group: ci-secrets-${{ github.ref }}
-      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - uses: trufflesecurity/trufflehog@7635b24fd512a2e817dd3e9dd661caaf035a079d # v3.93.1
-        with:
-          extra_args: --only-verified
-
   # ---------------------------------------------------------------------------
   # Semantic Release (dry-run on PRs, publish on main push)
   # ---------------------------------------------------------------------------
 
   semantic-release:
     name: Semantic Release
-    needs: [test, nix-tools, pre-commit, nix-build, docs, secrets]
+    needs: [test, nix-build, docs]
     runs-on: ubuntu-latest
     concurrency:
       group: semantic-release-${{ github.ref }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,55 @@
+# Copyright 2026 Phillip Cloud
+# Licensed under the Apache License, Version 2.0
+
+name: Lint
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  nix-lint:
+    name: ${{ matrix.name }}
+    runs-on: ubuntu-latest
+    concurrency:
+      group: lint-${{ matrix.tool }}-${{ github.ref }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+    strategy:
+      fail-fast: ${{ github.event_name == 'pull_request' }}
+      matrix:
+        include:
+          - tool: deadcode
+            name: Dead Code
+          - tool: golangci-lint
+            name: Lint
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
+
+      - name: Run ${{ matrix.tool }}
+        run: nix run '.#${{ matrix.tool }}'
+
+  pre-commit:
+    name: Pre-commit
+    runs-on: ubuntu-latest
+    concurrency:
+      group: lint-pre-commit-${{ github.ref }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
+
+      - name: Run pre-commit hooks
+        run: nix run '.#pre-commit' -- --from-ref 'origin/${{ github.base_ref || 'main' }}' --to-ref HEAD
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,76 @@
+# Copyright 2026 Phillip Cloud
+# Licensed under the Apache License, Version 2.0
+
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  nix-security:
+    name: ${{ matrix.name }}
+    runs-on: ubuntu-latest
+    concurrency:
+      group: security-${{ matrix.tool }}-${{ github.ref }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+    strategy:
+      fail-fast: ${{ github.event_name == 'pull_request' }}
+      matrix:
+        include:
+          - tool: govulncheck
+            name: Vulnerability Check
+          - tool: osv-scanner
+            name: OSV Scan
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31
+
+      - name: Run ${{ matrix.tool }}
+        run: nix run '.#${{ matrix.tool }}'
+
+  secrets:
+    name: Secret Scan
+    runs-on: ubuntu-latest
+    concurrency:
+      group: security-secrets-${{ github.ref }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - uses: trufflesecurity/trufflehog@7635b24fd512a2e817dd3e9dd661caaf035a079d # v3.93.1
+        with:
+          extra_args: --only-verified
+
+  codeql:
+    name: CodeQL (Go)
+    runs-on: ubuntu-latest
+    concurrency:
+      group: security-codeql-${{ github.ref }}
+      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
+        with:
+          languages: go
+          build-mode: none
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
