gosick/.gitea/workflows/push-validation.yml

name: Push Validation

on:
  push:
    branches:
      - "**"
    tags-ignore:
      - "*"

concurrency:
  group: ci-${{ github.ref_name }}
  cancel-in-progress: true

jobs:
  validate:
    runs-on: ubuntu-latest
    container: docker.io/catthehacker/ubuntu:act-latest
    defaults:
      run:
        shell: bash
    env:
      ARTEFACT_BUCKET_NAME: ${{ vars.ARTEFACT_BUCKET_NAME }}
      ARTEFACT_BUCKET_ENDPONT: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
      ARTEFACT_BUCKET_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_ACCESS_KEY_ID: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_KEY }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
      AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_EC2_METADATA_DISABLED: true
      GOTOOLCHAIN: auto
      SUMMARY_FILE: ${{ runner.temp }}/summary.md
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.26.1'
          check-latest: true
          cache: true
          cache-dependency-path: go.sum

      - name: Cache Go modules and build cache
        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
            ~/.cache/go-build
            ~/go/bin
          key: ${{ runner.os }}-go-cache-${{ hashFiles('**/go.mod', '**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-cache-

      - name: Verify module hygiene
        run: |
          set -euo pipefail
          go mod tidy
          git diff --exit-code go.mod go.sum
          go mod verify

      - name: Check code formatting
        run: |
          set -euo pipefail
          fmt_output=$(go fmt ./...)
          if [[ -n "$fmt_output" ]]; then
            echo "Code formatting check failed. The following files need formatting:" >&2
            echo "$fmt_output" >&2
            exit 1
          fi

      - name: Run Gosec Security Scanner
        run: |
          set -euo pipefail
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec ./...

      - name: Run Go Vulnerability Check
        uses: golang/govulncheck-action@v1.0.4
        with:
          go-package: ./...
          cache: true
          cache-dependency-path: go.sum

      - name: Install AWS CLI v2
        uses: ankurk91/install-aws-cli-action@v1

      - name: Verify AWS CLI
        run: aws --version

      - name: Prepare test runtime
        run: |
          set -euo pipefail
          apt-get update
          apt-get install -y ruby
          git config --global user.name "gitea-actions[bot]"
          git config --global user.email "gitea-actions[bot]@users.noreply.local"

      - name: Run full unit test suite with coverage
        id: coverage-tests
        run: |
          set -euo pipefail

          go test -covermode=atomic -coverprofile=coverage.out ./... | tee go-test-coverage.log
          go tool cover -html=coverage.out -o coverage.html

          total="$(go tool cover -func=coverage.out | awk '/^total:/ {sub(/%/, "", $3); print $3}')"
          printf '{\n  "total": "%s"\n}\n' "$total" > coverage-summary.json
          printf 'total=%s\n' "$total" >> "$GITHUB_OUTPUT"

          set +e
          awk '
            /^ok[[:space:]]/ && /coverage: [0-9.]+% of statements/ {
              pkg = $2
              cov = $0
              sub(/^.*coverage: /, "", cov)
              sub(/% of statements.*$/, "", cov)
              status = "target"
              if (cov + 0 < 50) {
                status = "fail"
                fail = 1
              } else if (cov + 0 < 65) {
                status = "high-risk"
              } else if (cov + 0 < 80) {
                status = "warning"
              }
              printf "%s %.1f %s\n", pkg, cov + 0, status
            }
            END {
              if (fail) {
                exit 2
              }
            }
          ' go-test-coverage.log > coverage-packages.raw
          package_gate_status=$?
          set -e

          {
            echo '| Package | Coverage | Status |'
            echo '| --- | ---: | --- |'
          } > coverage-packages.md

          while read -r pkg cov status; do
            case "$status" in
              fail)
                pretty='FAIL (<50%)'
                ;;
              high-risk)
                pretty='High risk (50%-64.99%)'
                ;;
              warning)
                pretty='Warning (65%-79.99%)'
                ;;
              *)
                pretty='Target (>=80%)'
                ;;
            esac
            printf '| `%s` | %.1f%% | %s |\n' "$pkg" "$cov" "$pretty" >> coverage-packages.md
          done < coverage-packages.raw

          if [[ "$package_gate_status" -ne 0 ]]; then
            echo "Per-package coverage gate failed: one or more packages are below 50%." >&2
            exit 1
          fi

      - name: Publish coverage artefacts
        id: coverage-badge
        uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
        with:
          coverage-profile: coverage.out
          coverage-html: coverage.html
          coverage-badge: coverage-badge.svg
          coverage-summary: coverage-summary.json
          artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
          artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
          branch-name: ${{ github.ref_name }}
          repository-name: ${{ github.repository }}
          summary-file: ${{ env.SUMMARY_FILE }}

      - name: Run behavior suite on main pushes
        if: ${{ github.ref == 'refs/heads/main' }}
        run: ./script/run-behavior-suite-docker.sh

      - name: Summary
        if: ${{ always() }}
        run: |
          if [[ -f "$SUMMARY_FILE" ]]; then
            cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY"
          fi