aether/gosick
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
710fe049f5350e7a6eb1a26c54511a289b10edaf
gosick/.gitea/workflows/pr-validation.yml
Micheal Wilkinson 2294bb940b ci(pr-validation): harden decoration and summary fallback
2026-03-21 23:02:46 +00:00

248 lines
7.7 KiB
YAML
Raw Blame History

name: Pull Request Validation
on:
pull_request:
types:
- opened
- synchronize
- reopened
concurrency:
group: ci-${{ github.head_ref }}
cancel-in-progress: true
jobs:
validate:
runs-on: ubuntu-latest
container: docker.io/catthehacker/ubuntu:act-latest
defaults:
run:
shell: bash
env:
ARTEFACT_BUCKET_NAME: ${{ vars.ARTEFACT_BUCKET_NAME }}
ARTEFACT_BUCKET_ENDPONT: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
ARTEFACT_BUCKET_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
AWS_EC2_METADATA_DISABLED: true
GOTOOLCHAIN: auto
SUMMARY_FILE: ${{ runner.temp }}/summary.md
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: '1.26.1'
check-latest: true
cache: true
cache-dependency-path: go.sum
- name: Cache Go modules and build cache
uses: actions/cache@v4
with:
path: |
~/go/pkg/mod
~/.cache/go-build
~/go/bin
key: ${{ runner.os }}-go-cache-${{ hashFiles('**/go.mod', '**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-cache-
- name: Verify module hygiene
run: |
set -euo pipefail
go mod tidy
git diff --exit-code go.mod go.sum
go mod verify
- name: Prepare test runtime
run: |
set -euo pipefail
apt-get update
apt-get install -y ruby
git config --global user.name "gitea-actions[bot]"
git config --global user.email "gitea-actions[bot]@users.noreply.local"
- name: Run full unit test suite with coverage
id: coverage
run: |
set -euo pipefail
go test -covermode=atomic -coverprofile=coverage.out ./... | tee go-test-coverage.log
set +e
awk '
/^ok[[:space:]]/ && /coverage: [0-9.]+% of statements/ {
pkg = $2
cov = $0
sub(/^.*coverage: /, "", cov)
sub(/% of statements.*$/, "", cov)
status = "target"
if (cov + 0 < 50) {
status = "fail"
fail = 1
} else if (cov + 0 < 65) {
status = "high-risk"
} else if (cov + 0 < 80) {
status = "warning"
}
printf "%s %.1f %s\n", pkg, cov + 0, status
}
END {
if (fail) {
exit 2
}
}
' go-test-coverage.log > coverage-packages.raw
package_gate_status=$?
set -e
{
echo '| Package | Coverage | Status |'
echo '| --- | ---: | --- |'
} > coverage-packages.md
while read -r pkg cov status; do
case "$status" in
fail)
pretty='FAIL (<50%)'
;;
high-risk)
pretty='High risk (50%-64.99%)'
;;
warning)
pretty='Warning (65%-79.99%)'
;;
*)
pretty='Target (>=80%)'
;;
esac
printf '| `%s` | %.1f%% | %s |\n' "$pkg" "$cov" "$pretty" >> coverage-packages.md
done < coverage-packages.raw
if [[ "$package_gate_status" -ne 0 ]]; then
echo "Per-package coverage gate failed: one or more packages are below 50%." >&2
exit 1
fi
- name: Check code formatting
run: |
set -euo pipefail
fmt_output=$(go fmt ./...)
if [[ -n "$fmt_output" ]]; then
echo "Code formatting check failed. The following files need formatting:" >&2
echo "$fmt_output" >&2
exit 1
fi
- name: Run Gosec Security Scanner
run: |
set -euo pipefail
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...
- name: Run Go Vulnerability Check
uses: golang/govulncheck-action@v1.0.4
with:
go-package: ./...
cache: true
cache-dependency-path: go.sum
- name: Check coverage artefacts
id: coverage-files
if: ${{ always() && steps.coverage.outcome == 'success' }}
run: |
set -euo pipefail
if [[ -f coverage.out ]]; then
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "exists=false" >> "$GITHUB_OUTPUT"
echo "coverage.out was not produced; skipping coverage badge upload." >> "$GITHUB_STEP_SUMMARY"
fi
- name: Upload coverage badge
id: badge
if: ${{ always() && steps.coverage.outcome == 'success' && steps.coverage-files.outputs.exists == 'true' }}
uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
with:
coverage-profile: coverage.out
artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
- name: Validate changelog gate
if: ${{ always() }}
run: |
set -euo pipefail
if ! awk '
/^## \[Unreleased\]/ { in_unreleased=1; next }
/^## \[/ && in_unreleased { exit 0 }
in_unreleased && /^- / { found=1 }
END { exit found ? 0 : 1 }
' CHANGELOG.md; then
echo "Missing changelog entry under [Unreleased]." >&2
exit 1
fi
- name: Decorate PR
if: ${{ always() && github.server_url == 'https://github.com' && steps.badge.outcome == 'success' }}
uses: https://git.hrafn.xyz/aether/vociferate/decorate-pr@v1.1.0
continue-on-error: true
with:
coverage-percentage: ${{ steps.badge.outputs.total }}
badge-url: ${{ steps.badge.outputs.badge-url }}
enable-changelog-gate: 'false'
- name: Skip external PR decoration on non-GitHub runners
if: ${{ always() && github.server_url != 'https://github.com' }}
run: |
set -euo pipefail
echo "Skipping decorate-pr action on ${GITHUB_SERVER_URL}; external composite action is not stable on this runner." >> "$GITHUB_STEP_SUMMARY"
- name: Add coverage summary
if: ${{ always() }}
run: |
set -euo pipefail
total="${{ steps.badge.outputs.total }}"
report_url="${{ steps.badge.outputs.report-url }}"
badge_url="${{ steps.badge.outputs.badge-url }}"
if [[ -z "$total" ]]; then
total="n/a"
fi
if [[ -z "$report_url" ]]; then
report_url="n/a"
fi
if [[ -z "$badge_url" ]]; then
badge_url="n/a"
fi
{
echo '## Coverage'
echo
echo "- Total: ${total}%"
echo "- Report: ${report_url}"
echo "- Badge: ${badge_url}"
echo
echo '### Package Coverage'
if [[ -f coverage-packages.md ]]; then
cat coverage-packages.md
else
echo '_Package coverage details unavailable for this run._'
fi
} >> "$SUMMARY_FILE"
- name: Run behavior suite
run: ./script/run-behavior-suite-docker.sh
- name: Summary
if: ${{ always() }}
run: |
if [[ -f "$SUMMARY_FILE" ]]; then
cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY"
fi
Reference in New Issue View Git Blame Copy Permalink