chore(ci): replace manual security tools with marketplace actions and add go fmt check

- Replace `go install` of gosec/govulncheck with secureCodeBox/gosec-action and golang/govulncheck-action - Actions handle their own caching; remove explicit security tools cache step - Add code formatting check using `go fmt ./...` to reject pushes/PRs with incorrect formatting - Formatting check runs before security scanning for faster feedback
2026-03-21 13:22:25 +00:00
parent c36b738240
commit 3cc90ff54e
2 changed files with 30 additions and 32 deletions
--- a/.gitea/workflows/push-validation.yml
+++ b/.gitea/workflows/push-validation.yml
@@ -45,16 +45,6 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-modules-

-      - name: Cache security tools
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/bin
-          key: ${{ runner.os }}-go-security-tools-${{ hashFiles('**/go.mod', '**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-security-tools-
-
      - name: Verify module hygiene
        run: |
          set -euo pipefail
@@ -62,11 +52,23 @@ jobs:
          git diff --exit-code go.mod go.sum
          go mod verify

-      - name: Install security tools
+      - name: Check code formatting
        run: |
          set -euo pipefail
-          go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3
-          go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
+          fmt_output=$(go fmt ./...)
+          if [[ -n "$fmt_output" ]]; then
+            echo "Code formatting check failed. The following files need formatting:" >&2
+            echo "$fmt_output" >&2
+            exit 1
+          fi
+
+      - name: Run Gosec Security Scanner
+        uses: secureCodeBox/gosec-action@v1
+        with:
+          args: './...'
+
+      - name: Run Go Vulnerability Check
+        uses: golang/govulncheck-action@v1

      - name: Install AWS CLI v2
        uses: ankurk91/install-aws-cli-action@v1
@@ -163,12 +165,6 @@ jobs:
          repository-name: ${{ github.repository }}
          summary-file: ${{ env.SUMMARY_FILE }}

-      - name: Run security analysis
-        run: |
-          set -euo pipefail
-          "$(go env GOPATH)/bin/gosec" ./...
-          "$(go env GOPATH)/bin/govulncheck" ./...
-
      - name: Run behavior suite on main pushes
        if: ${{ github.ref == 'refs/heads/main' }}
        run: ./script/run-behavior-suite-docker.sh