chore(ci): replace manual security tools with marketplace actions and add go fmt check

- Replace `go install` of gosec/govulncheck with secureCodeBox/gosec-action and golang/govulncheck-action
- Actions handle their own caching; remove explicit security tools cache step
- Add code formatting check using `go fmt ./...` to reject pushes/PRs with incorrect formatting
- Formatting check runs before security scanning for faster feedback
Micheal Wilkinson
2026-03-21 13:22:25 +00:00
parent c36b738240
commit 3cc90ff54e
2 changed files with 30 additions and 32 deletions


@@ -45,16 +45,6 @@ jobs:
restore-keys: | restore-keys: |
${{ runner.os }}-go-modules- ${{ runner.os }}-go-modules-
- name: Cache security tools
uses: actions/cache@v4
with:
path: |
~/.cache/go-build
~/go/bin
key: ${{ runner.os }}-go-security-tools-${{ hashFiles('**/go.mod', '**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-security-tools-
- name: Verify module hygiene - name: Verify module hygiene
run: | run: |
set -euo pipefail set -euo pipefail
@@ -157,11 +147,23 @@ jobs:
exit 1 exit 1
fi fi
- name: Run security analysis - name: Check code formatting
run: | run: |
set -euo pipefail set -euo pipefail
"$(go env GOPATH)/bin/gosec" ./... fmt_output=$(go fmt ./...)
"$(go env GOPATH)/bin/govulncheck" ./... if [[ -n "$fmt_output" ]]; then
echo "Code formatting check failed. The following files need formatting:" >&2
echo "$fmt_output" >&2
exit 1
fi
- name: Run Gosec Security Scanner
uses: secureCodeBox/gosec-action@v1
with:
args: './...'
- name: Run Go Vulnerability Check
uses: golang/govulncheck-action@v1
- name: Generate coverage badge - name: Generate coverage badge
env: env:
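Review bot: The two new `uses:` lines near the end of the hunk (`secureCodeBox/gosec-action@v1` and `golang/govulncheck-action@v1`) pin only a mutable major tag, whereas the `go install` lines they replace pinned exact tool versions (`gosec@v2.22.3`, `govulncheck@v1.1.4`, visible in the second workflow's hunk), so this commit loosens the supply-chain pin on both scanners: a moving tag lets the third-party action, and whichever gosec/govulncheck build it bundles, change under the workflow with no commit here. Pin both to a full commit SHA with the tag kept as a comment, e.g. `uses: golang/govulncheck-action@<commit-sha-placeholder>  # v1.x.y`, and pass the scanner version explicitly where the action accepts one (govulncheck-action exposes `vulncheck-version` as far as I recall; the gosec action's inputs should be checked in its README before relying on `args` alone). govulncheck-action also provisions its own Go toolchain by default (`go-version-input`), so its findings may not reflect the toolchain the earlier setup step uses; setting `go-version-file: go.mod`, if the action version you pin supports it, keeps the two aligned. The same two lines are added in the second workflow's hunk `@@ -62,11 +52,23 @@`.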


@@ -45,16 +45,6 @@ jobs:
restore-keys: | restore-keys: |
${{ runner.os }}-go-modules- ${{ runner.os }}-go-modules-
- name: Cache security tools
uses: actions/cache@v4
with:
path: |
~/.cache/go-build
~/go/bin
key: ${{ runner.os }}-go-security-tools-${{ hashFiles('**/go.mod', '**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-security-tools-
- name: Verify module hygiene - name: Verify module hygiene
run: | run: |
set -euo pipefail set -euo pipefail
@@ -62,11 +52,23 @@ jobs:
git diff --exit-code go.mod go.sum git diff --exit-code go.mod go.sum
go mod verify go mod verify
- name: Install security tools - name: Check code formatting
run: | run: |
set -euo pipefail set -euo pipefail
go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3 fmt_output=$(go fmt ./...)
go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 if [[ -n "$fmt_output" ]]; then
echo "Code formatting check failed. The following files need formatting:" >&2
echo "$fmt_output" >&2
exit 1
fi
- name: Run Gosec Security Scanner
uses: secureCodeBox/gosec-action@v1
with:
args: './...'
- name: Run Go Vulnerability Check
uses: golang/govulncheck-action@v1
- name: Install AWS CLI v2 - name: Install AWS CLI v2
uses: ankurk91/install-aws-cli-action@v1 uses: ankurk91/install-aws-cli-action@v1
@@ -163,12 +165,6 @@ jobs:
repository-name: ${{ github.repository }} repository-name: ${{ github.repository }}
summary-file: ${{ env.SUMMARY_FILE }} summary-file: ${{ env.SUMMARY_FILE }}
- name: Run security analysis
run: |
set -euo pipefail
"$(go env GOPATH)/bin/gosec" ./...
"$(go env GOPATH)/bin/govulncheck" ./...
- name: Run behavior suite on main pushes - name: Run behavior suite on main pushes
if: ${{ github.ref == 'refs/heads/main' }} if: ${{ github.ref == 'refs/heads/main' }}
run: ./script/run-behavior-suite-docker.sh run: ./script/run-behavior-suite-docker.sh
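Review bot: The formatting step in hunk `@@ -62,11 +52,23 @@` detects bad formatting by capturing what `go fmt ./...` prints after it has already rewritten the files in the checkout, so the check is a side effect of a mutation rather than a read-only comparison; the idiomatic read-only form is `fmt_output=$(gofmt -l .)` (same file list on stdout, nothing written), with the caveat that `gofmt -l .` also walks vendored or testdata directories if the repo has any, in which case restrict it to `$(go list -f '{{.Dir}}' ./...)`. With `set -euo pipefail` in place the capture already aborts the step if `go fmt` exits non-zero, so the only behavioural change is that the workspace stays untouched when the check passes. The identical nine-line step and the two scanner steps are now copied verbatim into both workflows (the first file's hunk `@@ -157,11 +147,23 @@`); a composite action or reusable workflow would keep them from drifting, which the two different pre-commit layouts show has already happened once.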