chore(go): harden ci process workflows

2026-03-21 11:20:09 +00:00
parent 7bc7ee4746
commit cd92a961bd
4 changed files with 44 additions and 54 deletions
--- a/.gitea/workflows/pr-validation.yml
+++ b/.gitea/workflows/pr-validation.yml
@@ -22,6 +22,7 @@ jobs:
      AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
      AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_EC2_METADATA_DISABLED: true
+      SUMMARY_FILE: ${{ runner.temp }}/summary.md
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -34,6 +35,13 @@ jobs:
          cache: true
          cache-dependency-path: go.sum

+      - name: Verify module hygiene
+        run: |
+          set -euo pipefail
+          go mod tidy
+          git diff --exit-code go.mod go.sum
+          go mod verify
+
      - name: Install security tools
        run: |
          set -euo pipefail
@@ -230,7 +238,14 @@ jobs:
            echo
            echo '### Package Coverage'
            cat coverage-packages.md
-          } >> "$GITHUB_STEP_SUMMARY"
+          } >> "$SUMMARY_FILE"

      - name: Run behavior suite
        run: ./script/run-behavior-suite-docker.sh
+
+      - name: Summary
+        if: ${{ always() }}
+        run: |
+          if [[ -f "$SUMMARY_FILE" ]]; then
+            cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY"
+          fi
--- a/.gitea/workflows/push-validation.yml
+++ b/.gitea/workflows/push-validation.yml
@@ -22,6 +22,7 @@ jobs:
      AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
      AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_EC2_METADATA_DISABLED: true
+      SUMMARY_FILE: ${{ runner.temp }}/summary.md
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -34,6 +35,13 @@ jobs:
          cache: true
          cache-dependency-path: go.sum

+      - name: Verify module hygiene
+        run: |
+          set -euo pipefail
+          go mod tidy
+          git diff --exit-code go.mod go.sum
+          go mod verify
+
      - name: Install security tools
        run: |
          set -euo pipefail
@@ -186,8 +194,15 @@ jobs:
            echo
            echo '### Package Coverage'
            cat coverage-packages.md
-          } >> "$GITHUB_STEP_SUMMARY"
+          } >> "$SUMMARY_FILE"

      - name: Run behavior suite on main pushes
        if: ${{ github.ref == 'refs/heads/main' }}
        run: ./script/run-behavior-suite-docker.sh
+
+      - name: Summary
+        if: ${{ always() }}
+        run: |
+          if [[ -f "$SUMMARY_FILE" ]]; then
+            cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY"
+          fi
--- a/.gitea/workflows/tag-build-artifacts.yml
+++ b/.gitea/workflows/tag-build-artifacts.yml
@@ -30,6 +30,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@v5
@@ -74,58 +76,11 @@ jobs:
  release:
    runs-on: ubuntu-latest
    needs: build
-    env:
-      RELEASE_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
-      - name: Download build artifacts
-        uses: actions/download-artifact@v4
+      - name: Checkout
+        uses: actions/checkout@v4
        with:
-          path: dist
+          fetch-depth: 0

-      - name: Ensure jq is installed
-        run: |
-          if ! command -v jq >/dev/null 2>&1; then
-            sudo apt-get update
-            sudo apt-get install -y jq
-          fi
-
-      - name: Create release if needed and upload assets
-        run: |
-          set -euo pipefail
-
-          if [[ -z "${RELEASE_TOKEN:-}" ]]; then
-            echo "RELEASE_TOKEN is empty. Expected secrets.GITHUB_TOKEN to be available." >&2
-            exit 1
-          fi
-
-          tag="${GITHUB_REF_NAME}"
-          api_base="${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}"
-
-          release_json="$(curl -sS -H "Authorization: token ${RELEASE_TOKEN}" "${api_base}/releases/tags/${tag}" || true)"
-          release_id="$(printf '%s' "${release_json}" | jq -r '.id // empty')"
-
-          if [[ -z "${release_id}" ]]; then
-            create_payload="$(jq -n --arg tag "${tag}" --arg name "${tag}" '{tag_name:$tag, name:$name, draft:false, prerelease:false}')"
-            release_json="$(curl -sS -X POST \
-              -H "Authorization: token ${RELEASE_TOKEN}" \
-              -H "Content-Type: application/json" \
-              -d "${create_payload}" \
-              "${api_base}/releases")"
-            release_id="$(printf '%s' "${release_json}" | jq -r '.id // empty')"
-          fi
-
-          if [[ -z "${release_id}" ]]; then
-            echo "Unable to determine or create release id for tag ${tag}" >&2
-            printf '%s\n' "${release_json}" >&2
-            exit 1
-          fi
-
-          find dist -type f -name '*.tar.gz' -print0 | while IFS= read -r -d '' file; do
-            asset_name="$(basename "${file}")"
-            curl -sS -X POST \
-              -H "Authorization: token ${RELEASE_TOKEN}" \
-              -H "Content-Type: application/octet-stream" \
-              --data-binary @"${file}" \
-              "${api_base}/releases/${release_id}/assets?name=${asset_name}"
-            echo "Uploaded ${asset_name}"
-          done
+      - name: Vociferate publish
+        uses: aether/vociferate/publish@v1.0.1