2 Commits

Author | SHA1 | Message | Date
Micheal Wilkinson | bbbacb0eb6 | docs: update changelog for workflow hardening | 2026-03-21 22:54:07 +00:00
  Some checks failed:
  Push Validation / check-open-pr (push): Successful in 2s
  Push Validation / validate (push): Has been skipped
  Pull Request Validation / validate (pull_request): Failing after 2m9s
Micheal Wilkinson | 28820748f7 | ci: harden workflow dedup and badge gating | 2026-03-21 22:54:07 +00:00
3 changed files with 24 additions and 7 deletions


@@ -153,11 +153,24 @@ jobs:
cache: true cache: true
cache-dependency-path: go.sum cache-dependency-path: go.sum
- name: Check coverage artefacts
id: coverage-files
if: ${{ always() && steps.coverage.outcome == 'success' }}
run: |
set -euo pipefail
if [[ -f coverage.out ]]; then
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "exists=false" >> "$GITHUB_OUTPUT"
echo "coverage.out was not produced; skipping coverage badge upload." >> "$GITHUB_STEP_SUMMARY"
fi
- name: Upload coverage badge - name: Upload coverage badge
id: badge id: badge
if: ${{ always() && steps.coverage.outcome == 'success' }} if: ${{ always() && steps.coverage.outcome == 'success' && steps.coverage-files.outputs.exists == 'true' }}
uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0 uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
with: with:
coverage-profile: coverage.out
artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }} artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }} artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
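Review bot: the new `Check coverage artefacts` step uses `set -euo pipefail` and `[[ -f coverage.out ]]`, the same bash-only constructs the push-validation hunk in this change removes because runners execute `run` scripts with `/bin/sh`; if that applies to this workflow too, `set -o pipefail` is rejected by `sh`, the step fails before it can write `exists=`, and the gate `steps.coverage-files.outputs.exists == 'true'` can never be satisfied. Use `set -eu` and `if [ -f coverage.out ]; then` as the other workflow now does, or put `shell: bash` on the step explicitly. Two further points in the `with:` block: `coverage-profile: coverage.out` appears on only one side of the rendered diff, so confirm the input is still present on the new side, since the new existence check is there to guarantee that file; and `vars.ARTEFACT_BUCKET_ENDPONT` is unchanged context but looks like a typo for `ENDPOINT`, and if the repository variable is spelled correctly this reference resolves to an empty endpoint.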
@@ -178,6 +191,7 @@ jobs:
- name: Decorate PR - name: Decorate PR
if: ${{ always() }} if: ${{ always() }}
uses: https://git.hrafn.xyz/aether/vociferate/decorate-pr@v1.1.0 uses: https://git.hrafn.xyz/aether/vociferate/decorate-pr@v1.1.0
continue-on-error: true
with: with:
coverage-percentage: ${{ steps.badge.outputs.total }} coverage-percentage: ${{ steps.badge.outputs.total }}
badge-url: ${{ steps.badge.outputs.badge-url }} badge-url: ${{ steps.badge.outputs.badge-url }}
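Review bot: `continue-on-error: true` combined with `if: ${{ always() }}` on Decorate PR swallows every failure of `decorate-pr`, not only the extractor problem the changelog cites, and leaves no trace in the job status. With the badge step now skippable, `steps.badge.outputs.total` and `steps.badge.outputs.badge-url` are empty whenever it does not run, so the action is invoked with empty `coverage-percentage` and `badge-url` inputs. Gate this step on `steps.badge.outcome == 'success'` (or pass an explicit fallback value) and write a line to `$GITHUB_STEP_SUMMARY` when it is skipped, so a missing decoration is at least visible in the summary rather than only in the step log.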


@@ -27,18 +27,18 @@ jobs:
SERVER_URL: ${{ github.server_url }} SERVER_URL: ${{ github.server_url }}
TOKEN: ${{ secrets.GITHUB_TOKEN }} TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
set -euo pipefail set -eu
api_url="${SERVER_URL}/api/v1/repos/${REPOSITORY}/pulls?state=open&head=${OWNER}:${BRANCH}" api_url="${SERVER_URL}/api/v1/repos/${REPOSITORY}/pulls?state=open&head=${OWNER}:${BRANCH}"
auth_args=() if [ -n "${TOKEN:-}" ]; then
if [[ -n "${TOKEN:-}" ]]; then response="$(curl -fsSL -H "Authorization: token ${TOKEN}" -H "accept: application/json" "$api_url" || echo '[]')"
auth_args=(-H "Authorization: token ${TOKEN}") else
response="$(curl -fsSL -H "accept: application/json" "$api_url" || echo '[]')"
fi fi
response="$(curl -fsSL "${auth_args[@]}" -H 'accept: application/json' "$api_url" || echo '[]')"
open_prs="$(printf '%s' "$response" | grep -o '"number":[0-9]\+' | wc -l | tr -d ' ')" open_prs="$(printf '%s' "$response" | grep -o '"number":[0-9]\+' | wc -l | tr -d ' ')"
if [[ "$open_prs" -gt 0 ]]; then if [ "$open_prs" -gt 0 ]; then
echo "should_run=false" >> "$GITHUB_OUTPUT" echo "should_run=false" >> "$GITHUB_OUTPUT"
echo "Open PR detected for ${OWNER}:${BRANCH}; skipping push validation." >> "$GITHUB_STEP_SUMMARY" echo "Open PR detected for ${OWNER}:${BRANCH}; skipping push validation." >> "$GITHUB_STEP_SUMMARY"
else else
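Review bot: the `|| echo '[]'` fallback on both curl branches fails open: a 401 from a bad or expired `GITHUB_TOKEN`, a rate limit, or a malformed `api_url` is indistinguishable from "no open PRs", so the job proceeds as if the branch had none and the heavy validation runs twice, which is exactly what this check exists to prevent. Record the failure separately, e.g. `response="$(curl -fsSL ... "$api_url")" || { echo "Open-PR lookup failed; running push validation." >> "$GITHUB_STEP_SUMMARY"; response='[]'; }`, so a duplicate run can be traced to the lookup rather than to the dedup logic. Two smaller points: `head=${OWNER}:${BRANCH}` is interpolated into the query string without URL encoding, so branch names containing `/`, `#` or `?` produce a wrong query; and `grep -o '"number":[0-9]\+'` assumes compact JSON with no space after the colon and exactly one `number` key per PR object, while `-o` and `\+` are GNU grep extensions, so the POSIX-shell fix still depends on the runner's grep.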


@@ -34,6 +34,9 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
- Push validation now triggers on all branches, not only `main`. - Push validation now triggers on all branches, not only `main`.
- Push and PR validation workflows now share a `concurrency` group keyed on the branch name (`github.ref_name` / `github.head_ref`) with `cancel-in-progress: true`; when a push to a PR branch fires both workflows, the second run cancels the first so only one validation executes per commit. - Push and PR validation workflows now share a `concurrency` group keyed on the branch name (`github.ref_name` / `github.head_ref`) with `cancel-in-progress: true`; when a push to a PR branch fires both workflows, the second run cancels the first so only one validation executes per commit.
- Push validation now performs an open-PR branch check via the Gitea API and skips the heavy validation job when the branch already has an open PR, preventing duplicate full pipeline runs. - Push validation now performs an open-PR branch check via the Gitea API and skips the heavy validation job when the branch already has an open PR, preventing duplicate full pipeline runs.
- Push validation open-PR detection is now POSIX-shell compatible (no bash-only `pipefail`/array/`[[ ... ]]` usage), fixing failures on runners that execute `run` scripts with `/bin/sh`.
- PR validation now checks that `coverage.out` exists before invoking `coverage-badge`; when missing, badge upload is skipped with a summary note instead of failing the workflow.
- PR decoration is now `continue-on-error` to avoid hard-failing validation when the external `decorate-pr` action's internal extractor step is unavailable.
- README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards. - README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards.
- CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching. - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
- CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners. - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.
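Review bot: the entry stating that open-PR detection is now POSIX-shell compatible should be scoped to the push-validation workflow only, because the PR-validation hunk in this same change adds a step using `set -euo pipefail` and `[[ -f coverage.out ]]`; as written, a reader would assume both workflows run cleanly under `/bin/sh`. The `continue-on-error` entry gives the motivation but not the consequence: add that failures of PR decoration no longer fail validation and are only visible in the step log, so the trade-off is documented next to the change that introduced it.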