name: Push Validation on: push: branches: - "**" tags-ignore: - "*" jobs: validate: runs-on: ubuntu-latest container: docker.io/catthehacker/ubuntu:act-latest defaults: run: shell: bash env: ARTEFACT_BUCKET_NAME: ${{ vars.ARTEFACT_BUCKET_NAME }} ARTEFACT_BUCKET_ENDPONT: ${{ vars.ARTEFACT_BUCKET_ENDPONT }} ARTEFACT_BUCKET_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }} AWS_ACCESS_KEY_ID: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }} AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }} AWS_EC2_METADATA_DISABLED: true SUMMARY_FILE: ${{ runner.temp }}/summary.md steps: - name: Checkout uses: actions/checkout@v4 - name: Setup Go uses: actions/setup-go@v5 with: go-version: '1.26.1' check-latest: true cache: true cache-dependency-path: go.sum - name: Cache security tools uses: actions/cache@v4 with: path: | ~/.cache/go-build ~/go/bin key: ${{ runner.os }}-go-security-tools-${{ hashFiles('**/go.mod', '**/go.sum') }} restore-keys: | ${{ runner.os }}-go-security-tools- - name: Verify module hygiene run: | set -euo pipefail go mod tidy git diff --exit-code go.mod go.sum go mod verify - name: Install security tools run: | set -euo pipefail go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3 go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 - name: Install AWS CLI v2 uses: ankurk91/install-aws-cli-action@v1 - name: Verify AWS CLI run: aws --version - name: Prepare test runtime run: | set -euo pipefail apt-get update apt-get install -y ruby git config --global user.name "gitea-actions[bot]" git config --global user.email "gitea-actions[bot]@users.noreply.local" - name: Run full unit test suite with coverage id: coverage-tests run: | set -euo pipefail go test -covermode=atomic -coverprofile=coverage.out ./... | tee go-test-coverage.log go tool cover -html=coverage.out -o coverage.html total="$(go tool cover -func=coverage.out | awk '/^total:/ {sub(/%/, "", $3); print $3}')" printf '{\n "total": "%s"\n}\n' "$total" > coverage-summary.json printf 'total=%s\n' "$total" >> "$GITHUB_OUTPUT" set +e awk ' /^ok[[:space:]]/ && /coverage: [0-9.]+% of statements/ { pkg = $2 cov = $0 sub(/^.*coverage: /, "", cov) sub(/% of statements.*$/, "", cov) status = "target" if (cov + 0 < 50) { status = "fail" fail = 1 } else if (cov + 0 < 65) { status = "high-risk" } else if (cov + 0 < 80) { status = "warning" } printf "%s %.1f %s\n", pkg, cov + 0, status } END { if (fail) { exit 2 } } ' go-test-coverage.log > coverage-packages.raw package_gate_status=$? set -e { echo '| Package | Coverage | Status |' echo '| --- | ---: | --- |' } > coverage-packages.md while read -r pkg cov status; do case "$status" in fail) pretty='FAIL (<50%)' ;; high-risk) pretty='High risk (50%-64.99%)' ;; warning) pretty='Warning (65%-79.99%)' ;; *) pretty='Target (>=80%)' ;; esac printf '| `%s` | %.1f%% | %s |\n' "$pkg" "$cov" "$pretty" >> coverage-packages.md done < coverage-packages.raw if [[ "$package_gate_status" -ne 0 ]]; then echo "Per-package coverage gate failed: one or more packages are below 50%." >&2 exit 1 fi - name: Publish coverage artefacts id: coverage-badge uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.0.1 with: coverage-profile: coverage.out coverage-html: coverage.html coverage-badge: coverage-badge.svg coverage-summary: coverage-summary.json artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }} artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }} branch-name: ${{ github.ref_name }} repository-name: ${{ github.repository }} summary-file: ${{ env.SUMMARY_FILE }} - name: Run security analysis run: | set -euo pipefail "$(go env GOPATH)/bin/gosec" ./... "$(go env GOPATH)/bin/govulncheck" ./... - name: Run behavior suite on main pushes if: ${{ github.ref == 'refs/heads/main' }} run: ./script/run-behavior-suite-docker.sh - name: Summary if: ${{ always() }} run: | if [[ -f "$SUMMARY_FILE" ]]; then cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY" fi