gosick/.gitea/workflows/push-validation.yml

name: Push Validation

on:
  push:
    branches:
      - "**"
    tags-ignore:
      - "*"

jobs:
  validate:
    runs-on: ubuntu-latest
    container: docker.io/catthehacker/ubuntu:act-latest
    defaults:
      run:
        shell: bash
    env:
      ARTEFACT_BUCKET_NAME: ${{ vars.ARTEFACT_BUCKET_NAME }}
      ARTEFACT_BUCKET_ENDPONT: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
      ARTEFACT_BUCKET_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_ACCESS_KEY_ID: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_KEY }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
      AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      AWS_EC2_METADATA_DISABLED: true
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.26.1'
          check-latest: true
          cache: true
          cache-dependency-path: go.sum

      - name: Install security tools
        run: |
          set -euo pipefail
          go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3
          go install golang.org/x/vuln/cmd/govulncheck@v1.1.4

      - name: Install AWS CLI v2
        uses: ankurk91/install-aws-cli-action@v1

      - name: Verify AWS CLI
        run: aws --version

      - name: Run full unit test suite with coverage
        id: coverage
        run: |
          set -euo pipefail

          go test -covermode=atomic -coverprofile=coverage.out ./...
          go tool cover -html=coverage.out -o coverage.html

          total="$(go tool cover -func=coverage.out | awk '/^total:/ {sub(/%/, "", $3); print $3}')"
          printf '{\n  "total": "%s"\n}\n' "$total" > coverage-summary.json
          printf 'total=%s\n' "$total" >> "$GITHUB_OUTPUT"

      - name: Run security analysis
        run: |
          set -euo pipefail
          "$(go env GOPATH)/bin/gosec" ./...
          "$(go env GOPATH)/bin/govulncheck" ./...

      - name: Generate coverage badge
        env:
          COVERAGE_TOTAL: ${{ steps.coverage.outputs.total }}
        run: |
          set -euo pipefail

          color="$(awk -v total="$COVERAGE_TOTAL" 'BEGIN {
            if (total >= 80) print "brightgreen";
            else if (total >= 70) print "green";
            else if (total >= 60) print "yellowgreen";
            else if (total >= 50) print "yellow";
            else print "red";
          }')"

          cat > coverage-badge.svg <<EOF
          <svg xmlns="http://www.w3.org/2000/svg" width="126" height="20" role="img" aria-label="coverage: ${COVERAGE_TOTAL}%">
            <linearGradient id="smooth" x2="0" y2="100%">
              <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
              <stop offset="1" stop-opacity=".1"/>
            </linearGradient>
            <clipPath id="round">
              <rect width="126" height="20" rx="3" fill="#fff"/>
            </clipPath>
            <g clip-path="url(#round)">
              <rect width="63" height="20" fill="#555"/>
              <rect x="63" width="63" height="20" fill="${color}"/>
              <rect width="126" height="20" fill="url(#smooth)"/>
            </g>
            <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" font-size="11">
              <text x="32.5" y="15" fill="#010101" fill-opacity=".3">coverage</text>
              <text x="32.5" y="14">coverage</text>
              <text x="93.5" y="15" fill="#010101" fill-opacity=".3">${COVERAGE_TOTAL}%</text>
              <text x="93.5" y="14">${COVERAGE_TOTAL}%</text>
            </g>
          </svg>
          EOF

      - name: Upload branch coverage artefacts
        id: upload
        run: |
          set -euo pipefail

          aws configure set default.s3.addressing_style path

          repo_name="${GITHUB_REPOSITORY##*/}"
          prefix="${repo_name}/branch/${GITHUB_REF_NAME}"
          report_url="${ARTEFACT_BUCKET_ENDPONT%/}/${ARTEFACT_BUCKET_NAME}/${prefix}/coverage.html"
          badge_url="${ARTEFACT_BUCKET_ENDPONT%/}/${ARTEFACT_BUCKET_NAME}/${prefix}/coverage-badge.svg"

          aws --endpoint-url "${ARTEFACT_BUCKET_ENDPONT}" s3 cp coverage.html "s3://${ARTEFACT_BUCKET_NAME}/${prefix}/coverage.html" --content-type text/html
          aws --endpoint-url "${ARTEFACT_BUCKET_ENDPONT}" s3 cp coverage-badge.svg "s3://${ARTEFACT_BUCKET_NAME}/${prefix}/coverage-badge.svg" --content-type image/svg+xml
          aws --endpoint-url "${ARTEFACT_BUCKET_ENDPONT}" s3 cp coverage-summary.json "s3://${ARTEFACT_BUCKET_NAME}/${prefix}/coverage-summary.json" --content-type application/json

          printf 'report_url=%s\n' "$report_url" >> "$GITHUB_OUTPUT"
          printf 'badge_url=%s\n' "$badge_url" >> "$GITHUB_OUTPUT"

      - name: Add coverage summary
        run: |
          {
            echo '## Coverage'
            echo
            echo '- Total: `${{ steps.coverage.outputs.total }}%`'
            echo '- Report: ${{ steps.upload.outputs.report_url }}'
            echo '- Badge: ${{ steps.upload.outputs.badge_url }}'
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Run behavior suite on main pushes
        if: ${{ github.ref == 'refs/heads/main' }}
        run: ./script/run-behavior-suite-docker.sh