aether/gosick
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f93a3d5329d8a67f122f3a091e9330cf43bac47
gosick/.gitea/workflows/push-validation.yml
Micheal Wilkinson 3104feb738 ci(push-validation): skip branch pushes with open PR
2026-03-21 22:36:23 +00:00

225 lines
7.2 KiB
YAML
Raw Blame History

name: Push Validation
on:
push:
branches:
- "**"
tags-ignore:
- "*"
concurrency:
group: ci-${{ github.ref_name }}
cancel-in-progress: true
jobs:
check-open-pr:
runs-on: ubuntu-latest
container: docker.io/catthehacker/ubuntu:act-latest
outputs:
should_run: ${{ steps.detect.outputs.should_run }}
steps:
- name: Detect open PR for branch
id: detect
env:
REPOSITORY: ${{ github.repository }}
OWNER: ${{ github.repository_owner }}
BRANCH: ${{ github.ref_name }}
SERVER_URL: ${{ github.server_url }}
TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
api_url="${SERVER_URL}/api/v1/repos/${REPOSITORY}/pulls?state=open&head=${OWNER}:${BRANCH}"
auth_args=()
if [[ -n "${TOKEN:-}" ]]; then
auth_args=(-H "Authorization: token ${TOKEN}")
fi
response="$(curl -fsSL "${auth_args[@]}" -H 'accept: application/json' "$api_url" || echo '[]')"
open_prs="$(printf '%s' "$response" | grep -o '"number":[0-9]\+' | wc -l | tr -d ' ')"
if [[ "$open_prs" -gt 0 ]]; then
echo "should_run=false" >> "$GITHUB_OUTPUT"
echo "Open PR detected for ${OWNER}:${BRANCH}; skipping push validation." >> "$GITHUB_STEP_SUMMARY"
else
echo "should_run=true" >> "$GITHUB_OUTPUT"
echo "No open PR detected for ${OWNER}:${BRANCH}; running push validation." >> "$GITHUB_STEP_SUMMARY"
fi
validate:
needs: check-open-pr
if: ${{ needs.check-open-pr.outputs.should_run == 'true' }}
runs-on: ubuntu-latest
container: docker.io/catthehacker/ubuntu:act-latest
defaults:
run:
shell: bash
env:
ARTEFACT_BUCKET_NAME: ${{ vars.ARTEFACT_BUCKET_NAME }}
ARTEFACT_BUCKET_ENDPONT: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
ARTEFACT_BUCKET_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
AWS_EC2_METADATA_DISABLED: true
GOTOOLCHAIN: auto
SUMMARY_FILE: ${{ runner.temp }}/summary.md
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: '1.26.1'
check-latest: true
cache: true
cache-dependency-path: go.sum
- name: Cache Go modules and build cache
uses: actions/cache@v4
with:
path: |
~/go/pkg/mod
~/.cache/go-build
~/go/bin
key: ${{ runner.os }}-go-cache-${{ hashFiles('**/go.mod', '**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-cache-
- name: Verify module hygiene
run: |
set -euo pipefail
go mod tidy
git diff --exit-code go.mod go.sum
go mod verify
- name: Check code formatting
run: |
set -euo pipefail
fmt_output=$(go fmt ./...)
if [[ -n "$fmt_output" ]]; then
echo "Code formatting check failed. The following files need formatting:" >&2
echo "$fmt_output" >&2
exit 1
fi
- name: Run Gosec Security Scanner
run: |
set -euo pipefail
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...
- name: Run Go Vulnerability Check
uses: golang/govulncheck-action@v1.0.4
with:
go-package: ./...
cache: true
cache-dependency-path: go.sum
- name: Install AWS CLI v2
uses: ankurk91/install-aws-cli-action@v1
- name: Verify AWS CLI
run: aws --version
- name: Prepare test runtime
run: |
set -euo pipefail
apt-get update
apt-get install -y ruby
git config --global user.name "gitea-actions[bot]"
git config --global user.email "gitea-actions[bot]@users.noreply.local"
- name: Run full unit test suite with coverage
id: coverage-tests
run: |
set -euo pipefail
go test -covermode=atomic -coverprofile=coverage.out ./... | tee go-test-coverage.log
go tool cover -html=coverage.out -o coverage.html
total="$(go tool cover -func=coverage.out | awk '/^total:/ {sub(/%/, "", $3); print $3}')"
printf '{\n "total": "%s"\n}\n' "$total" > coverage-summary.json
printf 'total=%s\n' "$total" >> "$GITHUB_OUTPUT"
set +e
awk '
/^ok[[:space:]]/ && /coverage: [0-9.]+% of statements/ {
pkg = $2
cov = $0
sub(/^.*coverage: /, "", cov)
sub(/% of statements.*$/, "", cov)
status = "target"
if (cov + 0 < 50) {
status = "fail"
fail = 1
} else if (cov + 0 < 65) {
status = "high-risk"
} else if (cov + 0 < 80) {
status = "warning"
}
printf "%s %.1f %s\n", pkg, cov + 0, status
}
END {
if (fail) {
exit 2
}
}
' go-test-coverage.log > coverage-packages.raw
package_gate_status=$?
set -e
{
echo '| Package | Coverage | Status |'
echo '| --- | ---: | --- |'
} > coverage-packages.md
while read -r pkg cov status; do
case "$status" in
fail)
pretty='FAIL (<50%)'
;;
high-risk)
pretty='High risk (50%-64.99%)'
;;
warning)
pretty='Warning (65%-79.99%)'
;;
*)
pretty='Target (>=80%)'
;;
esac
printf '| `%s` | %.1f%% | %s |\n' "$pkg" "$cov" "$pretty" >> coverage-packages.md
done < coverage-packages.raw
if [[ "$package_gate_status" -ne 0 ]]; then
echo "Per-package coverage gate failed: one or more packages are below 50%." >&2
exit 1
fi
- name: Publish coverage artefacts
id: coverage-badge
uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
with:
coverage-profile: coverage.out
coverage-html: coverage.html
coverage-badge: coverage-badge.svg
coverage-summary: coverage-summary.json
artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
branch-name: ${{ github.ref_name }}
repository-name: ${{ github.repository }}
summary-file: ${{ env.SUMMARY_FILE }}
- name: Run behavior suite on main pushes
if: ${{ github.ref == 'refs/heads/main' }}
run: ./script/run-behavior-suite-docker.sh
- name: Summary
if: ${{ always() }}
run: |
if [[ -f "$SUMMARY_FILE" ]]; then
cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY"
fi
Reference in New Issue View Git Blame Copy Permalink