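---
# Push Validation
#
# Runs on every branch push (tag pushes are ignored): formatting, module
# hygiene, gosec, govulncheck and the unit-test suite with coverage, then
# publishes coverage-badge artefacts to an S3-compatible bucket. On pushes to
# main a second job recommends the next release tag.
#
# Supply-chain note: every `uses:` below is pinned to a mutable tag. Pinning to
# a full commit SHA gives a stronger guarantee that the action code cannot be
# swapped underneath this workflow; keep the tag in a trailing comment if you
# do so.
name: Push Validation

on:
  push:
    branches:
      - "**"
    tags-ignore:
      - "*"

# Least privilege for the workflow token: no job here writes back to the
# repository, so read-only is enough. Runners that do not implement
# `permissions` simply ignore this key.
permissions:
  contents: read

jobs:
  coverage-badge:
    runs-on: ubuntu-latest
    container: docker.io/catthehacker/ubuntu:act-latest
    defaults:
      run:
        shell: bash
    env:
      # Only non-secret bucket metadata lives at job scope. The write
      # credentials are scoped to the single step that publishes (below) so
      # that `go test`, gosec, govulncheck and the tooling downloads never run
      # with them in their environment.
      #
      # NOTE: ENDPONT keeps its existing spelling because it must match the
      # repository variable as configured; rename both together if desired.
      ARTEFACT_BUCKET_NAME: ${{ vars.ARTEFACT_BUCKET_NAME }}
      ARTEFACT_BUCKET_ENDPONT: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
      ARTEFACT_BUCKET_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
      SUMMARY_FILE: ${{ runner.temp }}/push-validation-summary.md
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.26.1'
          check-latest: true
          cache: true
          cache-dependency-path: go.sum

      - name: Validate formatting
        # gofmt -l prints unformatted files; an empty list means the tree is clean.
        run: test -z "$(gofmt -l .)"

      - name: Module hygiene
        # `go mod tidy` rewrites go.mod/go.sum but never fails on drift; the
        # diff check is what actually turns an untidy module into a failure.
        # `go mod verify` then checks the module cache against go.sum.
        run: |
          set -euo pipefail
          go mod tidy
          git diff --exit-code -- go.mod go.sum
          go mod verify

      - name: Restore cached gosec binary
        id: cache-gosec
        uses: actions/cache@v4
        with:
          path: ${{ runner.temp }}/gosec-bin
          # Version is part of the key so a bump of gosec below invalidates the cache.
          key: gosec-v2.22.4-${{ runner.os }}-${{ runner.arch }}

      - name: Install gosec binary
        if: steps.cache-gosec.outputs.cache-hit != 'true'
        # Pinned module version; `go install` verifies it against the checksum database.
        run: |
          set -euo pipefail
          mkdir -p "${RUNNER_TEMP}/gosec-bin"
          GOBIN="${RUNNER_TEMP}/gosec-bin" go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4

      - name: Run gosec security analysis
        run: |
          set -euo pipefail
          "${RUNNER_TEMP}/gosec-bin/gosec" ./...

      - name: Run govulncheck
        uses: golang/govulncheck-action@v1.0.4
        with:
          go-package: ./...
          cache: true
          cache-dependency-path: go.sum

      - name: Run full unit test suite with coverage
        run: |
          set -euo pipefail
          go test -covermode=atomic -coverprofile=coverage.out ./...

      - name: Publish coverage badge artefacts
        id: coverage
        uses: ./coverage-badge
        # Bucket write credentials are exposed to this step only. Assumes no
        # earlier step needs to reach the bucket (the unit tests included) —
        # confirm if an integration test talks to it.
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
          AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
          # Quoted so the SDK sees the literal string "true" rather than a
          # parser-dependent boolean rendering.
          AWS_EC2_METADATA_DISABLED: "true"
        with:
          artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
          artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
          summary-file: ${{ env.SUMMARY_FILE }}

      - name: Summary
        if: ${{ always() }}
        run: |
          set -euo pipefail
          echo 'Summary'
          echo
          if [[ -s "$SUMMARY_FILE" ]]; then
            cat "$SUMMARY_FILE"
          else
            echo 'No summary generated.'
          fi

  recommend-release:
    runs-on: ubuntu-latest
    container: docker.io/catthehacker/ubuntu:act-latest
    needs: coverage-badge
    if: ${{ github.ref == 'refs/heads/main' }}
    defaults:
      run:
        shell: bash
    env:
      SUMMARY_FILE: ${{ runner.temp }}/push-validation-recommend-summary.md
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        # NOTE(review): if `--recommend` below derives the next tag from git
        # history or existing tags, the default shallow checkout may hide
        # them; `fetch-depth: 0` would be needed — confirm against the tool.

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.26.1'
          check-latest: true
          cache: true
          cache-dependency-path: go.sum

      - name: Recommend next release tag on main pushes
        # A failed recommendation is reported as a workflow warning and in the
        # summary; it does not fail the job. stderr is captured to a file and
        # collapsed to one line so it is safe to emit as a single `::warning::`.
        run: |
          set -euo pipefail
          if recommended_tag="$(go run ./cmd/vociferate --recommend --root . 2>release-recommendation.err)"; then
            {
              echo
              echo '## Release Recommendation'
              echo
              echo "- Recommended next tag: \`${recommended_tag}\`"
            } >> "$SUMMARY_FILE"
          else
            recommendation_error="$(tr '\n' ' ' < release-recommendation.err | sed 's/[[:space:]]\+/ /g' | sed 's/^ //; s/ $//')"
            echo "::warning::${recommendation_error}"
            {
              echo
              echo '## Release Recommendation'
              echo
              echo "- No recommended tag emitted: ${recommendation_error}"
            } >> "$SUMMARY_FILE"
          fi

      - name: Summary
        if: ${{ always() }}
        run: |
          set -euo pipefail
          echo 'Summary'
          echo
          if [[ -s "$SUMMARY_FILE" ]]; then
            cat "$SUMMARY_FILE"
          else
            echo 'No summary generated.'
          fi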