Update dependencies, workflow actions, and Go version matrix #10
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| go-version: ['1.24.x', '1.25.x'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| cache: true | |
| - name: Install dependencies | |
| run: go get . | |
| - name: Build | |
| run: go build -v ./... | |
| - name: Test with coverage | |
| run: go test -v -race -coverprofile=coverage.txt -covermode=atomic ./... | |
| - name: Upload coverage | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| file: ./coverage.txt | |
| flags: unittests | |
| fail_ci_if_error: false | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| cache: true | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@v6 | |
| with: | |
| version: latest | |
| args: --timeout=5m | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| cache: true | |
| - name: Run govulncheck | |
| run: | | |
| go install golang.org/x/vuln/cmd/govulncheck@latest | |
| govulncheck ./... | |
| - name: Run gosec | |
| uses: securego/gosec@master | |
| with: | |
| args: '-no-fail -fmt sarif -out results.sarif ./...' | |
| - name: Run Semgrep | |
| uses: semgrep/semgrep-action@v1 | |
| with: | |
| config: auto | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Run Gitleaks | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run TruffleHog | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| sbom: | |
| name: SBOM & Vulnerability Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| cache: true | |
| - name: Build binary for SBOM | |
| run: go build -o drift-analysis-cli | |
| - name: Generate SBOM with Syft | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| path: ./ | |
| format: spdx-json | |
| output-file: sbom.spdx.json | |
| - name: Scan SBOM with Grype | |
| uses: anchore/scan-action@v4 | |
| with: | |
| path: ./ | |
| fail-build: false | |
| output-format: sarif | |
| output-file: grype-results.sarif | |
| - name: Upload SBOM artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom | |
| path: sbom.spdx.json | |
| retention-days: 30 | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| goos: [linux, darwin, windows] | |
| goarch: [amd64, arm64] | |
| exclude: | |
| - goos: windows | |
| goarch: arm64 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| cache: true | |
| - name: Build binary | |
| env: | |
| GOOS: ${{ matrix.goos }} | |
| GOARCH: ${{ matrix.goarch }} | |
| run: | | |
| if [ "$GOOS" = "windows" ]; then | |
| go build -v -o drift-analysis-cli.exe | |
| else | |
| go build -v -o drift-analysis-cli | |
| fi | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: drift-analysis-cli-${{ matrix.goos }}-${{ matrix.goarch }} | |
| path: drift-analysis-cli* | |
| retention-days: 7 | |
| validate: | |
| name: Validate | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| cache: true | |
| - name: Check formatting | |
| run: | | |
| if [ -n "$(gofmt -s -l .)" ]; then | |
| echo "Go code is not formatted:" | |
| gofmt -s -d . | |
| exit 1 | |
| fi | |
| - name: Run go vet | |
| run: go vet ./... | |
| - name: Check for ineffectual assignments | |
| run: | | |
| go install github.com/gordonklaus/ineffassign@latest | |
| ineffassign ./... | |
| - name: Check for suspicious constructs | |
| run: | | |
| go install honnef.co/go/tools/cmd/staticcheck@latest | |
| staticcheck ./... |