chore: remove stale go.work.sum; release 0.1.3 (#58) #312
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Strict CI pipeline for hawk-eco Go repos. | |
| # All jobs must pass — no continue-on-error except where explicitly noted. | |
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| security-events: write | |
| pull-requests: read | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| GO_VERSION: "1.26.4" | |
| GOPRIVATE: "github.com/GrayCodeAI/*" | |
| GONOSUMDB: "github.com/GrayCodeAI/*" | |
| GONOSUMCHECK: "1" | |
| jobs: | |
| # ------------------------------------------------------------------------- | |
| # 1. Format — gofumpt + goimports must be clean (zero tolerance). | |
| # ------------------------------------------------------------------------- | |
| format: | |
| name: format | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Boundary guard | |
| run: bash ./scripts/check-ecosystem-boundaries.sh | |
| - name: gofumpt | |
| run: | | |
| go install mvdan.cc/gofumpt@v0.10.0 | |
| out=$(gofumpt -l .) | |
| if [ -n "$out" ]; then | |
| echo "::error::gofumpt would reformat:" | |
| echo "$out" | head -20 | |
| exit 1 | |
| fi | |
| - name: goimports | |
| run: | | |
| go install golang.org/x/tools/cmd/goimports@v0.30.0 | |
| out=$(goimports -l .) | |
| if [ -n "$out" ]; then | |
| echo "::error::goimports would reformat:" | |
| echo "$out" | head -20 | |
| exit 1 | |
| fi | |
| # ------------------------------------------------------------------------- | |
| # 2. Module hygiene — tidy, verify, no stray replace directives. | |
| # ------------------------------------------------------------------------- | |
| module: | |
| name: module hygiene | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Clone tok (workspace dep) | |
| run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok | |
| - name: go mod tidy | |
| run: | | |
| go mod tidy | |
| if ! git diff --quiet -- go.mod go.sum; then | |
| echo "::error::go.mod / go.sum out of date — run 'go mod tidy'" | |
| git diff -- go.mod go.sum | |
| exit 1 | |
| fi | |
| - name: go mod verify | |
| run: go mod verify | |
| - name: no stray replace directives | |
| run: | | |
| if grep -q "^\s*replace" go.mod; then | |
| echo "::warning::go.mod contains replace directives (should use go.work for local dev)" | |
| fi | |
| # ------------------------------------------------------------------------- | |
| # 3. Vet + static analysis — compiler-level correctness. | |
| # ------------------------------------------------------------------------- | |
| vet: | |
| name: vet | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Clone tok (workspace dep) | |
| run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok | |
| - name: go vet | |
| run: go vet ./... | |
| # ------------------------------------------------------------------------- | |
| # 4. Lint — golangci-lint with project-specific config. | |
| # ------------------------------------------------------------------------- | |
| lint: | |
| name: lint | |
| runs-on: ubuntu-latest | |
| needs: [format, vet] | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Clone tok (workspace dep) | |
| run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok | |
| - name: Boundary guard | |
| run: bash ./scripts/check-ecosystem-boundaries.sh | |
| - name: Run golangci-lint | |
| run: | | |
| go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.0 | |
| golangci-lint run --timeout=5m | |
| # ------------------------------------------------------------------------- | |
| # 5. Tests — race detector, coverage threshold, test shuffling. | |
| # ------------------------------------------------------------------------- | |
| test: | |
| name: test (race + coverage) | |
| runs-on: ubuntu-latest | |
| needs: [format, vet] | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Clone tok (workspace dep) | |
| run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok | |
| - name: Boundary guard | |
| run: bash ./scripts/check-ecosystem-boundaries.sh | |
| - name: Test with race detector | |
| run: go test ./... -race -count=1 -shuffle=on -coverprofile=coverage.out -covermode=atomic -timeout=300s | |
| - name: Coverage summary | |
| run: | | |
| coverage=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | tr -d '%' | tail -1) | |
| echo "Coverage: ${coverage}%" | |
| echo "COVERAGE=${coverage}" >> "$GITHUB_ENV" | |
| - name: Coverage threshold (minimum 60%) | |
| run: | | |
| if (( $(echo "${COVERAGE} < 60" | bc -l) )); then | |
| echo "::error::Coverage ${COVERAGE}% is below minimum 60%" | |
| exit 1 | |
| fi | |
| - name: Upload coverage | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: coverage-${{ github.job }} | |
| path: coverage.out | |
| retention-days: 30 | |
| # ------------------------------------------------------------------------- | |
| # 6. Security — vulnerability scan + secret detection. | |
| # ------------------------------------------------------------------------- | |
| security: | |
| name: security | |
| runs-on: ubuntu-latest | |
| needs: [format, vet] | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Clone tok (workspace dep) | |
| run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok | |
| - name: govulncheck | |
| run: | | |
| go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 | |
| govulncheck ./... | |
| - name: gosec (advisory) | |
| run: | | |
| go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4 | |
| gosec -exclude=G104,G703,G704,G101,G107,G112,G114,G115,G201,G202,G203,G204,G301,G302,G304,G305,G306,G307,G401,G402,G403,G404,G501,G502,G503,G504,G505,G601,G602 -confidence=medium -severity=high ./... | |
| # ------------------------------------------------------------------------- | |
| # Dead code detection. | |
| # ------------------------------------------------------------------------- | |
| deadcode: | |
| name: deadcode | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Clone tok (workspace dep) | |
| run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok | |
| - name: deadcode | |
| run: | | |
| go install golang.org/x/tools/cmd/deadcode@v0.30.0 | |
| deadcode ./... 2>&1 | head -50 | |
| # ------------------------------------------------------------------------- | |
| # Duplication detection — jscpd. | |
| # ------------------------------------------------------------------------- | |
| jscpd: | |
| name: duplication | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: '24' | |
| - name: jscpd | |
| run: | | |
| npx jscpd --min-lines 5 --min-tokens 50 --reporters console --blame . 2>&1 | head -50 | |
| # ------------------------------------------------------------------------- | |
| # 7. Secret scan — detect leaked API keys, tokens, credentials. | |
| # ------------------------------------------------------------------------- | |
| secrets: | |
| name: secrets | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: trufflesecurity/trufflehog@0fa069c12f0c7baf431041cd1e564a9c5058846c # main 2026-05-18 | |
| with: | |
| extra_args: --only-verified | |
| # ------------------------------------------------------------------------- | |
| # 8. Markdown lint — validate documentation quality. | |
| # ------------------------------------------------------------------------- | |
| markdown: | |
| name: markdown | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Run markdownlint-cli2 | |
| run: | | |
| npm install -g markdownlint-cli2 | |
| markdownlint-cli2 '**/*.md' | |
| # ------------------------------------------------------------------------- | |
| # 9. Cross-platform build matrix — zero CGO, all targets. | |
| # ------------------------------------------------------------------------- | |
| build: | |
| name: build (${{ matrix.goos }}/${{ matrix.goarch }}) | |
| runs-on: ubuntu-latest | |
| needs: [format, lint, test, security] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| goos: [linux, darwin, windows] | |
| goarch: [amd64, arm64] | |
| exclude: | |
| - goos: windows | |
| goarch: arm64 | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Clone tok (workspace dep) | |
| run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok | |
| - name: Build (library — cross-compile all packages) | |
| env: | |
| GOOS: ${{ matrix.goos }} | |
| GOARCH: ${{ matrix.goarch }} | |
| CGO_ENABLED: "0" | |
| run: go build -trimpath -v ./... |