Skip to content

chore: remove stale go.work.sum; release 0.1.3 (#58) #312

chore: remove stale go.work.sum; release 0.1.3 (#58)

chore: remove stale go.work.sum; release 0.1.3 (#58) #312

Workflow file for this run

# Strict CI pipeline for hawk-eco Go repos.
# All jobs must pass — no continue-on-error except where explicitly noted.
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions:
contents: read
security-events: write
pull-requests: read
concurrency:
group: ci-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
GO_VERSION: "1.26.4"
GOPRIVATE: "github.com/GrayCodeAI/*"
GONOSUMDB: "github.com/GrayCodeAI/*"
GONOSUMCHECK: "1"
jobs:
# -------------------------------------------------------------------------
# 1. Format — gofumpt + goimports must be clean (zero tolerance).
# -------------------------------------------------------------------------
format:
name: format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Boundary guard
run: bash ./scripts/check-ecosystem-boundaries.sh
- name: gofumpt
run: |
go install mvdan.cc/gofumpt@v0.10.0
out=$(gofumpt -l .)
if [ -n "$out" ]; then
echo "::error::gofumpt would reformat:"
echo "$out" | head -20
exit 1
fi
- name: goimports
run: |
go install golang.org/x/tools/cmd/goimports@v0.30.0
out=$(goimports -l .)
if [ -n "$out" ]; then
echo "::error::goimports would reformat:"
echo "$out" | head -20
exit 1
fi
# -------------------------------------------------------------------------
# 2. Module hygiene — tidy, verify, no stray replace directives.
# -------------------------------------------------------------------------
module:
name: module hygiene
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Clone tok (workspace dep)
run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok
- name: go mod tidy
run: |
go mod tidy
if ! git diff --quiet -- go.mod go.sum; then
echo "::error::go.mod / go.sum out of date — run 'go mod tidy'"
git diff -- go.mod go.sum
exit 1
fi
- name: go mod verify
run: go mod verify
- name: no stray replace directives
run: |
if grep -q "^\s*replace" go.mod; then
echo "::warning::go.mod contains replace directives (should use go.work for local dev)"
fi
# -------------------------------------------------------------------------
# 3. Vet + static analysis — compiler-level correctness.
# -------------------------------------------------------------------------
vet:
name: vet
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Clone tok (workspace dep)
run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok
- name: go vet
run: go vet ./...
# -------------------------------------------------------------------------
# 4. Lint — golangci-lint with project-specific config.
# -------------------------------------------------------------------------
lint:
name: lint
runs-on: ubuntu-latest
needs: [format, vet]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Clone tok (workspace dep)
run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok
- name: Boundary guard
run: bash ./scripts/check-ecosystem-boundaries.sh
- name: Run golangci-lint
run: |
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.0
golangci-lint run --timeout=5m
# -------------------------------------------------------------------------
# 5. Tests — race detector, coverage threshold, test shuffling.
# -------------------------------------------------------------------------
test:
name: test (race + coverage)
runs-on: ubuntu-latest
needs: [format, vet]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Clone tok (workspace dep)
run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok
- name: Boundary guard
run: bash ./scripts/check-ecosystem-boundaries.sh
- name: Test with race detector
run: go test ./... -race -count=1 -shuffle=on -coverprofile=coverage.out -covermode=atomic -timeout=300s
- name: Coverage summary
run: |
coverage=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | tr -d '%' | tail -1)
echo "Coverage: ${coverage}%"
echo "COVERAGE=${coverage}" >> "$GITHUB_ENV"
- name: Coverage threshold (minimum 60%)
run: |
if (( $(echo "${COVERAGE} < 60" | bc -l) )); then
echo "::error::Coverage ${COVERAGE}% is below minimum 60%"
exit 1
fi
- name: Upload coverage
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: coverage-${{ github.job }}
path: coverage.out
retention-days: 30
# -------------------------------------------------------------------------
# 6. Security — vulnerability scan + secret detection.
# -------------------------------------------------------------------------
security:
name: security
runs-on: ubuntu-latest
needs: [format, vet]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Clone tok (workspace dep)
run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok
- name: govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
govulncheck ./...
- name: gosec (advisory)
run: |
go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
gosec -exclude=G104,G703,G704,G101,G107,G112,G114,G115,G201,G202,G203,G204,G301,G302,G304,G305,G306,G307,G401,G402,G403,G404,G501,G502,G503,G504,G505,G601,G602 -confidence=medium -severity=high ./...
# -------------------------------------------------------------------------
# Dead code detection.
# -------------------------------------------------------------------------
deadcode:
name: deadcode
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Clone tok (workspace dep)
run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok
- name: deadcode
run: |
go install golang.org/x/tools/cmd/deadcode@v0.30.0
deadcode ./... 2>&1 | head -50
# -------------------------------------------------------------------------
# Duplication detection — jscpd.
# -------------------------------------------------------------------------
jscpd:
name: duplication
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24'
- name: jscpd
run: |
npx jscpd --min-lines 5 --min-tokens 50 --reporters console --blame . 2>&1 | head -50
# -------------------------------------------------------------------------
# 7. Secret scan — detect leaked API keys, tokens, credentials.
# -------------------------------------------------------------------------
secrets:
name: secrets
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: trufflesecurity/trufflehog@0fa069c12f0c7baf431041cd1e564a9c5058846c # main 2026-05-18
with:
extra_args: --only-verified
# -------------------------------------------------------------------------
# 8. Markdown lint — validate documentation quality.
# -------------------------------------------------------------------------
markdown:
name: markdown
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run markdownlint-cli2
run: |
npm install -g markdownlint-cli2
markdownlint-cli2 '**/*.md'
# -------------------------------------------------------------------------
# 9. Cross-platform build matrix — zero CGO, all targets.
# -------------------------------------------------------------------------
build:
name: build (${{ matrix.goos }}/${{ matrix.goarch }})
runs-on: ubuntu-latest
needs: [format, lint, test, security]
strategy:
fail-fast: false
matrix:
goos: [linux, darwin, windows]
goarch: [amd64, arm64]
exclude:
- goos: windows
goarch: arm64
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: ${{ env.GO_VERSION }}
cache: true
- name: Clone tok (workspace dep)
run: git clone --depth=1 https://github.com/GrayCodeAI/tok.git ../tok
- name: Build (library — cross-compile all packages)
env:
GOOS: ${{ matrix.goos }}
GOARCH: ${{ matrix.goarch }}
CGO_ENABLED: "0"
run: go build -trimpath -v ./...