feat(hawk): production hardening — adopt top-50 OSS patterns #119
Workflow file for this run
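# CI workflow: tests, lint, security scans, cross-platform builds and
# (on pull requests only) benchmarks.
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# (@v4, @v7). Pinning each `uses:` to a full commit SHA keeps a moved tag from
# changing what executes in this pipeline.
name: CI

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]

# Least privilege: the workflow token may only read repository contents.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): checkout keeps the token in the local git config by
      # default; consider `persist-credentials: false` if setup-deps does not
      # rely on it (setup-deps is not visible here — confirm first).
      - uses: actions/checkout@v4
      # Local composite action; it receives the workflow token explicitly.
      - uses: ./.github/actions/setup-deps
        with:
          token: ${{ github.token }}
      - name: Run tests with race detector
        run: go test -race -count=1 -timeout=120s ./...
      - name: Run tests with coverage
        run: |
          go test -race -coverprofile=coverage.out -covermode=atomic -timeout=120s ./...
          go tool cover -func=coverage.out | grep "^total:"
      - name: Upload coverage
        uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage.out

  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-deps
        with:
          token: ${{ github.token }}
      - uses: golangci/golangci-lint-action@v7
        with:
          version: v2.1.0
          install-mode: goinstall
          verify: false
          args: --timeout 5m

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-deps
        with:
          token: ${{ github.token }}
      - name: Run govulncheck
        # NOTE(review): @latest is resolved at run time, so the scanner binary
        # can change between runs; pin a reviewed release for reproducibility.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
      # Installation is its own step so that a failed install still fails the
      # job; only the scan itself is advisory.
      - name: Install gosec
        # NOTE(review): same @latest caveat as govulncheck above.
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
      - name: Run gosec
        # Advisory: findings do not fail the job, but the step is shown as
        # failed instead of being silently masked by `|| true`. Remove
        # continue-on-error once the findings baseline is clean.
        # Excluded rules leave these classes unscanned: G104 (unchecked
        # errors), G301/G302/G306 (directory/file permission modes) and
        # G304 (file path built from variable input).
        continue-on-error: true
        run: gosec -exclude=G104,G301,G302,G304,G306 ./...

  build:
    runs-on: ubuntu-latest
    # The security job is not a prerequisite: builds proceed even when
    # govulncheck fails.
    needs: [test, lint]
    strategy:
      matrix:
        goos: [linux, darwin, windows]
        goarch: [amd64, arm64]
        exclude:
          - goos: windows
            goarch: arm64
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-deps
        with:
          token: ${{ github.token }}
      - name: Build
        # Expressions are passed through env rather than expanded inside the
        # script text, so the shell only ever sees quoted variables.
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
          CGO_ENABLED: "0"
          VERSION: ${{ github.sha }}
          EXT: ${{ matrix.goos == 'windows' && '.exe' || '' }}
        run: |
          go build -ldflags "-s -w -X main.Version=${VERSION}" \
            -o "hawk-${GOOS}-${GOARCH}${EXT}" .
      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: hawk-${{ matrix.goos }}-${{ matrix.goarch }}
          path: hawk-*

  benchmark:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-deps
        with:
          token: ${{ github.token }}
      - name: Run benchmarks
        # pipefail: without it the pipeline's status is tee's, so a failing
        # `go test` would be reported as a successful step.
        run: |
          set -o pipefail
          go test ./... -bench=. -benchmem -count=3 -timeout=300s | tee bench.txt
      - name: Upload benchmark results
        uses: actions/upload-artifact@v4
        with:
          name: benchmarks
          path: bench.txt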