fix: exclude errcheck from high-churn directories in golangci config #184
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Canonical CI workflow for hawk-eco Go repos. | |
| # Source of truth: .shared-templates/workflows/go-ci.yml.tmpl | |
| # | |
| # Two deployment models: | |
| # | |
| # 1. NOW — render this template inline into each repo's | |
| # .github/workflows/ci.yml. Every repo has identical content. | |
| # | |
| # 2. LATER — once GrayCodeAI/.github exists as a central repo, move this | |
| # file to GrayCodeAI/.github/.github/workflows/go-ci.yml with | |
| # `on: workflow_call:`. Each repo's ci.yml becomes a 5-line caller: | |
| # | |
| # name: CI | |
| # on: { push: { branches: [main] }, pull_request: } | |
| # jobs: | |
| # ci: | |
| # uses: GrayCodeAI/.github/.github/workflows/go-ci.yml@main | |
| name: CI | |
| on: | |
| push: | |
| branches: [main, dev] | |
| pull_request: | |
| branches: [main, dev] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ci-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| GO_VERSION: "1.26.3" | |
| jobs: | |
| # ------------------------------------------------------------------------- | |
| # Format + vet — fastest, fail fast. | |
| # ------------------------------------------------------------------------- | |
| fmt-vet: | |
| name: fmt + vet | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: gofumpt diff | |
| run: | | |
| go install mvdan.cc/gofumpt@latest | |
| out=$(gofumpt -l .) | |
| if [ -n "$out" ]; then | |
| echo "::error::gofumpt would reformat the following files:" | |
| echo "$out" | |
| exit 1 | |
| fi | |
| - name: go vet | |
| run: go vet ./... | |
| # ------------------------------------------------------------------------- | |
| # Lint — golangci-lint covers most static checks. | |
| # ------------------------------------------------------------------------- | |
| lint: | |
| name: lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - uses: golangci/golangci-lint-action@v7 | |
| with: | |
| version: v2.1.0 | |
| install-mode: goinstall | |
| verify: false | |
| args: --timeout=5m | |
| # ------------------------------------------------------------------------- | |
| # Tests with race detector + coverage upload. | |
| # ------------------------------------------------------------------------- | |
| test: | |
| name: test (race + cover) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Tidy check | |
| run: | | |
| go mod tidy | |
| if ! git diff --quiet; then | |
| echo "::error::go.mod / go.sum out of date — run 'go mod tidy' and commit" | |
| git diff | |
| exit 1 | |
| fi | |
| - name: Test | |
| run: go test ./... -race -count=1 -coverprofile=coverage.out -covermode=atomic -timeout=180s | |
| - name: Coverage summary | |
| run: go tool cover -func=coverage.out | tail -1 | |
| - name: Upload coverage | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage | |
| path: coverage.out | |
| # ------------------------------------------------------------------------- | |
| # Security scan — vulnerability database + (optional) gosec. | |
| # ------------------------------------------------------------------------- | |
| security: | |
| name: security | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: govulncheck | |
| run: | | |
| go install golang.org/x/vuln/cmd/govulncheck@latest | |
| govulncheck ./... | |
| - name: gosec (advisory) | |
| continue-on-error: true | |
| run: | | |
| go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| gosec -exclude=G104,G301,G302,G304,G306 ./... | |
| # ------------------------------------------------------------------------- | |
| # Cross-platform build matrix — only for repos that produce a binary. | |
| # Repos that are pure libraries can keep this job (it'll just `go build ./...`) | |
| # or remove it locally. | |
| # ------------------------------------------------------------------------- | |
| build: | |
| name: build (${{ matrix.goos }}/${{ matrix.goarch }}) | |
| runs-on: ubuntu-latest | |
| needs: [fmt-vet, lint, test] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| goos: [linux, darwin, windows] | |
| goarch: [amd64, arm64] | |
| exclude: | |
| - goos: windows | |
| goarch: arm64 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| cache: true | |
| - name: Build | |
| env: | |
| GOOS: ${{ matrix.goos }} | |
| GOARCH: ${{ matrix.goarch }} | |
| CGO_ENABLED: "0" | |
| run: go build ./... |