@@ -128,7 +128,7 @@ jobs:
128128 - name : Run golangci-lint
129129 run : |
130130 go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.0
131- golangci-lint run --timeout=5m --disable=noctx
131+ golangci-lint run --timeout=5m
132132
133133 # -------------------------------------------------------------------------
134134 # 5. Tests — race detector, coverage threshold, test shuffling.
@@ -155,8 +155,8 @@ jobs:
155155 echo "COVERAGE=${coverage}" >> "$GITHUB_ENV"
156156 - name : Coverage threshold (minimum 50%)
157157 run : |
158- if (( $(echo "${COVERAGE} < 50 " | bc -l) )); then
159- echo "::error::Coverage ${COVERAGE}% is below minimum 50 %"
158+ if (( $(echo "${COVERAGE} < 60 " | bc -l) )); then
159+ echo "::error::Coverage ${COVERAGE}% is below minimum 60 %"
160160 exit 1
161161 fi
162162 - name : Upload coverage
@@ -216,12 +216,12 @@ jobs:
216216 cache : true
217217 - name : govulncheck
218218 run : |
219- go install golang.org/x/vuln/cmd/govulncheck@latest
219+ go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
220220 govulncheck ./...
221221 - name : gosec (report only)
222222 continue-on-error : true
223223 run : |
224- go install github.com/securego/gosec/v2/cmd/gosec@latest
224+ go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
225225 gosec -exclude=G104,G703,G704,G101,G107,G112,G114,G115,G201,G202,G203,G204,G301,G302,G304,G305,G306,G307,G401,G402,G403,G404,G501,G502,G503,G504,G505,G601,G602 -confidence=medium -severity=high ./...
226226
227227 # -------------------------------------------------------------------------
@@ -264,7 +264,7 @@ jobs:
264264 cache : true
265265 - name : deadcode
266266 run : |
267- go install golang.org/x/tools/cmd/deadcode@latest
267+ go install golang.org/x/tools/cmd/deadcode@v0.30.0
268268 deadcode ./... 2>&1 | head -50
269269
270270 # -------------------------------------------------------------------------
@@ -323,6 +323,31 @@ jobs:
323323 fi
324324 rm -f /tmp/hawk-bin
325325
326+ # -------------------------------------------------------------------------
327+ # Fuzz — short corpus runs to catch panics in fuzz targets.
328+ # -------------------------------------------------------------------------
329+ fuzz :
330+ name : fuzz (60s)
331+ runs-on : ubuntu-latest
332+ needs : [test]
333+ steps :
334+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
335+ - uses : ./.github/actions/checkout-eyrie
336+ with :
337+ ref : ${{ github.head_ref || github.ref_name }}
338+ - uses : actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
339+ with :
340+ go-version : ${{ env.GO_VERSION }}
341+ cache : true
342+ - name : Run fuzz targets
343+ run : |
344+ go test -fuzz=FuzzScanForAIComments -fuzztime=60s ./cmd/... || true
345+ go test -fuzz=FuzzValidateSettings -fuzztime=60s ./internal/config/... || true
346+ go test -fuzz=FuzzIsSuspicious -fuzztime=60s ./internal/tool/... || true
347+ go test -fuzz=FuzzIsSafeGitCommit -fuzztime=60s ./internal/tool/... || true
348+ go test -fuzz=FuzzParseMessage -fuzztime=60s ./internal/session/... || true
349+ go test -fuzz=FuzzParseSessionMeta -fuzztime=60s ./internal/session/... || true
350+
326351 # -------------------------------------------------------------------------
327352 # 10. Smoke — build hawk and verify ecosystem CLI wiring.
328353 # -------------------------------------------------------------------------