ci: optimize CI/CD with lint and security scans

devfeel · devfeel · commit c120159f896c · 2026-03-05T15:54:55.000+08:00
- Add .golangci.yml with progressive configuration
- Update test.yml to include golangci-lint (continue-on-error: true)
- Add security.yml for vulnerability scanning (govulncheck, gosec)
- Remove legacy go.yml workflow

The initial setup uses continue-on-error to not block CI.
Issues will be fixed gradually before enabling strict mode.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,54 @@
+name: Security
+
+on:
+  push:
+    branches: [ aicode, master, develop ]
+  pull_request:
+    branches: [ aicode, master ]
+  schedule:
+    # 每周一早上 6:00 UTC 运行
+    - cron: '0 6 * * 1'
+
+jobs:
+  govulncheck:
+    name: Vulnerability Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck
+        run: govulncheck ./...
+
+  gosec:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
+        # 渐进式：初期不阻塞 CI，后续修复问题后再强制
+        continue-on-error: true
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -7,9 +7,29 @@ on:
     branches: [ aicode, master ]
 
 jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+        # 渐进式：初期不阻塞 CI，后续修复问题后再强制
+        continue-on-error: true
+
   test:
     name: Test with Go ${{ matrix.go-version }}
     runs-on: ubuntu-latest
+    needs: lint
     strategy:
       matrix:
         go-version: ['1.21', '1.22', '1.23']
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,58 @@
+# golangci-lint configuration
+# 渐进式配置：初期宽松，逐步收紧
+
+run:
+  timeout: 5m
+  skip-dirs:
+    - examples
+  skip-files:
+    - ".*_test\\.go$"
+
+linters:
+  enable:
+    - errcheck
+    - gosimple
+    - govet
+    - ineffassign
+    - staticcheck
+    - unused
+    - typecheck
+    - gocritic
+    - misspell
+
+linters-settings:
+  errcheck:
+    check-type-assertions: false
+    check-blank: false
+
+  gocritic:
+    disabled-checks:
+      - ifElseChain
+      - singleCaseSwitch
+
+issues:
+  # 初期不阻塞 CI，后续修复后再强制
+  max-issues-per-linter: 0
+  max-same-issues: 0
+  
+  exclude-rules:
+    # 测试文件放宽要求
+    - path: _test\.go
+      linters:
+        - errcheck
+    
+    # examples 目录放宽要求
+    - path: examples/
+      linters:
+        - errcheck
+    
+    # 忽略已知问题的文件
+    - path: "test/.*"
+      linters:
+        - errcheck
+
+output:
+  formats:
+    - format: colored-line-number
+  print-issued-lines: true
+  print-linter-name: true
