|
| 1 | +# CLAUDE.md |
| 2 | + |
| 3 | +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. |
| 4 | + |
| 5 | +## Repository Overview |
| 6 | + |
| 7 | +This repository provides shared, reusable GitHub Actions workflows for the go-openapi organization. The workflows are designed to be called from other go-openapi repositories to standardize CI/CD processes across the entire project family. |
| 8 | + |
| 9 | +## Testing & Development Commands |
| 10 | + |
| 11 | +### Running Tests |
| 12 | +```bash |
| 13 | +# Run all unit tests with coverage |
| 14 | +gotestsum --jsonfile 'unit.report.json' -- -race -p 2 -count 1 -timeout=20m -coverprofile='unit.coverage.out' -covermode=atomic -coverpkg="$(go list)"/... ./... |
| 15 | + |
| 16 | +# Run a single test |
| 17 | +go test -v -run TestName ./path/to/package |
| 18 | + |
| 19 | +# Run tests locally (as CI would) |
| 20 | +# Uses the local-* workflows which mirror how other repos consume these workflows |
| 21 | +``` |
| 22 | + |
| 23 | +### Linting |
| 24 | +```bash |
| 25 | +# Run golangci-lint (uses .golangci.yml configuration) |
| 26 | +golangci-lint run |
| 27 | + |
| 28 | +# The linter configuration is highly customized with many linters disabled |
| 29 | +# to match go-openapi's established code style |
| 30 | +``` |
| 31 | + |
| 32 | +### Fuzz Testing |
| 33 | +```bash |
| 34 | +# List available fuzz tests across all packages |
| 35 | +go test -list Fuzz ./... |
| 36 | + |
| 37 | +# Run a specific fuzz test for 1m30s |
| 38 | +go test -fuzz=FuzzTestName -fuzztime=1m30s ./path/to/package |
| 39 | + |
| 40 | +# Fuzz corpus is cached in $(go env GOCACHE)/fuzz |
| 41 | +``` |
| 42 | + |
| 43 | +## Architecture & Design |
| 44 | + |
| 45 | +### Workflow Types |
| 46 | + |
| 47 | +This repository contains two types of workflows: |
| 48 | + |
| 49 | +1. **Shared Workflows** (called by other repos): |
| 50 | + - `go-test.yml` - Complete test pipeline with linting, unit tests, fuzz tests, coverage |
| 51 | + - `auto-merge.yml` - Auto-approves and merges dependabot and bot PRs |
| 52 | + - `bump-release.yml` - Manually triggered release workflow (creates signed tags) |
| 53 | + - `tag-release.yml` - Release workflow triggered by pushing tags |
| 54 | + - `release.yml` - Common release building workflow (called by other release workflows) |
| 55 | + - `codeql.yml` - CodeQL security scanning for Go and GitHub Actions |
| 56 | + - `scanner.yml` - Trivy and govulncheck vulnerability scanning |
| 57 | + - `contributors.yml` - Automatically updates CONTRIBUTORS.md |
| 58 | + - `collect-coverage.yml` - Collects and publishes coverage to codecov |
| 59 | + - `collect-reports.yml` - Collects and publishes test reports |
| 60 | + - `fuzz-test.yml` - Orchestrates fuzz testing with cached corpus |
| 61 | + |
| 62 | +2. **Local Test Workflows** (prefixed with `local-*`): |
| 63 | + - These workflows test the shared workflows within this repository |
| 64 | + - They mimic how consuming repos would invoke the shared workflows |
| 65 | + - Example: `local-go-test.yml` calls `./.github/workflows/go-test.yml` |
| 66 | + |
| 67 | +### How Shared Workflows Are Used |
| 68 | + |
| 69 | +Other go-openapi repos consume these workflows like: |
| 70 | + |
| 71 | +```yaml |
| 72 | +jobs: |
| 73 | + test: |
| 74 | + uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@master |
| 75 | + secrets: inherit |
| 76 | +``` |
| 77 | +
|
| 78 | +Recommended practice: pin to a commit SHA and let dependabot update it: |
| 79 | +```yaml |
| 80 | +uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@b28a8b978a5ee5b7f4241ffafd6cc6163edb5dfd # v0.1.0 |
| 81 | +``` |
| 82 | +
|
| 83 | +### Fuzz Test Architecture |
| 84 | +
|
| 85 | +Fuzz testing has a unique multi-stage design due to Go's limitation that `go test -fuzz` cannot run across multiple packages: |
| 86 | + |
| 87 | +1. **fuzz-matrix job**: Discovers all fuzz tests using `go test -list Fuzz -json` and creates a matrix |
| 88 | +2. **fuzz-test job**: Runs each discovered fuzz test in parallel with: |
| 89 | + - Cached corpus stored in GitHub Actions cache (max 250MB) |
| 90 | + - Automatic cache purging to maintain size limits |
| 91 | + - Failed corpus uploaded as artifacts for 60 days |
| 92 | + - Default fuzz time: 1m30s, minimize time: 5m |
| 93 | + |
| 94 | +### Release Process |
| 95 | + |
| 96 | +Releases can be triggered in two ways: |
| 97 | + |
| 98 | +1. **Manual bump** via `bump-release.yml`: |
| 99 | + - Select patch/minor/major bump |
| 100 | + - Creates GPG-signed tag using bot credentials |
| 101 | + - Triggers release build automatically |
| 102 | + |
| 103 | +2. **Direct tag push** via `tag-release.yml`: |
| 104 | + - Push a semver tag (signed tags preferred) |
| 105 | + - Tag message is prepended to release notes |
| 106 | + - Triggers release build |
| 107 | + |
| 108 | +Release notes are generated using [git-cliff](https://git-cliff.org/) with configuration in `.cliff.toml`. |
| 109 | + |
| 110 | +### Auto-merge Logic |
| 111 | + |
| 112 | +The `auto-merge.yml` workflow handles two bot types: |
| 113 | +- **dependabot[bot]**: Auto-approves all PRs, auto-merges only development-dependencies group |
| 114 | +- **bot-go-openapi[bot]**: Auto-approves and auto-merges all PRs (for contributor updates, etc.) |
| 115 | + |
| 116 | +## Key Configuration Files |
| 117 | + |
| 118 | +- `.golangci.yml` - Linter configuration (many linters disabled to match go-openapi style) |
| 119 | +- `.cliff.toml` - Release notes generation configuration |
| 120 | +- `.github/dependabot.yaml` - Dependency update configuration |
| 121 | +- `go.mod` - Requires Go 1.24.0 |
| 122 | + |
| 123 | +## Important Notes |
| 124 | + |
| 125 | +- All workflow action versions are pinned to commit SHAs for security |
| 126 | +- Permissions are explicitly granted at job level to follow least-privilege principle |
| 127 | +- This repo itself uses minimal Go code (just sample tests); it's primarily YAML workflows |
| 128 | +- The `local-*` workflows serve as both tests and documentation of proper usage |
0 commit comments