Fix lint CI #363

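name: CI Pipeline

# NOTE(security): every `uses:` below is pinned to a moving tag (v4, v5, v6,
# v0), and the scanners are installed with `go install ...@latest`,
# `version: latest`, or a curl-pipe of the install script from the `main`
# branch. A compromised or force-pushed tag/branch would run arbitrary code
# with this workflow's token. Pin each action to a full commit SHA and each
# tool to a release version before relying on this pipeline for release
# gating; the concrete pins must be taken from the upstream releases, so they
# are left as TODOs here rather than guessed.
on:
  push:
    # `*` does not match `/`, so branches such as `feature/x` do not trigger;
    # use `"**"` if they should. Same-repo PRs also run twice (push + PR).
    # Confirm which is intended before changing either.
    branches: ["*"]
  pull_request:
    branches: ["*"]

# Least-privilege default for GITHUB_TOKEN: jobs that only build or test get a
# read-only token instead of the repository default. Jobs that upload SARIF
# declare their own permission set below, which replaces this one for that job.
permissions:
  contents: read

env:
  GO_VERSION: "1.25.5"

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      - name: Install dependencies
        run: go mod download
      - name: Run unit tests
        run: go test -v -race -coverprofile=coverage.out ./...
      # No upload token is passed; presumably this repository is public and
      # uses tokenless upload -- confirm, otherwise uploads fail silently here
      # because fail_ci_if_error is not set.
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v4
        with:
          file: ./coverage.out
          flags: unittests
          name: codecov-umbrella

  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      # Discards the build and module caches that setup-go just restored, so
      # the linter always starts cold. Kept as-is (it looks like the "Fix lint
      # CI" change -- confirm), but it makes `cache: true` above a no-op for
      # this job.
      - name: Clean Go build cache
        run: go clean -cache -modcache
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
          args: --timeout=5m

  # Security vulnerability scanning
  security-scan:
    runs-on: ubuntu-latest
    name: Security Vulnerability Scan
    permissions:
      actions: read
      contents: read
      security-events: write # required by codeql-action/upload-sarif
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      - name: Install dependencies
        run: go mod download
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck and generate SARIF
        shell: bash
        run: |
          set -euo pipefail
          echo "Current directory: $(pwd)"
          echo "Files in current directory:"
          ls -la

          # govulncheck exits non-zero (3) when it reports vulnerabilities.
          # Under the `-e` shell the original script aborted right after the
          # SARIF run in exactly that case, so vuln.json and the count below
          # were never produced when they mattered. Treat 3 as "findings" and
          # any other non-zero status as a tool failure.
          run_govulncheck() {
            local rc=0
            govulncheck "$@" || rc=$?
            if [ "$rc" -ne 0 ] && [ "$rc" -ne 3 ]; then
              echo "::error::govulncheck failed with exit code $rc" >&2
              exit "$rc"
            fi
          }
          run_govulncheck -format=sarif ./... > govulncheck-results.sarif
          run_govulncheck -json ./... > vuln.json

          # `-json` emits a stream of objects, not an array: without `-s` the
          # filter ran once per object and printed one "0" per line, which
          # `[ -gt ]` cannot compare (so the "no vulnerabilities" branch was
          # always taken). Slurp first, then count distinct OSV ids among the
          # findings that carry a call trace.
          count=$(jq -s '[.[] | select(.finding != null and .finding.trace != null) | .finding.osv] | unique | length' vuln.json 2>/dev/null || echo 0)
          echo "Found $count vulnerabilities"
          if [ "$count" -gt 0 ]; then
            echo "⚠️ Vulnerabilities found by govulncheck (see Security tab for details)"
            echo "::warning::$count vulnerabilities found by govulncheck"
            # Fail the step so the run shows a visible marker; the job still
            # passes because of continue-on-error below. Tighten to a hard
            # failure once the current findings are triaged.
            exit 1
          else
            echo "✅ No vulnerabilities found by govulncheck"
          fi
        # Findings never gate `build` (which `needs:` this job) -- a policy
        # decision left unchanged here, but worth revisiting.
        continue-on-error: true
      - name: Clean SARIF file (remove duplicate tags)
        if: always()
        run: |
          # Remove duplicate tags from SARIF rules to fix validation errors on
          # upload. `arrays` skips rules without a tag list instead of making
          # jq fail on null; the existence check keeps this step green when the
          # scan produced no file (the upload below is then skipped as well).
          [ -f govulncheck-results.sarif ] || { echo "no govulncheck SARIF to clean"; exit 0; }
          jq '(.runs[]?.tool.driver.rules[]?.properties.tags | arrays) |= unique' \
            govulncheck-results.sarif > govulncheck-results-clean.sarif
          mv govulncheck-results-clean.sarif govulncheck-results.sarif
          echo "✅ Cleaned govulncheck SARIF file"
      # On pull_request runs from forks the token has no security-events:
      # write, so this upload fails for those PRs -- decide whether to skip it
      # there or accept the red step.
      - name: Upload govulncheck results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always() && hashFiles('govulncheck-results.sarif') != ''
        with:
          sarif_file: govulncheck-results.sarif
          category: govulncheck
      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
      # G304 (file path taken from a variable) is suppressed for the whole
      # tree; review that exclusion periodically rather than letting it hide
      # new path-handling code. gosec exits non-zero when it reports issues,
      # which is why continue-on-error is set.
      - name: Run gosec security scanner
        run: |
          gosec -fmt sarif -out gosec-results.sarif -exclude G304 ./...
        continue-on-error: true
      - name: Clean gosec SARIF file (remove duplicate tags)
        if: always()
        run: |
          # Same dedupe as for govulncheck; see the comment there.
          [ -f gosec-results.sarif ] || { echo "no gosec SARIF to clean"; exit 0; }
          jq '(.runs[]?.tool.driver.rules[]?.properties.tags | arrays) |= unique' \
            gosec-results.sarif > gosec-results-clean.sarif
          mv gosec-results-clean.sarif gosec-results.sarif
          echo "✅ Cleaned gosec SARIF file"
      - name: Upload gosec results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always() && hashFiles('gosec-results.sarif') != ''
        with:
          sarif_file: gosec-results.sarif
          category: gosec

  # CodeQL Analysis
  codeql-analysis:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write # required by codeql-action/analyze to upload results
    strategy:
      fail-fast: false
      matrix:
        language: ["go"]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      - name: Install dependencies
        run: go mod download
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          # `+` keeps the default query suite and adds the extended one.
          queries: +security-and-quality
      # Explicit build so the database covers exactly the two shipped
      # binaries; packages not reachable from these entry points are not
      # analyzed.
      - name: Build for CodeQL
        run: |
          go build -v ./cmd/mpcium
          go build -v ./cmd/mpcium-cli
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{matrix.language}}"

  # SBOM Generation
  sbom:
    runs-on: ubuntu-latest
    name: Generate SBOM
    permissions:
      actions: read
      contents: read
      security-events: write # required for the Grype SARIF upload below
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      - name: Install dependencies
        run: go mod download
      # Binaries are built into the working tree so the directory-based SBOM
      # and Grype scans below pick them up alongside the sources.
      - name: Build binaries
        run: |
          go build -o mpcium ./cmd/mpcium
          go build -o mpcium-cli ./cmd/mpcium-cli
      # This first step keeps sbom-action's own artifact upload enabled (the
      # default), so sbom-spdx.json is published twice: here and in the
      # combined `sbom-files` artifact below. Harmless, but intentional?
      - name: Generate SBOM with anchore/sbom-action (SPDX-JSON)
        uses: anchore/sbom-action@v0
        with:
          artifact-name: sbom-spdx.json
          output-file: sbom.spdx.json
          format: spdx-json
      - name: Generate SBOM with anchore/sbom-action (CycloneDX)
        uses: anchore/sbom-action@v0
        with:
          artifact-name: sbom-cyclonedx.json
          output-file: sbom.cyclonedx.json
          format: cyclonedx-json
          upload-artifact: false
      - name: Generate SBOM with anchore/sbom-action (Syft JSON)
        uses: anchore/sbom-action@v0
        with:
          artifact-name: sbom-syft.json
          output-file: sbom.syft.json
          format: syft-json
          upload-artifact: false
      - name: Upload all SBOM artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom-files
          path: |
            sbom.spdx.json
            sbom.cyclonedx.json
            sbom.syft.json
          retention-days: 30
      # TODO(security): this pipes an unpinned script from a mutable branch
      # into sh. The installer accepts a release version as its last argument;
      # pin one (and verify its checksum) instead of tracking `main`.
      - name: Install Grype
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
      # Keep SBOM generation & artifact upload as-is (no SARIF upload from SBOM)
      # Without --fail-on, grype exits 0 regardless of what it finds, so
      # continue-on-error here only covers tool/database failures; findings
      # surface in the Security tab only.
      - name: Grype SARIF (directory scan)
        run: |
          grype dir:. -o sarif --file grype-results.sarif
        continue-on-error: true
      - name: Upload Grype results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always() && hashFiles('grype-results.sarif') != ''
        with:
          sarif_file: grype-results.sarif
          category: grype
      - name: Display SBOM summary
        run: |
          echo "📦 SBOM Generation Summary"
          echo "========================="
          echo "Generated SBOM files:"
          ls -la sbom.*
          echo ""
          echo "SBOM package count:"
          echo "SPDX: $(jq '.packages | length' sbom.spdx.json)"
          echo "CycloneDX: $(jq '.components | length' sbom.cyclonedx.json)"
          echo "Syft: $(jq '.artifacts | length' sbom.syft.json)"

  build:
    runs-on: ubuntu-latest
    # The scanner jobs are prerequisites, but each of them marks its findings
    # with continue-on-error, so only tool failures -- never findings -- block
    # this build.
    needs: [test, lint, security-scan, codeql-analysis, sbom]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      - name: Build mpcium
        run: go build -v ./cmd/mpcium
      - name: Build mpcium-cli
        run: go build -v ./cmd/mpcium-cli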