# CI for Go services on Gitea Actions. # `shared` always runs; `test` and `image` activate when go.sum lands. name: ci on: pull_request: branches: [main] push: branches: [main] jobs: shared: runs-on: docker steps: - uses: actions/checkout@v4 with: { fetch-depth: 0 } - name: commitlint (PR only) if: github.event_name == 'pull_request' shell: bash env: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | set -euo pipefail pattern='^(feat|fix|docs|chore|refactor|test|perf|build|ci|revert)(\([a-z0-9_/.-]+\))?!?: .{1,72}$' bad=0 while IFS= read -r subject; do if ! [[ "$subject" =~ $pattern ]]; then echo "::error::Commit subject does not match Conventional Commits: $subject" bad=$((bad+1)) fi done < <(git log --format=%s "${BASE_SHA}..${HEAD_SHA}") if [ "$bad" -gt 0 ]; then echo "::error::$bad commit(s) failed commitlint." exit 1 fi echo "commitlint: OK" - name: gitleaks shell: bash run: | set -euo pipefail GL_VERSION=8.18.4 curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz" \ | tar -xz -C /tmp gitleaks /tmp/gitleaks detect --source . --no-banner --redact --verbose --exit-code 1 - name: trivy fs scan shell: bash run: | set -euo pipefail TRIVY_VERSION=0.70.0 curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \ | tar -xz -C /tmp trivy /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --skip-dirs node_modules,target,dist . test: runs-on: docker steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: { go-version: '1.24' } - name: fmt run: test -z "$(gofmt -l .)" - name: vet run: go vet ./... - name: lint uses: golangci/golangci-lint-action@v7 # Pin to a version built on Go 1.25 — the runner's bundled tool # is Go 1.24 and refuses to lint a 1.25 module. with: { version: v2.12.2 } - name: test # Test runs the packages that HAVE test files (server, config). The # store package is exercised end-to-end via the server's eachStore # harness against both Memory and Postgres, so we don't need its # own test binary — and including it triggers a covdata-tool error # on packages with no _test.go files. -coverpkg makes the server's # exercise of store/* count toward coverage. run: go test -race -coverpkg=./internal/... -coverprofile=cover.out ./internal/server/... ./internal/config/... ./internal/keycloak/... - name: coverage gate run: | go tool cover -func=cover.out | tail -1 | awk '{ if ($3+0 < 70.0) { print "coverage below 70%"; exit 1 } }' - name: build run: go build ./... image: # Mirrors the portal CI pattern (platform/portal PR #14): push to # registry.meghsakha.com, then POST a github-style payload signed # with HMAC-SHA256 to the orca webhook on the master. Master matches # on repo+branch and redeploys the breakpilot-tenant-registry service. needs: [shared, test] if: github.event_name == 'push' && github.ref == 'refs/heads/main' && hashFiles('Dockerfile') != '' runs-on: docker steps: - uses: actions/checkout@v4 - uses: docker/login-action@v3 with: registry: registry.meghsakha.com username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_PASS }} - uses: docker/build-push-action@v6 with: push: true tags: | registry.meghsakha.com/breakpilot/tenant-registry:latest registry.meghsakha.com/breakpilot/tenant-registry:sha-${{ github.sha }} - name: trigger orca redeploy env: ORCA_WEBHOOK_SECRET: ${{ secrets.ORCA_WEBHOOK_SECRET }} run: | BODY='{"repository":{"full_name":"platform/tenant-registry"},"ref":"refs/heads/main"}' SIG="sha256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$ORCA_WEBHOOK_SECRET" -hex | awk '{print $NF}')" curl -ksSf -X POST \ -H "Content-Type: application/json" \ -H "X-GitHub-Event: push" \ -H "X-Hub-Signature-256: $SIG" \ -d "$BODY" \ https://46.225.100.82:6880/api/v1/webhooks/github