# CI for Go services on Gitea Actions. # `shared` always runs; `test` and `image` activate when go.sum lands. name: ci on: pull_request: branches: [main] push: branches: [main] jobs: shared: runs-on: docker steps: - uses: actions/checkout@v4 with: { fetch-depth: 0 } - name: commitlint (PR only) if: github.event_name == 'pull_request' shell: bash env: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | set -euo pipefail pattern='^(feat|fix|docs|chore|refactor|test|perf|build|ci|revert)(\([a-z0-9_/.-]+\))?!?: .{1,72}$' bad=0 while IFS= read -r subject; do if ! [[ "$subject" =~ $pattern ]]; then echo "::error::Commit subject does not match Conventional Commits: $subject" bad=$((bad+1)) fi done < <(git log --format=%s "${BASE_SHA}..${HEAD_SHA}") if [ "$bad" -gt 0 ]; then echo "::error::$bad commit(s) failed commitlint." exit 1 fi echo "commitlint: OK" - name: gitleaks shell: bash run: | set -euo pipefail GL_VERSION=8.18.4 curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz" \ | tar -xz -C /tmp gitleaks /tmp/gitleaks detect --source . --no-banner --redact --verbose --exit-code 1 - name: trivy fs scan shell: bash run: | set -euo pipefail TRIVY_VERSION=0.70.0 curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \ | tar -xz -C /tmp trivy /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --skip-dirs node_modules,target,dist . test: runs-on: docker steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: { go-version: '1.24' } - name: fmt run: test -z "$(gofmt -l .)" - name: vet run: go vet ./... - name: lint uses: golangci/golangci-lint-action@v7 # Pin to a version built on Go 1.25 — the runner's bundled tool # is Go 1.24 and refuses to lint a 1.25 module. with: { version: v2.12.2 } - name: test # Test runs the packages that HAVE test files (server, config). The # store package is exercised end-to-end via the server's eachStore # harness against both Memory and Postgres, so we don't need its # own test binary — and including it triggers a covdata-tool error # on packages with no _test.go files. -coverpkg makes the server's # exercise of store/* count toward coverage. run: go test -race -coverpkg=./internal/... -coverprofile=cover.out ./internal/server/... ./internal/config/... ./internal/keycloak/... - name: coverage gate run: | go tool cover -func=cover.out | tail -1 | awk '{ if ($3+0 < 70.0) { print "coverage below 70%"; exit 1 } }' - name: build run: go build ./... image: needs: [shared, test] if: github.event_name == 'push' && github.ref == 'refs/heads/main' && hashFiles('Dockerfile') != '' runs-on: docker steps: - uses: actions/checkout@v4 - uses: docker/login-action@v3 with: registry: registry.breakpilot.com username: ${{ secrets.REGISTRY_USER }} password: ${{ secrets.REGISTRY_PASS }} - uses: docker/build-push-action@v6 with: push: true tags: | registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }} registry.breakpilot.com/${{ github.event.repository.name }}:env-stage - uses: anchore/sbom-action@v0 with: image: registry.breakpilot.com/${{ github.event.repository.name }}:sha-${{ github.sha }} - name: orca deploy stage run: orca apply --env=stage --image-tag=sha-${{ github.sha }} env: ORCA_TOKEN: ${{ secrets.ORCA_STAGE_TOKEN }}