Merged
87 changes: 43 additions & 44 deletions .github/workflows/test.yml
Expand Up @@ -37,9 +37,24 @@ jobs:
# the schema fetch is reliable again; track in this PR/branch discussion.
verify: false

test-unit:
name: Unit Tests
# Unit, E2E, integration, and contract suites share identical setup and
# differ only in the test command, so they run as one matrix.
go-tests:
name: ${{ matrix.name }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- name: Unit Tests
cmd: make test-race
coverage: true
- name: E2E Tests
cmd: go test -v -tags=e2e -timeout=5m ./tests/e2e/...
- name: Integration Tests
cmd: go test -v -tags=integration -timeout=10m ./tests/integration/...
- name: Contract Replay Tests
cmd: go test -v -tags=contract -timeout=5m ./tests/contract/...
steps:
- uses: actions/checkout@v6
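Review bot: the E2E, Integration and Contract Replay entries in the `include:` list omit the `coverage` key, so `matrix.coverage` is simply unset for them; that happens to work with the `if: matrix.coverage` guard later in this job, but adding `coverage: false` to each of those three entries makes the intent explicit and keeps a future copy-pasted entry from silently uploading a coverage file. Also worth stating in the PR description: the job id changes from `test-unit` to `go-tests`, so any `needs:` list in this or another workflow that named the old id must be updated, while `name: ${{ matrix.name }}` keeps the displayed check names unchanged.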

Expand All @@ -49,10 +64,11 @@ jobs:
go-version: ${{ env.GO_VERSION }}
cache: true

- name: Run unit tests
run: make test-race
- name: Run tests
run: ${{ matrix.cmd }}

- name: Upload coverage
if: matrix.coverage
uses: codecov/codecov-action@v7
with:
files: ./coverage.out
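Review bot: `if: matrix.coverage` relies on an absent key evaluating as falsy for the three non-unit entries; writing it as `if: matrix.coverage == true` makes the guard an explicit boolean comparison that cannot be tripped by a non-empty string value later. The upload targets `./coverage.out`, which only the unit entry is expected to produce, so this guard is load-bearing and deserves a one-line comment saying so.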
Expand All @@ -73,38 +89,8 @@ jobs:
- name: Run dashboard JavaScript tests
run: make test-dashboard

test-e2e:
name: E2E Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true

- name: Run E2E tests
run: go test -v -tags=e2e -timeout=5m ./tests/e2e/...

integration:
name: Integration Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
cache: true

- name: Run integration tests
run: go test -v -tags=integration -timeout=10m ./tests/integration/...

test-contract:
name: Contract Replay Tests
performance:
name: Performance Guard
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
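Review bot: this hunk deletes the `test-e2e`, `integration` and `test-contract` job ids; check the other files under .github/workflows for `needs:` entries naming them, because a stale reference fails workflow validation at parse time rather than only in the affected job. With three formerly independent jobs folded into one matrix, `fail-fast: false` in the matrix strategy is what preserves the old behaviour of every suite reporting its result even when one of them fails; keep it.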
Expand All @@ -115,12 +101,14 @@ jobs:
go-version: ${{ env.GO_VERSION }}
cache: true

- name: Run contract replay tests
run: go test -v -tags=contract -timeout=5m ./tests/contract/...
- name: Run hot-path performance guard
# Thresholds are maintained in tests/perf/hotpath_test.go.
run: make perf-check

performance:
name: Performance Guard
vulncheck:
name: Vulnerability Scan
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
coderabbitai[bot] marked this conversation as resolved.
- uses: actions/checkout@v6
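Review bot: `timeout-minutes: 10` is added on `vulncheck` only. The `go-tests` matrix bounds each `go test` invocation with `-timeout`, but `make test-race` and `make perf-check` have no bound at all and fall back to the 360-minute job default, so a hung test or benchmark holds a runner for six hours; add a job-level `timeout-minutes` to `go-tests` and `performance` as well.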

Expand All @@ -130,9 +118,16 @@ jobs:
go-version: ${{ env.GO_VERSION }}
cache: true
Comment on lines +113 to +119:
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden action references and disable credential persistence.

The static analysis tool flagged supply-chain security gaps: actions are not pinned to commit hashes and credentials are persisted to disk. In a PR adding supply-chain controls, these gaps should be addressed.

🔒 Hardening recommendations
  1. Pin actions to commit SHA hashes instead of tags to prevent tag-hijacking attacks
  2. Set persist-credentials: false to prevent the GITHUB_TOKEN from being accessible to malicious code
       steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6  # Pin to commit SHA: actions/checkout@<commit-hash>
+        with:
+          persist-credentials: false

       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v6  # Pin to commit SHA: actions/setup-go@<commit-hash>
         with:
           go-version: ${{ env.GO_VERSION }}
           cache: true
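Review bot: the suggested change leaves `uses: actions/checkout@v6` and `uses: actions/setup-go@v6` unchanged and only appends a comment to each, so applying it as shown pins nothing; the `@v6` itself must be replaced by the full commit SHA of the v6 release, with the tag kept as a trailing comment (`# v6`) so the version stays readable to humans and to dependency-update tooling. The `persist-credentials: false` addition is correct as written and should go in regardless of how the pinning is done.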

To get commit hashes: visit the action repository's releases page and copy the full commit SHA for the desired version.

Note: The same pattern exists throughout this workflow. Consider hardening all jobs in a follow-up PR to establish consistent supply-chain security practices.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 141-141: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 141-141: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 144-144: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml around lines 141 - 147, Pin the actions/checkout
and actions/setup-go actions to their full commit SHA hashes instead of version
tags (currently `@v6`) to prevent tag-hijacking attacks. Additionally, add
persist-credentials: false to the actions/checkout step to prevent the
GITHUB_TOKEN from being accessible to potentially malicious code. These changes
address the supply-chain security gaps flagged by static analysis tools.

Source: Linters/SAST tools


- name: Run hot-path performance guard
# Thresholds are maintained in tests/perf/hotpath_test.go.
run: make perf-check
# Scans the dependency graph against the Go vulnerability database,
# reporting only vulnerabilities reachable from our code. The second run
# covers the swagger-tagged production build (swagger_enabled.go), which
# the default tag set excludes. The tests/* suites behind e2e/integration/
# contract tags are deliberately skipped — they aren't in the shipped binary.
- name: Run govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@v1.3.0
govulncheck ./...
greptile-apps[bot] marked this conversation as resolved.
govulncheck -tags=swagger ./...
coderabbitai[bot] marked this conversation as resolved.

docs-validate:
name: Docs Validation
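Review bot: pinning govulncheck with `@v1.3.0` is the right call, since the module proxy and checksum database verify that download, but the checkout and setup-go steps in this same job still use tag references (`@v6`), which is exactly what the zizmor findings quoted in the comment thread above flag; pin both to full commit SHAs with the tag in a trailing comment and add `persist-credentials: false` to the checkout, because nothing in this job needs the token after checkout. Separately, the `run: |` script stops at the first failing command because the default shell runs with `-e`, so a finding in the default-tag scan hides the result of the `-tags=swagger` scan; splitting the two `govulncheck` invocations into two steps reports both in one run.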
Expand All @@ -153,10 +148,11 @@ jobs:
run: npx mint validate
working-directory: docs

# Compiling the binary doesn't depend on tests passing, so this runs in
# parallel with the test jobs rather than gating behind them.
build:
name: Build
runs-on: ubuntu-latest
needs: [lint, test-unit, test-dashboard, test-e2e, integration, test-contract, performance]
steps:
- uses: actions/checkout@v6
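Review bot: removing `needs:` from `build` decouples the `Build` check from every test job, so a green `Build` no longer implies that any suite passed; if branch protection currently requires only `Build`, it must now also require `Unit Tests`, `E2E Tests`, `Integration Tests`, `Contract Replay Tests`, `Performance Guard`, `Vulnerability Scan` and the lint and docs checks, otherwise this parallelisation quietly weakens the merge gate. The new comment explains the why; a pointer to that branch-protection requirement next to it would help the next reader.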

Expand All @@ -166,5 +162,8 @@ jobs:
go-version: ${{ env.GO_VERSION }}
cache: true

- name: Verify module integrity
run: go mod verify

- name: Build
run: go build -v ./cmd/gomodel
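Review bot: `go mod verify` checks the modules present in the local cache against go.sum, which is worthwhile here precisely because `cache: true` on setup-go restores that cache from an earlier run rather than fetching fresh; it does not consult the checksum database, so it complements GOSUMDB rather than replacing it. Consider running the same step in the `go-tests` matrix job, which compiles the same dependencies from the same restored cache.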