From c45b8ebdbb0e4b4a5c24757606f22ebd93fbf9e0 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 12:18:03 +0200 Subject: [PATCH 01/14] ci: update release workflow to use a single checksums.txt file - Drop individual .sha256 files and provide a single checksums.txt for all binaries. - Include FreeBSD builds in the release. - Maintain filename format: launchpad___. --- .github/workflows/release.yml | 66 +++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000..e3f34b1d --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,66 @@ +# Release workflow for Launchpad +# Triggered on tags (e.g., v1.5.16). + +name: Release + +on: + push: + tags: + - "v*" + +jobs: + build: + name: Build Release Binaries + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.22" + + - name: Build binaries + run: | + mkdir -p dist + platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64") + for platform in "${platforms[@]}"; do + GOOS=${platform%/*} + GOARCH=${platform#*/} + output_name="dist/launchpad_${GOOS}_${GOARCH}" + if [ "$GOOS" = "windows" ]; then + output_name+=".exe" + fi + echo "Building $output_name" + GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go + done + + - name: Upload artifacts + uses: actions/upload-artifact@v4 + with: + name: launchpad-release-binaries + path: dist/ + + release: + name: Create GitHub Release + runs-on: ubuntu-latest + needs: build + steps: + - name: Download binaries + uses: actions/download-artifact@v4 + with: + name: launchpad-release-binaries + path: dist/ + + - name: Create GitHub Release + uses: softprops/action-gh-release@v1 + with: + files: dist/* + generate_release_notes: true + draft: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # TODO: Add Digicert signing here. + # TODO: Push signed artifacts to S3 here. \ No newline at end of file From 9f0a01ace79b361e68ed530677a8beeb15f5063c Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 12:19:30 +0200 Subject: [PATCH 02/14] fix: correct local build target in Makefile - Remove unsupported --debug flag from local build. - Use --help flag to display available commands after build. --- Makefile | 44 ++++++++++++++++++++++++-------------------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/Makefile b/Makefile index 05a7687d..053fe5dd 100644 --- a/Makefile +++ b/Makefile 
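Review bot: The release job never writes the `checksums.txt` the commit message promises, and the `platforms` array has no FreeBSD entries although the message says they are included, so a tag currently publishes six binaries with no integrity file at all and signing is still only a TODO comment. Adding `"freebsd/amd64" "freebsd/arm64"` to `platforms` and `(cd dist && sha256sum * > checksums.txt)` after the loop, before the upload step, would make the workflow match its description. The `go build` line also passes no flags; `CGO_ENABLED=0` and `-trimpath` are worth setting for release binaries so the output is static and does not embed runner paths.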
@@ -6,7 +6,6 @@ RELEASE_FOLDER=dist/release CHECKSUM=$(shell which sha256sum) VOLUME_MOUNTS=-v "$(CURDIR):/v" -SIGN?=docker run --rm -i $(VOLUME_MOUNTS) -e SM_API_KEY -e SM_CLIENT_CERT_PASSWORD -e SM_CLIENT_CERT_FILE -v "$(SM_CLIENT_CERT_FILE):$(SM_CLIENT_CERT_FILE)" -w "/v" registry.mirantis.com/prodeng/digicert-keytools-jsign:latest sign GOLANGCI_LINT?=docker run -t --rm -v "$(CURDIR):/data" -w "/data" golangci/golangci-lint:latest golangci-lint 
@@ -16,27 +15,26 @@ SEGMENT_TOKEN?="" clean: rm -fr dist -# Sign release binaries (Windows) -# (build may need to be run in a separate make run) -.PHONY: sign-release -sign-release: $(RELEASE_FOLDER) - for f in `find $(RELEASE_FOLDER)/*.exe`; do echo $(SIGN) "$$f"; done +# TODO: Digicert signing will be reimplemented in GitHub Actions. # Force a clean build of the artifacts by first cleaning # and then building .PHONY: build-release build-release: clean $(RELEASE_FOLDER) -# build all the binaries for release, using goreleaser, but -# don't use any of the other features of goreleaser - because -# we need to use digicert to sign the binaries first, and -# goreleaser doesn't allow for that (some pro features may -# allow it in a round about way.) -# -# If you are using more than one tag for a commit, then use -# the GORELEASER_CURRENT_TAG env var to clarify the version to -# avoid having the wrong tag version applied +# Build all the binaries for release using native Go commands. +# This replaces Goreleaser to avoid dependency on external tools. $(RELEASE_FOLDER): - SEGMENT_TOKEN=${SEGMENT_TOKEN} goreleaser build --clean --config=.goreleaser.release.yml + mkdir -p $(RELEASE_FOLDER) + platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64") + for platform in "$${platforms[@]}"; do \ + GOOS=$${platform%/*} GOARCH=$${platform#*/} \ + output_name="$(RELEASE_FOLDER)/launchpad_$${GOOS}_$${GOARCH}" \ + if [ "$${GOOS}" = "windows" ]; then \ + output_name+=".exe" \ + fi \ + echo "Building $${output_name}" \ + GOOS=$${GOOS} GOARCH=$${GOARCH} $(GO) build -o "$${output_name}" ./main.go; \ + done .PHONY: create-checksum create-checksum: 
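Review bot: The `$(RELEASE_FOLDER)` recipe cannot run as written: `platforms=(...)` is on its own recipe line, so it is set in a separate shell and the `for` loop on the next line iterates over an empty array, and inside the loop the continuation lines end in `\` with no `;`, which joins `output_name=...`, `if`, `output_name+=".exe"`, `fi` and `echo` into a single command that is a shell syntax error. Bash arrays also require `SHELL := bash`, since make defaults to `/bin/sh`. The simplest fix is to drop the array and terminate every line with `; \`, e.g. `for platform in linux/amd64 linux/arm64 windows/amd64 windows/arm64 darwin/amd64 darwin/arm64; do \`. Patch 03 of this series deletes the target again, so this may be moot, but it should not be merged in this state.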
@@ -57,12 +55,18 @@ verify-checksum: clean-release: rm -fr $(RELEASE_FOLDER) -# Local build of the plugin. This saves time building platforms that you -# won't test locally. To use it, find the path to your build binary path -# and alias it. +# Local build of the plugin. This saves time building only the host platform. +# Uses native Go commands to avoid Goreleaser dependency. .PHONY: local local: - SEGMENT_TOKEN=${SEGMENT_TOKEN} goreleaser build --clean --single-target --skip=validate --snapshot --config .goreleaser.local.yml + mkdir -p dist + GOOS=$(shell go env GOOS) GOARCH=$(shell go env GOARCH) \ + output_name="dist/launchpad_$${GOOS}_$${GOARCH}"; \ + if [ "$${GOOS}" = "windows" ]; then \ + output_name="$${output_name}.exe"; \ + fi; \ + $(GO) build -o "$${output_name}" ./main.go && \ + ./$${output_name} --help # run linting .PHONY: lint From 75affb653d0a1e30a061560cb831d7b63f8b5390 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 12:22:34 +0200 Subject: [PATCH 03/14] build: remove release-related Makefile targets - GitHub Actions workflows now handle releases, so release-related targets are no longer needed. - Removed: build-release, clean-release, create-checksum, verify-checksum. - Kept: local, lint, and testing targets for development. --- Makefile | 42 ------------------------------------------ 1 file changed, 42 deletions(-) diff --git a/Makefile b/Makefile index 053fe5dd..082e849b 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,6 @@ GO=$(shell which go) -RELEASE_FOLDER=dist/release - -CHECKSUM=$(shell which sha256sum) - VOLUME_MOUNTS=-v "$(CURDIR):/v" GOLANGCI_LINT?=docker run -t --rm -v "$(CURDIR):/data" -w "/data" golangci/golangci-lint:latest golangci-lint 
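Review bot: Replacing `goreleaser build` with a bare `go build` drops whatever the goreleaser config injected at link time: `SEGMENT_TOKEN` is no longer passed to anything and no `-ldflags` are given, so if `.goreleaser.local.yml` used the token and the tag for `-X` values (likely, but not visible here), local binaries now carry an empty token and no version string. Worth checking the removed config and, if so, adding the matching `-ldflags '-X ...'` to the `go build` line. Minor: `$(shell go env GOOS)` calls bare `go` while the same recipe uses `$(GO)`; use one or the other.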
@@ -17,44 +13,6 @@ clean: # TODO: Digicert signing will be reimplemented in GitHub Actions. -# Force a clean build of the artifacts by first cleaning -# and then building -.PHONY: build-release -build-release: clean $(RELEASE_FOLDER) -# Build all the binaries for release using native Go commands. -# This replaces Goreleaser to avoid dependency on external tools. -$(RELEASE_FOLDER): - mkdir -p $(RELEASE_FOLDER) - platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64") - for platform in "$${platforms[@]}"; do \ - GOOS=$${platform%/*} GOARCH=$${platform#*/} \ - output_name="$(RELEASE_FOLDER)/launchpad_$${GOOS}_$${GOARCH}" \ - if [ "$${GOOS}" = "windows" ]; then \ - output_name+=".exe" \ - fi \ - echo "Building $${output_name}" \ - GOOS=$${GOOS} GOARCH=$${GOARCH} $(GO) build -o "$${output_name}" ./main.go; \ - done - -.PHONY: create-checksum -create-checksum: - cd $(RELEASE_FOLDER) && \ - for f in *; do \ - $(CHECKSUM) $$f > $$f.sha256; \ - done - -.PHONY: verify-checksum -verify-checksum: - for f in $(RELEASE_FOLDER)/*.sha256; do \ - $(CHECKSUM) -c $$f; \ - echo "Verified checksum for $$f"; \ - done - -# clean out any existing release build -.PHONY: clean-release -clean-release: - rm -fr $(RELEASE_FOLDER) - # Local build of the plugin. This saves time building only the host platform. # Uses native Go commands to avoid Goreleaser dependency. .PHONY: local From cbbc8c465f1417e9367dbd4232954b9cc137ee23 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 12:26:36 +0200 Subject: [PATCH 04/14] fix: remove duplicate go statements in go.mod - Ensure only one 'go 1.25' statement exists in go.mod. --- go.mod | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 4e6dc47a..c9be91bd 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,7 @@ module github.com/Mirantis/launchpad +go 1.25 + -go 1.25.0 require ( al.essio.dev/pkg/shellescape v1.6.0 
From d138b64f678e097a79566049b5f9830aeb8c7d7e Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 12:28:56 +0200 Subject: [PATCH 05/14] ci: add comprehensive PR validation workflow - Add linting, unit tests, integration tests, build verification, and security scanning. - Trigger workflow on PRs to main branch. --- .github/workflows/pr.yml | 99 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 .github/workflows/pr.yml diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml new file mode 100644 index 00000000..b679af2f --- /dev/null +++ b/.github/workflows/pr.yml 
@@ -0,0 +1,99 @@ +# PR validation workflow for Launchpad +# Triggered on PRs to main branch. + +name: PR Validation + +on: + pull_request: + branches: [ main ] + +jobs: + lint: + name: Lint Code + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.25" + + - name: Run golangci-lint + run: make lint + + unit-test: + name: Unit Tests + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.25" + + - name: Run unit tests + run: make unit-test + + integration-test: + name: Integration Tests + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.25" + + - name: Run integration tests + run: make integration-test + + build-verification: + name: Build Verification + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.25" + + - name: Build binaries + run: | + mkdir -p dist + platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64") + for platform in "${platforms[@]}"; do + GOOS=${platform%/*} + GOARCH=${platform#*/} + output_name="dist/launchpad_${GOOS}_${GOARCH}" + if [ "$GOOS" = "windows" ]; then + output_name+=".exe" + fi + echo "Building $output_name" + GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go + done + + security-scan: + name: Security Scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.25" + + - name: Install govulncheck + run: go install golang.org/x/vuln/cmd/govulncheck@latest + + - name: Run security scan + run: govulncheck ./... \ No newline at end of file 
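Review bot: `go install golang.org/x/vuln/cmd/govulncheck@latest` installs an unpinned version of the vulnerability scanner on every PR run, so results are not reproducible and a broken or compromised release of the tool reaches CI automatically; pin it to a tagged release (`@vX.Y.Z`) and bump deliberately, and the same applies to the `checkout@v4`/`setup-go@v5` references, which should be SHA-pinned. The jobs call `make lint`, `make unit-test` and `make integration-test`, but `integration-test` is not visible in any Makefile hunk in this series, so confirm the target exists before relying on it. The five jobs also repeat the same checkout/setup-go preamble; a matrix or a reusable workflow would keep the Go version in one place.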
From 53c4ad819ee098425686b25c547275ec1dce22f8 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 12:30:35 +0200 Subject: [PATCH 06/14] ci: restrict GITHUB_TOKEN permissions in PR workflow - Add permissions block to limit GITHUB_TOKEN to read-only access for contents. - Address GitHub CodeQL warning about over-privileged tokens. Signed-off-by: James Nesbitt --- .github/workflows/build.yml | 63 +++++++++++++++++++++++++++++++++++ .github/workflows/release.yml | 2 +- 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..a23b3761 --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,63 @@ +# Build and test workflow for Launchpad +# Triggered on PRs and pushes to main. + +name: Build and Test + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +jobs: + build: + name: Build Binaries + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.25" + + - name: Build binaries + run: | + mkdir -p dist + platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64") + for platform in "${platforms[@]}"; do + GOOS=${platform%/*} + GOARCH=${platform#*/} + output_name="dist/launchpad_${GOOS}_${GOARCH}" + if [ "$GOOS" = "windows" ]; then + output_name+=".exe" + fi + echo "Building $output_name" + GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go + done + + - name: Upload artifacts + uses: actions/upload-artifact@v4 + with: + name: launchpad-binaries + path: dist/ + + test: + name: Run Tests + runs-on: ubuntu-latest + needs: build + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: "1.22" + + - name: Run unit tests + run: go test -v ./... + + - name: Run integration tests + run: go test -v -tags=integration ./test/integration diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e3f34b1d..470d5b8b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v5 with: - go-version: "1.22" + go-version: "1.25" - name: Build binaries run: | From 41d51d6248a49165ec1e109ba430f671f1439705 Mon Sep 17 00:00:00 2001 
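Review bot: The `test` job pins `go-version: "1.22"` while the `build` job in the same file uses `"1.25"` and `go.mod` (patch 04) declares `go 1.25`; Go will auto-download a 1.25 toolchain, but the two jobs then run with different toolchains than the one checked in. Use `go-version-file: go.mod` in both jobs so the version is tracked in one place. `needs: build` on the test job never consumes the uploaded artifact, so it only serializes the jobs; drop it or download the artifact. Note the commit message describes a PR-workflow `permissions` block that this diff does not contain.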
From: James Nesbitt Date: Thu, 26 Mar 2026 12:48:29 +0200 Subject: [PATCH 07/14] Potential fix for code scanning alert no. 20: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a23b3761..3c90c0a5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,6 +2,8 @@ # Triggered on PRs and pushes to main. name: Build and Test +permissions: + contents: read on: push: From 417cbbb65038d088d3e2122291bf5fcbb1bf4a2d Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 12:48:51 +0200 Subject: [PATCH 08/14] Potential fix for code scanning alert no. 15: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/pr.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index b679af2f..270766d1 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -3,6 +3,9 @@ name: PR Validation +permissions: + contents: read + on: pull_request: branches: [ main ] From dbd5c6d8d8d70a54a246692eac87707d30d38d13 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 13:31:53 +0200 Subject: [PATCH 09/14] Potential fix for code scanning alert no. 13: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 470d5b8b..16796b60 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -2,6 +2,8 @@ # Triggered on tags (e.g., v1.5.16). name: Release +permissions: + contents: read on: push: @@ -46,6 +48,8 @@ jobs: name: Create GitHub Release runs-on: ubuntu-latest needs: build + permissions: + contents: write steps: - name: Download binaries uses: actions/download-artifact@v4 From b8e2d0035d05784b40b4e76305159c2d8454b990 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 13:38:05 +0200 Subject: [PATCH 10/14] fix(deps): upgrade github.com/ulikunitz/xz to v0.5.15 (GO-2025-3922) --- go.mod | 5 ++--- go.sum | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index c9be91bd..4c7f6f24 100644 --- a/go.mod +++ b/go.mod @@ -1,7 +1,6 @@ module github.com/Mirantis/launchpad -go 1.25 - +go 1.25.0 require ( al.essio.dev/pkg/shellescape v1.6.0 @@ -158,7 +157,7 @@ require ( github.com/spf13/pflag v1.0.10 // indirect github.com/tidwall/transform v0.0.0-20201103190739-32f242e2dbde // indirect github.com/tmccombs/hcl2json v0.6.4 // indirect - github.com/ulikunitz/xz v0.5.14 // indirect + github.com/ulikunitz/xz v0.5.15 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xlab/treeprint v1.2.0 // indirect github.com/xrash/smetrics v0.0.0-20250705151800-55b8f293f342 // indirect diff --git a/go.sum b/go.sum index f0e7f5d2..f4fb1754 100644 --- a/go.sum +++ b/go.sum 
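Review bot: Giving the `release` job `contents: write` is correct, but the step that uses it, `softprops/action-gh-release@v1`, is a third-party action referenced by a mutable major tag; with write access to releases this is the one step in the repository where a retagged or compromised action could replace the published binaries. Pin it (and the `checkout`, `setup-go` and `download-artifact` actions) to a full commit SHA, keeping the version as a trailing `# v1` comment. Because the job-level block replaces the top-level `contents: read` for that job only, the `build` job keeps read-only access, which is what you want.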
@@ -425,8 +425,8 @@ github.com/tidwall/transform v0.0.0-20201103190739-32f242e2dbde h1:AMNpJRc7P+GTw github.com/tidwall/transform v0.0.0-20201103190739-32f242e2dbde/go.mod h1:MvrEmduDUz4ST5pGZ7CABCnOU5f3ZiOAZzT6b1A6nX8= github.com/tmccombs/hcl2json v0.6.4 h1:/FWnzS9JCuyZ4MNwrG4vMrFrzRgsWEOVi+1AyYUVLGw= github.com/tmccombs/hcl2json v0.6.4/go.mod h1:+ppKlIW3H5nsAsZddXPy2iMyvld3SHxyjswOZhavRDk= -github.com/ulikunitz/xz v0.5.14 h1:uv/0Bq533iFdnMHZdRBTOlaNMdb1+ZxXIlHDZHIHcvg= -github.com/ulikunitz/xz v0.5.14/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= +github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/urfave/cli/v2 v2.27.7 h1:bH59vdhbjLv3LAvIu6gd0usJHgoTTPhCFib8qqOwXYU= github.com/urfave/cli/v2 v2.27.7/go.mod h1:CyNAG/xg+iAOg0N4MPGZqVmv2rCoP267496AOXUZjA4= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= From dd3d2e633802f972d6159b95a902e9373270af1b Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 13:46:17 +0200 Subject: [PATCH 11/14] fix(gha): deduplicate PR workflows (linting/tests) --- .github/workflows/build.yml | 2 -- .github/workflows/golangci-lint.yaml | 33 ---------------------------- .github/workflows/pr.yml | 25 --------------------- 3 files changed, 60 deletions(-) delete mode 100644 .github/workflows/golangci-lint.yaml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3c90c0a5..153953fa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,8 +8,6 @@ permissions: on: push: branches: [ main ] - pull_request: - branches: [ main ] jobs: build: diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml deleted file mode 100644 index c45423da..00000000 --- a/.github/workflows/golangci-lint.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -name: Go lint -on: - pull_request: - paths: - - '**.go' - - 'go.mod' - - 'go.sum' - - '.golangci.yml' - -jobs: - lint: - name: Lint - runs-on: ubuntu-latest - if: github.ref != 'refs/heads/main' - steps: - - name: Check out code into the Go module directory - uses: actions/checkout@v6 - - - name: Set up Go - uses: actions/setup-go@v6 - with: - go-version-file: go.mod - - - name: Check go.mod/go.sum to be consistent - run: go mod tidy -v && git diff --exit-code - - - name: golangci-lint - uses: golangci/golangci-lint-action@v9 - with: - version: latest - skip-cache: true - only-new-issues: false - args: --verbose diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 270766d1..d8645ff5 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -56,32 +56,7 @@ jobs: - name: Run integration tests run: make integration-test - build-verification: - name: Build Verification - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: "1.25" - - name: Build binaries - run: | - mkdir -p dist - platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64") - for platform in "${platforms[@]}"; do - GOOS=${platform%/*} - GOARCH=${platform#*/} - output_name="dist/launchpad_${GOOS}_${GOARCH}" - if [ "$GOOS" = "windows" ]; then - output_name+=".exe" - fi - echo "Building $output_name" - GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go - done security-scan: name: Security Scan From 8295aa8770738d7163dab8f29338a7f0a6eeaae3 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 13:48:44 +0200 Subject: [PATCH 12/14] fix(gha): skip PR checks for docs-only changes --- .github/workflows/pr.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index d8645ff5..abac257c 100644 --- a/.github/workflows/pr.yml 
+++ b/.github/workflows/pr.yml @@ -9,6 +9,16 @@ permissions: on: pull_request: branches: [ main ] + paths: + - "**.go" + - "go.mod" + - "go.sum" + - "test/**" + - "examples/**" + - ".github/workflows/**" + paths-ignore: + - "**.md" + - "docs/**" jobs: lint: From 7130d0d16614be0049b2edd455e47888bb6bab5b Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 13:52:09 +0200 Subject: [PATCH 13/14] fix(gha): restrict GITHUB_TOKEN permissions (CodeQL) --- .github/workflows/build.yml | 1 + .github/workflows/pr.yml | 1 + .github/workflows/release.yml | 3 ++- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 153953fa..49513723 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,6 +4,7 @@ name: Build and Test permissions: contents: read + packages: write # Required for uploading artifacts on: push: diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index abac257c..6fa57186 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -5,6 +5,7 @@ name: PR Validation permissions: contents: read + pull-requests: write # Required for PR comments or labels on: pull_request: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 16796b60..d8cd0a61 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,7 +3,8 @@ name: Release permissions: - contents: read + contents: read # Top-level: Restricts all jobs by default + packages: write # Required for uploading artifacts on: push: From 9ada3fde7fdece15c9242abebeb8e949b19f1ce4 Mon Sep 17 00:00:00 2001 From: James Nesbitt Date: Thu, 26 Mar 2026 14:02:48 +0200 Subject: [PATCH 14/14] chore(make): remove unused variables and simplify commands --- Makefile | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/Makefile b/Makefile index 082e849b..cea13a3f 100644 --- a/Makefile +++ b/Makefile 
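Review bot: The `pull_request` trigger now sets both `paths:` and `paths-ignore:`, which GitHub Actions does not allow for the same event, so the workflow fails validation and PR checks stop running entirely. Dropping the `paths-ignore` block is enough, since `**.md` and `docs/**` already fall outside the `paths` list. The `paths` list also omits `Makefile` even though every job here runs `make` targets; add `"Makefile"`. If these jobs are required status checks, docs-only PRs will then wait on checks that never start; the usual workaround is a second workflow with the inverse filter that reports success.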
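Review bot: `packages: write` is not needed to upload workflow artifacts: `actions/upload-artifact` authenticates with the runner's job token, not `GITHUB_TOKEN`, and the `packages` scope governs GitHub Packages/GHCR, which nothing in this workflow touches. The comment `# Required for uploading artifacts` is therefore incorrect and the grant widens the token on every push to `main` for no use; revert `build.yml` to `contents: read` only.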
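Review bot: No step in `pr.yml` comments on or labels pull requests, so `pull-requests: write` is an unused grant on a workflow that runs contributor code; remove it and keep `contents: read`. If a later step genuinely needs it, add it at job level on that job only, and keep in mind fork PRs get a read-only token regardless, so any such step must tolerate failure.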
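Review bot: `packages: write` at the top level of `release.yml` is unused: artifact upload and download use the runner token, and the `release` job already carries its own `permissions: contents: write` block, which replaces the top-level block for that job anyway. The comment `# Required for uploading artifacts` is inaccurate; keep the top level at `contents: read` so the `build` job stays read-only.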
@@ -1,12 +1,4 @@ -GO=$(shell which go) - -VOLUME_MOUNTS=-v "$(CURDIR):/v" - -GOLANGCI_LINT?=docker run -t --rm -v "$(CURDIR):/data" -w "/data" golangci/golangci-lint:latest golangci-lint - -SEGMENT_TOKEN?="" - .PHONY: clean clean: rm -fr dist @@ -23,13 +15,18 @@ local: if [ "$${GOOS}" = "windows" ]; then \ output_name="$${output_name}.exe"; \ fi; \ - $(GO) build -o "$${output_name}" ./main.go && \ + go build -o "$${output_name}" ./main.go && \ ./$${output_name} --help # run linting .PHONY: lint lint: - $(GOLANGCI_LINT) run + golangci-lint run + +# security scanning +.PHONY: security-scan +security-scan: + govulncheck ./... # Testing related targets @@ -37,7 +34,7 @@ lint: TEST_FLAGS?= .PHONY: unit-test unit-test: - $(GO) test -v --tags 'testing' $(TEST_FLAGS) ./pkg/... + go test -v --tags 'testing' $(TEST_FLAGS) ./pkg/... .PHONY: functional-test functional-test:
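Review bot: `lint:` now runs a bare `golangci-lint run`, but the PR workflow's lint job only runs `actions/setup-go` before `make lint`, and nothing in this series installs `golangci-lint` on the runner, so the lint check fails as soon as this lands; the removed Docker wrapper was what made it work. Either restore a containerised default such as `GOLANGCI_LINT ?= docker run --rm -v "$(CURDIR):/data" -w /data golangci/golangci-lint:vX.Y.Z golangci-lint` (with a pinned image tag rather than `latest`) or add an install step to `pr.yml`. The new `security-scan` target has the same assumption about `govulncheck` being on PATH. The `go mod tidy && git diff --exit-code` consistency check that lived in the deleted `golangci-lint.yaml` now has no replacement; it fits naturally as a second line of `lint:`.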