care runs every quality, security, dependency, and test check for a repo in one
command, built for working across many repos and languages at once.
Keeping standards consistent as you switch languages is hard. care helps you
follow each ecosystem's best practices. Go for now.
caregithub.com/toaweme/care │ C 78/100 needs-attention │ 7 passed, 2 failed, 1 skipped │ 3.2s │ 6 tools
main · a4d4a5a · 18 commits · dirty +235 -0 · touched 3m ago
✓ build compiles
✓ dependencies tidy, no replace directives
✓ docs 84% documented (309/366, 57 undocumented)
✓ runtime declared 1.25.0 · code 1.22 · deps 1.25.0
✓ secrets 0 secrets
✓ tests 161 tests, 38.5% coverage, 7 untested
✓ vulnerabilities 0 vulnerabilities (+12 in go toolchain)
○ benchmarks skipped: not applicable
✗ lint 1 issue
cmd/care/output/report_json.go:138:12 G306: Expect WriteFile permissions to be 0600 or less (gosec)
✗ version control 1 uncommitted (+235 -0)
untracked README.md +235 -0 3m agoOne command, every check, one grade. Run it before you push, in CI, or on a timer behind a dashboard.
# go
go install github.com/toaweme/care/cmd/care@latest
# homebrew (macos)
brew install toaweme/tap/care
# scoop (windows)
scoop bucket add toaweme https://github.com/toaweme/scoop-bucket
scoop install toaweme/care
# binary
wget -qO- https://github.com/toaweme/care/releases/download/v0.9.0/care_0.9.0_linux_x64.tar.gz | tar xzEvery release also lists the exact archive for each OS/arch on the releases page.
care shells out to a few tools (golangci-lint, govulncheck, betterleaks, plus go/gofmt). With
auto_install: true (the default) it installs any missing binary on demand via brew or go install; pin or
disable individual tools in config.
Bare care is care status with everything on.
Run the selected checks against the current repo and render the result.
--json/-jemits the report as JSON to stdout--output/-o <file>writes the JSON report to a file instead.--stdout/-soutputs to stdout. Useful in CI where we need both JSON file and the logs.--amend/-ais a fast one-shot refresh of just the working-tree state, merged into the--outputfile (~36x faster than a fullcare statusrun) for an external watcher, cron, or dashboard to poll.
Fetch a config file into the current repo from any source and, optionally, rewrite placeholder tokens on the way in. It decouples which file goes where from where the bytes come from.
care get toaweme/care/templates/.golangci.yml # pull a file, write ./.golangci.yml
care get toaweme/care/templates/.golangci.yml --out config/x.yml # choose the destination
care get owner/repo/path/LICENSE -r __YEAR__=2027 -r '__HOLDER__=toawe.me Authors' # rewrite tokens
care get ./local/x.yml --force # overwrite an existing fileThe source is the first positional argument; --out defaults to the source's filename. Pass -r token=value
to replace every occurrence of token in the fetched bytes; repeat -r for each replacement. Each pair splits
on the first =, so the value may contain any character (spaces, ;, ,, =, quotes) as long as your
shell passes it as one argument; the token may not contain =. If a token starts with -, use the glued
form -r=token=value.
Sources resolve in this order:
- local file (
./,~,file://, or any existing path) - remote (a real
github.com/raw.githubusercontent.com/gist URL, or theowner/repo[/path]shorthand).
Local and embedded sources are zero-network, a remote fetch is an explicit.
Set Github repo token via --token/-t, env:GITHUB_TOKEN
Derive release notes from conventional commits, the org's single source for a release body (it replaces
goreleaser's own changelog). The positional tag is the range end; --since sets the start.
care changelog # notes for the latest tag (or HEAD), since the previous tag
care changelog v1.2.0 # notes ending at v1.2.0, since the tag before it
care changelog v1.2.0 --since v1.0.0 # explicit range
care changelog --full # from the first commit, ignoring tags
care changelog --write # maintain CHANGELOG.md in place instead of printing- Prints to stdout by default (redirect to capture).
--writemaintains the Keep a Changelog file at--file/-f(default./CHANGELOG.md). - For the natural range, a matching
## [version]section already in--fileis used verbatim, so hand-written prose reaches the release. An explicit--since/--fullalways re-derives from git. --plaindrops commit/PR links and author attribution. Git-host extras (Full Changelog link, contributors) need a token via--token/-torGITHUB_TOKEN/GH_TOKEN.
Use the bundled action to run care in CI. Pin it to a tag or a commit SHA: each
tag carries the matching care version, so either pin installs the right binary
(no version: input) and verifies its cosign signature and SHA-256 first.
The action installs care and runs care status. Three optional inputs change
that: output writes a JSON report, publish-url publishes it, and strict fails
the job on failing checks. With none set, it just runs status and logs the result:
jobs:
quality:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@<sha>
- uses: toaweme/care@v0.9.0 # runs `care status`Publishing needs id-token: write (a GitHub OIDC token is minted with the URL's
origin as audience). Point publish-url at your own ingestion engine. strict: true fails the step on a failing check; omit it to report without failing the job:
jobs:
quality:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # only for publishing
steps:
- uses: actions/checkout@<sha>
- uses: toaweme/care@v0.9.0
with:
strict: true # fail the job, but keep the report
publish-url: https://ci.example.com/care # POST the report here; omit to keep it localcare stays on PATH, so any other care command is just your own step, e.g.
run: care get toaweme/care/templates/.golangci.yml to sync the lint config first. Set install-only: true to
skip care status (and publish/gate) entirely and just get the verified binary
onto PATH:
- uses: toaweme/care@v0.9.0
with:
install-only: true
- run: care get toaweme/care/templates/.golangci.ymlInputs (none are required):
| Input | Purpose | Default |
|---|---|---|
install-only |
true installs and verifies care, then stops - no status run, publish, or gate. Use it when a later step just runs its own care command |
false |
version |
Override the binary version, only when pinning the action to a SHA or branch | Latest |
output |
Report file path, care's own --output (use a <name>.care.json name). A failing check still writes it rather than failing the step |
- |
strict |
true fails the step when a check fails, after any report is published. false reports without failing |
false |
verify |
Cosign signature check | true |
dir |
Directory care runs in (care's --cwd), for a module in a subdirectory with its own go.mod. The report still lands in the workspace root |
. |
publish-url |
Full URL to POST the report to; empty keeps it local. Needs id-token: write |
- |
publish-timeout |
Max seconds for each publish-report curl call (OIDC token mint and the POST) | 30 |
The publish endpoint gets the report JSON as the POST body with an Authorization: Bearer <OIDC token> header (audience is the URL's origin). A self-hosted codeviewer
exposes the same path: https://<your-host>/ingest?kind=care.
The report stays in the workspace even when checks fail, so you can read a failure
report without re-running care (only the download temp dir is cleaned up). The
report-path output exposes its location for later steps, e.g. to upload it as an
artifact.
Reports stay local unless you set both publish-url and id-token: write; then
they're POSTed there. Set publish-url without the token and publishing is skipped
with a warning.
Pin to an exact tag and bump it deliberately when you adopt a new release.
Each check runs only where it applies and skips itself otherwise (no benchmarks in a repo with none, nothing Go in a non-Go repo).
| Check | What it does |
|---|---|
| Version control | Uncommitted files as a worklog: per-file line delta + relative age, ordered most-recently-touched |
| Build | go build ./..., compiler diagnostics parsed and located; any error fails |
| Lint | Golangci-lint when a .golangci.* governs the repo, else a go vet + gofmt -l fallback |
| Dependencies | go mod tidy delta + replace directives + go mod verify; the runtime floor the graph forces |
| Runtime | Compares the declared Go version against what the code needs and what deps force (informational) |
| Docs | Exported-symbol doc-comment coverage via go/ast; warns below a configurable threshold |
| Tests | One go test ./... -json per profile: per-package/file/function coverage, untested pkgs, slowest |
| Benchmark | go test -bench (skipped instantly when the repo has no func Benchmark) |
| Secrets | Betterleaks over the working tree and (optionally) git history |
| Vulnerabilities | Govulncheck, called-only findings, categorized deps/code/runtime so toolchain CVEs don't fail |
Every check rolls up into one grade. Results are weighted, then critical failures cap the score: a committed secret
caps you at F, a reachable vulnerability at C. You get a score out of 100, an A+..F letter, and a healthy / needs-attention / failing verdict. Weights and caps are yours to retune.
- One score for a whole repo. Build, lint, deps, runtime, docs, tests, benchmarks, secrets, and vulnerabilities, all in one command and one grade. No remembering which tool checks what.
- Output you can build on.
--jsonemits the full report with the numbers that matter (coverage, vulns, secrets, issues, tests) lifted to the top. Ingest it into codeviewer, a dashboard, a status badge, or any other tooling, the format is stable and meant to be consumed. - Fast refresh for live tracking.
--amendre-checks just the working tree and reuses the last heavy run, about 36x faster than a full pass, so a watcher or status bar can poll it cheaply. - No noise from things you can't fix. Vulnerability findings are filtered to code you actually call, and a CVE that lives in the Go toolchain is shown but never drags your grade down.
- Tells you the real Go version you need. care reads your code to work out the minimum Go version it actually
requires, so you know whether your
go.moddirective can come down. - Drop in best-practice configs.
care getwrites canonical linter, release, taskfile, CI, and license files into a repo, bundled and offline by default, or synced from a URL when you ask. - Configure once, or not at all. Sensible defaults out of the box; layer
~/.care/care.ymland./care.ymlto pin tools, turn off checks, or retune the grade. Everything optional. - Built to grow beyond Go. The check engine is language-agnostic; Go is the first ecosystem, with more to come.
With Go Report Card winding down, coincidentally care works as a local alternative that runs on your own machine.
care uses an issue-first workflow. Open an issue describing the change and wait for a maintainer to approve the approach (the approved label) before you open a pull request. PRs that don't reference an approved issue are flagged by a bot and usually closed, so the issue step saves you wasted work.
Every commit must be signed off for the Developer Certificate of Origin with git commit -s. A CI check enforces this on every commit in a pull request.
Full flow in CONTRIBUTING.md, ground rules in CODE_OF_CONDUCT.md.
Care's --json output can be ingested by any 3rd party tooling including our code viewer, which also hosts our badges and cards.
Public availability soon.
Made with ❤️ in Lithuania 🇱🇹.
