Merge pull request #83 from CodeMonkeyCybersecurity/dependabot/go_mod… #49
| # ci.yml - Consolidated CI pipeline | ||
| # Last Updated: 2026-02-22 | ||
| name: CI | ||
| on: | ||
| pull_request: | ||
| branches: [main, develop] | ||
| push: | ||
| branches: [main] | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: "0 3 * * *" | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
| jobs: | ||
| ci-debug-parity: | ||
| name: ci-debug-parity | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 20 | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Go environment | ||
| uses: ./.github/actions/setup-go-env | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | ||
| with: | ||
| node-version: "24" | ||
| - name: Run npm ci:debug | ||
| env: | ||
| CI: "true" | ||
| run: npm run ci:debug --silent | ||
| - name: Print ci:debug report | ||
| if: always() | ||
| run: | | ||
| test -f outputs/ci/debug/report.json && cat outputs/ci/debug/report.json || true | ||
| test -f outputs/ci/governance/report.json && cat outputs/ci/governance/report.json || true | ||
| test -f outputs/ci/governance-propagation-coverage/coverage.json && cat outputs/ci/governance-propagation-coverage/coverage.json || true | ||
| - name: Alert on governance wrapper report | ||
| if: always() | ||
| run: | | ||
| python3 scripts/ci/report-alert.py governance outputs/ci/governance/report.json | ||
| python3 scripts/ci/report-alert.py shell-coverage outputs/ci/governance-propagation-coverage/coverage.json | ||
| - name: Upload ci:debug artifacts | ||
| if: always() | ||
| uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 | ||
| with: | ||
| name: ci-debug-artifacts | ||
| path: | | ||
| outputs/ci/debug/** | ||
| outputs/ci/governance/** | ||
| outputs/ci/governance-propagation-coverage/** | ||
| if-no-files-found: warn | ||
| ci-self-update-quality: | ||
| name: ci-self-update-quality | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 30 | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Go environment | ||
| uses: ./.github/actions/setup-go-env | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 | ||
| with: | ||
| node-version: "24" | ||
| - name: Validate CI policy | ||
| run: go run ./test/ci/tool policy-validate test/ci/suites.yaml | ||
| - name: Run self-update quality lane | ||
| run: npm run ci:self-update-quality --silent | ||
| - name: Summarize self-update quality lane | ||
| if: always() | ||
| env: | ||
| CI_LANE: self-update-quality | ||
| CI_STATUS: ${{ job.status }} | ||
| CI_LOG_DIR: outputs/ci/self-update-quality | ||
| CI_COVERAGE_FILE: outputs/ci/self-update-quality/coverage.out | ||
| CI_REPORT_FILE: outputs/ci/self-update-quality/report.json | ||
| CI_SUMMARY_FILE: outputs/ci/self-update-quality/summary.md | ||
| run: scripts/ci/summary.sh | ||
| - name: Bundle self-update quality artifacts | ||
| if: always() | ||
| run: | | ||
| tar -czf outputs/ci/self-update-quality-artifacts.tgz -C outputs/ci self-update-quality || true | ||
| ls -lh outputs/ci/self-update-quality-artifacts.tgz || true | ||
| - name: Print self-update quality report | ||
| if: always() | ||
| run: | | ||
| test -f outputs/ci/self-update-quality/report.json && cat outputs/ci/self-update-quality/report.json || true | ||
| - name: Alert on self-update quality failure details | ||
| if: always() | ||
| run: | | ||
| set -euo pipefail | ||
| report="outputs/ci/self-update-quality/report.json" | ||
| if [[ ! -f "${report}" ]]; then | ||
| echo "::warning::self-update-quality report missing" | ||
| exit 0 | ||
| fi | ||
| python3 - <<'PY' "${report}" | ||
| import json | ||
| import sys | ||
| from pathlib import Path | ||
| report = Path(sys.argv[1]) | ||
| data = json.loads(report.read_text(encoding="utf-8")) | ||
| status = data.get("status", "unknown") | ||
| if status == "pass": | ||
| print("self-update-quality status=pass") | ||
| raise SystemExit(0) | ||
| stage = data.get("stage", "unknown") | ||
| failed_command = data.get("failed_command", "unknown") | ||
| coverage = data.get("coverage_percent", "n/a") | ||
| message = data.get("message", "unknown") | ||
| print(f"::error::self-update-quality failed stage={stage} command={failed_command} coverage={coverage} message={message}") | ||
| PY | ||
| lint: | ||
| name: lint | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Go environment | ||
| uses: ./.github/actions/setup-go-env | ||
| - name: Validate CI policy | ||
| run: go run ./test/ci/tool policy-validate test/ci/suites.yaml | ||
| - name: CI preflight | ||
| run: scripts/ci/preflight.sh | ||
| - name: Install golangci-lint | ||
| run: bash scripts/ci/install-golangci-lint.sh | ||
| - name: Run lint lane | ||
| env: | ||
| CI_EVENT_NAME: ${{ github.event_name }} | ||
| CI_BASE_REF: ${{ github.base_ref }} | ||
| run: | | ||
| if [ "${CI_EVENT_NAME}" = "pull_request" ]; then | ||
| scripts/ci/lint.sh changed | ||
| else | ||
| scripts/ci/lint.sh all | ||
| fi | ||
| - name: Summarize lint lane | ||
| if: always() | ||
| env: | ||
| CI_LANE: lint | ||
| CI_STATUS: ${{ job.status }} | ||
| CI_LOG_DIR: outputs/ci/lint | ||
| CI_COVERAGE_FILE: "-" | ||
| CI_REPORT_FILE: outputs/ci/lint/report.json | ||
| CI_SUMMARY_FILE: outputs/ci/lint/summary.md | ||
| run: scripts/ci/summary.sh | ||
| - name: Bundle lint artifacts | ||
| if: always() | ||
| run: | | ||
| tar -czf outputs/ci/lint-artifacts.tgz -C outputs/ci lint || true | ||
| ls -lh outputs/ci/lint-artifacts.tgz || true | ||
| - name: Print lint report | ||
| if: always() | ||
| run: | | ||
| test -f outputs/ci/lint/report.json && cat outputs/ci/lint/report.json || true | ||
| ci-unit: | ||
| name: ci-unit | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 40 | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Go environment | ||
| uses: ./.github/actions/setup-go-env | ||
| - name: Validate CI policy | ||
| run: go run ./test/ci/tool policy-validate test/ci/suites.yaml | ||
| - name: CI preflight | ||
| run: scripts/ci/preflight.sh | ||
| - name: Run unit lane | ||
| env: | ||
| CI_EVENT_NAME: ${{ github.event_name }} | ||
| CI_BASE_REF: ${{ github.base_ref }} | ||
| CI_SUITE_FILE: test/ci/suites.yaml | ||
| run: scripts/ci/test.sh unit | ||
| - name: Summarize unit lane | ||
| if: always() | ||
| env: | ||
| CI_LANE: unit | ||
| CI_STATUS: ${{ job.status }} | ||
| CI_LOG_DIR: outputs/ci/unit | ||
| CI_COVERAGE_FILE: outputs/ci/unit/coverage.out | ||
| CI_REPORT_FILE: outputs/ci/unit/report.json | ||
| CI_SUMMARY_FILE: outputs/ci/unit/summary.md | ||
| run: scripts/ci/summary.sh | ||
| - name: Bundle unit artifacts | ||
| if: always() | ||
| run: | | ||
| tar -czf outputs/ci/unit-artifacts.tgz -C outputs/ci unit || true | ||
| ls -lh outputs/ci/unit-artifacts.tgz || true | ||
| - name: Print unit report | ||
| if: always() | ||
| run: | | ||
| test -f outputs/ci/unit/report.json && cat outputs/ci/unit/report.json || true | ||
| - name: Alert on unit lane report | ||
| if: always() | ||
| run: python3 scripts/ci/report-alert.py ci-unit outputs/ci/unit/report.json | ||
| ci-deps-unit: | ||
| name: ci-deps-unit | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 20 | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Go environment | ||
| uses: ./.github/actions/setup-go-env | ||
| - name: Validate CI policy | ||
| run: go run ./test/ci/tool policy-validate test/ci/suites.yaml | ||
| - name: CI preflight | ||
| run: scripts/ci/preflight.sh | ||
| - name: Run dependency-focused unit lane | ||
| env: | ||
| CI_EVENT_NAME: ${{ github.event_name }} | ||
| CI_BASE_REF: ${{ github.base_ref }} | ||
| CI_SUITE_FILE: test/ci/suites.yaml | ||
| run: scripts/ci/test.sh deps-unit | ||
| - name: Summarize dependency-focused unit lane | ||
| if: always() | ||
| env: | ||
| CI_LANE: deps-unit | ||
| CI_STATUS: ${{ job.status }} | ||
| CI_LOG_DIR: outputs/ci/deps-unit | ||
| CI_COVERAGE_FILE: "-" | ||
| CI_REPORT_FILE: outputs/ci/deps-unit/report.json | ||
| CI_SUMMARY_FILE: outputs/ci/deps-unit/summary.md | ||
| CI_SUITE_FILE: test/ci/suites.yaml | ||
| run: scripts/ci/summary.sh | ||
| - name: Bundle dependency-focused unit artifacts | ||
| if: always() | ||
| run: | | ||
| tar -czf outputs/ci/deps-unit-artifacts.tgz -C outputs/ci deps-unit || true | ||
| ls -lh outputs/ci/deps-unit-artifacts.tgz || true | ||
| - name: Print dependency-focused unit report | ||
| if: always() | ||
| run: | | ||
| test -f outputs/ci/deps-unit/report.json && cat outputs/ci/deps-unit/report.json || true | ||
| - name: Alert on dependency-focused unit lane report | ||
| if: always() | ||
| run: python3 scripts/ci/report-alert.py ci-deps-unit outputs/ci/deps-unit/report.json | ||
| ci-integration: | ||
| name: ci-integration | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 45 | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Go environment | ||
| uses: ./.github/actions/setup-go-env | ||
| - name: Validate CI policy | ||
| run: go run ./test/ci/tool policy-validate test/ci/suites.yaml | ||
| - name: CI preflight | ||
| run: scripts/ci/preflight.sh | ||
| - name: Run integration lane | ||
| env: | ||
| CI_EVENT_NAME: ${{ github.event_name }} | ||
| CI_BASE_REF: ${{ github.base_ref }} | ||
| CI_SUITE_FILE: test/ci/suites.yaml | ||
| run: scripts/ci/test.sh integration | ||
| - name: Summarize integration lane | ||
| if: always() | ||
| env: | ||
| CI_LANE: integration | ||
| CI_STATUS: ${{ job.status }} | ||
| CI_LOG_DIR: outputs/ci/integration | ||
| CI_COVERAGE_FILE: "-" | ||
| CI_REPORT_FILE: outputs/ci/integration/report.json | ||
| CI_SUMMARY_FILE: outputs/ci/integration/summary.md | ||
| run: scripts/ci/summary.sh | ||
| - name: Bundle integration artifacts | ||
| if: always() | ||
| run: | | ||
| tar -czf outputs/ci/integration-artifacts.tgz -C outputs/ci integration || true | ||
| ls -lh outputs/ci/integration-artifacts.tgz || true | ||
| - name: Print integration report | ||
| if: always() | ||
| run: | | ||
| test -f outputs/ci/integration/report.json && cat outputs/ci/integration/report.json || true | ||
| - name: Alert on integration lane report | ||
| if: always() | ||
| run: python3 scripts/ci/report-alert.py ci-integration outputs/ci/integration/report.json | ||
| ci-e2e-smoke: | ||
| name: ci-e2e-smoke | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 20 | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Go environment | ||
| uses: ./.github/actions/setup-go-env | ||
| - name: Validate CI policy | ||
| run: go run ./test/ci/tool policy-validate test/ci/suites.yaml | ||
| - name: CI preflight | ||
| run: scripts/ci/preflight.sh | ||
| - name: Run e2e smoke lane | ||
| env: | ||
| CI_SUITE_FILE: test/ci/suites.yaml | ||
| run: scripts/ci/test.sh e2e-smoke | ||
| - name: Summarize e2e smoke lane | ||
| if: always() | ||
| env: | ||
| CI_LANE: e2e-smoke | ||
| CI_STATUS: ${{ job.status }} | ||
| CI_LOG_DIR: outputs/ci/e2e-smoke | ||
| CI_COVERAGE_FILE: "-" | ||
| CI_REPORT_FILE: outputs/ci/e2e-smoke/report.json | ||
| CI_SUMMARY_FILE: outputs/ci/e2e-smoke/summary.md | ||
| run: scripts/ci/summary.sh | ||
| - name: Bundle e2e smoke artifacts | ||
| if: always() | ||
| run: | | ||
| tar -czf outputs/ci/e2e-smoke-artifacts.tgz -C outputs/ci e2e-smoke || true | ||
| ls -lh outputs/ci/e2e-smoke-artifacts.tgz || true | ||
| - name: Print e2e smoke report | ||
| if: always() | ||
| run: | | ||
| test -f outputs/ci/e2e-smoke/report.json && cat outputs/ci/e2e-smoke/report.json || true | ||
| - name: Alert on e2e smoke lane report | ||
| if: always() | ||
| run: python3 scripts/ci/report-alert.py ci-e2e-smoke outputs/ci/e2e-smoke/report.json | ||
| ci-fuzz: | ||
| name: ci-fuzz | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Go environment | ||
| uses: ./.github/actions/setup-go-env | ||
| - name: Validate CI policy | ||
| run: go run ./test/ci/tool policy-validate test/ci/suites.yaml | ||
| - name: CI preflight | ||
| run: scripts/ci/preflight.sh | ||
| - name: Run fuzz lane | ||
| env: | ||
| CI_SUITE_FILE: test/ci/suites.yaml | ||
| run: scripts/ci/test.sh fuzz | ||
| - name: Summarize fuzz lane | ||
| if: always() | ||
| env: | ||
| CI_LANE: fuzz | ||
| CI_STATUS: ${{ job.status }} | ||
| CI_LOG_DIR: outputs/ci/fuzz | ||
| CI_COVERAGE_FILE: "-" | ||
| CI_REPORT_FILE: outputs/ci/fuzz/report.json | ||
| CI_SUMMARY_FILE: outputs/ci/fuzz/summary.md | ||
| run: scripts/ci/summary.sh | ||
| - name: Bundle fuzz artifacts | ||
| if: always() | ||
| run: | | ||
| tar -czf outputs/ci/fuzz-artifacts.tgz -C outputs/ci fuzz || true | ||
| ls -lh outputs/ci/fuzz-artifacts.tgz || true | ||
| - name: Print fuzz report | ||
| if: always() | ||
| run: | | ||
| test -f outputs/ci/fuzz/report.json && cat outputs/ci/fuzz/report.json || true | ||
| - name: Alert on fuzz lane report | ||
| if: always() | ||
| run: python3 scripts/ci/report-alert.py ci-fuzz outputs/ci/fuzz/report.json | ||
| ci-e2e-full: | ||
| name: ci-e2e-full | ||
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 90 | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Setup Go environment | ||
| uses: ./.github/actions/setup-go-env | ||
| - name: Validate CI policy | ||
| run: go run ./test/ci/tool policy-validate test/ci/suites.yaml | ||
| - name: CI preflight | ||
| run: scripts/ci/preflight.sh | ||
| - name: Run e2e full lane | ||
| env: | ||
| CI_SUITE_FILE: test/ci/suites.yaml | ||
| run: scripts/ci/test.sh e2e-full | ||
| - name: Summarize e2e full lane | ||
| if: always() | ||
| env: | ||
| CI_LANE: e2e-full | ||
| CI_STATUS: ${{ job.status }} | ||
| CI_LOG_DIR: outputs/ci/e2e-full | ||
| CI_COVERAGE_FILE: "-" | ||
| CI_REPORT_FILE: outputs/ci/e2e-full/report.json | ||
| CI_SUMMARY_FILE: outputs/ci/e2e-full/summary.md | ||
| run: scripts/ci/summary.sh | ||
| - name: Bundle e2e full artifacts | ||
| if: always() | ||
| run: | | ||
| tar -czf outputs/ci/e2e-full-artifacts.tgz -C outputs/ci e2e-full || true | ||
| ls -lh outputs/ci/e2e-full-artifacts.tgz || true | ||
| - name: Print e2e full report | ||
| if: always() | ||
| run: | | ||
| test -f outputs/ci/e2e-full/report.json && cat outputs/ci/e2e-full/report.json || true | ||
| - name: Alert on e2e full lane report | ||
| if: always() | ||
| run: python3 scripts/ci/report-alert.py ci-e2e-full outputs/ci/e2e-full/report.json | ||
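Review bot: Three of the four SHA-pinned action references carry no release tag comment — `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` and `actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808` at every use, and `actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020` at its second use in ci-self-update-quality — so a reviewer cannot see which tagged release each digest is meant to resolve to, and Dependabot only keeps a `# vX.Y.Z` trailer in step with the digest when one is present. Repeat `uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0` at the second use and add the matching `# v<RELEASE-TAG>` trailer (placeholder; take the tag that resolves to that digest from the upstream release list) to every checkout and upload-artifact line. Separately, the `::error::` print in the "Alert on self-update quality failure details" step emits `stage`, `failed_command`, `coverage` and `message` from report.json verbatim; a newline inside any of them would end the annotation and let the remainder be parsed as a further workflow command, so encode line breaks before printing, e.g. `message = str(data.get("message", "unknown")).replace("\n", "%0A")` for each field. Whether the file ends with the ci-e2e-full job is not visible from this view.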