feat: CI/CD pipelines, security scanning, and dependency updates #42
Merged
- Matrix strategy: lint + test 20 Go modules in parallel (13 services + 7 shared libs)
- Matrix strategy: Docker build all 13 service images in parallel
- go vet + go test on every PR and push to main
- CI Pass summary gate requires all jobs to succeed
- workflow_dispatch for manual trigger
Security scanning (security.yml):
- govulncheck on 16 Go modules in parallel matrix
- Trivy container image scan on 10 core service images
- Fails on CRITICAL/HIGH severity, ignores unfixed
- Weekly scheduled scan (Monday 6am UTC) + PR/push triggers

E2E integration tests (e2e.yml):
- Builds all 13 Docker images via make docker-build
- Spins up full stack with docker-compose (MongoDB, NATS, Redis)
- Runs 82-test suite: E2E, NATS events, circuit breaker, rate limiter
- Uploads docker logs as artifact on failure
- Triggered on PR to main

CD workflow (cd.yml):
- Builds and pushes all 13 images to GHCR on merge to main
- Tags with git SHA + latest
- Staging deploy placeholder (dry-run, ready for kubectl apply)
- Manual trigger with environment selection (staging/production)
- Only triggers on src/deploy/hack changes
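The scanning workflow described above, written out as an added example. This is not the PR's own security.yml: the module paths, service names and action version pins are placeholders, and the structure (govulncheck matrix, Trivy image scan failing on CRITICAL/HIGH with unfixed findings ignored, Monday 06:00 UTC schedule, and a pass gate that only succeeds when every scan job succeeded) follows what the commit message states.

```yaml
# Added example, not the PR's security.yml. Module paths, service names
# and action versions below are assumptions; replace them with the repo's own.
name: security

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # every Monday at 06:00 UTC
  workflow_dispatch:

# Read-only token: scanning jobs never need to write to the repository.
permissions:
  contents: read

env:
  GO_VERSION: "1.26"

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # report every vulnerable module, not just the first
      matrix:
        # placeholder module list; the real workflow enumerates 16 modules
        module: [services/gateway, services/issuer, libs/common]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # govulncheck only reports vulnerabilities in code paths the module
      # actually reaches, so it produces far fewer findings than a plain
      # go.sum lookup would
      - run: govulncheck ./...
        working-directory: ${{ matrix.module }}

  trivy:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        service: [gateway, issuer]   # placeholder; the real workflow scans 10 images
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t ${{ matrix.service }}:ci -f services/${{ matrix.service }}/Dockerfile .
      - uses: aquasecurity/trivy-action@0.28.0   # assumed pin; use a reviewed version
        with:
          image-ref: ${{ matrix.service }}:ci
          severity: CRITICAL,HIGH
          ignore-unfixed: true     # skip findings with no upstream fix yet
          exit-code: "1"           # non-zero exit fails the job

  # Summary gate: branch protection can require this single job instead of
  # every matrix leg. `if: always()` makes it run even when a scan failed,
  # and the explicit result check prevents a skipped job from passing.
  security-pass:
    if: always()
    needs: [govulncheck, trivy]
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "govulncheck: ${{ needs.govulncheck.result }}"
          echo "trivy:       ${{ needs.trivy.result }}"
          if [ "${{ needs.govulncheck.result }}" != "success" ] || \
             [ "${{ needs.trivy.result }}" != "success" ]; then
            echo "one or more scans did not succeed"; exit 1
          fi
```

Two details worth checking when adapting this: `ignore-unfixed: true` keeps the signal clean but means an image can carry an unfixed HIGH finding without failing the gate, so the weekly schedule is what eventually surfaces it once a fix ships; and the gate job must compare each `needs.*.result` to `success` explicitly, because a job that was skipped or cancelled would otherwise let the gate pass.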
- google.golang.org/grpc: 1.61→1.80 (fixes CRITICAL auth bypass CVE)
- go.opentelemetry.io/otel/sdk: 1.24→1.43 (fixes HIGH code execution CVE)
- google.golang.org/protobuf: 1.32→1.36 (fixes infinite loop CVE)
- golang.org/x/net: 0.20→0.52 (fixes XSS, proxy bypass, header flood CVEs)
- google.golang.org/api: updated for grpc compatibility

Addresses 30 Dependabot alerts (9 critical, 10 high, 11 medium)
- All 13 Dockerfiles: golang:1.24-alpine → golang:1.26-alpine (required by dependency update that bumped go.mod to 1.25)
- CI + security workflows: GO_VERSION 1.24 → 1.26
- E2E test: fix CRL issuer field assertion (.issuer → .issuer_id)

Validated: 82/82 tests pass (44 E2E + 18 NATS + 10 CB + 10 rate limiter)
- All 13 Dockerfiles: add apk --no-cache upgrade before ca-certificates install to patch CVE-2026-22184 (zlib buffer overflow, HIGH)
- Gateway: golang-jwt/jwt v5.2.1 → v5.3.1 (GO-2025-3553, memory alloc)
- Gateway: go-redis v9.7.0 → v9.18.0 (GO-2025-3540, out of order responses)
Summary

- go vet) + test (go test) all 20 Go modules and Docker build all 13 service images in parallel using matrix strategy. Runs on every PR and push to main
- govulncheck on 16 Go modules + Trivy container image scan on 10 core services. Fails on CRITICAL/HIGH severity. Weekly scheduled scan + PR triggers
- .issuer to .issuer_id)

Security Fixes
Test plan
- go vet clean on all 17 modules
- go test pass on all modules