GitHub - go-openapi/ci-workflows: Common CI workflows and setup for go-openapi repos (original) (raw)

Common Continuous Integration (CI) workflows and setup for go-openapi repos.

• shared github action workflows
• shared dependabot configuration (BLOCKED)
• shared golangci-lint configuration (BLOCKED)

Status

Active development.

We are regularly adding more shared workflows to standardize CI across go-openapi repos.

NOTE: at this moment, it is difficult to share the configurations for dependabot and golangci-lint, so these are not shared yet.

Content

This repository essentially contains github action workflows in .github/workflows.

go code in this repo is provided only for the purpose of testing these workflows.

Workflows contents are detailed [here][.github/workflows/README.md].

Example

go-test.yml

Basic usage

You reuse a workflow like so:

name: go test

permissions: pull-requests: read contents: read

on: push: branches: - master

pull_request:

jobs: test: uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@master secrets: inherit

It is recommended to pin the git ref master with a commit sha, and let dependabot keep you up to date. Like so:

uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@b28a8b978a5ee5b7f4241ffafd6cc6163edb5dfd # v0.1.0

Permissions

Make sure your job permissions match the requirements of the called shared workflow.

Example:

name: "CodeQL"

on: push: branches: [ "master" ] pull_request: branches: [ "master" ] paths-ignore: # remove this clause if CodeQL is a required check - '**/*.md' schedule: - cron: '39 19 * * 5'

permissions: contents: read

jobs: codeql: permissions: # <- grant permissions at the job level that match the requirements of the called workflow contents: read security-events: write uses: ./.github/workflows/codeql.yml secrets: inherit

Available workflows [v0.2.16]

Dependencies automation

• auto-merge.yml:
  • auto-merge dependabot updates, with dependency group rules
  • auto-merge go-openapi bot updates

Test automation

• go-test.yml: go unit tests
  • includes:
    * fuzz-test.yml: orchestrates fuzz testing with a cached corpus
    * collect-coverage.yml: (common) collect & publish test coverage (to codecov)
    * collect-reports.yml: (common) collect & publish test reports (to codecov and github)
• go-test-monorepo.yml: go unit tests, with support for go mono-repos (same features)

NOTE: for mono-repos, the workflow works best with go1.25 and go.work declaring all your modules and committed to git.

Security

• codeql.yml: CodeQL workflow for go and github actions
• scanner.yml: trivy & govulncheck scans

Release automation

• bump-release.yml: manually triggered workflow to cut a release
• tag-release.yml: cut a release on push tag
• release.yml: (common) release & release notes build

NOTE: mono-repos are not supported yet.

Release notes are produced using git-cliff. The configuration may be set using a .cliff.toml file. The default configuration is the .cliff.toml in this repo (uses remote config).

Documentation quality

• contributors.yml: updates CONTRIBUTORS.md

Motivation

It took a while (well something like 10 years...), but we eventually managed to align all checks, tests and dependabot rules declared in the family of go-openapi repos.

Now we'd like to be able to maintain, enrich and improve these checks without worrying too much about the burden of replicating the stuff about a dozen times.

Change log

See https://github.com/go-openapi/ci-workflows/releases

Licensing

This content ships under the SPDX-License-Identifier: Apache-2.0.

Other documentation

• All-time contributors
• Contributing guidelines
• Maintainers documentation
• Code style
• Roadmap

Cutting a new release

Maintainers can cut a new release by either:

• running this workflow
• or pushing a semver tag
  • signed tags are preferred
  • The tag message is prepended to release notes