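# Lint workflow: checks that go.mod/go.sum are tidy, runs golangci-lint,
# verifies license generation, and scans the module with govulncheck.
name: Lint
on:
  push:
    branches:
      - trunk
    paths:
      - "**.go"
      - go.mod
      - go.sum
      - ".github/licenses.tmpl"
      - "script/licenses"
  pull_request:
    paths:
      - "**.go"
      - go.mod
      - go.sum
      - ".github/licenses.tmpl"
      - "script/licenses"

# Least privilege: the workflow token is limited to reading repository contents.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions/checkout and actions/setup-go are referenced by a
      # mutable tag, while golangci-lint-action below is pinned to a full commit
      # SHA. Pinning these to a commit SHA as well (tag kept as a trailing
      # comment) keeps a retagged release from changing what runs in this job.
      - name: Check out code
        uses: actions/checkout@v6
        with:
          # None of the steps visible in this job push or fetch with the token,
          # so do not leave it in .git/config for later steps (linters, make
          # targets, third-party actions) to read.
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'

      # Runs `go mod tidy` and fails the job if it changes any tracked file,
      # printing the diff so the contributor can see what must be committed.
      - name: Ensure go.mod and go.sum are up to date
        run: |
          STATUS=0
          assert-nothing-changed() {
            local diff
            "$@" >/dev/null || return 1
            if ! diff="$(git diff -U1 --color --exit-code)"; then
              printf '\e[31mError: running `\e[1m%s\e[22m` results in modifications that you must check into version control:\e[0m\n%s\n\n' "$*" "$diff" >&2
              git checkout -- .
              STATUS=1
            fi
          }
          assert-nothing-changed go mod tidy
          exit "$STATUS"

      - name: golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: v2.11.0

      # Verify that license generation succeeds for all release platforms (GOOS/GOARCH).
      # This catches issues like new dependencies with unrecognized licenses before release time.
      #
      # actions/setup-go does not set up the installed toolchain to be preferred over the system install,
      # which causes go-licenses to raise "Package ... does not have module info" errors.
      # For more information, see https://github.com/google/go-licenses/issues/244#issuecomment-1885098633
      - name: Verify license generation
        run: |
          # Quoted so a GOROOT containing spaces or glob characters is not split.
          export GOROOT="$(go env GOROOT)"
          export PATH="${GOROOT}/bin:$PATH"
          make licenses-check

  # Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck.
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): tag-pinned like the actions in the lint job; consider
      # pinning to a full commit SHA for the same reason.
      - name: Check out code
        uses: actions/checkout@v6
        with:
          # The scan only reads the working tree; keep the token out of .git/config.
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'

      # `govulncheck` exits unsuccessfully if vulnerabilities are found, providing results in stdout.
      # See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
      #
      # On go1.25+, `-mode binary` only works if the binary is built with `go build -buildvcs=false`.
      # Since our builds do not use `-buildvcs=false`, we run in source mode here instead.
      #
      # govulncheck is pinned to a commit, so the scanner that runs is the one that was reviewed.
      - name: Check Go vulnerabilities
        run: |
          go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 ./...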