feat: Update CI workflow to install Gosec and Task, enhancing securit… #3
| name: CI | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main ] | |
| jobs: | |
| test: | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| go-version: ['1.21', '1.22'] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ matrix.go-version }} | |
| - name: Install Task (Linux/macOS) | |
| if: runner.os != 'Windows' | |
| run: | | |
| sh -c "$(curl --location https://taskfile.dev/install.sh)" -- -d -b /usr/local/bin | |
| - name: Install Task (Windows) | |
| if: runner.os == 'Windows' | |
| run: | | |
| Invoke-WebRequest -Uri "https://github.com/go-task/task/releases/latest/download/task_windows_amd64.zip" -OutFile "task.zip" | |
| Expand-Archive -Path "task.zip" -DestinationPath "." | |
| Move-Item "task.exe" "C:/Windows/System32/" | |
| - name: Cache Go modules | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.cache/go-build | |
| ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-${{ matrix.go-version }}- | |
| - name: Download dependencies | |
| run: go mod download | |
| - name: Run tests | |
| run: task test | |
| - name: Run linting | |
| if: matrix.os == 'ubuntu-latest' && matrix.go-version == '1.21' | |
| run: task lint | |
| - name: Build | |
| run: task build | |
| - name: Validate configuration | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| ./bin/codebase-interface validate-config | |
| ./bin/codebase-interface schema --output /tmp/test-schema.json | |
| - name: Test CLI functionality | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| ./bin/codebase-interface --help | |
| ./bin/codebase-interface version | |
| ./bin/codebase-interface init-config basic --force | |
| ./bin/codebase-interface validate-config | |
| security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.21' | |
| - name: Install Task | |
| run: | | |
| sh -c "$(curl --location https://taskfile.dev/install.sh)" -- -d -b /usr/local/bin | |
| - name: Install Gosec | |
| run: | | |
| go install github.com/securecodewarrior/gosec/v2/cmd/gosec@latest | |
| - name: Run Gosec Security Scanner | |
| run: | | |
| gosec -fmt sarif -out gosec.sarif ./... | |
| continue-on-error: true | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: gosec.sarif | |
| if: always() |
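Review bot: The "Install Gosec" step installs `github.com/securecodewarrior/gosec/v2/cmd/gosec@latest`, which does not look like the gosec module path — the scanner is published as `github.com/securego/gosec/v2/cmd/gosec` (please verify against the module proxy), and `@latest` should become a pinned tag such as `@vX.Y.Z` (placeholder) so the scanning toolchain is reproducible and cannot change silently under the security job. The same pinning gap applies to the three Task installs (the two `curl ... install.sh` steps and the Windows `Invoke-WebRequest` of `releases/latest`), which fetch and execute whatever the current release is with no version or checksum. The workflow declares no `permissions:` block, and `github/codeql-action/upload-sarif` requires `security-events: write`; add `permissions:` with `contents: read` and `security-events: write` at the workflow or security-job level so the upload does not fail on repositories whose default token is read-only. Finally, `continue-on-error: true` on the gosec step means findings never fail the security job; since `if: always()` on the upload step already keeps the SARIF upload reachable, the flag can be dropped so that gosec's non-zero exit on findings is surfaced.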