From a17424f0cc684ec456e095beee2cf8a8e8fa10e9 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sat, 7 Mar 2026 14:44:54 +0000
Subject: [PATCH] ci: add repo hygiene and verification workflow
---
.github/workflows/ci.yml | 93 ++++++++++++++++++++++++++++++++++++++++
.gitignore | 39 +++++++++++------
2 files changed, 120 insertions(+), 12 deletions(-)
create mode 100644 .github/workflows/ci.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..3116807
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,93 @@
+name: ci
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ci-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6.0.2
+
+ - name: Setup Go
+ uses: actions/setup-go@v6.3.0
+ with:
+ go-version-file: go.mod
+ cache: true
+
+ - name: Lint
+ uses: golangci/golangci-lint-action@v9.2.0
+ with:
+ version: v2.11.1
+
+ test:
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6.0.2
+
+ - name: Setup Go
+ uses: actions/setup-go@v6.3.0
+ with:
+ go-version-file: go.mod
+ cache: true
+
+ - name: Test with coverage
+ run: go test ./... -coverprofile=coverage.out
+
+ - name: Enforce coverage floor
+ run: |
+ total="$(go tool cover -func=coverage.out | awk '/^total:/ { sub(/%$/, "", $3); print $3 }')"
+ awk -v total="$total" 'BEGIN {
+ if (total == "") {
+ print "missing coverage total"
+ exit 1
+ }
+ if (total + 0 < 80.0) {
+ printf("coverage %.1f%% is below 80%%\n", total + 0)
+ exit 1
+ }
+ printf("coverage %.1f%%\n", total + 0)
+ }'
+
+ - name: Build
+ run: go build ./cmd/discrawl
+
+ secrets:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6.0.2
+ with:
+ fetch-depth: 0
+
+ - name: Setup Go
+ uses: actions/setup-go@v6.3.0
+ with:
+ go-version-file: go.mod
+ cache: true
+
+ - name: Install gitleaks
+ run: go install github.com/zricethezav/gitleaks/v8@v8.30.0
+
+ - name: Scan git history
+ run: |
+ "$(go env GOPATH)/bin/gitleaks" git --no-banner --redact
+
+ - name: Scan working tree
+ run: |
+ "$(go env GOPATH)/bin/gitleaks" dir . --no-banner --redact
diff --git a/.gitignore b/.gitignore
index aaadf73..c4c4520 100644
--- a/.gitignore
+++ b/.gitignore
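Review bot: Every `uses:` line in the lint, test and secrets jobs pins its action by version tag (`actions/checkout@v6.0.2`, `actions/setup-go@v6.3.0`, `golangci/golangci-lint-action@v9.2.0`), and a tag can be re-pointed upstream after this review, so the code that runs in CI is not fixed by this commit. Pinning each one to the full commit SHA with the tag kept as a trailing comment closes that gap, e.g. `uses: golangci/golangci-lint-action@<full-commit-sha> # v9.2.0` (the SHA here is a placeholder; resolve it from the release). The top-level `permissions:` block with `contents: read` already limits what a substituted action could do with the token; since no step pushes, the three Checkout steps could also set `persist-credentials: false` under `with:` so the token is not left in the checkout's git config for later steps.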
@@ -1,7 +1,4 @@
-# If you prefer the allow list template instead of the deny list, see community template:
-# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
-#
-# Binaries for programs and plugins
+# Go binaries and plugins
 *.exe
 *.exe~
 *.dll
@@ -11,22 +8,40 @@
 # Test binary, built with `go test -c`
 *.test

-# Code coverage profiles and other test artifacts
+# Coverage and test artifacts
 *.out
+coverage.out
 coverage.*
 *.coverprofile
 profile.cov

-# Dependency directories (remove the comment below to include it)
+# Dependency directories
 # vendor/

-# Go workspace file
+# Go workspace files
 go.work
 go.work.sum

-# env file
-.env
+# Local runtime data
+.discrawl/
+*.db
+*.db-*
+*.sqlite
+*.sqlite-*
+*.sqlite3
+*.sqlite3-*

-# Editor/IDE
-# .idea/
-# .vscode/
+# Secrets and local env
+.env
+.env.*
+.direnv/
+
+# Build outputs
+/discrawl
+bin/
+dist/
+
+# Editor / OS noise
+.DS_Store
+.idea/
+.vscode/