ci: add repo hygiene and verification workflow

2026-03-07 14:44:54 +00:00 · 2026-03-07 14:44:54 +00:00 · a17424f0cc
commit a17424f0cc
parent d2b5c7e668
2 changed files with 120 additions and 12 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,93 @@
+name: ci
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6.0.2
+
+      - name: Setup Go
+        uses: actions/setup-go@v6.3.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v9.2.0
+        with:
+          version: v2.11.1
+
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6.0.2
+
+      - name: Setup Go
+        uses: actions/setup-go@v6.3.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Test with coverage
+        run: go test ./... -coverprofile=coverage.out
+
+      - name: Enforce coverage floor
+        run: |
+          total="$(go tool cover -func=coverage.out | awk '/^total:/ { sub(/%$/, "", $3); print $3 }')"
+          awk -v total="$total" 'BEGIN {
+            if (total == "") {
+              print "missing coverage total"
+              exit 1
+            }
+            if (total + 0 < 80.0) {
+              printf("coverage %.1f%% is below 80%%\n", total + 0)
+              exit 1
+            }
+            printf("coverage %.1f%%\n", total + 0)
+          }'
+
+      - name: Build
+        run: go build ./cmd/discrawl
+
+  secrets:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v6.3.0
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Install gitleaks
+        run: go install github.com/zricethezav/gitleaks/v8@v8.30.0
+
+      - name: Scan git history
+        run: |
+          "$(go env GOPATH)/bin/gitleaks" git --no-banner --redact
+
+      - name: Scan working tree
+        run: |
+          "$(go env GOPATH)/bin/gitleaks" dir . --no-banner --redact
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,4 @@
-# If you prefer the allow list template instead of the deny list, see community template:
-# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
-#
-# Binaries for programs and plugins
+# Go binaries and plugins
 *.exe
 *.exe~
 *.dll
@ -11,22 +8,40 @@
 # Test binary, built with `go test -c`
 *.test

-# Code coverage profiles and other test artifacts
+# Coverage and test artifacts
 *.out
+coverage.out
 coverage.*
 *.coverprofile
 profile.cov

-# Dependency directories (remove the comment below to include it)
+# Dependency directories
 # vendor/

-# Go workspace file
+# Go workspace files
 go.work
 go.work.sum

-# env file
-.env
+# Local runtime data
+.discrawl/
+*.db
+*.db-*
+*.sqlite
+*.sqlite-*
+*.sqlite3
+*.sqlite3-*

-# Editor/IDE
-# .idea/
-# .vscode/
+# Secrets and local env
+.env
+.env.*
+.direnv/
+
+# Build outputs
+/discrawl
+bin/
+dist/
+
+# Editor / OS noise
+.DS_Store
+.idea/
+.vscode/