Skip to content
This repository was archived by the owner on Mar 15, 2026. It is now read-only.

chore: Update CI workflow to simplify shell settings and enhance erro… #11

chore: Update CI workflow to simplify shell settings and enhance erro…

chore: Update CI workflow to simplify shell settings and enhance erro… #11

Workflow file for this run

name: CI
on:
push:
branches: [master, main, develop]
paths-ignore:
- "**/*.md"
- ".github/renovate.json"
- "docs/**"
pull_request:
branches: [master, main, develop]
paths-ignore:
- "**/*.md"
- "docs/**"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
checks: write
security-events: write
pull-requests: read
defaults:
run:
shell: bash
env:
CGO_ENABLED: "0"
GOFLAGS: "-mod=readonly"
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version-file: "go.mod"
cache: true
- name: go vet
run: go vet ./...
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: latest
args: --timeout=5m
test:
name: Test
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version-file: "go.mod"
cache: true
- name: Download deps
run: go mod download
- name: Run unit tests (race+coverage)
run: |
set -euo pipefail
go test -v -race -covermode=atomic -coverprofile=coverage.out ./...
- name: Upload coverage artifact
uses: actions/upload-artifact@v4
with:
name: coverage
path: coverage.out
retention-days: 7
- name: Upload to Codecov
uses: codecov/codecov-action@v4
with:
files: ./coverage.out
fail_ci_if_error: false
build:
name: Build
runs-on: ubuntu-latest
needs: [test, lint]
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version-file: "go.mod"
cache: true
- name: Build binary
run: make build
- name: Verify artifact exists
run: test -f build/ssh-audit
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: ssh-audit
path: build/ssh-audit
retention-days: 7
docker:
name: Docker Build
runs-on: ubuntu-latest
needs: [test, lint]
timeout-minutes: 20
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build image (no push on PRs)
uses: docker/build-push-action@v6
with:
context: .
push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/') }}
platforms: linux/amd64
tags: |
ssh-audit:latest
ssh-audit:sha-${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max
security:
name: Security Scan
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Trivy FS scan (SARIF)
run: |
set -euo pipefail
docker run --rm -v "$GITHUB_WORKSPACE":/workspace -w /workspace \
aquasec/trivy:0.65.0 fs --quiet --format sarif -o trivy-results.sarif --severity HIGH,CRITICAL .
- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
- name: Gosec scan (SARIF)
uses: securego/gosec@v2
with:
args: "-fmt sarif -out gosec-results.sarif ./..."
- name: Upload Gosec results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: gosec-results.sarif