This repository was archived by the owner on Mar 15, 2026. It is now read-only.
chore: Update CI workflow to simplify shell settings and enhance erro… #11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [master, main, develop] | |
| paths-ignore: | |
| - "**/*.md" | |
| - ".github/renovate.json" | |
| - "docs/**" | |
| pull_request: | |
| branches: [master, main, develop] | |
| paths-ignore: | |
| - "**/*.md" | |
| - "docs/**" | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| checks: write | |
| security-events: write | |
| pull-requests: read | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| CGO_ENABLED: "0" | |
| GOFLAGS: "-mod=readonly" | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| jobs: | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "go.mod" | |
| cache: true | |
| - name: go vet | |
| run: go vet ./... | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@v6 | |
| with: | |
| version: latest | |
| args: --timeout=5m | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "go.mod" | |
| cache: true | |
| - name: Download deps | |
| run: go mod download | |
| - name: Run unit tests (race+coverage) | |
| run: | | |
| set -euo pipefail | |
| go test -v -race -covermode=atomic -coverprofile=coverage.out ./... | |
| - name: Upload coverage artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage | |
| path: coverage.out | |
| retention-days: 7 | |
| - name: Upload to Codecov | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| files: ./coverage.out | |
| fail_ci_if_error: false | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| needs: [test, lint] | |
| timeout-minutes: 15 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: "go.mod" | |
| cache: true | |
| - name: Build binary | |
| run: make build | |
| - name: Verify artifact exists | |
| run: test -f build/ssh-audit | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ssh-audit | |
| path: build/ssh-audit | |
| retention-days: 7 | |
| docker: | |
| name: Docker Build | |
| runs-on: ubuntu-latest | |
| needs: [test, lint] | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build image (no push on PRs) | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/') }} | |
| platforms: linux/amd64 | |
| tags: | | |
| ssh-audit:latest | |
| ssh-audit:sha-${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| security: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Trivy FS scan (SARIF) | |
| run: | | |
| set -euo pipefail | |
| docker run --rm -v "$GITHUB_WORKSPACE":/workspace -w /workspace \ | |
| aquasec/trivy:0.65.0 fs --quiet --format sarif -o trivy-results.sarif --severity HIGH,CRITICAL . | |
| - name: Upload Trivy results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - name: Gosec scan (SARIF) | |
| uses: securego/gosec@v2 | |
| with: | |
| args: "-fmt sarif -out gosec-results.sarif ./..." | |
| - name: Upload Gosec results | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: gosec-results.sarif |