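# CI for opencost-ai.
#
# Jobs are intentionally small and parallel so a failure points at one
# specific check (vet / test / staticcheck / govulncheck / image
# build). SHA-pinned actions per OpenSSF best practice; version
# comments are the human-readable tag.
#
# The image build job performs `docker build` only — no push — until a
# release workflow with cosign signing and SBOM generation lands. Do
# not add a registry login or push step here.
#
# Every checkout sets persist-credentials: false. No step in this file
# needs the GITHUB_TOKEN after checkout (nothing pushes, and the only
# modules fetched are public), and a token left in .git/config can be
# copied by any later step — in particular a `docker build` whose
# context is `.` and whose Dockerfile copies the tree. Re-enable per
# job if a private module is ever added.
name: ci

on:
  push:
    branches: [develop]
  pull_request:
    branches: [develop]

# Read-only token for every job; nothing in this workflow writes to the
# repository, the registry, or the Actions API.
permissions:
  contents: read

# Pinning here instead of per-step so Go bumps happen in one place.
# Current stable Go (1.26 at initial commit), matching go.mod. We track
# the latest 1.26 patch via a setup-go wildcard so govulncheck always
# scans against a stdlib that carries current security backports.
# Pinning a specific 1.26.N patch is strictly worse for security: the
# pin silently ages out as new CVEs land. setup-go resolves the
# wildcard against its own versioned manifest at run time, so the
# result is reproducible within the supported 1.26 line.
#
# The wildcard only tracks the newest patch when every setup-go step
# sets check-latest: true. With the default (false) setup-go prefers a
# toolchain already present in the runner image's tool cache that
# satisfies 1.26.x, which can lag the current patch — defeating the
# rationale above.
env:
  GO_VERSION: "1.26.x"

concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  vet:
    name: go vet
    runs-on: ubuntu-24.04
    # Bound runner time on a hung step (stalled module download, wedged
    # tool); GitHub's default job timeout is 360 minutes.
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
      - name: Verify modules
        # Download, then confirm the module cache still matches the
        # hashes recorded in go.sum before anything compiles.
        run: |
          go mod download
          go mod verify
      - name: go vet
        run: go vet ./...

  test:
    name: go test
    runs-on: ubuntu-24.04
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
      - name: go test
        # -count=1 disables the test cache so every run really executes;
        # -race is the only data-race detection this pipeline has.
        run: go test -race -count=1 ./...

  staticcheck:
    name: staticcheck
    runs-on: ubuntu-24.04
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
      # Installed at a pinned version; not committed to go.mod because
      # it is a CI-only lint tool, not an import of the module itself.
      # `go install pkg@version` still goes through the checksum
      # database, so the pinned version is integrity-checked.
      - name: Install staticcheck
        # staticcheck 2026.1 (v0.7.0) is the first release whose stdlib
        # object-format support reaches go 1.26; bump in lockstep with
        # GO_VERSION. Pinning is an explicit supply-chain control:
        # updates are reviewed, not silently adopted.
        run: go install honnef.co/go/tools/cmd/staticcheck@v0.7.0
      - name: Run staticcheck
        run: staticcheck ./...

  govulncheck:
    name: govulncheck
    runs-on: ubuntu-24.04
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@v1.2.0
      - name: Run govulncheck
        # Emit machine-readable findings to a file so any future
        # toolchain bump has the exact GO-YYYY-NNNN IDs and their fix
        # versions to cite, then print the human summary so the run
        # log still documents failures inline.
        #
        # Exit-code handling: govulncheck exits 0 whenever -format=json
        # is given, even when it reports vulnerabilities (only a tool
        # error is non-zero in that mode). The pass/fail signal must
        # therefore come from the text run, which exits 3 on findings.
        # A non-zero JSON run is a tool failure and fails the job
        # outright so a broken scan is never mistaken for a clean one.
        run: |
          set +e
          govulncheck -format=json ./... > govulncheck.json
          json_status=$?
          if [ "$json_status" -ne 0 ]; then
            echo "::error::govulncheck -format=json failed with status $json_status"
            exit "$json_status"
          fi
          echo "::group::govulncheck text summary"
          govulncheck ./...
          text_status=$?
          echo "::endgroup::"
          exit "$text_status"
      - name: Upload govulncheck report
        # always(): the report is most useful precisely when the step
        # above failed on findings.
        if: always()
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.3.1
        with:
          name: govulncheck-report
          path: govulncheck.json
          if-no-files-found: error
          retention-days: 14

  image:
    name: build distroless image (no push)
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
      - name: Build (no push)
        # On pull_request the Dockerfile comes from the PR head and runs
        # with build-time network access; the read-only token and the
        # absence of any push keep the blast radius to this runner.
        # github.sha is a fixed-format value, so interpolating it into
        # tags and build-args is not an expression-injection vector.
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          file: ./Dockerfile
          push: false
          load: false
          tags: |
            opencost-ai-gateway:ci-${{ github.sha }}
          build-args: |
            VERSION=ci-${{ github.sha }}
            REVISION=${{ github.sha }}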