From e5a83f5eaab0a0724334b291249fb776ffd4ff14 Mon Sep 17 00:00:00 2001 
From: liangshuo-1 Date: Mon, 30 Mar 2026 11:09:31 +0800 Subject: [PATCH] ci: improve CI workflows and add golangci-lint config (#71) * ci: improve CI workflows and add golangci-lint config - Add path filters to avoid unnecessary CI runs on non-Go changes - Use go-version-file instead of hardcoded Go version - Unify runners to ubuntu-latest - Consolidate staticcheck/vet into golangci-lint with curated linter set - Add go mod tidy check, govulncheck, and dependency license check - Enable race detector in coverage, increase test timeout to 5m - Add build verification step to tests workflow - Add .codecov.yml with patch coverage target (60%) - Add .golangci.yml (v2) with security and correctness linters Change-Id: I409beb21cc1f1568ff47739c0a00f6214c10a0dd * ci: replace Codecov upload with GitHub Job Summary coverage report - Remove Codecov action dependency and CODECOV_TOKEN usage - Generate coverage report using go tool cover and display in Job Summary - Rename job from 'codecov' to 'coverage' - Remove .codecov.yml from paths filter Change-Id: Ib65dab6c4d7117c3300a9ea31eb1550537c72f88 * ci: trigger lint workflow Change-Id: Ic1c492dd339f5460d2be2971ac65ea8f99e524eb * ci: replace golangci-lint action with go run to avoid action whitelist restriction Change-Id: I87274abf9780eb8b6350e98a27302ec5acc2a2e5 * ci: replace golangci-lint action with go run, keep incremental lint via --new-from-rev Change-Id: I3d4a13cfd7b6c02e4098b04b8533a7248185c077 * ci: add fetch-depth 0 to lint checkout for incremental lint to work Change-Id: I112279c5ec06dc0aa3aa7e01d564ea27fbd20533 * ci: disable errcheck linter due to high volume of existing violations Change-Id: Iec57e8fbe42699f687d931d9dde2f879f2ae5b02 * ci: align golangci-lint config with GitHub CLI, make govulncheck non-blocking - Add exptostd, gocheckcompilerdirectives, gochecksumtype, gomoddirectives linters - Move gosec, staticcheck, errname, errorlint, misspell to TODO for later enablement - Remove G104 exclusion (errcheck is 
disabled) - Make govulncheck continue-on-error until Go version is upgraded Change-Id: I330ece4f202229aee1e2f50790f6b22738704c05 * ci: fix go-licenses module path for v2 Change-Id: Ifd018ebe79cd18402171417b1b73313af2d23c6d --- .codecov.yml | 8 ++++ .github/workflows/coverage.yml | 40 ++++++++++++----- .github/workflows/lint.yml | 78 ++++++++++++++-------------------- .github/workflows/tests.yml | 23 +++++++--- .golangci.yml | 66 ++++++++++++++++++++++++++++ 5 files changed, 154 insertions(+), 61 deletions(-) create mode 100644 .codecov.yml create mode 100644 .golangci.yml diff --git a/.codecov.yml b/.codecov.yml new file mode 100644 index 00000000..2f0a040f --- /dev/null +++ b/.codecov.yml @@ -0,0 +1,8 @@ +coverage: + status: + project: + default: + informational: true + patch: + default: + target: 60% diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 5aba7b0d..351cf3d9 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -2,22 +2,32 @@ name: Coverage on: push: - branches: [ main ] + branches: [main] + paths: + - "**.go" + - go.mod + - go.sum + - .github/workflows/coverage.yml pull_request: - branches: [ main ] + branches: [main] + paths: + - "**.go" + - go.mod + - go.sum + - .github/workflows/coverage.yml permissions: contents: read jobs: - codecov: - runs-on: ubuntu-22.04 + coverage: + runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: - go-version: '1.23' + go-version-file: go.mod - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: 
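Review bot: `.codecov.yml` is created here, but the same patch deletes the `codecov/codecov-action` upload step from coverage.yml, so nothing visible in this change sends a report for Codecov to evaluate and the `target: 60%` patch gate is not enforced by any workflow. Either drop the file from the commit or, if a coverage floor is still wanted, enforce it in the new "Generate coverage report" step. If the file is kept for a later re-enable, a header comment such as `# unused while coverage is reported via the job summary` would say so.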
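Review bot: The new `paths` filter in coverage.yml omits `scripts/fetch_meta.py`, which this workflow executes before the tests (the step is in the next hunk), so a change to that script alone never triggers the job that runs it; add `- scripts/fetch_meta.py` to both `push.paths` and `pull_request.paths`. The same filter with the same gap is added in lint.yml and tests.yml. Two things to confirm outside this diff: a path-filtered workflow configured as a required status check does not report on pull requests it skips, and `runs-on: ubuntu-latest` lets the runner image change underneath the SHA-pinned actions. The job definition continues past the end of this hunk.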
@@ -27,10 +37,18 @@ jobs: run: python3 scripts/fetch_meta.py - name: Run tests with coverage - run: go test -coverprofile=coverage.txt -covermode=atomic ./... + run: go test -race -coverprofile=coverage.txt -covermode=atomic ./... - - name: Upload coverage to Codecov - uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 - with: - files: coverage.txt - token: ${{ secrets.CODECOV_TOKEN }} + - name: Generate coverage report + run: | + total=$(go tool cover -func=coverage.txt | grep total | awk '{print $3}') + echo "## Coverage Report" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "**Total coverage: ${total}**" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "
Details" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + go tool cover -func=coverage.txt >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + echo "
" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 2d0da6b6..cec20a8b 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,43 +2,36 @@ name: Lint on: push: - branches: [ main ] + branches: [main] + paths: + - "**.go" + - go.mod + - go.sum + - .golangci.yml + - .github/workflows/lint.yml pull_request: - branches: [ main ] + branches: [main] + paths: + - "**.go" + - go.mod + - go.sum + - .golangci.yml + - .github/workflows/lint.yml permissions: contents: read jobs: - staticcheck: - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 - with: - go-version: '1.23' - - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 - with: - python-version: '3.x' - - - name: Fetch meta_data.json - run: python3 scripts/fetch_meta.py - - - name: Run staticcheck - uses: dominikh/staticcheck-action@9716614d4101e79b4340dd97b10e54d68234e431 # v1 - with: - install-go: false - golangci-lint: - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + fetch-depth: 0 - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: - go-version: '1.23' + go-version-file: go.mod - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: 
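Review bot: In the "Generate coverage report" step, `grep total` matches every line of `go tool cover -func` output that contains the word, including functions or files with "total" in their name, so `total` can end up holding several values. Anchoring on the summary line avoids that: `total=$(go tool cover -func=coverage.txt | awk '/^total:/ {print $3}')`. The redirect target should also be quoted, `>> "$GITHUB_STEP_SUMMARY"`, on each of the echo lines.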
@@ -47,26 +40,21 @@ jobs: - name: Fetch meta_data.json run: python3 scripts/fetch_meta.py + - name: Ensure go.mod and go.sum are tidy + run: | + go mod tidy + if ! git diff --quiet go.mod go.sum; then + echo "::error::go.mod or go.sum is not tidy. Run 'go mod tidy' and commit the changes." + git diff go.mod go.sum + exit 1 + fi + - name: Run golangci-lint - uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6 - with: - version: latest + run: go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 run --new-from-rev=origin/main - vet: - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - name: Run govulncheck + continue-on-error: true # informational until Go version is upgraded + run: go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./... - - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 - with: - go-version: '1.23' - - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 - with: - python-version: '3.x' - - - name: Fetch meta_data.json - run: python3 scripts/fetch_meta.py - - - name: Run go vet - run: go vet ./... + - name: Check dependency licenses + run: go run github.com/google/go-licenses/v2@v2.0.1 check ./... --disallowed_types=forbidden,restricted,reciprocal,unknown diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 11136dcf..58351696 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
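Review bot: `continue-on-error: true` on the govulncheck step leaves the job green when a known-vulnerable dependency is reported, so a finding is visible only to someone who opens the step log. The inline comment gives the reason but no tracking reference. If the step has to stay non-blocking for now, record the exit criterion next to it, e.g. `# TODO(<tracking-issue>): make blocking once the go.mod Go version is upgraded`, and consider appending the output to `$GITHUB_STEP_SUMMARY` as the coverage job does. Separately, on a push to main `origin/main` should already point at the pushed commit, so `--new-from-rev=origin/main` probably reports nothing for that trigger and lint is effectively pull-request-only.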
@@ -2,22 +2,32 @@ name: Tests on: push: - branches: [ main ] + branches: [main] + paths: + - "**.go" + - go.mod + - go.sum + - .github/workflows/tests.yml pull_request: - branches: [ main ] + branches: [main] + paths: + - "**.go" + - go.mod + - go.sum + - .github/workflows/tests.yml permissions: contents: read jobs: unit-test: - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: - go-version: '1.23' + go-version-file: go.mod - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: @@ -27,4 +37,7 @@ jobs: run: python3 scripts/fetch_meta.py - name: Run tests - run: go test -v -race -count=1 -timeout=30s ./cmd/... ./internal/... ./shortcuts/... + run: go test -v -race -count=1 -timeout=5m ./cmd/... ./internal/... ./shortcuts/... + + - name: Build + run: go build -v ./... diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 00000000..4690fe93 --- /dev/null +++ b/.golangci.yml 
@@ -0,0 +1,66 @@
+version: "2"
+
+run:
+ timeout: 5m
+
+linters:
+ default: none
+ enable:
+ - asasalint # checks for pass []any as any in variadic func(...any)
+ - asciicheck # checks that code does not contain non-ASCII identifiers
+ - bidichk # checks for dangerous unicode character sequences
+ - bodyclose # checks whether HTTP response body is closed successfully
+ - copyloopvar # detects places where loop variables are copied
+ - durationcheck # checks for two durations multiplied together
+ - exptostd # detects functions from golang.org/x/exp/ replaceable by std
+ - fatcontext # detects nested contexts in loops
+ - gocheckcompilerdirectives # validates go compiler directive comments (//go:)
+ - gochecksumtype # checks exhaustiveness on Go "sum types"
+ - gocritic # diagnostics for bugs, performance and style
+ - gomoddirectives # checks for replace, retract, and exclude in go.mod
+ - goprintffuncname # checks that printf-like functions end with f
+ - govet # reports suspicious constructs
+ - ineffassign # detects ineffective assignments
+ - nilerr # finds code that returns nil even if error is not nil
+ - nolintlint # reports ill-formed nolint directives
+ - nosprintfhostport # checks for misuse of Sprintf to construct host:port
+ - reassign # checks that package variables are not reassigned
+ - unconvert # removes unnecessary type conversions
+ - unused # checks for unused constants, variables, functions and types
+
+ # To enable later after fixing existing issues:
+ # - errcheck # checks for unchecked errors
+ # - errname # checks that error types are named XxxError
+ # - errorlint # checks error wrapping best practices
+ # - gosec # security-oriented linter
+ # - misspell # finds commonly misspelled English words
+ # - staticcheck # comprehensive static analysis
+
+ exclusions:
+ paths:
+ - generated
+ rules:
+ - path: _test\.go$
+ linters:
+ - bodyclose
+ - gocritic
+
+ settings:
+ gocritic:
+ disabled-checks:
+ - appendAssign
+ - hugeParam
+ disabled-tags:
+ - style
+ govet:
+ enable:
+ - httpresponse
+
+formatters:
+ enable:
+ - gofmt
+ - goimports
+
+issues:
+ max-issues-per-linter: 0
+ max-same-issues: 0
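Review bot: `staticcheck` and `gosec` are left in the commented-out "enable later" list, while lint.yml in this same patch deletes the standalone staticcheck job, so after this change no workflow runs staticcheck and gosec is not run either. Because lint.yml invokes golangci-lint with `--new-from-rev=origin/main`, existing violations should not be reported anyway, so both could be moved into `enable` now (`- gosec # security-oriented linter`, `- staticcheck # comprehensive static analysis`) without a cleanup pass first. The same reasoning may apply to `errcheck`, depending on how noisy it is on new code.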