feat(ci): add comprehensive GitHub Actions workflows for CI/CD#1
Conversation
- CI workflow: build, test, coverage with race detector
- Lint workflow: golangci-lint, govet, staticcheck, actionlint
- Security workflow: govulncheck, gosec, CodeQL, dependency review
- Release workflow: GoReleaser integration for multi-platform builds
- Dependencies workflow: automated weekly dependency updates
- Add .goreleaser.yaml for release configuration
Fixes #0
Critical fixes:
- go.mod: update to Go 1.25.0 with proper module checksums (go mod tidy)
- golangci-lint: pin to v2.1.0 to support Go 1.25+ (not 'latest')
- actionlint: use 'shell: bash' and proper Go setup step
- gosec: remove invalid -exit-code=0 flag
- govulncheck: pin to v1.1.0 (not bare v1)
- ci.yml: replace 'go mod tidy + git diff' with 'go mod verify + go build'
Fixes #0
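The two commit messages above describe a security workflow (govulncheck, gosec, CodeQL, dependency review) and a fix for an invalid gosec flag and an unpinned govulncheck, but the PR's own security.yml is not shown on this page. The following is an added example of how that workflow can be written so every scanner is pinned and the dependency-review job only runs where it has a PR diff to inspect; it is not the PR's file. The cron schedule, the `main` branch name, the `fail-on-severity` threshold and the tool versions (`v1.1.4`, `v2.21.4`) are illustrative choices, not values taken from the repository.

```yaml
# .github/workflows/security.yml (added example, not the PR's file)
name: Security

on:
  push:
    branches: [main]            # assumed default branch
  pull_request:
  schedule:
    - cron: "0 6 * * 1"         # weekly scan, Monday 06:00 UTC (illustrative)
  workflow_dispatch:

permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod       # single source of truth for the toolchain
      # Pinned module version rather than @latest, so the scanner itself is
      # reproducible. v1.1.4 is an illustrative tag, not a recommendation.
      - name: Run govulncheck
        run: go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./...

  gosec:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write            # required to upload SARIF to Code Scanning
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # -no-fail is gosec's "report but do not fail" switch (the -exit-code=0
      # flag removed in the commit above does not exist). Drop -no-fail once the
      # baseline is clean so new findings break the build. Version is illustrative.
      - name: Run gosec
        run: go run github.com/securego/gosec/v2/cmd/gosec@v2.21.4 -no-fail -fmt sarif -out gosec.sarif ./...
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gosec.sarif

  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  dependency-review:
    # The action diffs the PR's dependency manifests against the base branch,
    # so it has nothing to compare on push, schedule or manual runs.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high          # illustrative threshold
```

Running the scanners through `go run module@version` keeps the pin in the workflow file itself, where a dependency-update bot can bump it, instead of depending on whichever release an action's floating major tag resolves to on a given day.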
📝 Walkthrough
Adds CI/CD infra: five GitHub Actions workflows (CI, lint, security, dependencies, release); a GoReleaser config for multi-platform releases; Go toolchain bumped to 1.25.0 with an indirect dependency change; and minor code/test edits to explicitly handle/discard returned errors.
Sequence Diagram(s)
sequenceDiagram
participant Dev as Developer
participant GH as GitHub Actions
participant Runner as Runner (ubuntu/macos/windows)
participant Artifact as Artifact Store (Actions artifacts / Releases)
participant Codecov as Codecov
participant GoReleaser as GoReleaser
Dev->>GH: push / pull_request / tag / schedule / dispatch
GH->>Runner: start job (ci / lint / security / deps / release)
Runner->>Codecov: upload coverage (test-coverage job)
Runner->>Artifact: upload artifacts / coverage
GH->>GoReleaser: run release job (on tag)
GoReleaser->>Artifact: publish GitHub Release artifacts
Artifact->>Dev: artifacts & release available
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks: ✅ 2 passed | ❌ 1 failed (1 warning)
- golangci-lint: upgrade action v6→v7 for golangci-lint v2 support
- govulncheck: fix action path golang/vuln-action@v1.1.0
- coverage: make codecov upload non-failing, add coverage summary step
- fix shellcheck issues in coverage summary step
Fixes #0
Actionable comments posted: 7
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 24-29: Remove the outdated Go 1.24 matrix lane: edit the CI
`strategy.matrix` so the `go-version` array no longer contains '1.24' and only
lists '1.25', and ensure the `include` entry that sets `race: true` references
the remaining '1.25' lane; update the `go-version` values in the matrix and any
`include` entries accordingly so the matrix and `go-version` entries are
consistent with the module's `go` directive.
- Around line 107-131: The macOS artifact is mislabeled as '-darwin-amd64' and
the Build step doesn't set GOARCH; update the matrix entry for macos-latest to
use '-darwin-arm64' (replace the include item that sets artifact_suffix) and
ensure the Build step sets GOARCH appropriately (e.g., export GOARCH=arm64 when
matrix.os == 'macos-latest' or derive GOARCH from runner architecture) before
running the go build command so the produced binary and matrix.artifact_suffix
(used by the go build -o fingerprintproxy${{ matrix.artifact_suffix }}) match
the actual architecture.
In @.github/workflows/release.yml:
- Around line 39-45: The release workflow fails because GoReleaser is configured
to sign artifacts but the workflow never supplies the required GPG environment
variables; update the release job that runs goreleaser/goreleaser-action@v7 to
export the GPG signing material (at minimum GPG_FINGERPRINT and any required
GPG_PRIVATE_KEY and GPG_PASSPHRASE) so GoReleaser can call gpg2 with {{
.Env.GPG_FINGERPRINT }}; add these env entries under the Run GoReleaser step (or
load them from repository/organization secrets) and ensure the action receives
the private key in a form the action expects (e.g., base64-encoded
GPG_PRIVATE_KEY) and any passphrase as GPG_PASSPHRASE.
- Around line 7-12: Remove the unused workflow_dispatch input named "version":
delete the "version" entry under workflow_dispatch inputs so the workflow only
exposes dispatching without a misleading version parameter; update any
references to workflow_dispatch in the file if present to confirm there's no
reliance on the "version" input and leave GoReleaser to derive the release from
the Git tag as intended.
In @.github/workflows/security.yml:
- Around line 71-86: The dependency-review job ("dependency-review") currently
runs regardless of event type but actions/dependency-review-action@v4 requires
pull request context; update the workflow trigger so this job only runs for
pull_request events (or add a job-level conditional like checking
github.event_name == 'pull_request') so that actions/dependency-review-action@v4
executes only on PR diffs and not on push/schedule/workflow_dispatch events.
In @.goreleaser.yaml:
- Around line 68-72: The release.github.name is currently using the full
GITHUB_REPOSITORY (owner/repo); change it to use only the repo name by
extracting the part after the slash. Update the value for release.github.name to
use a Go template that splits GITHUB_REPOSITORY and takes the last segment
(e.g., replace "{{ .Env.GITHUB_REPOSITORY }}" with a template that does split
"/" and last) so release.github.name contains only the repository name.
- Around line 31-57: The GoReleaser v2 config mixes incompatible fields: remove
checksum, signature, and fingerprint from the archives entry and instead define
a single top-level checksum section named checksum with proper fields (e.g.,
algorithm, ids) replacing checksums, and update the signs entry to use artifacts
(plural) not artifact and point it at checksum; ensure any fingerprint
references ({{ .Env.GPG_FINGERPRINT }}) are moved into the checksum and signs
entries as needed (e.g., fingerprint/ids in checksum and -u value in signs args)
and keep archives only with format/format_overrides/fingerprint removed.
⛔ Files ignored due to path filters (1)
- go.sum (excluded by !**/*.sum)
📒 Files selected for processing (7)
- .github/workflows/ci.yml
- .github/workflows/dependencies.yml
- .github/workflows/lint.yml
- .github/workflows/release.yml
- .github/workflows/security.yml
- .goreleaser.yaml
- go.mod
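The release.yml finding above says GoReleaser is configured to sign but the workflow never supplies GPG material, and the author later resolved this by disabling signing. The following is an added example of the other resolution: a release job that imports the private key from repository secrets, exports the fingerprint and passphrase, and a matching `signs` section that feeds the passphrase on stdin so `gpg --batch` never has to prompt. It is not the PR's file or GoReleaser's own example. The secret names `GPG_PRIVATE_KEY` and `GPG_PASSPHRASE` follow the names used in the review comment above; the tag pattern, the step id `gpg` and the use of `gpg` rather than `gpg2` as the command are assumptions.

```yaml
# .github/workflows/release.yml (added example, not the PR's file)
name: Release

on:
  push:
    tags: ["v*"]                       # assumed tag convention

permissions:
  contents: write                      # goreleaser creates the GitHub Release

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0               # full history and tags for version/changelog
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      # Import the ASCII-armored private key from a repository secret and
      # expose its fingerprint as a step output. gpg's --with-colons output
      # carries the fingerprint in field 10 of each "fpr" record.
      - name: Import GPG signing key
        id: gpg
        shell: bash
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import
          fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }')
          test -n "$fpr"               # fail loudly if nothing was imported
          echo "fingerprint=$fpr" >> "$GITHUB_OUTPUT"

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GPG_FINGERPRINT: ${{ steps.gpg.outputs.fingerprint }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
---
# .goreleaser.yaml excerpt that consumes the two variables above
checksum:
  algorithm: sha256

signs:
  - artifacts: checksum                # sign the checksums file, not each archive
    cmd: gpg
    stdin: "{{ .Env.GPG_PASSPHRASE }}" # passphrase via stdin, never on the command line
    args:
      - "--batch"
      - "--pinentry-mode"
      - "loopback"
      - "--passphrase-fd"
      - "0"
      - "-u"
      - "{{ .Env.GPG_FINGERPRINT }}"
      - "--output"
      - "${signature}"
      - "--detach-sign"
      - "${artifact}"
```

Because only the checksums file is signed, a consumer verifies in two steps: `gpg --verify <checksums>.sig <checksums>` to authenticate the list, then `sha256sum --ignore-missing -c <checksums>` to tie the downloaded archive to that list. The public key still has to be distributed out of band; the `-u` fingerprint only tells gpg which local key signs.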
archives:
  - id: default
    format: tar.gz
    format_overrides:
      - goos: windows
        format: zip
    checksum: true
    signature: true
    fingerprint: {{ .Env.GPG_FINGERPRINT }}

checksums:
  - algorithm: sha256
    signature: true
    fingerprint: {{ .Env.GPG_FINGERPRINT }}

signs:
  - artifact: checksum
    cmd: gpg2
    args:
      - "--batch"
      - "-u"
      - "{{ .Env.GPG_FINGERPRINT }}"
      - "--output"
      - "${signature}"
      - "--detach-sign"
      - "${artifact}"
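Review bot: the `signs` entry runs gpg with `--batch` and `-u {{ .Env.GPG_FINGERPRINT }}`, which only works if the workflow has already imported the private key into the runner's keyring and, for a passphrase-protected key, supplies the passphrase non-interactively (for example `--pinentry-mode loopback --passphrase-fd 0` with the passphrase on stdin); under `--batch` gpg cannot prompt, so a missing key or passphrase fails the release step outright rather than hanging. Also confirm that `gpg2` resolves as a command on the runner image, or use `gpg` as `cmd`.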
🧩 Analysis chain
🌐 Web query:
GoReleaser v2 archives checksum signature configuration schema
💡 Result:
GoReleaser v2 config schema (JSON Schema):
- Default (OSS): https://goreleaser.com/static/schema.json
- Pinned to a specific GoReleaser tag (example shown in docs): https://raw.githubusercontent.com/goreleaser/goreleaser/v2.15.2/www/docs/static/schema.json
- Or generate for the installed version: goreleaser jsonschema -o schema.json
Add to the config for editor validation:
# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
Relevant configuration sections:
archives (archives configuration): a list where you customize archive output (name/files/format, etc.).
checksum (checksums file). Key fields: name_template; algorithm (sha256/sha512/… including sha3-, blake2, blake3); split (one checksum file per artifact); ids (which artifacts to include); disable; extra_files / templated_extra_files (templated is Pro).
signs (signatures). Signing is configured with a signs: list; commonly you sign the checksum artifact:
signs:
  - artifacts: checksum
Per-sign entry fields: id; signature (output signature filename template; default ${artifact}.sig); cmd (default gpg); args (default includes --output ${signature} --detach-sign ${artifact}); artifacts (e.g. checksum, archive, all); ids (filter by artifact IDs); stdin / stdin_file; certificate (useful for keyless/cosign flows); env; output (show signer stdout/stderr; since v2.13).
Citations:
- 1: https://goreleaser.com/customization/
- 2: https://goreleaser.com/customization/
- 3: https://goreleaser.com/cmd/goreleaser_jsonschema/
- 4: https://goreleaser.com/customization/
- 5: https://goreleaser.com/customization/archive/
- 6: https://goreleaser.com/customization/checksum/
- 7: https://goreleaser.com/customization/sign/
- 8: https://goreleaser.com/customization/sign/
🌐 Web query:
GoReleaser v2 signs artifacts configuration reference
💡 Result:
GoReleaser v2: signs (signing artifacts), config reference
Configure in .goreleaser.yaml under signs:. The minimal (recommended) setup is signing the checksum file(s):
signs:
  - artifacts: checksum
[1]
All signs fields (v2):
- id (string, unique; default: default) [1]
- signature (string; default ${artifact}.sig; templates allowed) [1]
- cmd (string; default gpg) [1]
- args (list of strings; default ["--output", "${signature}", "--detach-sign", "${artifact}"]; templates allowed) [1]
- artifacts (what to sign; default none); valid values: none, all, checksum, source, package, installer (Pro), diskimage (Pro), archive, sbom, binary (only when archives.format: binary; otherwise use binary_signs) [1]
- ids (list of artifact IDs to include; no effect for checksum/source) [1]
- if (artifact filter expression; Pro; since v2.2; templates allowed) [1]
- stdin (string; templates allowed) [1]
- stdin_file (path) [1]
- certificate (string name; templates allowed; useful for keyless cosign flows) [1]
- env (list of KEY=value passed to the signing command; templates available) [1]
- output (bool; show signer stdout/stderr; templates allowed; since v2.13) [1]
Template variables available in templated fields: ${artifact}, ${artifactID}, ${certificate}, ${signature}. [1]
GoReleaser v2: binary_signs (sign binaries before archiving)
Since v2.2, use binary_signs to sign binaries directly (works regardless of archive format):
binary_signs:
  - {}
It supports similar fields (e.g., cmd, args, artifacts: binary, ids, env, output) and the same ${artifact}/${signature}-style variables. [2]
🌐 Web query:
GoReleaser v2 checksums singular vs plural configuration
💡 Result:
In GoReleaser v2, the configuration block is singular:
checksum:
  name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt"
  algorithm: sha256
  split: false
  ids: []
That's the only supported top-level key: checksums: (plural) is not a valid config section and will be treated as an unknown/unused field (e.g., goreleaser check should complain). The official docs and the v2 config schema both define it as checksum. [1], [2]
Sources:
[1] GoReleaser “Checksums” docs (shows checksum:) (goreleaser.com)
[2] GoReleaser v2 config model (Project.Checksum tagged yaml:"checksum,omitempty") (pkg.go.dev)
Citations:
- 1: https://goreleaser.com/customization/checksum/
- 2: https://pkg.go.dev/github.com/goreleaser/goreleaser/v2/pkg/config
Fix the GoReleaser v2 checksum and signing configuration schema.
The current configuration mixes incompatible fields: archives should not contain checksum, signature, or fingerprint fields; the top-level section must be singular checksum: (not checksums:); and the signs section must use artifacts: (not artifact:). These schema mismatches will cause config validation failures. Per GoReleaser v2 documentation:
- archives defines archive format and output, not checksums or signing
- checksum: (singular) is the valid top-level section, with fields like algorithm, ids, etc.
- signs: entries use artifacts: to specify what to sign (e.g., artifacts: checksum)
Suggested fix
archives:
- id: default
format: tar.gz
format_overrides:
- goos: windows
format: zip
- checksum: true
- signature: true
- fingerprint: {{ .Env.GPG_FINGERPRINT }}
-checksums:
- - algorithm: sha256
- signature: true
- fingerprint: {{ .Env.GPG_FINGERPRINT }}
+checksum:
+ algorithm: sha256
signs:
- - artifact: checksum
+ - artifacts: checksum
cmd: gpg2
args:
- "--batch"
- "-u"
- "{{ .Env.GPG_FINGERPRINT }}"
- "--output"
- "${signature}"
- "--detach-sign"
      - "${artifact}"
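Review bot: with `artifacts: checksum` in the suggested fix the detached signature covers only the checksums file, not each archive, so a downstream verifier has two steps the release notes should spell out: `gpg --verify <checksums>.sig <checksums>` to authenticate the list, then `sha256sum --ignore-missing -c <checksums>` against the downloaded archive. The signing key's public half (or at least its fingerprint) also needs to be published somewhere users can fetch it out of band; the fingerprint in `-u` only selects the local signing key, it does not distribute it.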
release:
  github:
    enabled: true
    owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
    name: "{{ .Env.GITHUB_REPOSITORY }}"
🧩 Analysis chain
🏁 Script executed: find . -name ".goreleaser.yaml" -o -name "goreleaser.yml" | head -5 (repository: tomkabel/fingerprintproxy; output length: 87)
🏁 Script executed: cat -n .goreleaser.yaml | sed -n '60,80p' (repository: tomkabel/fingerprintproxy; output length: 377)
🌐 Web query:
goreleaser release.github.name owner/repo format GITHUB_REPOSITORY environment variable
💡 Result:
In GoReleaser, release.github.name is just the repository name (e.g., repo), and the owner/org goes in release.github.owner (e.g., owner). It is not an owner/repo combined field. [1]
In GitHub Actions, GITHUB_REPOSITORY is in owner/repo format (example: octocat/Hello-World). [3]
So if you want to derive owner and name from GITHUB_REPOSITORY, split it:
release:
  github:
    owner: '{{ index (split .Env.GITHUB_REPOSITORY "/") 0 }}'
    name: '{{ index (split .Env.GITHUB_REPOSITORY "/") 1 }}'
GoReleaser templates can read environment variables via .Env and provide a split function for this. [2]
release.github.name should be the repository name only, not owner/repo.
The environment variable GITHUB_REPOSITORY is in owner/repo format (e.g., tomkabel/fingerprintproxy). GoReleaser's release.github.name field expects only the repository name. Passing the full value results in an incorrect release slug.
🛠️ Suggested fix
release:
github:
enabled: true
owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
- name: "{{ .Env.GITHUB_REPOSITORY }}"
+    name: "fingerprintproxy"
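Review bot: the suggested `name: "fingerprintproxy"` hard-codes the repository name, which breaks on forks and renames; the `{{ index (split .Env.GITHUB_REPOSITORY "/") 1 }}` template from the query result above derives `owner` and `name` from the same variable, and leaving both out lets GoReleaser read them from the origin remote, which is what the later "Simplify release config to just github.enabled: true" commit ends up doing.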
- golangci-lint: v2.1.0 → v2.11.4 (supports Go 1.25)
- govulncheck: use golang/govulncheck-action@v1 (correct repo)
Fixes #0
- main.go: add _ to fmt.Fprintln, ln.Close(), c.Close()
- main_test.go: fix unchecked resp.Body.Close() in two integration tests
- main_test.go: handle GetOrCreate return values in TestCacheLength
These changes satisfy errcheck linter requirements.
Fixes #0
CI workflow:
- Remove Go 1.24 from matrix (only test 1.25)
- Fix macOS artifact: darwin-amd64 → darwin-arm64
- Add GOARCH environment variable based on OS
Release workflow:
- Remove unused workflow_dispatch version input
- Disable signing in GoReleaser config (no GPG material)
Security workflow:
- Add if: github.event_name == 'pull_request' to dependency-review
GoReleaser config:
- Remove checksum/signature/fingerprint from archives (incompatible in v2)
- Remove signs section (no GPG configured)
- Simplify release config to just github.enabled: true
Fixes #0
- Add goarch to matrix include entries for each OS
- Replace shell case statement with matrix.goarch variable
- Use direct GOARCH=${{ matrix.goarch }} before go build
The shell case statement caused syntax errors on macOS and Windows runners.
Fixes #0
- Move GOARCH from inline bash syntax to YAML env block
- Prevents PowerShell syntax errors on Windows runners
- Works consistently across Linux, macOS, and Windows
Fixes #0
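The three commits above converge on one shape for the cross-platform build job: the architecture lives in a matrix `include` entry and is exported through a YAML `env:` block, so the same step runs under bash and PowerShell without any inline shell syntax. The following is an added example of that job, written for this page and not taken from the PR's ci.yml. The job name, artifact suffixes, build flags and the architecture check at the end are assumptions; the binary name `fingerprintproxy` and the `artifact_suffix` variable follow the review comment earlier on the page.

```yaml
# .github/workflows/ci.yml, build job (added example, not the PR's file)
jobs:
  build:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        include:
          - os: ubuntu-latest
            goarch: amd64
            artifact_suffix: -linux-amd64
          - os: macos-latest
            goarch: arm64              # macos-latest runners are Apple Silicon
            artifact_suffix: -darwin-arm64
          - os: windows-latest
            goarch: amd64
            artifact_suffix: -windows-amd64.exe
    runs-on: ${{ matrix.os }}
    env:
      GOARCH: ${{ matrix.goarch }}     # YAML env block: identical under bash and PowerShell
      CGO_ENABLED: "0"                 # static binary, no C toolchain needed on the runner
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod      # keeps the matrix and the go directive in sync

      - name: Build
        run: go build -trimpath -ldflags="-s -w" -o fingerprintproxy${{ matrix.artifact_suffix }} .

      # The mislabelled darwin-amd64 artifact in the original matrix would have
      # passed silently. `go version -m` prints the binary's build settings,
      # including GOARCH, so the job fails if the label and the binary disagree.
      - name: Verify binary architecture matches the matrix
        shell: bash
        run: |
          set -euo pipefail
          go version -m "fingerprintproxy${{ matrix.artifact_suffix }}" | grep -q "GOARCH=${GOARCH}"

      - uses: actions/upload-artifact@v4
        with:
          name: fingerprintproxy${{ matrix.artifact_suffix }}
          path: fingerprintproxy${{ matrix.artifact_suffix }}
```

The `shell: bash` on the verification step is deliberate: the build step is plain enough to run under the default shell on every OS, but the pipe and `${GOARCH}` expansion are POSIX syntax and would fail under PowerShell, which is exactly the class of error the commits above describe.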
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/lint.yml:
- Around line 101-105: The workflow uses unpinned tool installs for the "Install
staticcheck" (run: go install honnef.co/go/tools/cmd/staticcheck@latest) and the
related "Run staticcheck" step, so change the "Install staticcheck" step to
install a specific version (use an environment variable like STATICCHECK_VERSION
and replace `@latest` with that variable) and update any other similar tool
installation steps (e.g., actionlint installation) to use pinned version
variables; ensure the workflow defines these version environment variables at
the top or in the job and reference them in the run commands so builds are
reproducible and not tied to `@latest`.
- Around line 52-58: The workflow job that runs gofmt ("Check formatting") does
not install a specific Go version, causing nondeterministic checks; add the
actions/setup-go@v5 step (set to 1.25) before running gofmt in that job so the
runner uses the same Go 1.25 toolchain as the other lint jobs and ensures
consistent formatting results.
📒 Files selected for processing (7)
- .github/workflows/ci.yml
- .github/workflows/lint.yml
- .github/workflows/release.yml
- .github/workflows/security.yml
- .goreleaser.yaml
- main.go
- main_test.go
✅ Files skipped from review due to trivial changes (4)
- main.go
- .github/workflows/security.yml
- .github/workflows/release.yml
- .github/workflows/ci.yml
🚧 Files skipped from review as they are similar to previous changes (1)
- .goreleaser.yaml
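The two lint.yml findings above ask for tool installs pinned through version variables and for a `setup-go` step before the gofmt check so formatting results do not depend on whatever Go the runner image ships. The following is an added example of a lint workflow that does both; it is not the PR's file. The `GO_VERSION`, `STATICCHECK_VERSION` and `ACTIONLINT_VERSION` values are illustrative tags, and the job names and the `gofmt -l` failure logic are assumptions.

```yaml
# .github/workflows/lint.yml (added example, not the PR's file)
name: Lint

on: [push, pull_request]

permissions:
  contents: read

env:
  GO_VERSION: "1.25"
  STATICCHECK_VERSION: "2024.1.1"   # illustrative; bump deliberately, not via @latest
  ACTIONLINT_VERSION: "v1.7.7"      # illustrative

jobs:
  gofmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Without this step gofmt comes from whichever Go the image happens to
      # carry, and gofmt output can change between releases.
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Check formatting
        run: |
          set -euo pipefail
          unformatted=$(gofmt -l .)
          if [ -n "$unformatted" ]; then
            echo "files need gofmt:"
            echo "$unformatted"
            exit 1
          fi

  staticcheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install staticcheck
        run: go install honnef.co/go/tools/cmd/staticcheck@${{ env.STATICCHECK_VERSION }}
      - name: Run staticcheck
        run: staticcheck ./...

  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install actionlint
        run: go install github.com/rhysd/actionlint/cmd/actionlint@${{ env.ACTIONLINT_VERSION }}
      - name: Lint workflow files
        shell: bash
        run: actionlint
```

Keeping the versions in a top-level `env:` block gives a dependency-update bot a single place to edit and makes a lint failure attributable to a code change rather than to a tool that silently updated itself between runs.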
- Add STATICCHECK_VERSION and ACTIONLINT_VERSION env vars - Pin staticcheck and actionlint to specific versions - Add Set up Go step before running gofmt check - Ensure consistent, reproducible CI builds
Fixes #0