Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
version: 2
updates:
# Go module dependencies. Keeps cobra/pflag and their transitive deps
# patched; pairs with the govulncheck gate in ci.yml.
- package-ecosystem: gomod
directory: /
schedule:
interval: weekly
open-pull-requests-limit: 5

# GitHub Actions versions. When the actions are later SHA-pinned, this
# is what bumps the pinned SHAs (and annotates them with the version).
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
open-pull-requests-limit: 5
26 changes: 24 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ on:
pull_request:
branches: [main]

permissions:
contents: read

jobs:
# Cross-platform verification. The project cross-compiles cleanly to
# all three OSes via the release workflow, but "compiles" ≠ "runtime-
Expand All @@ -27,7 +30,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: '1.21'
go-version-file: go.mod

- name: Vet
run: go vet ./...
Expand All @@ -50,7 +53,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: '1.21'
go-version-file: go.mod

- name: Build
run: make build
Expand All @@ -61,3 +64,22 @@ jobs:
- name: Quality gates
run: ./gitcortex ci --fail-on-churn-risk 5500 --format github-actions
# Add --fail-on-busfactor 1 when team grows

# Vulnerability scan against the Go vulnerability database. govulncheck
# does reachability analysis, so it only fails when vulnerable code is
# actually reachable from this module — low false-positive, safe as a
# blocking gate. Covers both our deps and the stdlib we call.
vulncheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: actions/setup-go@v5
with:
go-version-file: go.mod

- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest

- name: Run govulncheck
run: govulncheck ./...
2 changes: 1 addition & 1 deletion .github/workflows/pages.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: '1.21'
go-version-file: go.mod

- name: Build gitcortex
run: make build
Expand Down
19 changes: 17 additions & 2 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,22 +18,37 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: '1.21'
go-version-file: go.mod

- name: Vet
run: go vet ./...

- name: Test
run: go test ./... -count=1

# CGO_ENABLED=0 -> fully static binaries (no libc dependency, run on
# any Linux). -s -w strips the symbol table and DWARF: ~25-30%
# smaller artifacts. Go panic stack traces survive (they use the
# embedded pclntab, not ELF/DWARF) — only interactive debuggers
# (delve/gdb) lose symbols, which we never run against a release.
- name: Build binaries
env:
CGO_ENABLED: 0
run: |
VERSION=${GITHUB_REF#refs/tags/}
LDFLAGS="-X main.version=$VERSION"
LDFLAGS="-s -w -X main.version=$VERSION"

GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "$LDFLAGS" -o dist/gitcortex-linux-amd64 ./cmd/gitcortex/
GOOS=linux GOARCH=arm64 go build -trimpath -ldflags "$LDFLAGS" -o dist/gitcortex-linux-arm64 ./cmd/gitcortex/
GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags "$LDFLAGS" -o dist/gitcortex-darwin-amd64 ./cmd/gitcortex/
GOOS=darwin GOARCH=arm64 go build -trimpath -ldflags "$LDFLAGS" -o dist/gitcortex-darwin-arm64 ./cmd/gitcortex/
GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "$LDFLAGS" -o dist/gitcortex-windows-amd64.exe ./cmd/gitcortex/

# Publish checksums so downloads can be verified:
# sha256sum -c SHA256SUMS
- name: Checksums
run: cd dist && sha256sum gitcortex-* > SHA256SUMS

- name: Create release
uses: softprops/action-gh-release@v2
with:
Expand Down
Loading