docs+ci: Staff-level README with Mermaid diagrams, golangci-lint v2, gosec/govulncheck/Trivy CI #3

Merged
Chetas-Patil merged 3 commits into main from devin/1777716500-staff-readme-and-ci
May 2, 2026

@devin-ai-integration devin-ai-integration Bot commented May 2, 2026

Summary

Promotes workflowx from a tutorial-style repo to a Staff-level portfolio piece without changing runtime behavior:

README — full rewrite around the architecture

  • Mermaid flowchart LR of the producer → engine → store/queue → workers topology
  • Mermaid sequenceDiagram of the task lifecycle (Submit → poll → run-steps → save)
  • Concepts (Task, Workflow, Engine, Store) with explicit interface listings
  • Operational sections: status & recovery, concurrency model, backpressure
  • Security considerations: Redis auth/TLS, opaque body PII risk, no built-in retries
  • Scalability table: vertical, horizontal, storage, polling, custom backends
  • Honest roadmap: retries, compensation/saga hooks, OTel, DLQ, Postgres backend

CI/CD — production-grade, all under .github/workflows

  • ci.yml: go vet, go test ./... -race -coverprofile, build, upload coverage artifact
  • security.yml: gosec (SARIF → Code Scanning), govulncheck, Trivy filesystem scan; runs on push, PR, and weekly cron
  • .golangci.yml v2 schema (errcheck, govet/all-except-fieldalignment, gocritic, revive, staticcheck, bodyclose, prealloc, nilerr, etc.)
  • Makefile targets: test, cover, lint, security, build, tidy

Code refactor (no behavior change)

  • Added package-level godoc on salvador
  • Added doc comments on every exported method on RedisStore, TaskStatus, status constants
  • gofmt normalized struct alignment in engine.go
  • gocritic paramTypeCombine cleanups
  • Replaced unused ctx/task parameters with _ in tests and example

Verified locally:

  • go test ./... -race -cover → pass, 56.9% coverage
  • golangci-lint run (v2.12.0) → 0 issues
  • gosec ./... → 0 issues

Review & Testing Checklist for Human

  • Verify all CI checks pass on this PR (ci, security)
  • Skim the new README and confirm the architecture description matches your mental model — flag anything I've overstated or misrepresented
  • Confirm you're OK with the doc-comment additions on exported types/methods (style is consistent with stdlib)
  • Check the security workflow uploads SARIF properly (requires security-events: write — already declared)
  • Decide if you want to enable fieldalignment later; it's currently disabled because reordering struct fields is a separate, behavior-adjacent change

Notes

  • Roadmap section calls out features the description previously implied (tracing, retries, compensation) but that aren't yet in the code. This is intentional — better to be honest than to overpromise on a portfolio repo.
  • README references badges for Chetas1/workflowx. If the canonical Go module path changes (currently github.com/workflowx/salvador), the pkg.go.dev badge should be updated accordingly.
  • I left WithLogger accepting the stdlib *log.Logger. A future PR could move to *slog.Logger for structured logging without breaking the public API (introduce WithSlogLogger and deprecate the old one).

Link to Devin session: https://app.devin.ai/sessions/475f16f7ca614b56a8f68426fb9485f9
Requested by: @Chetas1


…cle diagrams

ci: add test/lint/gosec/govulncheck/trivy workflows and golangci-lint v2 config

refactor: add package and exported godoc comments, normalize gofmt, address gocritic/revive findings (no behavior change)
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

devin-ai-integration[bot]

This comment was marked as resolved.

…ble for govulncheck

Addresses Devin Review feedback:
- securego/gosec, aquasecurity/trivy-action: pin to release tags instead of @master
- golangci-lint-action v6 (only supports v1.x) -> v9 (supports v2.x configs)
- govulncheck job: use go-version: stable to pick up stdlib CVE fixes (GO-2026-4601/4602/4870/4946/4947 are fixed in 1.25.8+)
- test/lint/build jobs: use go-version-file: go.mod for reproducible builds against declared min version
@Chetas-Patil Chetas-Patil merged commit e9cf41b into main May 2, 2026
9 checks passed
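
The follow-up commit above pins securego/gosec and aquasecurity/trivy-action to release tags instead of @master. The Go check below is an added example, not code from this PR or repository: it classifies every `uses:` reference in a workflow as a floating branch, a tag, or a full commit SHA. The sample workflow, the `example/pinned-action` name, its SHA and the list of floating branch names are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample workflow, not the repository's security.yml.
const sampleWorkflow = `steps:
  - uses: actions/checkout@v4
  - uses: securego/gosec@master
  - uses: aquasecurity/trivy-action@master # floating
  - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/local
`

// Finding is one remote `uses:` reference; Kind is "sha", "tag" or "branch".
type Finding struct {
	Line              int
	Action, Ref, Kind string
}
var usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^\s"'#@]+)@([^\s"'#]+)`)
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)
var floating = map[string]bool{"master": true, "main": true, "HEAD": true} // assumed list

// AuditWorkflow returns all remote action refs and the subset on floating branches.
func AuditWorkflow(yaml string) (all, unpinned []Finding) {
	for i, line := range strings.Split(yaml, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(m[1], "docker://") {
			continue // not a uses: line, a local action (no @ref), or a container image
		}
		f := Finding{Line: i + 1, Action: m[1], Ref: m[2], Kind: "tag"}
		if shaRe.MatchString(f.Ref) {
			f.Kind = "sha" // full commit SHA: immutable
		} else if floating[f.Ref] {
			f.Kind = "branch" // changes whenever upstream pushes
			unpinned = append(unpinned, f)
		}
		all = append(all, f)
	}
	return all, unpinned
}

func main() {
	_, bad := AuditWorkflow(sampleWorkflow)
	fmt.Printf("%d floating action refs: %+v\n", len(bad), bad)
}
```

A release tag can still be moved by the action's maintainer; only a reference the check reports as `sha` is immutable.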