From beb7c3309804dbe322016bd0d95d3f9a53761945 Mon Sep 17 00:00:00 2001
From: Jonathan Baldie
Date: Thu, 14 May 2026 11:37:49 +0100
Subject: [PATCH 1/2] ci: add GitHub Actions workflow to replace dead Travis CI badge

Closes #38.
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/ci.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/workflows/ci.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..cf66aa7
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,19 @@
+name: CI
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: go.mod
+ - run: go build ./...
+ - run: go vet ./...
+ - run: go test -race -timeout 240s ./...
From 98c220ce8a018e1da316439f63f34bbfb15df2b8 Mon Sep 17 00:00:00 2001
From: Jonathan Baldie
Date: Thu, 14 May 2026 11:52:51 +0100
Subject: [PATCH 2/2] ci: pin action versions to SHA and add permissions: contents: read

Unpinned version tags (v4, v5) can be silently updated to include malicious code; pinning to the commit SHA that the tag currently resolves to makes the workflow reproducible. Adds read-only contents permission to follow least-privilege practice for public repos.
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/ci.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cf66aa7..5fcc533 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,12 +6,15 @@ on:
 pull_request:
 branches: [master]
 
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version-file: go.mod
 - run: go build ./...
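Review bot: The two pinned `uses:` lines carry only a major-tag comment (`# v4`, `# v5`), so nothing on the page lets a reviewer confirm which release each 40-character SHA corresponds to, and a major tag moves over time. Record the exact release in the comment, e.g. `- uses: actions/checkout@<sha> # vX.Y.Z` (placeholder; take the value from the upstream release page), and verify that each SHA is a commit in the action's own repository rather than in a fork of it. A full-version comment also lets Dependabot or Renovate bump the SHA and the comment together, so the pins do not go stale. Separately, the checkout step keeps the job token in the local git config by default; none of the visible steps push, so adding `with:` / `persist-credentials: false` under the checkout step would be cheap hardening. The steps list continues past the end of the hunk.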