Refactor: upgrade deps, improve reliability, update docs and tooling #18
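# CI pipeline: test, lint and security run in parallel; build gates the
# Trivy scan; deploy runs only for pushes to main once build, security and
# scan have all succeeded.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least-privilege default for the GITHUB_TOKEN in every job. Nothing below
# writes to the repository; the deploy job re-declares the one extra
# permission (id-token) it needs for OIDC.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      - name: Download dependencies
        run: go mod download
      - name: Run tests
        run: go test -race -v ./...

  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v7
        with:
          version: v2.9.0

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      - name: Install gosec
        # TODO(review): `@latest` makes this job non-reproducible and picks up
        # whatever was most recently published; pin to a release tag.
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
      - name: Run gosec
        # Individual false positives are suppressed with inline #nosec comments.
        # Global exclusions for rules that produce widespread false positives:
        #   G115: integer overflow on safe int<->int64 casts
        #   G703: path traversal taint (CLI tools intentionally read user-supplied paths)
        #   G704: SSRF taint (HTTP clients call known GitHub/Slack APIs)
        #   G705: XSS taint (CLI tools print to stderr, not web responses)
        #   G706: log injection taint (structured slog logger, not raw string concat)
        run: gosec -exclude=G115,G703,G704,G705,G706 ./...

  build:
    runs-on: ubuntu-latest
    needs: [test, lint]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      - name: Build
        run: go build -v ./...

  scan:
    runs-on: ubuntu-latest
    needs: [build]
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        # TODO(review): `@master` is a mutable ref, so any upstream commit
        # (breaking or compromised) lands in this pipeline immediately; pin
        # to a release tag or a full commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          # Fail the job on findings instead of only reporting them.
          exit-code: '1'

  deploy:
    runs-on: ubuntu-latest
    needs: [build, security, scan]
    # Only deploy on push to main (not on PRs)
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    # Serialize deploys so two merges in quick succession cannot race each
    # other to Cloud Run; the in-flight deploy is allowed to finish rather
    # than being cancelled mid-rollout.
    concurrency:
      group: deploy-production
      cancel-in-progress: false
    environment:
      name: production
      url: ${{ steps.show-url.outputs.url }}
    permissions:
      contents: read
      id-token: write # Required for Workload Identity Federation
    env:
      PROJECT_ID: "github-copy-code-examples"
      SERVICE_NAME: "examples-copier"
      REGION: "us-central1"
    steps:
      - uses: actions/checkout@v4
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v2
      - name: Deploy to Cloud Run
        # Secrets reach the shell through `env` instead of being expanded with
        # `${{ }}` inside the script, so their values are never spliced into
        # the command text that Actions evaluates before bash runs it.
        env:
          # NOTE(review): GitHub rejects secret names that begin with
          # `GITHUB_`, so this reference is expected to expand to an empty
          # string — confirm the secret's actual name in the repository.
          APP_ID: ${{ secrets.GITHUB_APP_ID }}
          INSTALLATION_ID: ${{ secrets.INSTALLATION_ID }}
        # `--allow-unauthenticated` exposes the service without IAM; presumably
        # it receives GitHub webhooks, so request authenticity must be checked
        # by the application itself — confirm.
        run: |
          gcloud run deploy "$SERVICE_NAME" \
            --source . \
            --region "$REGION" \
            --project "$PROJECT_ID" \
            --allow-unauthenticated \
            --env-vars-file=env-cloudrun.yaml \
            --set-env-vars="GITHUB_APP_ID=${APP_ID},INSTALLATION_ID=${INSTALLATION_ID}" \
            --max-instances=10 \
            --cpu=1 \
            --memory=512Mi \
            --timeout=300s \
            --concurrency=80 \
            --port=8080 \
            --platform=managed
      - name: Show deployment URL
        id: show-url
        # Publishes the service URL as a step output so the `environment.url`
        # above can link to it from the run summary.
        run: |
          URL=$(gcloud run services describe "$SERVICE_NAME" \
            --region "$REGION" \
            --project "$PROJECT_ID" \
            --format='value(status.url)')
          echo "url=$URL" >> "$GITHUB_OUTPUT"
          echo "Deployed to: $URL"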