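# CI pipeline for the Go "gateway" service: tests with coverage, lint, a gosec
# static scan, a binary build, and (on pushes to main/develop only) a multi-arch
# image build pushed to GHCR followed by a Trivy scan of the pushed image.
name: CI

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]

# Least-privilege default for GITHUB_TOKEN in every job. A job-level
# `permissions` block replaces this one entirely, so jobs that need more
# (SARIF upload, package push) repeat `contents: read` themselves.
permissions:
  contents: read

env:
  # Quoted so YAML does not read it as the float 1.23.
  GO_VERSION: '1.23'
  REGISTRY: ghcr.io
  # NOTE(review): github.repository keeps the owner/repo casing, but ghcr.io only
  # accepts lowercase image paths. docker/metadata-action lowercases `images`
  # for the push; a step that uses IMAGE_NAME verbatim does not get that.
  IMAGE_NAME: ${{ github.repository }}

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      - name: Download dependencies
        run: go mod download

      # Checks that the module cache matches go.sum before anything is built.
      - name: Verify dependencies
        run: go mod verify

      - name: Run tests
        run: go test -v -race -coverprofile=coverage.out ./...

      # NOTE(review): no upload token is passed; confirm tokenless upload is
      # acceptable for this repository's visibility.
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v4
        with:
          file: ./coverage.out
          flags: unittests
          name: codecov-umbrella

      - name: Generate coverage report
        run: go tool cover -html=coverage.out -o coverage.html

      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        with:
          name: coverage-report
          path: coverage.html

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      # `version: latest` is not reproducible: a new linter release can start
      # failing an unchanged branch. Pin to a release when that becomes a problem.
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v4
        with:
          version: latest
          args: --timeout=5m

  security:
    name: Security Scan
    runs-on: ubuntu-latest
    # upload-sarif writes to the code-scanning API, which the default token is
    # not allowed to do once repository token permissions are restricted.
    # (Private repositories additionally need `actions: read` for this upload.)
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      # TODO(review): pin to a release tag or full commit SHA instead of the
      # mutable `master` branch so the scanner cannot change under the pipeline.
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          # -no-fail: findings land in the Security tab and never block CI.
          args: '-no-fail -fmt sarif -out results.sarif ./...'

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [test, lint]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      - name: Build binary
        run: |
          CGO_ENABLED=1 go build -v -o bin/gateway ./cmd/gateway

      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: gateway-binary
          path: bin/gateway

  docker:
    name: Build and Push Docker Image
    runs-on: ubuntu-latest
    needs: [test, lint, security]
    # Images are published only from branch pushes, never from pull requests.
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop')
    permissions:
      contents: read
      packages: write
      # Required by the Trivy upload-sarif step at the end of this job.
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # Under the current triggers only the branch, `<branch>-<short sha>`
          # and (on main) `latest` entries ever match; the pr and semver entries
          # are inert until tag pushes or PR runs are enabled for this job.
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix={{branch}}-
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

      # `id` exposes the pushed manifest digest to the scan step below.
      - name: Build and push Docker image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64

      # Runs after the push and sets no `exit-code`, so findings are reported
      # but never block or retract the image.
      # TODO(review): pin to a release tag or full commit SHA rather than `master`.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          # Scan exactly what was pushed, by digest. The metadata tags are
          # `<branch>-<short sha>`, so a `:<full github.sha>` tag never exists
          # in the registry and the previous reference could not be pulled.
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'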