Skip to content

Honor ignore files and exclude tests from scans #14

Honor ignore files and exclude tests from scans

Honor ignore files and exclude tests from scans #14

Workflow file for this run

name: go-ci
on:
push:
branches: [main]
pull_request:
branches: [main]
# No paths filter: if branch protection marks this required, skipped
# workflows leave PRs waiting for a status that never reports.
permissions:
contents: read
jobs:
go:
name: vet / test / staticcheck / gosec / govulncheck
runs-on: ubuntu-latest
env:
CGO_ENABLED: "1"
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: '1.26.2'
cache: true
- name: go vet
run: go vet ./...
- name: go test (race)
run: go test ./... -race -count=1
- name: staticcheck
run: |
go install honnef.co/go/tools/cmd/staticcheck@latest
"$(go env GOPATH)/bin/staticcheck" ./...
- name: gosec
run: |
go install github.com/securego/gosec/v2/cmd/gosec@latest
# Reviewed local-tool false positives:
# G204 — scanner invokes only local git plumbing with fixed subcommands.
# G304 — scanner intentionally reads user-selected local source/config paths.
# G401/G505 — SHA-1 is used only for Git-compatible blob/config identity, not cryptography.
"$(go env GOPATH)/bin/gosec" -quiet -exclude=G204,G304,G401,G505 ./...
- name: govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
"$(go env GOPATH)/bin/govulncheck" ./...