Honor ignore files and exclude tests from scans #14
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: go-ci | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| # No paths filter: if branch protection marks this required, skipped | |
| # workflows leave PRs waiting for a status that never reports. | |
| permissions: | |
| contents: read | |
| jobs: | |
| go: | |
| name: vet / test / staticcheck / gosec / govulncheck | |
| runs-on: ubuntu-latest | |
| env: | |
| CGO_ENABLED: "1" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Setup Go | |
| uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version: '1.26.2' | |
| cache: true | |
| - name: go vet | |
| run: go vet ./... | |
| - name: go test (race) | |
| run: go test ./... -race -count=1 | |
| - name: staticcheck | |
| run: | | |
| go install honnef.co/go/tools/cmd/staticcheck@latest | |
| "$(go env GOPATH)/bin/staticcheck" ./... | |
| - name: gosec | |
| run: | | |
| go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| # Reviewed local-tool false positives: | |
| # G204 — scanner invokes only local git plumbing with fixed subcommands. | |
| # G304 — scanner intentionally reads user-selected local source/config paths. | |
| # G401/G505 — SHA-1 is used only for Git-compatible blob/config identity, not cryptography. | |
| "$(go env GOPATH)/bin/gosec" -quiet -exclude=G204,G304,G401,G505 ./... | |
| - name: govulncheck | |
| run: | | |
| go install golang.org/x/vuln/cmd/govulncheck@latest | |
| "$(go env GOPATH)/bin/govulncheck" ./... |