From 9d5e8e4577362c96e0dfe8e9f813d3a995c5806c Mon Sep 17 00:00:00 2001
From: Valentin Maerten
Date: Sun, 7 Dec 2025 12:57:27 +0100
Subject: [PATCH 1/6] ci(github): consolidate test and lint into single workflow
---
.github/workflows/ci.yml | 91 ++++++++++++++++++++++++++++++++++++++
.github/workflows/lint.yml | 46 -------------------
.github/workflows/test.yml | 33 --------------
3 files changed, 91 insertions(+), 79 deletions(-)
create mode 100644 .github/workflows/ci.yml
delete mode 100644 .github/workflows/lint.yml
delete mode 100644 .github/workflows/test.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000000..2c327caf26
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,91 @@
+name: CI
+
+on:
+ pull_request:
+ push:
+ tags:
+ - v*
+ branches:
+ - main
+
+concurrency:
+ group: ci-${{ github.head_ref || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ test:
+ name: Test (${{ matrix.go-version }}, ${{ matrix.platform }})
+ strategy:
+ fail-fast: false
+ matrix:
+ go-version: [1.24.x, 1.25.x]
+ platform: [ubuntu-latest, macos-latest, windows-latest]
+ runs-on: ${{ matrix.platform }}
+ steps:
+ - uses: actions/setup-go@v6
+ with:
+ go-version: ${{ matrix.go-version }}
+
+ - uses: actions/checkout@v6
+
+ - name: Download Go modules
+ run: go mod download
+ env:
+ GOPROXY: https://proxy.golang.org
+
+ - name: Build
+ run: go build -o ./bin/task -v ./cmd/task
+
+ - name: Test
+ run: ./bin/task test --output=group --output-group-begin='::group::{{.TASK}}' --output-group-end='::endgroup::'
+
+ lint:
+ name: Lint (${{ matrix.go-version }})
+ strategy:
+ fail-fast: false
+ matrix:
+ go-version: [1.24.x, 1.25.x]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-go@v6
+ with:
+ go-version: ${{ matrix.go-version }}
+
+ - uses: actions/checkout@v6
+
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@v9
+ with:
+ version: v2.7.1
+
+ lint-jsonschema:
+ name: Lint JSON Schema
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/setup-python@v6
+ with:
+ python-version: 3.14
+
+ - uses: actions/checkout@v6
+
+ - name: install check-jsonschema
+ run: python -m pip install 'check-jsonschema==0.27.3'
+
+ - name: check-jsonschema (metaschema)
+ run: check-jsonschema --check-metaschema website/src/public/schema.json
+
+ ci-status:
+ name: CI
+ runs-on: ubuntu-latest
+ needs: [test, lint, lint-jsonschema]
+ if: always()
+ steps:
+ - name: Check CI status
+ run: |
+ if [[ "${{ needs.test.result }}" != "success" ]] || \
+ [[ "${{ needs.lint.result }}" != "success" ]] || \
+ [[ "${{ needs.lint-jsonschema.result }}" != "success" ]]; then
+ echo "CI failed"
+ exit 1
+ fi
+ echo "CI passed"
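Review bot: `cancel-in-progress: true` in the `concurrency` block applies to pushes to `main` as well as to pull requests, because the group key falls back to `github.ref` when `github.head_ref` is empty. A second push to `main` would then cancel the run for the previous commit, and since `ci-status` treats any result other than `success` as a failure, that commit ends up with a red required check instead of a verdict. Limiting cancellation to PR runs, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, keeps every commit on `main` (and, after PATCH 6/6, its govulncheck scan) fully evaluated. Separately, this new file drops the `permissions: contents: read` block and the SHA-pinned `uses:` references that both deleted workflows carried; PATCH 5/6 restores them, so this only matters if the commits land unsquashed.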
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
deleted file mode 100644
index 5513905c7d..0000000000
--- a/.github/workflows/lint.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-name: Lint
-
-on:
- pull_request:
- push:
- tags:
- - v*
- branches:
- - main
-
-permissions:
- contents: read
-
-jobs:
- lint:
- name: Lint
- strategy:
- matrix:
- go-version: [1.25.10, 1.26.x]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
- with:
- go-version: ${{matrix.go-version}}
-
- - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-
- - name: golangci-lint
- uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9.3.0
- with:
- version: v2.12.2
-
- lint-jsonschema:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
- with:
- python-version: 3.14
-
- - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
-
- - name: install check-jsonschema
- run: python -m pip install 'check-jsonschema==0.27.3'
-
- - name: check-jsonschema (metaschema)
- run: check-jsonschema --check-metaschema website/src/public/schema.json
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
deleted file mode 100644
index ceaab866d5..0000000000
--- a/.github/workflows/test.yml
+++ /dev/null
@@ -1,33 +0,0 @@ -name: Test - -on: - pull_request: - push: - tags: - - v* - branches: - - main - -permissions: - contents: read - -jobs: - test: - name: Test - strategy: - fail-fast: false - matrix: - go-version: [1.25.10, 1.26.x] - platform: [ubuntu-latest, macos-latest, windows-latest] - runs-on: ${{matrix.platform}} - steps: - - name: Check out code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - - name: Set up Go ${{matrix.go-version}} - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 - with: - go-version: ${{matrix.go-version}} - - - name: Test - run: go run ./cmd/task test From e8d6795432415b68c57e4355e7a98bfa737f3494 Mon Sep 17 00:00:00 2001 From: Valentin Maerten Date: Sun, 7 Dec 2025 16:12:57 +0100 Subject: [PATCH 2/6] ci(github): improve workflow structure and add build job --- .github/workflows/ci.yml | 77 +++++++++++++++++++++++++--------------- 1 file changed, 49 insertions(+), 28 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2c327caf26..30e5b3bcfe 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,8 +13,27 @@ concurrency: cancel-in-progress: true jobs: + build: + name: ๐Ÿ”จ Build (${{ matrix.go-version }}) + strategy: + fail-fast: false + matrix: + go-version: [1.24.x, 1.25.x] + runs-on: ubuntu-latest + steps: + - name: ๐Ÿ“ฅ Checkout + uses: actions/checkout@v6 + + - name: โฌ‡๏ธ Setup Go + uses: actions/setup-go@v6 + with: + go-version: ${{ matrix.go-version }} + + - name: ๐Ÿ”จ Build + run: go build -v ./cmd/task + test: - name: Test (${{ matrix.go-version }}, ${{ matrix.platform }}) + name: ๐Ÿงช Test (${{ matrix.go-version }}, ${{ matrix.platform }}) strategy: fail-fast: false matrix: 
@@ -22,67 +41,69 @@ jobs: platform: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.platform }} steps: - - uses: actions/setup-go@v6 + - name: ๐Ÿ“ฅ Checkout + uses: actions/checkout@v6 + + - name: โฌ‡๏ธ Setup Go + uses: actions/setup-go@v6 with: go-version: ${{ matrix.go-version }} - - uses: actions/checkout@v6 - - - name: Download Go modules - run: go mod download - env: - GOPROXY: https://proxy.golang.org - - - name: Build - run: go build -o ./bin/task -v ./cmd/task + - name: โฌ‡๏ธ Setup Task + uses: go-task/setup-task@v1 - - name: Test - run: ./bin/task test --output=group --output-group-begin='::group::{{.TASK}}' --output-group-end='::endgroup::' + - name: ๐Ÿงช Test + run: task test lint: - name: Lint (${{ matrix.go-version }}) + name: ๐Ÿ” Lint (${{ matrix.go-version }}) strategy: fail-fast: false matrix: go-version: [1.24.x, 1.25.x] runs-on: ubuntu-latest steps: - - uses: actions/setup-go@v6 + - name: ๐Ÿ“ฅ Checkout + uses: actions/checkout@v6 + + - name: โฌ‡๏ธ Setup Go + uses: actions/setup-go@v6 with: go-version: ${{ matrix.go-version }} - - uses: actions/checkout@v6 - - - name: golangci-lint + - name: ๐Ÿ” Lint uses: golangci/golangci-lint-action@v9 with: version: v2.7.1 lint-jsonschema: - name: Lint JSON Schema + name: ๐Ÿ“‹ Lint JSON Schema runs-on: ubuntu-latest steps: - - uses: actions/setup-python@v6 + - name: ๐Ÿ“ฅ Checkout + uses: actions/checkout@v6 + + - name: โฌ‡๏ธ Setup Python + uses: actions/setup-python@v6 with: python-version: 3.14 - - uses: actions/checkout@v6 - - - name: install check-jsonschema + - name: โฌ‡๏ธ Install check-jsonschema run: python -m pip install 'check-jsonschema==0.27.3' - - name: check-jsonschema (metaschema) + - name: ๐Ÿ“‹ Validate JSON Schema run: check-jsonschema --check-metaschema website/src/public/schema.json ci-status: - name: CI + name: โœ… CI runs-on: ubuntu-latest - needs: [test, lint, lint-jsonschema] + needs: [build, test, lint, lint-jsonschema] if: always() steps: - - name: Check CI status 
+ - name: โœ… Check CI status run: | - if [[ "${{ needs.test.result }}" != "success" ]] || \ + if [[ "${{ needs.build.result }}" != "success" ]] || \ + [[ "${{ needs.test.result }}" != "success" ]] || \ [[ "${{ needs.lint.result }}" != "success" ]] || \ [[ "${{ needs.lint-jsonschema.result }}" != "success" ]]; then echo "CI failed" From 13a35982de44aa0ae2f32aa16eac8655e485a792 Mon Sep 17 00:00:00 2001 From: Valentin Maerten Date: Sun, 7 Dec 2025 22:46:05 +0100 Subject: [PATCH 3/6] ci(github): merge build step into test job --- .github/workflows/ci.yml | 30 +++++------------------------- 1 file changed, 5 insertions(+), 25 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 30e5b3bcfe..345c0c0b90 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,25 +13,6 @@ concurrency: cancel-in-progress: true jobs: - build: - name: ๐Ÿ”จ Build (${{ matrix.go-version }}) - strategy: - fail-fast: false - matrix: - go-version: [1.24.x, 1.25.x] - runs-on: ubuntu-latest - steps: - - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 - - - name: โฌ‡๏ธ Setup Go - uses: actions/setup-go@v6 - with: - go-version: ${{ matrix.go-version }} - - - name: ๐Ÿ”จ Build - run: go build -v ./cmd/task - test: name: ๐Ÿงช Test (${{ matrix.go-version }}, ${{ matrix.platform }}) strategy: @@ -49,11 +30,11 @@ jobs: with: go-version: ${{ matrix.go-version }} - - name: โฌ‡๏ธ Setup Task - uses: go-task/setup-task@v1 + - name: ๐Ÿ”จ Build + run: go build -v -o ./bin/task ./cmd/task - name: ๐Ÿงช Test - run: task test + run: ./bin/task test lint: name: ๐Ÿ” Lint (${{ matrix.go-version }}) 
@@ -97,13 +78,12 @@ jobs: ci-status: name: โœ… CI runs-on: ubuntu-latest - needs: [build, test, lint, lint-jsonschema] + needs: [test, lint, lint-jsonschema] if: always() steps: - name: โœ… Check CI status run: | - if [[ "${{ needs.build.result }}" != "success" ]] || \ - [[ "${{ needs.test.result }}" != "success" ]] || \ + if [[ "${{ needs.test.result }}" != "success" ]] || \ [[ "${{ needs.lint.result }}" != "success" ]] || \ [[ "${{ needs.lint-jsonschema.result }}" != "success" ]]; then echo "CI failed" From f4a062453c0fdbfd2bd8871bb9a94d18e1d68882 Mon Sep 17 00:00:00 2001 From: Valentin Maerten Date: Wed, 10 Dec 2025 21:51:37 +0100 Subject: [PATCH 4/6] ci(github): use setup-task with output grouping for tests Restore the --output group options for better GitHub Actions log grouping, while keeping the separate build job for compilation check. --- .github/workflows/ci.yml | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 345c0c0b90..7b5609a46f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,25 @@ concurrency: cancel-in-progress: true jobs: + build: + name: ๐Ÿ”จ Build (${{ matrix.go-version }}) + strategy: + fail-fast: false + matrix: + go-version: [1.24.x, 1.25.x] + runs-on: ubuntu-latest + steps: + - name: ๐Ÿ“ฅ Checkout + uses: actions/checkout@v6 + + - name: โฌ‡๏ธ Setup Go + uses: actions/setup-go@v6 + with: + go-version: ${{ matrix.go-version }} + + - name: ๐Ÿ”จ Build + run: go build -v ./cmd/task + test: name: ๐Ÿงช Test (${{ matrix.go-version }}, ${{ matrix.platform }}) strategy: 
@@ -30,11 +49,11 @@ jobs: with: go-version: ${{ matrix.go-version }} - - name: ๐Ÿ”จ Build - run: go build -v -o ./bin/task ./cmd/task + - name: โฌ‡๏ธ Setup Task + uses: go-task/setup-task@v1 - name: ๐Ÿงช Test - run: ./bin/task test + run: task test --output group --output-group-begin '::group::{{.TASK}}' --output-group-end '::endgroup::' lint: name: ๐Ÿ” Lint (${{ matrix.go-version }}) @@ -78,12 +97,13 @@ jobs: ci-status: name: โœ… CI runs-on: ubuntu-latest - needs: [test, lint, lint-jsonschema] + needs: [build, test, lint, lint-jsonschema] if: always() steps: - name: โœ… Check CI status run: | - if [[ "${{ needs.test.result }}" != "success" ]] || \ + if [[ "${{ needs.build.result }}" != "success" ]] || \ + [[ "${{ needs.test.result }}" != "success" ]] || \ [[ "${{ needs.lint.result }}" != "success" ]] || \ [[ "${{ needs.lint-jsonschema.result }}" != "success" ]]; then echo "CI failed" From d1c1e079e9a71555aeca6a2a3256d6e84900442e Mon Sep 17 00:00:00 2001 From: Valentin Maerten Date: Wed, 1 Jul 2026 21:58:44 +0200 Subject: [PATCH 5/6] ci(github): carry over action pinning and version bumps from main Preserve security hardening and version updates that main applied to the now-removed lint.yml/test.yml: pin actions by commit SHA, bump Go matrix to 1.25.10/1.26.x, golangci-lint to v2.12.2, and add read-only permissions. --- .github/workflows/ci.yml | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7b5609a46f..7735527454 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
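Review bot: `uses: go-task/setup-task@v1` in the `test` job is referenced by a mutable major tag and no Task version is requested, so the binary that drives `task test` on all three platforms can change without any change to this repository. PATCH 5/6 pins the other actions to commit SHAs, but its hunks stop at the `Setup Go` step and leave this one as is. Pin it the same way, `uses: go-task/setup-task@<full-commit-sha> # v1.x.y` (placeholder; take the SHA from the release you have reviewed), and consider fixing the Task release through the action's version input if it offers one. The tests are also now driven by a released Task rather than the one built from the checkout, which the replaced `./bin/task test` step used, so a Taskfile relying on a feature added in the same PR would fail here.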
@@ -12,20 +12,23 @@ concurrency: group: ci-${{ github.head_ref || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build: name: ๐Ÿ”จ Build (${{ matrix.go-version }}) strategy: fail-fast: false matrix: - go-version: [1.24.x, 1.25.x] + go-version: [1.25.10, 1.26.x] runs-on: ubuntu-latest steps: - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: โฌ‡๏ธ Setup Go - uses: actions/setup-go@v6 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: ${{ matrix.go-version }} @@ -37,15 +40,15 @@ jobs: strategy: fail-fast: false matrix: - go-version: [1.24.x, 1.25.x] + go-version: [1.25.10, 1.26.x] platform: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.platform }} steps: - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: โฌ‡๏ธ Setup Go - uses: actions/setup-go@v6 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: ${{ matrix.go-version }} 
@@ -60,31 +63,31 @@ jobs: strategy: fail-fast: false matrix: - go-version: [1.24.x, 1.25.x] + go-version: [1.25.10, 1.26.x] runs-on: ubuntu-latest steps: - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: โฌ‡๏ธ Setup Go - uses: actions/setup-go@v6 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: ${{ matrix.go-version }} - name: ๐Ÿ” Lint - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9.3.0 with: - version: v2.7.1 + version: v2.12.2 lint-jsonschema: name: ๐Ÿ“‹ Lint JSON Schema runs-on: ubuntu-latest steps: - name: ๐Ÿ“ฅ Checkout - uses: actions/checkout@v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: โฌ‡๏ธ Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: 3.14 From 1ce604da1c688de3b14880a6547d4a26e201f012 Mon Sep 17 00:00:00 2001 From: Valentin Maerten Date: Thu, 2 Jul 2026 11:04:00 +0200 Subject: [PATCH 6/6] ci(github): fold govulncheck into the CI workflow Move the govulncheck job from security.yml into ci.yml and add it to the ci-status gate so it shares the CI concurrency group and is covered by the single required check. Drop the now-redundant security.yml. --- .github/workflows/ci.yml | 11 +++++++++-- .github/workflows/security.yml | 19 ------------------- 2 files changed, 9 insertions(+), 21 deletions(-) delete mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7735527454..632a6384a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -97,10 +97,16 @@ jobs: - name: ๐Ÿ“‹ Validate JSON Schema run: check-jsonschema --check-metaschema website/src/public/schema.json + govulncheck: + name: ๐Ÿ›ก๏ธ Vulnerabilities + runs-on: ubuntu-latest + steps: + - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 + ci-status: name: โœ… CI runs-on: ubuntu-latest - needs: [build, test, lint, lint-jsonschema] + needs: [build, test, lint, lint-jsonschema, govulncheck] if: always() steps: - name: โœ… Check CI status @@ -108,7 +114,8 @@ jobs: if [[ "${{ needs.build.result }}" != "success" ]] || \ [[ "${{ needs.test.result }}" != "success" ]] || \ [[ "${{ needs.lint.result }}" != "success" ]] || \ - [[ "${{ needs.lint-jsonschema.result }}" != "success" ]]; then + [[ "${{ needs.lint-jsonschema.result }}" != "success" ]] || \ + [[ "${{ needs.govulncheck.result }}" != "success" ]]; then echo "CI failed" exit 1 fi diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml deleted file mode 100644 index af8d9b8924..0000000000 --- a/.github/workflows/security.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Security - -on: - pull_request: - push: - tags: - - v* - branches: - - main - -permissions: - contents: read - -jobs: - govulncheck: - name: govulncheck - runs-on: ubuntu-latest - steps: - - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
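Review bot: The `govulncheck` job passes no `with:` inputs, so the Go toolchain used for the scan is whatever the action selects by default, not one of the versions in the build matrix (`[1.25.10, 1.26.x]`). govulncheck's standard-library findings depend on the toolchain it runs with, so a scan on a newer default toolchain can stay green while the `1.25.10` leg is built with an affected standard library. If the action's `go-version-file` input is available at this pin, adding `with:` / `go-version-file: go.mod` would tie the scan to the version the module declares; alternatively run the job over the same matrix. The step is also the only one in the file without a `name:`, and it presumably relies on the action's own checkout, not the SHA-pinned `actions/checkout` the other jobs use.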