Skip to content

ci: add GitHub Actions CI workflow (#5)#6

Merged
millerjp merged 1 commit into
mainfrom
feature/ci-workflow
Apr 20, 2026
Merged

ci: add GitHub Actions CI workflow (#5)#6
millerjp merged 1 commit into
mainfrom
feature/ci-workflow

Conversation

@millerjp

Copy link
Copy Markdown

Summary

Adds .github/workflows/ci.yml — the first CI workflow for this repo.

Jobs:

  • lint (ubuntu) — fmt-check, vet, lint, tidy-check
  • test (ubuntu, macos, windows) — make test + make test-bdd (no-op until feat: add Swap and Clear methods #13)
  • coverage (ubuntu, needs test) — runs make coverage, uploads coverage.out/coverage.html, writes total coverage to the job summary
  • security (ubuntu, needs test) — govulncheck against the repo
  • build-matrix — cross-compile for linux/amd64, linux/arm64, darwin/amd64, darwin/arm64, windows/amd64

Closes #5.

Supply-chain and permission posture

  • Workflow-level permissions: contents: read. No job escalates.
  • concurrency: ci-<workflow>-<ref> with cancel-in-progress: true.
  • First-party actions/* pinned to major tags (@v4, @v5).
  • No third-party actions. golangci-lint pinned to v2.11.4, goimports to v0.44.0, govulncheck to v1.2.0 via go install module versions.
  • No release behaviour: no git tag, no goreleaser release, no registry push, no content writes. Release automation lives in a separate workflow (plan item chore: add .gitignore, Makefile, and .golangci.yml (#3) #4).

Local validation

  • actionlint .github/workflows/ci.yml — 0 issues (actionlint v1.7.12)
  • make check on feature/ci-workflow HEAD — PASS (fmt-check / vet / lint / test / tidy-check / security)

Out of scope

Test plan

  • All five jobs show up on this PR and go green
  • test matrix shows three distinct runs (ubuntu/macos/windows)
  • build-matrix shows five distinct runs
  • coverage artefact is downloadable from the run
  • Total coverage line appears in the job summary
  • No job takes a write permission or pushes anything to the repo

Note: the earlier merged PRs (#2, #4) predate this workflow, so this is the first run. Future PRs will gate on CI per the plan.

Run the quality gate on every PR and push to main, plus a coverage
report, govulncheck, and a five-OS/arch cross-compile matrix. The
workflow is read-only: no tags, no publishes, no registry writes —
release automation lives in a separate workflow (#4).

Pins: actions/checkout@v4, actions/setup-go@v5, and upload-artifact@v4
are first-party major tags. golangci-lint, goimports, and govulncheck
pinned via go-install module versions so CI is reproducible.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci: add GitHub Actions CI workflow

1 participant