go-openapi/ci-workflows

ci-workflows


Common Continuous Integration (CI) workflows and setup for go-openapi repos.

  • shared github action workflows
  • shared dependabot configuration (BLOCKED)
  • shared golangci-lint configuration (BLOCKED)

Status

Development is active. We are regularly adding more shared workflows to standardize CI across go-openapi repos.

NOTE: at this moment, it is difficult to share the configurations for dependabot and golangci-lint, so these are not shared yet.

Basic usage

You reuse a workflow like so:

name: go test

permissions:
  pull-requests: read
  contents: read

on:
  push:
    branches:
      - master

  pull_request:

jobs:
  test:
    uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@master
    secrets: inherit

It is recommended to pin the workflow to a commit SHA rather than the master git ref, and to let dependabot keep the pin up to date. Like so:

    uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@b28a8b978a5ee5b7f4241ffafd6cc6163edb5dfd # v0.1.0
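
One way to check a caller workflow for unpinned references, as an added example that is not part of this repository's code. The sample workflow is constructed from the snippets in this README, the function names are hypothetical, and `docker://` references are not handled.

```python
import re

# `uses:` key of a job (reusable workflow) or a step (action); trailing comments are ignored.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample, modelled on the snippets in this README.
SAMPLE = """\
jobs:
  test:
    uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@master
  pinned:
    uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@b28a8b978a5ee5b7f4241ffafd6cc6163edb5dfd # v0.1.0
  scan:
    uses: go-openapi/ci-workflows/.github/workflows/scanner.yml@v0.1.0
  codeql:
    uses: ./.github/workflows/codeql.yml
"""


def audit_uses(workflow_text):
    """Classify every `uses:` reference as 'pinned', 'mutable' or 'local'."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        target, _, ref = match.group(1).partition("@")
        if target.startswith("./"):
            status = "local"      # resolved from the caller's own commit
        elif FULL_SHA_RE.fullmatch(ref):
            status = "pinned"     # full 40-hex commit SHA
        else:
            status = "mutable"    # branch, tag, short SHA or missing ref
        findings.append((line_no, target, ref, status))
    return findings


def mutable_refs(workflow_text):
    """Return (line_no, target, ref) for references that can move under the caller."""
    return [(n, t, r) for n, t, r, s in audit_uses(workflow_text) if s == "mutable"]


if __name__ == "__main__":
    for line_no, target, ref in mutable_refs(SAMPLE):
        print(f"line {line_no}: {target}@{ref} is not pinned to a commit SHA")
```

A tag such as `v0.1.0` is reported as mutable because a tag can be moved to another commit, which is why the pinned form above keeps the version only as a trailing comment.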

Permissions

Make sure your job permissions match the requirements of the called shared workflow.

Example:

name: "CodeQL"

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
    paths-ignore: # remove this clause if CodeQL is a required check
      - '**/*.md'
  schedule:
    - cron: '39 19 * * 5'

permissions:
  contents: read

jobs:
  codeql:
    permissions:  # <- grant permissions at the job level that match the requirements of the called workflow
      contents: read
      security-events: write
    uses: ./.github/workflows/codeql.yml
    secrets: inherit

Available workflows [v0.1.0]

Dependencies automation

  • auto-merge.yml:
    • auto-merge dependabot updates, with dependency group rules
    • auto-merge go-openapi bot updates

Test automation

  • go-test.yml: go unit tests (TODO: support for mono-repos)
    • includes:
      • fuzz-test.yml: orchestrates fuzz testing with a cached corpus
      • collect-coverage.yml: (common) collect & publish test coverage (to codecov)
      • collect-reports.yml: (common) collect & publish test reports (to codecov and github)

Security

  • codeql.yml: CodeQL workflow for go and github actions
  • scanner.yml: trivy & govulncheck scans

Release automation

  • bump-release.yml: manually triggered workflow to cut a release
  • tag-release.yml: cut a release on push tag
  • release.yml: (common) release & release notes build

Documentation quality

  • contributors.yml: updates CONTRIBUTORS.md

Motivation

It took a while (well something like 10 years...), but we eventually managed to align all checks, tests and dependabot rules declared in the family of go-openapi repos.

Now we'd like to be able to maintain, enrich and improve these checks without worrying too much about the burden of replicating the stuff about a dozen times.

Change log

See https://github.com/go-openapi/ci-workflows/releases

Licensing

This content ships under the SPDX-License-Identifier: Apache-2.0.

Other documentation

Cutting a new release

Maintainers can cut a new release by either:

  • running this workflow
  • or pushing a semver tag
    • signed tags are preferred
    • The tag message is prepended to release notes

Contemplated enhancements

Most urgent:

  • mono-repo test
  • mono-repo release

In no particular order:

  • ui: enrich github actions UI with a job summary
  • introduce config file specific checkout (markdownlint, spellcheck)
  • security: separate PR / issue comments as a trusted bot workflow, acting on request artifacts
  • version common workflows, so we can limit the impact of a change
  • build: verify that go.sum cache for tests works (should be enabled)
  • share mono repo workflows (see github.com/go-openapi/swag/.github/workflows)
  • lint: manage somehow to share golangci config (with local merge)
  • dependencies: manage somehow to share / replicate dependabot config
  • lint: golangci-lint: check valid PR comments etc
  • lint: use non-blocking, scheduled, proactive full linting to check for the impact of new linters, new go versions etc
  • doc: (possibility) take over hugo & doc gen part from go-swagger
  • (possibility) take over release part from go-swagger
  • doc: produce hugo github page with all latest tagged versions (incl. mono repo)
  • add bot to filter PRs, issues
  • check with github API that all repo settings (branch protection rules, etc) are identical
  • comment PRs and issues
  • doc: check out the vale style-check guide (vale-action exists)
  • doc: experiment with LanguageTool for grammar checks ( -> a github action / docker image exists)
  • doc: experiment LLM from github model, using embeddings ( ->
  • issues: experiment LLM from github model, using embeddings ( -> show related issues)
  • github pages w/ hugo (like go-swagger, experiment another theme and json data)

To be reworked:

  • doc: add markdown linting for docs
  • doc: add spellcheck for docs (and code?)
