mirror of
https://github.com/gin-gonic/gin.git
synced 2025-10-13 03:22:12 +08:00
cb000f570c
- Add a GitHub Actions job for vulnerability scanning using Trivy - Configure Trivy to scan the repository for vulnerabilities of severity critical, high, and medium - Ensure the workflow fails if vulnerabilities are found Signed-off-by: appleboy <appleboy.tw@gmail.com>
100 lines
2.3 KiB
YAML
100 lines
2.3 KiB
YAML
name: Run Tests
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
go-version: "^1"
|
|
- name: Setup golangci-lint
|
|
uses: golangci/golangci-lint-action@v8
|
|
with:
|
|
version: v2.1.6
|
|
args: --verbose
|
|
test:
|
|
needs: lint
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
go: ["1.23", "1.24", "1.25"]
|
|
test-tags:
|
|
[
|
|
"",
|
|
"-tags nomsgpack",
|
|
'--ldflags="-checklinkname=0" -tags sonic',
|
|
"-tags go_json",
|
|
"-race",
|
|
]
|
|
include:
|
|
- os: ubuntu-latest
|
|
go-build: ~/.cache/go-build
|
|
- os: macos-latest
|
|
go-build: ~/Library/Caches/go-build
|
|
name: ${{ matrix.os }} @ Go ${{ matrix.go }} ${{ matrix.test-tags }}
|
|
runs-on: ${{ matrix.os }}
|
|
env:
|
|
GO111MODULE: on
|
|
TESTTAGS: ${{ matrix.test-tags }}
|
|
GOPROXY: https://proxy.golang.org
|
|
steps:
|
|
- name: Set up Go ${{ matrix.go }}
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
go-version: ${{ matrix.go }}
|
|
cache: false
|
|
|
|
- name: Checkout Code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: ${{ github.ref }}
|
|
|
|
- uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
${{ matrix.go-build }}
|
|
~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- name: Run Tests
|
|
run: make test
|
|
|
|
- name: Upload coverage to Codecov
|
|
uses: codecov/codecov-action@v4
|
|
with:
|
|
flags: ${{ matrix.os }},go-${{ matrix.go }},${{ matrix.test-tags }}
|
|
|
|
vulnerability-scanning:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Run Trivy vulnerability scanner in repo mode
|
|
uses: aquasecurity/trivy-action@0.33.1
|
|
with:
|
|
scan-type: 'fs'
|
|
ignore-unfixed: true
|
|
format: 'table'
|
|
exit-code: '1'
|
|
severity: 'CRITICAL,HIGH,MEDIUM'
|