.github/workflows: update and harden GitHub Actions workflows

FiloSottile · FiloSottile · commit 7196d32fe474 · 2025-12-07T20:59:19.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -16,19 +16,20 @@ jobs:
           - {GOOS: linux, GOARCH: amd64}
           - {GOOS: linux, GOARCH: arm, GOARM: 6}
           - {GOOS: linux, GOARCH: arm64}
-          - {GOOS: darwin, GOARCH: amd64}
           - {GOOS: darwin, GOARCH: arm64}
           - {GOOS: windows, GOARCH: amd64}
           - {GOOS: freebsd, GOARCH: amd64}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install Go
         uses: actions/setup-go@v5
         with:
           go-version: 1.x
+          cache: false
       - name: Build binary
         run: |
           cp LICENSE "$RUNNER_TEMP/LICENSE"
diff --git a/.github/workflows/ronn.yml b/.github/workflows/ronn.yml
@@ -13,23 +13,24 @@ jobs:
     name: Ronn
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install ronn
-        run: sudo apt-get update && sudo apt-get install -y ronn
-      - name: Run ronn
-        run: bash -O globstar -c 'ronn **/*.ronn'
-      - name: Undo email mangling
-        # rdiscount randomizes the output for no good reason, which causes
-        # changes to always get committed. Sigh.
-        # https://github.com/davidfstr/rdiscount/blob/6b1471ec3/ext/generate.c#L781-L795
-        run: |-
-          for f in doc/*.html; do
-            awk '/Filippo Valsorda/ { $0 = "<p>Filippo Valsorda <a href=\"mailto:age@filippo.io\" data-bare-link=\"true\">age@filippo.io</a></p>" } { print }' "$f" > "$f.tmp"
-            mv "$f.tmp" "$f"
-          done
-      - name: Upload generated files
-        uses: actions/upload-artifact@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - uses: geomys/sandboxed-step@v1.2.1
+        with:
+          persist-workspace-changes: true
+          run: |
+            sudo apt-get update && sudo apt-get install -y ronn
+            bash -O globstar -c 'ronn **/*.ronn'
+            # rdiscount randomizes the output for no good reason, which causes
+            # changes to always get committed. Sigh.
+            # https://github.com/davidfstr/rdiscount/blob/6b1471ec3/ext/generate.c#L781-L795
+            run: |-
+              for f in doc/*.html; do
+                awk '/Filippo Valsorda/ { $0 = "<p>Filippo Valsorda <a href=\"mailto:age@filippo.io\" data-bare-link=\"true\">age@filippo.io</a></p>" } { print }' "$f" > "$f.tmp"
+                mv "$f.tmp" "$f"
+              done
+      - uses: actions/upload-artifact@v4
         with:
           name: man-pages
           path: |
@@ -42,10 +43,10 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Download generated files
-        uses: actions/download-artifact@v4
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@v4
         with:
           name: man-pages
           path: doc/
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,55 +1,79 @@
 name: Go tests
-on: [push, pull_request]
+on:
+  push:
+  pull_request:
+  schedule: # daily at 09:42 UTC
+    - cron: '42 9 * * *'
+  workflow_dispatch:
 permissions:
   contents: read
 jobs:
   test:
-    name: Test
     strategy:
       fail-fast: false
       matrix:
-        go: [1.19.x, 1.x]
-        os: [ubuntu-latest, macos-latest, windows-latest]
+        go:
+          - { go-version: stable }
+          - { go-version: oldstable }
+          - { go-version-file: go.mod }
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
     runs-on: ${{ matrix.os }}
     steps:
-      - name: Install Go ${{ matrix.go }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ matrix.go }}
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Run tests
-        run: go test -race ./...
-  gotip:
-    name: Test (Go tip)
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version: ${{ matrix.go.go-version }}
+          go-version-file: ${{ matrix.go.go-version-file }}
+      - run: |
+          go test -race ./...
+  test-latest:
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-    runs-on: ${{ matrix.os }}
+        go:
+          - { go-version: stable }
+          - { go-version: oldstable }
+          - { go-version-file: go.mod }
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version: ${{ matrix.go.go-version }}
+          go-version-file: ${{ matrix.go.go-version-file }}
+      - uses: geomys/sandboxed-step@v1.2.1
+        with:
+          run: |
+            go get -u -t ./...
+            go test -race ./...
+  staticcheck:
+    runs-on: ubuntu-latest
     steps:
-      - name: Install bootstrap Go
-        uses: actions/setup-go@v5
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
         with:
           go-version: stable
-      - name: Install Go tip (UNIX)
-        if: runner.os != 'Windows'
-        run: |
-          git clone --filter=tree:0 https://go.googlesource.com/go $HOME/gotip
-          cd $HOME/gotip/src && ./make.bash
-          echo "$HOME/gotip/bin" >> $GITHUB_PATH
-      - name: Install Go tip (Windows)
-        if: runner.os == 'Windows'
-        run: |
-          git clone --filter=tree:0 https://go.googlesource.com/go $HOME/gotip
-          cd $HOME/gotip/src && ./make.bat
-          echo "$HOME/gotip/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - run: go version
-      - name: Run tests
-        run: go test -race ./...
+      - uses: geomys/sandboxed-step@v1.2.1
+        with:
+          run: go run honnef.co/go/tools/cmd/staticcheck@latest ./...
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v6
+        with:
+          go-version: stable
+      - uses: geomys/sandboxed-step@v1.2.1
+        with:
+          run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
