sync(ci): update GitHub Actions workflows and env configs (#12)

Author: mrz1836

.github/actions/parse-env/action.yml

@@ -36,12 +36,11 @@ runs:
     # --------------------------------------------------------------------
     - name: 🔧 Parse environment variables
       shell: bash
+      env:
+        ENV_JSON: ${{ inputs.env-json }}
       run: |
         echo "📋 Setting environment variables..."
 
-        # Get the input JSON
-        ENV_JSON='${{ inputs.env-json }}'
-
         # Validate JSON format before processing
         if ! echo "$ENV_JSON" | jq empty 2>/dev/null; then
           echo "❌ ERROR: Invalid JSON format in env-json input!" >&2

.github/actions/setup-go-with-cache/action.yml

@@ -47,6 +47,10 @@ inputs:
     description: "Enable multi-module mode - uses pattern **/go.sum to hash all go.sum files for cache keys, skips root go.sum validation"
     required: false
     default: "false"
+  github-token:
+    description: "GitHub token for private module authentication (only used when GOPRIVATE is set in environment)"
+    required: false
+    default: ""
 
 outputs:
   go-version-actual:
@@ -443,6 +447,29 @@ runs:
         go-version: ${{ inputs.go-version }}
         cache: false # we handle caches ourselves
 
+    # --------------------------------------------------------------------
+    # Configure git authentication for private Go modules (conditional)
+    # Only runs when GOPRIVATE is set AND a github-token is provided
+    # --------------------------------------------------------------------
+    - name: 🔐 Configure private module authentication
+      if: ${{ inputs.github-token != '' && env.GOPRIVATE != '' }}
+      shell: bash
+      env:
+        PRIVATE_MODULE_TOKEN: ${{ inputs.github-token }}
+      run: |
+        echo "🔐 Configuring git authentication for private Go modules..."
+        echo "📋 GOPRIVATE=$GOPRIVATE"
+
+        # Configure git to use the token for HTTPS URLs
+        git config --global url."https://x-access-token:${PRIVATE_MODULE_TOKEN}@github.com/".insteadOf "https://github.com/"
+
+        # Set GONOSUMDB to match GOPRIVATE if not explicitly set
+        if [ -z "$GONOSUMDB" ]; then
+          echo "GONOSUMDB=$GOPRIVATE" >> $GITHUB_ENV
+        fi
+
+        echo "✅ Private module authentication configured"
+
     # --------------------------------------------------------------------
     # Summary and validation
     # --------------------------------------------------------------------

.github/actions/warm-cache/action.yml

@@ -53,6 +53,10 @@ inputs:
     description: "Enable multi-module mode - uses hash of all go.sum files for cache keys"
     required: false
     default: "false"
+  github-token:
+    description: "GitHub token for private module authentication (only used when GOPRIVATE is set)"
+    required: false
+    default: ""
 
 runs:
   using: "composite"
@@ -96,6 +100,7 @@ runs:
         go-secondary-version: ${{ inputs.go-secondary-version }}
         go-sum-file: ${{ inputs.go-sum-file }}
         enable-multi-module: ${{ inputs.enable-multi-module }}
+        github-token: ${{ inputs.github-token }}
 
     # ────────────────────────────────────────────────────────────────────────────
     # Setup MAGE-X (required for magex commands in cache warming)

.github/env/00-core.env

@@ -29,7 +29,7 @@ GO_PRIMARY_VERSION=1.24.x
 GO_SECONDARY_VERSION=1.24.x
 
 # Govulncheck-specific Go version for vulnerability scanning
-GOVULNCHECK_GO_VERSION=1.26.0
+GOVULNCHECK_GO_VERSION=1.26.1
 
 # ================================================================================================
 # 📦 GO MODULE CONFIGURATION
@@ -41,6 +41,13 @@ GO_SUM_FILE=go.sum
 # Multi-module monorepo support
 ENABLE_MULTI_MODULE_TESTING=false
 
+# Private Go module support (opt-in)
+# Set GOPRIVATE in 90-project.env to enable private module authentication
+# Example: github.com/myorg/*,github.com/otherorg/*
+GOPRIVATE=
+GONOSUMCHECK=
+GONOSUMDB=
+
 # ================================================================================================
 # 🖥️ RUNNER CONFIGURATION
 # ================================================================================================

.github/env/10-mage-x.env

@@ -36,7 +36,7 @@
 # ================================================================================================
 
 # MAGE-X version
-MAGE_X_VERSION=v1.20.7
+MAGE_X_VERSION=v1.20.8
 
 # For mage-x development, set to 'true' to use local version instead of downloading from releases
 MAGE_X_USE_LOCAL=false
@@ -61,8 +61,8 @@ MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea
 
 MAGE_X_GITLEAKS_VERSION=8.30.0
 MAGE_X_GOFUMPT_VERSION=v0.9.2
-MAGE_X_GOLANGCI_LINT_VERSION=v2.10.1
-MAGE_X_GORELEASER_VERSION=v2.14.1
+MAGE_X_GOLANGCI_LINT_VERSION=v2.11.2
+MAGE_X_GORELEASER_VERSION=v2.14.2
 MAGE_X_GOVULNCHECK_VERSION=v1.1.4
 MAGE_X_GO_SECONDARY_VERSION=1.24.x
 MAGE_X_GO_VERSION=1.24.x
@@ -72,7 +72,7 @@ MAGE_X_STATICCHECK_VERSION=2026.1
 MAGE_X_SWAG_VERSION=v1.16.6
 MAGE_X_YAMLFMT_VERSION=v0.21.0
 MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260211190930-8161c38c6cdc
-MAGE_X_MAGE_VERSION=v1.15.0
+MAGE_X_MAGE_VERSION=v1.16.0
 
 # ================================================================================================
 # 📝 RUNTIME VARIABLES (set by setup-goreleaser action)

.github/env/10-pre-commit.env

@@ -26,7 +26,7 @@
 # 🪝 PRE-COMMIT TOOL VERSION
 # ================================================================================================
 
-GO_PRE_COMMIT_VERSION=v1.6.2
+GO_PRE_COMMIT_VERSION=v1.8.0
 GO_PRE_COMMIT_USE_LOCAL=false
 
 # ================================================================================================
@@ -52,7 +52,7 @@ GO_PRE_COMMIT_ALL_FILES=true
 # 🛠️ TOOL VERSIONS
 # ================================================================================================
 
-GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.10.1
+GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.11.2
 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2
 GO_PRE_COMMIT_GOIMPORTS_VERSION=latest
 GO_PRE_COMMIT_GITLEAKS_VERSION=v8.30.0

.github/workflows/codeql-analysis.yml

@@ -46,7 +46,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
       #    uses a compiled language
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6

.github/workflows/fortress-benchmarks.yml

@@ -144,6 +144,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-secondary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path

.github/workflows/fortress-code-quality.yml

@@ -94,6 +94,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -316,6 +317,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -596,6 +598,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path

.github/workflows/fortress-coverage.yml

@@ -176,6 +176,7 @@ jobs:
           go-secondary-version: ${{ env.GO_SECONDARY_VERSION }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path