bsv-blockchain · mrz1836 · Mar 9, 2026 · Mar 9, 2026
@@ -36,12 +36,11 @@ runs:
     # --------------------------------------------------------------------
     - name: 🔧 Parse environment variables
       shell: bash
+      env:
+        ENV_JSON: ${{ inputs.env-json }}
       run: |
         echo "📋 Setting environment variables..."
 
-        # Get the input JSON
-        ENV_JSON='${{ inputs.env-json }}'
-
         # Validate JSON format before processing
         if ! echo "$ENV_JSON" | jq empty 2>/dev/null; then
           echo "❌ ERROR: Invalid JSON format in env-json input!" >&2

@@ -47,6 +47,10 @@ inputs:
     description: "Enable multi-module mode - uses pattern **/go.sum to hash all go.sum files for cache keys, skips root go.sum validation"
     required: false
     default: "false"
+  github-token:
+    description: "GitHub token for private module authentication (only used when GOPRIVATE is set in environment)"
+    required: false
+    default: ""
 
 outputs:
   go-version-actual:
@@ -443,6 +447,29 @@ runs:
         go-version: ${{ inputs.go-version }}
         cache: false # we handle caches ourselves
 
+    # --------------------------------------------------------------------
+    # Configure git authentication for private Go modules (conditional)
+    # Only runs when GOPRIVATE is set AND a github-token is provided
+    # --------------------------------------------------------------------
+    - name: 🔐 Configure private module authentication
+      if: ${{ inputs.github-token != '' && env.GOPRIVATE != '' }}
+      shell: bash
+      env:
+        PRIVATE_MODULE_TOKEN: ${{ inputs.github-token }}
+      run: |
+        echo "🔐 Configuring git authentication for private Go modules..."
+        echo "📋 GOPRIVATE=$GOPRIVATE"
+
+        # Configure git to use the token for HTTPS URLs
+        git config --global url."https://x-access-token:${PRIVATE_MODULE_TOKEN}@github.com/".insteadOf "https://github.com/"
+
+        # Set GONOSUMDB to match GOPRIVATE if not explicitly set
+        if [ -z "$GONOSUMDB" ]; then
+          echo "GONOSUMDB=$GOPRIVATE" >> $GITHUB_ENV
+        fi
+
+        echo "✅ Private module authentication configured"
+
     # --------------------------------------------------------------------
     # Summary and validation
     # --------------------------------------------------------------------

@@ -53,6 +53,10 @@ inputs:
     description: "Enable multi-module mode - uses hash of all go.sum files for cache keys"
     required: false
     default: "false"
+  github-token:
+    description: "GitHub token for private module authentication (only used when GOPRIVATE is set)"
+    required: false
+    default: ""
 
 runs:
   using: "composite"
@@ -96,6 +100,7 @@ runs:
         go-secondary-version: ${{ inputs.go-secondary-version }}
         go-sum-file: ${{ inputs.go-sum-file }}
         enable-multi-module: ${{ inputs.enable-multi-module }}
+        github-token: ${{ inputs.github-token }}
 
     # ────────────────────────────────────────────────────────────────────────────
     # Setup MAGE-X (required for magex commands in cache warming)

@@ -29,7 +29,7 @@ GO_PRIMARY_VERSION=1.24.x
 GO_SECONDARY_VERSION=1.24.x
 
 # Govulncheck-specific Go version for vulnerability scanning
-GOVULNCHECK_GO_VERSION=1.26.0
+GOVULNCHECK_GO_VERSION=1.26.1
 
 # ================================================================================================
 # 📦 GO MODULE CONFIGURATION
@@ -41,6 +41,13 @@ GO_SUM_FILE=go.sum
 # Multi-module monorepo support
 ENABLE_MULTI_MODULE_TESTING=false
 
+# Private Go module support (opt-in)
+# Set GOPRIVATE in 90-project.env to enable private module authentication
+# Example: github.com/myorg/*,github.com/otherorg/*
+GOPRIVATE=
+GONOSUMCHECK=
+GONOSUMDB=
+
 # ================================================================================================
 # 🖥️ RUNNER CONFIGURATION
 # ================================================================================================

@@ -36,7 +36,7 @@
 # ================================================================================================
 
 # MAGE-X version
-MAGE_X_VERSION=v1.20.7
+MAGE_X_VERSION=v1.20.8
 
 # For mage-x development, set to 'true' to use local version instead of downloading from releases
 MAGE_X_USE_LOCAL=false
@@ -61,8 +61,8 @@ MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea
 
 MAGE_X_GITLEAKS_VERSION=8.30.0
 MAGE_X_GOFUMPT_VERSION=v0.9.2
-MAGE_X_GOLANGCI_LINT_VERSION=v2.10.1
-MAGE_X_GORELEASER_VERSION=v2.14.1
+MAGE_X_GOLANGCI_LINT_VERSION=v2.11.2
+MAGE_X_GORELEASER_VERSION=v2.14.2
 MAGE_X_GOVULNCHECK_VERSION=v1.1.4
 MAGE_X_GO_SECONDARY_VERSION=1.24.x
 MAGE_X_GO_VERSION=1.24.x
@@ -72,7 +72,7 @@ MAGE_X_STATICCHECK_VERSION=2026.1
 MAGE_X_SWAG_VERSION=v1.16.6
 MAGE_X_YAMLFMT_VERSION=v0.21.0
 MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260211190930-8161c38c6cdc
-MAGE_X_MAGE_VERSION=v1.15.0
+MAGE_X_MAGE_VERSION=v1.16.0
 
 # ================================================================================================
 # 📝 RUNTIME VARIABLES (set by setup-goreleaser action)

@@ -26,7 +26,7 @@
 # 🪝 PRE-COMMIT TOOL VERSION
 # ================================================================================================
 
-GO_PRE_COMMIT_VERSION=v1.6.2
+GO_PRE_COMMIT_VERSION=v1.8.0
 GO_PRE_COMMIT_USE_LOCAL=false
 
 # ================================================================================================
@@ -52,7 +52,7 @@ GO_PRE_COMMIT_ALL_FILES=true
 # 🛠️ TOOL VERSIONS
 # ================================================================================================
 
-GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.10.1
+GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.11.2
 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2
 GO_PRE_COMMIT_GOIMPORTS_VERSION=latest
 GO_PRE_COMMIT_GITLEAKS_VERSION=v8.30.0

@@ -46,7 +46,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
       #    uses a compiled language
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
@@ -144,6 +144,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-secondary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path

@@ -94,6 +94,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -316,6 +317,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -596,6 +598,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path

@@ -176,6 +176,7 @@ jobs:
           go-secondary-version: ${{ env.GO_SECONDARY_VERSION }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path

@@ -33,6 +33,10 @@ on:
         description: "Path to go.sum file for dependency verification"
         required: true
         type: string
+    secrets:
+      github-token:
+        description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)"
+        required: false
     outputs:
       pre-commit-version:
         description: "Version of go-pre-commit used"
@@ -87,6 +91,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ env.GO_SUM_FILE }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -690,6 +695,14 @@ jobs:
 
           if [ "${CHECKS_EXIT:-0}" -ne 0 ]; then
             echo "❌ Pre-commit checks failed with exit code: ${CHECKS_EXIT}"
+            # Persist cleaned output to log file for summary and artifact upload
+            # Use printf to avoid echo misinterpreting leading -n/-e in output
+            printf '%s\n' "$CHECKS_OUTPUT" | \
+              sed -E 's/\x1b\[[0-9;]*[mGKH]//g' | \
+              sed 's/\xc2\x9b\[[0-9;]*[mGKH]//g' | \
+              sed 's/�\[[0-9;]*[mGKH]//g' | \
+              sed 's/�//g' | \
+              tr -d '\033' > pre-commit-output.log
             # Emit GitHub annotation for visibility at top of summary
             echo "::error title=Pre-commit Checks Failed::Code quality issues detected - formatting, linting, or other pre-commit checks failed"
             exit ${CHECKS_EXIT}
@@ -843,15 +856,35 @@ jobs:
               fi
             done
             echo "" >> $GITHUB_STEP_SUMMARY
-            if [[ "${{ env.GO_PRE_COMMIT_ALL_FILES }}" == "true" ]]; then
-              echo "🎯 **All pre-commit checks passed successfully on all repository files.**" >> $GITHUB_STEP_SUMMARY
-            elif [[ "${{ steps.detect-files.outputs.files_found }}" == "true" ]]; then
-              FILE_COUNT=$(echo "${{ steps.detect-files.outputs.changed_files }}" | wc -l | tr -d ' ')
-              echo "🎯 **All pre-commit checks passed successfully on $FILE_COUNT changed files.**" >> $GITHUB_STEP_SUMMARY
+            # Show failure details or success summary based on run-checks outcome + log presence
+            if [[ -f pre-commit-output.log ]]; then
+              # Normal failure: log file was created, show full error details
+              echo "### 🚨 Error Details" >> $GITHUB_STEP_SUMMARY
               echo "" >> $GITHUB_STEP_SUMMARY
-              echo "⚡ **Performance**: Fast CI execution by checking only changed files instead of entire repository." >> $GITHUB_STEP_SUMMARY
+              echo "<details>" >> $GITHUB_STEP_SUMMARY
+              echo "<summary>Click to expand full output</summary>" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+              echo '```' >> $GITHUB_STEP_SUMMARY
+              head -200 pre-commit-output.log >> $GITHUB_STEP_SUMMARY
+              echo '```' >> $GITHUB_STEP_SUMMARY
+              echo "</details>" >> $GITHUB_STEP_SUMMARY
+            elif [[ "${{ steps.run-checks.outcome }}" == "failure" ]]; then
+              # Early failure: step failed before the log file could be written
+              # (e.g. invalid binary path, mktemp failure, etc.)
+              echo "### 🚨 Error Details" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+              echo "Pre-commit checks failed before an output log could be generated. Review the **Run pre-commit checks** step logs for details." >> $GITHUB_STEP_SUMMARY
             else
-              echo "🎯 **Pre-commit checks completed (no files required checking).**" >> $GITHUB_STEP_SUMMARY
+              if [[ "${{ env.GO_PRE_COMMIT_ALL_FILES }}" == "true" ]]; then
+                echo "🎯 **All pre-commit checks passed successfully on all repository files.**" >> $GITHUB_STEP_SUMMARY
+              elif [[ "${{ steps.detect-files.outputs.files_found }}" == "true" ]]; then
+                FILE_COUNT=$(echo "${{ steps.detect-files.outputs.changed_files }}" | wc -l | tr -d ' ')
+                echo "🎯 **All pre-commit checks passed successfully on $FILE_COUNT changed files.**" >> $GITHUB_STEP_SUMMARY
+                echo "" >> $GITHUB_STEP_SUMMARY
+                echo "⚡ **Performance**: Fast CI execution by checking only changed files instead of entire repository." >> $GITHUB_STEP_SUMMARY
+              else
+                echo "🎯 **Pre-commit checks completed (no files required checking).**" >> $GITHUB_STEP_SUMMARY
+              fi
             fi
           else
             echo "### ⚠️ Fallback Mode" >> $GITHUB_STEP_SUMMARY
@@ -860,6 +893,18 @@ jobs:
             echo "- ✅ magex tidy" >> $GITHUB_STEP_SUMMARY
           fi
 
+      # --------------------------------------------------------------------
+      # Upload pre-commit results (only present on failure)
+      # --------------------------------------------------------------------
+      - name: 📤 Upload pre-commit results
+        if: always()
+        uses: ./.github/actions/upload-artifact-resilient
+        with:
+          artifact-name: pre-commit-results
+          artifact-path: pre-commit-output.log
+          retention-days: "7"
+          if-no-files-found: ignore
+
       # --------------------------------------------------------------------
       # Collect cache statistics
       # --------------------------------------------------------------------

@@ -91,6 +91,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Validate version tag format

@@ -99,6 +99,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -297,6 +298,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-primary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path
@@ -506,6 +508,7 @@ jobs:
     if: ${{ inputs.enable-gitleaks }}
     permissions:
       contents: read
+      pull-requests: write
     steps:
       # --------------------------------------------------------------------
       # Checkout code (required for local actions)
@@ -561,7 +564,7 @@ jobs:
         continue-on-error: true
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
-          GITHUB_TOKEN: ${{ secrets.github-token }}
+          GITHUB_TOKEN: ${{ github.token }}
           GITLEAKS_LICENSE: ${{ secrets.gitleaks-license }}
           GITLEAKS_NOTIFY_USER_LIST: ${{ env.GITLEAKS_NOTIFY_USER_LIST }}
           GITLEAKS_ENABLE_COMMENTS: "true"

@@ -568,6 +568,13 @@ jobs:
           echo "| **Features** | $ENABLED_FEATURES enabled · $DISABLED_FEATURES disabled |" >> $GITHUB_STEP_SUMMARY
           echo "| **Test Matrix** | $MATRIX_COUNT combinations |" >> $GITHUB_STEP_SUMMARY
           echo "| **Go Versions** | $(echo "$UNIQUE_GO_VERSIONS" | jq -r 'join(", ")') |" >> $GITHUB_STEP_SUMMARY
+
+          # Show private module status if GOPRIVATE is configured
+          GOPRIVATE_VAL=$(echo "$ENV_JSON" | jq -r '.GOPRIVATE // ""')
+          if [ -n "$GOPRIVATE_VAL" ]; then
+            echo "| **Private Modules** | \`$GOPRIVATE_VAL\` |" >> $GITHUB_STEP_SUMMARY
+          fi
+
           echo "" >> $GITHUB_STEP_SUMMARY
 
           # Fork PR Warning (if applicable) - this stays visible

@@ -44,6 +44,10 @@ on:
         description: "Path to go.sum file for dependency verification"
         required: true
         type: string
+    secrets:
+      github-token:
+        description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)"
+        required: false
 
 # Security: Restrict default permissions (jobs must explicitly request what they need)
 permissions: {}
@@ -88,6 +92,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-secondary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path

@@ -97,6 +97,10 @@ on:
         description: "Path to go.sum file for dependency verification"
         required: true
         type: string
+    secrets:
+      github-token:
+        description: "GitHub token for private module authentication (optional, only needed when GOPRIVATE is set)"
+        required: false
 
 # Security: Restrict default permissions (jobs must explicitly request what they need)
 permissions: {}
@@ -151,6 +155,7 @@ jobs:
           go-secondary-version: ${{ inputs.go-secondary-version }}
           go-sum-file: ${{ inputs.go-sum-file }}
           enable-multi-module: ${{ env.ENABLE_MULTI_MODULE_TESTING }}
+          github-token: ${{ secrets.github-token }}
 
       # --------------------------------------------------------------------
       # Extract Go module directory from GO_SUM_FILE path