sync(ci): update tool versions and add fuzz config (#103)

Author: mrz1836

.github/env/00-core.env

@@ -29,7 +29,7 @@ GO_PRIMARY_VERSION=1.24.x
 GO_SECONDARY_VERSION=1.24.x
 
 # Govulncheck-specific Go version for vulnerability scanning
-GOVULNCHECK_GO_VERSION=1.25.7
+GOVULNCHECK_GO_VERSION=1.26.0
 
 # ================================================================================================
 # 📦 GO MODULE CONFIGURATION

.github/env/10-coverage.env

@@ -32,7 +32,7 @@ GO_COVERAGE_PROVIDER=internal
 CODECOV_TOKEN_REQUIRED=false
 
 # Go Coverage Tool Version
-GO_COVERAGE_VERSION=v1.3.1
+GO_COVERAGE_VERSION=v1.3.5
 GO_COVERAGE_USE_LOCAL=false
 
 # ================================================================================================

.github/env/10-mage-x.env

@@ -36,7 +36,7 @@
 # ================================================================================================
 
 # MAGE-X version
-MAGE_X_VERSION=v1.20.1
+MAGE_X_VERSION=v1.20.4
 
 # For mage-x development, set to 'true' to use local version instead of downloading from releases
 MAGE_X_USE_LOCAL=false
@@ -61,17 +61,17 @@ MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea
 
 MAGE_X_GITLEAKS_VERSION=8.30.0
 MAGE_X_GOFUMPT_VERSION=v0.9.2
-MAGE_X_GOLANGCI_LINT_VERSION=v2.8.0
+MAGE_X_GOLANGCI_LINT_VERSION=v2.9.0
 MAGE_X_GORELEASER_VERSION=v2.13.3
 MAGE_X_GOVULNCHECK_VERSION=v1.1.4
 MAGE_X_GO_SECONDARY_VERSION=1.24.x
 MAGE_X_GO_VERSION=1.24.x
 MAGE_X_MOCKGEN_VERSION=v0.6.0
 MAGE_X_NANCY_VERSION=v1.2.0
-MAGE_X_STATICCHECK_VERSION=2025.1.1
+MAGE_X_STATICCHECK_VERSION=2026.1
 MAGE_X_SWAG_VERSION=v1.16.6
 MAGE_X_YAMLFMT_VERSION=v0.21.0
-MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260112171951-5abaabe9f1bd
+MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260211190930-8161c38c6cdc
 MAGE_X_MAGE_VERSION=v1.15.0
 
 # ================================================================================================
@@ -102,3 +102,25 @@ MAGE_X_MAGE_VERSION=v1.15.0
 # MAGE_X_TEST_EXCLUDE_MODULES=module1,module2
 # MAGE_X_TEST_RACE=false
 # MAGE_X_VERBOSE=true
+
+# ================================================================================================
+# 🧪 FUZZ TEST CONFIGURATION
+# ================================================================================================
+
+# Timeout for pre-compiling fuzz test binaries with coverage instrumentation.
+# This warms the Go build cache before running individual fuzz tests, preventing
+# the first test per package from timing out in projects with large dependency trees.
+# Set to "0s" to disable warmup.
+MAGE_X_FUZZ_WARMUP_TIMEOUT=5m
+
+# Buffer time added to each fuzz test timeout for setup/teardown overhead
+# MAGE_X_FUZZ_BASELINE_BUFFER=90s
+
+# Estimated time per seed during baseline gathering phase
+# MAGE_X_FUZZ_BASELINE_OVERHEAD_PER_SEED=500ms
+
+# Minimum timeout for any fuzz test
+# MAGE_X_FUZZ_MIN_TIMEOUT=90s
+
+# Maximum timeout cap for fuzz tests
+# MAGE_X_FUZZ_MAX_TIMEOUT=30m

.github/env/10-pre-commit.env

@@ -52,7 +52,7 @@ GO_PRE_COMMIT_ALL_FILES=true
 # 🛠️ TOOL VERSIONS
 # ================================================================================================
 
-GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.8.0
+GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.9.0
 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2
 GO_PRE_COMMIT_GOIMPORTS_VERSION=latest
 GO_PRE_COMMIT_GITLEAKS_VERSION=v8.30.0

.github/env/load-env.sh

@@ -24,6 +24,7 @@ _env_loader_dir() {
         [[ "$source" != /* ]] && source="$dir/$source"
     done
     cd -P "$(dirname "$source")" && pwd
+    return $?
 }
 
 # Main loader logic

.github/workflows/codeql-analysis.yml

@@ -46,7 +46,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
       #    uses a compiled language
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
+        uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3

.github/workflows/fortress-completion-statistics.yml

@@ -538,6 +538,12 @@ jobs:
           LOC_OUTPUT=$(magex metrics:loc json 2>&1 || true)
           LOC_FOUND=false
 
+          # Save raw JSON for loc-stats artifact (consumed by go-broadcast analytics)
+          if [[ -n "$LOC_OUTPUT" ]] && echo "$LOC_OUTPUT" | jq empty 2>/dev/null; then
+            echo "$LOC_OUTPUT" > loc-stats.json
+            echo "📦 Saved loc-stats.json for artifact upload"
+          fi
+
           if [[ -n "$LOC_OUTPUT" ]]; then
             echo "📋 magex metrics:loc json output:"
             echo "$LOC_OUTPUT"
@@ -677,6 +683,14 @@ jobs:
       # --------------------------------------------------------------------
       # Upload statistics section
       # --------------------------------------------------------------------
+      - name: 📤 Upload LOC Stats JSON
+        if: always() && hashFiles('loc-stats.json') != ''
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: loc-stats
+          path: loc-stats.json
+          retention-days: 7
+
       - name: 📤 Upload Statistics Section
         id: upload-section
         if: always()

.github/workflows/fortress-test-matrix.yml

@@ -248,8 +248,8 @@ jobs:
             echo "🏁 Running tests with race detection (timeout: $TEST_TIMEOUT)..."
           else
             TEST_TIMEOUT="${TEST_TIMEOUT_UNIT:-20m}"
-            TEST_TYPE="unit"
-            echo "🏁 Running tests without coverage or race detection (timeout: $TEST_TIMEOUT)..."
+            TEST_TYPE="short"
+            echo "🏁 Running short tests (skipping integration tests) (timeout: $TEST_TIMEOUT)..."
           fi
 
           # magex CI mode auto-detects GitHub Actions and produces structured output

.github/workflows/fortress.yml

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------------------
 #  🏰 GoFortress - Enterprise-grade CI/CD fortress for Go applications
 #
-#  Version: 1.7.0 | Released: 2026-02-06
+#  Version: 1.7.1 | Released: 2026-02-13
 #
 #  Built Strong. Tested Harder.
 #

.github/workflows/pull-request-management-fork.yml

@@ -3,7 +3,7 @@
 #
 #  Purpose: Automate labeling, assignment, and welcoming of pull requests for forked PRs.
 #
-#  Configuration: All settings are loaded from modular .github/env/ files for
+#  Configuration: All settings are loaded from modular .github/env/*.env files for
 #  centralized management across all workflows.
 #
 #  Triggers: Pull request events (opened, reopened, ready for review, closed, synchronize)
@@ -108,7 +108,7 @@ concurrency:
 # --------------------------------------------------------------------
 # Environment Variables
 # --------------------------------------------------------------------
-# Note: Configuration variables are loaded from modular .github/env/ files
+# Note: Configuration variables are loaded from modular .github/env/*.env files
 
 jobs:
   # ------------------------------------------------------------
@@ -117,8 +117,8 @@ jobs:
   load-env:
     name: 🌍 Load Environment (Base Repo)
     runs-on: ubuntu-latest
-    # Early exit: Skip entire workflow for same-repo PRs (handled by main workflow)
-    if: github.event.pull_request.head.repo.full_name != github.repository
+    # Only run for fork PRs - same-repo PRs are handled by pull-request-management.yml
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
     # No write perms here
     permissions:
       contents: read
@@ -127,14 +127,14 @@ jobs:
     steps:
       # ┌─────────────────────────────────────────────────────────────────────┐
       # │ SECURITY SCANNERS: This checkout is SAFE despite pull_request_target│
-      # │                                                                     │
-      # │ Justification:                                                      │
+      # │                                                                      │
+      # │ Justification:                                                       │
       # │  - Only checks out TRUSTED base branch (ref: github.base_ref)       │
       # │  - NEVER checks out PR head code from untrusted fork                │
       # │  - Implements recommended two-workflow security pattern             │
       # │  - Uses sparse checkout (minimal attack surface)                    │
       # │  - No executable code from PR is ever run                           │
-      # │                                                                     │
+      # │                                                                      │
       # │ Pattern: Two-workflow security model (see SECURITY.md)              │
       # │ References: githubactions:S7631, semgrep:github-actions-checkout    │
       # └─────────────────────────────────────────────────────────────────────┘
@@ -177,6 +177,8 @@ jobs:
   detect-fork:
     name: 🔍 Detect Fork PR
     runs-on: ubuntu-latest
+    # Only run for fork PRs - same-repo PRs are handled by pull-request-management.yml
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
     permissions:
       contents: read
     outputs:
@@ -478,7 +480,8 @@ jobs:
   summary:
     name: 📊 Summary
     runs-on: ubuntu-latest
-    if: always()
+    # Only run for fork PRs, but always show summary regardless of job status
+    if: always() && github.event.pull_request.head.repo.full_name != github.repository
     needs: [load-env, detect-fork, handle-fork, clean-cache]
     steps:
       - name: 📄 Write summary