From a7050f2882f9877c23ee2fe3fb669289cb575bc9 Mon Sep 17 00:00:00 2001 From: "Mr. Z" Date: Sat, 14 Feb 2026 10:41:00 -0500 Subject: [PATCH] sync(ci): update tool versions and add fuzz config --- .github/env/00-core.env | 2 +- .github/env/10-coverage.env | 2 +- .github/env/10-mage-x.env | 30 ++++++++++++++++--- .github/env/10-pre-commit.env | 2 +- .github/env/load-env.sh | 1 + .github/workflows/codeql-analysis.yml | 6 ++-- .../fortress-completion-statistics.yml | 14 +++++++++ .github/workflows/fortress-test-matrix.yml | 4 +-- .github/workflows/fortress.yml | 2 +- .../pull-request-management-fork.yml | 19 +++++++----- .github/workflows/scorecard.yml | 2 +- 11 files changed, 62 insertions(+), 22 deletions(-) diff --git a/.github/env/00-core.env b/.github/env/00-core.env index 03eaa0a..41885c3 100644 --- a/.github/env/00-core.env +++ b/.github/env/00-core.env @@ -29,7 +29,7 @@ GO_PRIMARY_VERSION=1.24.x GO_SECONDARY_VERSION=1.24.x # Govulncheck-specific Go version for vulnerability scanning -GOVULNCHECK_GO_VERSION=1.25.7 +GOVULNCHECK_GO_VERSION=1.26.0 # ================================================================================================ # πŸ“¦ GO MODULE CONFIGURATION diff --git a/.github/env/10-coverage.env b/.github/env/10-coverage.env index 4ad2298..5125fef 100644 --- a/.github/env/10-coverage.env +++ b/.github/env/10-coverage.env @@ -32,7 +32,7 @@ GO_COVERAGE_PROVIDER=internal CODECOV_TOKEN_REQUIRED=false # Go Coverage Tool Version -GO_COVERAGE_VERSION=v1.3.1 +GO_COVERAGE_VERSION=v1.3.5 GO_COVERAGE_USE_LOCAL=false # ================================================================================================ diff --git a/.github/env/10-mage-x.env b/.github/env/10-mage-x.env index 30f5fcd..01ef67f 100644 --- a/.github/env/10-mage-x.env +++ b/.github/env/10-mage-x.env 
@@ -36,7 +36,7 @@ # ================================================================================================ # MAGE-X version -MAGE_X_VERSION=v1.20.1 +MAGE_X_VERSION=v1.20.4 # For mage-x development, set to 'true' to use local version instead of downloading from releases MAGE_X_USE_LOCAL=false @@ -61,17 +61,17 @@ MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea MAGE_X_GITLEAKS_VERSION=8.30.0 MAGE_X_GOFUMPT_VERSION=v0.9.2 -MAGE_X_GOLANGCI_LINT_VERSION=v2.8.0 +MAGE_X_GOLANGCI_LINT_VERSION=v2.9.0 MAGE_X_GORELEASER_VERSION=v2.13.3 MAGE_X_GOVULNCHECK_VERSION=v1.1.4 MAGE_X_GO_SECONDARY_VERSION=1.24.x MAGE_X_GO_VERSION=1.24.x MAGE_X_MOCKGEN_VERSION=v0.6.0 MAGE_X_NANCY_VERSION=v1.2.0 -MAGE_X_STATICCHECK_VERSION=2025.1.1 +MAGE_X_STATICCHECK_VERSION=2026.1 MAGE_X_SWAG_VERSION=v1.16.6 MAGE_X_YAMLFMT_VERSION=v0.21.0 -MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260112171951-5abaabe9f1bd +MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260211190930-8161c38c6cdc MAGE_X_MAGE_VERSION=v1.15.0 # ================================================================================================ 
@@ -102,3 +102,25 @@ MAGE_X_MAGE_VERSION=v1.15.0 # MAGE_X_TEST_EXCLUDE_MODULES=module1,module2 # MAGE_X_TEST_RACE=false # MAGE_X_VERBOSE=true + +# ================================================================================================ +# πŸ§ͺ FUZZ TEST CONFIGURATION +# ================================================================================================ + +# Timeout for pre-compiling fuzz test binaries with coverage instrumentation. +# This warms the Go build cache before running individual fuzz tests, preventing +# the first test per package from timing out in projects with large dependency trees. +# Set to "0s" to disable warmup. +MAGE_X_FUZZ_WARMUP_TIMEOUT=5m + +# Buffer time added to each fuzz test timeout for setup/teardown overhead +# MAGE_X_FUZZ_BASELINE_BUFFER=90s + +# Estimated time per seed during baseline gathering phase +# MAGE_X_FUZZ_BASELINE_OVERHEAD_PER_SEED=500ms + +# Minimum timeout for any fuzz test +# MAGE_X_FUZZ_MIN_TIMEOUT=90s + +# Maximum timeout cap for fuzz tests +# MAGE_X_FUZZ_MAX_TIMEOUT=30m diff --git a/.github/env/10-pre-commit.env b/.github/env/10-pre-commit.env index b49f339..9b7477c 100644 --- a/.github/env/10-pre-commit.env +++ b/.github/env/10-pre-commit.env @@ -52,7 +52,7 @@ GO_PRE_COMMIT_ALL_FILES=true # πŸ› οΈ TOOL VERSIONS # ================================================================================================ -GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.8.0 +GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.9.0 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2 GO_PRE_COMMIT_GOIMPORTS_VERSION=latest GO_PRE_COMMIT_GITLEAKS_VERSION=v8.30.0 diff --git a/.github/env/load-env.sh b/.github/env/load-env.sh index 3dccf1f..614b79d 100644 --- a/.github/env/load-env.sh +++ b/.github/env/load-env.sh @@ -24,6 +24,7 @@ _env_loader_dir() { [[ "$source" != /* ]] && source="$dir/$source" done cd -P "$(dirname "$source")" && pwd + return $? } # Main loader logic 
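Review bot: The four commented-out `MAGE_X_FUZZ_*` entries in the new FUZZ TEST CONFIGURATION section do not say whether `90s`, `500ms`, `90s` and `30m` are the tool's built-in defaults or merely example values, so a reader cannot tell what is in effect while they stay commented out. The same applies to `MAGE_X_FUZZ_WARMUP_TIMEOUT=5m`, the only one actually set, which is presumably an override of some default. I would state this once above the block, e.g. `# Values in commented-out entries are the defaults magex applies when the variable is unset; uncomment to override.` (or the opposite, if they are only examples), and for the active `5m` add a word on how it relates to the job's overall test timeout so warmup cannot consume most of it. Whether magex really treats `"0s"` as "disable warmup" is not verifiable from this file.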
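Review bot: The added `return $?` after `cd -P "$(dirname "$source")" && pwd` is a no-op: a bash function already returns the exit status of its last command, so the line changes nothing. If the intent is to make the failure path explicit, write it as `cd -P "$(dirname "$source")" || return 1` followed by `pwd` on its own line, which also reads unambiguously under `set -e`. `_env_loader_dir` starts outside this hunk, so I cannot see whether it is only ever invoked inside a `$(...)` subshell — if it is not, the `cd` changes the caller's working directory.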
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index fcd281f..40edbf0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -46,7 +46,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 + uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -57,7 +57,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 + uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3 # ℹ️ Command-line programs to run using the OS shell. # πŸ“š https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # uses a compiled language - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 + uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3 diff --git a/.github/workflows/fortress-completion-statistics.yml b/.github/workflows/fortress-completion-statistics.yml index c8e4fd3..72fd9ee 100644 --- a/.github/workflows/fortress-completion-statistics.yml +++ b/.github/workflows/fortress-completion-statistics.yml 
@@ -538,6 +538,12 @@ jobs: LOC_OUTPUT=$(magex metrics:loc json 2>&1 || true) LOC_FOUND=false + # Save raw JSON for loc-stats artifact (consumed by go-broadcast analytics) + if [[ -n "$LOC_OUTPUT" ]] && echo "$LOC_OUTPUT" | jq empty 2>/dev/null; then + echo "$LOC_OUTPUT" > loc-stats.json + echo "πŸ“¦ Saved loc-stats.json for artifact upload" + fi + if [[ -n "$LOC_OUTPUT" ]]; then echo "πŸ“‹ magex metrics:loc json output:" echo "$LOC_OUTPUT" @@ -677,6 +683,14 @@ jobs: # -------------------------------------------------------------------- # Upload statistics section # -------------------------------------------------------------------- + - name: πŸ“€ Upload LOC Stats JSON + if: always() && hashFiles('loc-stats.json') != '' + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: loc-stats + path: loc-stats.json + retention-days: 7 + - name: πŸ“€ Upload Statistics Section id: upload-section if: always() diff --git a/.github/workflows/fortress-test-matrix.yml b/.github/workflows/fortress-test-matrix.yml index 31ee38c..4abb264 100644 --- a/.github/workflows/fortress-test-matrix.yml +++ b/.github/workflows/fortress-test-matrix.yml @@ -248,8 +248,8 @@ jobs: echo "🏁 Running tests with race detection (timeout: $TEST_TIMEOUT)..." else TEST_TIMEOUT="${TEST_TIMEOUT_UNIT:-20m}" - TEST_TYPE="unit" - echo "🏁 Running tests without coverage or race detection (timeout: $TEST_TIMEOUT)..." + TEST_TYPE="short" + echo "🏁 Running short tests (skipping integration tests) (timeout: $TEST_TIMEOUT)..." fi # magex CI mode auto-detects GitHub Actions and produces structured output diff --git a/.github/workflows/fortress.yml b/.github/workflows/fortress.yml index c540dfb..1ea2f75 100644 --- a/.github/workflows/fortress.yml +++ b/.github/workflows/fortress.yml 
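Review bot: The new save block skips writing `loc-stats.json` silently when `LOC_OUTPUT` is empty or fails `jq empty`, and because `LOC_OUTPUT` is captured with `2>&1 || true`, any stderr warning from `magex metrics:loc json` is mixed into the candidate text and makes it non-JSON, so the artifact vanishes without a diagnostic. I would add an `else` branch: `else echo "⚠️ loc-stats.json not written: magex metrics:loc output was empty or not valid JSON"`, so the downstream go-broadcast consumer can see why the artifact is missing. Separating stderr from the JSON (capture stdout only and log stderr to a file) would be the fuller fix, but that touches the capture line rather than the added lines. The enclosing step script starts before this hunk.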
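Review bot: `if: always() && hashFiles('loc-stats.json') != ''` is evaluated against `GITHUB_WORKSPACE`, while the file is written by a shell step relative to its own current directory; this only works if that step runs at the workspace root, which I cannot confirm from this hunk. A one-line comment above the `if:` pinning that assumption would help, e.g. `# hashFiles() resolves relative to GITHUB_WORKSPACE; the metrics step must write loc-stats.json there`. `always()` also makes the upload run when the job was cancelled, which is presumably intended for a best-effort stats artifact but is worth a word in the same comment.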
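Review bot: Changing the fallback branch from `TEST_TYPE="unit"` to `TEST_TYPE="short"` quietly narrows what the default (no coverage, no race) matrix entry executes, per the new log line "skipping integration tests"; if no other matrix entry or job runs the integration suite this is a coverage regression rather than a relabel, and nothing in the hunk documents which it is. I would add a comment above the assignment naming the job that now owns integration tests, e.g. `# Integration tests run in the coverage/race entries; this entry intentionally runs the short suite only`, adjusted to whatever is actually the case. The surrounding if/else chain begins outside this hunk, so I cannot see the other branches' `TEST_TYPE` values.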
@@ -1,7 +1,7 @@ # ------------------------------------------------------------------------------------ # 🏰 GoFortress - Enterprise-grade CI/CD fortress for Go applications # -# Version: 1.7.0 | Released: 2026-02-06 +# Version: 1.7.1 | Released: 2026-02-13 # # Built Strong. Tested Harder. # diff --git a/.github/workflows/pull-request-management-fork.yml b/.github/workflows/pull-request-management-fork.yml index e14719b..f010f33 100644 --- a/.github/workflows/pull-request-management-fork.yml +++ b/.github/workflows/pull-request-management-fork.yml @@ -3,7 +3,7 @@ # # Purpose: Automate labeling, assignment, and welcoming of pull requests for forked PRs. # -# Configuration: All settings are loaded from modular .github/env/ files for +# Configuration: All settings are loaded from modular .github/env/*.env files for # centralized management across all workflows. # # Triggers: Pull request events (opened, reopened, ready for review, closed, synchronize) @@ -108,7 +108,7 @@ concurrency: # -------------------------------------------------------------------- # Environment Variables # -------------------------------------------------------------------- -# Note: Configuration variables are loaded from modular .github/env/ files +# Note: Configuration variables are loaded from modular .github/env/*.env files jobs: # ------------------------------------------------------------ @@ -117,8 +117,8 @@ jobs: load-env: name: 🌍 Load Environment (Base Repo) runs-on: ubuntu-latest - # Early exit: Skip entire workflow for same-repo PRs (handled by main workflow) - if: github.event.pull_request.head.repo.full_name != github.repository + # Only run for fork PRs - same-repo PRs are handled by pull-request-management.yml + if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} # No write perms here permissions: contents: read 
@@ -127,14 +127,14 @@ jobs: steps: # β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” # β”‚ SECURITY SCANNERS: This checkout is SAFE despite pull_request_targetβ”‚ - # β”‚ β”‚ - # β”‚ Justification: β”‚ + # β”‚ β”‚ + # β”‚ Justification: β”‚ # β”‚ - Only checks out TRUSTED base branch (ref: github.base_ref) β”‚ # β”‚ - NEVER checks out PR head code from untrusted fork β”‚ # β”‚ - Implements recommended two-workflow security pattern β”‚ # β”‚ - Uses sparse checkout (minimal attack surface) β”‚ # β”‚ - No executable code from PR is ever run β”‚ - # β”‚ β”‚ + # β”‚ β”‚ # β”‚ Pattern: Two-workflow security model (see SECURITY.md) β”‚ # β”‚ References: githubactions:S7631, semgrep:github-actions-checkout β”‚ # β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ @@ -177,6 +177,8 @@ jobs: detect-fork: name: πŸ” Detect Fork PR runs-on: ubuntu-latest + # Only run for fork PRs - same-repo PRs are handled by pull-request-management.yml + if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} permissions: contents: read outputs: @@ -478,7 +480,8 @@ jobs: summary: name: πŸ“Š Summary runs-on: ubuntu-latest - if: always() + # Only run for fork PRs, but always show summary regardless of job status + if: always() && github.event.pull_request.head.repo.full_name != github.repository needs: [load-env, detect-fork, handle-fork, clean-cache] steps: - name: πŸ“„ Write summary diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index abc6083..2c8102f 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
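Review bot: The summary job's new condition is written bare, `if: always() && github.event.pull_request.head.repo.full_name != github.repository`, while the two `if:` lines this same patch adds to `load-env` and `detect-fork` wrap the identical expression in `${{ ... }}`; pick one form for the file. Keep `always()` in front either way: without a status function GitHub implicitly prefixes `success()`, and the summary would then be skipped whenever a needed job failed, which is exactly when it is most useful. The fork test is now repeated verbatim in three jobs of a pull_request_target workflow; a comment marking it as the single trust-boundary check (or an `is_fork` output from `detect-fork` for jobs that can tolerate a skipped producer) would keep the copies from drifting apart.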
@@ -77,6 +77,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable the upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 + uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3 with: sarif_file: results.sarif