diff --git a/.github/.env.base b/.github/.env.base index 69fc575..5d0eab0 100644 --- a/.github/.env.base +++ b/.github/.env.base @@ -235,7 +235,7 @@ REDIS_CACHE_FORCE_PULL=false # Force pull Redis images even when cache # ๐Ÿช„ MAGE-X CONFIGURATION # ================================================================================================ -MAGE_X_VERSION=v1.18.1 # https://github.com/mrz1836/mage-x/releases +MAGE_X_VERSION=v1.18.7 # https://github.com/mrz1836/mage-x/releases MAGE_X_USE_LOCAL=false # Use local version for development MAGE_X_CI_SKIP_STEP_SUMMARY=true # Skip duplicate test results in step summary (already in test validation summary) MAGE_X_AUTO_DISCOVER_BUILD_TAGS=true # Enable auto-discovery of build tags @@ -249,7 +249,7 @@ MAGE_X_GOVULNCHECK_VERSION=v1.1.4 # https://go.googl MAGE_X_GO_SECONDARY_VERSION=1.24.x # Secondary Go version for MAGE-X (also our secondary) MAGE_X_GO_VERSION=1.24.x # Primary Go version for MAGE-X (also our primary) MAGE_X_MOCKGEN_VERSION=v0.6.0 # https://github.com/uber-go/mock/releases -MAGE_X_NANCY_VERSION=v1.0.52 # https://github.com/sonatype-nexus-community/nancy/releases +MAGE_X_NANCY_VERSION=v1.2.0 # https://github.com/sonatype-nexus-community/nancy/releases MAGE_X_STATICCHECK_VERSION=2025.1.1 # https://github.com/dominikh/go-tools/releases MAGE_X_SWAG_VERSION=v1.16.6 # https://github.com/swaggo/swag/releases MAGE_X_YAMLFMT_VERSION=v0.21.0 # https://github.com/google/yamlfmt/releases 
@@ -309,14 +309,14 @@ MAGE_X_CVE_EXCLUDES=CVE-9999-12345,CVE-9999-43210 # Security Tools GITLEAKS_VERSION=8.30.0 # https://github.com/gitleaks/gitleaks/releases GOVULNCHECK_VERSION=v1.1.4 # https://pkg.go.dev/golang.org/x/vuln -NANCY_VERSION=v1.0.52 # https://github.com/sonatype-nexus-community/nancy/releases +NANCY_VERSION=v1.2.0 # https://github.com/sonatype-nexus-community/nancy/releases # ================================================================================================ # ๐Ÿช PRE-COMMIT SYSTEM CONFIGURATION (go-pre-commit) # ================================================================================================ # Pre-Commit System -GO_PRE_COMMIT_VERSION=v1.5.1 # https://github.com/mrz1836/go-pre-commit/releases +GO_PRE_COMMIT_VERSION=v1.5.2 # https://github.com/mrz1836/go-pre-commit/releases GO_PRE_COMMIT_USE_LOCAL=false # Use local version for development # System Settings @@ -516,3 +516,34 @@ GO_BROADCAST_AI_FAIL_ON_ERROR=false # Diff Debugging # GO_BROADCAST_DEBUG_DIFF_PATH=/tmp/debug-diff.txt + +# ================================================================================================ +# ๐Ÿ›ก๏ธ GUARDIAN CI TESTING FRAMEWORK +# ================================================================================================ + +# Feature Toggle +ENABLE_CI_GUARDIAN=false + +# Tool Versions (pinned for reproducibility) +GUARDIAN_ACT_VERSION=v0.2.84 +GUARDIAN_ACTIONLINT_VERSION=v1.7.10 +GUARDIAN_GO_SARIF_VERSION=v3.3.0 + +# Execution Settings +GUARDIAN_SCENARIO_TIMEOUT=30s +GUARDIAN_STATIC_TIMEOUT=5s +GUARDIAN_PARALLEL_SCENARIOS=1 + +# Output Configuration +GUARDIAN_OUTPUT_DIR=.mage-x +GUARDIAN_SARIF_OUTPUT=guardian.sarif +GUARDIAN_JSONL_OUTPUT=ci-results.jsonl + +# Policy Configuration +GUARDIAN_EXCEPTIONS_FILE=.github/guardian.yaml +GUARDIAN_POLICY_STRICT=true + +# Debug Settings +GUARDIAN_VERBOSE=false +GUARDIAN_DRY_RUN=false +GUARDIAN_KEEP_CONTAINERS=false 
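Review bot: The three `GUARDIAN_*_VERSION` pins added in the @@ -516 hunk omit the trailing release-page URL comment that every other version pin in this file carries (`MAGE_X_NANCY_VERSION`, `GITLEAKS_VERSION`, `GO_PRE_COMMIT_VERSION`, …), so a reader cannot tell which project `GUARDIAN_ACT_VERSION` or `GUARDIAN_GO_SARIF_VERSION` refers to or where to check for a newer release. Please use the same style, e.g. `GUARDIAN_ACT_VERSION=v0.2.84 # <release page URL>`, for all three. `ENABLE_CI_GUARDIAN=false` likewise has no trailing comment, unlike the other toggles in this file (`MAGE_X_USE_LOCAL`, `GO_PRE_COMMIT_USE_LOCAL`); a short comment naming the job or workflow it presumably gates would help whoever flips it.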
diff --git a/.github/actions/cancel-workflow-on-failure/action.yml b/.github/actions/cancel-workflow-on-failure/action.yml index 964ec0b..24a6c81 100644 --- a/.github/actions/cancel-workflow-on-failure/action.yml +++ b/.github/actions/cancel-workflow-on-failure/action.yml @@ -1,6 +1,13 @@ # ------------------------------------------------------------------------------------ # Cancel Workflow On Failure (Composite Action) (GoFortress) # +# NOTE: This action is currently NOT IN USE. It was disabled because GitHub's +# cancel API overwrites the "failed" status with "cancelled" on the job that +# triggered it, making it impossible to identify which job actually failed. +# +# The action is kept for potential future use in scenarios where the trade-off +# (faster cancellation vs clear failure visibility) is acceptable. +# # Purpose: Provide a reusable action that cancels the entire workflow run when # a critical job fails. This prevents wasting CI resources on parallel jobs # that will ultimately be invalidated by an earlier failure. @@ -58,6 +65,23 @@ inputs: description: "GitHub token with actions:write permission (defaults to GITHUB_TOKEN)" required: false default: "" + # Failure context inputs for enhanced job summary + failed-job: + description: "Name of the job that failed (for prominent display)" + required: false + default: "" + failed-step: + description: "Name of the step that failed" + required: false + default: "" + failure-tool: + description: "Tool that detected the failure (e.g., 'go vet', 'golangci-lint')" + required: false + default: "" + failure-summary: + description: "Brief summary of what failed (e.g., '3 issues detected')" + required: false + default: "" outputs: cancelled: 
@@ -88,6 +112,11 @@ runs: GITHUB_JOB: ${{ github.job }} GITHUB_WORKFLOW: ${{ github.workflow }} GITHUB_API_URL: ${{ github.api_url }} + # Failure context for enhanced job summary + FAILED_JOB: ${{ inputs.failed-job }} + FAILED_STEP: ${{ inputs.failed-step }} + FAILURE_TOOL: ${{ inputs.failure-tool }} + FAILURE_SUMMARY: ${{ inputs.failure-summary }} run: | # Note: Using set -uo pipefail (but not -e): # -e is avoided so we can handle errors (like curl failures and HTTP status codes) explicitly 
@@ -261,19 +290,73 @@ runs: STATUS_CELL_VALUE="โš ๏ธ HTTP $HTTP_STATUS" fi + # Derive summary heading from actual outcome + if [[ "$HTTP_STATUS" == "202" ]]; then + SUMMARY_HEADING="## ๐Ÿšจ Workflow Cancelled: Critical Failure Detected" + else + SUMMARY_HEADING="## โš ๏ธ Cancellation Skipped: Critical Failure Detected" + fi + # Add to job summary (always, regardless of success/failure) + # Enhanced summary with prominent failure origin when context is provided { - echo "## ๐Ÿšจ Workflow Cancellation" + echo "$SUMMARY_HEADING" + echo "" + + # Show prominent failure origin if context was provided + if [[ -n "$FAILED_JOB" || -n "$FAILED_STEP" || -n "$FAILURE_TOOL" || -n "$FAILURE_SUMMARY" ]]; then + echo "### โŒ Failure Origin" + echo "" + echo "| | |" + echo "|---|---|" + if [[ -n "$FAILED_JOB" ]]; then + # Escape markdown special characters in FAILED_JOB + FAILED_JOB_MD=$FAILED_JOB + FAILED_JOB_MD=${FAILED_JOB_MD//\\/\\\\} + FAILED_JOB_MD=${FAILED_JOB_MD//|/\\|} + FAILED_JOB_MD=${FAILED_JOB_MD//\`/\\\`} + echo "| **Job** | $FAILED_JOB_MD |" + fi + if [[ -n "$FAILED_STEP" ]]; then + # Escape markdown special characters in FAILED_STEP + FAILED_STEP_MD=$FAILED_STEP + FAILED_STEP_MD=${FAILED_STEP_MD//\\/\\\\} + FAILED_STEP_MD=${FAILED_STEP_MD//|/\\|} + FAILED_STEP_MD=${FAILED_STEP_MD//\`/\\\`} + echo "| **Step** | $FAILED_STEP_MD |" + fi + if [[ -n "$FAILURE_TOOL" ]]; then + # Escape markdown special characters in FAILURE_TOOL + FAILURE_TOOL_MD=$FAILURE_TOOL + FAILURE_TOOL_MD=${FAILURE_TOOL_MD//\\/\\\\} + FAILURE_TOOL_MD=${FAILURE_TOOL_MD//|/\\|} + FAILURE_TOOL_MD=${FAILURE_TOOL_MD//\`/\\\`} + echo "| **Tool** | $FAILURE_TOOL_MD |" + fi + if [[ -n "$FAILURE_SUMMARY" ]]; then + # Escape markdown special characters in FAILURE_SUMMARY + FAILURE_SUMMARY_MD=$FAILURE_SUMMARY + FAILURE_SUMMARY_MD=${FAILURE_SUMMARY_MD//\\/\\\\} + FAILURE_SUMMARY_MD=${FAILURE_SUMMARY_MD//|/\\|} + FAILURE_SUMMARY_MD=${FAILURE_SUMMARY_MD//\`/\\\`} + echo "| **Reason** | $FAILURE_SUMMARY_MD |" + 
fi + echo "" + echo "---" + echo "" + fi + + echo "### Workflow Cancellation Details" echo "" echo "| Detail | Value |" echo "|--------|-------|" - echo "| **Reason** | $CANCEL_REASON_MD |" echo "| **Triggered by** | \`$GITHUB_JOB\` |" echo "| **Run ID** | $GITHUB_RUN_ID |" echo "| **Status** | $STATUS_CELL_VALUE |" + echo "| **Cancellation reason** | $CANCEL_REASON_MD |" echo "" if [[ "$HTTP_STATUS" == "202" ]]; then - echo "This cancellation was triggered to save CI resources after a critical failure." + echo "> This cancellation was triggered to save CI resources. Other parallel jobs were stopped." elif [[ "$HTTP_STATUS" == "403" ]]; then echo "โš ๏ธ **Permission Issue**: Add \`actions: write\` permission to enable cancellation." elif [[ "$HTTP_STATUS" == "409" ]]; then diff --git a/.github/actions/setup-go-with-cache/action.yml b/.github/actions/setup-go-with-cache/action.yml index c6d5132..11d1b25 100644 --- a/.github/actions/setup-go-with-cache/action.yml +++ b/.github/actions/setup-go-with-cache/action.yml @@ -206,11 +206,12 @@ runs: echo "๐Ÿ”‘ Cache keys computed successfully" # -------------------------------------------------------------------- - # Restore Go module cache (shared across versions) + # Go module cache (shared across versions) + # Uses actions/cache@v4 which handles both restore and save # -------------------------------------------------------------------- - - name: ๐Ÿ’พ Restore Go module cache + - name: ๐Ÿ’พ Go module cache id: restore-gomod - uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: ~/go/pkg/mod key: ${{ steps.cache-keys.outputs.module-key }} 
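Review bot: The four escape blocks for `FAILED_JOB`, `FAILED_STEP`, `FAILURE_TOOL` and `FAILURE_SUMMARY` are copy-pasted, and none of them handles a newline, so a multi-line `failure-summary` input still splits the `| **Reason** | … |` row and corrupts the table. A small `md_escape` helper that also folds newlines to spaces removes the duplication and closes that gap; each row then becomes a single `echo`. The enclosing `run:` script begins before this hunk and its `elif` chain continues past it, so the helper should be defined near the top of the script rather than inside the summary group.

```yaml
          # Escape characters that would break a markdown table cell
          md_escape() {
            local s="$1"
            s=${s//\\/\\\\}
            s=${s//|/\\|}
            s=${s//\`/\\\`}
            s=${s//$'\n'/ }
            printf '%s' "$s"
          }
          # … unchanged: SUMMARY_HEADING derivation, "Failure Origin" header …
          if [[ -n "$FAILED_JOB" ]]; then
            echo "| **Job** | $(md_escape "$FAILED_JOB") |"
          fi
          # … Step, Tool and Reason rows follow the same pattern …
```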
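Review bot: Switching `id: restore-gomod` from `actions/cache/restore` to `actions/cache` changes when the cache is written, and the id now misnames a step that also saves. With `actions/cache` the save runs in the action's post step, which as far as I recall is skipped when an earlier step in the job failed (the now-deprecated `save-always` input existed for exactly that case), so a run whose tests fail no longer populates the module cache; if the previous layout had a separate `actions/cache/save` step guarded by `if: always()` that behaviour is lost, and if such a save step still exists further down this file it would now run twice. Please confirm which is intended and consider renaming the ids, e.g. `id: gomod-cache`, updating any `steps.restore-gomod.outputs.*` references at the same time. The same point applies to the @@ -279 build-cache hunk (`id: restore-gobuild`).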
@@ -279,11 +280,12 @@ runs: echo "============================================================" # -------------------------------------------------------------------- - # Restore Go build cache (per-version) + # Go build cache (per-version) + # Uses actions/cache@v4 which handles both restore and save # -------------------------------------------------------------------- - - name: ๐Ÿ’พ Restore Go build cache + - name: ๐Ÿ’พ Go build cache id: restore-gobuild - uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: | ~/.cache/go-build diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d4dda56..148919d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -46,7 +46,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11 + uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -57,7 +57,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11 + uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 # โ„น๏ธ Command-line programs to run using the OS shell. # ๐Ÿ“š https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # uses a compiled language - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11 + uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 
diff --git a/.github/workflows/fortress-benchmarks.yml b/.github/workflows/fortress-benchmarks.yml index 2d70b67..f121f9c 100644 --- a/.github/workflows/fortress-benchmarks.yml +++ b/.github/workflows/fortress-benchmarks.yml @@ -394,7 +394,7 @@ jobs: with: name: bench-stats-${{ matrix.os }}-${{ matrix.go-version }} path: bench-stats-${{ matrix.os }}-${{ matrix.go-version }}.json - retention-days: 1 + retention-days: 7 # -------------------------------------------------------------------- # Upload raw benchmark results diff --git a/.github/workflows/fortress-code-quality.yml b/.github/workflows/fortress-code-quality.yml index 86ea33c..8b0db88 100644 --- a/.github/workflows/fortress-code-quality.yml +++ b/.github/workflows/fortress-code-quality.yml @@ -66,7 +66,6 @@ jobs: runs-on: ${{ inputs.primary-runner }} permissions: contents: read - actions: write # Required for workflow cancellation on failure steps: # -------------------------------------------------------------------- # Checkout code (required for local actions) @@ -270,15 +269,6 @@ jobs: echo "โŒ Go vet detected static analysis issues" exit 1 - # -------------------------------------------------------------------- - # Cancel workflow on failure (save CI resources) - # -------------------------------------------------------------------- - - name: ๐Ÿšจ Cancel workflow on failure - if: failure() - uses: ./.github/actions/cancel-workflow-on-failure - with: - reason: "Go vet static analysis failed" - # ---------------------------------------------------------------------------------- # Lint (Code Linting) # ---------------------------------------------------------------------------------- @@ -289,7 +279,6 @@ jobs: runs-on: ${{ inputs.primary-runner }} permissions: contents: read - actions: write # Required for workflow cancellation on failure outputs: golangci-lint-version: ${{ steps.golangci-lint-version.outputs.version }} steps: 
@@ -568,15 +557,6 @@ jobs: echo "โŒ Lint detected code quality issues" exit 1 - # -------------------------------------------------------------------- - # Cancel workflow on failure (save CI resources) - # -------------------------------------------------------------------- - - name: ๐Ÿšจ Cancel workflow on failure - if: failure() - uses: ./.github/actions/cancel-workflow-on-failure - with: - reason: "Code linting (golangci-lint) failed" - # ---------------------------------------------------------------------------------- # YAML/JSON Format Validation (MAGE-X) # ---------------------------------------------------------------------------------- @@ -586,7 +566,6 @@ jobs: runs-on: ${{ inputs.primary-runner }} permissions: contents: read - actions: write # Required for workflow cancellation on failure outputs: yamlfmt-version: ${{ steps.yamlfmt-version.outputs.version }} steps: @@ -801,12 +780,3 @@ jobs: run: | echo "โŒ Format check detected YAML/JSON formatting issues" exit 1 - - # -------------------------------------------------------------------- - # Cancel workflow on failure (save CI resources) - # -------------------------------------------------------------------- - - name: ๐Ÿšจ Cancel workflow on failure - if: failure() - uses: ./.github/actions/cancel-workflow-on-failure - with: - reason: "YAML/JSON format validation failed" diff --git a/.github/workflows/fortress-completion-statistics.yml b/.github/workflows/fortress-completion-statistics.yml index d63d3bd..c8e4fd3 100644 --- a/.github/workflows/fortress-completion-statistics.yml +++ b/.github/workflows/fortress-completion-statistics.yml @@ -697,7 +697,7 @@ jobs: with: artifact-name: "statistics-section" artifact-path: "statistics-section.md" - retention-days: "1" + retention-days: "7" if-no-files-found: "warn" - name: ๐Ÿ“‹ Set Output Content diff --git a/.github/workflows/fortress-completion-tests.yml b/.github/workflows/fortress-completion-tests.yml index e3c2c3b..653d5b6 100644 
--- a/.github/workflows/fortress-completion-tests.yml +++ b/.github/workflows/fortress-completion-tests.yml @@ -465,7 +465,7 @@ jobs: with: artifact-name: "tests-section" artifact-path: "tests-section.md" - retention-days: "1" + retention-days: "7" if-no-files-found: "warn" - name: ๐Ÿ“‹ Set Output Content diff --git a/.github/workflows/fortress-coverage.yml b/.github/workflows/fortress-coverage.yml index 4b94bf0..0640b65 100644 --- a/.github/workflows/fortress-coverage.yml +++ b/.github/workflows/fortress-coverage.yml @@ -51,6 +51,9 @@ on: CODECOV_TOKEN: description: "Codecov token for uploading coverage (required when coverage-provider is codecov)" required: false + GH_PAT_TOKEN: + description: "Personal access token for enhanced GitHub API access (optional, falls back to github-token)" + required: false # Security: Restrict default permissions (jobs must explicitly request what they need) permissions: {} @@ -2511,4 +2514,4 @@ jobs: with: name: coverage-stats-codecov path: coverage-stats-codecov-*.json - retention-days: 1 + retention-days: 7 diff --git a/.github/workflows/fortress-pre-commit.yml b/.github/workflows/fortress-pre-commit.yml index ce011ea..d264d29 100644 --- a/.github/workflows/fortress-pre-commit.yml +++ b/.github/workflows/fortress-pre-commit.yml @@ -54,7 +54,6 @@ jobs: runs-on: ${{ inputs.primary-runner }} permissions: contents: read - actions: write # Required for workflow cancellation on failure outputs: pre-commit-version: ${{ steps.pre-commit-version.outputs.version }} checks-executed: ${{ steps.run-checks.outputs.executed }} 
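Review bot: The new `GH_PAT_TOKEN` secret in the `workflow_call` block gives no indication of which API calls need more than `github-token` or what minimal scope the PAT should carry, so operators are likely to provision a broadly scoped classic PAT for a reusable workflow that otherwise runs with `permissions: {}`. Extend the description to name the consumer and the least privilege it needs, e.g. `description: "Optional PAT for <which API calls> that exceed github-token (minimum scope: <read-only, this repository>); falls back to github-token when unset"` — the exact wording depends on the step that reads it, which is outside this hunk. The identical declaration is added to fortress-test-suite.yml in its @@ -111 hunk and should get the same text.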
@@ -620,9 +619,9 @@ jobs: if [[ "${{ env.GO_PRE_COMMIT_ALL_FILES }}" == "true" ]]; then echo "๐Ÿ” Mode: All Files" echo " โ€ข Executing checks on all repository files" - echo " โ€ข Command: go-pre-commit run --all-files" + echo " โ€ข Command: go-pre-commit run --skip lint --all-files" echo "" - CHECKS_OUTPUT=$("${{ env.GO_PRE_COMMIT_BINARY }}" run --all-files 2>&1) || CHECKS_EXIT=$? + CHECKS_OUTPUT=$("${{ env.GO_PRE_COMMIT_BINARY }}" run --skip lint --all-files 2>&1) || CHECKS_EXIT=$? elif [[ "${{ steps.detect-files.outputs.files_found }}" == "true" ]]; then CHANGED_FILES="${{ steps.detect-files.outputs.changed_files }}" DETECTION_METHOD="${{ steps.detect-files.outputs.detection_method }}" @@ -657,8 +656,8 @@ jobs: done < "$TEMP_FILE_LIST" if [[ -n "$SAFE_FILE_LIST" ]]; then - echo " โ€ข Command: go-pre-commit run --files " - CHECKS_OUTPUT=$("${{ env.GO_PRE_COMMIT_BINARY }}" run --files "$SAFE_FILE_LIST" 2>&1) || CHECKS_EXIT=$? + echo " โ€ข Command: go-pre-commit run --skip lint --files " + CHECKS_OUTPUT=$("${{ env.GO_PRE_COMMIT_BINARY }}" run --skip lint --files "$SAFE_FILE_LIST" 2>&1) || CHECKS_EXIT=$? else echo " โ€ข No valid files to process, skipping" CHECKS_OUTPUT="No files to process" @@ -671,9 +670,9 @@ jobs: echo "๐Ÿ” Mode: Staged Files (Fallback)" echo " โ€ข No changed files detected, falling back to staged files" echo " โ€ข This will likely result in 'No files to check' in CI" - echo " โ€ข Command: go-pre-commit run" + echo " โ€ข Command: go-pre-commit run --skip lint" echo "" - CHECKS_OUTPUT=$("${{ env.GO_PRE_COMMIT_BINARY }}" run 2>&1) || CHECKS_EXIT=$? + CHECKS_OUTPUT=$("${{ env.GO_PRE_COMMIT_BINARY }}" run --skip lint 2>&1) || CHECKS_EXIT=$? fi # Clean and filter output (colors should be disabled but handle any remaining codes) 
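Review bot: `--skip lint` is now hard-coded in three places in this step (the `--all-files`, `--files` and fallback invocations) with no comment saying why the lint hook is skipped in CI, so a maintainer re-enabling it or adding a fourth invocation has nothing to go on. Presumably it avoids running golangci-lint twice, since the code-quality workflow already has a dedicated lint job, but that should be stated once above the `if` chain, e.g. `# lint hook skipped here: golangci-lint already runs in fortress-code-quality.yml`, and the flag kept in one variable such as `PRE_COMMIT_SKIP_ARGS="--skip lint"` so the three commands and their echoed descriptions cannot drift apart. The enclosing `run:` script starts before the first hunk and continues past the last.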
@@ -885,12 +884,3 @@ jobs: artifact-name: cache-stats-pre-commit artifact-path: cache-stats-pre-commit.json retention-days: 1 - - # -------------------------------------------------------------------- - # Cancel workflow on failure (save CI resources) - # -------------------------------------------------------------------- - - name: ๐Ÿšจ Cancel workflow on failure - if: failure() - uses: ./.github/actions/cancel-workflow-on-failure - with: - reason: "Pre-commit checks failed" diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml index e88234a..1abdc2b 100644 --- a/.github/workflows/fortress-security-scans.yml +++ b/.github/workflows/fortress-security-scans.yml @@ -71,7 +71,6 @@ jobs: if: ${{ inputs.enable-nancy }} permissions: contents: read - actions: write # Required for workflow cancellation on failure steps: # -------------------------------------------------------------------- # Checkout code (required for local actions) @@ -259,15 +258,6 @@ jobs: echo "โŒ Nancy detected vulnerabilities in dependencies" exit 1 - # -------------------------------------------------------------------- - # Cancel workflow on failure (save CI resources) - # -------------------------------------------------------------------- - - name: ๐Ÿšจ Cancel workflow on failure - if: failure() - uses: ./.github/actions/cancel-workflow-on-failure - with: - reason: "Nancy dependency security check failed" - # ---------------------------------------------------------------------------------- # Govulncheck (Vulnerability Checks) # ---------------------------------------------------------------------------------- @@ -277,7 +267,6 @@ jobs: if: ${{ inputs.enable-govulncheck }} permissions: contents: read - actions: write # Required for workflow cancellation on failure steps: # -------------------------------------------------------------------- # Checkout code (required for local actions) 
@@ -508,15 +497,6 @@ jobs: echo "โŒ Govulncheck detected vulnerabilities in dependencies" exit 1 - # -------------------------------------------------------------------- - # Cancel workflow on failure (save CI resources) - # -------------------------------------------------------------------- - - name: ๐Ÿšจ Cancel workflow on failure - if: failure() - uses: ./.github/actions/cancel-workflow-on-failure - with: - reason: "Govulncheck vulnerability scan failed" - # ---------------------------------------------------------------------------------- # Gitleaks (Secret Scanning) # ---------------------------------------------------------------------------------- @@ -526,7 +506,6 @@ jobs: if: ${{ inputs.enable-gitleaks }} permissions: contents: read - actions: write # Required for workflow cancellation on failure steps: # -------------------------------------------------------------------- # Checkout code (required for local actions) @@ -649,12 +628,3 @@ jobs: run: | echo "โŒ Gitleaks detected secrets in the repository" exit 1 - - # -------------------------------------------------------------------- - # Cancel workflow on failure (save CI resources) - # -------------------------------------------------------------------- - - name: ๐Ÿšจ Cancel workflow on failure - if: failure() - uses: ./.github/actions/cancel-workflow-on-failure - with: - reason: "Gitleaks secret scan failed" diff --git a/.github/workflows/fortress-test-fuzz.yml b/.github/workflows/fortress-test-fuzz.yml index 57fa96d..5188d68 100644 --- a/.github/workflows/fortress-test-fuzz.yml +++ b/.github/workflows/fortress-test-fuzz.yml @@ -58,7 +58,6 @@ jobs: timeout-minutes: 15 # Fuzz tests have shorter timeout permissions: contents: read # Read repository content for testing - actions: write # Required for workflow cancellation on failure runs-on: ${{ inputs.primary-runner }} steps: 
@@ -260,12 +259,3 @@ jobs: fuzz-output.log retention-days: 1 if-no-files-found: ignore - - # -------------------------------------------------------------------- - # Cancel workflow on failure (save CI resources) - # -------------------------------------------------------------------- - - name: ๐Ÿšจ Cancel workflow on failure - if: failure() - uses: ./.github/actions/cancel-workflow-on-failure - with: - reason: "Fuzz tests failed" diff --git a/.github/workflows/fortress-test-matrix.yml b/.github/workflows/fortress-test-matrix.yml index eb8414b..01f9d13 100644 --- a/.github/workflows/fortress-test-matrix.yml +++ b/.github/workflows/fortress-test-matrix.yml @@ -110,7 +110,6 @@ jobs: timeout-minutes: 30 # Prevent hung tests permissions: contents: read # Read repository content for testing - actions: write # Required for workflow cancellation on failure strategy: fail-fast: true matrix: ${{ fromJSON(inputs.test-matrix) }} @@ -443,12 +442,3 @@ jobs: name: coverage-data path: coverage.txt retention-days: 1 - - # -------------------------------------------------------------------- - # Cancel workflow on failure (save CI resources) - # -------------------------------------------------------------------- - - name: ๐Ÿšจ Cancel workflow on failure - if: failure() - uses: ./.github/actions/cancel-workflow-on-failure - with: - reason: "Test matrix failed (${{ matrix.name }})" diff --git a/.github/workflows/fortress-test-suite.yml b/.github/workflows/fortress-test-suite.yml index 0d8ed55..dc89029 100644 --- a/.github/workflows/fortress-test-suite.yml +++ b/.github/workflows/fortress-test-suite.yml 
@@ -111,6 +111,9 @@ on: CODECOV_TOKEN: description: "Codecov token for uploading coverage (required when coverage-provider is codecov)" required: false + GH_PAT_TOKEN: + description: "Personal access token for enhanced GitHub API access (optional, falls back to github-token)" + required: false # Security: Restrict default permissions (jobs must explicitly request what they need) permissions: {} @@ -124,7 +127,6 @@ jobs: if: inputs.go-tests-enabled == 'true' permissions: contents: read - actions: write # Required for workflow cancellation on failure uses: ./.github/workflows/fortress-test-matrix.yml with: env-json: ${{ inputs.env-json }} @@ -152,7 +154,6 @@ jobs: if: inputs.go-tests-enabled == 'true' && inputs.fuzz-testing-enabled == 'true' permissions: contents: read - actions: write # Required for workflow cancellation on failure uses: ./.github/workflows/fortress-test-fuzz.yml with: env-json: ${{ inputs.env-json }} diff --git a/.github/workflows/fortress.yml b/.github/workflows/fortress.yml index 0a53313..7bd5b8a 100644 --- a/.github/workflows/fortress.yml +++ b/.github/workflows/fortress.yml @@ -1,7 +1,7 @@ # ------------------------------------------------------------------------------------ # ๐Ÿฐ GoFortress - Enterprise-grade CI/CD fortress for Go applications # -# Version: 1.4.0 | Released: 2026-01-16 +# Version: 1.5.0 | Released: 2026-01-27 # # Built Strong. Tested Harder. # @@ -170,7 +170,6 @@ jobs: needs.setup.outputs.is-fork-pr != 'true' permissions: contents: read # Read repository content for security scanning - actions: write # Required for workflow cancellation on failure uses: ./.github/workflows/fortress-security-scans.yml with: env-json: ${{ needs.load-env.outputs.env-json }} 
@@ -199,7 +198,6 @@ jobs: needs.setup.outputs.pre-commit-enabled == 'true' permissions: contents: read # Read repository content for pre-commit checks - actions: write # Required for workflow cancellation on failure uses: ./.github/workflows/fortress-pre-commit.yml with: env-json: ${{ needs.load-env.outputs.env-json }} @@ -220,7 +218,6 @@ jobs: (needs.warm-cache.result == 'success' || needs.warm-cache.result == 'skipped') permissions: contents: read # Read repository content for code quality checks - actions: write # Required for workflow cancellation on failure uses: ./.github/workflows/fortress-code-quality.yml with: env-json: ${{ needs.load-env.outputs.env-json }} @@ -251,7 +248,7 @@ jobs: pages: write # Required: Coverage workflow needs to deploy to GitHub Pages id-token: write # Required: Coverage workflow needs GitHub Pages authentication statuses: write # Required: Coverage workflow needs to create commit status checks - actions: write # Required: Manage/cancel child test workflows (test matrix & fuzz tests); artifact access only needs actions: read + actions: read # Required: Coverage workflow needs to access artifacts from workflow runs uses: ./.github/workflows/fortress-test-suite.yml with: code-coverage-enabled: ${{ needs.setup.outputs.code-coverage-enabled }} 
@@ -321,25 +318,87 @@ jobs: runs-on: ${{ needs.setup.outputs.primary-runner }} steps: # -------------------------------------------------------------------- - # Build a summary table for the UI (always runs) + # Build results summary showing job statuses # -------------------------------------------------------------------- - name: ๐Ÿ“Š Build results summary + env: + SETUP_RESULT: ${{ needs.setup.result }} + MAGEX_RESULT: ${{ needs.test-magex.result }} + CACHE_RESULT: ${{ needs.warm-cache.result }} + SECURITY_RESULT: ${{ needs.security.result }} + QUALITY_RESULT: ${{ needs.code-quality.result }} + PRECOMMIT_RESULT: ${{ needs.pre-commit.result }} + TESTS_RESULT: ${{ needs.test-suite.result }} + BENCH_RESULT: ${{ needs.benchmarks.result }} + CACHE_ENABLED: ${{ needs.setup.outputs.cache-warming-enabled }} + PRECOMMIT_ENABLED: ${{ needs.setup.outputs.pre-commit-enabled }} + TESTS_ENABLED: ${{ needs.setup.outputs.go-tests-enabled }} run: | { echo "## ๐Ÿšฆ Workflow Results" echo "" echo "| Component | Result | Status |" echo "|-----------|--------|--------|" - echo "| ๐ŸŽฏ Setup | ${{ needs.setup.result }} | Required |" - echo "| ๐Ÿช„ MAGE-X | ${{ needs.test-magex.result }} | Required |" - echo "| ๐Ÿ’พ Warm Cache | ${{ needs.warm-cache.result }} | ${{ needs.setup.outputs.cache-warming-enabled == 'true' && 'Required' || 'Disabled' }} |" - echo "| ๐Ÿ”’ Security | ${{ needs.security.result }} | Required |" - echo "| ๐Ÿ“Š Code Quality | ${{ needs.code-quality.result }} | Required |" - echo "| ๐Ÿช Pre-commit | ${{ needs.pre-commit.result }} | ${{ needs.setup.outputs.pre-commit-enabled == 'true' && 'Required' || 'Skipped' }} |" - echo "| ๐Ÿงช Test Suite | ${{ needs.test-suite.result }} | ${{ needs.setup.outputs.go-tests-enabled == 'true' && 'Required' || 'Skipped' }} |" - echo "| ๐Ÿƒ Benchmarks | ${{ needs.benchmarks.result }} | Optional โš ๏ธ |" + + # Helper function to determine result display + get_result_display() { + local result="$1" + + if [[ "$result" == "failure" 
]]; then + echo "โŒ **FAILED**" + elif [[ "$result" == "cancelled" ]]; then + echo "โน๏ธ cancelled" + elif [[ "$result" == "skipped" ]]; then + echo "โญ๏ธ skipped" + elif [[ "$result" == "success" ]]; then + echo "โœ… success" + else + echo "$result" + fi + } + + # Setup + SETUP_DISPLAY=$(get_result_display "$SETUP_RESULT") + echo "| ๐ŸŽฏ Setup | $SETUP_DISPLAY | Required |" + + # MAGE-X + MAGEX_DISPLAY=$(get_result_display "$MAGEX_RESULT") + echo "| ๐Ÿช„ MAGE-X | $MAGEX_DISPLAY | Required |" + + # Warm Cache + CACHE_REQ="Disabled" + [[ "$CACHE_ENABLED" == "true" ]] && CACHE_REQ="Required" + CACHE_DISPLAY=$(get_result_display "$CACHE_RESULT") + echo "| ๐Ÿ’พ Warm Cache | $CACHE_DISPLAY | $CACHE_REQ |" + + # Security + SECURITY_DISPLAY=$(get_result_display "$SECURITY_RESULT") + echo "| ๐Ÿ”’ Security | $SECURITY_DISPLAY | Required |" + + # Code Quality + QUALITY_DISPLAY=$(get_result_display "$QUALITY_RESULT") + echo "| ๐Ÿ“Š Code Quality | $QUALITY_DISPLAY | Required |" + + # Pre-commit + PRECOMMIT_REQ="Skipped" + [[ "$PRECOMMIT_ENABLED" == "true" ]] && PRECOMMIT_REQ="Required" + PRECOMMIT_DISPLAY=$(get_result_display "$PRECOMMIT_RESULT") + echo "| ๐Ÿช Pre-commit | $PRECOMMIT_DISPLAY | $PRECOMMIT_REQ |" + + # Test Suite + TESTS_REQ="Skipped" + [[ "$TESTS_ENABLED" == "true" ]] && TESTS_REQ="Required" + TESTS_DISPLAY=$(get_result_display "$TESTS_RESULT") + echo "| ๐Ÿงช Test Suite | $TESTS_DISPLAY | $TESTS_REQ |" + + # Benchmarks (always optional) + BENCH_DISPLAY=$(get_result_display "$BENCH_RESULT") + echo "| ๐Ÿƒ Benchmarks | $BENCH_DISPLAY | Optional โš ๏ธ |" + echo "" - if [[ "${{ needs.benchmarks.result }}" == "failure" ]]; then + + # Add explanatory note if benchmarks failed + if [[ "$BENCH_RESULT" == "failure" ]]; then echo "โš ๏ธ **Note**: Benchmarks failed but are currently non-blocking." fi } >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a4fe9a4..9de9e56 100644 
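Review bot: The rewritten body repeats the same `*_DISPLAY=$(get_result_display …)` / `echo "| … |"` pair eight times, which is now most of the hunk; a second helper that prints a whole row reduces each component to one line and keeps the requirement-column logic in one place. Moving the `needs.*` values into `env:` instead of interpolating `${{ }}` into the script is the right pattern and should stay. `get_result_display` falling through to `echo "$result"` is fine, since `needs.<job>.result` only takes the four values handled above it. A sketch of the helper follows; the `*_REQ` derivations are unchanged.

```yaml
          # Helper function to print one table row: label, job result, requirement
          print_row() {
            local label="$1" result="$2" requirement="$3"
            echo "| $label | $(get_result_display "$result") | $requirement |"
          }
          # … unchanged: CACHE_REQ / PRECOMMIT_REQ / TESTS_REQ derivation …
          print_row "๐ŸŽฏ Setup" "$SETUP_RESULT" "Required"
          print_row "๐Ÿ’พ Warm Cache" "$CACHE_RESULT" "$CACHE_REQ"
          # … remaining six rows follow the same pattern …
```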
--- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -77,6 +77,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable the upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11 + uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0 with: sarif_file: results.sarif