bsv-blockchain · mrz1836 · Jan 29, 2026 · Jan 29, 2026
@@ -235,7 +235,7 @@ REDIS_CACHE_FORCE_PULL=false           # Force pull Redis images even when cache
 # 🪄 MAGE-X CONFIGURATION
 # ================================================================================================
 
-MAGE_X_VERSION=v1.18.1                                        # https://github.com/mrz1836/mage-x/releases
+MAGE_X_VERSION=v1.18.7                                        # https://github.com/mrz1836/mage-x/releases
 MAGE_X_USE_LOCAL=false                                        # Use local version for development
 MAGE_X_CI_SKIP_STEP_SUMMARY=true                              # Skip duplicate test results in step summary (already in test validation summary)
 MAGE_X_AUTO_DISCOVER_BUILD_TAGS=true                          # Enable auto-discovery of build tags
@@ -249,7 +249,7 @@ MAGE_X_GOVULNCHECK_VERSION=v1.1.4                             # https://go.googl
 MAGE_X_GO_SECONDARY_VERSION=1.24.x                            # Secondary Go version for MAGE-X (also our secondary)
 MAGE_X_GO_VERSION=1.24.x                                      # Primary Go version for MAGE-X (also our primary)
 MAGE_X_MOCKGEN_VERSION=v0.6.0                                 # https://github.com/uber-go/mock/releases
-MAGE_X_NANCY_VERSION=v1.0.52                                  # https://github.com/sonatype-nexus-community/nancy/releases
+MAGE_X_NANCY_VERSION=v1.2.0                                   # https://github.com/sonatype-nexus-community/nancy/releases
 MAGE_X_STATICCHECK_VERSION=2025.1.1                           # https://github.com/dominikh/go-tools/releases
 MAGE_X_SWAG_VERSION=v1.16.6                                   # https://github.com/swaggo/swag/releases
 MAGE_X_YAMLFMT_VERSION=v0.21.0                                # https://github.com/google/yamlfmt/releases
@@ -309,14 +309,14 @@ MAGE_X_CVE_EXCLUDES=CVE-9999-12345,CVE-9999-43210
 # Security Tools
 GITLEAKS_VERSION=8.30.0                # https://github.com/gitleaks/gitleaks/releases
 GOVULNCHECK_VERSION=v1.1.4             # https://pkg.go.dev/golang.org/x/vuln
-NANCY_VERSION=v1.0.52                  # https://github.com/sonatype-nexus-community/nancy/releases
+NANCY_VERSION=v1.2.0                   # https://github.com/sonatype-nexus-community/nancy/releases
 
 # ================================================================================================
 # 🪝 PRE-COMMIT SYSTEM CONFIGURATION (go-pre-commit)
 # ================================================================================================
 
 # Pre-Commit System
-GO_PRE_COMMIT_VERSION=v1.5.1             # https://github.com/mrz1836/go-pre-commit/releases
+GO_PRE_COMMIT_VERSION=v1.5.2             # https://github.com/mrz1836/go-pre-commit/releases
 GO_PRE_COMMIT_USE_LOCAL=false            # Use local version for development
 
 # System Settings
@@ -516,3 +516,34 @@ GO_BROADCAST_AI_FAIL_ON_ERROR=false
 
 # Diff Debugging
 # GO_BROADCAST_DEBUG_DIFF_PATH=/tmp/debug-diff.txt
+
+# ================================================================================================
+# 🛡️ GUARDIAN CI TESTING FRAMEWORK
+# ================================================================================================
+
+# Feature Toggle
+ENABLE_CI_GUARDIAN=false
+
+# Tool Versions (pinned for reproducibility)
+GUARDIAN_ACT_VERSION=v0.2.84
+GUARDIAN_ACTIONLINT_VERSION=v1.7.10
+GUARDIAN_GO_SARIF_VERSION=v3.3.0
+
+# Execution Settings
+GUARDIAN_SCENARIO_TIMEOUT=30s
+GUARDIAN_STATIC_TIMEOUT=5s
+GUARDIAN_PARALLEL_SCENARIOS=1
+
+# Output Configuration
+GUARDIAN_OUTPUT_DIR=.mage-x
+GUARDIAN_SARIF_OUTPUT=guardian.sarif
+GUARDIAN_JSONL_OUTPUT=ci-results.jsonl
+
+# Policy Configuration
+GUARDIAN_EXCEPTIONS_FILE=.github/guardian.yaml
+GUARDIAN_POLICY_STRICT=true
+
+# Debug Settings
+GUARDIAN_VERBOSE=false
+GUARDIAN_DRY_RUN=false
+GUARDIAN_KEEP_CONTAINERS=false
@@ -1,6 +1,13 @@
 # ------------------------------------------------------------------------------------
 #  Cancel Workflow On Failure (Composite Action) (GoFortress)
 #
+#  NOTE: This action is currently NOT IN USE. It was disabled because GitHub's
+#  cancel API overwrites the "failed" status with "cancelled" on the job that
+#  triggered it, making it impossible to identify which job actually failed.
+#
+#  The action is kept for potential future use in scenarios where the trade-off
+#  (faster cancellation vs clear failure visibility) is acceptable.
+#
 #  Purpose: Provide a reusable action that cancels the entire workflow run when
 #  a critical job fails. This prevents wasting CI resources on parallel jobs
 #  that will ultimately be invalidated by an earlier failure.
@@ -58,6 +65,23 @@ inputs:
     description: "GitHub token with actions:write permission (defaults to GITHUB_TOKEN)"
     required: false
     default: ""
+  # Failure context inputs for enhanced job summary
+  failed-job:
+    description: "Name of the job that failed (for prominent display)"
+    required: false
+    default: ""
+  failed-step:
+    description: "Name of the step that failed"
+    required: false
+    default: ""
+  failure-tool:
+    description: "Tool that detected the failure (e.g., 'go vet', 'golangci-lint')"
+    required: false
+    default: ""
+  failure-summary:
+    description: "Brief summary of what failed (e.g., '3 issues detected')"
+    required: false
+    default: ""
 
 outputs:
   cancelled:
@@ -88,6 +112,11 @@ runs:
         GITHUB_JOB: ${{ github.job }}
         GITHUB_WORKFLOW: ${{ github.workflow }}
         GITHUB_API_URL: ${{ github.api_url }}
+        # Failure context for enhanced job summary
+        FAILED_JOB: ${{ inputs.failed-job }}
+        FAILED_STEP: ${{ inputs.failed-step }}
+        FAILURE_TOOL: ${{ inputs.failure-tool }}
+        FAILURE_SUMMARY: ${{ inputs.failure-summary }}
       run: |
         # Note: Using set -uo pipefail (but not -e):
         #   -e is avoided so we can handle errors (like curl failures and HTTP status codes) explicitly
@@ -261,19 +290,73 @@ runs:
           STATUS_CELL_VALUE="⚠️ HTTP $HTTP_STATUS"
         fi
 
+        # Derive summary heading from actual outcome
+        if [[ "$HTTP_STATUS" == "202" ]]; then
+          SUMMARY_HEADING="## 🚨 Workflow Cancelled: Critical Failure Detected"
+        else
+          SUMMARY_HEADING="## ⚠️ Cancellation Skipped: Critical Failure Detected"
+        fi
+
         # Add to job summary (always, regardless of success/failure)
+        # Enhanced summary with prominent failure origin when context is provided
         {
-          echo "## 🚨 Workflow Cancellation"
+          echo "$SUMMARY_HEADING"
+          echo ""
+
+          # Show prominent failure origin if context was provided
+          if [[ -n "$FAILED_JOB" || -n "$FAILED_STEP" || -n "$FAILURE_TOOL" || -n "$FAILURE_SUMMARY" ]]; then
+            echo "### ❌ Failure Origin"
+            echo ""
+            echo "| | |"
+            echo "|---|---|"
+            if [[ -n "$FAILED_JOB" ]]; then
+              # Escape markdown special characters in FAILED_JOB
+              FAILED_JOB_MD=$FAILED_JOB
+              FAILED_JOB_MD=${FAILED_JOB_MD//\\/\\\\}
+              FAILED_JOB_MD=${FAILED_JOB_MD//|/\\|}
+              FAILED_JOB_MD=${FAILED_JOB_MD//\`/\\\`}
+              echo "| **Job** | $FAILED_JOB_MD |"
+            fi
+            if [[ -n "$FAILED_STEP" ]]; then
+              # Escape markdown special characters in FAILED_STEP
+              FAILED_STEP_MD=$FAILED_STEP
+              FAILED_STEP_MD=${FAILED_STEP_MD//\\/\\\\}
+              FAILED_STEP_MD=${FAILED_STEP_MD//|/\\|}
+              FAILED_STEP_MD=${FAILED_STEP_MD//\`/\\\`}
+              echo "| **Step** | $FAILED_STEP_MD |"
+            fi
+            if [[ -n "$FAILURE_TOOL" ]]; then
+              # Escape markdown special characters in FAILURE_TOOL
+              FAILURE_TOOL_MD=$FAILURE_TOOL
+              FAILURE_TOOL_MD=${FAILURE_TOOL_MD//\\/\\\\}
+              FAILURE_TOOL_MD=${FAILURE_TOOL_MD//|/\\|}
+              FAILURE_TOOL_MD=${FAILURE_TOOL_MD//\`/\\\`}
+              echo "| **Tool** | $FAILURE_TOOL_MD |"
+            fi
+            if [[ -n "$FAILURE_SUMMARY" ]]; then
+              # Escape markdown special characters in FAILURE_SUMMARY
+              FAILURE_SUMMARY_MD=$FAILURE_SUMMARY
+              FAILURE_SUMMARY_MD=${FAILURE_SUMMARY_MD//\\/\\\\}
+              FAILURE_SUMMARY_MD=${FAILURE_SUMMARY_MD//|/\\|}
+              FAILURE_SUMMARY_MD=${FAILURE_SUMMARY_MD//\`/\\\`}
+              echo "| **Reason** | $FAILURE_SUMMARY_MD |"
+            fi
+            echo ""
+            echo "---"
+            echo ""
+          fi
+
+          echo "### Workflow Cancellation Details"
           echo ""
           echo "| Detail | Value |"
           echo "|--------|-------|"
-          echo "| **Reason** | $CANCEL_REASON_MD |"
           echo "| **Triggered by** | \`$GITHUB_JOB\` |"
           echo "| **Run ID** | $GITHUB_RUN_ID |"
           echo "| **Status** | $STATUS_CELL_VALUE |"
+          echo "| **Cancellation reason** | $CANCEL_REASON_MD |"
           echo ""
           if [[ "$HTTP_STATUS" == "202" ]]; then
-            echo "This cancellation was triggered to save CI resources after a critical failure."
+            echo "> This cancellation was triggered to save CI resources. Other parallel jobs were stopped."
           elif [[ "$HTTP_STATUS" == "403" ]]; then
             echo "⚠️ **Permission Issue**: Add \`actions: write\` permission to enable cancellation."
           elif [[ "$HTTP_STATUS" == "409" ]]; then

@@ -206,11 +206,12 @@ runs:
         echo "🔑 Cache keys computed successfully"
 
     # --------------------------------------------------------------------
-    # Restore Go module cache (shared across versions)
+    # Go module cache (shared across versions)
+    # Uses actions/cache@v4 which handles both restore and save
     # --------------------------------------------------------------------
-    - name: 💾 Restore Go module cache
+    - name: 💾 Go module cache
       id: restore-gomod
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
         path: ~/go/pkg/mod
         key: ${{ steps.cache-keys.outputs.module-key }}
@@ -279,11 +280,12 @@ runs:
         echo "============================================================"
 
     # --------------------------------------------------------------------
-    # Restore Go build cache (per-version)
+    # Go build cache (per-version)
+    # Uses actions/cache@v4 which handles both restore and save
     # --------------------------------------------------------------------
-    - name: 💾 Restore Go build cache
+    - name: 💾 Go build cache
       id: restore-gobuild
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
         path: |
           ~/.cache/go-build

@@ -46,7 +46,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11
+        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11
+        uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
       #    uses a compiled language
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11
+        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
@@ -394,7 +394,7 @@ jobs:
         with:
           name: bench-stats-${{ matrix.os }}-${{ matrix.go-version }}
           path: bench-stats-${{ matrix.os }}-${{ matrix.go-version }}.json
-          retention-days: 1
+          retention-days: 7
 
       # --------------------------------------------------------------------
       # Upload raw benchmark results

@@ -66,7 +66,6 @@ jobs:
     runs-on: ${{ inputs.primary-runner }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     steps:
       # --------------------------------------------------------------------
       # Checkout code (required for local actions)
@@ -270,15 +269,6 @@ jobs:
           echo "❌ Go vet detected static analysis issues"
           exit 1
 
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Go vet static analysis failed"
-
   # ----------------------------------------------------------------------------------
   # Lint (Code Linting)
   # ----------------------------------------------------------------------------------
@@ -289,7 +279,6 @@ jobs:
     runs-on: ${{ inputs.primary-runner }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     outputs:
       golangci-lint-version: ${{ steps.golangci-lint-version.outputs.version }}
     steps:
@@ -568,15 +557,6 @@ jobs:
           echo "❌ Lint detected code quality issues"
           exit 1
 
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "Code linting (golangci-lint) failed"
-
   # ----------------------------------------------------------------------------------
   # YAML/JSON Format Validation (MAGE-X)
   # ----------------------------------------------------------------------------------
@@ -586,7 +566,6 @@ jobs:
     runs-on: ${{ inputs.primary-runner }}
     permissions:
       contents: read
-      actions: write # Required for workflow cancellation on failure
     outputs:
       yamlfmt-version: ${{ steps.yamlfmt-version.outputs.version }}
     steps:
@@ -801,12 +780,3 @@ jobs:
         run: |
           echo "❌ Format check detected YAML/JSON formatting issues"
           exit 1
-
-      # --------------------------------------------------------------------
-      # Cancel workflow on failure (save CI resources)
-      # --------------------------------------------------------------------
-      - name: 🚨 Cancel workflow on failure
-        if: failure()
-        uses: ./.github/actions/cancel-workflow-on-failure
-        with:
-          reason: "YAML/JSON format validation failed"
@@ -697,7 +697,7 @@ jobs:
         with:
           artifact-name: "statistics-section"
           artifact-path: "statistics-section.md"
-          retention-days: "1"
+          retention-days: "7"
           if-no-files-found: "warn"
 
       - name: 📋 Set Output Content

@@ -465,7 +465,7 @@ jobs:
         with:
           artifact-name: "tests-section"
           artifact-path: "tests-section.md"
-          retention-days: "1"
+          retention-days: "7"
           if-no-files-found: "warn"
 
       - name: 📋 Set Output Content

@@ -51,6 +51,9 @@ on:
       CODECOV_TOKEN:
         description: "Codecov token for uploading coverage (required when coverage-provider is codecov)"
         required: false
+      GH_PAT_TOKEN:
+        description: "Personal access token for enhanced GitHub API access (optional, falls back to github-token)"
+        required: false
 
 # Security: Restrict default permissions (jobs must explicitly request what they need)
 permissions: {}
@@ -2511,4 +2514,4 @@ jobs:
         with:
           name: coverage-stats-codecov
           path: coverage-stats-codecov-*.json
-          retention-days: 1
+          retention-days: 7