dbos-inc · maxdml · Aug 14, 2025 · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,52 @@
+name: Security Checks
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+    types:
+      - ready_for_review
+      - opened
+      - reopened
+      - synchronize
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Setup Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: '1.25.x'
+
+    - name: Cache Go modules
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/go/pkg/mod
+          ~/.cache/go-build
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Download dependencies
+      run: go mod download
+
+    - name: Install security tools
+      run: |
+        go install golang.org/x/vuln/cmd/govulncheck@latest
+        go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+    - name: Run govulncheck
+      run: govulncheck ./...
+
+    - name: Run gosec
+      run: gosec ./...
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -42,7 +42,7 @@ jobs:
     - name: Setup Go
       uses: actions/setup-go@v5
       with:
-        go-version: '1.23.x'
+        go-version: '1.25.x'
 
     - name: Cache Go modules
       uses: actions/cache@v4
@@ -61,7 +61,7 @@ jobs:
       run: go install gotest.tools/gotestsum@latest
 
     - name: Run tests
-      run: gotestsum --format github-action -- -race ./...
+      run: go vet ./... && gotestsum --format github-action -- -race ./...
       working-directory: ./dbos
       env:
         PGPASSWORD: a!b@c$d()e*_,/:;=?@ff[]22

diff --git a/README.md b/README.md
@@ -3,11 +3,12 @@
 [![Go Reference](https://pkg.go.dev/badge/github.com/dbos-inc/dbos-transact-go.svg)](https://pkg.go.dev/github.com/dbos-inc/dbos-transact-go)
 [![Go Report Card](https://goreportcard.com/badge/github.com/dbos-inc/dbos-transact-go)](https://goreportcard.com/report/github.com/dbos-inc/dbos-transact-go)
 [![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/dbos-inc/dbos-transact-go?sort=semver)](https://github.com/dbos-inc/dbos-transact-go/releases)
+[![Join Discord](https://img.shields.io/badge/Discord-Join%20Chat-5865F2?logo=discord&logoColor=white)](https://discord.com/invite/jsmC6pXGgX)
 
 
 # DBOS Transact: Lightweight Durable Workflow Orchestration with Postgres
 
-#### [Documentation](https://docs.dbos.dev/) &nbsp;&nbsp;•&nbsp;&nbsp;  [Examples](https://docs.dbos.dev/examples) &nbsp;&nbsp;•&nbsp;&nbsp; [Github](https://github.com/dbos-inc) &nbsp;&nbsp;•&nbsp;&nbsp; [Discord](https://discord.com/invite/jsmC6pXGgX)
+#### [Documentation](https://docs.dbos.dev/) &nbsp;&nbsp;•&nbsp;&nbsp;  [Examples](https://docs.dbos.dev/examples) &nbsp;&nbsp;•&nbsp;&nbsp; [Github](https://github.com/dbos-inc)
 </div>
 
 #### This Golang version of DBOS Transact is in Alpha!

diff --git a/dbos/admin_server.go b/dbos/admin_server.go
@@ -10,28 +10,37 @@ import (
 )
 
 const (
-	healthCheckPath            = "/dbos-healthz"
-	workflowRecoveryPath       = "/dbos-workflow-recovery"
-	workflowQueuesMetadataPath = "/dbos-workflow-queues-metadata"
+	_HEALTHCHECK_PATH              = "/dbos-healthz"
+	_WORKFLOW_RECOVERY_PATH        = "/dbos-workflow-recovery"
+	_WORKFLOW_QUEUES_METADATA_PATH = "/dbos-workflow-queues-metadata"
+
+	_ADMIN_SERVER_READ_HEADER_TIMEOUT = 5 * time.Second
+	_ADMIN_SERVER_SHUTDOWN_TIMEOUT    = 10 * time.Second
 )
 
 type adminServer struct {
 	server *http.Server
 	logger *slog.Logger
+	port   int
 }
 
 func newAdminServer(ctx *dbosContext, port int) *adminServer {
 	mux := http.NewServeMux()
 
 	// Health endpoint
-	mux.HandleFunc(healthCheckPath, func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(_HEALTHCHECK_PATH, func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
-		w.Write([]byte(`{"status":"healthy"}`))
+		_, err := w.Write([]byte(`{"status":"healthy"}`))
+		if err != nil {
+			ctx.logger.Error("Error writing health check response", "error", err)
+			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
 	})
 
 	// Recovery endpoint
-	mux.HandleFunc(workflowRecoveryPath, func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(_WORKFLOW_RECOVERY_PATH, func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodPost {
 			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 			return
@@ -67,7 +76,7 @@ func newAdminServer(ctx *dbosContext, port int) *adminServer {
 	})
 
 	// Queue metadata endpoint
-	mux.HandleFunc(workflowQueuesMetadataPath, func(w http.ResponseWriter, r *http.Request) {
+	mux.HandleFunc(_WORKFLOW_QUEUES_METADATA_PATH, func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodGet {
 			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
 			return
@@ -84,18 +93,20 @@ func newAdminServer(ctx *dbosContext, port int) *adminServer {
 	})
 
 	server := &http.Server{
-		Addr:    fmt.Sprintf(":%d", port),
-		Handler: mux,
+		Addr:              fmt.Sprintf(":%d", port),
+		Handler:           mux,
+		ReadHeaderTimeout: _ADMIN_SERVER_READ_HEADER_TIMEOUT,
 	}
 
 	return &adminServer{
 		server: server,
 		logger: ctx.logger,
+		port:   port,
 	}
 }
 
 func (as *adminServer) Start() error {
-	as.logger.Info("Starting admin server", "port", 3001)
+	as.logger.Info("Starting admin server", "port", as.port)
 
 	go func() {
 		if err := as.server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
@@ -109,8 +120,8 @@ func (as *adminServer) Start() error {
 func (as *adminServer) Shutdown(ctx context.Context) error {
 	as.logger.Info("Shutting down admin server")
 
-	// XXX consider moving the grace period to DBOSContext.Shutdown()
-	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	// Note: consider moving the grace period to DBOSContext.Shutdown()
+	ctx, cancel := context.WithTimeout(ctx, _ADMIN_SERVER_SHUTDOWN_TIMEOUT)
 	defer cancel()
 
 	if err := as.server.Shutdown(ctx); err != nil {

diff --git a/dbos/admin_server_test.go b/dbos/admin_server_test.go
@@ -38,7 +38,7 @@ func TestAdminServer(t *testing.T) {
 
 		// Verify admin server is not running
 		client := &http.Client{Timeout: 1 * time.Second}
-		_, err = client.Get("http://localhost:3001" + healthCheckPath)
+		_, err = client.Get("http://localhost:3001" + _HEALTHCHECK_PATH)
 		require.Error(t, err, "Expected request to fail when admin server is not started")
 
 		// Verify the DBOS executor doesn't have an admin server instance
@@ -89,13 +89,13 @@ func TestAdminServer(t *testing.T) {
 			{
 				name:           "Health endpoint responds correctly",
 				method:         "GET",
-				endpoint:       "http://localhost:3001" + healthCheckPath,
+				endpoint:       "http://localhost:3001" + _HEALTHCHECK_PATH,
 				expectedStatus: http.StatusOK,
 			},
 			{
 				name:           "Recovery endpoint responds correctly with valid JSON",
 				method:         "POST",
-				endpoint:       "http://localhost:3001" + workflowRecoveryPath,
+				endpoint:       "http://localhost:3001" + _WORKFLOW_RECOVERY_PATH,
 				body:           bytes.NewBuffer(mustMarshal([]string{"executor1", "executor2"})),
 				contentType:    "application/json",
 				expectedStatus: http.StatusOK,
@@ -109,21 +109,21 @@ func TestAdminServer(t *testing.T) {
 			{
 				name:           "Recovery endpoint rejects invalid methods",
 				method:         "GET",
-				endpoint:       "http://localhost:3001" + workflowRecoveryPath,
+				endpoint:       "http://localhost:3001" + _WORKFLOW_RECOVERY_PATH,
 				expectedStatus: http.StatusMethodNotAllowed,
 			},
 			{
 				name:           "Recovery endpoint rejects invalid JSON",
 				method:         "POST",
-				endpoint:       "http://localhost:3001" + workflowRecoveryPath,
+				endpoint:       "http://localhost:3001" + _WORKFLOW_RECOVERY_PATH,
 				body:           strings.NewReader(`{"invalid": json}`),
 				contentType:    "application/json",
 				expectedStatus: http.StatusBadRequest,
 			},
 			{
 				name:           "Queue metadata endpoint responds correctly",
 				method:         "GET",
-				endpoint:       "http://localhost:3001" + workflowQueuesMetadataPath,
+				endpoint:       "http://localhost:3001" + _WORKFLOW_QUEUES_METADATA_PATH,
 				expectedStatus: http.StatusOK,
 				validateResp: func(t *testing.T, resp *http.Response) {
 					var queueMetadata []WorkflowQueue
@@ -149,7 +149,7 @@ func TestAdminServer(t *testing.T) {
 			{
 				name:           "Queue metadata endpoint rejects invalid methods",
 				method:         "POST",
-				endpoint:       "http://localhost:3001" + workflowQueuesMetadataPath,
+				endpoint:       "http://localhost:3001" + _WORKFLOW_QUEUES_METADATA_PATH,
 				expectedStatus: http.StatusMethodNotAllowed,
 			},
 		}