Add CI pipeline for testing and style checks

Author: mtodor

.github/workflows/style.yml

@@ -0,0 +1,35 @@
+name: Style
+
+on:
+  push:
+    tags:
+      - '*'
+    branches:
+      - main
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  style:
+    name: Code Style Checks
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.24'
+
+      - name: Check code formatting
+        run: make fmt-check
+
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v8
+        with:
+          version: v2.6

.github/workflows/test.yml

@@ -0,0 +1,40 @@
+name: Test
+
+on:
+  push:
+    tags:
+      - '*'
+    branches:
+      - main
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  test:
+    name: Run Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.24'
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Run tests with coverage
+        run: make test
+
+#      - name: Upload coverage to Codecov
+#        uses: codecov/codecov-action@v4
+#        with:
+#          file: ./coverage.out
+#          token: ${{ secrets.CODECOV_TOKEN }}
+#          fail_ci_if_error: false

.gitignore

@@ -8,3 +8,6 @@
 
 # Build output
 /stackrox-mcp
+
+# Lint output
+/report.xml

.golangci.yml

@@ -0,0 +1,205 @@
+version: "2"
+run:
+  timeout: 240m
+  go: "1.24"
+  build-tags:
+    - integration
+    - scanner_db_integration
+    - sql_integration
+    - test_e2e
+  modules-download-mode: readonly
+output:
+  formats:
+    text:
+      path: stdout
+    junit-xml:
+      path: report.xml
+linters:
+  # please, do not use `enable-all`: it's deprecated and will be removed soon.
+  # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
+  default: none
+  enable:
+    - asciicheck
+    - copyloopvar
+    - errcheck
+    - forbidigo
+    - gocritic
+    - exptostd
+    - gosec
+    - govet
+    - ineffassign
+    - nolintlint
+    - protogetter
+    - revive # replaces golint
+    - rowserrcheck
+    - staticcheck
+    - wrapcheck
+  # - nakedret TODO: add in follow-up
+  # - unconvert TODO: add in follow-up
+  # - unparam TODO: add in follow-up
+  # - unused // enabled in Makefile as it fails with release tag
+    - usestdlibvars
+  settings:
+    errcheck:
+      disable-default-exclusions: false
+      check-type-assertions: false
+      check-blank: false
+      exclude-functions:
+        - (*bytes.Buffer).WriteString
+        - (*strings.Builder).WriteByte
+        - (*strings.Builder).WriteRune
+        - (*strings.Builder).WriteString
+        - fmt.Fprint
+        - fmt.Fprintf
+        - fmt.Fprintln
+        - fmt.Print
+        - fmt.Printf
+        - fmt.Println
+        - github.com/stackrox/rox/pkg/utils.Should
+    forbidigo:
+      forbid:
+        - pattern: ^print\(.*\)$
+        - pattern: fmt\.Print.*(# Disallowed function used\. Use environments functions for printing or to a specific writer from environment\.InputOutput\(\)\.)?
+        - pattern: os\.Stdout(# Disallowed output streams used\. Use environment\.InputOutput\(\).Out instead\.)?
+        - pattern: os\.Stderr(# Disallowed output streams used\. Use environment\.InputOutput\(\).ErrOut instead\.)?
+        - pattern: os\.Stdin(# Disallowed output streams used\. Use environment\.InputOutput\(\).In instead\.)?
+    gocritic:
+      disabled-checks:
+        - appendAssign
+        - argOrder
+        - assignOp
+        - captLocal
+        - dupArg
+        - elseif
+        - exitAfterDefer
+        - ifElseChain
+        - mapKey
+        - singleCaseSwitch
+        - unlambda
+        - wrapperFunc
+    gosec:
+      includes:
+        - G101
+        - G102
+        - G103
+        - G104
+        - G106
+        - G108
+        - G109
+        - G111
+        - G201
+        - G202
+        - G203
+        - G303
+        - G307
+        - G403
+        - G502
+        - G503
+        - G504
+        - G601
+    govet:
+      disable:
+        - shadow
+        - fieldalignment
+      enable-all: true
+      settings:
+        printf:
+          funcs:
+            - Print
+            - Printf
+            - Println
+            - Debug
+            - Debugf
+            - Info
+            - Infof
+            - Warn
+            - Warnf
+            - Error
+            - Errorf
+            - github.com/stackrox/rox/migrator/log.WritetoStderr
+            - github.com/stackrox/rox/migrator/log.WritetoStderrf
+    nolintlint:
+      require-explanation: false
+      require-specific: true
+      allow-unused: false
+    revive:
+      rules:
+        - name: package-comments
+          disabled: true
+        - name: error-strings
+          disabled: true
+        - name: unexported-return
+          disabled: true
+    staticcheck:
+      checks:
+      - all
+      - -QF1001
+      - -QF1002
+      - -QF1003
+      - -QF1006
+      - -QF1007
+      - -QF1008
+      - -QF1009
+      - -QF1011
+      - -QF1012
+      - -SA1019
+      - -SA4001
+      - -ST1000
+      - -ST1001
+      - -ST1003
+      - -ST1005
+      - -ST1017
+      - -ST1019
+      - -ST1020
+      - -ST1021
+      - -ST1022
+      - -ST1023
+    wrapcheck:
+      ignore-sig-regexps:
+        - \(\*github\.com\/stackrox\/rox\/pkg\/errorhelpers\.ErrorList\)\.ToError\(\)
+        - backoff.Retry.*
+        - concurrency\.WithLock.*
+        - errox\..+\.CausedBy(f)?
+        - policy\.NewErr.*
+        - retry\.MakeRetryable
+        - retry\.WithRetry
+        - status\.Error
+        - utils\.Should
+  exclusions:
+    generated: lax
+    rules:
+      - linters:
+          - wrapcheck
+        path: ^(central|compliance|integration-tests|local|migrator|operator|pkg|scanner|sensor/tests/helper|tests|tools|scale)/
+      - linters:
+          - forbidigo
+        path: (central/graphql/schema/print|compliance|integration-tests|local|migrator|operator|pkg|scanner|sensor|tests|tools|scale|govulncheck|compliance/virtualmachines/agent)/
+      - linters:
+          - forbidigo
+        path: roxctl/central/generate/interactive.go
+      - linters:
+          - forbidigo
+          - wrapcheck
+        path: _test\.go
+      - linters:
+          - forbidigo
+        path: roxctl/common/io/io\.go # io.go will by default use os.Stdin/os.StdErr.
+    paths:
+      - pkg/complianceoperator/api
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - pkg/complianceoperator/api
+      - third_party$
+      - builtin$
+      - examples$

Makefile

@@ -0,0 +1,55 @@
+# Default target
+.DEFAULT_GOAL := help
+
+# Binary name
+BINARY_NAME=stackrox-mcp
+
+# Go parameters
+GOCMD=go
+GOBUILD=$(GOCMD) build
+GOTEST=$(GOCMD) test
+GOFMT=$(GOCMD) fmt
+GOCLEAN=$(GOCMD) clean
+
+# Coverage files
+COVERAGE_OUT=coverage.out
+
+# Lint files
+LINT_OUT=report.xml
+
+.PHONY: help
+help: ## Display this help message
+	@echo "Available targets:"
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: build
+build: ## Build the binary
+	$(GOBUILD) -o $(BINARY_NAME) ./cmd/stackrox-mcp
+
+.PHONY: test
+test: ## Run unit tests with coverage
+	$(GOTEST) -v -cover -coverprofile=$(COVERAGE_OUT) ./...
+
+.PHONY: fmt
+fmt: ## Format Go code
+	$(GOFMT) ./...
+
+.PHONY: fmt-check
+fmt-check: ## Check if Go code is formatted (fails if not)
+	@if [ -n "$$(gofmt -l .)" ]; then \
+		echo "The following files are not formatted:"; \
+		gofmt -l .; \
+		exit 1; \
+	fi
+
+.PHONY: lint
+lint: ## Run golangci-lint
+	go install -v "github.com/golangci/golangci-lint/v2/cmd/[email protected]"
+	golangci-lint run
+
+.PHONY: clean
+clean: ## Clean build artifacts and coverage files
+	$(GOCLEAN)
+	rm -f $(BINARY_NAME)
+	rm -f $(COVERAGE_OUT)
+	rm -f $(LINT_OUT)