diff --git a/.github/.env.base b/.github/.env.base deleted file mode 100644 index 98d07a8..0000000 --- a/.github/.env.base +++ /dev/null 
@@ -1,549 +0,0 @@ -# ================================================================================================ -# 🏰 GoFortress Base Configuration (.env.base) -# ================================================================================================ -# -# Purpose: Base configuration defaults for GoFortress CI/CD workflows and tools. -# This file contains the standard configuration that works for most Go projects. -# -# Override Strategy: -# - This file (.env.base) contains DEFAULT values for all configuration -# - Project-specific overrides go in .env.custom (optional) -# - .env.custom values take precedence over .env.base values -# -# Tools: -# - GoFortress -# - GoBroadcast -# - GoCoverage -# - GoPreCommit -# - MAGE-X -# - Gitleaks, Nancy, Govulncheck -# - GitHub Workflows (Dependabot, Stale, Sync Labels, Auto-Merge, PR Management) -# - Redis Service (optional) -# -# Maintainer: @mrz1836 -# -# ================================================================================================ - -# ================================================================================================ -# 🎯 GO VERSION CONFIGURATION -# ================================================================================================ - -# Primary Go version for builds and primary test runner -# This version is used for coverage, benchmarks, and release builds -GO_PRIMARY_VERSION=1.24.x - -# Secondary Go version for compatibility testing -# Set to same as primary to test with single version only -GO_SECONDARY_VERSION=1.24.x - -# Govulncheck-specific Go version for vulnerability scanning -# Uses newer Go version for accurate standard library vulnerability detection -# Override this in .env.custom if needed for compatibility -GOVULNCHECK_GO_VERSION=1.25.7 - -# ================================================================================================ -# πŸ“¦ GO MODULE CONFIGURATION -# 
================================================================================================ - -# Go sum file location for dependency verification and caching -# Default: go.sum (standard location in repository root) -# NOTE: For multi-module monorepos (go.work), set ENABLE_MULTI_MODULE_TESTING=true -# GO_SUM_FILE is still required but will be ignored for caching (uses **/go.sum pattern instead) -GO_SUM_FILE=go.sum - -# Multi-module monorepo support -# When true: runs tests from repo root, magex discovers all Go modules and merges coverage -# Cache keys use **/go.sum pattern (no root go.sum required), skips root go.sum validation -# When false: runs tests from GO_MODULE_DIR (derived from GO_SUM_FILE path) -ENABLE_MULTI_MODULE_TESTING=false - -# ================================================================================================ -# πŸ–₯️ RUNNER CONFIGURATION -# ================================================================================================ - -# https://docs.github.com/en/actions/reference/runners/github-hosted-runners - -# Primary runner OS for most CI jobs -# Options: ubuntu-24.04, ubuntu-22.04, macos-15 -# Note: macOS runners are 10x more expensive than Linux -PRIMARY_RUNNER=ubuntu-24.04 - -# Secondary runner for cross-platform compatibility testing -# Set identical to PRIMARY_RUNNER for single-OS testing -SECONDARY_RUNNER=ubuntu-24.04 - -# ================================================================================================ -# πŸ”‘ GITHUB TOKEN CONFIGURATION -# ================================================================================================ - -# Preferred GitHub token for API operations -# GH_PAT_TOKEN: Personal Access Token (5000 requests/hour) - requires secret -# GITHUB_TOKEN: Default workflow token (1000 requests/hour) - always available -PREFERRED_GITHUB_TOKEN=GH_PAT_TOKEN - -# ================================================================================================ -# ✨ FEATURE FLAGS -# 
================================================================================================ - -# Core Features -ENABLE_BENCHMARKS=true # Run benchmark tests -ENABLE_CACHE_WARMING=true # Warm Go module and build caches -ENABLE_CODE_COVERAGE=true # Generate coverage reports via go-coverage -ENABLE_FUZZ_TESTING=true # Run fuzz tests (Go 1.18+) -ENABLE_GO_TESTS=true # Run Go test suite (unit, integration, matrix) -ENABLE_RACE_DETECTION=true # Enable Go race detector -ENABLE_STATIC_ANALYSIS=true # Run go vet analysis -ENABLE_VERBOSE_TEST_OUTPUT=false # Verbose test output (can slow CI) - -# Code Quality Tools -ENABLE_GO_LINT=true # Run MAGE-X linter (golangci-lint) -ENABLE_GO_PRE_COMMIT=true # Run go-pre-commit checks -ENABLE_YAML_LINT=true # Validate YAML with yamlfmt (Go-based) - -# Security Scanning -ENABLE_SECURITY_SCAN_GITLEAKS=true # Scan for leaked secrets -ENABLE_SECURITY_SCAN_GOVULNCHECK=true # Go vulnerability scanning -ENABLE_SECURITY_SCAN_NANCY=true # Dependency vulnerability checks - -# Documentation & Publishing -ENABLE_GODOCS_PUBLISHING=true # Publish to pkg.go.dev on tag/releases - -# Workflow Reporting -ENABLE_COMPLETION_REPORT=true # Generate workflow completion report (adds 2-4 min) - -# ================================================================================================ -# πŸ“¦ ARTIFACT DOWNLOAD CONFIGURATION -# ================================================================================================ - -# Artifact Download Resilience Settings -ARTIFACT_DOWNLOAD_RETRIES=3 # Number of retry attempts for failed downloads -ARTIFACT_DOWNLOAD_RETRY_DELAY=10 # Initial retry delay in seconds (uses exponential backoff) -ARTIFACT_DOWNLOAD_TIMEOUT=300 # Download timeout in seconds (5 minutes) -ARTIFACT_DOWNLOAD_CONTINUE_ON_ERROR=true # Continue workflow execution even if artifact download fails (required for fork PRs) - -# ================================================================================================ -# βš™οΈ BENCHMARK 
& TEST CONFIGURATION -# ================================================================================================ - -# Benchmark execution timeout in minutes -BENCHMARK_TIMEOUT=20 - -# Benchmark mode (Options: quick, full, normal) -BENCHMARK_MODE=quick - -# Test Execution Timeouts -TEST_TIMEOUT=30m # Go test timeout for standard tests -TEST_TIMEOUT_RACE_COVER=30m # Timeout for tests with race+coverage (most intensive) -TEST_TIMEOUT_UNIT=20m # Timeout for unit tests only -TEST_TIMEOUT_FUZZ=5m # Timeout for fuzz tests - -# ================================================================================================ -# πŸ“Š GO-COVERAGE SYSTEM CONFIGURATION -# ================================================================================================ - -# Coverage Provider Selection -# Options: internal (go-coverage with GitHub Pages), codecov (external service) -# If you use codecov, set CODECOV_TOKEN in your repository secrets -GO_COVERAGE_PROVIDER=internal - -# Codecov Configuration (only used when provider=codecov) -CODECOV_TOKEN_REQUIRED=false - -# Go Coverage Tool Version -GO_COVERAGE_VERSION=v1.2.0 # https://github.com/mrz1836/go-coverage/releases -GO_COVERAGE_USE_LOCAL=false # Use local version for development - -# Core Coverage Settings -GO_COVERAGE_INPUT_FILE=coverage.txt -GO_COVERAGE_OUTPUT_DIR=. 
-GO_COVERAGE_THRESHOLD=65.0 -GO_COVERAGE_ALLOW_LABEL_OVERRIDE=true - -# Coverage Exclusions -GO_COVERAGE_EXCLUDE_PATHS=test/,vendor/,testdata/ -GO_COVERAGE_EXCLUDE_FILES=*_test.go,*.pb.go -GO_COVERAGE_EXCLUDE_TESTS=true -GO_COVERAGE_EXCLUDE_GENERATED=true - -# GitHub Integration -GO_COVERAGE_POST_COMMENTS=true -GO_COVERAGE_CREATE_STATUSES=true -GO_COVERAGE_SKIP_URL_CHECKS=false -GO_COVERAGE_FAIL_ON_URL_ERRORS=true -GO_COVERAGE_URL_CHECK_TIMEOUT=300 - -# Badge Configuration -GO_COVERAGE_BADGE_STYLE=flat -GO_COVERAGE_BADGE_LABEL=coverage -GO_COVERAGE_BADGE_LOGO=2fas -GO_COVERAGE_BADGE_LOGO_COLOR=white -GO_COVERAGE_BADGE_OUTPUT=coverage.svg -GO_COVERAGE_BADGE_TREND=false - -# Report Configuration -GO_COVERAGE_REPORT_OUTPUT=coverage.html -GO_COVERAGE_REPORT_TITLE="Coverage Report" -GO_COVERAGE_REPORT_THEME=github-dark -GO_COVERAGE_REPORT_PACKAGES=true -GO_COVERAGE_REPORT_FILES=true -GO_COVERAGE_REPORT_MISSING=true - -# History Tracking -GO_COVERAGE_HISTORY_ENABLED=true -GO_COVERAGE_HISTORY_PATH=history -GO_COVERAGE_HISTORY_RETENTION=90 -GO_COVERAGE_HISTORY_MAX_ENTRIES=1000 -GO_COVERAGE_HISTORY_CLEANUP=true -GO_COVERAGE_HISTORY_METRICS=true - -# Storage Configuration -GO_COVERAGE_BASE_DIR=. 
-GO_COVERAGE_AUTO_CREATE_DIRS=true -GO_COVERAGE_FILE_MODE=644 -GO_COVERAGE_DIR_MODE=755 - -# Logging Configuration -GO_COVERAGE_LOG_LEVEL=INFO -GO_COVERAGE_LOG_FORMAT=text -GO_COVERAGE_LOG_ENABLED=true - -# ================================================================================================ -# πŸ—„οΈ REDIS SERVICE CONFIGURATION -# ================================================================================================ - -# Redis Service Control -ENABLE_REDIS_SERVICE=false # Enable Redis service container for tests/benchmarks -REDIS_SERVICE_MODE=never # Options: auto, always, never (auto = enabled if redis tests detected) - -# Redis Version Configuration -REDIS_VERSION=7-alpine # Redis Docker image version (7-alpine, 6-alpine, latest) - -# Redis Connection Configuration -REDIS_HOST=localhost # Redis host (localhost for GitHub Actions service containers) -REDIS_PORT=6379 # Redis port (standard: 6379) - -# Redis Health Check Configuration -REDIS_TRUST_SERVICE_HEALTH=true # Trust GitHub Actions service container health checks (skip redis-cli verification) -REDIS_HEALTH_CHECK_RETRIES=10 # Number of health check retries -REDIS_HEALTH_CHECK_INTERVAL=10 # Health check interval in seconds -REDIS_HEALTH_CHECK_TIMEOUT=5 # Health check timeout in seconds - -# Redis Cache Configuration -REDIS_CACHE_FORCE_PULL=false # Force pull Redis images even when cached (true/false) - -# ================================================================================================ -# πŸͺ„ MAGE-X CONFIGURATION -# ================================================================================================ - -MAGE_X_VERSION=v1.19.2 # https://github.com/mrz1836/mage-x/releases -MAGE_X_USE_LOCAL=false # Use local version for development -MAGE_X_CI_SKIP_STEP_SUMMARY=true # Skip duplicate test results in step summary (already in test validation summary) -MAGE_X_AUTO_DISCOVER_BUILD_TAGS=true # Enable auto-discovery of build tags 
-MAGE_X_AUTO_DISCOVER_BUILD_TAGS_EXCLUDE=race,custom # Comma-separated list of tags to exclude -MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea # Format exclusion paths (comma-separated directories to exclude from formatting) -MAGE_X_GITLEAKS_VERSION=8.30.0 # https://github.com/gitleaks/gitleaks/releases -MAGE_X_GOFUMPT_VERSION=v0.9.2 # https://github.com/mvdan/gofumpt/releases -MAGE_X_GOLANGCI_LINT_VERSION=v2.8.0 # https://github.com/golangci/golangci-lint/releases -MAGE_X_GORELEASER_VERSION=v2.13.3 # https://github.com/goreleaser/goreleaser/releases -MAGE_X_GOVULNCHECK_VERSION=v1.1.4 # https://go.googlesource.com/vuln/+refs -MAGE_X_GO_SECONDARY_VERSION=1.24.x # Secondary Go version for MAGE-X (also our secondary) -MAGE_X_GO_VERSION=1.24.x # Primary Go version for MAGE-X (also our primary) -MAGE_X_MOCKGEN_VERSION=v0.6.0 # https://github.com/uber-go/mock/releases -MAGE_X_NANCY_VERSION=v1.2.0 # https://github.com/sonatype-nexus-community/nancy/releases -MAGE_X_STATICCHECK_VERSION=2025.1.1 # https://github.com/dominikh/go-tools/releases -MAGE_X_SWAG_VERSION=v1.16.6 # https://github.com/swaggo/swag/releases -MAGE_X_YAMLFMT_VERSION=v0.21.0 # https://github.com/google/yamlfmt/releases -MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260112171951-5abaabe9f1bd # https://pkg.go.dev/golang.org/x/perf/cmd/benchstat -MAGE_X_MAGE_VERSION=v1.15.0 # https://github.com/magefile/mage/releases - -# Exclude magefiles from prebuild - they require 'mage' build tag and fail without it -# MAGE_X_BUILD_EXCLUDE_PATTERN=magefiles - -# Runtime variables (set by setup-goreleaser action): -# MAGE_X_GORELEASER_PATH - Path to installed goreleaser binary -# MAGE_X_GORELEASER_INSTALLED - Set to 'true' when goreleaser is available -# MAGE_X_GORELEASER_CACHED_VERSION - Version of installed goreleaser - -# Optional Overrides (use .env.custom to override these defaults) -# MAGE_X_BINARY_NAME=magex -# MAGE_X_BUILD_BATCH_DELAY_MS=200 -# MAGE_X_BUILD_BATCH_SIZE=2 -# MAGE_X_BUILD_STRATEGY=incremental -# 
MAGE_X_BUILD_TAGS=mage -# MAGE_X_DOWNLOAD_BACKOFF=2.0 -# MAGE_X_DOWNLOAD_INITIAL_DELAY=300 -# MAGE_X_DOWNLOAD_MAX_DELAY=1000 -# MAGE_X_DOWNLOAD_RESUME=false -# MAGE_X_DOWNLOAD_RETRIES=3 -# MAGE_X_DOWNLOAD_TIMEOUT=5000 -# MAGE_X_DOWNLOAD_USER_AGENT=MAGE-X-Agent -# MAGE_X_PARALLEL=3 -# MAGE_X_TEST_EXCLUDE_MODULES=module1,module2 -# MAGE_X_TEST_RACE=false -# MAGE_X_VERBOSE=true - -# ================================================================================================ -# πŸ”’ SECURITY CONFIGURATION & TOOLS -# ================================================================================================ - -# Gitleaks Configuration -GITLEAKS_NOTIFY_USER_LIST=@mrz1836 - -# Empty = use default config -GITLEAKS_CONFIG_FILE= - -# Nancy CVE Exclusions (known acceptable vulnerabilities) (these are fake examples) -NANCY_EXCLUDES=CVE-9999-12345,CVE-9999-43210 - -# Govulncheck/Magex CVE Exclusions (known acceptable vulnerabilities) (these are fake examples) -# Format: comma-separated CVE IDs (e.g., CVE-9999-12345,CVE-9999-43210) -# Used by: magex deps:audit (govulncheck) (env or param) -# Can also be passed via: magex deps:audit exclude=CVE-9999-12345 -MAGE_X_CVE_EXCLUDES=CVE-9999-12345,CVE-9999-43210 - -# OSS Index Authentication for Nancy (optional) -# Username (email) for OSS Index authentication - reduces rate limits and provides better vulnerability data -# Get your API token from: https://ossindex.sonatype.org/user-token -# Github Secret(s): OSSI_USERNAME and OSSI_TOKEN - -# Security Tools -GITLEAKS_VERSION=8.30.0 # https://github.com/gitleaks/gitleaks/releases -GOVULNCHECK_VERSION=v1.1.4 # https://pkg.go.dev/golang.org/x/vuln -NANCY_VERSION=v1.2.0 # https://github.com/sonatype-nexus-community/nancy/releases - -# ================================================================================================ -# πŸͺ PRE-COMMIT SYSTEM CONFIGURATION (go-pre-commit) -# ================================================================================================ 
- -# Pre-Commit System -GO_PRE_COMMIT_VERSION=v1.5.2 # https://github.com/mrz1836/go-pre-commit/releases -GO_PRE_COMMIT_USE_LOCAL=false # Use local version for development - -# System Settings -GO_PRE_COMMIT_FAIL_FAST=false -GO_PRE_COMMIT_TIMEOUT_SECONDS=720 -GO_PRE_COMMIT_TOOL_INSTALL_TIMEOUT=300 -GO_PRE_COMMIT_AUTO_ADJUST_CI_TIMEOUTS=true -GO_PRE_COMMIT_PARALLEL_WORKERS=2 -GO_PRE_COMMIT_LOG_LEVEL=debug -GO_PRE_COMMIT_MAX_FILE_SIZE_MB=10 -GO_PRE_COMMIT_MAX_FILES_OPEN=100 -GO_PRE_COMMIT_DEBUG=false # Enable verbose debug output for tool caching and locations - -# File Detection Strategy for CI -# true = Check all repository files (comprehensive but slower) -# false = Check only changed files in PR/push (faster, smart detection) -GO_PRE_COMMIT_ALL_FILES=true - -# Tool Versions -GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.8.0 # https://github.com/golangci/golangci-lint/releases -GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2 # https://github.com/mvdan/gofumpt/releases -GO_PRE_COMMIT_GOIMPORTS_VERSION=latest # https://github.com/golang/tools -GO_PRE_COMMIT_GITLEAKS_VERSION=v8.30.0 # https://github.com/gitleaks/gitleaks/releases - -# Build tags for golangci-lint and other tools -GO_PRE_COMMIT_BUILD_TAGS= - -# Individual Checks -GO_PRE_COMMIT_ENABLE_FMT=true -GO_PRE_COMMIT_ENABLE_FUMPT=true -GO_PRE_COMMIT_ENABLE_GOIMPORTS=true -GO_PRE_COMMIT_ENABLE_LINT=true -GO_PRE_COMMIT_ENABLE_MOD_TIDY=true -GO_PRE_COMMIT_ENABLE_WHITESPACE=true -GO_PRE_COMMIT_ENABLE_EOF=true -GO_PRE_COMMIT_ENABLE_AI_DETECTION=true -GO_PRE_COMMIT_ENABLE_GITLEAKS=true -GO_PRE_COMMIT_GITLEAKS_ALL_FILES=false - -# Auto-staging Settings -GO_PRE_COMMIT_FMT_AUTO_STAGE=true -GO_PRE_COMMIT_FUMPT_AUTO_STAGE=true -GO_PRE_COMMIT_GOIMPORTS_AUTO_STAGE=true -GO_PRE_COMMIT_WHITESPACE_AUTO_STAGE=true -GO_PRE_COMMIT_EOF_AUTO_STAGE=true -GO_PRE_COMMIT_AI_DETECTION_AUTO_FIX=false - -# Check Timeouts (seconds) -GO_PRE_COMMIT_FMT_TIMEOUT=30 -GO_PRE_COMMIT_FUMPT_TIMEOUT=30 -GO_PRE_COMMIT_GOIMPORTS_TIMEOUT=30 -GO_PRE_COMMIT_LINT_TIMEOUT=600 
-GO_PRE_COMMIT_MOD_TIDY_TIMEOUT=60 -GO_PRE_COMMIT_WHITESPACE_TIMEOUT=30 -GO_PRE_COMMIT_EOF_TIMEOUT=30 -GO_PRE_COMMIT_AI_DETECTION_TIMEOUT=30 -GO_PRE_COMMIT_GITLEAKS_TIMEOUT=60 - -# Path Configuration -GO_PRE_COMMIT_HOOKS_PATH=.git/hooks -GO_PRE_COMMIT_EXCLUDE_PATTERNS=vendor/,node_modules/,.git/ -GO_PRE_COMMIT_COLOR_OUTPUT=false - -# Plugin System Configuration -GO_PRE_COMMIT_ENABLE_PLUGINS=true -GO_PRE_COMMIT_PLUGIN_DIR=.pre-commit-plugins -GO_PRE_COMMIT_PLUGIN_TIMEOUT=60 - -# ================================================================================================ -# πŸ“… STALE WORKFLOW CONFIGURATION -# ================================================================================================ - -STALE_DAYS_BEFORE_STALE=60 -STALE_DAYS_BEFORE_CLOSE=14 -STALE_LABEL=stale -STALE_EXEMPT_ISSUE_LABELS=work-in-progress,security,requires-manual-review -STALE_EXEMPT_PR_LABELS=work-in-progress,security,requires-manual-review -STALE_OPERATIONS_PER_RUN=300 - -# ================================================================================================ -# 🏷️ SYNC LABELS CONFIGURATION -# ================================================================================================ - -SYNC_LABELS_FILE=.github/labels.yml - -# ================================================================================================ -# πŸ€– DEPENDABOT AUTO-MERGE CONFIGURATION -# ================================================================================================ - -DEPENDABOT_MAINTAINER_USERNAME=mrz1836 -DEPENDABOT_AUTO_MERGE_PATCH=true -DEPENDABOT_AUTO_MERGE_MINOR_DEV=true -DEPENDABOT_AUTO_MERGE_MINOR_PROD=true -DEPENDABOT_AUTO_MERGE_PATCH_INDIRECT=true -DEPENDABOT_AUTO_MERGE_MINOR_INDIRECT=true -DEPENDABOT_AUTO_MERGE_SECURITY_NON_MAJOR=true -DEPENDABOT_ALERT_ON_MAJOR=true -DEPENDABOT_ALERT_ON_MINOR_PROD=true -DEPENDABOT_MANUAL_REVIEW_LABEL=requires-manual-review -DEPENDABOT_AUTO_MERGE_LABELS=automerge,dependabot - -# 
================================================================================================ -# βœ… AUTO-MERGE ON APPROVAL CONFIGURATION -# ================================================================================================ - -AUTO_MERGE_MIN_APPROVALS=1 -AUTO_MERGE_REQUIRE_ALL_REQUESTED_REVIEWS=true -AUTO_MERGE_ALLOWED_MERGE_TYPES=squash -AUTO_MERGE_DELETE_BRANCH=true -AUTO_MERGE_SKIP_DRAFT=true -AUTO_MERGE_SKIP_WIP=true -AUTO_MERGE_WIP_LABELS=work-in-progress,wip,do-not-merge,requires-manual-review,security -AUTO_MERGE_COMMENT_ON_ENABLE=true -AUTO_MERGE_COMMENT_ON_DISABLE=true -AUTO_MERGE_LABELS_TO_ADD=automerge-enabled -AUTO_MERGE_SKIP_BOT_PRS=true -AUTO_MERGE_SKIP_FORK_PRS=true -# Note: Fork PRs receive welcome comments from pull-request-management-fork.yml instead -# This setting only affects same-repo PRs (fork PRs use read-only GITHUB_TOKEN) -AUTO_MERGE_COMMENT_ON_FORK_SKIP=true -AUTO_MERGE_REQUIRE_LABEL=true -AUTO_MERGE_LABEL=automerge - -# ================================================================================================ -# πŸ“ PULL REQUEST MANAGEMENT CONFIGURATION -# ================================================================================================ - -PR_MANAGEMENT_DEFAULT_ASSIGNEE=mrz1836 -PR_MANAGEMENT_SKIP_BOT_USERS=dependabot[bot],mergify[bot],copilot[bot] -PR_MANAGEMENT_WELCOME_FIRST_TIME=true -PR_MANAGEMENT_APPLY_SIZE_LABELS=true -PR_MANAGEMENT_APPLY_TYPE_LABELS=true -PR_MANAGEMENT_CLEAN_CACHE_ON_CLOSE=true -PR_MANAGEMENT_DELETE_BRANCH_ON_MERGE=true -PR_MANAGEMENT_PROTECTED_BRANCHES=master,main,development,production - -# PR Size Thresholds -PR_MANAGEMENT_SIZE_XS_THRESHOLD=10 -PR_MANAGEMENT_SIZE_S_THRESHOLD=50 -PR_MANAGEMENT_SIZE_M_THRESHOLD=200 -PR_MANAGEMENT_SIZE_L_THRESHOLD=500 - -# ================================================================================================ -# πŸ“‘ GO-BROADCAST CONFIGURATION & AI-POWERED TEXT GENERATION -# 
================================================================================================ - -# Automerge Labels Configuration -# When using --automerge flag, these labels will be added to created PRs -# Comma-separated list of labels to apply for automatic merging -GO_BROADCAST_AUTOMERGE_LABELS=automerge - -# AI generates intelligent PR descriptions and commit messages based on diff analysis. -# Disabled by default. All AI failures fall back to static templates silently. -# Uses Google Genkit SDK with support for Anthropic, OpenAI, and Google providers. - -# Master switch - enables AI infrastructure (disabled by default) -GO_BROADCAST_AI_ENABLED=false - -# Granular controls (default to GO_BROADCAST_AI_ENABLED value) -GO_BROADCAST_AI_PR_ENABLED= # Enable AI for PR body generation -GO_BROADCAST_AI_COMMIT_ENABLED= # Enable AI for commit message generation - -# Provider: anthropic, openai, google -GO_BROADCAST_AI_PROVIDER=anthropic - -# API key (or use provider-specific: ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY) -# DO NOT USE THIS IN PUBLIC REPOSITORIES, USE ENVIRONMENT SECRETS INSTEAD -# GO_BROADCAST_AI_API_KEY= - -# Model override (uses provider defaults if empty) -# anthropic: claude-sonnet-4-5-20250929 | openai: gpt-5.2 | google: gemini-3-pro-preview -GO_BROADCAST_AI_MODEL= - -# Generation parameters -GO_BROADCAST_AI_MAX_TOKENS=5000 -GO_BROADCAST_AI_TIMEOUT=30 -GO_BROADCAST_AI_TEMPERATURE=0.3 - -# Diff truncation (prevents token limit issues) -GO_BROADCAST_AI_DIFF_MAX_CHARS=4000 -GO_BROADCAST_AI_DIFF_MAX_LINES_PER_FILE=50 - -# Response caching (reduces API calls for identical diffs across repos) -GO_BROADCAST_AI_CACHE_ENABLED=true -GO_BROADCAST_AI_CACHE_TTL=3600 -GO_BROADCAST_AI_CACHE_MAX_SIZE=1000 - -# Retry settings (handles transient failures) -GO_BROADCAST_AI_RETRY_MAX_ATTEMPTS=3 -GO_BROADCAST_AI_RETRY_INITIAL_DELAY=1 -GO_BROADCAST_AI_RETRY_MAX_DELAY=10 - -# Error handling behavior -# When true, AI failures will cause sync to fail with an error 
(shows which API key env var was used) -# When false (default), AI failures silently fall back to static templates -GO_BROADCAST_AI_FAIL_ON_ERROR=false - -# Diff Debugging -# GO_BROADCAST_DEBUG_DIFF_PATH=/tmp/debug-diff.txt - -# ================================================================================================ -# πŸ›‘οΈ GUARDIAN CI TESTING FRAMEWORK -# ================================================================================================ - -# Feature Toggle -ENABLE_CI_GUARDIAN=false - -# Tool Versions (pinned for reproducibility) -GUARDIAN_ACT_VERSION=v0.2.84 -GUARDIAN_ACTIONLINT_VERSION=v1.7.10 -GUARDIAN_GO_SARIF_VERSION=v3.3.0 - -# Execution Settings -GUARDIAN_SCENARIO_TIMEOUT=30s -GUARDIAN_STATIC_TIMEOUT=5s -GUARDIAN_PARALLEL_SCENARIOS=1 - -# Output Configuration -GUARDIAN_OUTPUT_DIR=.mage-x -GUARDIAN_SARIF_OUTPUT=guardian.sarif -GUARDIAN_JSONL_OUTPUT=ci-results.jsonl - -# Policy Configuration -GUARDIAN_EXCEPTIONS_FILE=.github/guardian.yaml -GUARDIAN_POLICY_STRICT=true - -# Debug Settings -GUARDIAN_VERBOSE=false -GUARDIAN_DRY_RUN=false -GUARDIAN_KEEP_CONTAINERS=false diff --git a/.github/.yamlfmt b/.github/.yamlfmt index 288bf35..559f8bb 100644 --- a/.github/.yamlfmt +++ b/.github/.yamlfmt @@ -74,6 +74,7 @@ exclude: - "**/*.swo" - "**/*~" - # Build configs + # Environment files + - "**/env/**" - "**/.env.base" - "**/.env.custom" diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 17a93ba..e305095 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -6,7 +6,10 @@ * @mrz1836 # GitHub Actions workflows +.github/actions/* @mrz1836 +.github/scripts/* @mrz1836 .github/workflows/* @mrz1836 +.github/env/* @mrz1836 .github/.env.base @mrz1836 .github/.env.custom @mrz1836 @@ -37,7 +40,6 @@ codecov.yml @mrz1836 .github/AGENTS.md @mrz1836 .cursorrules @mrz1836 .github/CLAUDE.md @mrz1836 -sweep.yml @mrz1836 # Security and configuration files .github/SECURITY.md @mrz1836 
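Review bot: The new exclude `"**/env/**"` matches a directory named `env` at any depth, not only the modular config directory this commit introduces, so YAML under any unrelated `env/` folder (a virtualenv, a tool's own `env` tree) would silently be skipped by yamlfmt. If the intent is the new `.github/env/` directory, the narrower `- "**/.github/env/**"` says so explicitly and keeps the formatter's coverage predictable. The enclosing `exclude:` list begins outside the hunk.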
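Review bot: The added `.github/actions/* @mrz1836` and `.github/scripts/* @mrz1836` use the single-level glob, which in CODEOWNERS matches files directly inside that directory but not nested ones, so the composite actions this same commit edits (`.github/actions/load-env/action.yml`, `.github/actions/download-artifact-resilient/action.yml`) are not matched by the new rule; they fall through to the catch-all `* @mrz1836` just above, which is why the gap has no visible effect today. If the goal is explicit ownership of CI code that stands on its own, use the directory form, `.github/actions/ @mrz1836` and `.github/scripts/ @mrz1836`, which covers subdirectories. `.github/env/* @mrz1836` works as long as the modular env files stay flat in that directory.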
@@ -46,3 +48,16 @@ sweep.yml @mrz1836 # Repository configuration .github/labels.yml @mrz1836 .github/dependabot.yml @mrz1836 + +# Tech Conventions +.github/tech-conventions/* @mrz1836 + +# Cursor Rules +.cursorrules @mrz1836 + +# Devcontainer configuration +.devcontainer/* @mrz1836 +.devcontainer.json @mrz1836 + +# Gitpod configuration +.gitpod.yml @mrz1836 \ No newline at end of file diff --git a/.github/actions/download-artifact-resilient/action.yml b/.github/actions/download-artifact-resilient/action.yml index b98c8aa..15e7c91 100644 --- a/.github/actions/download-artifact-resilient/action.yml +++ b/.github/actions/download-artifact-resilient/action.yml 
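Review bot: `.cursorrules @mrz1836` is added under the new `# Cursor Rules` heading although the same rule already exists earlier in the file (visible as context in the `@@ -37,7 +40,6 @@` hunk); CODEOWNERS applies the last matching rule, so the duplicate is harmless but one of the two should be dropped. The file also now ends without a trailing newline (`\ No newline at end of file`); add one after `.gitpod.yml @mrz1836` so the next appended rule does not end up on the same line.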
@@ -101,18 +101,29 @@ runs: # Check if artifacts exist first (avoid unnecessary retries) echo "πŸ” Checking artifact availability..." - # Fetch artifacts list, handling API errors gracefully - ARTIFACTS_JSON=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts 2>&1) || { + # Fetch artifacts list (best-effort). In some workflow contexts GitHub will + # block listing artifacts via API even though direct downloads work. + # So: if listing fails, we fall back to attempting the download directly. + ARTIFACTS_JSON=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts --paginate 2>&1) || { API_ERROR=$? echo "⚠️ Failed to fetch artifacts list (exit code: $API_ERROR)" echo " Response: $ARTIFACTS_JSON" + echo "β†ͺ Falling back to direct download attempt (skipping preflight list)" + + DOWNLOAD_CMD="gh run download ${{ github.run_id }} --pattern \"$ARTIFACT_PATTERN\" --dir \"$ARTIFACT_PATH\"" + if timeout "$DOWNLOAD_TIMEOUT" bash -c "$DOWNLOAD_CMD"; then + echo "βœ… Successfully downloaded artifacts via fallback" + DOWNLOAD_SUCCESS=true + ARTIFACTS_FOUND=1 + break + fi if [ "$CONTINUE_ON_ERROR" = "true" ]; then - echo "::warning title=Artifact API Error::Failed to fetch artifacts list - API may be unavailable or credentials invalid" + echo "::warning title=Artifact API Error::Failed to list/download artifacts - API may be unavailable or credentials invalid" DOWNLOAD_SUCCESS=false break else - echo "::error title=Artifact API Error::Failed to fetch artifacts list - API may be unavailable or credentials invalid" + echo "::error title=Artifact API Error::Failed to list/download artifacts - API may be unavailable or credentials invalid" exit 1 fi } 
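Review bot: The fallback builds `DOWNLOAD_CMD` as a string and re-parses it with `bash -c`, so `$ARTIFACT_PATTERN` and `$ARTIFACT_PATH` are expanded once at assignment and then evaluated a second time by the inner shell — a value containing a double quote, `$(` or a backtick would be treated as shell syntax instead of being passed literally to `gh`. Since this is a single invocation, the indirection is unnecessary: replace the two lines with `if timeout "$DOWNLOAD_TIMEOUT" gh run download "${{ github.run_id }}" --pattern "$ARTIFACT_PATTERN" --dir "$ARTIFACT_PATH"; then` and drop the `DOWNLOAD_CMD=` assignment. The identical block is repeated in the `@@ -121,6 +132,15 @@` hunk; a small shell function (e.g. `try_direct_download`) called from both error branches would keep the two copies in sync. The retry loop that these `break` statements leave starts outside the hunk. Separately, `gh api --paginate` emits one JSON document per page, so if a run ever has more than one page of artifacts the `jq` checks that follow see a stream of objects rather than a single `.artifacts` array — worth confirming against how `ARTIFACTS_JSON` is consumed later in the step.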
@@ -121,6 +132,15 @@ runs: if ! echo "$ARTIFACTS_JSON" | jq -e '.artifacts' > /dev/null 2>&1; then echo "⚠️ Invalid API response (not valid artifacts JSON)" echo " Response: $ARTIFACTS_JSON" + echo "β†ͺ Falling back to direct download attempt (skipping preflight list)" + + DOWNLOAD_CMD="gh run download ${{ github.run_id }} --pattern \"$ARTIFACT_PATTERN\" --dir \"$ARTIFACT_PATH\"" + if timeout "$DOWNLOAD_TIMEOUT" bash -c "$DOWNLOAD_CMD"; then + echo "βœ… Successfully downloaded artifacts via fallback" + DOWNLOAD_SUCCESS=true + ARTIFACTS_FOUND=1 + break + fi if [ "$CONTINUE_ON_ERROR" = "true" ]; then echo "::warning title=Invalid API Response::Artifacts API returned invalid response" diff --git a/.github/actions/load-env/action.yml b/.github/actions/load-env/action.yml index fc0ed02..ec348ad 100644 --- a/.github/actions/load-env/action.yml +++ b/.github/actions/load-env/action.yml @@ -1,16 +1,15 @@ # ------------------------------------------------------------------------------------ # Load Environment Variables Composite Action # -# Purpose: Loads and parses environment configuration from .env.base and .env.custom +# Purpose: Loads and parses environment configuration from modular .github/env/ # files into JSON format for use across all GitHub Actions workflows. # # Loading Strategy: -# 1. Load .env.base (required) - contains default configuration -# 2. Load .env.custom (optional) - project-specific overrides -# 3. Merge with custom values taking precedence +# 1. Run .github/env/load-env.sh to load all modular env files +# 2. Extract exported variables to JSON for workflow compatibility # # Outputs: -# env-json: JSON object containing all merged environment variables +# env-json: JSON object containing all environment variables # # Usage: # - uses: ./.github/actions/load-env 
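Review bot: The rewritten header drops the precedence statement the old step 3 gave ("Merge with custom values taking precedence"), so a reader of this action can no longer tell whether the modular files under `.github/env/` override one another or whether a project-specific override file still exists. That order presumably now lives in `.github/env/load-env.sh`; a one-line pointer in the Loading Strategy list, e.g. `#    (load order and override precedence are defined in load-env.sh)`, would keep the header self-contained. The hunk is comment-only, so nothing else changes here.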
@@ -21,7 +20,7 @@ # ------------------------------------------------------------------------------------ name: "Load Environment Variables" -description: "Loads and merges environment variables from .env.base and .env.custom files" +description: "Loads environment variables from modular .github/env/ files" outputs: env-json: 
@@ -30,154 +29,70 @@ outputs: primary-runner: description: "Primary runner OS extracted from environment variables" value: ${{ steps.load-env.outputs.primary-runner }} - base-file-found: - description: "Whether .env.base file was found" - value: ${{ steps.load-env.outputs.base-file-found }} - custom-file-found: - description: "Whether .env.custom file was found" - value: ${{ steps.load-env.outputs.custom-file-found }} - base-var-count: - description: "Number of variables loaded from .env.base" - value: ${{ steps.load-env.outputs.base-var-count }} - custom-var-count: - description: "Number of variables loaded from .env.custom" - value: ${{ steps.load-env.outputs.custom-var-count }} - config-mode: - description: "Configuration mode: new (base+custom) or base-only" - value: ${{ steps.load-env.outputs.config-mode }} + env-file-count: + description: "Number of env files loaded" + value: ${{ steps.load-env.outputs.env-file-count }} + var-count: + description: "Total number of variables loaded" + value: ${{ steps.load-env.outputs.var-count }} runs: using: "composite" steps: # -------------------------------------------------------------------- - # Load and merge environment configuration files + # Load environment configuration from modular env files # -------------------------------------------------------------------- - - name: πŸ”§ Load environment variables + - name: 🌍 Load environment variables id: load-env shell: bash run: | echo "πŸ“‹ Loading environment configuration..." 
- # Function to parse .env file to JSON - parse_env_file() { - local file="$1" - if [[ -f "$file" ]]; then - cat "$file" | \ - grep -v '^#' | \ - grep -v '^$' | \ - sed 's/#.*$//' | \ - sed 's/[[:space:]]*$//' | \ - jq -Rs 'split("\n") | map(select(length > 0) | split("=") | select(length == 2) | {(.[0]): .[1]}) | add // {}' - else - echo "{}" - fi - } + LOADER_SCRIPT=".github/env/load-env.sh" - # Function to validate environment variable names and values - validate_env_vars() { - local json="$1" - local source="$2" - - echo "πŸ”’ Validating environment variables from $source..." - - # Extract all keys and values - local keys=$(echo "$json" | jq -r 'keys[]') - - while IFS= read -r key; do - # Skip empty keys - [[ -z "$key" ]] && continue - - # Validate key name: must match ^[A-Z_][A-Z0-9_]*$ - if ! echo "$key" | grep -qE '^[A-Z_][A-Z0-9_]*$'; then - echo "❌ ERROR: Invalid environment variable name in $source: '$key'" >&2 - echo " Variable names must start with uppercase letter or underscore" >&2 - echo " and contain only uppercase letters, numbers, and underscores" >&2 - exit 1 - fi - - # Get the value for this key - local value=$(echo "$json" | jq -r --arg k "$key" '.[$k]') - - # Validate value length (max 10000 chars to prevent DoS) - if [[ ${#value} -gt 10000 ]]; then - echo "❌ ERROR: Environment variable value too long in $source: '$key'" >&2 - echo " Maximum length is 10000 characters, got ${#value}" >&2 - exit 1 - fi - - # Check for suspicious command injection patterns - if echo "$value" | grep -qE '`|\$\(|\$\{|;|&|\||<\(|>|<|\\|'"'"'|"|\x00|[[:cntrl:]]'; then - echo "⚠️ WARNING: Potentially unsafe characters in $source variable '$key'" >&2 - echo " Value contains backticks, command substitution, or shell metacharacters" >&2 - echo " Value will be treated as a literal string during extraction" >&2 - fi - - done <<< "$keys" - - echo "βœ… All variables in $source passed validation" - } - - # Load configuration files in order of precedence - BASE_JSON="{}" - 
CUSTOM_JSON="{}" - - # 1. Load base configuration (required) - if [[ -f ".github/.env.base" ]]; then - echo "πŸ“‚ Loading base configuration from .env.base..." - BASE_JSON=$(parse_env_file ".github/.env.base") - BASE_COUNT=$(echo "$BASE_JSON" | jq 'keys | length') - echo "βœ… Loaded $BASE_COUNT base configuration variables" + if [[ ! -f "$LOADER_SCRIPT" ]]; then + echo "❌ ERROR: Environment loader not found at $LOADER_SCRIPT" >&2 + exit 1 + fi - # Validate base configuration - validate_env_vars "$BASE_JSON" ".env.base" - else - echo "❌ ERROR: Required .env.base file not found!" >&2 + # Source the loader script with verbose output + echo "πŸ”„ Loading modular environment files..." + if ! source "$LOADER_SCRIPT" --verbose; then + echo "❌ ERROR: Failed to load environment configuration" >&2 exit 1 fi - # 2. Load custom overrides (optional) - if [[ -f ".github/.env.custom" ]]; then - echo "🎨 Loading custom configuration from .env.custom..." - CUSTOM_JSON=$(parse_env_file ".github/.env.custom") - CUSTOM_COUNT=$(echo "$CUSTOM_JSON" | jq 'keys | length') - echo "βœ… Loaded $CUSTOM_COUNT custom override variables" + # Extract all exported variables to JSON for workflow compatibility + echo "πŸ“¦ Extracting environment variables to JSON..." + ENV_JSON=$(env | grep -E '^[A-Z_][A-Z0-9_]*=' | while IFS='=' read -r key value; do + # Escape special characters in value for JSON + escaped_value=$(printf '%s' "$value" | jq -Rs '.') + echo "{\"$key\": $escaped_value}" + done | jq -s 'add // {}') - # Validate custom configuration - validate_env_vars "$CUSTOM_JSON" ".env.custom" - else - echo "ℹ️ No custom configuration file found (this is optional)" - fi + TOTAL_COUNT=$(echo "$ENV_JSON" | jq 'keys | length') + echo "βœ… Extracted $TOTAL_COUNT variables" - # 3. Merge configurations with precedence: custom > base - echo "πŸ”€ Merging configuration files..." 
- ENV_JSON=$(echo "$BASE_JSON $CUSTOM_JSON" | jq -s 'add') + # Count env files loaded + ENV_FILE_COUNT=$(ls -1 .github/env/*.env 2>/dev/null | wc -l | tr -d ' ') # Validate merged configuration if [[ -z "$ENV_JSON" ]] || [[ "$ENV_JSON" == "null" ]] || [[ "$ENV_JSON" == "{}" ]]; then echo "❌ ERROR: No valid environment variables found!" >&2 - echo " Please ensure .env.base exists with valid configuration." >&2 exit 1 fi - # Output final merged configuration + # Output final configuration echo "env-json<> $GITHUB_OUTPUT echo "$ENV_JSON" >> $GITHUB_OUTPUT echo "EOF" >> $GITHUB_OUTPUT # Log summary - TOTAL_COUNT=$(echo "$ENV_JSON" | jq 'keys | length') echo "βœ… Environment configuration loaded successfully" echo "πŸ“Š Total variables: $TOTAL_COUNT" + echo "πŸ“ Env files loaded: $ENV_FILE_COUNT" - # Show merge summary if both files were used - if [[ -f ".github/.env.custom" ]] && [[ "$CUSTOM_COUNT" -gt 0 ]]; then - echo "πŸ“Š Configuration sources:" - echo " - Base (.env.base): $BASE_COUNT variables" - echo " - Custom (.env.custom): $CUSTOM_COUNT overrides" - echo " - Total merged: $TOTAL_COUNT variables" - fi - - # Extract and validate PRIMARY_RUNNER for backward compatibility + # Extract and validate PRIMARY_RUNNER PRIMARY_RUNNER=$(echo "$ENV_JSON" | jq -r '.PRIMARY_RUNNER') if [[ -z "$PRIMARY_RUNNER" ]] || [[ "$PRIMARY_RUNNER" == "null" ]]; then echo "❌ ERROR: PRIMARY_RUNNER is not set in the configuration!" >&2 
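Review bot: The `ENV_JSON=$(env | ...)` extraction serializes the entire process environment into the `env-json` output, not just what the loader set: every variable the runner or calling workflow already exports (`GITHUB_*`, `ACTIONS_*`, anything the caller passed via `env:` from secrets) that matches `^[A-Z_][A-Z0-9_]*=` is copied into a step output and from there into whatever consumes it, whereas the removed code only ever serialized parsed file contents. Multi-line values are also truncated, because `env` prints them on continuation lines that `grep` then drops. Restricting the export to names declared in `.github/env/*.env` and letting `jq --arg` do the JSON encoding addresses both; if `load-env.sh` (not visible here) also computes variables that appear in no file, extend the allowlist accordingly. The stale `# Validate merged configuration` comment above the `ENV_JSON` check should be reworded now that nothing is merged, and the step's `run:` block continues in the next hunk.
```bash
# Export only names declared in the env files, so runner/caller-provided
# variables (tokens, GITHUB_*, ACTIONS_*) never reach the env-json output.
ALLOWED_KEYS=$(grep -hoE '^[A-Z_][A-Z0-9_]*=' .github/env/*.env 2>/dev/null | cut -d= -f1 | sort -u)
ENV_JSON=$(for key in $ALLOWED_KEYS; do
  [[ -v "$key" ]] || continue
  jq -n --arg k "$key" --arg v "${!key}" '{($k): $v}'
done | jq -s 'add // {}')
# … unchanged: TOTAL_COUNT, ENV_FILE_COUNT and the GITHUB_OUTPUT writes …
```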
@@ -186,33 +101,6 @@ runs: echo "primary-runner=$PRIMARY_RUNNER" >> $GITHUB_OUTPUT echo "πŸ–₯️ Primary runner: $PRIMARY_RUNNER" - # Output configuration file discovery information - BASE_FOUND="false" - CUSTOM_FOUND="false" - CONFIG_MODE="new" - - if [[ -f ".github/.env.base" ]]; then - BASE_FOUND="true" - fi - - if [[ -f ".github/.env.custom" ]]; then - CUSTOM_FOUND="true" - fi - - # Determine configuration mode - if [[ "$CUSTOM_FOUND" == "true" ]]; then - CONFIG_MODE="new" - else - CONFIG_MODE="base-only" - fi - - # Set default counts for missing variables - BASE_COUNT=${BASE_COUNT:-0} - CUSTOM_COUNT=${CUSTOM_COUNT:-0} - - # Output all the discovery information - echo "base-file-found=$BASE_FOUND" >> $GITHUB_OUTPUT - echo "custom-file-found=$CUSTOM_FOUND" >> $GITHUB_OUTPUT - echo "base-var-count=$BASE_COUNT" >> $GITHUB_OUTPUT - echo "custom-var-count=$CUSTOM_COUNT" >> $GITHUB_OUTPUT - echo "config-mode=$CONFIG_MODE" >> $GITHUB_OUTPUT + # Output counts + echo "env-file-count=$ENV_FILE_COUNT" >> $GITHUB_OUTPUT + echo "var-count=$TOTAL_COUNT" >> $GITHUB_OUTPUT diff --git a/.github/docs/repository-features.md b/.github/docs/repository-features.md new file mode 100644 index 0000000..aa79bd7 --- /dev/null +++ b/.github/docs/repository-features.md @@ -0,0 +1,40 @@ +# Repository Features + +A comprehensive list of built-in features that ship with this repository. + +
+ +--- + +
+ +* **Continuous Integration on Autopilot** with [GitHub Actions](https://github.com/features/actions) – every push is built, tested, and reported in minutes. +* **Pull‑Request Flow That Merges Itself** thanks to [auto‑merge](../workflows/auto-merge-on-approval.yml) and hands‑free [Dependabot auto‑merge](../workflows/dependabot-auto-merge.yml). +* **One‑Command Builds** powered by battle‑tested [MAGE-X](https://github.com/mrz1836/mage-x) targets for linting, testing, releases, and more. +* **First‑Class Dependency Management** using native [Go Modules](https://github.com/golang/go/wiki/Modules). +* **Uniform Code Style** via [gofumpt](https://github.com/mvdan/gofumpt) plus zero‑noise linting with [golangci‑lint](https://github.com/golangci/golangci-lint). +* **Confidence‑Boosting Tests** with [testify](https://github.com/stretchr/testify), the Go [race detector](https://blog.golang.org/race-detector), crystal‑clear [HTML coverage](https://blog.golang.org/cover) snapshots, and automatic reporting via internal coverage system. +* **Hands‑Free Releases** delivered by [GoReleaser](https://github.com/goreleaser/goreleaser) whenever you create a [new Tag](https://git-scm.com/book/en/v2/Git-Basics-Tagging). +* **Relentless Dependency & Vulnerability Scans** via [Dependabot](https://dependabot.com) (runs daily at 8am to ensure broadcast dependencies are always current), [Nancy](https://github.com/sonatype-nexus-community/nancy), and [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck). +* **Security Posture by Default** with [CodeQL](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning), [OpenSSF Scorecard](https://openssf.org), and secret‑leak detection via [gitleaks](https://github.com/gitleaks/gitleaks). +* **Automatic Syndication** to [pkg.go.dev](https://pkg.go.dev/) on every release for instant godoc visibility. 
+* **Polished Community Experience** using rich templates for [Issues & PRs](https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-go-broadcastsitory). +* **All the Right Meta Files** (`LICENSE`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md`, `SUPPORT.md`, `SECURITY.md`) pre‑filled and ready. +* **Code Ownership** clarified through a [CODEOWNERS](../CODEOWNERS) file, keeping reviews fast and focused. +* **Zero‑Noise Dev Environments** with tuned editor settings ([`.editorconfig`](../../.editorconfig)) plus curated *ignore* files for [VS Code](../../.editorconfig), [Docker](../../.dockerignore), and [Git](../../.gitignore). +* **Label Sync Magic**: your repo labels stay in lock‑step with [.github/labels.yml](../labels.yml). +* **Friendly First PR Workflow** – newcomers get a warm welcome thanks to a dedicated [workflow](../workflows/pull-request-management.yml). +* **Standards‑Compliant Docs** adhering to the [standard‑readme](https://github.com/RichardLitt/standard-readme/blob/master/spec.md) spec. +* **Instant Cloud Workspaces** via [Gitpod](https://gitpod.io/) – spin up a fully configured dev environment with automatic linting and tests. +* **Out‑of‑the‑Box VS Code Happiness** with a preconfigured [Go](https://code.visualstudio.com/docs/languages/go) workspace and [`.vscode`](../../.vscode) folder with all the right settings. +* **Optional Release Broadcasts** to your community via [Slack](https://slack.com), [Discord](https://discord.com), or [Twitter](https://twitter.com) – plug in your webhook. +* **AI Playbook** – machine‑readable guidelines in [tech conventions](../tech-conventions/ai-compliance.md) +* **Go-Pre-commit System** - [High-performance Go-native pre-commit hooks](https://github.com/mrz1836/go-pre-commit) with 17x faster executionβ€”run the same formatting, linting, and tests before every commit, just like CI. 
+* **Zero Python Dependencies** - Pure Go implementation with [modular environment-based configuration](../env/README.md). +* **DevContainers for Instant Onboarding** – Launch a ready-to-code environment in seconds with [VS Code DevContainers](https://containers.dev/) and the included [.devcontainer.json](../../.devcontainer.json) config. + +
+ +--- + +[← Back to README](../../README.md) diff --git a/.github/docs/workflows.md b/.github/docs/workflows.md new file mode 100644 index 0000000..44d0ab5 --- /dev/null +++ b/.github/docs/workflows.md @@ -0,0 +1,39 @@ +# GitHub Workflows + +All GitHub Actions workflows in this repository are powered by modular configuration files – your one-stop shop for tweaking CI/CD behavior without touching a single YAML file! + +
+ +## The Workflow Control Center + +**Configuration Files:** +- **[`.github/env/`](../env/README.md)** – Modular environment configuration split into domain-specific files loaded in numeric order + +These configuration files control everything from: +- **Go version matrix** (test on multiple versions or just one) +- **Runner selection** (Ubuntu or macOS, your wallet decides) +- **Feature toggles** (coverage, fuzzing, linting, race detection, benchmarks) +- **Security tool versions** (gitleaks, nancy, govulncheck) +- **Auto-merge behaviors** (how aggressive should the bots be?) +- **PR management rules** (size labels, auto-assignment, welcome messages) + +
+ +## Workflows + +| Workflow | Description | +|----------|-------------| +| [auto-merge-on-approval.yml](../workflows/auto-merge-on-approval.yml) | Automatically merges PRs after approval and all required checks, following strict rules. | +| [codeql-analysis.yml](../workflows/codeql-analysis.yml) | Analyzes code for security vulnerabilities using [GitHub CodeQL](https://codeql.github.com/). | +| [dependabot-auto-merge.yml](../workflows/dependabot-auto-merge.yml) | Automatically merges [Dependabot](https://github.com/dependabot) PRs that meet all requirements. | +| [fortress.yml](../workflows/fortress.yml) | Runs the GoFortress security and testing workflow, including linting, testing, releasing, and vulnerability checks. | +| [pull-request-management.yml](../workflows/pull-request-management.yml) | Labels PRs by branch prefix, assigns a default user if none is assigned, and welcomes new contributors with a comment. | +| [scorecard.yml](../workflows/scorecard.yml) | Runs [OpenSSF](https://openssf.org/) Scorecard to assess supply chain security. | +| [stale.yml](../workflows/stale-check.yml) | Warns about (and optionally closes) inactive issues and PRs on a schedule or manual trigger. | +| [sync-labels.yml](../workflows/sync-labels.yml) | Keeps GitHub labels in sync with the declarative manifest at [`.github/labels.yml`](../labels.yml). | + +
+ +--- + +[← Back to README](../../README.md) diff --git a/.github/env/00-core.env b/.github/env/00-core.env new file mode 100644 index 0000000..03eaa0a --- /dev/null +++ b/.github/env/00-core.env 
@@ -0,0 +1,114 @@ +# ================================================================================================ +# 🎯 CORE CONFIGURATION (00-core.env) +# ================================================================================================ +# +# Purpose: Foundation layer - Go versions, runner configuration, feature flags, and timeouts +# Load Order: 00 (loaded first, can be overridden by later files) +# +# This file contains essential configuration that almost all Go projects need: +# - Go version configuration (primary, secondary, govulncheck) +# - Module configuration (go.sum location, multi-module support) +# - GitHub Actions runner configuration +# - GitHub token preferences +# - Core feature flags (benchmarks, coverage, tests, race detection, etc.) +# - Test and benchmark timeouts +# - Artifact download configuration +# +# Override in: 90-project.env (project-specific) or 99-local.env (local development) +# +# ================================================================================================ + +# ================================================================================================ +# 🎯 GO VERSION CONFIGURATION +# ================================================================================================ + +# Primary Go version for builds and primary test runner +GO_PRIMARY_VERSION=1.24.x + +# Secondary Go version for compatibility testing +GO_SECONDARY_VERSION=1.24.x + +# Govulncheck-specific Go version for vulnerability scanning +GOVULNCHECK_GO_VERSION=1.25.7 + +# ================================================================================================ +# πŸ“¦ GO MODULE CONFIGURATION +# ================================================================================================ + +# Go sum file location for dependency verification and caching +GO_SUM_FILE=go.sum + +# Multi-module monorepo support +ENABLE_MULTI_MODULE_TESTING=false + +# 
================================================================================================ +# πŸ–₯️ RUNNER CONFIGURATION +# ================================================================================================ + +# Primary runner OS for most CI jobs +PRIMARY_RUNNER=ubuntu-24.04 + +# Secondary runner for cross-platform compatibility testing +SECONDARY_RUNNER=ubuntu-24.04 + +# ================================================================================================ +# πŸ”‘ GITHUB TOKEN CONFIGURATION +# ================================================================================================ + +# Preferred GitHub token for API operations +PREFERRED_GITHUB_TOKEN=GH_PAT_TOKEN + +# ================================================================================================ +# ✨ FEATURE FLAGS +# ================================================================================================ + +# Core Features +ENABLE_BENCHMARKS=true +ENABLE_CACHE_WARMING=true +ENABLE_CODE_COVERAGE=true +ENABLE_FUZZ_TESTING=true +ENABLE_GO_TESTS=true +ENABLE_RACE_DETECTION=true +ENABLE_STATIC_ANALYSIS=true +ENABLE_VERBOSE_TEST_OUTPUT=false + +# Code Quality Tools +ENABLE_GO_LINT=true +ENABLE_GO_PRE_COMMIT=true +ENABLE_YAML_LINT=true + +# Security Scanning +ENABLE_SECURITY_SCAN_GITLEAKS=true +ENABLE_SECURITY_SCAN_GOVULNCHECK=true +ENABLE_SECURITY_SCAN_NANCY=true + +# Documentation & Publishing +ENABLE_GODOCS_PUBLISHING=true + +# Workflow Reporting +ENABLE_COMPLETION_REPORT=true + +# ================================================================================================ +# πŸ“¦ ARTIFACT DOWNLOAD CONFIGURATION +# ================================================================================================ + +ARTIFACT_DOWNLOAD_RETRIES=3 +ARTIFACT_DOWNLOAD_RETRY_DELAY=10 +ARTIFACT_DOWNLOAD_TIMEOUT=300 +ARTIFACT_DOWNLOAD_CONTINUE_ON_ERROR=true + +# ================================================================================================ +# 
βš™οΈ BENCHMARK & TEST CONFIGURATION +# ================================================================================================ + +# Benchmark execution timeout in minutes +BENCHMARK_TIMEOUT=20 + +# Benchmark mode (Options: quick, full, normal) +BENCHMARK_MODE=quick + +# Test Execution Timeouts +TEST_TIMEOUT=30m +TEST_TIMEOUT_RACE_COVER=30m +TEST_TIMEOUT_UNIT=20m +TEST_TIMEOUT_FUZZ=5m diff --git a/.github/env/10-coverage.env b/.github/env/10-coverage.env new file mode 100644 index 0000000..4ad2298 --- /dev/null +++ b/.github/env/10-coverage.env 
@@ -0,0 +1,114 @@ +# ================================================================================================ +# πŸ“Š GO-COVERAGE CONFIGURATION (10-coverage.env) +# ================================================================================================ +# +# Purpose: go-coverage tool configuration for test coverage reporting and tracking +# Load Order: 10 (tool-specific defaults, loaded after core) +# +# go-coverage is the coverage reporting system used by go-fortress. +# This file defines all go-coverage configuration including: +# - Coverage provider selection (internal vs. codecov) +# - Tool version and local development settings +# - Coverage thresholds and exclusions +# - GitHub integration (comments, statuses, badges) +# - Report generation and styling +# - History tracking and retention +# - Storage and logging configuration +# +# Override in: 90-project.env for project-specific coverage settings +# +# Reference: https://github.com/mrz1836/go-coverage +# +# ================================================================================================ + +# ================================================================================================ +# πŸ“Š COVERAGE PROVIDER & TOOL VERSION +# ================================================================================================ + +# Coverage Provider Selection (internal or codecov) +GO_COVERAGE_PROVIDER=internal + +# Codecov Configuration (only used when provider=codecov) +CODECOV_TOKEN_REQUIRED=false + +# Go Coverage Tool Version +GO_COVERAGE_VERSION=v1.3.1 +GO_COVERAGE_USE_LOCAL=false + +# ================================================================================================ +# 🎯 CORE COVERAGE SETTINGS +# ================================================================================================ + +GO_COVERAGE_INPUT_FILE=coverage.txt +GO_COVERAGE_OUTPUT_DIR=. 
+GO_COVERAGE_THRESHOLD=65.0 +GO_COVERAGE_ALLOW_LABEL_OVERRIDE=true + +# ================================================================================================ +# 🚫 COVERAGE EXCLUSIONS +# ================================================================================================ + +GO_COVERAGE_EXCLUDE_PATHS=test/,vendor/,testdata/ +GO_COVERAGE_EXCLUDE_FILES=*_test.go,*.pb.go +GO_COVERAGE_EXCLUDE_TESTS=true +GO_COVERAGE_EXCLUDE_GENERATED=true + +# ================================================================================================ +# πŸ”— GITHUB INTEGRATION +# ================================================================================================ + +GO_COVERAGE_POST_COMMENTS=true +GO_COVERAGE_CREATE_STATUSES=true +GO_COVERAGE_SKIP_URL_CHECKS=false +GO_COVERAGE_FAIL_ON_URL_ERRORS=true +GO_COVERAGE_URL_CHECK_TIMEOUT=300 + +# ================================================================================================ +# 🏷️ BADGE CONFIGURATION +# ================================================================================================ + +GO_COVERAGE_BADGE_STYLE=flat +GO_COVERAGE_BADGE_LABEL=coverage +GO_COVERAGE_BADGE_LOGO=2fas +GO_COVERAGE_BADGE_LOGO_COLOR=white +GO_COVERAGE_BADGE_OUTPUT=coverage.svg +GO_COVERAGE_BADGE_TREND=false + +# ================================================================================================ +# πŸ“„ REPORT CONFIGURATION +# ================================================================================================ + +GO_COVERAGE_REPORT_OUTPUT=coverage.html +GO_COVERAGE_REPORT_TITLE="Coverage Report" +GO_COVERAGE_REPORT_THEME=github-dark +GO_COVERAGE_REPORT_PACKAGES=true +GO_COVERAGE_REPORT_FILES=true +GO_COVERAGE_REPORT_MISSING=true + +# ================================================================================================ +# πŸ“… HISTORY TRACKING +# ================================================================================================ + 
+GO_COVERAGE_HISTORY_ENABLED=true +GO_COVERAGE_HISTORY_PATH=history +GO_COVERAGE_HISTORY_RETENTION=90 +GO_COVERAGE_HISTORY_MAX_ENTRIES=1000 +GO_COVERAGE_HISTORY_CLEANUP=true +GO_COVERAGE_HISTORY_METRICS=true + +# ================================================================================================ +# πŸ’Ύ STORAGE CONFIGURATION +# ================================================================================================ + +GO_COVERAGE_BASE_DIR=. +GO_COVERAGE_AUTO_CREATE_DIRS=true +GO_COVERAGE_FILE_MODE=644 +GO_COVERAGE_DIR_MODE=755 + +# ================================================================================================ +# πŸ“ LOGGING CONFIGURATION +# ================================================================================================ + +GO_COVERAGE_LOG_LEVEL=INFO +GO_COVERAGE_LOG_FORMAT=text +GO_COVERAGE_LOG_ENABLED=true diff --git a/.github/env/10-mage-x.env b/.github/env/10-mage-x.env new file mode 100644 index 0000000..30f5fcd --- /dev/null +++ b/.github/env/10-mage-x.env 
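Review bot: `GO_COVERAGE_REPORT_TITLE="Coverage Report"` is the only value in the new env files that depends on quoting, and whether the quotes are stripped or kept as part of the value depends on how `load-env.sh` (not shown) reads the file — a shell `source` strips them, while a line-based `split("=")` parser like the one this commit removes from `action.yml` keeps them literally, and either result is what go-coverage receives as its title. Confirm the loader's semantics in a comment on that line, e.g. `# Quotes are stripped by load-env.sh (files are sourced, not line-parsed)`, or pick a value that needs no quoting. The same question will apply to any future value containing spaces or `#`.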
@@ -0,0 +1,104 @@ +# ================================================================================================ +# πŸͺ„ MAGE-X CONFIGURATION (10-mage-x.env) +# ================================================================================================ +# +# Purpose: MAGE-X build tool configuration and tool version management +# Load Order: 10 (tool-specific defaults, loaded after core) +# +# MAGE-X is the task runner and build orchestration tool for go-fortress. +# This file defines all MAGE-X-specific configuration including: +# - MAGE-X version and local development settings +# - Tool versions (golangci-lint, gofumpt, goreleaser, etc.) +# - Build configuration (tags, exclusions, strategy) +# - Format exclusion paths +# - Auto-discovery settings +# +# Override in: 90-project.env for project-specific tool versions +# +# Tool Versions Reference: +# - golangci-lint: https://github.com/golangci/golangci-lint/releases +# - gofumpt: https://github.com/mvdan/gofumpt/releases +# - goreleaser: https://github.com/goreleaser/goreleaser/releases +# - govulncheck: https://go.googlesource.com/vuln/+refs +# - mockgen: https://github.com/uber-go/mock/releases +# - nancy: https://github.com/sonatype-nexus-community/nancy/releases +# - staticcheck: https://github.com/dominikh/go-tools/releases +# - swag: https://github.com/swaggo/swag/releases +# - yamlfmt: https://github.com/google/yamlfmt/releases +# - benchstat: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat +# - gitleaks: https://github.com/gitleaks/gitleaks/releases +# - mage: https://github.com/magefile/mage/releases +# +# ================================================================================================ + +# ================================================================================================ +# πŸͺ„ MAGE-X CORE CONFIGURATION +# ================================================================================================ + +# MAGE-X version +MAGE_X_VERSION=v1.20.1 + +# For mage-x 
development, set to 'true' to use local version instead of downloading from releases +MAGE_X_USE_LOCAL=false + +# Skip step summary in CI logs to reduce noise (set to 'true' to enable) +MAGE_X_CI_SKIP_STEP_SUMMARY=false + +# ================================================================================================ +# πŸ—οΈ BUILD CONFIGURATION +# ================================================================================================ + +MAGE_X_AUTO_DISCOVER_BUILD_TAGS=true +MAGE_X_AUTO_DISCOVER_BUILD_TAGS_EXCLUDE=race,custom +MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea + +# Exclude magefiles from prebuild - they require 'mage' build tag and fail without it +# MAGE_X_BUILD_EXCLUDE_PATTERN=magefiles + +# ================================================================================================ +# πŸ› οΈ TOOL VERSIONS +# ================================================================================================ + +MAGE_X_GITLEAKS_VERSION=8.30.0 +MAGE_X_GOFUMPT_VERSION=v0.9.2 +MAGE_X_GOLANGCI_LINT_VERSION=v2.8.0 +MAGE_X_GORELEASER_VERSION=v2.13.3 +MAGE_X_GOVULNCHECK_VERSION=v1.1.4 +MAGE_X_GO_SECONDARY_VERSION=1.24.x +MAGE_X_GO_VERSION=1.24.x +MAGE_X_MOCKGEN_VERSION=v0.6.0 +MAGE_X_NANCY_VERSION=v1.2.0 +MAGE_X_STATICCHECK_VERSION=2025.1.1 +MAGE_X_SWAG_VERSION=v1.16.6 +MAGE_X_YAMLFMT_VERSION=v0.21.0 +MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260112171951-5abaabe9f1bd +MAGE_X_MAGE_VERSION=v1.15.0 + +# ================================================================================================ +# πŸ“ RUNTIME VARIABLES (set by setup-goreleaser action) +# ================================================================================================ + +# MAGE_X_GORELEASER_PATH - Path to installed goreleaser binary +# MAGE_X_GORELEASER_INSTALLED - Set to 'true' when goreleaser is available +# MAGE_X_GORELEASER_CACHED_VERSION - Version of installed goreleaser + +# 
================================================================================================ +# βš™οΈ OPTIONAL OVERRIDES (use 90-project.env to override these defaults) +# ================================================================================================ + +# MAGE_X_BINARY_NAME=magex +# MAGE_X_BUILD_BATCH_DELAY_MS=200 +# MAGE_X_BUILD_BATCH_SIZE=2 +# MAGE_X_BUILD_STRATEGY=incremental +# MAGE_X_BUILD_TAGS=mage +# MAGE_X_DOWNLOAD_BACKOFF=2.0 +# MAGE_X_DOWNLOAD_INITIAL_DELAY=300 +# MAGE_X_DOWNLOAD_MAX_DELAY=1000 +# MAGE_X_DOWNLOAD_RESUME=false +# MAGE_X_DOWNLOAD_RETRIES=3 +# MAGE_X_DOWNLOAD_TIMEOUT=5000 +# MAGE_X_DOWNLOAD_USER_AGENT=MAGE-X-Agent +# MAGE_X_PARALLEL=3 +# MAGE_X_TEST_EXCLUDE_MODULES=module1,module2 +# MAGE_X_TEST_RACE=false +# MAGE_X_VERBOSE=true diff --git a/.github/env/10-pre-commit.env b/.github/env/10-pre-commit.env new file mode 100644 index 0000000..b49f339 --- /dev/null +++ b/.github/env/10-pre-commit.env 
@@ -0,0 +1,117 @@ +# ================================================================================================ +# πŸͺ GO-PRE-COMMIT CONFIGURATION (10-pre-commit.env) +# ================================================================================================ +# +# Purpose: go-pre-commit system configuration for automated code quality checks +# Load Order: 10 (tool-specific defaults, loaded after core) +# +# go-pre-commit is the pre-commit hook system used by go-fortress. +# This file defines all go-pre-commit configuration including: +# - Tool version and local development settings +# - System settings (timeouts, parallelization, file detection) +# - Tool versions (golangci-lint, fumpt, goimports, gitleaks) +# - Individual check enable/disable flags +# - Auto-staging behavior +# - Check-specific timeouts +# - Path configuration and exclusions +# - Plugin system configuration +# +# Override in: 90-project.env for project-specific pre-commit settings +# +# Reference: https://github.com/mrz1836/go-pre-commit +# +# ================================================================================================ + +# ================================================================================================ +# πŸͺ PRE-COMMIT TOOL VERSION +# ================================================================================================ + +GO_PRE_COMMIT_VERSION=v1.6.1 +GO_PRE_COMMIT_USE_LOCAL=false + +# ================================================================================================ +# βš™οΈ SYSTEM SETTINGS +# ================================================================================================ + +GO_PRE_COMMIT_FAIL_FAST=false +GO_PRE_COMMIT_TIMEOUT_SECONDS=720 +GO_PRE_COMMIT_TOOL_INSTALL_TIMEOUT=300 +GO_PRE_COMMIT_AUTO_ADJUST_CI_TIMEOUTS=true +GO_PRE_COMMIT_PARALLEL_WORKERS=2 +GO_PRE_COMMIT_LOG_LEVEL=debug +GO_PRE_COMMIT_MAX_FILE_SIZE_MB=10 +GO_PRE_COMMIT_MAX_FILES_OPEN=100 +GO_PRE_COMMIT_DEBUG=false + +# File Detection 
Strategy for CI +# true = Check all repository files (comprehensive but slower) +# false = Check only changed files in PR/push (faster, smart detection) +GO_PRE_COMMIT_ALL_FILES=true + +# ================================================================================================ +# πŸ› οΈ TOOL VERSIONS +# ================================================================================================ + +GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.8.0 +GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2 +GO_PRE_COMMIT_GOIMPORTS_VERSION=latest +GO_PRE_COMMIT_GITLEAKS_VERSION=v8.30.0 + +# Build tags for golangci-lint and other tools +GO_PRE_COMMIT_BUILD_TAGS= + +# ================================================================================================ +# βœ… INDIVIDUAL CHECKS +# ================================================================================================ + +GO_PRE_COMMIT_ENABLE_FMT=true +GO_PRE_COMMIT_ENABLE_FUMPT=true +GO_PRE_COMMIT_ENABLE_GOIMPORTS=true +GO_PRE_COMMIT_ENABLE_LINT=true +GO_PRE_COMMIT_ENABLE_MOD_TIDY=true +GO_PRE_COMMIT_ENABLE_WHITESPACE=true +GO_PRE_COMMIT_ENABLE_EOF=true +GO_PRE_COMMIT_ENABLE_AI_DETECTION=true +GO_PRE_COMMIT_ENABLE_GITLEAKS=true +GO_PRE_COMMIT_GITLEAKS_ALL_FILES=false + +# ================================================================================================ +# πŸ”„ AUTO-STAGING SETTINGS +# ================================================================================================ + +GO_PRE_COMMIT_FMT_AUTO_STAGE=true +GO_PRE_COMMIT_FUMPT_AUTO_STAGE=true +GO_PRE_COMMIT_GOIMPORTS_AUTO_STAGE=true +GO_PRE_COMMIT_WHITESPACE_AUTO_STAGE=true +GO_PRE_COMMIT_EOF_AUTO_STAGE=true +GO_PRE_COMMIT_AI_DETECTION_AUTO_FIX=false + +# ================================================================================================ +# ⏱️ CHECK TIMEOUTS (seconds) +# ================================================================================================ + +GO_PRE_COMMIT_FMT_TIMEOUT=30 +GO_PRE_COMMIT_FUMPT_TIMEOUT=30 
+GO_PRE_COMMIT_GOIMPORTS_TIMEOUT=30 +GO_PRE_COMMIT_LINT_TIMEOUT=600 +GO_PRE_COMMIT_MOD_TIDY_TIMEOUT=60 +GO_PRE_COMMIT_WHITESPACE_TIMEOUT=30 +GO_PRE_COMMIT_EOF_TIMEOUT=30 +GO_PRE_COMMIT_AI_DETECTION_TIMEOUT=30 +GO_PRE_COMMIT_GITLEAKS_TIMEOUT=60 + +# ================================================================================================ +# πŸ“‚ PATH CONFIGURATION +# ================================================================================================ + +GO_PRE_COMMIT_HOOKS_PATH=.git/hooks +GO_PRE_COMMIT_EXCLUDE_PATTERNS=vendor/,node_modules/,.git/ +GO_PRE_COMMIT_COLOR_OUTPUT=false + +# ================================================================================================ +# πŸ”Œ PLUGIN SYSTEM CONFIGURATION +# ================================================================================================ + +GO_PRE_COMMIT_ENABLE_PLUGINS=true +GO_PRE_COMMIT_PLUGIN_DIR=.pre-commit-plugins +GO_PRE_COMMIT_PLUGIN_TIMEOUT=60 diff --git a/.github/env/10-security.env b/.github/env/10-security.env new file mode 100644 index 0000000..f5c6dcd --- /dev/null +++ b/.github/env/10-security.env 
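Review bot: `GO_PRE_COMMIT_GOIMPORTS_VERSION=latest` is the only unpinned tool version in this file; every other tool here and in `10-mage-x.env` is pinned to a release, so `latest` pulls whatever the module proxy serves at install time, making pre-commit runs non-reproducible and letting an upstream change land in CI without a reviewed diff. Pin it like the others, e.g. `GO_PRE_COMMIT_GOIMPORTS_VERSION=<pinned-goimports-version>` (placeholder; take the current release of golang.org/x/tools), and let Dependabot or a manual bump move it. A one-line comment naming why pinning matters here would help the next maintainer who is tempted to revert to `latest`.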
@@ -0,0 +1,65 @@
+# ================================================================================================
+# πŸ”’ SECURITY TOOLS CONFIGURATION (10-security.env)
+# ================================================================================================
+#
+# Purpose: Security scanning tools configuration (Gitleaks, Nancy, Govulncheck)
+# Load Order: 10 (tool-specific defaults, loaded after core)
+#
+# This file defines configuration for security scanning tools used by go-fortress:
+# - Gitleaks: Secret and credential scanning
+# - Nancy: Dependency vulnerability scanning via OSS Index
+# - Govulncheck: Go-specific vulnerability detection
+# - CVE exclusion lists for known acceptable vulnerabilities
+#
+# Override in: 90-project.env for project-specific security settings
+#
+# Tool References:
+# - Gitleaks: https://github.com/gitleaks/gitleaks
+# - Nancy: https://github.com/sonatype-nexus-community/nancy
+# - Govulncheck: https://pkg.go.dev/golang.org/x/vuln
+# - OSS Index: https://ossindex.sonatype.org/
+#
+# ================================================================================================
+
+# ================================================================================================
+# πŸ” GITLEAKS CONFIGURATION
+# ================================================================================================
+
+# User notification list for secret detection alerts
+GITLEAKS_NOTIFY_USER_LIST=@mrz1836
+
+# Gitleaks config file (empty = use default config)
+GITLEAKS_CONFIG_FILE=
+
+# ================================================================================================
+# πŸ›‘οΈ NANCY CONFIGURATION
+# ================================================================================================
+
+# Nancy CVE Exclusions (known acceptable vulnerabilities)
+# Format: comma-separated CVE IDs (e.g., CVE-9999-12345,CVE-9999-43210)
+# These are example/fake CVEs - replace with real ones as needed
+NANCY_EXCLUDES=CVE-9999-12345,CVE-9999-43210
+
+# OSS Index Authentication for Nancy (optional, reduces rate limits)
+# Set OSSI_USERNAME and OSSI_TOKEN in GitHub Secrets
+# Get your API token from: https://ossindex.sonatype.org/user-token
+# OSSI_USERNAME should be your email address
+
+# ================================================================================================
+# πŸ” GOVULNCHECK CONFIGURATION
+# ================================================================================================
+
+# Govulncheck/Magex CVE Exclusions (known acceptable vulnerabilities)
+# Format: comma-separated CVE IDs (e.g., CVE-9999-12345,CVE-9999-43210)
+# Used by: magex deps:audit (govulncheck)
+# Can also be passed via: magex deps:audit exclude=CVE-9999-12345
+# These are example/fake CVEs - replace with real ones as needed
+MAGE_X_CVE_EXCLUDES=CVE-9999-12345,CVE-9999-43210
+
+# ================================================================================================
+# πŸ› οΈ SECURITY TOOL VERSIONS
+# ================================================================================================
+
+GITLEAKS_VERSION=8.30.0
+GOVULNCHECK_VERSION=v1.1.4
+NANCY_VERSION=v1.2.0
diff --git a/.github/env/20-redis.env b/.github/env/20-redis.env
new file mode 100644
index 0000000..6dd62e3
--- /dev/null
+++ b/.github/env/20-redis.env
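Review bot: `NANCY_EXCLUDES` and `MAGE_X_CVE_EXCLUDES` ship non-empty in a base file that, per the README hunk later in this diff, is synced to other repos via go-broadcast (if configured), so a vulnerability suppression list becomes the default everywhere; and because the loader is last-wins, a project that writes `NANCY_EXCLUDES=CVE-2024-0001` in 90-project.env replaces the whole base list rather than extending it, and the reverse also holds (base entries silently apply to every consumer). The placeholder IDs are inert today, but the pattern invites real CVEs to be parked in the synced file without a justification. I would ship both empty, `NANCY_EXCLUDES=` and `MAGE_X_CVE_EXCLUDES=`, and replace the "example/fake CVEs" comment with `# Leave empty here; add real IDs in 90-project.env, each with a comment giving the reason and a review date`. The same comment should say that overrides replace, not append, since nothing in the loader merges lists.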
@@ -0,0 +1,74 @@ +# ================================================================================================ +# πŸ—„οΈ REDIS SERVICE CONFIGURATION (20-redis.env) +# ================================================================================================ +# +# Purpose: Redis service container configuration for tests and benchmarks +# Load Order: 20 (integration/service layer, loaded after tools) +# +# This file defines Redis service configuration for repositories that need Redis during testing. +# Configuration includes: +# - Service enable/disable and mode selection +# - Redis Docker image version +# - Connection settings (host, port) +# - Health check configuration +# - Cache configuration +# +# IMPORTANT: This file should only be included in repos that use Redis. +# Most libraries do NOT need this file - only include if your code/tests interact with Redis. +# +# Override in: 90-project.env for project-specific Redis settings +# +# ================================================================================================ + +# ================================================================================================ +# πŸŽ›οΈ REDIS SERVICE CONTROL +# ================================================================================================ + +# Enable Redis service container for tests/benchmarks +ENABLE_REDIS_SERVICE=false + +# Redis service mode: +# - auto: enabled if redis tests detected (smart detection) +# - always: always start Redis service +# - never: never start Redis service (even if tests exist) +REDIS_SERVICE_MODE=never + +# ================================================================================================ +# πŸ“¦ REDIS VERSION CONFIGURATION +# ================================================================================================ + +# Redis Docker image version +# Options: 7-alpine, 6-alpine, latest, or specific version like 7.2-alpine +REDIS_VERSION=7-alpine + +# 
================================================================================================ +# πŸ”Œ REDIS CONNECTION CONFIGURATION +# ================================================================================================ + +# Redis host (localhost for GitHub Actions service containers) +REDIS_HOST=localhost + +# Redis port (standard: 6379) +REDIS_PORT=6379 + +# ================================================================================================ +# πŸ’š REDIS HEALTH CHECK CONFIGURATION +# ================================================================================================ + +# Trust GitHub Actions service container health checks +# When true: skip redis-cli verification (faster startup) +# When false: explicitly verify with redis-cli PING (more reliable) +REDIS_TRUST_SERVICE_HEALTH=true + +# Health check retry configuration +REDIS_HEALTH_CHECK_RETRIES=10 +REDIS_HEALTH_CHECK_INTERVAL=10 +REDIS_HEALTH_CHECK_TIMEOUT=5 + +# ================================================================================================ +# πŸ’Ύ REDIS CACHE CONFIGURATION +# ================================================================================================ + +# Force pull Redis images even when cached +# Set to true to always get latest patch version +REDIS_CACHE_FORCE_PULL=false diff --git a/.github/env/20-workflows.env b/.github/env/20-workflows.env new file mode 100644 index 0000000..edd0ac9 --- /dev/null +++ b/.github/env/20-workflows.env 
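Review bot: `REDIS_VERSION=7-alpine` is a mutable tag and the comment above it offers `latest` as an option, so the Redis the tests run against can change underneath CI with no change in the repo; with `REDIS_CACHE_FORCE_PULL=false` a cached runner may also lag behind a fresh one, so two runs can exercise different Redis builds. For reproducible, reviewable CI I would default to a fully qualified version, `REDIS_VERSION=7.2-alpine` (or a `@sha256:…` digest if the workflow's service `image:` is composed in a way that accepts one — I cannot see that from this hunk), and drop `latest` from the suggested options. It would also help to state in the comment on `REDIS_TRUST_SERVICE_HEALTH=true` whether the `REDIS_HEALTH_CHECK_*` values below apply only when it is `false`; the file currently does not say which path reads them.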
@@ -0,0 +1,170 @@ +# ================================================================================================ +# πŸ“… GITHUB WORKFLOWS CONFIGURATION (20-workflows.env) +# ================================================================================================ +# +# Purpose: GitHub Actions workflow automation configuration +# Load Order: 20 (integration/workflow layer, loaded after tools) +# +# This file defines configuration for GitHub Actions workflow automation including: +# - Stale issue/PR management +# - Label synchronization +# - Dependabot auto-merge settings +# - Auto-merge on approval configuration +# - Pull request management (assignments, labels, welcome messages) +# +# These settings control the automated workflows that manage issues, PRs, and repository hygiene. +# +# Override in: 90-project.env for project-specific workflow settings +# +# ================================================================================================ + +# ================================================================================================ +# πŸ“… STALE WORKFLOW CONFIGURATION +# ================================================================================================ + +# Days before an issue/PR is marked as stale +STALE_DAYS_BEFORE_STALE=60 + +# Days before a stale issue/PR is automatically closed +STALE_DAYS_BEFORE_CLOSE=14 + +# Label applied to stale issues/PRs +STALE_LABEL=stale + +# Labels that exempt issues from being marked stale +STALE_EXEMPT_ISSUE_LABELS=work-in-progress,security,requires-manual-review + +# Labels that exempt PRs from being marked stale +STALE_EXEMPT_PR_LABELS=work-in-progress,security,requires-manual-review + +# Maximum number of issues/PRs to process per workflow run +STALE_OPERATIONS_PER_RUN=300 + +# ================================================================================================ +# 🏷️ SYNC LABELS CONFIGURATION +# 
================================================================================================ + +# Path to labels definition file +SYNC_LABELS_FILE=.github/labels.yml + +# ================================================================================================ +# πŸ€– DEPENDABOT AUTO-MERGE CONFIGURATION +# ================================================================================================ + +# Repository maintainer username +DEPENDABOT_MAINTAINER_USERNAME=mrz1836 + +# Auto-merge patch version updates +DEPENDABOT_AUTO_MERGE_PATCH=true + +# Auto-merge minor version updates for dev dependencies +DEPENDABOT_AUTO_MERGE_MINOR_DEV=true + +# Auto-merge minor version updates for production dependencies +DEPENDABOT_AUTO_MERGE_MINOR_PROD=true + +# Auto-merge patch updates for indirect dependencies +DEPENDABOT_AUTO_MERGE_PATCH_INDIRECT=true + +# Auto-merge minor updates for indirect dependencies +DEPENDABOT_AUTO_MERGE_MINOR_INDIRECT=true + +# Auto-merge security updates (non-major versions) +DEPENDABOT_AUTO_MERGE_SECURITY_NON_MAJOR=true + +# Send alerts for major version updates +DEPENDABOT_ALERT_ON_MAJOR=true + +# Send alerts for minor production dependency updates +DEPENDABOT_ALERT_ON_MINOR_PROD=true + +# Label for PRs requiring manual review +DEPENDABOT_MANUAL_REVIEW_LABEL=requires-manual-review + +# Labels applied to auto-mergeable Dependabot PRs +DEPENDABOT_AUTO_MERGE_LABELS=automerge,dependabot + +# ================================================================================================ +# βœ… AUTO-MERGE ON APPROVAL CONFIGURATION +# ================================================================================================ + +# Minimum number of approvals required before auto-merge +AUTO_MERGE_MIN_APPROVALS=1 + +# Require all requested reviewers to approve before merging +AUTO_MERGE_REQUIRE_ALL_REQUESTED_REVIEWS=true + +# Allowed merge types (comma-separated: merge, squash, rebase) +AUTO_MERGE_ALLOWED_MERGE_TYPES=squash + +# Delete 
branch after successful merge +AUTO_MERGE_DELETE_BRANCH=true + +# Skip auto-merge for draft PRs +AUTO_MERGE_SKIP_DRAFT=true + +# Skip auto-merge for PRs with WIP in title +AUTO_MERGE_SKIP_WIP=true + +# Labels that prevent auto-merge +AUTO_MERGE_WIP_LABELS=work-in-progress,wip,do-not-merge,requires-manual-review,security + +# Post comment when auto-merge is enabled +AUTO_MERGE_COMMENT_ON_ENABLE=true + +# Post comment when auto-merge is disabled +AUTO_MERGE_COMMENT_ON_DISABLE=true + +# Labels to add when auto-merge is enabled +AUTO_MERGE_LABELS_TO_ADD=automerge-enabled + +# Skip auto-merge for bot-created PRs (except Dependabot) +AUTO_MERGE_SKIP_BOT_PRS=true + +# Skip auto-merge for PRs from forks +AUTO_MERGE_SKIP_FORK_PRS=true + +# Comment when fork PR auto-merge is skipped +# Note: Fork PRs receive welcome comments from pull-request-management-fork.yml instead +# This setting only affects same-repo PRs (fork PRs use read-only GITHUB_TOKEN) +AUTO_MERGE_COMMENT_ON_FORK_SKIP=true + +# Require specific label for auto-merge to be enabled +AUTO_MERGE_REQUIRE_LABEL=true + +# Required label for auto-merge +AUTO_MERGE_LABEL=automerge + +# ================================================================================================ +# πŸ“ PULL REQUEST MANAGEMENT CONFIGURATION +# ================================================================================================ + +# Default assignee for new PRs +PR_MANAGEMENT_DEFAULT_ASSIGNEE=mrz1836 + +# Bot users to skip for PR management +PR_MANAGEMENT_SKIP_BOT_USERS=dependabot[bot],mergify[bot],copilot[bot] + +# Welcome first-time contributors with a comment +PR_MANAGEMENT_WELCOME_FIRST_TIME=true + +# Apply size labels based on PR lines changed +PR_MANAGEMENT_APPLY_SIZE_LABELS=true + +# Apply type labels based on PR content +PR_MANAGEMENT_APPLY_TYPE_LABELS=true + +# Clean workflow cache when PR is closed +PR_MANAGEMENT_CLEAN_CACHE_ON_CLOSE=true + +# Delete branch when PR is merged 
+PR_MANAGEMENT_DELETE_BRANCH_ON_MERGE=true + +# Protected branches (won't be deleted) +PR_MANAGEMENT_PROTECTED_BRANCHES=master,main,development,production + +# PR Size Thresholds (lines changed) +PR_MANAGEMENT_SIZE_XS_THRESHOLD=10 +PR_MANAGEMENT_SIZE_S_THRESHOLD=50 +PR_MANAGEMENT_SIZE_M_THRESHOLD=200 +PR_MANAGEMENT_SIZE_L_THRESHOLD=500 diff --git a/.github/env/README.md b/.github/env/README.md new file mode 100644 index 0000000..4c544b3 --- /dev/null +++ b/.github/env/README.md @@ -0,0 +1,145 @@ +# Modular Environment Configuration + +Configuration is split into domain-specific files loaded in numeric order. Later files override earlier ones (last wins). + +
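Review bot: `DEPENDABOT_AUTO_MERGE_MINOR_PROD=true` (and `DEPENDABOT_AUTO_MERGE_MINOR_INDIRECT=true`) makes unreviewed minor bumps of production dependencies the base default, while the header comment in the dependabot-auto-merge.yml hunk further down this diff still says "Minor prod dependencies: Manual review by default" — the two disagree, and since env files win and this one is synced to other repos, the `true` is what takes effect. A minor release can pull in new transitive modules and new code paths, so a compromised or mistaken upstream release would land on the default branch with CI as the only gate. I would set `DEPENDABOT_AUTO_MERGE_MINOR_PROD=false` and `DEPENDABOT_AUTO_MERGE_MINOR_INDIRECT=false` here, let projects opt in from 90-project.env, and correct whichever text is wrong so the workflow header and the default agree. Separately, with `AUTO_MERGE_MIN_APPROVALS=1` and `AUTO_MERGE_REQUIRE_LABEL=true` the effective gate is whoever can apply the `automerge` label, which deserves a one-line comment next to `AUTO_MERGE_LABEL` so the permission model is explicit.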
+ +## File Structure + +``` +.github/env/ +β”œβ”€β”€ load-env.sh # Shell loader script +β”œβ”€β”€ README.md # This file +β”‚ +β”œβ”€β”€ 00-core.env # Go versions, runners, feature flags, timeouts +β”œβ”€β”€ 10-coverage.env # go-coverage settings +β”œβ”€β”€ 10-mage-x.env # MAGE-X build system configuration +β”œβ”€β”€ 10-pre-commit.env # go-pre-commit settings +β”œβ”€β”€ 10-security.env # Gitleaks, Nancy, Govulncheck +β”œβ”€β”€ 20-redis.env # Redis service configuration +β”œβ”€β”€ 20-workflows.env # Stale, labels, dependabot, PR management +β”œβ”€β”€ 90-project.env # Project-specific overrides (not synced) +└── 99-local.env # Local development (gitignored) +``` + +
+ +## Naming Convention + +| Prefix | Purpose | Examples | +|--------|---------|----------| +| `00-` | Core / foundation | Go versions, runners, feature flags | +| `10-` | Tool configuration | mage-x, coverage, pre-commit, security | +| `20-` | Services & workflows | Redis, workflow automation | +| `90-` | Project overrides | Project-specific settings (not synced) | +| `99-` | Local development | Machine-specific (gitignored) | + +
+ +## Override Behavior + +Files load in sorted order. Variables in later files override earlier ones: + +```bash +# 00-core.env +GO_PRIMARY_VERSION=1.24.x + +# 90-project.env (loaded later, wins) +GO_PRIMARY_VERSION=1.23.x # This value is used +``` + +
+ +## Usage + +### In GitHub Actions + +The loader is called automatically by the `load-env` composite action: + +```yaml +- uses: ./.github/actions/load-env + id: load-env +``` + +### Local Development + +```bash +source .github/env/load-env.sh + +# With verbose output +source .github/env/load-env.sh --verbose + +# Or via environment variable +ENV_LOADER_VERBOSE=1 source .github/env/load-env.sh +``` + +### Verifying Configuration + +```bash +# Check a specific variable +source .github/env/load-env.sh && echo $GO_PRIMARY_VERSION + +# List all exported variables +source .github/env/load-env.sh && env | grep -E '^[A-Z_]+' +``` + +
+ +## Adding New Variables + +1. **Identify the domain** β€” which file does this variable belong in? +2. **Add with a comment** β€” explain what the variable controls +3. **Test locally** β€” source the loader and verify +4. **Commit** β€” changes sync to other repos via go-broadcast (if configured) + +```bash +# In 10-mage-x.env +# Maximum parallel workers for mage builds +MAGE_X_MAX_WORKERS=4 +``` + +
+ +## Project Overrides (`90-project.env`) + +Settings specific to this repository that should not be synced to other repos: + +```bash +# 90-project.env - Project-specific overrides +# These settings are NOT synced via go-broadcast + +GO_COVERAGE_THRESHOLD=80.0 +ENABLE_REDIS_SERVICE=true +``` + +
+ +## Local Development (`99-local.env`) + +Create `99-local.env` for machine-specific settings (gitignored): + +```bash +# 99-local.env - Local development overrides + +GO_COVERAGE_USE_LOCAL=true +GO_COVERAGE_LOCAL_PATH=/Users/me/projects/go-coverage/go-coverage +MAGE_X_VERBOSE=true +``` + +
+ +## CI Behavior + +- In CI (`CI=true`), the loader skips `99-local.env` +- Variables are exported so downstream workflow steps can access them +- The composite action converts exported vars to JSON for workflow compatibility + +
+ +## Troubleshooting + +**Variables not available in workflow steps** β€” Ensure `set -a` is enabled in the loader (exports all sourced variables). + +**Wrong value being used** β€” Check load order. Later files override earlier ones. Use `--verbose` to see which files are loaded. + +**Local overrides not working** β€” Make sure `99-local.env` exists and you're not running in CI mode. diff --git a/.github/env/load-env.sh b/.github/env/load-env.sh new file mode 100644 index 0000000..3dccf1f --- /dev/null +++ b/.github/env/load-env.sh 
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# load-env.sh β€” Modular environment loader for go-fortress CI
+#
+# Usage: source .github/env/load-env.sh [--verbose]
+# ENV_LOADER_VERBOSE=1 source .github/env/load-env.sh
+#
+# Behavior:
+# - Sources all *.env files in numeric order (00-, 10-, 20-, etc.)
+# - Later files override earlier (last wins)
+# - Skips 99-local.env when CI=true
+# - Returns 0 on success, 1 on error, 2 if no .env files found
+#
+# Author: Z + ZAI | License: MIT
+
+set -euo pipefail
+
+# Portable directory resolution (handles symlinks)
+_env_loader_dir() {
+ local source="${BASH_SOURCE[0]}"
+ while [[ -L "$source" ]]; do
+ local dir
+ dir="$(cd -P "$(dirname "$source")" && pwd)"
+ source="$(readlink "$source")"
+ [[ "$source" != /* ]] && source="$dir/$source"
+ done
+ cd -P "$(dirname "$source")" && pwd
+}
+
+# Main loader logic
+_load_env_files() {
+ local verbose="${ENV_LOADER_VERBOSE:-0}"
+ [[ "${1:-}" == "--verbose" ]] && verbose=1
+
+ local script_dir
+ script_dir="$(_env_loader_dir)" || return 1
+
+ [[ ! -d "$script_dir" ]] && { echo "env-loader: directory not found" >&2; return 1; }
+
+ local count=0
+ local in_ci="${CI:-false}"
+
+ # Ensure variables set by sourced .env files are exported so downstream
+ # steps can read them via `env` (GitHub Actions compatibility).
+ #
+ # NOTE: We intentionally enable `allexport` only for the sourcing loop.
+ # This avoids exporting our internal loader variables.
+ set -a
+
+ # LC_COLLATE=C ensures consistent sort order across locales
+ while IFS= read -r -d '' env_file; do
+ local filename
+ filename="$(basename "$env_file")"
+
+ # Skip local overrides in CI
+ [[ "$in_ci" == "true" && "$filename" == "99-local.env" ]] && continue
+
+ # shellcheck source=/dev/null
+ source "$env_file"
+ ((count++))
+
+ [[ "$verbose" == "1" ]] && echo "env-loader: loaded $filename" >&2
+ done < <(find "$script_dir" -maxdepth 1 -name '*.env' -print0 | LC_COLLATE=C sort -z)
+
+ set +a
+
+ [[ "$verbose" == "1" ]] && echo "env-loader: $count file(s) loaded" >&2
+ [[ "$count" -eq 0 ]] && return 2
+
+ return 0
+}
+
+_load_env_files "$@"
diff --git a/.github/tech-conventions/commit-branch-conventions.md b/.github/tech-conventions/commit-branch-conventions.md
index 4233260..4ea3f61 100644
--- a/.github/tech-conventions/commit-branch-conventions.md
+++ b/.github/tech-conventions/commit-branch-conventions.md
@@ -31,7 +31,7 @@ docs(README): improve installation instructions
 ## πŸ“ go-pre-commit System (Optional)
-To ensure consistent commit messages and code quality, we use the external **go-pre-commit** tool that checks formatting, linting, and other standards before allowing a commit. The system is configured via `.github/.env.base` and can be installed with:
+To ensure consistent commit messages and code quality, we use the external **go-pre-commit** tool that checks formatting, linting, and other standards before allowing a commit. The system is configured via `.github/env/` and can be installed with:
 ```bash
 # Install the external tool
diff --git a/.github/tech-conventions/pre-commit.md b/.github/tech-conventions/pre-commit.md
index 316f0cc..673c07d 100644
--- a/.github/tech-conventions/pre-commit.md
+++ b/.github/tech-conventions/pre-commit.md
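Review bot: Under the `set -euo pipefail` at the top of the file, `((count++))` in the loop evaluates to 0 on the first file and therefore returns status 1, which with errexit aborts the loop — and because this file is `source`d, it takes the caller's shell down rather than the script, leaving `set -a` switched on; unless the composite action neutralises errexit in a way not visible here, the first file loaded should trigger this. Those three options also persist in the sourcing shell after a successful load (a developer's interactive shell keeps `-e`/`-u`), so I would write `count=$((count + 1))` and move the `set -euo pipefail` inside `_load_env_files` behind `local -` (bash ≥ 4.4 restores options on return). The larger point is that every `*.env` in the directory is executed, not parsed: a `$(…)` or backtick in any of them runs inside the workflow step with whatever secrets that step holds, and the `-name '*.env'` glob is not limited to the numbered files the README lists. Since the hunk is the whole file, I would gate each file on a plain `KEY=value` check before sourcing, as below; this also rejects `$HOME`-style references, which none of the env files in this diff use.
```bash
# … unchanged: header comment, _env_loader_dir …

# Accept only blank lines, comments, and KEY=value with no command
# substitution: these files are sourced, so anything else is executed.
_env_file_is_plain() {
  ! grep -Evq '^[[:space:]]*(#.*)?$|^[A-Za-z_][A-Za-z0-9_]*=[^`$]*$' "$1"
}

_load_env_files() {
  local -  # bash >= 4.4: shell options set below are restored on return
  set -euo pipefail
  # … unchanged: verbose, script_dir, count, in_ci setup …
  set -a
  while IFS= read -r -d '' env_file; do
    # … unchanged: filename, 99-local.env skip in CI …
    if ! _env_file_is_plain "$env_file"; then
      echo "env-loader: refusing to source $filename (not plain KEY=value)" >&2
      set +a
      return 1
    fi
    # shellcheck source=/dev/null
    source "$env_file"
    count=$((count + 1))
    # … unchanged: verbose echo …
  done < <(find "$script_dir" -maxdepth 1 -name '[0-9][0-9]-*.env' -print0 | LC_COLLATE=C sort -z)
  # … unchanged: set +a, summary, return codes …
}
```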
@@ -56,7 +56,7 @@ That's it! The pre-commit hooks are now active and will run on every commit. ## Configuration -go-pre-commit uses environment variables for all configuration, typically stored in `.github/.env.base` for team-wide settings and optionally `.github/.env.custom` for local overrides. +go-pre-commit uses environment variables for all configuration, stored in `.github/env/` as modular files. Use `10-pre-commit.env` for team-wide settings and `90-project.env` for project-specific overrides. ### Basic Configuration @@ -264,7 +264,7 @@ The project has migrated from the embedded GoFortress pre-commit system (`.githu go-pre-commit install ``` -3. **Update configuration** (already done in `.github/.env.base`): +3. **Update configuration** (in `.github/env/10-pre-commit.env`): ```bash # Configuration now uses GO_PRE_COMMIT_ prefixes ENABLE_GO_PRE_COMMIT=true @@ -372,10 +372,10 @@ magex tidy # Test mod-tidy integration ### Team Setup **Repository Configuration:** -1. Pin tool version in `.github/.env.base`: `GO_PRE_COMMIT_VERSION=v1.1.11` +1. Pin tool version in `.github/env/10-pre-commit.env`: `GO_PRE_COMMIT_VERSION=v1.1.11` 2. Document installation in README or onboarding guides 3. Set up CI/CD integration for consistent enforcement -4. Use `.github/.env.custom` for developer-specific overrides +4. Use `.github/env/99-local.env` for developer-specific overrides (gitignored) **Developer Onboarding:** ```bash @@ -391,7 +391,7 @@ go-pre-commit install # Update go-pre-commit itself go install github.com/mrz1836/go-pre-commit/cmd/go-pre-commit@latest -# Update tool versions in .env.base +# Update tool versions in 10-pre-commit.env GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.6.0 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.0 ``` diff --git a/.github/workflows/auto-merge-on-approval.yml b/.github/workflows/auto-merge-on-approval.yml index 85a042c..55c27b6 100644 --- a/.github/workflows/auto-merge-on-approval.yml +++ b/.github/workflows/auto-merge-on-approval.yml 
@@ -5,14 +5,14 @@ # and readiness conditions are met. GitHub handles the actual merge # when all status checks pass. # -# Configuration: All settings are loaded from .env.base and .env.custom files for +# Configuration: All settings are loaded from modular .github/env/ files for # centralized management across all workflows. # # Triggers: # - Pull request reviews (submitted) # - Pull request state changes (ready_for_review, review_request_removed) # -# Auto-merge Rules (configurable via .env.base/.env.custom): +# Auto-merge Rules (configurable via .github/env/): # - Minimum number of approvals # - No requested reviewers remaining (if configured) # - No "Changes Requested" reviews @@ -47,7 +47,7 @@ concurrency: # -------------------------------------------------------------------- # Environment Variables # -------------------------------------------------------------------- -# Note: Configuration variables are loaded from .env.base and .env.custom files +# Note: Configuration variables are loaded from modular .github/env/ files jobs: # ---------------------------------------------------------------------------------- @@ -68,8 +68,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: sparse-checkout: | - .github/.env.base - .github/.env.custom + .github/env .github/actions/load-env # -------------------------------------------------------------------- diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f618d35..fcd281f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -46,7 +46,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1 + uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -57,7 +57,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1 + uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 # ℹ️ Command-line programs to run using the OS shell. # πŸ“š https://git.io/JvXDl @@ -67,4 +67,4 @@ jobs: # uses a compiled language - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1 + uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index f3ee55a..d14a5e9 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml 
@@ -5,12 +5,12 @@ # for different update types (patch, minor, major) and dependency types # (development, production). Security updates get special handling. # -# Configuration: All settings are loaded from .env.base and .env.custom files for +# Configuration: All settings are loaded from modular .github/env/ files for # centralized management across all workflows. # # Triggers: Pull request events for immediate response to Dependabot PRs # -# Auto-merge Rules (configurable via .env.base/.env.custom): +# Auto-merge Rules (configurable via .github/env/): # - Patch updates: Auto-merge by default # - Minor dev dependencies: Auto-merge by default # - Minor prod dependencies: Manual review by default @@ -43,7 +43,7 @@ concurrency: # -------------------------------------------------------------------- # Environment Variables # -------------------------------------------------------------------- -# Note: Configuration variables are loaded from .env.base and .env.custom files +# Note: Configuration variables are loaded from modular .github/env/ files jobs: # ---------------------------------------------------------------------------------- @@ -66,8 +66,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: sparse-checkout: | - .github/.env.base - .github/.env.custom + .github/env .github/actions/load-env # -------------------------------------------------------------------- diff --git a/.github/workflows/fortress-completion-tests.yml b/.github/workflows/fortress-completion-tests.yml index 653d5b6..6a5bea5 100644 --- a/.github/workflows/fortress-completion-tests.yml +++ b/.github/workflows/fortress-completion-tests.yml 
@@ -333,7 +333,7 @@ jobs: if [[ "${{ env.ENABLE_GO_TESTS }}" == "false" ]]; then echo "| **Test Suite** | ❌ Disabled - Set ENABLE_GO_TESTS=true to enable |" echo "| **Reason** | Tests are disabled via configuration flag |" - echo "| **Note** | Enable ENABLE_GO_TESTS in .env.custom or .env.base to run tests |" + echo "| **Note** | Enable ENABLE_GO_TESTS in .github/env/00-core.env to run tests |" else echo "| **Test Suite** | ⚠️ Skipped - No test statistics available |" echo "| **Reason** | Tests may have been skipped for fork PR security restrictions |" diff --git a/.github/workflows/fortress-coverage.yml b/.github/workflows/fortress-coverage.yml index f920ac8..e4d8274 100644 --- a/.github/workflows/fortress-coverage.yml +++ b/.github/workflows/fortress-coverage.yml @@ -405,7 +405,7 @@ jobs: echo "" echo "πŸ” Checking run $run_id for coverage history artifacts..." - ARTIFACTS=$(gh api repos/${{ github.repository }}/actions/runs/$run_id/artifacts \ + ARTIFACTS=$(gh api repos/${{ github.repository }}/actions/runs/$run_id/artifacts --paginate \ --jq '.artifacts[] | select(.name | startswith("coverage-history-")) | .archive_download_url' \ 2>/dev/null || echo "") @@ -940,7 +940,7 @@ jobs: echo "" echo "πŸ“ To fix this:" echo " 1. Add more tests to increase coverage" - echo " 2. Or adjust GO_COVERAGE_THRESHOLD in .env.base/.env.custom" + echo " 2. Or adjust GO_COVERAGE_THRESHOLD in .github/env/10-coverage.env" echo "" echo "πŸ“Š Coverage exclusions (applied during test generation):" echo " - GO_COVERAGE_EXCLUDE_PATHS: ${{ env.GO_COVERAGE_EXCLUDE_PATHS }}" 
@@ -1078,7 +1078,7 @@ jobs: echo "πŸ” Checking run $run_id for coverage artifacts..." # Look for coverage-data artifact - COVERAGE_ARTIFACTS=$(gh api repos/${{ github.repository }}/actions/runs/$run_id/artifacts \ + COVERAGE_ARTIFACTS=$(gh api repos/${{ github.repository }}/actions/runs/$run_id/artifacts --paginate \ --jq '.artifacts[] | select(.name == "coverage-data") | .archive_download_url' \ 2>/dev/null || echo "") @@ -2313,7 +2313,7 @@ jobs: if [[ "$FAIL_ON_ERRORS" == "true" ]]; then echo "" echo "πŸ’‘ To allow the job to continue despite URL verification failures, set:" - echo " GO_COVERAGE_FAIL_ON_URL_ERRORS=false in .github/.env.custom" + echo " GO_COVERAGE_FAIL_ON_URL_ERRORS=false in .github/env/10-coverage.env" exit 1 else echo "" diff --git a/.github/workflows/fortress-setup-config.yml b/.github/workflows/fortress-setup-config.yml index c857e50..45db5cb 100644 --- a/.github/workflows/fortress-setup-config.yml +++ b/.github/workflows/fortress-setup-config.yml @@ -20,31 +20,16 @@ on: description: "Primary runner OS" required: true type: string - base-file-found: - description: "Whether .env.base file was found" - required: false - type: string - default: "false" - custom-file-found: - description: "Whether .env.custom file was found" - required: false - type: string - default: "false" - base-var-count: - description: "Number of variables loaded from .env.base" + env-file-count: + description: "Number of env files loaded" required: false type: string default: "0" - custom-var-count: - description: "Number of variables loaded from .env.custom" + var-count: + description: "Total number of variables loaded" required: false type: string default: "0" - config-mode: - description: "Configuration mode: new or base-only" - required: false - type: string - default: "new" secrets: github-token: description: "GitHub token for API access" 
@@ -630,16 +615,10 @@ jobs:
 echo "- **Workflow Start Time**: ${{ steps.timer.outputs.start-time }}" >> $GITHUB_STEP_SUMMARY
 # Configuration File Discovery
- BASE_FOUND="${{ inputs.base-file-found }}"
- CUSTOM_FOUND="${{ inputs.custom-file-found }}"
- BASE_COUNT="${{ inputs.base-var-count }}"
- CUSTOM_COUNT="${{ inputs.custom-var-count }}"
+ ENV_FILE_COUNT="${{ inputs.env-file-count }}"
+ VAR_COUNT="${{ inputs.var-count }}"
- if [[ "$CUSTOM_FOUND" == "true" ]]; then
- echo "- **Configuration Sources**: Base (\`.env.base\`: $BASE_COUNT vars) + Custom (\`.env.custom\`: $CUSTOM_COUNT overrides)" >> $GITHUB_STEP_SUMMARY
- else
- echo "- **Configuration Sources**: Base only (\`.env.base\`: $BASE_COUNT variables)" >> $GITHUB_STEP_SUMMARY
- fi
+ echo "- **Configuration Sources**: Modular env files ($ENV_FILE_COUNT files, $VAR_COUNT variables)" >> $GITHUB_STEP_SUMMARY
 echo "- **Total Environment Variables**: $ENV_COUNT" >> $GITHUB_STEP_SUMMARY
 echo "- **Enabled Features**: $ENABLED_FEATURES" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/fortress-test-magex.yml b/.github/workflows/fortress-test-magex.yml
index b68a906..a2cdaf0 100644
--- a/.github/workflows/fortress-test-magex.yml
+++ b/.github/workflows/fortress-test-magex.yml
@@ -64,7 +64,7 @@ jobs:
 with:
 fetch-depth: 0 # Required for sparse checkout
 sparse-checkout: |
- .github/.env.base
+ .github/env
 .github/actions/setup-magex
 .mage.yaml
 go.mod
diff --git a/.github/workflows/fortress-warm-cache.yml b/.github/workflows/fortress-warm-cache.yml
index 385aaf6..94e6c01 100644
--- a/.github/workflows/fortress-warm-cache.yml
+++ b/.github/workflows/fortress-warm-cache.yml
@@ -122,7 +122,7 @@ jobs:
 .github/actions/cache-redis-image
 .github/actions/setup-go-with-cache
 .github/actions/setup-magex
- .github/.env.base
+ .github/env
 ${{ steps.module-paths.outputs.go_mod_file }}
 ${{ inputs.go-sum-file }}
 .mage.yaml
diff --git a/.github/workflows/fortress.yml b/.github/workflows/fortress.yml
index 7a6786d..c540dfb 100644
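Review bot: The two new lines `ENV_FILE_COUNT="${{ inputs.env-file-count }}"` and `VAR_COUNT="${{ inputs.var-count }}"` keep expanding workflow expressions directly inside the `run:` script text; as far as this hunk shows the values come from the caller's load-env step rather than from an event payload, so they are not attacker-controlled here, but the usual hardening is to pass them through the step's `env:` block (`env: ENV_FILE_COUNT: ${{ inputs.env-file-count }}`) and read `$ENV_FILE_COUNT` in the script. That keeps expression expansion out of the shell source and makes the summary step safe to extend later with inputs that do derive from PR data. The enclosing step starts and ends outside the hunk.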
--- a/.github/workflows/fortress.yml
+++ b/.github/workflows/fortress.yml
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------------------
 # 🏰 GoFortress - Enterprise-grade CI/CD fortress for Go applications
 #
-# Version: 1.6.0 | Released: 2026-01-29
+# Version: 1.7.0 | Released: 2026-02-06
 #
 # Built Strong. Tested Harder.
 #
@@ -18,7 +18,7 @@
 # πŸš€ Release Citadel: Automated deployments with GoReleaser and GoDocs
 #
 # Maintainer: @mrz1836
-# Repository: https://github.com/mrz1836/go-fortress
+# Repository: https://github.com/mrz1836/go-broadcast
 #
 # Copyright 2025 @mrz1836
 # SPDX-License-Identifier: MIT
@@ -81,11 +81,8 @@ jobs:
 outputs:
 env-json: ${{ steps.load-env.outputs.env-json }}
 primary-runner: ${{ steps.load-env.outputs.primary-runner }}
- base-file-found: ${{ steps.load-env.outputs.base-file-found }}
- custom-file-found: ${{ steps.load-env.outputs.custom-file-found }}
- base-var-count: ${{ steps.load-env.outputs.base-var-count }}
- custom-var-count: ${{ steps.load-env.outputs.custom-var-count }}
- config-mode: ${{ steps.load-env.outputs.config-mode }}
+ env-file-count: ${{ steps.load-env.outputs.env-file-count }}
+ var-count: ${{ steps.load-env.outputs.var-count }}
 steps:
 # --------------------------------------------------------------------
 # Check out code to access env file
@@ -94,8 +91,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
- .github/.env.base
- .github/.env.custom
+ .github/env
 .github/actions/load-env
 # --------------------------------------------------------------------
@@ -117,11 +113,8 @@ jobs:
 with:
 env-json: ${{ needs.load-env.outputs.env-json }}
 primary-runner: ${{ needs.load-env.outputs.primary-runner }}
- base-file-found: ${{ needs.load-env.outputs.base-file-found }}
- custom-file-found: ${{ needs.load-env.outputs.custom-file-found }}
- base-var-count: ${{ needs.load-env.outputs.base-var-count }}
- custom-var-count: ${{ needs.load-env.outputs.custom-var-count }}
- config-mode: ${{ needs.load-env.outputs.config-mode }}
+ env-file-count: ${{ needs.load-env.outputs.env-file-count }}
+ var-count: ${{ needs.load-env.outputs.var-count }}
 secrets:
 github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
 # ----------------------------------------------------------------------------------
diff --git a/.github/workflows/pull-request-management-fork.yml b/.github/workflows/pull-request-management-fork.yml
index 9e13321..e14719b 100644
--- a/.github/workflows/pull-request-management-fork.yml
+++ b/.github/workflows/pull-request-management-fork.yml
@@ -3,7 +3,7 @@
 #
 # Purpose: Automate labeling, assignment, and welcoming of pull requests for forked PRs.
 #
-# Configuration: All settings are loaded from .env.base and .env.custom files for
+# Configuration: All settings are loaded from modular .github/env/ files for
 # centralized management across all workflows.
 #
 # Triggers: Pull request events (opened, reopened, ready for review, closed, synchronize)
@@ -27,25 +27,25 @@
 #
 # β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
 # β”‚ WHY pull_request_target IS SAFE HERE: β”‚
-# β”‚ β”‚
+# β”‚ β”‚
 # β”‚ βœ… Uses pull_request_target trigger for write permissions β”‚
 # β”‚ (Required for: labels, comments, assignees) β”‚
-# β”‚ β”‚
+# β”‚ β”‚
 # β”‚ βœ… CRITICAL: Only checks out BASE branch code, NEVER PR head β”‚
 # β”‚ (Prevents malicious code execution from untrusted forks) β”‚
-# β”‚ β”‚
+# β”‚ β”‚
 # β”‚ βœ… Fork detection uses full_name comparison for accuracy β”‚
 # β”‚ (Not owner.login which fails for org members) β”‚
-# β”‚ β”‚
+# β”‚ β”‚
 # β”‚ βœ… All code execution happens from trusted base repository β”‚
 # β”‚ (No code from PR is ever executed) β”‚
-# β”‚ β”‚
+# β”‚ β”‚
 # β”‚ βœ… No secrets exposed to fork PRs (GITHUB_TOKEN only) β”‚
 # β”‚ (No custom secrets accessible to malicious actors) β”‚
-# β”‚ β”‚
+# β”‚ β”‚
 # β”‚ βœ… Sparse checkout minimizes attack surface β”‚
 # β”‚ (Only config files checked out, no executable code) β”‚
-# β”‚ β”‚
+# β”‚ β”‚
 # β”‚ βœ… Least-privilege permissions model β”‚
 # β”‚ (Jobs get elevated permissions only where absolutely needed) β”‚
 # β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
@@ -108,7 +108,7 @@ concurrency:
 # --------------------------------------------------------------------
 # Environment Variables
 # --------------------------------------------------------------------
-# Note: Configuration variables are loaded from .env.base and .env.custom files
+# Note: Configuration variables are loaded from modular .github/env/ files
 jobs:
 # ------------------------------------------------------------
@@ -117,6 +117,8 @@ jobs:
 load-env:
 name: 🌍 Load Environment (Base Repo)
 runs-on: ubuntu-latest
+ # Early exit: Skip entire workflow for same-repo PRs (handled by main workflow)
+ if: github.event.pull_request.head.repo.full_name != github.repository
 # No write perms here
 permissions:
 contents: read
@@ -125,14 +127,14 @@ jobs:
 steps:
 # β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
 # β”‚ SECURITY SCANNERS: This checkout is SAFE despite pull_request_targetβ”‚
- # β”‚ β”‚
- # β”‚ Justification: β”‚
+ # β”‚ β”‚
+ # β”‚ Justification: β”‚
 # β”‚ - Only checks out TRUSTED base branch (ref: github.base_ref) β”‚
 # β”‚ - NEVER checks out PR head code from untrusted fork β”‚
 # β”‚ - Implements recommended two-workflow security pattern β”‚
 # β”‚ - Uses sparse checkout (minimal attack surface) β”‚
 # β”‚ - No executable code from PR is ever run β”‚
- # β”‚ β”‚
+ # β”‚ β”‚
 # β”‚ Pattern: Two-workflow security model (see SECURITY.md) β”‚
 # β”‚ References: githubactions:S7631, semgrep:github-actions-checkout β”‚
 # β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
@@ -162,8 +164,7 @@ jobs:
 ref: ${{ github.base_ref }}
 fetch-depth: 1
 sparse-checkout: |
- .github/.env.base
- .github/.env.custom
+ .github/env
 .github/actions/load-env
 - name: 🌍 Load environment variables
diff --git a/.github/workflows/pull-request-management.yml b/.github/workflows/pull-request-management.yml
index 0d466a3..15a115e 100644
--- a/.github/workflows/pull-request-management.yml
+++ b/.github/workflows/pull-request-management.yml
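Review bot: The new job-level `if: github.event.pull_request.head.repo.full_name != github.repository` on `load-env` only short-circuits the rest of the workflow while every downstream job keeps the default success condition on its `needs: load-env`; any job using `if: always()` or `!cancelled()` would still run on same-repo PRs with empty load-env outputs, so the other jobs (outside this hunk) should be checked for that. Note also that `head.repo` can be null when the fork has been deleted, in which case the `!=` test is true and the PR is handled by this fork workflow — the safe direction — while the mirror condition added in pull-request-management.yml (`== github.repository`) skips such PRs entirely; a one-line comment would keep that intent visible: `# head.repo is null when the fork was deleted; that case is treated as a fork PR (safe default)`. The `load-env` job continues outside the hunk.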
@@ -5,7 +5,7 @@
 # assignments, size analysis, welcomes for new contributors, and cleanup
 # tasks when PRs are closed. All configuration is centralized and customizable.
 #
-# Configuration: All settings are loaded from .env.base and .env.custom files for
+# Configuration: All settings are loaded from modular .github/env/ files for
 # centralized management across all workflows.
 #
 # Triggers: Pull request events (opened, reopened, ready for review, closed, synchronize)
@@ -51,7 +51,7 @@ concurrency:
 # --------------------------------------------------------------------
 # Environment Variables
 # --------------------------------------------------------------------
-# Note: Configuration variables are loaded from .env.base and .env.custom files
+# Note: Configuration variables are loaded from modular .github/env/ files
 jobs:
 # ----------------------------------------------------------------------------------
@@ -60,6 +60,8 @@ jobs:
 load-env:
 name: 🌍 Load Environment Variables
 runs-on: ubuntu-latest
+ # Early exit: Skip entire workflow for fork PRs (handled by fork workflow)
+ if: github.event.pull_request.head.repo.full_name == github.repository
 permissions:
 contents: read # Required: Read repository content for sparse checkout
 outputs:
@@ -72,8 +74,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
- .github/.env.base
- .github/.env.custom
+ .github/env
 .github/actions/load-env
 # --------------------------------------------------------------------
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 97faa18..abc6083 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -77,6 +77,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable the upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
+ uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/stale-check.yml b/.github/workflows/stale-check.yml
index fd70c68..55b7f99 100644
--- a/.github/workflows/stale-check.yml
+++ b/.github/workflows/stale-check.yml
@@ -5,7 +5,7 @@
 # This workflow identifies stale items, marks them with a label, and eventually closes
 # them if no activity occurs within the configured timeframe.
 #
-# Configuration: All settings are loaded from .env.base and .env.custom files for
+# Configuration: All settings are loaded from modular .github/env/ files for
 # centralized management across all workflows.
 #
 # Triggers:
@@ -56,8 +56,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
- .github/.env.base
- .github/.env.custom
+ .github/env
 .github/actions/load-env
 # --------------------------------------------------------------------
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 92786eb..b5bd1f3 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -69,8 +69,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
- .github/.env.base
- .github/.env.custom
+ .github/env
 .github/actions/load-env
 # --------------------------------------------------------------------