@@ -2,9 +2,13 @@ name: CI
22
33on :
44 push :
5- branches : [main, master ]
5+ branches : [main]
66 pull_request :
7- branches : [main, master]
7+ branches : [main]
8+
9+ permissions :
10+ contents : read
11+ security-events : write
812
913jobs :
1014 test :
1923 uses : actions/checkout@v4
2024
2125 - name : Set up Go
22- uses : actions/setup-go@v5
26+ uses : actions/setup-go@v6
2327 with :
2428 go-version : ${{ matrix.go }}
2529
2933 path : |
3034 ~/.cache/go-build
3135 ~/go/pkg/mod
32- key : ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
36+ key : ${{ runner.os }}-go-${{ hashFiles('**/go.sum', '**/go.mod' ) }}
3337 restore-keys : |
3438 ${{ runner.os }}-go-
3539
4448 run : go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...
4549
4650 - name : Upload coverage to Codecov
51+ if : matrix.os == 'ubuntu-latest'
4752 uses : codecov/codecov-action@v5
4853 with :
4954 token : ${{ secrets.CODECOV_TOKEN }}
6974 build :
7075 name : Build
7176 runs-on : ${{ matrix.os }}
77+ needs : [test, lint, security]
7278 strategy :
7379 matrix :
7480 os : [ubuntu-latest, macos-latest, windows-latest]
@@ -103,12 +109,18 @@ jobs:
103109 with :
104110 go-version : " 1.25"
105111
106- - name : Run Gosec Security Scanner
107- uses : securego/gosec @master
112+ - name : Run Trivy vulnerability scanner
113+ uses : aquasecurity/trivy-action @master
108114 with :
109- args : " -no-fail -fmt sarif -out results.sarif ./..."
110-
111- - name : Upload SARIF file
115+ scan-type : " fs"
116+ scan-ref : " ."
117+ format : " sarif"
118+ output : " trivy-results.sarif"
119+ severity : " CRITICAL,HIGH,MEDIUM"
120+ exit-code : " 1"
121+
122+ - name : Upload Trivy results to GitHub Security tab
112123 uses : github/codeql-action/upload-sarif@v4
124+ if : always()
113125 with :
114- sarif_file : results.sarif
126+ sarif_file : " trivy- results.sarif"
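Review bot: `uses: aquasecurity/trivy-action@master` at new line 113 pins the scanner to a mutable branch, so whatever that branch holds on a given day runs under the workflow-level `security-events: write` grant added in the first hunk; the replaced `securego/gosec@master` had the same weakness, so the commit carries it forward rather than fixing it. Pin third-party actions to a full commit SHA with the release as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha-placeholder> # <release-tag-placeholder>`, and let Dependabot or Renovate move the pin; the same applies to `codecov/codecov-action@v5` and the other floating version tags visible in the earlier hunks. The `if: always()` on the upload step is the right companion to `exit-code: "1"`, since a failing scan would otherwise skip the SARIF upload. The enclosing job starts outside this hunk.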