fix: Skip Homebrew tap upload (token expired) #618
# Continuous-integration workflow.
name: CI

# Triggers: pushes to the long-lived branches, and pull requests that target
# those branches or any feature/** branch.
on:
  push:
    branches:
      - main
      - develop
  pull_request:
    branches:
      - main
      - develop
      - 'feature/**'

# One concurrency group per workflow and ref. A newer run cancels an
# in-flight one only for pull_request events; push runs are left to finish.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Workflow-wide default for the job token: read-only access to repository
# contents. A job that needs more has to declare its own permissions block.
permissions:
  contents: read
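# Job graph: lint, test, golden, review-tests, tidycheck and security run in
# parallel; build waits for all of them except golden; pr-review waits for
# build and runs only on pull_request events.
jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20  # v9
        with:
          # NOTE(review): the action is pinned by commit SHA, but the linter it
          # fetches is not; `latest` can change between runs. Consider a fixed
          # linter version so results are reproducible.
          version: latest
          args: --timeout=5m

  test:
    name: Test
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Install scip-go
        # NOTE(review): `@latest` is resolved at run time, unlike the
        # SHA-pinned actions in this file. Pinning a tagged version would keep
        # the tool under the same change control as the rest of the pipeline.
        run: go install github.com/sourcegraph/scip-go/cmd/scip-go@latest
      - name: Run tests
        run: go test -v -race ./...

  golden:
    name: Golden Tests
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Run golden tests
        run: go test ./internal/query/... -run TestGolden -v
      - name: Verify goldens are committed
        # Regenerate the golden files and fail if that changes anything under
        # the committed expected/ directories.
        run: |
          go test ./internal/query/... -run TestGolden -update
          if ! git diff --exit-code testdata/fixtures/*/expected/; then
            echo "::error::Golden files are out of date! Run: go test ./internal/query/... -run TestGolden -update"
            git diff testdata/fixtures/*/expected/
            exit 1
          fi

  review-tests:
    name: Review Engine Tests
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Run review engine tests
        run: go test -v -race ./internal/query/... -run "TestReview|TestHealth|TestBaseline|TestFingerprint|TestSave|TestList|TestLoad|TestCompare|TestCheckTraceability|TestCheckIndependence|TestClassify|TestEstimate|TestSuggest|TestBFS|TestIsConfig|TestDefault|TestDetect|TestMatch|TestCalculate|TestDetermine|TestSort|TestContainsSource|TestCodeHealth|TestCountLines|TestComplexity|TestFileSize"
      - name: Run format tests
        run: go test -v ./cmd/ckb/... -run "TestFormatSARIF|TestFormatCodeClimate|TestFormatGitHubActions|TestFormatHuman_|TestFormatMarkdown|TestFormatCompliance"
      - name: Run review golden tests
        run: go test -v ./cmd/ckb/... -run "TestGolden"
      - name: Verify review goldens are committed
        # Same check as the golden job, for the review output fixtures.
        run: |
          go test ./cmd/ckb/... -run TestGolden -update-golden
          if ! git diff --exit-code testdata/review/; then
            echo "::error::Review golden files are out of date! Run: go test ./cmd/ckb/... -run TestGolden -update-golden"
            git diff testdata/review/
            exit 1
          fi

  tidycheck:
    name: Go Mod Tidy
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Check go mod tidy
        # Fails when `go mod tidy` would modify go.mod or go.sum, i.e. when the
        # committed dependency manifest does not match what the code imports.
        run: |
          go mod tidy
          if ! git diff --quiet go.mod go.sum; then
            echo "::error::go.mod or go.sum not tidy. Run 'go mod tidy' and commit."
            git diff go.mod go.sum
            exit 1
          fi

  security:
    name: Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Run govulncheck
        # NOTE(review): the scanner itself is installed at `@latest`. That keeps
        # it current, but it is the one unpinned tool in the security gate;
        # decide deliberately between freshness and reproducibility.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # 0.35.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          # Only HIGH and CRITICAL findings are reported, and any such finding
          # fails the job (exit-code 1).
          severity: 'HIGH,CRITICAL'
          exit-code: '1'

  build:
    name: Build
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # NOTE(review): `golden` is not listed here, so a failing golden job does
    # not block the build or the artifact upload. Confirm that is intended.
    needs: [lint, test, review-tests, tidycheck, security]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Build binary
        run: go build -ldflags="-s -w" -o ckb ./cmd/ckb
      - name: Verify binary
        run: ./ckb version
      - name: Upload binary
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
        with:
          name: ckb-linux-amd64
          path: ckb
          retention-days: 7

  pr-review:
    name: PR Review
    # always(): run even when build failed or was skipped; the fallback build
    # steps below cover the missing artifact in that case.
    if: always() && github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    needs: [build]
    # This job widens the workflow default so it can write the PR comment.
    # NOTE(review): for pull requests from forks GitHub issues a read-only
    # token by default regardless of this block, so "Post PR comment" would be
    # expected to fail there; confirm how fork PRs should be handled.
    permissions:
      contents: read
      pull-requests: write
    steps:
      # NOTE(review): this job runs a ckb binary built from the pull request's
      # own code while holding a token with pull-requests: write. checkout
      # keeps that token in the local git config unless persist-credentials is
      # set to false; consider disabling it if ckb does not need to fetch.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
        with:
          # Full history, presumably so the review can diff against the base
          # branch.
          fetch-depth: 0
      - name: Download CKB binary
        id: download
        # A missing artifact must not fail the job; the outcome is checked by
        # the fallback steps.
        continue-on-error: true
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          name: ckb-linux-amd64
      - name: Build CKB (fallback)
        if: steps.download.outcome == 'failure'
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417  # v6
        with:
          go-version-file: 'go.mod'
          cache: true
      - name: Build CKB binary (fallback)
        if: steps.download.outcome == 'failure'
        run: go build -ldflags="-s -w" -o ckb ./cmd/ckb
      - name: Install CKB
        run: chmod +x ckb && sudo mv ckb /usr/local/bin/
      - name: Initialize and index
        run: |
          ckb init
          ckb index 2>/dev/null || echo "Indexing skipped (no supported indexer)"
      - name: Run review
        id: review
        env:
          # Passed through the environment rather than interpolated into the
          # script, so the ref name is never parsed as shell.
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          set +e
          # Capture stdout only. Diagnostics on stderr stay in the job log and
          # can no longer end up inside review.json and break the jq parsing.
          ckb review --ci --base="${BASE_REF}" --format=json > review.json
          EXIT_CODE=$?
          set -e
          # Keep each value to a single line so report content cannot add
          # extra name=value lines to GITHUB_OUTPUT, and fall back to fixed
          # defaults when review.json is empty or not valid JSON.
          VERDICT=$(jq -r '.verdict // "unknown"' review.json 2>/dev/null | head -n 1 || true)
          SCORE=$(jq -r '.score // 0' review.json 2>/dev/null | head -n 1 || true)
          FINDINGS=$(jq -r '.findings | length // 0' review.json 2>/dev/null | head -n 1 || true)
          {
            echo "verdict=${VERDICT:-unknown}"
            echo "score=${SCORE:-0}"
            echo "findings=${FINDINGS:-0}"
            echo "exit_code=${EXIT_CODE}"
          } >> "$GITHUB_OUTPUT"
      - name: GitHub Actions annotations
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        # Best effort: annotation failures are deliberately ignored.
        run: ckb review --base="${BASE_REF}" --format=github-actions 2>/dev/null || true
      - name: Post PR comment
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          MARKER="<!-- ckb-review-marker -->"
          MARKDOWN=$(ckb review --base="${BASE_REF}" --format=markdown 2>/dev/null || echo "CKB review failed to generate output.")
          # Later runs locate the comment by this marker. The fallback text
          # above does not contain it, so append it whenever it is missing;
          # otherwise one failed run would orphan the comment and every
          # following run would post a new one.
          case "${MARKDOWN}" in
            *"${MARKER}"*) ;;
            *) MARKDOWN=$(printf '%s\n\n%s' "${MARKDOWN}" "${MARKER}") ;;
          esac
          # --paginate: without it only the first page of comments is
          # searched, and on a busy PR the existing comment would be missed.
          COMMENT_ID=$(gh api --paginate \
            "repos/${GH_REPO}/issues/${PR_NUMBER}/comments" \
            --jq ".[] | select(.body | contains(\"${MARKER}\")) | .id" \
            2>/dev/null | head -1)
          if [ -n "${COMMENT_ID}" ]; then
            # Update the existing review comment in place.
            gh api \
              "repos/${GH_REPO}/issues/comments/${COMMENT_ID}" \
              -X PATCH \
              -f body="${MARKDOWN}"
          else
            gh api \
              "repos/${GH_REPO}/issues/${PR_NUMBER}/comments" \
              -f body="${MARKDOWN}"
          fi
      - name: Summary
        env:
          VERDICT: ${{ steps.review.outputs.verdict }}
          SCORE: ${{ steps.review.outputs.score }}
          FINDINGS: ${{ steps.review.outputs.findings }}
        run: |
          echo "### CKB Review" >> "$GITHUB_STEP_SUMMARY"
          echo "| Metric | Value |" >> "$GITHUB_STEP_SUMMARY"
          echo "|--------|-------|" >> "$GITHUB_STEP_SUMMARY"
          echo "| Verdict | ${VERDICT} |" >> "$GITHUB_STEP_SUMMARY"
          echo "| Findings | ${FINDINGS} |" >> "$GITHUB_STEP_SUMMARY"
      - name: Fail on review verdict
        env:
          REVIEW_EXIT_CODE: ${{ steps.review.outputs.exit_code }}
          SCORE: ${{ steps.review.outputs.score }}
        # NOTE(review): only exit code 1 fails the job. Any other non-zero
        # code from `ckb review --ci` (for example a crash) passes this gate;
        # confirm which codes ckb uses and whether the gate should fail closed.
        run: |
          if [ "${REVIEW_EXIT_CODE}" = "1" ]; then
            echo "::error::CKB review failed (score: ${SCORE})"
            exit 1
          fi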