kafka-attic/.github/workflows/ci.yml at c1f4768e150e56003ec80a466e29084106c925f1 · sderosiaux/kafka-attic · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: CI

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    name: Test (ubuntu-latest)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: true

      - name: go vet
        run: go vet ./...

      - name: go build
        run: go build -trimpath ./...

      - name: go test
        run: go test ./... -race -count=1 -coverprofile=coverage.out -covermode=atomic -coverpkg=./...

      - name: Upload coverage
        uses: actions/upload-artifact@v7
        with:
          name: coverage
          path: coverage.out

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: true

      - name: golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
          version: latest

  mod-hygiene:
    name: Module hygiene
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: true

      - name: go mod tidy is clean
        run: |
          go mod tidy
          if ! git diff --exit-code -- go.mod go.sum; then
            echo "::error::go mod tidy produced changes; run it locally and commit"
            exit 1
          fi

      - name: go mod verify
        run: go mod verify

  vuln:
    name: Vulnerability scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: true

      - name: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-input: stable
          repo-checkout: false

  readonly:
    name: Read-only invariant
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Assert no producer code in non-test paths
        run: |
          if grep -RIn 'kgo.NewProducer\|\.ProduceSync(\|\.Produce(' --include="*.go" . | \
            grep -v _test.go | \
            grep -v 'ErrProduceForbidden\|LastProduceTs\|formatLastProduced\|lastProducedLabel\|MessageTimestampType\|callers must never invoke Produce\|LastProducedLabel\|//.*Produce'; then
            echo "::error::READ-ONLY INVARIANT VIOLATED: producer call detected in non-test code"
            exit 1
          fi
          echo "Read-only invariant intact."

  integration:
    name: Integration
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: true

      - name: Integration tests
        run: go test ./... -tags=integration -count=1 -timeout=15m