ci: GitHub Actions workflows (CI, release, CodeQL) + Dependabot

devituz · devituz · commit 5d1cfa782e79 · 2026-05-30T18:37:10.000+05:00
CI workflow (.github/workflows/ci.yml):
- Test matrix: ubuntu-latest + macos-latest, Go 1.25
- Builds and tests core module + adapters/gin separately
- -race -count=1 for both
- Lint job: gofmt check, go vet (core + adapter), staticcheck
- Bench sanity: -benchtime=1x to verify benchmarks still compile
- Per-branch concurrency cancellation (no queue buildup on rapid pushes)

Release workflow (.github/workflows/release.yml):
- Triggers on `v*.*.*` semver tags (skips adapters/gin/v* — those are
  pure Go-module markers, no binary)
- Cross-platform matrix: linux-amd64, darwin-amd64, darwin-arm64,
  windows-amd64. Each builds on native runner so CGO + sqlite3 just work
- Outputs lago + artisan binaries with version baked via -ldflags
- Aggregates artifacts → SHA-256 checksums → softprops/action-gh-release
- Warms the Go module proxy after release so `go get @latest` resolves
  the new tag immediately

CodeQL (.github/workflows/codeql.yml):
- Runs on push/PR + weekly Monday cron — catches dependency CVEs
- security-and-quality query set, Go autobuild
- Posts findings to GitHub Security tab

Dependabot (.github/dependabot.yml):
- Weekly Go module updates for / and /adapters/gin (grouped PRs)
- Monthly GitHub Actions updates
- Asia/Tashkent timezone for PR opening
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,46 @@
+version: 2
+
+updates:
+  # Core Go module
+  - package-ecosystem: gomod
+    directory: '/'
+    schedule:
+      interval: weekly
+      day: monday
+      time: '08:00'
+      timezone: Asia/Tashkent
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: 'chore(deps)'
+      include: scope
+    groups:
+      go-deps:
+        patterns: ['*']
+
+  # adapters/gin sub-module
+  - package-ecosystem: gomod
+    directory: '/adapters/gin'
+    schedule:
+      interval: weekly
+      day: monday
+      time: '08:00'
+      timezone: Asia/Tashkent
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: 'chore(deps/gin)'
+      include: scope
+    groups:
+      gin-deps:
+        patterns: ['*']
+
+  # GitHub Actions themselves
+  - package-ecosystem: github-actions
+    directory: '/'
+    schedule:
+      interval: monthly
+      day: monday
+      time: '08:00'
+      timezone: Asia/Tashkent
+    commit-message:
+      prefix: 'chore(ci)'
+      include: scope
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,92 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+# Cancel superseded runs from the same PR/branch so the queue stays short.
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: Test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+          cache: true
+
+      - name: Build (core)
+        run: go build ./...
+
+      - name: Test (core)
+        run: go test -race -count=1 -timeout 5m ./...
+
+      - name: Build (adapters/gin)
+        working-directory: adapters/gin
+        run: go build ./...
+
+      - name: Test (adapters/gin)
+        working-directory: adapters/gin
+        run: go test -race -count=1 -timeout 5m ./...
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+          cache: true
+
+      - name: gofmt
+        run: |
+          out=$(gofmt -l . 2>&1)
+          if [ -n "$out" ]; then
+            echo "::error::gofmt found unformatted files:"
+            echo "$out"
+            exit 1
+          fi
+
+      - name: go vet (core)
+        run: go vet ./...
+
+      - name: go vet (adapters/gin)
+        working-directory: adapters/gin
+        run: go vet ./...
+
+      - name: staticcheck
+        uses: dominikh/staticcheck-action@v1
+        with:
+          version: latest
+          install-go: false
+
+  bench-sanity:
+    name: Benchmarks compile
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+          cache: true
+
+      # `-run=^$` skips tests; `-benchtime=1x` runs each bench exactly once.
+      # We only want to confirm benchmarks still compile and execute, not
+      # measure them — the timing matrix lives elsewhere.
+      - name: Bench dry-run
+        run: go test -run=^$ -bench=. -benchtime=1x ./benchmarks/...
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,43 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly run on Monday at 04:00 UTC — catches CVEs in dependencies
+    # even when no code lands.
+    - cron: '0 4 * * 1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (Go)
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+          cache: true
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:go'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,98 @@
+name: Release
+
+on:
+  push:
+    tags:
+      # Trigger only on root-module semver tags. The `adapters/gin/v*` tags
+      # are pure Go-module markers — they don't produce binaries.
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-*'
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build (${{ matrix.target.label }})
+    runs-on: ${{ matrix.target.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - { os: ubuntu-latest,  label: linux-amd64,  goos: linux,   goarch: amd64, ext: '' }
+          - { os: macos-13,       label: darwin-amd64, goos: darwin,  goarch: amd64, ext: '' }
+          - { os: macos-latest,   label: darwin-arm64, goos: darwin,  goarch: arm64, ext: '' }
+          - { os: windows-latest, label: windows-amd64, goos: windows, goarch: amd64, ext: '.exe' }
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.25'
+          cache: true
+
+      # mattn/go-sqlite3 needs CGO. We build on the native runner for each
+      # target so the C toolchain is already present — no cross-compile
+      # gymnastics required.
+      - name: Build lago + artisan
+        shell: bash
+        env:
+          CGO_ENABLED: '1'
+          GOOS:   ${{ matrix.target.goos }}
+          GOARCH: ${{ matrix.target.goarch }}
+        run: |
+          mkdir -p dist
+          VERSION="${GITHUB_REF_NAME}"
+          LDFLAGS="-s -w -X main.version=${VERSION}"
+
+          go build -ldflags="${LDFLAGS}" -o "dist/lago-${{ matrix.target.label }}${{ matrix.target.ext }}"    ./cmd/lago
+          go build -ldflags="${LDFLAGS}" -o "dist/artisan-${{ matrix.target.label }}${{ matrix.target.ext }}" ./cmd/artisan
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: binaries-${{ matrix.target.label }}
+          path: dist/*
+          if-no-files-found: error
+          retention-days: 7
+
+  release:
+    name: Publish release
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/download-artifact@v4
+        with:
+          path: dist
+          pattern: binaries-*
+          merge-multiple: true
+
+      - name: Generate SHA-256 checksums
+        run: |
+          cd dist
+          shasum -a 256 * > SHA256SUMS
+
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/lago-*
+            dist/artisan-*
+            dist/SHA256SUMS
+          generate_release_notes: true
+          fail_on_unmatched_files: true
+
+  # Notifies the Go module proxy to fetch the new version so `go get @latest`
+  # resolves it without waiting for the periodic refresh.
+  warm-proxy:
+    name: Warm Go proxy
+    runs-on: ubuntu-latest
+    needs: [release]
+    steps:
+      - name: Trigger pkg.go.dev fetch
+        run: |
+          VERSION="${GITHUB_REF_NAME}"
+          curl -fsSL "https://proxy.golang.org/github.com/devituz/lagodev/@v/${VERSION}.info" || true
+          curl -fsSL "https://proxy.golang.org/github.com/devituz/lagodev/adapters/gin/@v/${VERSION}.info" || true
