
feat(apply): apply-time safety gates — declared-resource existence + drift preview/verify #168


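name: PR Checks

on:
  pull_request:
    branches:
      - main

# Least-privilege GITHUB_TOKEN for every job below. Nothing in this
# workflow writes back to the repository: checkout needs contents:read,
# golangci-lint-action's default mode needs no extra scope, and the step
# summary / artifact upload do not use the token at all. pull_request runs
# from forks already get a read-only token; this makes the same bound
# explicit for same-repo PRs.
permissions:
  contents: read

# Every `uses:` below is pinned to a major-version tag. Pinning to a full
# commit SHA (with the tag in a trailing comment) is the stronger
# supply-chain control; consider it when these references are next bumped.
jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
      - name: Run tests
        run: go test ./...

  lint:
    # Run golangci-lint on the same OS matrix as test:. The Windows
    # runner is essential — secureperm_windows.go is build-tagged
    # (//go:build windows) and never gets evaluated on a Linux/macOS
    # host. Without a Windows lint pass, build-tagged files diverge
    # from the rest of the tree silently.
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v7
        with:
          version: v2.12.2
          args: --timeout=10m

  dco:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full history: the sign-off check walks every commit in the
          # base..head range, which a shallow clone cannot enumerate.
          fetch-depth: 0
      - name: Check DCO sign-off
        # Event data reaches the script through env vars instead of being
        # interpolated with ${{ }} into the script body. The values are hex
        # SHAs today, but routing them via env keeps the step safe should
        # the inputs ever change to free-form event fields.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          UNSIGNED=""
          # One commit per line; a commit counts as signed when its message
          # body carries a Signed-off-by trailer at line start.
          while read -r sha; do
            if ! git log --format='%B' -n 1 "$sha" | grep -q "^Signed-off-by: "; then
              UNSIGNED="${UNSIGNED}${sha}\n"
            fi
          done < <(git rev-list "${BASE_SHA}..${HEAD_SHA}")
          if [ -n "$UNSIGNED" ]; then
            echo "::error::The following commits are missing DCO sign-off:"
            echo -e "$UNSIGNED"
            echo "Please sign-off commits with: git commit --signoff"
            exit 1
          fi

  coverage:
    # Report-only coverage summary. Does NOT block merge — the goal is
    # visibility into per-package coverage drift over time. Adding a
    # threshold gate would force every PR to also touch tests, which
    # disincentivises small focused PRs. Reviewers eyeball the
    # numbers; sustained drift gets addressed in dedicated coverage
    # commits.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
      - name: Run tests with coverage
        run: |
          go test ./... -coverprofile=coverage.out -covermode=atomic
      - name: Per-package summary
        run: |
          # Aggregate coverage per Go package so the PR view shows
          # one line per package instead of the per-function default.
          # `go tool cover -func` has no per-package mode; awk
          # collapses by the package portion of the path.
          # The per-package figure is an unweighted mean of the
          # per-function percentages, not a line-weighted total.
          {
            echo "## Coverage report"
            echo
            echo '```text'
            go tool cover -func=coverage.out | awk '
              /^total:/ { total = $NF; next }
              {
                # path looks like: github.com/cozystack/talm/pkg/engine/engine.go:75:\tfn\t75.0%
                split($1, parts, ":")
                path = parts[1]
                # strip trailing /file.go
                pkg = path
                sub(/\/[^/]+\.go$/, "", pkg)
                # strip module prefix for compactness
                sub(/^github\.com\/cozystack\/talm\//, "", pkg)
                pct = $NF
                sub(/%/, "", pct)
                sum[pkg] += pct
                cnt[pkg] += 1
              }
              END {
                for (pkg in sum) {
                  printf "%-50s %5.1f%% (avg of %d funcs)\n", pkg, sum[pkg]/cnt[pkg], cnt[pkg]
                }
                if (total != "") printf "\n%-50s %s (overall)\n", "TOTAL", total
              }
            ' | sort
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"
      - name: Upload coverage artifact
        uses: actions/upload-artifact@v4
        with:
          name: coverage-profile
          path: coverage.out
          retention-days: 14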