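# Pull-request checks for branches targeting main: unit tests and lint on
# Linux and Windows, a DCO sign-off check, and a report-only coverage summary.
#
# NOTE(review): every `uses:` below references an action by a mutable tag.
# Pinning each one to a full-length commit SHA (with the tag kept as a
# trailing comment) stops a re-pointed tag from changing what runs here.
name: PR Checks

on:
  pull_request:
    branches:
      - main

# Least privilege: no job in this workflow pushes, comments or otherwise
# writes through GITHUB_TOKEN, so the token is restricted to reading the
# repository instead of inheriting the repository/organisation default.
permissions:
  contents: read

jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # `go test` executes code from the pull request; do not leave the
          # job token configured in the checkout for it to read.
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
      - name: Run tests
        run: go test ./...

  lint:
    # Run golangci-lint on the same OS matrix as test:. The Windows
    # runner is essential — secureperm_windows.go is build-tagged
    # (//go:build windows) and never gets evaluated on a Linux/macOS
    # host. Without a Windows lint pass, build-tagged files diverge
    # from the rest of the tree silently.
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v7
        with:
          version: v2.12.2
          args: --timeout=10m

  dco:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full history is needed so the base..head range can be walked.
          fetch-depth: 0
          persist-credentials: false
      - name: Check DCO sign-off
        # Event data is handed to the script through the environment rather
        # than expanded into the script text, so the shell only ever sees it
        # as data.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Resolve the commit list before looping. Run steps use `bash -e`
          # by default, so a failing rev-list aborts the step here; feeding
          # the loop from a process substitution would hide that failure
          # and let the check pass with nothing inspected.
          COMMITS="$(git rev-list "${BASE_SHA}..${HEAD_SHA}")"
          UNSIGNED=""
          while read -r sha; do
            # An empty range still yields one blank line from the here-string.
            [ -n "$sha" ] || continue
            if ! git log --format='%B' -n 1 "$sha" | grep -q "^Signed-off-by: "; then
              UNSIGNED="${UNSIGNED}${sha}\n"
            fi
          done <<< "$COMMITS"
          if [ -n "$UNSIGNED" ]; then
            echo "::error::The following commits are missing DCO sign-off:"
            echo -e "$UNSIGNED"
            echo "Please sign-off commits with: git commit --signoff"
            exit 1
          fi

  coverage:
    # Report-only coverage summary. Does NOT block merge — the goal is
    # visibility into per-package coverage drift over time. Adding a
    # threshold gate would force every PR to also touch tests, which
    # disincentivises small focused PRs. Reviewers eyeball the
    # numbers; sustained drift gets addressed in dedicated coverage
    # commits.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: stable
      - name: Run tests with coverage
        run: |
          go test ./... -coverprofile=coverage.out -covermode=atomic
      - name: Per-package summary
        run: |
          # Aggregate coverage per Go package so the PR view shows
          # one line per package instead of the per-function default.
          # `go tool cover -func` has no per-package mode; awk
          # collapses by the package portion of the path.
          {
            echo "## Coverage report"
            echo
            echo '```text'
            go tool cover -func=coverage.out | awk '
              /^total:/ { total = $NF; next }
              {
                # path looks like: github.com/cozystack/talm/pkg/engine/engine.go:75:\tfn\t75.0%
                split($1, parts, ":")
                path = parts[1]
                # strip trailing /file.go
                pkg = path
                sub(/\/[^/]+\.go$/, "", pkg)
                # strip module prefix for compactness
                sub(/^github\.com\/cozystack\/talm\//, "", pkg)
                pct = $NF
                sub(/%/, "", pct)
                sum[pkg] += pct
                cnt[pkg] += 1
              }
              END {
                for (pkg in sum) {
                  printf "%-50s %5.1f%% (avg of %d funcs)\n", pkg, sum[pkg]/cnt[pkg], cnt[pkg]
                }
                if (total != "") printf "\n%-50s %s (overall)\n", "TOTAL", total
              }
            ' | sort
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"
      - name: Upload coverage artifact
        uses: actions/upload-artifact@v4
        with:
          name: coverage-profile
          path: coverage.out
          retention-days: 14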