gin-gonic/gin

4 workflows · maturity 67% · 3 patterns

Security 35.42/100

Practices

✓ Matrix
✓ Permissions
✓ Security scan
○ AI review
✓ Cache
○ Concurrency
○ Reusable workflows

Detected patterns

Security dimensions

permissions: 18.8
security scan: 16.7
supply chain: 0
secret handling: 0
harden runner: 0

Tools: aquasecurity/trivy-action, github/codeql-action/analyze, github/codeql-action/init, github/codeql-action/upload-sarif

Workflows (4)

codeql [matrix, security]: .github/workflows/codeql.yml
Triggers: push, pull_request, schedule
Runs on: ubuntu-latest
Jobs: analyze
Matrix: language → go
Actions: github/codeql-action/init, github/codeql-action/analyze
Raw YAML:
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "CodeQL"

on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
  schedule:
    - cron: "0 17 * * 5"

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    permissions:
      # required for all workflows
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        # Override automatic language detection by changing the below list
        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
        # TODO: Enable for javascript later
        language: ["go"]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
          # queries: ./path/to/local/query, your-org/your-repo/queries@main

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4

gin [matrix, perms]: .github/workflows/gin.yml
Triggers: push, pull_request
Runs on: ubuntu-latest, ${{ matrix.os }}
Jobs: lint, test
Matrix:
  os → ubuntu-latest, macos-latest
  go → 1.25, 1.26
  test-tags → "", -tags nomsgpack, --ldflags="-checklinkname=0" -tags sonic, -tags go_json, -race
  include → os: ubuntu-latest, go-build: ~/.cache/go-build; os: macos-latest, go-build: ~/Library/Caches/go-build
Actions: golangci/golangci-lint-action, codecov/codecov-action
Commands:
  • make test
Raw YAML:
name: Run Tests

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "^1"
      - name: Setup golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
          version: v2.11
          args: --verbose
  test:
    needs: lint
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
        go: ["1.25", "1.26"]
        test-tags:
          [
            "",
            "-tags nomsgpack",
            '--ldflags="-checklinkname=0" -tags sonic',
            "-tags go_json",
            "-race",
          ]
        include:
          - os: ubuntu-latest
            go-build: ~/.cache/go-build
          - os: macos-latest
            go-build: ~/Library/Caches/go-build
    name: ${{ matrix.os }} @ Go ${{ matrix.go }} ${{ matrix.test-tags }}
    runs-on: ${{ matrix.os }}
    env:
      GO111MODULE: on
      TESTTAGS: ${{ matrix.test-tags }}
      GOPROXY: https://proxy.golang.org
    steps:
      - name: Set up Go ${{ matrix.go }}
        uses: actions/setup-go@v6
        with:
          go-version: ${{ matrix.go }}
          cache: false

      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          ref: ${{ github.ref }}

      - uses: actions/cache@v5
        with:
          path: |
            ${{ matrix.go-build }}
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      - name: Run Tests
        run: make test

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v5
        with:
          flags: ${{ matrix.os }},go-${{ matrix.go }},${{ matrix.test-tags }}

goreleaser [perms]: .github/workflows/goreleaser.yml
Triggers: push
Runs on: ubuntu-latest
Jobs: goreleaser
Actions: goreleaser/goreleaser-action
Commands:
  • echo "Triggering Go module reindex at proxy.golang.org"
  • curl -sSf "https://proxy.golang.org/github.com/${GITHUB_REPOSITORY,,}/@v/${GITHUB_REF_NAME}.info"
Raw YAML:
name: Goreleaser

on:
  push:
    tags:
      - "*"

permissions:
  contents: write

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "^1"
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          # either 'goreleaser' (default) or 'goreleaser-pro'
          distribution: goreleaser
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Trigger Go module reindex (pkg.go.dev)
        run: |
          echo "Triggering Go module reindex at proxy.golang.org"
          curl -sSf "https://proxy.golang.org/github.com/${GITHUB_REPOSITORY,,}/@v/${GITHUB_REF_NAME}.info"

trivy-scan [perms, security]: .github/workflows/trivy-scan.yml
Triggers: push, pull_request, schedule, workflow_dispatch
Runs on: ubuntu-latest
Jobs: trivy-scan
Actions: aquasecurity/trivy-action, github/codeql-action/upload-sarif, aquasecurity/trivy-action
Raw YAML:
name: Trivy Security Scan

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  schedule:
    # Run daily at 00:00 UTC
    - cron: "0 0 * * *"
  workflow_dispatch: # Allow manual trigger

permissions:
  contents: read
  security-events: write # Required for uploading SARIF results

jobs:
  trivy-scan:
    name: Trivy Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Run Trivy vulnerability scanner (source code)
        uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: "fs"
          scan-ref: "."
          scanners: "vuln,secret,misconfig"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH,MEDIUM"
          ignore-unfixed: true

      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: "trivy-results.sarif"

      - name: Run Trivy scanner (table output for logs)
        uses: aquasecurity/trivy-action@0.35.0
        if: always()
        with:
          scan-type: "fs"
          scan-ref: "."
          scanners: "vuln,secret,misconfig"
          format: "table"
          severity: "CRITICAL,HIGH,MEDIUM"
          ignore-unfixed: true
          exit-code: "1"