# ------------------------------------------------------------------------------------
# 🏰 GoFortress - Enterprise-grade CI/CD fortress for Go applications
#
# Version: 1.1.0 | Released: 2025-09-15
#
# Built Strong. Tested Harder.
#
# GoFortress transforms your Go development pipeline into an impenetrable fortress
# of quality. Like a medieval fortress with multiple layers of defense, GoFortress
# employs multi-stage verification to ensure your code is battle-tested before deployment.
#
# Your Code's Defense System:
# 🏰 Fortress of Go: Multi-stage CI/CD pipeline for Go applications
# 🛡️ Security Ramparts: Nancy, Govulncheck, Gitleaks guard against threats
# 🏗️ Quality Battlements: Static analysis and comprehensive linting
# ⚔️ Testing Garrison: Multi-OS, multi-version matrices with race detection
# 🎯 Performance Watchtowers: Real-time metrics and cache optimization
# 🚀 Release Citadel: Automated deployments with GoReleaser and GoDocs
#
# Maintainer: @mrz1836
# Repository: https://github.com/mrz1836/go-fortress
#
# Copyright 2025 @mrz1836
# SPDX-License-Identifier: MIT
#
# This file is licensed under the MIT License.
# Attribution is requested if reused: Created by @mrz1836
#
# FORK PR HANDLING:
# This workflow intelligently handles fork PRs by detecting fork status during setup
# and conditionally skipping jobs that require repository secrets. Jobs are categorized:
#
# FORK-SAFE (Always run - no secrets required):
# ✅ setup, test-magex, warm-cache, code-quality, pre-commit, benchmarks, status-check
#
# FORK-UNSAFE (Skipped on fork PRs - require secrets):
# ⛔ security (OSSI_TOKEN, OSSI_USERNAME, GITLEAKS_LICENSE)
# ⛔ test-suite (CODECOV_TOKEN for coverage uploads)
# ⛔ release (already tag-only, but extra safety for forks)
#
# Fork contributors see clear messaging in setup summary explaining which jobs run.
# This provides security without workflow duplication or maintenance overhead.
#
# ------------------------------------------------------------------------------------
name: GoFortress
# --------------------------------------------------------------------
# Trigger Configuration
# --------------------------------------------------------------------
# `on` is a YAML 1.1 boolean literal; GitHub's loader reads it as the key
# it means, so only the linter needs to be told to ignore it here.
# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - master # (Default) Main branch for production
      - main # (Secondary) Main branch for production
    tags:
      - "v*" # Tags starting with 'v' (e.g., v1.0.0) trigger the workflow
  pull_request:
    branches:
      - "**" # All branches for PRs
# Security: Restrictive default permissions with job-level overrides for least privilege access.
# This block governs GITHUB_TOKEN only; a PAT supplied as GH_PAT_TOKEN (see the
# `secrets:` mappings below) carries whatever scopes it was created with.
permissions:
  contents: read
# --------------------------------------------------------------------
# Concurrency Control
# --------------------------------------------------------------------
# One run per workflow+ref. Superseded runs are cancelled, except for tag
# builds: a release in progress must not be interrupted by a newer push.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/') }}
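jobs:
  # ----------------------------------------------------------------------------------
  # Load Environment Variables and Setup Configuration
  # ----------------------------------------------------------------------------------
  load-env:
    name: 🌍 Load Environment Variables
    runs-on: ubuntu-24.04
    permissions:
      contents: read # Read repository content for environment config
    outputs:
      env-json: ${{ steps.load-env.outputs.env-json }}
      primary-runner: ${{ steps.load-env.outputs.primary-runner }}
      base-file-found: ${{ steps.load-env.outputs.base-file-found }}
      custom-file-found: ${{ steps.load-env.outputs.custom-file-found }}
      base-var-count: ${{ steps.load-env.outputs.base-var-count }}
      custom-var-count: ${{ steps.load-env.outputs.custom-var-count }}
      config-mode: ${{ steps.load-env.outputs.config-mode }}
    steps:
      # --------------------------------------------------------------------
      # Check out code to access env file
      # --------------------------------------------------------------------
      # Sparse checkout: only the env files and the local action are fetched.
      # The action is pinned to a full commit SHA (tag shown for reference) so a
      # moved or re-pointed tag cannot change what runs here.
      - name: 📥 Checkout code (sparse)
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          sparse-checkout: |
            .github/.env.base
            .github/.env.custom
            .github/actions/load-env
      # --------------------------------------------------------------------
      # Load and parse environment file
      # --------------------------------------------------------------------
      - name: 🌍 Load environment variables
        uses: ./.github/actions/load-env
        id: load-env
  # ----------------------------------------------------------------------------------
  # Setup Configuration Workflow
  # ----------------------------------------------------------------------------------
  setup:
    name: 🔧 Setup Configuration
    needs: [load-env]
    permissions:
      contents: read # Read repository content for setup configuration
    uses: ./.github/workflows/fortress-setup-config.yml
    with:
      env-json: ${{ needs.load-env.outputs.env-json }}
      primary-runner: ${{ needs.load-env.outputs.primary-runner }}
      base-file-found: ${{ needs.load-env.outputs.base-file-found }}
      custom-file-found: ${{ needs.load-env.outputs.custom-file-found }}
      base-var-count: ${{ needs.load-env.outputs.base-var-count }}
      custom-var-count: ${{ needs.load-env.outputs.custom-var-count }}
      config-mode: ${{ needs.load-env.outputs.config-mode }}
    secrets:
      # Prefer the PAT when one is configured, otherwise fall back to the
      # job-scoped GITHUB_TOKEN. Note the PAT is not limited by the job's
      # `permissions:` block above.
      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
  # ----------------------------------------------------------------------------------
  # Test MAGE-X
  # ----------------------------------------------------------------------------------
  test-magex:
    name: 🪄 Verify & Test MAGE-X
    needs: [load-env, setup]
    permissions:
      contents: read # Read repository content for magex testing
    uses: ./.github/workflows/fortress-test-magex.yml
    with:
      env-json: ${{ needs.load-env.outputs.env-json }}
      primary-runner: ${{ needs.setup.outputs.primary-runner }}
  # ----------------------------------------------------------------------------------
  # Warm Go Caches (FORK-SAFE: No secrets required)
  # ----------------------------------------------------------------------------------
  # Every job below requires this one to be 'success' or 'skipped', so when cache
  # warming is enabled a failure here skips the whole verification stage.
  warm-cache:
    name: 💾 Warm Cache
    needs: [load-env, setup, test-magex]
    if: needs.setup.outputs.cache-warming-enabled == 'true'
    permissions:
      contents: read # Read repository content for cache warming
    uses: ./.github/workflows/fortress-warm-cache.yml
    with:
      env-json: ${{ needs.load-env.outputs.env-json }}
      warm-cache-matrix: ${{ needs.setup.outputs.warm-cache-matrix }}
      go-primary-version: ${{ needs.setup.outputs.go-primary-version }}
      go-secondary-version: ${{ needs.setup.outputs.go-secondary-version }}
      redis-enabled: ${{ needs.setup.outputs.redis-enabled }}
      redis-version: ${{ needs.setup.outputs.redis-version }}
      redis-cache-force-pull: ${{ needs.setup.outputs.redis-cache-force-pull }}
      go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
  # ----------------------------------------------------------------------------------
  # Security Scans (FORK-UNSAFE: Requires secrets - skipped on fork PRs)
  # ----------------------------------------------------------------------------------
  security:
    name: 🔒 Security Scans
    needs: [load-env, setup, test-magex, warm-cache]
    # !cancelled() instead of always(): a cancelled run must not start new scans.
    # The is-fork-pr gate keeps the secrets below away from fork-originated PRs.
    if: |
      !cancelled() &&
      needs.setup.result == 'success' &&
      needs.test-magex.result == 'success' &&
      (needs.warm-cache.result == 'success' || needs.warm-cache.result == 'skipped') &&
      needs.setup.outputs.security-scans-enabled == 'true' &&
      needs.setup.outputs.is-fork-pr != 'true'
    permissions:
      contents: read # Read repository content for security scanning
    uses: ./.github/workflows/fortress-security-scans.yml
    with:
      env-json: ${{ needs.load-env.outputs.env-json }}
      enable-nancy: ${{ needs.setup.outputs.nancy-enabled == 'true' }}
      enable-govulncheck: ${{ needs.setup.outputs.govulncheck-enabled == 'true' }}
      enable-gitleaks: ${{ needs.setup.outputs.gitleaks-enabled == 'true' }}
      go-primary-version: ${{ needs.setup.outputs.go-primary-version }}
      primary-runner: ${{ needs.setup.outputs.primary-runner }}
      go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
    secrets:
      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
      gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}
      ossi-token: ${{ secrets.OSSI_TOKEN }}
      ossi-username: ${{ secrets.OSSI_USERNAME }}
  # ----------------------------------------------------------------------------------
  # Code Quality Checks (FORK-SAFE: No secrets required)
  # ----------------------------------------------------------------------------------
  code-quality:
    name: 📊 Code Quality
    needs: [load-env, setup, test-magex, warm-cache]
    if: |
      !cancelled() &&
      needs.setup.result == 'success' &&
      needs.test-magex.result == 'success' &&
      (needs.warm-cache.result == 'success' || needs.warm-cache.result == 'skipped')
    permissions:
      contents: read # Read repository content for code quality checks
    uses: ./.github/workflows/fortress-code-quality.yml
    with:
      env-json: ${{ needs.load-env.outputs.env-json }}
      go-primary-version: ${{ needs.setup.outputs.go-primary-version }}
      go-lint-enabled: ${{ needs.setup.outputs.go-lint-enabled }}
      yaml-lint-enabled: ${{ needs.setup.outputs.yaml-lint-enabled }}
      primary-runner: ${{ needs.setup.outputs.primary-runner }}
      static-analysis-enabled: ${{ needs.setup.outputs.static-analysis-enabled }}
      go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
    secrets:
      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
  # ----------------------------------------------------------------------------------
  # Pre-commit Checks (FORK-SAFE: No secrets required)
  # ----------------------------------------------------------------------------------
  pre-commit:
    name: 🪝 Pre-commit Checks
    needs: [load-env, setup, test-magex, warm-cache]
    if: |
      !cancelled() &&
      needs.setup.result == 'success' &&
      needs.test-magex.result == 'success' &&
      (needs.warm-cache.result == 'success' || needs.warm-cache.result == 'skipped') &&
      needs.setup.outputs.pre-commit-enabled == 'true'
    permissions:
      contents: read # Read repository content for pre-commit checks
    uses: ./.github/workflows/fortress-pre-commit.yml
    with:
      env-json: ${{ needs.load-env.outputs.env-json }}
      primary-runner: ${{ needs.setup.outputs.primary-runner }}
      go-primary-version: ${{ needs.setup.outputs.go-primary-version }}
      pre-commit-enabled: ${{ needs.setup.outputs.pre-commit-enabled }}
      go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
  # ----------------------------------------------------------------------------------
  # Test Suite (FORK-UNSAFE: Requires CODECOV_TOKEN for coverage - skipped on fork PRs)
  # ----------------------------------------------------------------------------------
  test-suite:
    name: 🧪 Test Suite
    needs: [load-env, setup, test-magex, warm-cache]
    if: |
      !cancelled() &&
      needs.setup.result == 'success' &&
      needs.test-magex.result == 'success' &&
      (needs.warm-cache.result == 'success' || needs.warm-cache.result == 'skipped') &&
      needs.setup.outputs.is-fork-pr != 'true' &&
      needs.setup.outputs.go-tests-enabled == 'true'
    # Broadest grant in this workflow (contents/pages/id-token write). The
    # is-fork-pr gate in `if:` above is what keeps it off fork PRs.
    permissions:
      contents: write # Write repository content and push to gh-pages branch for test execution
      pull-requests: write # Required: Coverage workflow needs to create PR comments
      pages: write # Required: Coverage workflow needs to deploy to GitHub Pages
      id-token: write # Required: Coverage workflow needs GitHub Pages authentication
      statuses: write # Required: Coverage workflow needs to create commit status checks
      actions: read # Required: Test validation workflow needs to access artifacts
    uses: ./.github/workflows/fortress-test-suite.yml
    with:
      code-coverage-enabled: ${{ needs.setup.outputs.code-coverage-enabled }}
      coverage-provider: ${{ needs.setup.outputs.coverage-provider }}
      env-json: ${{ needs.load-env.outputs.env-json }}
      fuzz-testing-enabled: ${{ needs.setup.outputs.fuzz-testing-enabled }}
      go-tests-enabled: ${{ needs.setup.outputs.go-tests-enabled }}
      go-primary-version: ${{ needs.setup.outputs.go-primary-version }}
      go-secondary-version: ${{ needs.setup.outputs.go-secondary-version }}
      primary-runner: ${{ needs.setup.outputs.primary-runner }}
      race-detection-enabled: ${{ needs.setup.outputs.race-detection-enabled }}
      test-matrix: ${{ needs.setup.outputs.test-matrix }}
      redis-enabled: ${{ needs.setup.outputs.redis-enabled }}
      redis-version: ${{ needs.setup.outputs.redis-version }}
      redis-host: ${{ needs.setup.outputs.redis-host }}
      redis-port: ${{ needs.setup.outputs.redis-port }}
      redis-health-retries: ${{ needs.setup.outputs.redis-health-retries }}
      redis-health-interval: ${{ needs.setup.outputs.redis-health-interval }}
      redis-health-timeout: ${{ needs.setup.outputs.redis-health-timeout }}
      redis-trust-service-health: ${{ needs.setup.outputs.redis-trust-service-health }}
      go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
    secrets:
      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  # ----------------------------------------------------------------------------------
  # Benchmark Suite (FORK-SAFE: No secrets required)
  # ----------------------------------------------------------------------------------
  benchmarks:
    name: 🏃 Benchmarks
    needs: [load-env, setup, test-magex, warm-cache]
    if: |
      !cancelled() &&
      needs.setup.result == 'success' &&
      needs.test-magex.result == 'success' &&
      (needs.warm-cache.result == 'success' || needs.warm-cache.result == 'skipped') &&
      needs.setup.outputs.benchmarks-enabled == 'true'
    permissions:
      contents: read # Read repository content for benchmarking
    uses: ./.github/workflows/fortress-benchmarks.yml
    with:
      env-json: ${{ needs.load-env.outputs.env-json }}
      benchmark-matrix: ${{ needs.setup.outputs.benchmark-matrix }}
      primary-runner: ${{ needs.setup.outputs.primary-runner }}
      go-primary-version: ${{ needs.setup.outputs.go-primary-version }}
      go-secondary-version: ${{ needs.setup.outputs.go-secondary-version }}
      benchmark-timeout: 30 # Only value here not sourced from setup outputs
      redis-enabled: ${{ needs.setup.outputs.redis-enabled }}
      redis-version: ${{ needs.setup.outputs.redis-version }}
      redis-host: ${{ needs.setup.outputs.redis-host }}
      redis-port: ${{ needs.setup.outputs.redis-port }}
      redis-health-retries: ${{ needs.setup.outputs.redis-health-retries }}
      redis-health-interval: ${{ needs.setup.outputs.redis-health-interval }}
      redis-health-timeout: ${{ needs.setup.outputs.redis-health-timeout }}
      redis-trust-service-health: ${{ needs.setup.outputs.redis-trust-service-health }}
      go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
    secrets:
      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
  # ----------------------------------------------------------------------------------
  # Final Status Check
  # ----------------------------------------------------------------------------------
  # This job is the single required check. It must turn red whenever a required
  # job failed, including the case where a required job never ran because an
  # upstream gate (warm-cache) failed and every dependent job was skipped.
  status-check:
    name: 🎯 All Tests Passed
    # always() also fires on cancellation; the fail step below treats 'cancelled'
    # results as failures, so a cancelled run still ends red.
    if: ${{ always() }}
    needs: [setup, test-magex, warm-cache, security, code-quality, pre-commit, test-suite, benchmarks]
    permissions:
      contents: read # Read repository content for status checking
    runs-on: ${{ needs.setup.outputs.primary-runner }}
    steps:
      # --------------------------------------------------------------------
      # Build a summary table for the UI (always runs)
      # --------------------------------------------------------------------
      # The interpolated values are job results and setup outputs produced by
      # this workflow, not user-controlled event data.
      - name: 📊 Build results summary
        run: |
          {
            echo "## 🚦 Workflow Results"
            echo ""
            echo "| Component | Result | Status |"
            echo "|-----------|--------|--------|"
            echo "| 🎯 Setup | ${{ needs.setup.result }} | Required |"
            echo "| 🪄 MAGE-X | ${{ needs.test-magex.result }} | Required |"
            echo "| 💾 Warm Cache | ${{ needs.warm-cache.result }} | ${{ needs.setup.outputs.cache-warming-enabled == 'true' && 'Required' || 'Skipped' }} |"
            echo "| 🔒 Security | ${{ needs.security.result }} | Required |"
            echo "| 📊 Code Quality | ${{ needs.code-quality.result }} | Required |"
            echo "| 🪝 Pre-commit | ${{ needs.pre-commit.result }} | ${{ needs.setup.outputs.pre-commit-enabled == 'true' && 'Required' || 'Skipped' }} |"
            echo "| 🧪 Test Suite | ${{ needs.test-suite.result }} | ${{ needs.setup.outputs.go-tests-enabled == 'true' && 'Required' || 'Skipped' }} |"
            echo "| 🏃 Benchmarks | ${{ needs.benchmarks.result }} | Optional ⚠️ |"
            echo ""
            if [[ "${{ needs.benchmarks.result }}" == "failure" ]]; then
              echo "⚠️ **Note**: Benchmarks failed but are currently non-blocking."
            fi
          } >> "$GITHUB_STEP_SUMMARY"
      # --------------------------------------------------------------------
      # Fail the workflow *only* when a dependency actually failed/canceled
      # - 'skipped' is OK (e.g. feature flag off)
      # - Benchmarks are currently optional (can fail without blocking)
      # - Warm cache counts as required when cache warming is enabled, because
      #   its failure skips every downstream job and would otherwise yield a
      #   green check with nothing verified
      # --------------------------------------------------------------------
      - name: ❌ Fail if any required job errored
        if: ${{ always() }}
        run: |
          FAILED=false
          # Check required jobs (these must pass)
          if [[ "${{ needs.setup.result }}" == "failure" || "${{ needs.setup.result }}" == "cancelled" ]]; then
            echo "❌ Setup failed or was cancelled" >&2
            FAILED=true
          fi
          if [[ "${{ needs.test-magex.result }}" == "failure" || "${{ needs.test-magex.result }}" == "cancelled" ]]; then
            echo "❌ Test MAGE-X failed or was cancelled" >&2
            FAILED=true
          fi
          # Only check warm-cache if it was enabled (it is 'skipped' otherwise)
          if [[ "${{ needs.setup.outputs.cache-warming-enabled }}" == "true" ]]; then
            if [[ "${{ needs.warm-cache.result }}" == "failure" || "${{ needs.warm-cache.result }}" == "cancelled" ]]; then
              echo "❌ Warm cache failed or was cancelled (downstream jobs were skipped)" >&2
              FAILED=true
            fi
          fi
          if [[ "${{ needs.security.result }}" == "failure" || "${{ needs.security.result }}" == "cancelled" ]]; then
            echo "❌ Security scans failed or were cancelled" >&2
            FAILED=true
          fi
          if [[ "${{ needs.code-quality.result }}" == "failure" || "${{ needs.code-quality.result }}" == "cancelled" ]]; then
            echo "❌ Code quality checks failed or were cancelled" >&2
            FAILED=true
          fi
          if [[ "${{ needs.pre-commit.result }}" == "failure" || "${{ needs.pre-commit.result }}" == "cancelled" ]]; then
            echo "❌ Pre-commit checks failed or were cancelled" >&2
            FAILED=true
          fi
          # Only check test-suite if it was enabled
          if [[ "${{ needs.setup.outputs.go-tests-enabled }}" == "true" ]]; then
            if [[ "${{ needs.test-suite.result }}" == "failure" || "${{ needs.test-suite.result }}" == "cancelled" ]]; then
              echo "❌ Test suite failed or was cancelled" >&2
              FAILED=true
            fi
          fi
          # Check benchmarks (currently optional - just warn if they fail)
          if [[ "${{ needs.benchmarks.result }}" == "failure" ]]; then
            echo "⚠️ Benchmarks failed (non-blocking)" >&2
          fi
          if [[ "$FAILED" == "true" ]]; then
            echo "❌ One or more required jobs failed – see details above." >&2
            exit 1
          fi
      # --------------------------------------------------------------------
      # Succeed if all required jobs passed or were skipped
      # (cosmetic only: a benchmarks failure hides this message but does not
      # affect the job result, which is decided by the step above)
      # --------------------------------------------------------------------
      - name: ✅ Mark workflow success
        if: ${{ !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
        run: |
          echo "🎉 All required checks passed (skipped jobs are considered OK)."
  # ----------------------------------------------------------------------------------
  # Release Version (FORK-UNSAFE: PRs never trigger this, but extra fork safety included)
  # ----------------------------------------------------------------------------------
  release:
    name: 🚀 Release Version
    needs: [load-env, setup, test-magex, test-suite, security, code-quality, pre-commit]
    # Only run on successful tag pushes from same repository (not forks)
    # Allow release even if test-suite was skipped (when ENABLE_GO_TESTS=false)
    if: |
      !cancelled() &&
      startsWith(github.ref, 'refs/tags/v') &&
      needs.setup.outputs.is-fork-pr != 'true' &&
      needs.setup.result == 'success' &&
      needs.test-magex.result == 'success' &&
      (needs.test-suite.result == 'success' || needs.test-suite.result == 'skipped') &&
      needs.security.result == 'success' &&
      needs.code-quality.result == 'success' &&
      needs.pre-commit.result == 'success'
    # Declared before `uses:` like every other job so the grant is visible next
    # to the gating condition.
    permissions:
      contents: write # Required: goreleaser needs to create GitHub releases
    uses: ./.github/workflows/fortress-release.yml
    with:
      env-json: ${{ needs.load-env.outputs.env-json }}
      primary-runner: ${{ needs.setup.outputs.primary-runner }}
      go-primary-version: ${{ needs.setup.outputs.go-primary-version }}
      golangci-lint-version: ${{ needs.code-quality.outputs.golangci-lint-version }}
      go-sum-file: ${{ needs.setup.outputs.go-sum-file }}
    secrets:
      github-token: ${{ secrets.GH_PAT_TOKEN != '' && secrets.GH_PAT_TOKEN || secrets.GITHUB_TOKEN }}
      slack-webhook: ${{ secrets.SLACK_WEBHOOK || '' }} # Optional; empty string when unset
  # ----------------------------------------------------------------------------------
  # Workflow Completion Report
  # ----------------------------------------------------------------------------------
  completion-report:
    name: 📊 Workflow Completion Report
    # Runs for every outcome except when setup or test-magex failed/cancelled,
    # since the report inputs below come from setup outputs.
    if: always() && !contains(fromJSON('["failure", "cancelled"]'), needs.setup.result) && !contains(fromJSON('["failure", "cancelled"]'), needs.test-magex.result)
    needs: [load-env, setup, test-magex, pre-commit, security, code-quality, test-suite, benchmarks, release, status-check]
    permissions:
      contents: read # Read repository content for completion report
      actions: read # Required for artifact downloads
    uses: ./.github/workflows/fortress-completion-report.yml
    with:
      benchmarks-result: ${{ needs.benchmarks.result }}
      code-quality-result: ${{ needs.code-quality.result }}
      pre-commit-result: ${{ needs.pre-commit.result }}
      env-json: ${{ needs.load-env.outputs.env-json }}
      primary-runner: ${{ needs.setup.outputs.primary-runner }}
      release-result: ${{ needs.release.result }}
      security-result: ${{ needs.security.result }}
      setup-result: ${{ needs.setup.result }}
      start-epoch: ${{ needs.setup.outputs.start-epoch }}
      start-time: ${{ needs.setup.outputs.start-time }}
      status-check-result: ${{ needs.status-check.result }}
      test-magex-result: ${{ needs.test-magex.result }}
      test-matrix: ${{ needs.setup.outputs.test-matrix }}
      test-suite-result: ${{ needs.test-suite.result }}
      gofortress-version: ${{ needs.setup.outputs.gofortress-version }}
      gofortress-released: ${{ needs.setup.outputs.gofortress-released }}
      is-fork-pr: ${{ needs.setup.outputs.is-fork-pr }}
      fork-security-mode: ${{ needs.setup.outputs.fork-security-mode }}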