Add race, gofmt, smoke-test, staticcheck, govulncheck, CodeQL to CI #4
Merged
Match librarr's CI hardening (see librarr commit 755c4a8). The existing
'go build + go test' workflow now gates every PR on:
- gofmt -l (formatter enforcement)
- go build (binary compiles)
- go test -race -count=1 -v (race detector + no cache)
- go vet
- staticcheck (latest)
- govulncheck (latest, scans against Go 1.25 stdlib so the 1.24.x stdlib
CVEs that affect local runs disappear)
- smoke test — boots the binary on port 15001 with DATA_DIR=/tmp/smoke-data,
waits up to 15s for /api/health, then confirms /api/openapi.json and
/torznab/api?t=caps respond. Greps boot log for panic/fatal.
- docker build job verifies the Dockerfile still produces an image.
Plus a new CodeQL workflow (security-and-quality queries) that runs on
push, PR, and weekly cron so post-merge dependency CVEs surface without
manual intervention.
Bumped CI Go to 1.25.x (matches the Dockerfile). go.mod's 1.24.0 floor
unchanged.
Pre-push verification ran the full gate suite locally — all clean,
including the new smoke test.
CI's govulncheck caught GO-2025-3770: Host header injection leading to open redirect in chi's RedirectSlashes (chi v5.2.1 -> fixed in v5.2.2). Bumping to v5.2.5 to clear the finding and pick up subsequent patches. No code changes — chi's API is stable across this range.
Summary
Match librarr's CI hardening. Every PR is now gated on the same suite that protects librarr (see librarr commit 755c4a8).
What changed
.github/workflows/test.yml — replaces the bare go build + go test
gofmt -w . would fix locally)
DATA_DIR=/tmp/smoke-data, waits up to 15s for /api/health, then confirms the new /api/openapi.json and /torznab/api?t=caps endpoints respond. Greps boot log for panic/fatal.
1.25.x to match the Dockerfile. go.mod's 1.24.0 floor unchanged.
.github/workflows/codeql.yml — new
Security-and-quality queries, runs on push + PR + weekly cron (Mon 04:23 UTC). Surfaces post-merge dependency CVEs without manual intervention.
What had to be fixed for these gates to pass
- gofmt -w . (no behavioral changes — just whitespace and import-block ordering).
- internal/api/api.go:775 — for ... append(all, c) → append(all, custom...) (S1011)
- internal/api/handlers_extra.go:248 — numeric 403 → http.StatusForbidden (ST1013)
- internal/search/filter_test.go:238 — redundant nil check before len() (S1009)
Test plan
go test -race -count=1 ./... clean, govulncheck clean against the binary's actual build target (1.25), smoke test bound + /api/health, /api/openapi.json, /torznab/api?t=caps all return 200, no panic/fatal in boot log.
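The smoke-test gate described in this PR (wait up to 15s for /api/health, then require /api/openapi.json and /torznab/api?t=caps to answer 200, then grep the boot log for panic/fatal), written out as an added Go example; this is not the repository's workflow or code. It assumes the workflow has already started the binary with DATA_DIR set and that it listens at base; the function names expectOK, smokeCheck and scanBootLog are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"time"
)

// expectOK polls url every 250ms until it answers 200 or timeout
// elapses; with timeout 0 it is a single probe.
func expectOK(c *http.Client, url string, timeout time.Duration) error {
	deadline := time.Now().Add(timeout)
	for {
		st := 0 // 0 records "listener not reachable at all"
		if resp, err := c.Get(url); err == nil {
			st = resp.StatusCode
			resp.Body.Close()
		}
		if st == http.StatusOK {
			return nil
		}
		if !time.Now().Before(deadline) {
			return fmt.Errorf("%s: status %d, gave up after %s", url, st, timeout)
		}
		time.Sleep(250 * time.Millisecond)
	}
}

// smokeCheck mirrors the workflow: wait up to `wait` for /api/health,
// then require every other path to answer 200 on its first try.
func smokeCheck(c *http.Client, base string, wait time.Duration, paths []string) error {
	err := expectOK(c, base+"/api/health", wait)
	for i := 0; err == nil && i < len(paths); i++ {
		err = expectOK(c, base+paths[i], 0) // no grace period here
	}
	return err
}

// scanBootLog returns log lines mentioning "panic" or "fatal" (case-insensitive, a choice made here), like the workflow's grep.
func scanBootLog(log string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		l := strings.ToLower(line)
		if strings.Contains(l, "panic") || strings.Contains(l, "fatal") {
			hits = append(hits, line)
		}
	}
	return hits
}
```

A non-empty result from scanBootLog should fail the job even when every endpoint answered 200, since a recovered panic during boot is exactly what the grep is there to catch.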