ci: bump the github-actions group with 3 updates #1638
Workflow file for this run
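---
# CI workflow for the basecamp binary: unit tests, lint, workflow audit,
# vulnerability scan, race detection, BATS integration tests, CLI surface
# comparison, skill evals and benchmarks.
#
# Conventions visible in this file:
#   - the workflow-level token has no scopes (`permissions: {}`); every job
#     opts back in to `contents: read` only
#   - every `uses:` reference is pinned to a full commit SHA, with the release
#     tag kept in a trailing comment
#   - every checkout sets `persist-credentials: false`, so the job token is not
#     left in the checked-out repository's git config for later steps
name: Test

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Deny-by-default: a job gets only the scopes it declares itself.
permissions: {}

jobs:
  test:
    name: Tests
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      BASECAMP_NO_KEYRING: "1"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: 'go.mod'

      - name: Check SDK provenance
        run: make provenance-check

      - name: Check module tidiness
        run: make tidy-check

      - name: Check naming (no stale legacy references)
        run: make check-naming

      - name: Run unit tests
        run: go test -tags dev -v ./...

      - name: Build binary
        run: go build -tags dev -o bin/basecamp ./cmd/basecamp

      - name: Smoke test
        run: |
          ./bin/basecamp --version
          ./bin/basecamp --help | head -5

      # Builds once more without the `dev` tag so the release configuration is
      # compiled in CI as well.
      - name: Validate release build (no dev tag)
        run: |
          go build -o bin/basecamp-release ./cmd/basecamp
          go test -v ./internal/commands/ -run TestStub

  lint:
    name: Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: 'go.mod'

      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: v2.11.1
          args: --build-tags dev

  # Audits the workflow files themselves: actionlint for syntax and expression
  # errors, zizmor for workflow security findings.
  lint-actions:
    name: GitHub Actions audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Run actionlint
        uses: rhysd/actionlint@393031adb9afb225ee52ae2ccd7a5af5525e03e8 # v1.7.11

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
        with:
          advanced-security: false

  security:
    name: Security
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: 'go.mod'

      - name: Run govulncheck
        # @latest intentional — pinning delays scanning improvements and
        # new Go version support for no meaningful reproducibility gain.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck -tags dev ./...

  race-check:
    name: Race Detection
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      BASECAMP_NO_KEYRING: "1"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: 'go.mod'

      - name: Run tests with race detector
        run: go test -tags dev -race -v ./...

  integration:
    name: Integration Tests
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      BASECAMP_NO_KEYRING: "1"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: 'go.mod'

      # The cache key is a fixed string, so the installed ~/.local tree is
      # reused unchanged until the key itself is edited.
      - name: Cache BATS
        id: cache-bats
        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to the cache used by tag-push workflows
        with:
          path: ~/.local
          key: bats-1.11.0-home

      # NOTE(review): unlike the SHA-pinned actions above, this clone follows
      # a tag, which upstream can move. Consider checking the cloned HEAD
      # against a recorded commit before running install.sh, e.g. compare
      # `git -C /tmp/bats-core rev-parse HEAD` with <EXPECTED_BATS_COMMIT_SHA>
      # (placeholder; the expected commit is not recorded in this file).
      - name: Install BATS
        if: steps.cache-bats.outputs.cache-hit != 'true'
        run: |
          git clone --depth 1 --branch v1.11.0 https://github.com/bats-core/bats-core.git /tmp/bats-core
          /tmp/bats-core/install.sh ~/.local

      - name: Add BATS to PATH
        run: echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Run BATS integration tests
        run: make test-e2e

  # Builds the checked-out ref and origin/main, snapshots the CLI surface of
  # each, and diffs the two snapshots.
  cli-surface:
    name: CLI Surface Check
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      BASECAMP_NO_KEYRING: "1"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history, so origin/main is available to the worktree below.
          fetch-depth: 0
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: 'go.mod'

      - name: Build and snapshot PR surface
        run: |
          make build
          scripts/check-cli-surface.sh ./bin/basecamp /tmp/current-surface.txt

      # The baseline binary is built from origin/main, but it is snapshotted
      # with the script from the current checkout (SCRIPT_DIR), so both
      # surfaces are produced by the same script version.
      - name: Build and snapshot baseline surface
        run: |
          SCRIPT_DIR="$(pwd)/scripts"
          git worktree add /tmp/baseline-tree origin/main
          cd /tmp/baseline-tree
          make build
          "$SCRIPT_DIR/check-cli-surface.sh" ./bin/basecamp /tmp/baseline-surface.txt

      - name: Compare surfaces
        run: scripts/check-cli-surface-diff.sh /tmp/baseline-surface.txt /tmp/current-surface.txt

      - name: Cleanup worktree
        if: always()
        run: git worktree remove /tmp/baseline-tree --force 2>/dev/null || true

  skill-eval:
    name: Skill Evals
    runs-on: ubuntu-latest
    permissions:
      contents: read
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      # NOTE(review): on pull_request events paths-filter reads the changed
      # file list through the API and its documentation asks for
      # `pull-requests: read`; confirm the filter works with only
      # `contents: read` granted to this job.
      - name: Check for skill or eval changes
        id: filter
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        with:
          filters: |
            skill:
              - 'skills/basecamp/SKILL.md'
              - 'skill-evals/**'

      - name: Set up Ruby
        if: steps.filter.outputs.skill == 'true'
        uses: ruby/setup-ruby@13e7a03dc3ac6c3798f4570bfead2aed4d96abfb # v1.244.0
        with:
          ruby-version: '3.3'

      # The secret is scoped to this one step rather than to the job. The
      # rationale on the secret line covers fork PRs only: a pull request
      # opened from a branch of this repository does receive the key, so
      # `make skill-eval` runs with it on code pushed by anyone with write
      # access.
      - name: Run skill evals
        if: steps.filter.outputs.skill == 'true'
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} # zizmor: ignore[secrets-outside-env] -- fork PRs don't receive secrets so untrusted code never sees the key; adding an environment would block PR-triggered runs
        run: |
          if [ -z "$ANTHROPIC_API_KEY" ]; then
            echo "::warning::ANTHROPIC_API_KEY not configured, skipping skill evals"
            exit 0
          fi
          make skill-eval

  benchmarks:
    name: Benchmarks
    runs-on: ubuntu-latest
    permissions:
      contents: read
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    # A failure in this job is reported but does not fail the workflow run.
    continue-on-error: true
    env:
      BASECAMP_NO_KEYRING: "1"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 2
          persist-credentials: false

      - name: Check for benchmark-relevant changes
        id: filter
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        with:
          filters: |
            bench:
              - 'internal/api/**'
              - 'internal/names/**'
              - 'internal/dateparse/**'
              - 'internal/output/**'
              - 'go.mod'
              - 'go.sum'

      - name: Set up Go
        if: steps.filter.outputs.bench == 'true'
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: 'go.mod'

      # Without `shell:` set, run steps use `bash -e` with no pipefail, so the
      # exit status of `go test` was hidden behind `tee`. A failed or partial
      # benchmark run could then be compared and saved as the next baseline.
      - name: Run benchmarks
        if: steps.filter.outputs.bench == 'true'
        run: |
          set -o pipefail
          go test -tags dev -bench=. -benchmem -count=3 -run='^$' ./internal/... | tee benchmarks.txt

      # Exact key is this commit's SHA; the prefix fallback restores a
      # baseline saved by an earlier run.
      - name: Download previous benchmark baseline
        if: steps.filter.outputs.bench == 'true'
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: benchmarks-baseline.txt
          key: benchmarks-baseline-${{ github.sha }}
          restore-keys: |
            benchmarks-baseline-

      # NOTE(review): @latest here carries no rationale comment, unlike the
      # govulncheck install in the `security` job. Confirm it is intentional.
      - name: Install benchstat
        if: steps.filter.outputs.bench == 'true'
        run: go install golang.org/x/perf/cmd/benchstat@latest

      - name: Compare benchmarks
        if: steps.filter.outputs.bench == 'true' && hashFiles('benchmarks-baseline.txt') != ''
        run: |
          echo "## Benchmark Comparison" >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          benchstat benchmarks-baseline.txt benchmarks.txt >> "$GITHUB_STEP_SUMMARY" 2>&1 || true
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      # The pattern flags any "+NN.N%" delta from 20 upwards wherever it
      # appears in the benchstat output. Its second alternative has no "%",
      # so it also matches any "+" followed by three or more digits.
      - name: Check for significant regression
        if: steps.filter.outputs.bench == 'true' && hashFiles('benchmarks-baseline.txt') != ''
        run: |
          benchstat benchmarks-baseline.txt benchmarks.txt > comparison.txt 2>&1 || true
          if grep -E '\+[2-9][0-9]\.[0-9]+%|\+[1-9][0-9][0-9]+' comparison.txt; then
            echo "::error::Performance regression detected (>20% slower). See benchmark comparison in step summary."
            exit 1
          fi

      # These steps carry no always() condition, so they are skipped when the
      # regression check above fails and the previous baseline stays in place.
      - name: Save benchmark baseline
        if: steps.filter.outputs.bench == 'true'
        run: cp benchmarks.txt benchmarks-baseline.txt

      - name: Cache benchmark baseline
        if: steps.filter.outputs.bench == 'true'
        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: benchmarks-baseline.txt
          key: benchmarks-baseline-${{ github.sha }}

      - name: Upload benchmark results
        if: steps.filter.outputs.bench == 'true'
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: benchmarks
          path: benchmarks.txt
          retention-days: 30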