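# CI workflow.
#
# Trigger model (see `on:` below). Two groups of jobs never overlap, and each
# job carries an explicit `if:` on github.event_name to enforce that:
#   - push / pull_request on master: build, lint, gosec, tests, benchmark
#     guard, coverage. These execute repository code, so they are kept on the
#     unprivileged events only.
#   - pull_request_target on master: ONLY the AI security-review job. That
#     event runs in the base repository's context (secrets are available),
#     so it must never execute code from the PR head. See the comments on
#     `barry-ai-security-review` before adding steps to it.
#
# Conventions: every third-party action is pinned to a commit SHA unless a
# `zizmor: ignore[unpinned-uses]` marker says otherwise; every checkout sets
# persist-credentials: false; the workflow default is contents: read and each
# job re-declares the permissions it actually needs.
name: CI

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it as
# the key it is meant to be, so the yamllint truthy rule is suppressed here.
# The zizmor marker is deliberate: pull_request_target is a "dangerous
# trigger" and is used on purpose for the isolated review job below.
on: # yamllint disable-line rule:truthy # zizmor: ignore[dangerous-triggers]
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  # For pull_request_target the branches filter applies to the PR's BASE
  # branch, i.e. only PRs targeting master run the review job.
  pull_request_target:
    branches:
      - master

# Workflow-wide least privilege; jobs that need more add it explicitly.
permissions:
  contents: read

jobs:
  # Build, lint, static analysis, tests and perf diff across the supported
  # Go versions. Skipped on pull_request_target so that repository code
  # (make test, make perf-diff) never runs under the privileged event and
  # a PR is not tested twice.
  test:
    if: github.event_name != 'pull_request_target'
    strategy:
      matrix:
        version:
          # Versions are quoted so YAML does not read them as floats.
          - go-version: "1.25.11"
            golangci: "latest"
          - go-version: "1.26.4"
            golangci: "latest"
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      GO111MODULE: on
    steps:
      - name: Setup go ${{ matrix.version.go-version }}
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: ${{ matrix.version.go-version }}
      - name: Checkout Source
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      # Module cache keyed on go.sum; restore-keys allows a prefix fallback
      # to an older cache for the same OS when go.sum changed.
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: lint
        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9
        with:
          version: ${{ matrix.version.golangci }}
      # Deliberately unpinned (zizmor ignore) — presumably so the newest
      # gosec is exercised against this tree; confirm that is the intent.
      # Blast radius is limited: this job has contents: read only, no
      # repository secrets, and credentials are not persisted.
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master # zizmor: ignore[unpinned-uses]
        with:
          args: '-exclude-dir=testdata ./...'
      - name: Run Tests
        run: make test
      - name: Perf Diff
        run: make perf-diff

  # Guards against taint-analysis benchmark regressions. Same event gating
  # as `test` because it executes a script from the checkout.
  taint-perf-guard:
    if: github.event_name != 'pull_request_target'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      GO111MODULE: on
      # Number of benchmark iterations; quoted so it stays a string in env.
      BENCH_COUNT: "5"
    steps:
      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: "1.26.4"
      - name: Checkout Source
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Check taint benchmark regression
        run: bash tools/check_taint_benchmark.sh

  # AI-assisted security review of the PR. Runs ONLY on pull_request_target.
  #
  # This is the one job that holds base-repository secrets (GOOGLE_API_KEY,
  # plus a GITHUB_TOKEN able to write PR comments and code-scanning alerts)
  # while looking at code from an untrusted PR head. Guard rails:
  #   - the PR head is checked out by its immutable SHA, not a branch name,
  #     and with persist-credentials: false so the token never lands in .git;
  #   - the job runs under the `security-review` environment. It only acts as
  #     a gate if that environment has required-reviewer protection for
  #     external contributors — confirm in repository settings (not visible
  #     from this file);
  #   - nothing here may build, test or `go generate` the checkout. Any step
  #     that executes PR-controlled code in this job is remote code execution
  #     with access to the secrets above. Keep it analysis-only;
  #   - ccojocar/barry is consumed from the mutable `main` ref (zizmor
  #     ignore). Whoever can push to that branch can run arbitrary code with
  #     these secrets; pin to a commit SHA once its release cadence allows.
  # NOTE(review): consider timeout-minutes on this job — the default is six
  # hours and the review step talks to an external model API.
  barry-ai-security-review:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    environment: security-review
    permissions:
      contents: read
      # Needed by upload-sarif below.
      security-events: write
      # Presumably used by barry to comment on the PR — verify against the
      # action's documentation before widening further.
      pull-requests: write
    steps:
      - name: Checkout Source
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      # continue-on-error keeps a flaky model call from blocking the PR; the
      # SARIF upload below is skipped when this step did not succeed.
      - name: Run Barry AI Security Review
        id: barry
        uses: ccojocar/barry@main # zizmor: ignore[unpinned-uses]
        continue-on-error: true
        with:
          google-api-key: ${{ secrets.GOOGLE_API_KEY }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          false-positive-filtering-instructions: .github/barry/custom-gosec-false-positive-filter
          custom-security-scan-instructions: .github/barry/custom-gosec-security-scan-instructions
          validator-model: gemini-3-flash-preview
          autofix-model: gemini-3-flash-preview
          output-format: sarif
      - name: Upload SARIF to GitHub Security Center
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
        if: steps.barry.outcome == 'success'
        with:
          sarif_file: ${{ github.workspace }}/barry-results.sarif

  # Coverage upload; only meaningful after tests and the benchmark guard
  # passed, hence the `needs`. Same event gating as `test`.
  coverage:
    if: github.event_name != 'pull_request_target'
    needs: [test, taint-perf-guard]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      GO111MODULE: on
    steps:
      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version: "1.26.4"
      - name: Checkout Source
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Create Test Coverage
        run: make test-coverage
      # NOTE(review): secrets are not exposed to pull_request runs from forks,
      # so CODECOV_TOKEN is empty there. With fail_ci_if_error: true, fork PRs
      # will fail this job unless the action can upload without a token for
      # this repository — confirm before relying on it as a required check.
      - name: Upload Test Coverage
        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true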