ci: overhaul pipeline — caching, GoReleaser, govulncheck #30

Merged
lerko merged 5 commits from ci/pipeline-overhaul into main 2026-05-27 00:37:32 +00:00
Owner

Summary

  • Add module + build cache to CI (was only caching go-build, missing go/pkg/mod)
  • Declare explicit Alpine container instead of relying on runner image
  • Drop redundant go vet (already covered by golangci-lint govet linter)
  • Add govulncheck job for dependency CVE scanning
  • Add GoReleaser config for Gitea-native binary releases + checksums + changelog
  • Replace .github/workflows/docker.yml with .gitea/workflows/release.yml
  • Docker multiarch (amd64+arm64) via buildx in release workflow
  • Dockerfile: add --mount=type=cache for mod/build, add -trimpath

Secrets required

  • RELEASE_TOKEN — Gitea API token (write:repository)
  • DOCKERHUB_USERNAME — Docker Hub username
  • DOCKERHUB_TOKEN — Docker Hub access token

Expected CI improvement

~5min → ~2min on cache hit. Release workflow produces binary tarballs + checksums + Docker images on tag push.
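An illustrative Gitea Actions workflow showing the caching and govulncheck pieces the summary describes (added here as an example; this is not the PR's own workflow file). It assumes a runner labelled `ubuntu-latest`, Go 1.26.3 as bumped later in this PR, and that the runner accepts GitHub-style `actions/*` steps:

```yaml
# .gitea/workflows/ci.yml (illustrative example, not the repository's file)
name: CI
on:
  pull_request:
  push:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest          # assumed runner label
    defaults:
      run:
        shell: sh                   # Alpine-based act runner has no bash
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26.3'
          cache: false              # cache both directories explicitly below
      - uses: actions/cache@v4
        with:
          # Module cache AND build cache: caching only go-build means every
          # run still re-downloads go/pkg/mod, which is most of the time lost.
          path: |
            ~/go/pkg/mod
            ~/.cache/go-build
          key: go-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
          restore-keys: go-${{ runner.os }}-
      - run: go test ./...

  vulncheck:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: sh
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26.3'
      # govulncheck checks dependencies and the stdlib of the toolchain in use
      # against the Go vulnerability database and exits non-zero when a
      # vulnerable function is reachable, so findings fail the job.
      - run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
```

Because govulncheck also reports stdlib vulnerabilities for the toolchain being scanned, an outdated `go-version` alone can fail this job, which matches the sequence of fixes in this PR.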

lerko added 2 commits 2026-05-26 22:39:06 +00:00
- Add module + build cache to CI (was only caching go-build, not go/pkg/mod)
- Declare explicit Alpine container instead of relying on runner image
- Drop redundant go vet (already in golangci-lint)
- Add govulncheck job for dependency CVE scanning
- Add GoReleaser config for Gitea-native binary releases + checksums
- Replace .github/workflows/docker.yml with .gitea/workflows/release.yml
- Docker multiarch (amd64+arm64) via buildx in release workflow
- Dockerfile: add --mount=type=cache for mod/build, add -trimpath
fix(ci): rename GITEA_TOKEN to RELEASE_TOKEN
CI / test (pull_request) Failing after 31s
CI / lint (pull_request) Successful in 1m9s
CI / vulncheck (pull_request) Failing after 15s
f0ff87c0d0
Gitea reserves the GITEA_ prefix for repo action secrets.
lerko added 1 commit 2026-05-26 22:44:12 +00:00
fix(ci): remove explicit container, use sh shell
CI / test (pull_request) Successful in 2m44s
CI / lint (pull_request) Successful in 1m11s
CI / vulncheck (pull_request) Failing after 1m7s
7d4ef1f594
Act runner is Alpine-based — container: directive breaks node-based
actions (checkout, setup-go). Runner already has apk natively.
Added shell: sh to all jobs since runner lacks bash.
lerko added 1 commit 2026-05-27 00:12:47 +00:00
chore: bump Go 1.24.4 → 1.26.3, Alpine 3.21 → 3.23
CI / test (pull_request) Successful in 2m57s
CI / lint (pull_request) Successful in 1m11s
CI / vulncheck (pull_request) Failing after 1m1s
2cd3dcddb4
Go 1.24 EOL since Feb 2026. Fixes 33 stdlib vulns found by
govulncheck (database/sql, os/exec, net/http). Gets Green Tea GC.
lerko added 1 commit 2026-05-27 00:20:25 +00:00
fix(deps): bump golang.org/x/crypto v0.47.0 → v0.52.0
CI / test (pull_request) Successful in 2m46s
CI / lint (pull_request) Successful in 1m12s
CI / vulncheck (pull_request) Successful in 56s
b1935aa682
Fixes 7 vulns (GO-2026-5014 through GO-2026-5023) found by govulncheck.
Also bumps x/net, x/sys, x/text, x/sync, x/mod, x/tools to latest.
lerko merged commit ea721601ab into main 2026-05-27 00:37:32 +00:00
lerko deleted branch ci/pipeline-overhaul 2026-05-27 00:37:32 +00:00

Reference: lerkolabs/uptop#30