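---
# sin-code-release.yml
# On a pushed v* tag: run tests and a vulnerability gate, cross-compile the
# binary for each target, then publish the archives with SHA-256 checksums.
#
# NOTE(review): every action below is referenced by a mutable major-version
# tag (@v4, @v5, @v2). Pinning each one to a reviewed full commit SHA would
# stop a moved tag from changing what runs in a workflow that publishes
# releases.
name: sin-code Release

on:
  push:
    tags:
      - 'v*'

# Read-only by default; only the release job below is granted write access.
permissions:
  contents: read

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.24.3'
      - name: Test
        run: |
          # Without pipefail the step takes tee's exit status, so a failing
          # `go test` would still let the build and release jobs run.
          set -o pipefail
          go test -v ./cmd/sin-code/... 2>&1 | tee test-output.txt
      - name: Vet
        run: go vet ./cmd/sin-code/...
      - name: govulncheck
        # Blocking for non-stdlib CVEs; stdlib CVEs (Go 1.24.3) are expected until Go 1.25.
        run: |
          # NOTE(review): @latest is resolved at run time, so the scanner
          # version is not reproducible; consider pinning a reviewed version.
          go install golang.org/x/vuln/cmd/govulncheck@latest
          scan_rc=0
          govulncheck ./cmd/sin-code/... > govulncheck-output.txt 2>&1 || scan_rc=$?
          # Exit 0 means nothing was found and 3 means vulnerabilities were
          # found. Any other status means the scan did not complete, and an
          # incomplete scan must not be reported as a pass.
          if [ "$scan_rc" -ne 0 ] && [ "$scan_rc" -ne 3 ]; then
            echo "❌ govulncheck did not complete (exit ${scan_rc}); failing closed."
            cat govulncheck-output.txt
            exit 1
          fi
          # Check for non-stdlib vulnerabilities (3rd-party dependencies).
          # If found, fail the pipeline. Stdlib CVEs are expected and don't block.
          # Compare counts rather than mere presence: a single stdlib finding
          # must not hide third-party findings in the same report.
          # Assumes one "Standard library" header per stdlib "Found in:" line;
          # verify against the text output of the installed govulncheck.
          found_total=$(grep -c "Found in:" govulncheck-output.txt || true)
          found_stdlib=$(grep -c "Standard library" govulncheck-output.txt || true)
          if [ "$found_total" -gt "$found_stdlib" ]; then
            echo "❌ CRITICAL: Non-stdlib CVEs detected in dependencies!"
            cat govulncheck-output.txt
            exit 1
          fi
          if [ "$found_stdlib" -gt 0 ]; then
            echo "⚠️ WARNING: Stdlib CVEs detected (Go 1.24.3, will be fixed in Go 1.25). Not blocking."
          fi
          echo "✅ govulncheck passed: no non-stdlib CVEs found."
      - name: Upload govulncheck artifact
        # Runs even when the gate fails, so the report is kept for triage.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: govulncheck-output
          path: govulncheck-output.txt

  build:
    name: Build
    needs: test
    strategy:
      matrix:
        include:
          - goos: linux
            goarch: amd64
            ext: ''
          - goos: linux
            goarch: arm64
            ext: ''
          - goos: darwin
            goarch: amd64
            ext: ''
          - goos: darwin
            goarch: arm64
            ext: ''
          - goos: windows
            goarch: amd64
            ext: '.exe'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.24.3'
      - name: Build
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
        run: |
          set -e
          # The pushed tag name is stamped into the binary as its version.
          VERSION=${GITHUB_REF_NAME}
          go version
          go env GOOS GOARCH
          go mod download
          go build -v -ldflags "-s -w -X main.Version=${VERSION} -X github.com/OpenSIN-Code/SIN-Code-Bundle/cmd/sin-code/internal.ServerVersion=${VERSION}" -o sin-code${{ matrix.ext }} ./cmd/sin-code
      - name: Archive
        run: |
          ARCH="${{ matrix.goos }}-${{ matrix.goarch }}"
          mkdir -p dist
          ls -la sin-code${{ matrix.ext }} || echo "Binary not found"
          # Windows targets ship as .zip, all others as .tar.gz.
          if [ "${{ matrix.goos }}" = "windows" ]; then
            zip -j "dist/sin-code-${ARCH}.zip" "sin-code${{ matrix.ext }}"
          else
            tar -czf "dist/sin-code-${ARCH}.tar.gz" -C . "sin-code${{ matrix.ext }}"
          fi
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: sin-code-${{ matrix.goos }}-${{ matrix.goarch }}
          path: dist/*

  release:
    name: Release
    needs: build
    runs-on: ubuntu-latest
    # The only job that publishes, so the only one granted write access.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          path: artifacts
          pattern: sin-code-*
          merge-multiple: true
      - name: Create checksums
        # The checksums are published beside the archives in the same release,
        # so they detect corrupted downloads but do not prove who built them.
        run: |
          cd artifacts
          sha256sum * > checksums.txt
      - name: Release
        uses: softprops/action-gh-release@v2
        with:
          files: artifacts/*
          body: |
            Unified sin-code binary with 13 subcommands, MCP server mode, and cross-platform builds.
          generate_release_notes: true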