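---
# CI/CD pipeline: test, cross-compile, scan and lint on pushes to main/develop
# and on pull requests to main; publish a release on pushes to main.
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege: every job gets a read-only GITHUB_TOKEN unless it declares
# the extra scope it needs (see the `security` and `release` jobs).
permissions:
  contents: read

# NOTE(review): actions below are referenced by version tag. Tags can be moved
# by the action's owner; pinning each `uses:` to a reviewed full commit SHA
# makes the executed code immutable.

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24.2'

      - name: Cache Go modules
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      - name: Download dependencies
        run: go mod download

      # Checks downloaded modules against the hashes recorded in go.sum.
      - name: Verify dependencies
        run: go mod verify

      - name: Run tests
        run: go test -v -race -coverprofile=coverage.out ./...

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v5
        with:
          file: ./coverage.out
          flags: unittests
          name: codecov-umbrella

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: test
    strategy:
      matrix:
        goos: [linux, windows, darwin]
        goarch: [amd64, arm64]
        exclude:
          - goos: windows
            goarch: arm64
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24.2'

      - name: Cache Go modules
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-

      - name: Download dependencies
        run: go mod download

      # Expression values are handed to the script through `env` and read as
      # quoted shell variables, so the script text itself contains no
      # `${{ }}` substitutions.
      - name: Build binaries
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
          EXE_SUFFIX: ${{ matrix.goos == 'windows' && '.exe' || '' }}
        run: |
          out_dir="bin/${GOOS}-${GOARCH}"
          mkdir -p "${out_dir}"

          # Build CLI
          go build -ldflags="-s -w" -o "${out_dir}/onx${EXE_SUFFIX}" ./cmd/onx

          # Build daemon
          go build -ldflags="-s -w" -o "${out_dir}/onxd${EXE_SUFFIX}" ./cmd/onxd

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: onyx-${{ matrix.goos }}-${{ matrix.goarch }}
          path: bin/${{ matrix.goos }}-${{ matrix.goarch }}/

  security:
    name: Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required by upload-sarif to publish code-scanning results.
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24.2'

      # NOTE(review): this third-party action is referenced by a mutable branch
      # (@master), so the code it runs can change without any change to this
      # file. Pin it to a reviewed full commit SHA. It also duplicates the scan
      # done by the next step; consider keeping only one of the two.
      - name: Run Gosec Security Scanner
        uses: securecodewarrior/github-action-gosec@master
        with:
          args: './...'

      # gosec exits non-zero when it reports findings, which fails the job.
      # This step and the upload below therefore run even after a failed scan,
      # so the findings still reach code scanning.
      # The upstream gosec module path is github.com/securego/gosec/v2.
      # NOTE(review): `@latest` installs whatever version is newest at run
      # time; pin a reviewed release for reproducible scans.
      - name: Run SAST with Gosec
        if: ${{ !cancelled() }}
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec -fmt sarif -out gosec.sarif ./...

      - name: Upload SARIF file
        if: ${{ !cancelled() && hashFiles('gosec.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gosec.sarif

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24.2'

      # NOTE(review): `version: latest` lets the linter version drift between
      # runs; pin a specific version for reproducible results.
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
          version: latest
          args: --timeout=5m

  release:
    name: Release
    runs-on: ubuntu-latest
    needs: [test, build, security, lint]
    # Only pushes to main publish a release; pull requests never reach this job.
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    permissions:
      # Creating a release and uploading assets needs write access to contents.
      contents: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts/

      # The upload step below expects a single file, so the downloaded
      # per-platform directories are packed into one archive first.
      - name: Package release archive
        run: zip -r onyx-binaries.zip artifacts/

      # NOTE(review): actions/create-release and actions/upload-release-asset
      # are archived and no longer maintained; plan a move to a maintained
      # release mechanism.
      - name: Create release
        # The id is what `steps.create_release.outputs.upload_url` resolves.
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: v${{ github.run_number }}
          release_name: Release v${{ github.run_number }}
          draft: false
          prerelease: false

      - name: Upload release assets
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.create_release.outputs.upload_url }}
          asset_path: onyx-binaries.zip
          asset_name: onyx-binaries.zip
          asset_content_type: application/zip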