From fd8ea6c92dcfaa8930bab0732735f0d0066f4abf Mon Sep 17 00:00:00 2001 From: Bisu Ghalan Date: Sat, 11 Jul 2026 08:33:53 +0545 Subject: [PATCH] ci: harden CI/CD pipeline and fix configuration gaps - CI: add explicit `go build ./...` gate, run on the `dev` branch too (active dev branch had no push CI), and isolate the govulncheck scan into a separate advisory job (continue-on-error) so a tool/network hiccup can't block the deploy gate. - .gitattributes: force LF line endings so `gofmt` checks are deterministic across OSes (Windows CRLF was making local gofmt flag every file). - .gitignore/.dockerignore: ignore build artifacts (*.exe, tg-githubbot, bot) so the Windows binary can't be committed or baked into the image. - Dockerfile: copy tzdata into the final stage for correct time handling. - render.yaml: point healthCheckPath at the dedicated /healthz endpoint. - docker-compose.yml: default USE_POLLING to true for local dev. Co-Authored-By: Claude --- .dockerignore | 8 +++++++- .gitattributes | 1 + .github/workflows/ci.yml | 21 ++++++++++++++++++++- .gitignore | 3 +++ Dockerfile | 3 +++ docker-compose.yml | 2 +- render.yaml | 2 +- 7 files changed, 36 insertions(+), 4 deletions(-) create mode 100644 .gitattributes diff --git a/.dockerignore b/.dockerignore index 28bf33a..a498c7c 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,6 +1,12 @@ .git .idea +.github .env +.gitignore Dockerfile docker-compose.yml -**/*.md +render.yaml +sample.env +*.exe +bot +tg-githubbot diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..6313b56 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +* text=auto eol=lf diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0b388af..9b5bf6a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,12 +6,13 @@ on: branches: - master - main + - dev permissions: contents: read jobs: - test: + build-and-test: runs-on: ubuntu-latest steps: - name: Check out repository @@ -28,11 +29,29 @@ jobs: unformatted="$(gofmt -l ./cmd ./internal)" test -z "$unformatted" || (echo "$unformatted" && exit 1) + - name: Build + run: go build ./... + - name: Vet run: go vet ./... - name: Test run: go test ./... -count=1 + # Advisory only: a govulncheck/network hiccup must not block the deploy gate. + vulnerability-scan: + runs-on: ubuntu-latest + needs: build-and-test + continue-on-error: true + steps: + - name: Check out repository + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + - name: Vulnerability scan run: go run golang.org/x/vuln/cmd/govulncheck@latest ./... diff --git a/.gitignore b/.gitignore index de03f38..9e6979e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,5 @@ .idea .env +*.exe +bot +tg-githubbot diff --git a/Dockerfile b/Dockerfile index 0528922..de468df 100644 --- a/Dockerfile +++ b/Dockerfile @@ -28,6 +28,9 @@ RUN addgroup -S app && adduser -S -G app app # Copy the CA certificates from builder COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +# Copy timezone data so time formatting/local times are correct outside UTC +COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo + # Copy the built binary COPY --from=builder /app/tg-githubbot . diff --git a/docker-compose.yml b/docker-compose.yml index ca38c1b..b25d2e9 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -16,7 +16,7 @@ services: - MONGODB_URI=mongodb://mongo:27017 - DATABASE_NAME=${DATABASE_NAME:-github_bot} - ENCRYPTION_KEY=${ENCRYPTION_KEY} - - USE_POLLING=${USE_POLLING:-false} + - USE_POLLING=${USE_POLLING:-true} - PORT=8080 depends_on: - mongo diff --git a/render.yaml b/render.yaml index d7143ae..545f92b 100644 --- a/render.yaml +++ b/render.yaml @@ -6,7 +6,7 @@ services: dockerfilePath: ./Dockerfile dockerContext: . autoDeploy: true - healthCheckPath: / + healthCheckPath: /healthz envVars: - key: PORT value: 10000