chore(ci): update golang (#5)

tuannvm · web-flow · commit 33bddcfd0d3b · 2025-11-01T06:38:45.000-07:00
* chore(ci): update golang

Signed-off-by: Tommy Nguyen &lt;tuannvm@hotmail.com&gt;

* ci(workflow): update review workflow to verify latest versions

Signed-off-by: Tommy Nguyen &lt;tuannvm@hotmail.com&gt;

* ci: add build and test workflows; add golangci config

Signed-off-by: Tommy Nguyen &lt;tuannvm@hotmail.com&gt;

---------

Signed-off-by: Tommy Nguyen &lt;tuannvm@hotmail.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,177 @@
+name: Build & Verify Pipeline
+
+on:
+  push:
+    branches: [main]
+    paths-ignore:
+      - "**.md"
+      - ".github/ISSUE_TEMPLATE/**"
+      - ".gitignore"
+  pull_request:
+    paths-ignore:
+      - "**.md"
+      - ".github/ISSUE_TEMPLATE/**"
+      - ".gitignore"
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write # Required for SLSA provenance
+  security-events: write # Required for uploading security results
+  pull-requests: read
+  checks: write
+
+env:
+  GO_VERSION: "1.24.9"
+
+jobs:
+  # Static analysis and code quality check
+  verify:
+    name: Code Quality
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+          check-latest: true
+
+      - name: Install dependencies
+        run: |
+          go mod download
+          go mod verify
+
+      - name: Check Go mod tidy
+        run: |
+          go mod tidy
+          if ! git diff --quiet go.mod go.sum; then
+            echo "go.mod or go.sum is not tidy, run 'go mod tidy'"
+            git diff go.mod go.sum
+            exit 1
+          fi
+
+      - name: Install golangci-lint
+        uses: golangci/golangci-lint-action@v8
+        with:
+          version: latest
+          args: --timeout=5m
+          install-mode: binary
+          skip-pkg-cache: true
+          skip-build-cache: true
+
+      - name: Run linters
+        run: golangci-lint run
+
+  # Security vulnerability scanning and SBOM generation
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    needs: verify
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Run Go Vulnerability Check
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./...
+
+      - name: Run dependency scan
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          timeout: "10m"
+
+      - name: Upload security scan results
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: "trivy-results.sarif"
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0.20.9
+        with:
+          format: spdx-json
+          output-file: sbom.spdx.json
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v5
+        with:
+          name: sbom
+          path: sbom.spdx.json
+          retention-days: 30
+
+  # Run unit and integration tests with code coverage
+  test:
+    name: Run Tests
+    runs-on: ubuntu-latest
+    needs: verify
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Run tests
+        run: go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v5
+        with:
+          file: ./coverage.txt
+          flags: unittests
+          fail_ci_if_error: false
+
+  # Simple build verification (for PRs and non-main branches)
+  build:
+    name: Build Verification
+    runs-on: ubuntu-latest
+    needs: [verify, security]
+    # Only run for PRs or pushes to non-main branches
+    if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Build all packages
+        run: go build -v ./...
+
+      - name: Build examples
+        run: |
+          for example in $(find examples -name main.go 2>/dev/null); do
+            echo "Building $example..."
+            go build "$example"
+          done
diff --git a/.github/workflows/cursor.yml b/.github/workflows/cursor.yml
@@ -51,12 +51,19 @@ jobs:
           Objectives:
           1) Re-check existing review comments and reply resolved when addressed.
           2) Review the current PR diff and flag only clear, high-severity issues.
-          3) Leave very short inline comments (1-2 sentences) on changed lines only and a brief summary at the end.
+          3) Verify language and library versions against latest releases using web search.
+          4) Leave very short inline comments (1-2 sentences) on changed lines only and a brief summary at the end.
 
           Procedure:
           - Get existing comments: gh pr view --json comments
           - Get diff: gh pr diff
           - Get changed files with patches to compute inline positions: gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files --paginate --jq '.[] | {filename,patch}'
+          - IMPORTANT: When reviewing files that specify versions (go.mod, package.json, requirements.txt, Dockerfile, GitHub Actions workflows, etc.), MUST search the web for:
+            - Latest stable versions of languages (Go, Node.js, Python, etc.)
+            - Latest versions of libraries/dependencies
+            - Latest versions of base images (Docker)
+            - Latest versions of GitHub Actions
+            - Compare found versions with what's in the PR and flag outdated versions
           - Compute exact inline anchors for each issue (file path + diff position). Comments MUST be placed inline on the changed line in the diff, not as top-level comments.
           - Detect prior top-level "no issues" style comments authored by this bot (match bodies like: "✅ no issues", "No issues found", "LGTM").
           - If CURRENT run finds issues and any prior "no issues" comments exist:
@@ -74,14 +81,16 @@ jobs:
             - Obvious logic errors with incorrect behavior
             - Clear performance anti-patterns with measurable impact
             - Definitive security vulnerabilities
+            - Outdated language/library/dependency/action versions (use web search to verify latest)
+            - Deprecated APIs or patterns (search documentation for current best practices)
           - Avoid duplicates: skip if similar feedback already exists on or near the same lines.
 
           Commenting rules:
           - Max 10 inline comments total; prioritize the most critical issues
           - One issue per comment; place on the exact changed line
           - All issue comments MUST be inline (anchored to a file and line/position in the PR diff)
           - Natural tone, specific and actionable; do not mention automated or high-confidence
-          - Use emojis: 🚨 Critical 🔒 Security ⚡ Performance ⚠️ Logic ✅ Resolved ✨ Improvement
+          - Use emojis: 🚨 Critical 🔒 Security ⚡ Performance ⚠️ Logic 📦 Outdated Version 🔄 Deprecated ✅ Resolved ✨ Improvement
 
           Submission:
           - If there are NO issues to report and an existing top-level comment indicating "no issues" already exists (e.g., "✅ no issues", "No issues found", "LGTM"), do NOT submit another comment. Skip submission to avoid redundancy.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ permissions:
   contents: read
 
 env:
-  GO_VERSION: "1.25"
+  GO_VERSION: "1.24.9"
 
 jobs:
   test:
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,9 @@
+# Define the configuration version
+version: "2"
+
+run:
+  timeout: 5m
+  modules-download-mode: readonly
+
+linters:
+  default: standard
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/tuannvm/oauth-mcp-proxy
 
-go 1.24.0
+go 1.24.9
 
 require (
 	github.com/coreos/go-oidc/v3 v3.16.0
