CI Pipeline Workflow¶

The ci.yml workflow provides a complete CI pipeline by orchestrating all other workflows.

Usage¶

jobs:
  ci:
    uses: go-gamma/actions/.github/workflows/ci.yml@v1
    with:
      go-version: '1.24'
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

Execution Flow¶

flowchart TB
    subgraph "Phase 1: Quality Checks (Parallel)"
        direction LR
        T["🧪 Test<br/>go test -race<br/>coverage upload"]
        L["🔍 Lint<br/>golangci-lint<br/>50+ linters"]
        S["🔒 Security<br/>gosec<br/>govulncheck"]
    end

    subgraph "Phase 2: Build Verification"
        B["🔨 Build Matrix<br/>Linux | macOS | Windows"]
    end

    T --> B
    L --> B
    S --> B

Inputs¶

Input	Type	Default	Description
`go-version`	string	`'1.24'`	Go version
`go-version-file`	string	`''`	Path to go.mod
`working-directory`	string	`'.'`	Code directory
`skip-lint`	boolean	`false`	Skip linting
`skip-security`	boolean	`false`	Skip security scan
`skip-build`	boolean	`false`	Skip build matrix
`platforms`	string	`'ubuntu-latest,...'`	Build platforms
`race-detection`	boolean	`true`	Enable race detector
`upload-coverage`	boolean	`true`	Upload to Codecov
`upload-sarif`	boolean	`true`	Upload to Code Scanning
`fail-on-vulns`	boolean	`true`	Fail on vulnerabilities
`only-new-issues`	boolean	`false`	New lint issues only

Secrets¶

Secret	Required	Description
`CODECOV_TOKEN`	No	Codecov upload token

Permissions¶

For SARIF upload to GitHub Code Scanning, you must pass permissions to the workflow:

permissions:
  contents: read
  security-events: write  # Required for SARIF upload

jobs:
  ci:
    uses: go-gamma/actions/.github/workflows/ci.yml@v1
    permissions:
      contents: read
      security-events: write

Optional SARIF Upload

If you don't provide security-events: write, security scanning still runs but SARIF upload is skipped gracefully.

Examples¶

Full Configuration¶

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write

jobs:
  ci:
    uses: go-gamma/actions/.github/workflows/ci.yml@v1
    permissions:
      contents: read
      security-events: write
    with:
      go-version: '1.24'
      race-detection: true
      upload-coverage: true
      upload-sarif: true
      fail-on-vulns: true
      only-new-issues: ${{ github.event_name == 'pull_request' }}
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

Library Only (No Build)¶

jobs:
  ci:
    uses: go-gamma/actions/.github/workflows/ci.yml@v1
    with:
      go-version: '1.24'
      skip-build: true  # No binary to build

Fast Feedback¶

jobs:
  ci:
    uses: go-gamma/actions/.github/workflows/ci.yml@v1
    with:
      go-version: '1.24'
      skip-security: true  # Faster for feature branches
      platforms: 'ubuntu-latest'  # Single platform

Job Dependencies¶

The build phase waits for all quality checks:

If test fails → build is skipped
If lint fails → build is skipped
If security fails → build is skipped

When phases are skipped, dependencies adjust automatically.