From 41ee462e1d6f09eb2d16d8d7e40c643c97878345 Mon Sep 17 00:00:00 2001 From: Joshua Temple Date: Wed, 3 Jun 2026 01:00:02 -0400 Subject: [PATCH 1/5] chore: bump Go toolchain to 1.25.11 across modules Signed-off-by: Joshua Temple --- cluster/go.mod | 2 +- durable/go.mod | 2 +- e2e/go.mod | 2 +- examples/dispatch/go.mod | 2 +- examples/fooddelivery/go.mod | 2 +- examples/sinkflow/go.mod | 2 +- go.work | 2 +- sink/bridge/go.mod | 2 +- sink/cloudwatch/go.mod | 2 +- sink/dynamo/go.mod | 2 +- sink/eventbridge/go.mod | 2 +- sink/file/go.mod | 2 +- sink/firehose/go.mod | 2 +- sink/gcppubsub/go.mod | 2 +- sink/go.mod | 2 +- sink/http/go.mod | 2 +- sink/kafka/go.mod | 2 +- sink/kinesis/go.mod | 2 +- sink/nats/go.mod | 2 +- sink/otel/go.mod | 2 +- sink/prometheus/go.mod | 2 +- sink/redis/go.mod | 2 +- sink/s3/go.mod | 2 +- sink/slog/go.mod | 2 +- sink/sns/go.mod | 2 +- sink/sql/go.mod | 2 +- sink/sqs/go.mod | 2 +- sink/statsd/go.mod | 2 +- sink/timestream/go.mod | 2 +- state/expr/go.mod | 2 +- tools/docsgen/go.mod | 2 +- transport/go.mod | 2 +- wasm/go.mod | 2 +- 33 files changed, 33 insertions(+), 33 deletions(-) diff --git a/cluster/go.mod b/cluster/go.mod index 3e58bde..28fe148 100644 --- a/cluster/go.mod +++ b/cluster/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/cluster -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/state => ../state diff --git a/durable/go.mod b/durable/go.mod index 46b39d1..e56d201 100644 --- a/durable/go.mod +++ b/durable/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/durable -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/state => ../state diff --git a/e2e/go.mod b/e2e/go.mod index 60b1612..88363bb 100644 --- a/e2e/go.mod +++ b/e2e/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/e2e -go 1.25.0 +go 1.25.11 replace ( github.com/stablekernel/crucible/cluster => ../cluster diff --git a/examples/dispatch/go.mod b/examples/dispatch/go.mod index 1b8a211..ef98147 100644 
--- a/examples/dispatch/go.mod +++ b/examples/dispatch/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/examples/dispatch -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/state => ../../state diff --git a/examples/fooddelivery/go.mod b/examples/fooddelivery/go.mod index d41e85e..23d6b5b 100644 --- a/examples/fooddelivery/go.mod +++ b/examples/fooddelivery/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/examples/fooddelivery -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/state => ../../state diff --git a/examples/sinkflow/go.mod b/examples/sinkflow/go.mod index 704712b..d41e8b0 100644 --- a/examples/sinkflow/go.mod +++ b/examples/sinkflow/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/examples/sinkflow -go 1.25.0 +go 1.25.11 require ( github.com/stablekernel/crucible/sink v0.0.0 diff --git a/go.work b/go.work index 4b1d0f2..46e5d01 100644 --- a/go.work +++ b/go.work @@ -1,4 +1,4 @@ -go 1.25.0 +go 1.25.11 // Sink modules with a non-stdlib dependency are intentionally NOT listed here: // the SDK-backed destinations (the AWS family, redis, nats, kafka, gcppubsub, diff --git a/sink/bridge/go.mod b/sink/bridge/go.mod index 229bc78..4259449 100644 --- a/sink/bridge/go.mod +++ b/sink/bridge/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/bridge -go 1.25.0 +go 1.25.11 require ( github.com/stablekernel/crucible/sink v0.0.0 diff --git a/sink/cloudwatch/go.mod b/sink/cloudwatch/go.mod index 55b619d..25c755d 100644 --- a/sink/cloudwatch/go.mod +++ b/sink/cloudwatch/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/cloudwatch -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/sink => ../ diff --git a/sink/dynamo/go.mod b/sink/dynamo/go.mod index eee5a91..0084b4b 100644 --- a/sink/dynamo/go.mod +++ b/sink/dynamo/go.mod 
@@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/dynamo -go 1.25.0 +go 1.25.11 require github.com/stablekernel/crucible/sink v0.0.0 diff --git a/sink/eventbridge/go.mod b/sink/eventbridge/go.mod index afc78f4..c24aa8f 100644 --- a/sink/eventbridge/go.mod +++ b/sink/eventbridge/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/eventbridge -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/sink => ../ diff --git a/sink/file/go.mod b/sink/file/go.mod index bd9da2d..3aa45ab 100644 --- a/sink/file/go.mod +++ b/sink/file/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/file -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/sink => ../ diff --git a/sink/firehose/go.mod b/sink/firehose/go.mod index b2acf46..a5e3593 100644 --- a/sink/firehose/go.mod +++ b/sink/firehose/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/firehose -go 1.25.0 +go 1.25.11 require ( github.com/aws/aws-sdk-go-v2 v1.41.9 diff --git a/sink/gcppubsub/go.mod b/sink/gcppubsub/go.mod index 6a248c8..00b0911 100644 --- a/sink/gcppubsub/go.mod +++ b/sink/gcppubsub/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/gcppubsub -go 1.25.0 +go 1.25.11 require github.com/stablekernel/crucible/sink v0.0.0 diff --git a/sink/go.mod b/sink/go.mod index ff811ad..d29b95a 100644 --- a/sink/go.mod +++ b/sink/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink -go 1.25.0 +go 1.25.11 require github.com/stablekernel/crucible/telemetry v0.0.0 diff --git a/sink/http/go.mod b/sink/http/go.mod index bf380e3..351539d 100644 --- a/sink/http/go.mod +++ b/sink/http/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/http -go 1.25.0 +go 1.25.11 require github.com/stablekernel/crucible/sink v0.0.0 diff --git a/sink/kafka/go.mod b/sink/kafka/go.mod index c1b2b47..7234372 100644 --- a/sink/kafka/go.mod +++ b/sink/kafka/go.mod 
@@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/kafka -go 1.25.0 +go 1.25.11 require github.com/stablekernel/crucible/sink v0.0.0 diff --git a/sink/kinesis/go.mod b/sink/kinesis/go.mod index 99602b5..4244759 100644 --- a/sink/kinesis/go.mod +++ b/sink/kinesis/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/kinesis -go 1.25.0 +go 1.25.11 require ( github.com/aws/aws-sdk-go-v2 v1.41.9 diff --git a/sink/nats/go.mod b/sink/nats/go.mod index 6978f32..738a19d 100644 --- a/sink/nats/go.mod +++ b/sink/nats/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/nats -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/sink => ../ diff --git a/sink/otel/go.mod b/sink/otel/go.mod index cf01fbf..c1824fc 100644 --- a/sink/otel/go.mod +++ b/sink/otel/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/otel -go 1.25.0 +go 1.25.11 require ( github.com/stablekernel/crucible/sink v0.0.0 diff --git a/sink/prometheus/go.mod b/sink/prometheus/go.mod index b4cd3f4..30065f0 100644 --- a/sink/prometheus/go.mod +++ b/sink/prometheus/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/prometheus -go 1.25.0 +go 1.25.11 require github.com/stablekernel/crucible/sink v0.0.0 diff --git a/sink/redis/go.mod b/sink/redis/go.mod index d0e5368..5f66a4a 100644 --- a/sink/redis/go.mod +++ b/sink/redis/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/redis -go 1.25.0 +go 1.25.11 require ( github.com/redis/go-redis/v9 v9.20.0 diff --git a/sink/s3/go.mod b/sink/s3/go.mod index 116faa1..b595609 100644 --- a/sink/s3/go.mod +++ b/sink/s3/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/s3 -go 1.25.0 +go 1.25.11 require github.com/aws/aws-sdk-go-v2/service/s3 v1.102.2 diff --git a/sink/slog/go.mod b/sink/slog/go.mod index 0d344fe..18d7f5a 100644 --- a/sink/slog/go.mod +++ b/sink/slog/go.mod 
@@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/slog -go 1.25.0 +go 1.25.11 require github.com/stablekernel/crucible/sink v0.0.0 diff --git a/sink/sns/go.mod b/sink/sns/go.mod index c834422..9016a58 100644 --- a/sink/sns/go.mod +++ b/sink/sns/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/sns -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/sink => ../ diff --git a/sink/sql/go.mod b/sink/sql/go.mod index 3b9b6e0..33cefb9 100644 --- a/sink/sql/go.mod +++ b/sink/sql/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/sql -go 1.25.0 +go 1.25.11 require ( github.com/stablekernel/crucible/sink v0.0.0 diff --git a/sink/sqs/go.mod b/sink/sqs/go.mod index 99c07d1..ff316f7 100644 --- a/sink/sqs/go.mod +++ b/sink/sqs/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/sqs -go 1.25.0 +go 1.25.11 require ( github.com/aws/aws-sdk-go-v2 v1.41.9 diff --git a/sink/statsd/go.mod b/sink/statsd/go.mod index 064dc12..a91b30f 100644 --- a/sink/statsd/go.mod +++ b/sink/statsd/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/statsd -go 1.25.0 +go 1.25.11 require ( github.com/DataDog/datadog-go/v5 v5.8.3 diff --git a/sink/timestream/go.mod b/sink/timestream/go.mod index bd129cb..cac02eb 100644 --- a/sink/timestream/go.mod +++ b/sink/timestream/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/sink/timestream -go 1.25.0 +go 1.25.11 require github.com/stablekernel/crucible/sink v0.0.0 diff --git a/state/expr/go.mod b/state/expr/go.mod index 78ff6b5..d0e21bd 100644 --- a/state/expr/go.mod +++ b/state/expr/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/state/expr -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/state => ../ diff --git a/tools/docsgen/go.mod b/tools/docsgen/go.mod index 825cf6d..4e2765b 100644 --- a/tools/docsgen/go.mod +++ b/tools/docsgen/go.mod 
@@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/tools/docsgen -go 1.25.0 +go 1.25.11 // The generator builds real example machines and renders their diagrams, and // shells out to gomarkdoc for the API reference. It depends on the local state diff --git a/transport/go.mod b/transport/go.mod index 23a8ed8..cfa8d8f 100644 --- a/transport/go.mod +++ b/transport/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/transport -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/state => ../state diff --git a/wasm/go.mod b/wasm/go.mod index c0f1660..d99f8e6 100644 --- a/wasm/go.mod +++ b/wasm/go.mod @@ -1,6 +1,6 @@ module github.com/stablekernel/crucible/wasm -go 1.25.0 +go 1.25.11 replace github.com/stablekernel/crucible/state => ../state From f4100d1bd5a047ed9f1f7d2977239ef65de1a4e7 Mon Sep 17 00:00:00 2001 From: Joshua Temple Date: Wed, 3 Jun 2026 01:00:02 -0400 Subject: [PATCH 2/5] ci: pin GitHub Actions to commit SHAs Signed-off-by: Joshua Temple --- .github/workflows/ci.yml | 32 +++++++++++++++---------------- .github/workflows/docs-deploy.yml | 10 +++++----- .github/workflows/release.yml | 6 +++--- .github/workflows/scorecard.yml | 2 +- .github/workflows/test.yml | 4 ++-- 5 files changed, 27 insertions(+), 27 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a90b04d..aac6561 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,7 +27,7 @@ jobs: code: ${{ steps.detect.outputs.code }} docs: ${{ steps.detect.outputs.docs }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - name: Detect non-docs changes 
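Review bot: The pinned `actions/checkout` step in this hunk keeps the default `persist-credentials: true`, so the job token is written into `.git/config` and stays readable by every later step of the job (the linters and tools started via `go run` included) although this job only diffs the tree. Add `persist-credentials: false` under the existing `with:` next to `fetch-depth: 0`; the same applies to the other checkout steps pinned in this series (ci.yml, docs-deploy.yml, release.yml, test.yml), none of which appears to push back to the repository, and the release job passes `GH_TOKEN` explicitly so it does not rely on the persisted credential either. The `jobs:` block continues outside the hunk.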
@@ -69,8 +69,8 @@ jobs: if: needs.changes.outputs.code == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.26.4" cache-dependency-path: "**/go.sum" @@ -148,8 +148,8 @@ jobs: if: needs.changes.outputs.code == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.26.4" cache-dependency-path: "**/go.sum" @@ -218,8 +218,8 @@ jobs: env: THRESHOLD: "80" steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.26.4" cache-dependency-path: "**/go.sum" @@ -435,11 +435,11 @@ jobs: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: # Need both base and head commits present for the worktree diff. fetch-depth: 0 - - uses: actions/setup-go@v6 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.26.4" cache-dependency-path: "**/go.sum" @@ -511,8 +511,8 @@ jobs: run: working-directory: docs steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.26.4" cache-dependency-path: "**/go.sum" 
@@ -522,7 +522,7 @@ jobs: - name: Generate API reference + diagrams working-directory: . run: go run ./tools/docsgen - - uses: actions/setup-node@v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: "22" cache: npm @@ -567,8 +567,8 @@ jobs: GOWORK: "off" THRESHOLD: "80" steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.26.4" cache-dependency-path: "**/go.sum" @@ -632,8 +632,8 @@ jobs: env: GOWORK: "off" steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.26.4" cache-dependency-path: "**/go.sum" diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index a0ca034..bcf79b8 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -31,8 +31,8 @@ jobs: run: working-directory: docs steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: "1.26.4" cache-dependency-path: "**/go.sum" @@ -42,7 +42,7 @@ jobs: - name: Generate API reference + diagrams working-directory: . run: go run ./tools/docsgen - - uses: actions/setup-node@v5 + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: "22" cache: npm @@ -52,7 +52,7 @@ jobs: - name: Build site run: npm run build - name: Upload Pages artifact - uses: actions/upload-pages-artifact@v5 + uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 with: path: docs/dist 
@@ -65,4 +65,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9214bba..320c312 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -65,8 +65,8 @@ jobs: MODULE: ${{ needs.resolve.outputs.module }} THRESHOLD: "80" steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ matrix.go }} cache-dependency-path: "**/go.sum" @@ -100,7 +100,7 @@ jobs: TAG: ${{ github.ref_name }} GH_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - name: Publish GitHub release diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 1b724b6..b626844 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -54,6 +54,6 @@ jobs: # Upload the results to GitHub's code-scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@d77b13a0df3134d64a457ea9003f600b09fa1c8a # v3.36.1 with: sarif_file: results.sarif diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8460d77..445dfad 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -26,8 +26,8 @@ jobs: env: MODULES: ${{ inputs.modules }} steps: - - uses: actions/checkout@v6 - - uses: actions/setup-go@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version: ${{ matrix.go }} cache-dependency-path: "**/go.sum" 
From d8217f50082dacb52c5158bf6aee7e249414a364 Mon Sep 17 00:00:00 2001 From: Joshua Temple Date: Wed, 3 Jun 2026 01:00:02 -0400 Subject: [PATCH 3/5] ci: add CodeQL static analysis Signed-off-by: Joshua Temple --- .github/workflows/codeql.yml | 77 ++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..e9ccffc --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,77 @@ +name: CodeQL + +# Static analysis (SAST) over the Go sources. Runs on every PR and on pushes to +# the default branch, plus a weekly scheduled scan so newly published query +# packs catch existing code. Results land in the code-scanning dashboard. +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + schedule: + - cron: '24 6 * * 1' + +# Read-only by default; the analyze job opts into security-events:write. +permissions: + contents: read + +concurrency: + group: codeql-${{ github.ref }} + cancel-in-progress: true + +jobs: + analyze: + name: Analyze (Go) + runs-on: ubuntu-latest + permissions: + # Required to upload CodeQL results to the code-scanning dashboard. + security-events: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + # cache: false is deliberate. CodeQL's Go extractor only sees code that is + # actually compiled while it traces the build; a warm build cache (shared + # with the other CI jobs) would make `go build` a no-op and yield "no source + # code seen during build". Starting cold guarantees real compilation. + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version: "1.26.4" + cache: false + + # Go does not support build-mode: none, so extraction is traced through a + # real build. There is no root module to build and the SDK-backed sink + # destinations live outside the workspace, so the manual build walks the + # in-workspace modules (the same set ci.yml lints and tests) and compiles + # each under the CodeQL tracer. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@d77b13a0df3134d64a457ea9003f600b09fa1c8a # v3.36.1 + with: + languages: go + build-mode: manual + + - name: Build (CodeQL tracing) + shell: bash + env: + MODULES: "state state/expr durable cluster transport wasm e2e examples/fooddelivery examples/dispatch telemetry telemetry/slog telemetry/otel telemetry/datadog sink sink/bridge sink/file sink/http sink/prometheus sink/slog" + run: | + # Force a cold build cache so every package is recompiled under the + # CodeQL tracer (otherwise nothing is extracted; see cache: false above). + go clean -cache + # Build from inside each module dir (cd, not `go build -C`): the + # extractor traces the in-process compiles, and `-C` re-execs the go + # command in a way the tracer does not follow, which yields an empty + # database ("no source code seen during build"). + for module in $MODULES; do + echo "::group::build ($module)" + ( cd "$module" && go build ./... ) + echo "::endgroup::" + done + + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@d77b13a0df3134d64a457ea9003f600b09fa1c8a # v3.36.1 + with: + category: "/language:go" From e01f312a414fc9384b98986af13ce5dc5750ba09 Mon Sep 17 00:00:00 2001 From: Joshua Temple Date: Wed, 3 Jun 2026 01:00:02 -0400 Subject: [PATCH 4/5] ci: extend Dependabot to all Go modules Signed-off-by: Joshua Temple --- .github/dependabot.yml | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 4082b85..1a337ac 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
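Review bot: The `MODULES` list compiled under the tracer omits the SDK-backed sink destinations (the `sink/cloudwatch` … `examples/sinkflow` set that ci.yml's sink-destinations matrix builds with `GOWORK=off`), so those packages are never extracted and CodeQL reports nothing for the modules that actually talk to external services. A second loop over that list with `GOWORK=off go build ./...` from inside each module directory would extract them; if leaving them out is deliberate, state it in the comment above the build step, e.g. `# SDK-backed destinations are not scanned here; see sink-destinations in ci.yml`. `go build ./...` also does not compile `_test.go` files, so test code is not part of the database, which is worth a line in the same comment. Per the codeql-action documentation the `analyze` job additionally needs `actions: read` in its permissions block when the repository is private.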
@@ -1,22 +1,26 @@ version: 2 updates: - # Library module: the state kernel. + # Go modules across the whole suite. The "/**" glob covers every module that + # carries a go.mod (the state kernel, telemetry adapters, transport, wasm, the + # sink core, every SDK-backed sink destination, the examples, and the build + # tooling). The SDK destinations are where transitive advisories (x/crypto, + # x/net, x/sys, and the cloud SDKs themselves) surface, so they must be watched + # too. Updates are grouped per module so each module's bumps land in a single + # PR rather than one PR per dependency. - package-ecosystem: gomod - directory: /state + directories: + - "/**" schedule: interval: weekly + groups: + go-modules: + patterns: + - "*" commit-message: prefix: "chore" - # Build-automation module. - - package-ecosystem: gomod - directory: /magefiles - schedule: - interval: weekly - commit-message: - prefix: "chore" - - # GitHub Actions workflows. + # GitHub Actions workflows. Keeps the SHA-pinned action references current + # (Dependabot updates both the pin and its version comment). - package-ecosystem: github-actions directory: / schedule: From 0247ddcdd890ebe6d88df0787d16ee0f75d067ec Mon Sep 17 00:00:00 2001 From: Joshua Temple Date: Wed, 3 Jun 2026 01:24:48 -0400 Subject: [PATCH 5/5] ci: group test checks into state-machine and sink trees Signed-off-by: Joshua Temple --- .github/workflows/ci.yml | 131 ++++---------------------------- .github/workflows/sink.yml | 152 +++++++++++++++++++++++++++++++++++++ .github/workflows/test.yml | 9 ++- 3 files changed, 173 insertions(+), 119 deletions(-) create mode 100644 .github/workflows/sink.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aac6561..0c13750 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
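Review bot: The single `go-modules` group with pattern `"*"` puts major-version bumps of the cloud SDKs into the same weekly PR as patch-level advisory fixes, so a breaking major can hold up a security patch for the whole module. Splitting by `update-types` — a `go-modules-major` group with `update-types: ["major"]` and the existing group limited to `["minor", "patch"]` — keeps the advisory-driven patches mergeable on their own. The `directories: ["/**"]` form relies on the newer multi-directory Dependabot syntax; it looks right, but confirm in the Dependabot logs after the first run that every go.mod listed in the first commit's diffstat was matched, since an unmatched glob would leave those modules silently unwatched.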
@@ -132,16 +132,26 @@ jobs: working-directory: sink/slog run: go run "$GOLANGCI_LINT" run --config "$GITHUB_WORKSPACE/.golangci.yml" ./... - # The race-test matrix lives in a reusable workflow so its legs render as a - # single collapsible tree in the checks UI ("tests / test (1.25.11, …)") rather - # than as flat top-level checks. Keep the module list in sync with the lint, - # vuln, and coverage jobs below. + # The state-machine race-test matrix lives in a reusable workflow so its legs + # render as a single collapsible "state machine tests / …" tree in the checks + # UI rather than as flat top-level checks. The sink-domain legs live in their + # own "sink" tree (see the `sink` job below). Keep this module list in sync + # with the lint, vuln, and coverage jobs below. tests: + name: state machine tests needs: changes if: needs.changes.outputs.code == 'true' uses: ./.github/workflows/test.yml with: - modules: "state state/expr durable cluster transport wasm e2e examples/fooddelivery examples/dispatch telemetry telemetry/slog telemetry/otel telemetry/datadog sink sink/bridge sink/file sink/http sink/prometheus sink/slog" + modules: "state state/expr durable cluster transport wasm e2e examples/fooddelivery examples/dispatch telemetry telemetry/slog telemetry/otel telemetry/datadog" + + # Every sink-domain check (in-workspace race tests, the SDK-backed destination + # matrix, and the integration leg) groups under a single collapsible "sink / …" + # tree via this reusable workflow. + sink: + needs: changes + if: needs.changes.outputs.code == 'true' + uses: ./.github/workflows/sink.yml vuln: needs: changes 
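Review bot: The comment above `tests:` still says to keep the module list in sync with the lint, vuln and coverage jobs, but the same list is now also hard-coded as `MODULES` in codeql.yml (where it additionally carries the in-workspace sink modules this job just dropped), and a module added here but not there silently falls out of the SAST scan. Name that copy in the comment, e.g. `# … with the lint, vuln, and coverage jobs below, and with MODULES in codeql.yml.` The new `sink:` job has no `name:`, so the checks tree is labelled by the job id; that matches the comment, but `name: sink tests` would mirror the sibling `tests` job's style. The `jobs:` block continues outside the hunk.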
@@ -532,115 +542,6 @@ jobs: - name: Build site run: npm run build - # The SDK-backed sink destinations are standalone modules kept out of the - # workspace (see go.work / the magefile), so they build with GOWORK=off via - # their own replace directives. Each is one matrix leg across the OS matrix for - # race tests; lint, vuln, and the coverage gate run on Linux. This keeps the - # vendor SDKs out of the core modules' dependency graphs. - sink-destinations: - needs: changes - if: needs.changes.outputs.code == 'true' - strategy: - fail-fast: false - matrix: - os: [ubuntu-latest, macos-latest, windows-latest] - module: - - sink/cloudwatch - - sink/dynamo - - sink/eventbridge - - sink/firehose - - sink/gcppubsub - - sink/kafka - - sink/kinesis - - sink/nats - - sink/otel - - sink/redis - - sink/s3 - - sink/sns - - sink/sql - - sink/sqs - - sink/statsd - - sink/timestream - - examples/sinkflow - runs-on: ${{ matrix.os }} - env: - GOWORK: "off" - THRESHOLD: "80" - steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version: "1.26.4" - cache-dependency-path: "**/go.sum" - - name: test -race - shell: bash - run: go test -C "${{ matrix.module }}" -race ./... - - name: golangci-lint - if: matrix.os == 'ubuntu-latest' - shell: bash - run: go -C "${{ matrix.module }}" run "$GOLANGCI_LINT" run --config "$GITHUB_WORKSPACE/.golangci.yml" ./... - - name: govulncheck - if: matrix.os == 'ubuntu-latest' - shell: bash - run: go -C "${{ matrix.module }}" run "$GOVULNCHECK" ./... - - name: coverage gate - if: matrix.os == 'ubuntu-latest' - shell: bash - run: | - go test -C "${{ matrix.module }}" -covermode=atomic -coverprofile=coverage.out ./... 
- pct=$(go -C "${{ matrix.module }}" tool cover -func=coverage.out | awk '/^total:/ {sub(/%/,"",$3); print $3}') - echo "total coverage: ${pct}% (threshold ${THRESHOLD}%)" - awk -v p="$pct" -v t="$THRESHOLD" 'BEGIN { exit (p+0 < t+0) ? 1 : 0 }' \ - || { echo "::error::coverage ${pct}% is below the ${THRESHOLD}% threshold"; exit 1; } - - # Integration / E2E leg, behind the `integration` build tag, run with - # GOWORK=off. The hermetic destinations (sql, http, file, slog, prometheus, - # statsd, otel) and the flagship sinkflow example run end-to-end; the - # container-backed destinations drive a real emulator via testcontainers - # (Docker is available on GitHub-hosted ubuntu runners) and skip cleanly if a - # daemon is ever absent. Kept off the default test matrix so the hermetic - # checks stay fast. - integration: - needs: changes - if: needs.changes.outputs.code == 'true' - strategy: - fail-fast: false - matrix: - module: - - sink/file - - sink/http - - sink/prometheus - - sink/slog - - sink/sql - - sink/statsd - - sink/otel - - sink/cloudwatch - - sink/dynamo - - sink/eventbridge - - sink/firehose - - sink/gcppubsub - - sink/kafka - - sink/kinesis - - sink/nats - - sink/redis - - sink/s3 - - sink/sns - - sink/sqs - - sink/timestream - - examples/sinkflow - runs-on: ubuntu-latest - env: - GOWORK: "off" - steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 - with: - go-version: "1.26.4" - cache-dependency-path: "**/go.sum" - - name: integration tests - shell: bash - run: go test -C "${{ matrix.module }}" -tags integration ./... - # Single required status check. Branch protection requires only `gate`, which # aggregates the required jobs: it fails if any of them failed or was # cancelled, and treats a skipped job (docs-only PRs, or PRs that touch no 
@@ -649,7 +550,7 @@ jobs: # never blocks a merge. gate: if: always() - needs: [changes, lint, tests, vuln, coverage, docs, sink-destinations, integration] + needs: [changes, lint, tests, sink, vuln, coverage, docs] runs-on: ubuntu-latest steps: - name: Fail if a required job did not pass diff --git a/.github/workflows/sink.yml b/.github/workflows/sink.yml new file mode 100644 index 0000000..f421405 --- /dev/null +++ b/.github/workflows/sink.yml 
@@ -0,0 +1,152 @@ +name: sink + +# Reusable sink test suite. Groups every sink-domain check under a single +# collapsible "sink / …" tree in the checks UI rather than sprawling across the +# top-level check list: +# - unit: race tests for the in-workspace sink modules (Go × OS). +# - sink-destinations: the SDK-backed destinations, built GOWORK=off via their +# own replace directives, with lint/vuln/coverage on Linux. +# - integration: the `integration`-tagged end-to-end leg (GOWORK=off). +# Called by ci.yml so the caller job name ("sink") becomes the tree prefix. +on: + workflow_call: + +env: + GOLANGCI_LINT: github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2 + GOVULNCHECK: golang.org/x/vuln/cmd/govulncheck@v1.3.0 + +permissions: + contents: read + +jobs: + # Race tests for the in-workspace sink modules (sink core + the hermetic, + # SDK-free adapters), across the Go × OS matrix. These live in the workspace, + # so they build without GOWORK=off — same as the state-machine unit matrix. + unit: + strategy: + fail-fast: false + matrix: + go: ["1.25.11", "1.26.4"] + os: [ubuntu-latest, macos-latest, windows-latest] + runs-on: ${{ matrix.os }} + env: + MODULES: "sink sink/bridge sink/file sink/http sink/prometheus sink/slog" + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version: ${{ matrix.go }} + cache-dependency-path: "**/go.sum" + - name: test -race + shell: bash + run: | + for module in $MODULES; do + echo "::group::test -race ($module)" + go test -C "$module" -race ./... + echo "::endgroup::" + done + + # The SDK-backed sink destinations are standalone modules kept out of the + # workspace (see go.work / the magefile), so they build with GOWORK=off via + # their own replace directives. Each is one matrix leg across the OS matrix for + # race tests; lint, vuln, and the coverage gate run on Linux. 
This keeps the + # vendor SDKs out of the core modules' dependency graphs. + sink-destinations: + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + module: + - sink/cloudwatch + - sink/dynamo + - sink/eventbridge + - sink/firehose + - sink/gcppubsub + - sink/kafka + - sink/kinesis + - sink/nats + - sink/otel + - sink/redis + - sink/s3 + - sink/sns + - sink/sql + - sink/sqs + - sink/statsd + - sink/timestream + - examples/sinkflow + runs-on: ${{ matrix.os }} + env: + GOWORK: "off" + THRESHOLD: "80" + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version: "1.26.4" + cache-dependency-path: "**/go.sum" + - name: test -race + shell: bash + run: go test -C "${{ matrix.module }}" -race ./... + - name: golangci-lint + if: matrix.os == 'ubuntu-latest' + shell: bash + run: go -C "${{ matrix.module }}" run "$GOLANGCI_LINT" run --config "$GITHUB_WORKSPACE/.golangci.yml" ./... + - name: govulncheck + if: matrix.os == 'ubuntu-latest' + shell: bash + run: go -C "${{ matrix.module }}" run "$GOVULNCHECK" ./... + - name: coverage gate + if: matrix.os == 'ubuntu-latest' + shell: bash + run: | + go test -C "${{ matrix.module }}" -covermode=atomic -coverprofile=coverage.out ./... + pct=$(go -C "${{ matrix.module }}" tool cover -func=coverage.out | awk '/^total:/ {sub(/%/,"",$3); print $3}') + echo "total coverage: ${pct}% (threshold ${THRESHOLD}%)" + awk -v p="$pct" -v t="$THRESHOLD" 'BEGIN { exit (p+0 < t+0) ? 1 : 0 }' \ + || { echo "::error::coverage ${pct}% is below the ${THRESHOLD}% threshold"; exit 1; } + + # Integration / E2E leg, behind the `integration` build tag, run with + # GOWORK=off. 
The hermetic destinations (sql, http, file, slog, prometheus, + # statsd, otel) and the flagship sinkflow example run end-to-end; the + # container-backed destinations drive a real emulator via testcontainers + # (Docker is available on GitHub-hosted ubuntu runners) and skip cleanly if a + # daemon is ever absent. Kept off the default test matrix so the hermetic + # checks stay fast. + integration: + strategy: + fail-fast: false + matrix: + module: + - sink/file + - sink/http + - sink/prometheus + - sink/slog + - sink/sql + - sink/statsd + - sink/otel + - sink/cloudwatch + - sink/dynamo + - sink/eventbridge + - sink/firehose + - sink/gcppubsub + - sink/kafka + - sink/kinesis + - sink/nats + - sink/redis + - sink/s3 + - sink/sns + - sink/sqs + - sink/timestream + - examples/sinkflow + runs-on: ubuntu-latest + env: + GOWORK: "off" + steps: + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 + with: + go-version: "1.26.4" + cache-dependency-path: "**/go.sum" + - name: integration tests + shell: bash + run: go test -C "${{ matrix.module }}" -tags integration ./... diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 445dfad..4fadbed 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
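Review bot: The `GOLANGCI_LINT` and `GOVULNCHECK` pins at the top of sink.yml are a second copy of values that ci.yml evidently still defines for its remaining lint and vuln jobs (the jobs deleted from ci.yml referenced the same `$GOLANGCI_LINT`/`$GOVULNCHECK`), and a `workflow_call` workflow does not inherit the caller's `env`, so the two copies will drift the first time one of them is bumped. Either expose them as `workflow_call` inputs with these values as defaults and pass them from ci.yml, or mark each pin, e.g. `# keep in sync with the identical pin in ci.yml`. The three checkout steps in this file also leave `persist-credentials` at its default although no step here pushes; `persist-credentials: false` on each keeps the job token out of the workspace while third-party SDK test code runs.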
@@ -1,9 +1,10 @@ name: tests -# Reusable race-test matrix. Runs `go test -race ./...` for every module in the -# suite across the Go × OS matrix. Called by ci.yml so the matrix legs render as -# a single collapsible tree in the checks UI (e.g. "tests / test (1.25.11, -# ubuntu-latest)") instead of cluttering the top-level checks list. +# Reusable race-test matrix for the state-machine modules. Runs `go test -race +# ./...` for each module across the Go × OS matrix. Called by ci.yml so the legs +# render as a single collapsible tree in the checks UI (e.g. "state machine tests +# / test (1.25.11, ubuntu-latest)") instead of cluttering the top-level checks +# list. The sink-domain modules have their own reusable workflow (sink.yml). on: workflow_call: inputs: