Sandbox third-party Go tool steps with geomys/sandboxed-step#517
Draft
arnested wants to merge 9 commits into
Conversation
Codecov Report ❌ Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@
##            main     #517      +/-   ##
==========================================
+ Coverage   36.26%   36.45%   +0.19%
==========================================
  Files           7        8       +1
  Lines         284      288       +4
==========================================
+ Hits          103      105       +2
- Misses        176      179       +3
+ Partials        5        4       -1
Wrap steps that fetch or execute untrusted Go code (go mod tidy, go generate, go install for chglog/nilaway/wwhrd, and their invocations) in geomys/sandboxed-step@v1.2.0 to isolate them from the runner. Affected checkouts now set persist-credentials: false, as required by the action. Assisted-by: Claude <noreply@anthropic.com>
Add a daily matrix workflow that runs the test suite against both the locked and latest dependency versions inside geomys/sandboxed-step, as an early-warning system for upstream breakage. Bump the govulncheck schedule from weekly to daily and reduce push.yml top-level permissions to contents: read since nothing in that workflow modifies the repo. See https://words.filippo.io/dependabot/ for context. Assisted-by: Claude <noreply@anthropic.com>
Force-pushed 7df6b26 to a91fa81.
Replace the journal.Print call inside Logf with a package-level Output function variable that defaults to journald. Tests install a capturing mock via t.Cleanup, which lets them run inside the geomys/sandboxed-step sandbox (no journald socket) and actually assert priority + formatted message instead of just tolerating a panic. Assisted-by: Claude <noreply@anthropic.com>
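The Logf/Output swap described in this commit, as an added Go example that is not the repository's own code: the journald sink is stood in for by stderr, and the Priority values, Entry type and CaptureOutput helper are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"os"
	"testing"
)

// Priority mirrors journald/syslog severity levels. Assumed values; the
// PR's own journal package is not reproduced here.
type Priority int
const (
	PriErr  Priority = 3
	PriInfo Priority = 6
)

// Entry is one captured log record: the priority and the formatted message.
type Entry struct {
	Pri Priority
	Msg string
}

// Output is the package-level sink Logf writes to. The default stands in for
// journald (stderr here, since no journald socket is assumed); tests replace
// it with a capturing mock so they can run inside a sandbox.
var Output = func(p Priority, msg string) error {
	_, err := fmt.Fprintf(os.Stderr, "<%d>%s\n", p, msg)
	return err
}

// Logf formats the message like fmt.Sprintf and hands it to Output.
func Logf(p Priority, format string, args ...any) {
	_ = Output(p, fmt.Sprintf(format, args...))
}

// CaptureOutput installs a mock Output that records every entry and restores
// the previous sink via t.Cleanup, so the swap cannot leak into other tests.
func CaptureOutput(t *testing.T) *[]Entry {
	t.Helper()
	entries := &[]Entry{}
	prev := Output
	Output = func(p Priority, msg string) error {
		*entries = append(*entries, Entry{Pri: p, Msg: msg})
		return nil
	}
	t.Cleanup(func() { Output = prev })
	return entries
}

func main() { Logf(PriInfo, "started %s", "demo") }
```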
Drop the license_check job from push.yml and delete .wwhrd.yml. Go module license auditing is no longer being enforced in CI. Assisted-by: Claude <noreply@anthropic.com>
Force-pushed 4f0f4d5 to 757227b.
Add nilaway and chglog under go.mod's tool directive and switch the workflow steps from `go install ...@latest`/`@main` to `go tool ...`. This pins the tool versions in go.mod (resolvable from the read-only module cache inside the sandbox) and removes the per-step install dance. Assisted-by: Claude <noreply@anthropic.com>
Switch from uploading coverage to codecov.io to enforcing a coverage threshold locally in CI. Start with a 35% total floor (current coverage is 37%) and exclude the test-helper logtest package. No external service or token required. Assisted-by: Claude <noreply@anthropic.com>
Wrap the `go mod edit && go fix && git diff` sequence in both the stable and unstable jobs in geomys/sandboxed-step. The unstable job in particular runs a freshly-released Go toolchain against this repo's source on every scheduled run, so isolating that toolchain's execution is worth the small bit of complexity. Assisted-by: Claude <noreply@anthropic.com>
Move the `go test` + coverage threshold check entirely into the matrix workflow so we run tests once per push instead of duplicating them. The matrix workflow now writes coverage.txt and runs vladopajic on the (go.mod, locked) cell; the push-triggered workflow loses its test and coverage steps. While here:

- Rename push.yml -> build.yml and go-tests.yml -> test.yml so the filenames match the convention used by the other workflow files.
- Rename workflow names "Build and check" -> "Build" and "Go tests" -> "Test", and the central build job -> "Snapshot" since it produces the snapshot release artifact.
- Update release.yml's workflow_run reference accordingly.

Assisted-by: Claude <noreply@anthropic.com>
Add github.com/vladopajic/go-test-coverage/v2 under go.mod's tool directive and replace the vladopajic/go-test-coverage@v2 action with a sandboxed `go tool go-test-coverage` invocation. The threshold check now uses the same pinned version locally and in CI, and runs inside the geomys/sandboxed-step sandbox alongside the rest of the Go tool invocations. Assisted-by: Claude <noreply@anthropic.com>