Skip to content

CI hardening: permissions block, codecov thresholds, cache no-op, dead trigger, SHA pinning, dependabot, Go-floor matrix #85

Description

@MasterOfBinary

Checklist from a CI/tooling audit of .github/workflows/go.yml (validated @ 58cee73):

  • Add permissions: contents: read — the job pipes a remote install script to sh and holds CODECOV_TOKEN, with the default (potentially write) token scope.
  • Codecov patch thresholdcodecov.yml (added in docs: fix godoc rendering and restore full AGENTS.md mirror #80) sets only a project threshold; the patch status has none, and coverage of ctx-cancellation arms is scheduler-dependent, so patch checks go red on correct PRs (bit PR fix(batch): panic recovery, deadlock-safe error sends, bounded prealloc, Done() race #65). Add a small patch threshold or carry-forward, and consider fail_ci_if_error for the upload step (currently silent).
  • setup-go cache is a guaranteed-warn no-op — zero deps, no go.sum: set cache: false and drop the no-op go mod download step.
  • Remove the dead travis-test push trigger (branch doesn't exist).
  • Run gofmt/lint/codecov once, not per matrix leg — currently duplicated on 1.25.x and 1.26.x (wasted minutes, double upload).
  • SHA-pin third-party actions — especially codecov/codecov-action (token-holding, prior supply-chain history).
  • Add dependabot.yml for the github-actions ecosystem (ci: update workflow for latest Go versions #61 was exactly this toil, done by hand).
  • Decide the Go floor — go.mod says go 1.18 and README/CLAUDE.md promise "Go 1.18 or later", but CI tests only 1.25.x/1.26.x, so the floor is an untested claim (a stdlib API from 1.19+ would pass CI and break documented users). Either add an oldest-supported leg or bump the directive and all docs together.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions