From e2b6a29d551ba53296fb39647881e5d168a18ee7 Mon Sep 17 00:00:00 2001 From: htjulia Date: Sun, 5 Jul 2026 22:04:23 +0900 Subject: [PATCH 1/3] ci: add github actions ci pipeline MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - gate every PR and push to main through the Makefile's verification discipline: gofmt → vet → race tests (with coverage) → official Lua 5.4 conformance fixtures, so the repo's pre-push gate now runs remotely - add CI-only hardening the Makefile doesn't cover: govulncheck plus a cross-platform build matrix (ubuntu/macos/windows) proving the README's portability claim; bench runs observationally (non-gating) - trigger only on source-affecting paths so doc-only changes skip CI Tags: #ci #github-actions Co-Authored-By: htjulia --- .github/workflows/ci.yml | 130 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..bedc108 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,130 @@ +# GitHub Actions CI — mirrors the Makefile's verification discipline +# (vet → test/race → conformance → build, plus bench) on pull requests and +# pushes to main, and only when source files change (doc-only changes are +# skipped). The Makefile is the single source of truth: jobs call `make ` +# where a target exists; the extra hardening steps (gofmt gate, govulncheck, +# cross-platform build, coverage) are CI-only and call `go` directly. +# +# luapure is a zero-dependency pure-Go port, so there is no go.sum: `make test` +# is already race-enabled and `make conformance` runs the official Lua 5.4 +# fixtures as a hard gate. + +name: CI + +on: + push: + branches: [main] + paths: + - "**/*.go" + - "go.mod" + - "Makefile" + - "conformance/**" + - "_lua5.4-tests/**" + - "_glue5.4-tests/**" + - ".github/workflows/ci.yml" + pull_request: + paths: + - "**/*.go" + - "go.mod" + - "Makefile" + - "conformance/**" + - "_lua5.4-tests/**" + - "_glue5.4-tests/**" + - ".github/workflows/ci.yml" + +concurrency: + group: ci-${{ github.ref }} + cancel-in-progress: true + +jobs: + # Fast fail on formatting before spending time on the heavier jobs. + format: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v7 + - uses: actions/setup-go@v6 + with: + go-version-file: go.mod + - name: gofmt + run: | + unformatted=$(gofmt -l .) + if [ -n "$unformatted" ]; then + echo "These files are not gofmt-clean:"; echo "$unformatted" + exit 1 + fi + + # The canonical pre-push gate: vet → race-enabled tests (with coverage) → + # official Lua 5.4 conformance fixtures. Equivalent to `make check` minus the + # build step (which the cross-platform build job below proves separately). + verify: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v7 + - uses: actions/setup-go@v6 + with: + go-version-file: go.mod # tracks the toolchain pinned in go.mod + cache: true # build cache, keyed on go.mod (no go.sum: zero deps) + - run: make vet + # `make test` is `go test -race -count=1 ./...`; add a coverage profile. + # covermode=atomic is required under -race. + - name: test (race, with coverage) + run: go test -race -covermode=atomic -coverprofile=coverage.out -count=1 ./... + - name: conformance (official Lua 5.4 fixtures) + run: make conformance + - name: upload coverage + uses: actions/upload-artifact@v7 + with: + name: coverage + path: coverage.out + if-no-files-found: warn + + # Scan dependencies and code for known vulnerabilities. + govulncheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v7 + - uses: actions/setup-go@v6 + with: + go-version-file: go.mod + cache: true + - name: govulncheck + env: + # govulncheck@latest requires a newer Go than go.mod pins; allow the + # toolchain to auto-upgrade for the tool install. setup-go v6 defaults + # GOTOOLCHAIN to "local", which otherwise blocks this. + GOTOOLCHAIN: auto + run: | + go install golang.org/x/vuln/cmd/govulncheck@latest + govulncheck ./... + + # build runs only after verify passes, mirroring the Makefile's + # "build only after tests pass", and proves the engine + all `go` targets are + # cross-platform. `make` isn't assumed on Windows, so call `go` directly. + build: + needs: verify + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@v7 + - uses: actions/setup-go@v6 + with: + go-version-file: go.mod + cache: true + - run: go vet ./... + - run: go build ./... + + # bench is observational, not a gate — a slow/noisy run must not fail CI. + bench: + needs: verify + runs-on: ubuntu-latest + continue-on-error: true + steps: + - uses: actions/checkout@v7 + - uses: actions/setup-go@v6 + with: + go-version-file: go.mod + cache: true + - run: make bench From a7c2d715bd5ce52ff556aeeccad9dac4ab4e075e Mon Sep 17 00:00:00 2001 From: htjulia Date: Sun, 5 Jul 2026 22:13:23 +0900 Subject: [PATCH 2/3] style: gofmt-align version constants in luaconf.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - the new CI gofmt gate flagged misaligned trailing comments on the LuaRelease/Version consts; no semantic change chore: raise minimum Go to 1.25.11 - CI govulncheck flagged 4 stdlib advisories present in the go1.24.x standard library — GO-2026-5037 (crypto/x509), GO-2026-4971 (net), GO-2026-4602 (os), GO-2026-4601 (net/url) - all are fixed in the go1.25.x stdlib; bump the go directive so builds pull the patched standard library and the govulncheck gate passes - raises this library's minimum Go requirement to 1.25.11 Tags: #ci #security #gofmt Co-Authored-By: htjulia --- go.mod | 2 +- lua/luaconf.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1ab0010..9f6d4c5 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,3 @@ module github.com/htcom-code/lua-pure -go 1.24 +go 1.25.11 diff --git a/lua/luaconf.go b/lua/luaconf.go index df08987..e9ef983 100644 --- a/lua/luaconf.go +++ b/lua/luaconf.go @@ -32,8 +32,8 @@ package luapure // here and to Lua via the _LUAPURE_VERSION global. const ( LuaVersion = "Lua 5.4" // == _VERSION; PUC LUA_VERSION (DO NOT CHANGE) - LuaRelease = "5.4.8" // PUC patch level this engine tracks - Version = "0.1.0" // luapure implementation version + LuaRelease = "5.4.8" // PUC patch level this engine tracks + Version = "0.1.0" // luapure implementation version ) // VersionString returns the full implementation banner, e.g. From dcdd20e5325785523a0da5fd92d90b3ffa624107 Mon Sep 17 00:00:00 2001 From: htjulia Date: Sun, 5 Jul 2026 22:21:05 +0900 Subject: [PATCH 3/3] chore(release): prepare v0.1.2 - bump the engine Version constant to 0.1.2 (exposed to Lua as _LUAPURE_VERSION and by the debug MCP adapters); it had been left at 0.1.0 through the 0.1.1 release, so the banner now reports the real release version - add the [0.1.2] CHANGELOG entry covering the new CI pipeline and the Go 1.25.11 security bump docs: state the Go 1.25.11 minimum in the README - update the Go badge and the requirements line to 1.25.11 so the public library advertises the correct minimum after the stdlib security bump Tags: #release #docs #changelog Co-Authored-By: htjulia --- CHANGELOG.md | 22 ++++++++++++++++++++++ README.md | 5 +++-- cmd/luadbg-mcp/main.go | 2 +- debugmcp/server.go | 2 +- lua/luaconf.go | 4 ++-- 5 files changed, 29 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d76834e..a2ab1f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,28 @@ separately from the luapure release version. - Performance: keep narrowing the speed/allocation gap to the reference (see [`ROADMAP.md`](ROADMAP.md) for the current levers). +## [0.1.2] — 2026-07-05 + +Tooling and security. No API or observable-behaviour change; conformance +stays at 30/33. + +### Added +- **Continuous integration.** A GitHub Actions workflow + ([`.github/workflows/ci.yml`](.github/workflows/ci.yml)) now gates every pull + request and push to `main`: gofmt → `go vet` → race-enabled tests with + coverage → the official Lua 5.4 conformance fixtures. CI-only hardening adds + `govulncheck`, a cross-platform build matrix (Linux/macOS/Windows), and an + observational (non-gating) benchmark run. + +### Changed +- **Minimum Go raised to 1.25.11.** `govulncheck` flagged four advisories in + the go1.24.x standard library — GO-2026-5037 (`crypto/x509`), GO-2026-4971 + (`net`), GO-2026-4602 (`os`), and GO-2026-4601 (`net/url`) — all fixed in + go1.25.x. Bumping the `go` directive pulls the patched standard library. +- **Version constant synced.** `Version` (exposed to Lua as `_LUAPURE_VERSION`, + and reported by the debug MCP adapters) now tracks the release version; it had + been left at `0.1.0` through the 0.1.1 release. + ## [0.1.1] — 2026-06-29 Performance and documentation. No API or observable-behaviour change; diff --git a/README.md b/README.md index 75900a4..8cffc8f 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # LuaPure — a pure Go Lua VM [![Go Reference](https://pkg.go.dev/badge/github.com/htcom-code/lua-pure/lua.svg)](https://pkg.go.dev/github.com/htcom-code/lua-pure/lua) -[![Go 1.24+](https://img.shields.io/badge/Go-1.24%2B-00ADD8.svg)](go.mod) +[![Go 1.25.11+](https://img.shields.io/badge/Go-1.25.11%2B-00ADD8.svg)](go.mod) [![Lua 5.4.8](https://img.shields.io/badge/Lua-5.4.8-000080.svg)](https://www.lua.org/) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE) [![Status: alpha](https://img.shields.io/badge/status-alpha-orange.svg)](#project-status) @@ -61,7 +61,8 @@ or tag if you depend on it. [`ROADMAP.md`](ROADMAP.md) tracks what comes next go get github.com/htcom-code/lua-pure/lua ``` -Requires Go 1.24 (uses the `weak` package for weak tables). +Requires Go 1.25.11 (the `weak` package for weak tables needs 1.24; the +1.25.11 floor also clears known standard-library security advisories). ## Quickstart diff --git a/cmd/luadbg-mcp/main.go b/cmd/luadbg-mcp/main.go index f6c5410..c36e1d3 100644 --- a/cmd/luadbg-mcp/main.go +++ b/cmd/luadbg-mcp/main.go @@ -59,7 +59,7 @@ func main() { NewState: newState, Source: resolver, Name: "luapure-debug", - Version: "0.1.0", + Version: "0.1.2", } t := debugmcp.NewStdioTransport(os.Stdin, os.Stdout, nil) diff --git a/debugmcp/server.go b/debugmcp/server.go index 7216e2e..9983538 100644 --- a/debugmcp/server.go +++ b/debugmcp/server.go @@ -148,7 +148,7 @@ func (s *Server) initialize(params json.RawMessage) any { name = "luapure-debug" } if version == "" { - version = "0.1.0" + version = "0.1.2" } return map[string]any{ "protocolVersion": ver, diff --git a/lua/luaconf.go b/lua/luaconf.go index e9ef983..ac1cce8 100644 --- a/lua/luaconf.go +++ b/lua/luaconf.go @@ -33,11 +33,11 @@ package luapure const ( LuaVersion = "Lua 5.4" // == _VERSION; PUC LUA_VERSION (DO NOT CHANGE) LuaRelease = "5.4.8" // PUC patch level this engine tracks - Version = "0.1.0" // luapure implementation version + Version = "0.1.2" // luapure implementation version ) // VersionString returns the full implementation banner, e.g. -// "luapure 0.1.0 (Lua 5.4.8)". It is the value exposed to Lua as the global +// "luapure 0.1.2 (Lua 5.4.8)". It is the value exposed to Lua as the global // _LUAPURE_VERSION. func VersionString() string { return "luapure " + Version + " (Lua " + LuaRelease + ")"