Merge pull request #11 from ogulcanaydogan/docs/openssf-badge-readme #33
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| - name: golangci-lint | |
| uses: golangci/golangci-lint-action@v7 | |
| with: | |
| version: v2.11.1 | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| - name: Run tests | |
| run: go test -v -race -coverprofile=coverage.out ./... | |
| - name: Check coverage | |
| run: | | |
| COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | tr -d '%') | |
| echo "Coverage: ${COVERAGE}%" | |
| if [ "$(echo "$COVERAGE < 80" | bc -l)" -eq 1 ]; then | |
| echo "::error::Coverage ${COVERAGE}% is below 80% threshold" | |
| exit 1 | |
| fi | |
| - name: Upload coverage | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: coverage | |
| path: coverage.out | |
| test-ml: | |
| name: Test (ML) | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ml') | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| - name: Install ONNX Runtime | |
| run: | | |
| ONNX_VERSION=1.16.3 | |
| wget -q https://github.com/microsoft/onnxruntime/releases/download/v${ONNX_VERSION}/onnxruntime-linux-x64-${ONNX_VERSION}.tgz | |
| tar -xzf onnxruntime-linux-x64-${ONNX_VERSION}.tgz | |
| sudo cp onnxruntime-linux-x64-${ONNX_VERSION}/lib/* /usr/local/lib/ | |
| sudo ldconfig | |
| rm -rf onnxruntime-linux-x64-${ONNX_VERSION}* | |
| - name: Download model | |
| run: | | |
| pip install huggingface_hub | |
| python -c "from huggingface_hub import snapshot_download; snapshot_download('ogulcanaydogan/pif-distilbert-injection-classifier', local_dir='ml/output/onnx/quantized')" | |
| continue-on-error: true | |
| - name: Run ML tests | |
| run: | | |
| CGO_ENABLED=1 go test -tags ml -v -race ./pkg/detector/... || echo "ML tests skipped (model not available)" | |
| env: | |
| PIF_TEST_MODEL_PATH: ml/output/onnx/quantized | |
| LD_LIBRARY_PATH: /usr/local/lib | |
| benchmark: | |
| name: Benchmark | |
| runs-on: ubuntu-latest | |
| needs: test | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| - name: Run benchmarks | |
| run: go test -bench=. -benchmem -benchtime=3s ./benchmarks/... 2>/dev/null || echo "No benchmarks yet" | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| needs: test | |
| strategy: | |
| matrix: | |
| goos: [linux, darwin, windows] | |
| goarch: [amd64, arm64] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25.x' | |
| - name: Build CLI | |
| env: | |
| GOOS: ${{ matrix.goos }} | |
| GOARCH: ${{ matrix.goarch }} | |
| run: go build -ldflags="-s -w" -o pif-${{ matrix.goos }}-${{ matrix.goarch }} ./cmd/pif-cli/ | |
| - name: Build Firewall | |
| env: | |
| GOOS: ${{ matrix.goos }} | |
| GOARCH: ${{ matrix.goarch }} | |
| run: go build -ldflags="-s -w" -o pif-firewall-${{ matrix.goos }}-${{ matrix.goarch }} ./cmd/firewall/ |