ci-workflows

---

Common Continuous Integration (CI) workflows and setup for go-openapi repos.

• shared github action workflows
• shared dependabot configuration (BLOCKED)
• shared golangci-lint configuration (BLOCKED)

Announcements

• 2025-12-19 : new community chat on discord
  • a new discord community channel is available to be notified of changes and support users
  • our venerable Slack channel remains open, and will be eventually discontinued on 2026-03-31

You may join the discord community by clicking the invite link on the discord badge (also above).

Or join our Slack channel:

Status

Development is active. We are regularly adding more shared workflows to standardize CI across go-openapi repos.

NOTE: at this moment, it is difficult to share the configurations for dependabot and golangci-lint, so these are not shared yet.

Example

go-test.yml

Basic usage

You reuse a workflow like so:

name: go test

permissions:
  pull-requests: read
  contents: read

on:
  push:
    branches:
      - master

  pull_request:

jobs:
  test:
    uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@master
    secrets: inherit

It is recommended to pin the git ref master with a commit sha, and let dependabot keep you up to date. Like so:

    uses: go-openapi/ci-workflows/.github/workflows/go-test.yml@b28a8b978a5ee5b7f4241ffafd6cc6163edb5dfd # v0.1.0

Permissions

Make sure your job permissions match the requirements of the called shared workflow.

Example:

name: "CodeQL"

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
    paths-ignore: # remove this clause if CodeQL is a required check
      - '**/*.md'
  schedule:
    - cron: '39 19 * * 5'

permissions:
  contents: read

jobs:
  codeql:
    permissions:  # <- grant permissions at the job level that match the requirements of the called workflow
      contents: read
      security-events: write
    uses: ./.github/workflows/codeql.yml
    secrets: inherit

Available workflows [v0.1.0]

Dependencies automation

• auto-merge.yml:
  • auto-merge dependabot updates, with dependency group rules
  • auto-merge go-openapi bot updates

Test automation

• go-test.yml: go unit tests

  • includes:
    • fuzz-test.yml: orchestrates fuzz testing with a cached corpus
    • collect-coverage.yml: (common) collect & publish test coverage (to codecov)
    • collect-reports.yml: (common) collect & publish test reports (to codecov and github)

• go-test-monorepo.yml: go unit tests, with support for go mono-repos (same features)

NOTE: for mono-repos, the workflow works best with go1.25 and go.work declaring all your modules and committed to git.

Security

• codeql.yml: CodeQL workflow for go and github actions
• scanner.yml: trivy & govulncheck scans

Release automation

• bump-release.yml: manually triggered workflow to cut a release
• tag-release.yml: cut a release on push tag
• release.yml: (common) release & release notes build

NOTE: mono-repos are not supported yet.

Release notes are produced using git-cliff. The configuration may be set using a .cliff.toml file. The default configuration is the .cliff.toml in this repo (uses remote config).

Documentation quality

• contributors.yml: updates CONTRIBUTORS.md

Motivation

It took a while (well something like 10 years...), but we eventually managed to align all checks, tests and dependabot rules declared in the family of go-openapi repos.

Now we'd like to be able to maintain, enrich and improve these checks without worrying too much about the burden of replicating the stuff about a dozen times.

Change log

See https://github.com/go-openapi/ci-workflows/releases

Licensing

This content ships under the SPDX-License-Identifier: Apache-2.0.

Other documentation

• All-time contributors
• Contributing guidelines
• Maintainers documentation
• Code style
• Roadmap

Cutting a new release

Maintainers can cut a new release by either:

• running this workflow
• or pushing a semver tag
  • signed tags are preferred
  • The tag message is prepended to release notes