a0a611525c
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go, use c.ClientIP() only (respects SetTrustedProxies) MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod MEDIUM-009: Add trial-already-used check in subscription service MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections MEDIUM-011: Mask email in auth handler logs with maskEmail() helper MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats LOW-001: Align frontend password policy to 12 chars (matching backend) LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server LOW-004: Enable xpack.security in Elasticsearch dev/local compose files LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background() LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests) 29/30 findings remediated. 1 noted (LOW-002). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
108 lines
2.7 KiB
YAML
108 lines
2.7 KiB
YAML
name: Backend API CI
|
|
|
|
on:
|
|
push:
|
|
paths:
|
|
- "veza-backend-api/**"
|
|
- ".github/workflows/backend-ci.yml"
|
|
pull_request:
|
|
paths:
|
|
- "veza-backend-api/**"
|
|
- ".github/workflows/backend-ci.yml"
|
|
|
|
jobs:
|
|
test-unit:
|
|
runs-on: ubuntu-latest
|
|
|
|
defaults:
|
|
run:
|
|
working-directory: veza-backend-api
|
|
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
with:
|
|
go-version: "1.24"
|
|
cache: true
|
|
|
|
- name: Download deps
|
|
run: go mod download
|
|
|
|
- name: Go vet and format check
|
|
run: |
|
|
go vet ./...
|
|
test -z "$(gofmt -l .)"
|
|
working-directory: veza-backend-api
|
|
|
|
- name: Run govulncheck
|
|
run: |
|
|
go install golang.org/x/vuln/cmd/govulncheck@latest
|
|
govulncheck ./...
|
|
|
|
- name: Run unit tests
|
|
run: go test ./internal/handlers/... ./internal/services/... -short -coverprofile=coverage.out -covermode=atomic -timeout 5m
|
|
|
|
- name: Upload coverage report
|
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
|
|
with:
|
|
name: go-coverage
|
|
path: veza-backend-api/coverage.out
|
|
|
|
test-integration:
|
|
runs-on: ubuntu-latest
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
env:
|
|
POSTGRES_USER: postgres
|
|
POSTGRES_PASSWORD: postgres
|
|
POSTGRES_DB: veza_test
|
|
ports:
|
|
- 5432:5432
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
redis:
|
|
image: redis:7-alpine
|
|
ports:
|
|
- 6379:6379
|
|
options: >-
|
|
--health-cmd "redis-cli ping"
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
|
|
env:
|
|
DATABASE_URL: postgresql://postgres:postgres@localhost:5432/veza_test?sslmode=disable
|
|
REDIS_URL: redis://localhost:6379
|
|
JWT_SECRET: test-jwt-secret-for-ci
|
|
APP_ENV: test
|
|
|
|
defaults:
|
|
run:
|
|
working-directory: veza-backend-api
|
|
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
with:
|
|
go-version: "1.24"
|
|
cache: true
|
|
|
|
- name: Download deps
|
|
run: go mod download
|
|
|
|
- name: Run migrations
|
|
run: go run cmd/migrate_tool/main.go
|
|
continue-on-error: true
|
|
|
|
- name: Run integration tests
|
|
run: go test -tags=integration ./internal/... -timeout 15m
|
|
|