.github/workflows/ci.yml

name: ci
on:
  push:
    branches:
      - main
    paths-ignore:
      - '**.md'
  pull_request:
    branches:
      - main
    path-ignore:
      - '**.md'
      
jobs:
  build-test:
    name: Build & Test
    runs-on: ${{ matrix.operating-system }}
    env:
      GO111MODULE: on
    strategy:
      matrix:
        operating-system: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: '0'
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.17
      - name: Build
        run: go build -v ./...
      - name: Test
        run: go test -v ./... -race -coverprofile="coverage.txt" -covermode=atomic
      - name: Publish codecov report
        uses: codecov/codecov-action@v2
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: coverage.txt
          flags: unittests
          name: ${{ env.GITHUB_REF }} (${{ matrix.operating-system }})
          fail_ci_if_error: true

  audit:
    name: Security & Code Quality
    runs-on: ubuntu-latest
    needs: build-test
    env:
      GO111MODULE: on
    permissions:
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: '0'
      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          args: ./...
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.17
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: go
      - name: CodeQL Autobuild
        uses: github/codeql-action/autobuild@v1
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1

  version: 
    name: Version release
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    outputs:
      new_tag: ${{ steps.version.outputs.new_tag }}
      changelog: ${{ steps.version.outputs.changelog }}
    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: '0'
    - name: Bump version and push tag
      id: version
      uses: mathieudutour/github-tag-action@v5.6
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        release_branches: main
    - name: Generate token
      id: generate_token
      uses: tibdex/github-app-token@v1
      with:
        app_id: ${{ secrets.RELEASE_APP_ID }}
        private_key: ${{ secrets.RELEASE_APP_SECRET }}
    - name: Create a GitHub release
      uses: actions/create-release@v1
      env:
        GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
      with:
        tag_name: ${{ steps.version.outputs.new_tag }}
        release_name: Release ${{ steps.version.outputs.new_tag }}
        body: ${{ steps.version.outputs.changelog }}