diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 000000000000..85966baa5287
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,32 @@
+name: CI
+on:
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+jobs:
+ build:
+ strategy:
+ matrix:
+ os: [ubuntu-latest, macos-latest, windows-latest]
+ go-version: [1.22.x]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ matrix.go-version }}
+ - name: Cache Go modules
+ uses: actions/cache@v4
+ with:
+ path: ~/go/pkg/mod
+ key: ${{ runner.os }}-go-${{ hashFiles('go.sum') }}
+ restore-keys: |
+ ${{ runner.os }}-go-
+ - name: Lint
+ run: |
+ go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+ golangci-lint run
+ - name: Test
+ run: go test ./... -race
diff --git a/.github/workflows/secscan.yaml b/.github/workflows/secscan.yaml
index a8bac30dd1f7..dd67db649563 100644
--- a/.github/workflows/secscan.yaml
+++ b/.github/workflows/secscan.yaml
@@ -1,4 +1,17 @@
 name: "Security Scan"
+# Grant the workflow the minimal permissions it needs. The CodeQL upload step
+# requires "security-events: write" (or at least read) which the default token
+# does not have for runs triggered from public forks. By explicitly requesting
+# the permission we ensure the workflow can run when executed in the upstream
+# repository (where the token has the required scope).
+permissions:
+ # read access to the repository contents
+ contents: read
+ # needed for the CodeQL SARIF upload action
+ security-events: write
+ # actions and checks are read‑only for this workflow
+ actions: read
+ checks: read
 # Run workflow each time code is pushed to your repository and on a schedule.
 # The scheduled workflow runs every at 00:00 on Sunday UTC time.
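Review bot: In `.github/workflows/ci.yml`, the Lint step installs `golangci-lint@latest`, so every run fetches and executes whatever release is newest at that moment; pin it to a reviewed release, e.g. `go install github.com/golangci/golangci-lint/cmd/golangci-lint@<PINNED_VERSION>`. The new workflow also declares no `permissions:` block, so its token falls back to the repository default, while the secscan.yaml change in this same diff sets permissions explicitly; this build/test job appears to need only `permissions:` with `contents: read`. The three `uses:` entries reference mutable tags (`@v4`, `@v5`), and pinning them to full commit SHAs would close the same gap for the actions.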
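Review bot: The comment added above `permissions:` in `secscan.yaml` overstates what the block does: declaring `security-events: write` does not give write access to runs triggered by pull requests from forks, where the token normally stays read-only, and a SARIF upload needs write rather than "at least read". Suggested wording: `# security-events: write is required to upload SARIF results; fork PR runs still receive a read-only token`. Because the block sits at workflow level it applies to every job in the file; if only the job that uploads results needs write, moving `security-events: write` under that job keeps the remaining grants at read. The upload step is outside this hunk, so confirm that `actions: read` and `checks: read` are actually used before keeping them.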
@@ -9,6 +22,8 @@ on:
 jobs:
 tests:
+ # Run only in the upstream repository to avoid permission issues on forks.
+ if: ${{ github.repository == 'mudler/LocalAI' }}
 runs-on: ubuntu-latest
 env:
 GO111MODULE: on
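Review bot: The guard `if: ${{ github.repository == 'mudler/LocalAI' }}` on the `tests` job hard-codes the repository slug, so a rename or transfer of the repository would make the condition false and the security scan would be skipped without any failing check. A short comment recording that dependency would make it visible, e.g. `# NOTE: update this slug if the repository is renamed or transferred; a mismatch skips the scan silently`. The rest of the `tests` job is outside this hunk.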