ci: add matrix build for Linux/macOS/Windows

.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+jobs:
+  build:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        go-version: [1.22.x]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Lint
+        run: |
+          go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+          golangci-lint run
+      - name: Test
+        run: go test ./... -race

.github/workflows/secscan.yaml

@@ -1,4 +1,17 @@
 name: "Security Scan"
+# Grant the workflow the minimal permissions it needs. The CodeQL upload step
+# requires "security-events: write" (or at least read) which the default token
+# does not have for runs triggered from public forks. By explicitly requesting
+# the permission we ensure the workflow can run when executed in the upstream
+# repository (where the token has the required scope).
+permissions:
+  # read access to the repository contents
+  contents: read
+  # needed for the CodeQL SARIF upload action
+  security-events: write
+  # actions and checks are read‑only for this workflow
+  actions: read
+  checks: read
 
 # Run workflow each time code is pushed to your repository and on a schedule.
 # The scheduled workflow runs every at 00:00 on Sunday UTC time.
@@ -9,6 +22,8 @@ on:
 
 jobs:
   tests:
+    # Run only in the upstream repository to avoid permission issues on forks.
+    if: ${{ github.repository == 'mudler/LocalAI' }}
     runs-on: ubuntu-latest
     env:
       GO111MODULE: on