ci: add PR verification mechanism (lint, tests, gosec, trufflehog)

TeleGhost Dev · TeleGhost Dev · commit 4a74db53518f · 2026-02-14T17:07:37.000+05:00
diff --git a/.github/workflows/verify_pr.yml b/.github/workflows/verify_pr.yml
@@ -0,0 +1,83 @@
+name: Pull Request Verification
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  # --- backend: Go Checks ---
+  backend-checks:
+    name: Backend (Go)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.24'
+          cache: true
+
+      - name: Go Format Check
+        run: |
+          if [ "$(gofmt -l . | wc -l)" -gt 0 ]; then
+            echo "The following files are not formatted:"
+            gofmt -l .
+            exit 1
+          fi
+
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+          args: --timeout=5m
+
+      - name: Security Scan (gosec)
+        uses: securego/gosec@master
+        with:
+          args: ./...
+
+      - name: Run Tests
+        run: go test -v -short ./...
+
+  # --- frontend: Web Checks ---
+  frontend-checks:
+    name: Frontend (Svelte)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install Dependencies
+        run: |
+          cd frontend
+          npm ci
+
+      - name: Build Check
+        run: |
+          cd frontend
+          npm run build
+
+  # --- security: Secrets Scan ---
+  secrets-scan:
+    name: Secrets Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Secret Scanning
+        uses: trufflesecurity/trufflehog@main
+        with:
+          extra_args: --only-verified
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,49 @@
+linters-settings:
+  govet:
+    check-shadowing: true
+  golint:
+    min-confidence: 0.8
+  gocyclo:
+    min-complexity: 15
+  maligned:
+    suggest-new: true
+  dupl:
+    threshold: 100
+  goconst:
+    min-len: 3
+    min-occurrences: 3
+  misspell:
+    locale: US
+  lll:
+    line-length: 140
+  goimports:
+    local-prefixes: github.com/kiktor12358/TeleGhost
+
+linters:
+  enable:
+    - govet
+    - errcheck
+    - staticcheck
+    - unused
+    - gosimple
+    - structcheck
+    - varcheck
+    - ineffassign
+    - deadcode
+    - typecheck
+    - gocyclo
+    - goconst
+    - misspell
+    - lll
+    - unparam
+    - nakedret
+    - prealloc
+    - whitespace
+
+run:
+  timeout: 5m
+  tests: true
+  skip-dirs:
+    - vendor
+    - android
+    - frontend/node_modules
