From a4227edc72e9b3e87cdb8721281558ba69b3fd58 Mon Sep 17 00:00:00 2001
From: Rafael Richards
Date: Sun, 14 Jun 2026 14:38:25 -0400
Subject: [PATCH] ci(go): harden reusable go-ci gate with gofmt/vet/govulncheck

Align the shared go-ci.yml with the documented house Go gate (fmt + vet + golangci-lint + test-race + govulncheck). Previously CI ran only lint + race-cover + build-matrix, weaker than the local `make check` contract.

Added to the lint-test job:
- gofmt -l check (fails on any non-gofmt'd file)
- explicit `go vet ./...`
- govulncheck ./... (pinned analyzer v1.1.4, live vuln DB), gated behind a new `vuln-check` input (default true) as an escape hatch for un-patchable transitive vulns.

Propagates to all 12 repos that consume go-ci.yml@main.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/go-ci.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
index f3c18fa..7d24522 100644
--- a/.github/workflows/go-ci.yml
+++ b/.github/workflows/go-ci.yml
@@ -18,6 +18,12 @@ on:
 description: Run `go run . schema | json.tool` contract check
 type: boolean
 default: true
+ vuln-check:
+ description: >-
+ Run govulncheck against the module's known-vuln database. Escape hatch
+ for the rare case of an un-patchable transitive vuln; keep it on.
+ type: boolean
+ default: true
 
 permissions:
 contents: read
@@ -31,6 +37,17 @@ jobs:
 with:
 go-version: ${{ inputs.go-version }}
 check-latest: true
+ - name: gofmt (must be clean)
+ # The house Go gate starts with `fmt`; CI fails on any non-gofmt'd file
+ # rather than silently reformatting it.
+ run: |
+ unformatted=$(gofmt -l .)
+ if [ -n "$unformatted" ]; then
+ echo "::error::these files are not gofmt-clean:"; echo "$unformatted"
+ exit 1
+ fi
+ - name: vet
+ run: go vet ./...
 - name: lint
 # Build golangci-lint with the repo's Go toolchain: prebuilt releases are
 # built with an older Go and reject newer go.mod language versions.
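Review bot: The new gofmt step runs `gofmt -l .` over the entire checkout, whereas `go vet ./...` and the lint step skip `vendor/` and `testdata/`, so any consuming repo that carries vendored or fixture Go files would fail this gate on code it does not own; scoping the check to tracked, non-vendored files, e.g. `git ls-files -z '*.go' ':!vendor/' | xargs -0 gofmt -l`, keeps the three steps in agreement. The `::error::` annotation only carries the first echo's text, so the offending filenames land in the plain log rather than on the run summary; emitting one annotation per file, `for f in $unformatted; do echo "::error file=$f::not gofmt-clean"; done`, makes them clickable in the UI. If the house `fmt` target runs `gofmt -s`, the same flag belongs here so `make check` and CI agree — the Makefile is not visible from this hunk.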
@@ -40,6 +57,13 @@ jobs:
 "$(go env GOPATH)/bin/golangci-lint" run
 - name: test
 run: go test -race -cover ./...
+ - name: govulncheck (known-vuln dependency + call-graph scan)
+ # Completes the documented house gate (fmt+vet+lint+test-race+govulncheck).
+ # Queries the live Go vuln DB; the pinned binary only fixes the analyzer.
+ if: ${{ inputs.vuln-check }}
+ run: |
+ go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
+ "$(go env GOPATH)/bin/govulncheck" ./...
 - name: schema contract (must emit valid JSON)
 if: ${{ inputs.schema-check }}
 run: go run . schema | python3 -m json.tool > /dev/null
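Review bot: Gating the govulncheck step with `if: ${{ inputs.vuln-check }}` means a consumer that flips the input off for one un-patchable transitive finding also stops seeing every future advisory, because the step is skipped outright rather than demoted; replacing the `if:` with `continue-on-error: ${{ !inputs.vuln-check }}` keeps the scan running and its findings in the log while making only the exit code advisory. govulncheck also ignores `_test.go` files unless `-test` is passed, so a vulnerable test-only dependency never enters the reported call graph — worth stating in the step comment, or adding the flag if the house gate is meant to cover test code (not determinable from this hunk). The step also depends on vuln.go.dev being reachable at run time, so a database outage fails the gate for all 12 consumers; the comment already notes the live lookup, but today the input above is the only mitigation.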