This directory contains GitHub Actions workflows for automated CI/CD pipelines.
The learn-go project uses GitHub Actions for:
- Continuous Integration (CI)
- Security Scanning
- Docker Image Building
- Kubernetes Deployment Testing
File: .github/workflows/dockerimage.yml
Purpose: Complete CI/CD pipeline including code quality, testing, security scanning, Docker building, and deployment.
- Push:
main,developbranches - Pull Request:
main,developbranches - Tags:
v*(e.g., v1.0.0, v1.2.3)
- Runs on:
ubuntu-latest - Purpose: Code quality and style checks
- Steps:
- Checkout code
- Setup Go 1.21
- Install linters (golint, staticcheck)
- Run
go fmt(formatting check) - Run
go vet(static analysis) - Run
golint(style checking) - Run
staticcheck(advanced static analysis) - Verify module dependencies
Duration: ~1-2 minutes
- Runs on:
ubuntu-latest - Strategy: Matrix testing across Go 1.20, 1.21, 1.22
- Purpose: Run unit and integration tests with coverage
- Steps:
- Checkout code
- Setup Go (matrix version)
- Download dependencies
- Run tests with coverage
- Generate coverage report
- Upload coverage to Codecov
Coverage Target: >79% Duration: ~2-3 minutes per Go version
- Runs on:
ubuntu-latest - Purpose: Scan for security vulnerabilities
- Steps:
- Checkout code
- Setup Go 1.21
- Download dependencies
- Run
govulncheck(Go vulnerability scanner) - Run
gosec(Go security scanner)
Duration: ~2-3 minutes
- Runs on:
ubuntu-latest - Needs:
[lint, test] - Permissions:
- contents: read
- packages: write
- security-events: write
- Purpose: Build and push multi-architecture Docker images
- Steps:
- Checkout code
- Setup Docker Buildx (multi-platform support)
- Login to GitHub Container Registry (GHCR)
- Extract metadata (tags, labels)
- Build and push Docker image
- Platforms: linux/amd64, linux/arm64
- Tags: branch name, PR number, semver, sha
- Build args: BUILD_DATE, VCS_REF, VERSION
- Run Trivy vulnerability scanner on image
- Upload Trivy results to GitHub Security tab
Image Registry: ghcr.io
Duration: ~5-8 minutes
- Runs on:
ubuntu-latest - Needs:
[build] - Condition: Only on
mainbranch - Environment: staging (https://staging.learn-go.example.com)
- Purpose: Deploy to staging Kubernetes environment
- Steps:
- Checkout code
- Setup Kind cluster
- Deploy application with:
- 2 replicas
- Liveness probe: /ping
- Readiness probe: /healthz
- LoadBalancer service
- Wait for deployment rollout
- Verify deployment status
Duration: ~5-10 minutes
- Runs on:
ubuntu-latest - Needs:
[build] - Condition: Only on version tags (v*)
- Environment: production (https://learn-go.example.com)
- Purpose: Deploy to production environment
- Steps:
- Checkout code
- Deploy to production (customizable)
Note: Currently a placeholder for actual production deployment
Duration: Depends on implementation
File: .github/workflows/k8s-deployment.yml
Purpose: Validate and test Kubernetes deployments in an isolated environment.
- Push:
mainbranch - Pull Request:
mainbranch - Tags:
v*
- Runs on:
ubuntu-latest - Purpose: Validate Kubernetes manifest syntax
- Steps:
- Checkout code
- Install kubeval
- Validate all YAML manifests in k8s/ directory
Duration: ~1 minute
- Runs on:
ubuntu-latest - Needs:
[validate-k8s] - Purpose: Full end-to-end deployment testing
- Steps:
- Checkout code
- Setup Kind cluster
- Build Docker image
- Load image into Kind
- Wait for cluster to be ready
- Display cluster information
- Create/apply Kubernetes manifests
- Deploy application
- Test all endpoints (/, /ping, /healthz)
- Show application logs
- Cleanup
Configuration:
Replicas: 2
Container Port: 8080
Environment Variables:
- GO_ENV: production
- PORT: 8080
- HOST: 0.0.0.0
Probes:
Liveness: GET /ping (every 30s)
Readiness: GET /healthz (every 10s)
Service Type: ClusterIPDuration: ~8-12 minutes
No secrets are required for basic functionality. The workflows use:
GITHUB_TOKEN: Automatically provided by GitHub ActionsCODECOV_TOKEN: (Optional) For Codecov integration
Defined in workflow files:
REGISTRY:ghcr.io(GitHub Container Registry)IMAGE_NAME:${{ github.repository }}GO_VERSION:1.21
The workflows require the following permissions:
contents: read- Read repository codepackages: write- Push to GitHub Container Registrysecurity-events: write- Upload security scan results
Add these badges to your README:
[](https://github.com/dxas90/learn-go/actions)
[](https://github.com/dxas90/learn-go/actions)# Install linters
go install golang.org/x/lint/golint@latest
go install honnef.co/go/tools/cmd/staticcheck@latest
# Run checks
go fmt ./...
go vet ./...
golint ./...
staticcheck ./...
go mod verify# Build multi-arch image (requires Docker Buildx)
docker buildx create --use
docker buildx build --platform linux/amd64,linux/arm64 -t learn-go:test .
# Or build for current platform
docker build -t learn-go:test .# Install security tools
go install golang.org/x/vuln/cmd/govulncheck@latest
go install github.com/securego/gosec/v2/cmd/gosec@latest
# Run scans
govulncheck ./...
gosec -fmt=json -out=gosec-results.json ./...
# Scan Docker image with Trivy
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy:latest image learn-go:test# Install Kind
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
chmod +x ./kind
sudo mv ./kind /usr/local/bin/
# Create cluster
kind create cluster --name test-cluster
# Build and load image
docker build -t learn-go:test .
kind load docker-image learn-go:test --name test-cluster
# Deploy
kubectl apply -f k8s/
# Test
kubectl port-forward svc/learn-go-service 8080:80 &
curl http://localhost:8080/healthz
# Cleanup
kind delete cluster --name test-clusterIssue: Code formatting or linting errors
Solution:
# Fix formatting
go fmt ./...
# Check for specific issues
go vet ./...
golint ./...
staticcheck ./...Issue: Test failures or insufficient coverage
Solution:
# Run tests locally
go test ./... -v
# Check coverage
go test ./... -coverprofile=coverage.out
go tool cover -func=coverage.outIssue: Vulnerabilities detected
Solution:
# Check for vulnerabilities
govulncheck ./...
# Update dependencies
go get -u ./...
go mod tidy
# Review and fix security issues
gosec ./...Issue: Permission denied when pushing to GHCR
Solution:
- Ensure workflow has
packages: writepermission - Verify GITHUB_TOKEN is active
- Check if package exists and has correct permissions
Issue: Endpoints not responding in Kind cluster
Solution:
# Check pod status
kubectl get pods -A
# Check logs
kubectl logs -l app=learn-go
# Verify service
kubectl get svc
kubectl describe svc learn-go-service
# Test connectivity
kubectl port-forward svc/learn-go-service 8080:80
curl http://localhost:8080/healthz- Branch Protection: Require workflows to pass before merging
- Status Checks: Enable required status checks for critical jobs
- Caching: Workflows use Go module caching for faster builds
- Matrix Testing: Test across multiple Go versions
- Security: Regular security scans on every PR
- Semantic Versioning: Use tags (v1.0.0) for releases
- Environments: Use GitHub Environments for deployment approvals
- Secrets Management: Never commit secrets; use GitHub Secrets
- Go to repository → Actions tab
- Click on specific workflow to see runs
- View logs, artifacts, and deployment status
Workflows may produce:
- Coverage reports
- Security scan results (SARIF format)
- Build logs
Configure notifications:
- Settings → Notifications → Actions
- Set up Slack/Discord webhooks for critical failures