GitHub Actions used by go-openapi workflows.
- 2025-12-19 : new community chat on discord
- a new discord community channel is available to be notified of changes and support users
- our venerable Slack channel remains open, and will be eventually discontinued on 2026-03-31
You may join the discord community by clicking the invite link on the discord badge (also above).
Or join our Slack channel:
These actions are currently used by the CI workflows run at github.com/go-openapi.
To use this action in your workflow, reference it using the standard GitHub Actions syntax:
- Install all tools
- uses: go-openapi/[email protected]- Install each tool independently
- uses: go-openapi/gh-actions/install/[email protected]
- uses: go-openapi/gh-actions/install/[email protected]
- uses: go-openapi/gh-actions/install/[email protected]
- uses: go-openapi/gh-actions/install/[email protected]- Download a specific version
- uses: go-openapi/gh-actions/install/[email protected]
with:
version: v0.0.12All tools are currently installed using downloaded released binaries.
CI workflows may use and pin released actions instead of resorting to a go install ...@latest
command.
This is mostly motivated by the need to pin CI dependencies to a specific commit and use only vetted versions of the installed tooling.
Our actions try to install tools from binary releases whenever applicable.
Automated version tracking is obtained thanks to a dummy go.mod module declaration in this repo,
which allows dependabot to track our target tools and post updates.
A vulnerability scan on the source repo of the tools must be passed for such an update to be approved and merged.
An action that waits for all jobs to have run (not just status checks) on a PR.
- uses: go-openapi/gh-actions/ci-jobs/[email protected]
with:
pr-url: ${{ github.event.pull_request.html_url }}
github-token: ${{ secrets.GITHUB_TOKEN }}
# Optional: exclude the current run (default: true)
exclude-current-run: 'true'
# Optional: patterns to match workflow names for exclusion (default: 'auto-merge,contributors')
exclude-workflow-patterns: 'auto-merge,release'Background: This action solves a timing issue where auto-merge triggers as soon as required status checks pass, but non-required jobs (like coverage upload) are still running. The PR gets merged and branch deleted while jobs are still in progress, causing them to fail.
When multiple jobs in the same workflow use this action in parallel, they can end up waiting for each other. The action includes smart defaults to prevent deadlocks:
exclude-current-run: Automatically excludes the current workflow run from the wait list (default:true)exclude-workflow-patterns: Case-insensitive pattern matching against workflow names (default:'auto-merge,contributors')- Patterns use substring matching:
'auto-merge'matches'Dependabot auto-merge','PR auto-merge', etc. - Override the default by providing your own comma-separated list of patterns
- Patterns use substring matching:
Securely configures bot credentials for automated operations including GPG signing and GitHub App authentication. This action addresses the security vulnerability where using secrets[inputs.secret-name] exposes ALL organization secrets to the workflow runner.
Features:
- GPG signing for commits and tags
- GitHub App token generation
- Both features can be enabled independently
- Secure: only passes explicitly named secrets (not all secrets)
- Flexible: works with custom secret names for any organization
Usage example 1: go-openapi repos (using default secret names)
For go-openapi repositories, the action automatically uses the organization's standard secret names (CI_BOT_GPG_PRIVATE_KEY, CI_BOT_GPG_PASSPHRASE, CI_BOT_SIGNING_KEY, CI_BOT_APP_ID, CI_BOT_APP_PRIVATE_KEY) when called with secrets: inherit:
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: go-openapi/gh-actions/ci-jobs/bot-credentials@master
id: bot
with:
enable-gpg-signing: 'true'
enable-github-app: 'true'
# No secret parameters needed! Falls back to go-openapi defaults
gpg-private-key: ${{ secrets.CI_BOT_GPG_PRIVATE_KEY }}
gpg-passphrase: ${{ secrets.CI_BOT_GPG_PASSPHRASE }}
gpg-fingerprint: ${{ secrets.CI_BOT_SIGNING_KEY }}
github-app-id: ${{ secrets.CI_BOT_APP_ID }}
github-app-private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
- run: |
git commit -m "Signed commit" # Automatically GPG signed
- uses: peter-evans/create-pull-request@v8
with:
token: ${{ steps.bot.outputs.app-token }}Usage example 2: Other organizations (using custom secret names)
For other organizations with different secret names (e.g., personal repos on github.com/fredbi):
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: go-openapi/gh-actions/ci-jobs/bot-credentials@master
id: bot
with:
enable-gpg-signing: 'true'
enable-github-app: 'true'
# Pass your custom secret names explicitly
gpg-private-key: ${{ secrets.FREDBI_GPG_PRIVATE_KEY }}
gpg-passphrase: ${{ secrets.FREDBI_GPG_PASSPHRASE }}
gpg-fingerprint: ${{ secrets.FREDBI_SIGNING_KEY }}
github-app-id: ${{ secrets.FREDBI_APP_ID }}
github-app-private-key: ${{ secrets.FREDBI_APP_PRIVATE_KEY }}
- run: |
git commit -m "Signed commit" # Automatically GPG signed
- uses: peter-evans/create-pull-request@v8
with:
token: ${{ steps.bot.outputs.app-token }}Background: This action was created to solve the security issue identified in ci-workflows#43. Using secrets[inputs.secret-name] causes GitHub Actions to expose ALL organization and repository secrets to the workflow runner. This action requires secrets to be passed as actual values, ensuring only explicitly named secrets are accessible.
This action detects the presence of multiple go modules in a git repo (i.e. a go mono-repo).
It returns a is-monorepo indicator and several ways to iterate over modules
(by module import name, by folder, as JSON - e.g. for matrix jobs -, as bash-compatible lists).
Requires: go setup, git checkout
outputs:
is-monorepo:
description: |
Indicates if the current repo is a go mono repo.
modules-count:
description: |
Counts how many modules have been detected.
modules:
description: |
A JSON array of modules with name (go import path) and path (folder in the current checkout).
paths:
description: |
A JSON array of modules paths
bash-paths:
description: |
A bash-compatible array of modules paths.
bash-subpaths:
description: |
A bash-compatible array of modules paths with the "/..." suffix.
names:
description: |
A JSON array of modules names (import paths)
relative-names:
description: |
A JSON array of modules relative module names (relative imports).
The root module always yields an empty string.
These are pure relative paths without leading "." or "/".
Example: github.com/go-openapi/swag/jsonutils yields "jsonutils"
bash-relative-names:
description: |
A bash-compatible array of modules relative names (relative imports).
The root module always yields an empty string.
These are pure relative paths without leading "." or "/".
Example: github.com/go-openapi/swag/jsonutils yields "jsonutils"
root-module:
description: |
The name (go import path) of the root module in the go mono repo.Usage example
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
outputs:
is-monorepo: ${{ steps.detect-monorepo.outputs.is-monorepo }}
bash-subpaths: ${{ steps.detect-monorepo.outputs.bash-subpaths }}
module-names: ${{ steps.detect-monorepo.outputs.names }}
steps:
-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
-
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version: stable
check-latest: true
cache: true
cache-dependency-path: '**/go.sum'
-
name: Detect go mono-repo
id: detect-monorepo
uses: go-openapi/gh-actions/ci-jobs/detect-go-monorepo@master # v1.4.0
-
name: golangci-lint
if: ${{ steps.detect-monorepo.outputs.is-monorepo != 'true' }}
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
with:
version: latest
only-new-issues: true
skip-cache: true
# Carry out the linting the traditional way, within a shell loop
-
name: Lint multiple modules
if: ${{ steps.detect-monorepo.outputs.is-monorepo == 'true' }}
# golangci-lint doesn't support go.work to lint multiple modules in one single pass
run: |
set -euxo pipefail
git fetch origin master
git show --no-patch --oneline origin/master
while read -r module_location ; do
pushd "${module_location}"
golangci-lint run --new-from-rev origin/master
popd
done < <(echo ${{ steps.detect-monorepo.outputs.bash-paths }})This action detects the current go version and reports the minor version.
Its intent is to report about the availability of certain features useful for testing, that are not available in all instances of a matrix job spanning over multiple go versions.
At this moment, we are mostly interested about the possibility to run a simplified test script
using go test work.
Requires: go setup, git checkout
outputs:
go-minor-version:
description: |
The minor version of go that is installed.
Example: go1.25.4 yields 25
is-gotestwork-supported:
description: |
Tells if go test work is available (e.g. go1.25 and go.work exists)Usage example
jobs:
test:
name: Unit tests mono-repo
needs: [ lint ]
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ ubuntu-latest, macos-latest, windows-latest ]
go: ['oldstable', 'stable' ]
steps:
-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
id: go-setup
with:
go-version: '${{ matrix.go }}'
check-latest: true
cache: true
cache-dependency-path: '**/go.sum'
-
name: Detect go version capabilities
id: detect-go-version
uses: go-openapi/gh-actions/ci-jobs/detect-go-version@master # v1.4.0
-
name: Install gotestsum
uses: go-openapi/gh-actions/install/gotestsum@eb161ed408645b24aaf6120cd5e4a893cf2c0af2 # v1.3.1
-
name: Run unit tests on all modules (go1.25+ with go.work) [monorepo]
if: ${{ needs.lint.outputs.is-monorepo == 'true' && steps.detect-go-version.outputs.is-gotestwork-supported == 'true' }}
# with go.work file enabled, go test recognizes sub-modules and collects all packages to be covered
# without specifying -coverpkg.
# ...This action uses svu to compute the next release tag depending on the request kind of bump (patch, minor, major).
inputs:
bump-patch:
description: Bump a patch version release
type: string
required: false
default: 'true'
bump-minor:
description: Bump a minor version release
type: string
required: false
default: 'false'
bump-major:
description: Bump a major version release
type: string
required: false
default: 'false'outputs:
next-tag:
description: |
The bumped release tag.Usage example
job:
determine-next-tag:
name: Determine next tag [monorepo]
needs: [detect-modules]
if: ${{ needs.detect-modules.outputs.is-monorepo == 'true' }}
runs-on: ubuntu-latest
outputs:
next-tag: ${{ steps.bump-release.outputs.next-tag }}
steps:
-
name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
-
name: Determine next tag
id: bump-release
uses: go-openapi/gh-actions/ci-jobs/next-tag@master # v1.4.0
with:
bump-patch: ${{ inputs.bump-patch }}
bump-minor: ${{ inputs.bump-minor }}
bump-major: ${{ inputs.bump-major }}See https://github.com/go-openapi/gh-actions/releases
This library ships under the SPDX-License-Identifier: Apache-2.0.
Maintainers can cut a new release by either:
- running this workflow
- or pushing a semver tag
- signed tags are preferred
- The tag message is prepended to release notes