# GitHub Actions Workflows

This directory contains the CI/CD workflows for the Devour project.

## Workflows

### 1. CI/CD Pipeline (`ci.yml`)

**Triggers:**
- Push to `main` or `develop` branches
- Pull requests to `main` or `develop` branches
- Release publications

**Jobs:**
- **Test**: Runs unit tests with race detection and uploads coverage to Codecov
- **Lint**: Runs golangci-lint for code quality checks
- **Security**: Scans for security vulnerabilities using Gosec
- **Build**: Builds cross-platform binaries (Linux, Windows, macOS) for amd64/arm64
- **Docker**: Builds and pushes Docker images to Docker Hub
- **Release**: Creates GitHub releases with compiled binaries

### 2. Code Quality (`quality.yml`)

**Triggers:**
- Push to `main` or `develop` branches
- Pull requests to `main` or `develop` branches

**Checks:**
- `go vet` for potential issues
- Code formatting with `gofmt`
- Inefficient assignments with `ineffassign`
- Spelling errors with `misspell`
- Static analysis with `staticcheck`
- TODO/FIXME comment detection
- `go mod tidy` validation
- Code coverage threshold (minimum 80%)
- SonarCloud analysis (optional)

### 3. Dependabot (`dependabot.yml`)

**Features:**
- Weekly dependency updates for Go modules
- Weekly GitHub Actions updates
- Automatic pull requests with dependency updates

## Required Secrets

To enable all features, add these secrets to your GitHub repository:

### Docker Hub Integration
- `DOCKER_USERNAME`: Your Docker Hub username
- `DOCKER_PASSWORD`: Your Docker Hub password or access token

### SonarCloud Integration (Optional)
- `SONAR_TOKEN`: Your SonarCloud project token

## Environment Variables

- `GO_VERSION`: Set to '1.24' (can be updated in workflows)

## Build Artifacts

### Binaries
The CI pipeline builds binaries for:
- Linux (amd64, arm64)
- Windows (amd64)
- macOS (amd64, arm64)

### Docker Images
- Multi-platform images (linux/amd64, linux/arm64)
- Tags: branch name, PR number, semantic version tags

## Coverage Reports

- Test coverage is uploaded to Codecov
- Minimum coverage threshold: 80%
- Coverage reports are generated for each test run

## Security Scanning

- Gosec security scanner runs on every push/PR
- SARIF results are uploaded to GitHub Security tab
- Dependencies are automatically updated by Dependabot

## Local Development

To run the same checks locally:

```bash
# Run tests with coverage
make test-coverage

# Run linting
make lint

# Format code
make fmt

# Build for production
make build-prod

# Build Docker image
make docker
```

## Release Process

1. Create a new tag: `git tag v1.0.0`
2. Push the tag: `git push origin v1.0.0`
3. Create a GitHub release (or let the workflow create it automatically)
4. Binaries and Docker images will be built and published automatically
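
The 80% minimum from the Coverage Reports section can also be enforced before pushing. The script below is an added example, not one of the project's workflows or Makefile targets; the function names, the `THRESHOLD` variable and the sample report are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not project code): fail when total Go coverage is below a minimum.
# Real use, with standard Go tooling:
#   go test -race -coverprofile=coverage.out ./...
#   go tool cover -func=coverage.out | check_coverage 80

THRESHOLD="${THRESHOLD:-80}"   # assumed variable name; 80 matches the README

# Print the total statement coverage from `go tool cover -func` output on stdin.
# Exits non-zero when the report has no "total:" line (e.g. tests never ran).
coverage_total() {
    awk '$1 == "total:" { gsub(/%/, "", $NF); print $NF; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Return 0 when coverage meets the minimum, 1 when below, 2 when unparsable.
check_coverage() {
    min="${1:-$THRESHOLD}"
    total="$(coverage_total)" || {
        echo "no total line in coverage report" >&2
        return 2
    }
    if awk -v t="$total" -v m="$min" 'BEGIN { exit ((t + 0 >= m + 0) ? 0 : 1) }'; then
        echo "coverage ${total}% meets the ${min}% minimum"
    else
        echo "coverage ${total}% is below the ${min}% minimum" >&2
        return 1
    fi
}

# Constructed sample report in `go tool cover -func` layout; $1 is the total.
sample_report() {
    printf 'example.com/module/a.go:21:\tLoad\t\t91.7%%\n'
    printf 'example.com/module/b.go:58:\tParse\t\t66.7%%\n'
    printf 'total:\t\t\t\t(statements)\t%s%%\n' "$1"
}

sample_report 85.3 | check_coverage          # passes
sample_report 79.9 | check_coverage || echo "gate failed with status $?"
```

A report with no `total:` line returns status 2 rather than passing, so an empty or failed test run cannot slip through the gate.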