[Sync] Update project files from source repository (8e4f0da) #258

Merged
mrz1836 merged 1 commit into master from chore/sync-files-bitcoin-schema-20260123-085821-8e4f0da
Jan 23, 2026

mrz1836 commented Jan 23, 2026

What Changed

  • Updated actions/checkout action from v6.0.1 (commit 8e8c483) to v6.0.2 (commit de0fac2) in the fortress-code-quality workflow
  • Modified the "Go vet (sequential)" step to continue-on-error and capture outputs, including run-govet step ID and govet-exit-code/govet-status outputs
  • Changed error handling to write results to govet-output.log file and use exit 0 instead of exit 1 to allow summary generation
  • Added package counting output to log file and modified echo statements to use tee for dual output to console and log file
  • Restructured the go vet loop to capture exit codes in GOVET_EXIT_CODE variable and write detailed failure information to log file with tee -a
  • Added job summary generation after go vet completion that creates a markdown summary with package statistics, error details from log file, and overall status

Why It Was Necessary

  • The checkout action update brings the latest v6.0.2 improvements and fixes from the upstream action
  • The go vet error handling needed to be non-blocking to ensure summary generation occurs even when static analysis finds issues
  • Capturing detailed output to a log file enables better visibility of go vet results in the job summary without failing the workflow prematurely

Testing Performed

  • Verify the checkout action works correctly with the updated commit hash de0fac2
  • Test go vet execution with both successful and failing scenarios to ensure log file creation and summary generation
  • Validate that the continue-on-error behavior allows the workflow to proceed to summary generation regardless of vet results

Impact / Risk

  • Low risk - The checkout action version bump is a minor patch update within the same major version
  • Improved visibility - Go vet results are now captured in structured logs and displayed in job summaries for easier debugging
  • Workflow behavior change - The go vet step no longer immediately fails the job, which may mask failures if downstream steps don't properly check the outputs

mrz1836 self-assigned this Jan 23, 2026
Copilot AI review requested due to automatic review settings January 23, 2026 13:58
mrz1836 added the automated-sync, automerge and chore labels Jan 23, 2026
github-actions bot added the size/XL and update labels Jan 23, 2026
mrz1836 merged commit 3494806 into master Jan 23, 2026
53 checks passed
github-actions bot deleted the chore/sync-files-bitcoin-schema-20260123-085821-8e4f0da branch January 23, 2026 14:03
Copilot AI left a comment

Pull request overview

Syncs GitHub Actions workflow changes from the upstream repository, primarily updating actions/checkout and enhancing CI reporting for code quality and security scan steps.

Changes:

  • Bumped actions/checkout pin from v6.0.1 to v6.0.2 across workflows.
  • Updated fortress-code-quality to capture go vet / lint / format outputs, generate job summaries, and defer failing until after summaries/logs are produced.
  • Updated fortress-security-scans to capture Nancy / govulncheck / gitleaks outputs, add annotations/summaries/artifacts, and fail after reporting.

Reviewed changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .github/workflows/auto-merge-on-approval.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/codeql-analysis.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/dependabot-auto-merge.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-benchmarks.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-code-quality.yml | Add non-blocking execution + log capture + summaries/artifacts for go vet, golangci-lint, and format checks; update checkout pin. |
| .github/workflows/fortress-completion-finalize.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-completion-report.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-completion-statistics.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-completion-tests.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-coverage.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-pre-commit.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-release.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-security-scans.yml | Replace/reshape scan steps to capture outputs, add annotations/summaries/artifacts, and fail after reporting; update checkout pin. |
| .github/workflows/fortress-setup-config.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-test-fuzz.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-test-magex.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-test-matrix.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-test-validation.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress-warm-cache.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/fortress.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/pull-request-management-fork.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/pull-request-management.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/scorecard.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/stale-check.yml | Update actions/checkout pin to v6.0.2. |
| .github/workflows/sync-labels.yml | Update actions/checkout pin to v6.0.2 (multiple checkout steps). |
Comments suppressed due to low confidence (1)

.github/workflows/fortress-code-quality.yml:132

  • This step relies on continue-on-error and the later Fail job if issues found gate, but the script still runs with the default -e behavior and can exit early (e.g., if cd "$GO_MODULE_DIR" fails) before writing govet-status/govet-exit-code outputs. In that case the workflow may incorrectly pass because the final failure step won’t trigger. Recommend ensuring the script always writes outputs (e.g., disable -e for the whole step and capture errors into GOVET_EXIT_CODE, or use an EXIT trap to set outputs) so unexpected failures can’t be silently skipped.
        run: |
          echo "🚀 Running static analysis with go vet (sequential mode)..."
          GO_MODULE_DIR="${{ env.GO_MODULE_DIR }}"
          GOVET_EXIT_CODE=0

          # Run go vet on packages sequentially to reduce memory usage
          if [ -n "$GO_MODULE_DIR" ]; then
            echo "🔧 Running go vet from directory: $GO_MODULE_DIR"
            cd "$GO_MODULE_DIR"
          else

Comment on lines 139 to +145
if ! PACKAGES=$(go list ./... 2>/dev/null | grep -v /vendor/); then
# If command failed, re-run with stderr visible to show the error
echo "❌ go list command failed:"
go list ./... 2>&1 | head -20
exit 1
echo "❌ go list command failed:" | tee govet-output.log
go list ./... 2>&1 | head -20 | tee -a govet-output.log
echo "govet-exit-code=1" >> $GITHUB_OUTPUT
echo "govet-status=failure" >> $GITHUB_OUTPUT
exit 0 # Continue to allow summary generation
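
Review bot: The `exit 0` at the end of the go list failure branch makes the step itself succeed, so the failure survives only as the `govet-exit-code` and `govet-status` outputs; the job needs a later step that reads `govet-status` and fails on `failure`, otherwise a broken `go list` passes the code-quality check. The branch also runs `go list ./...` a second time to obtain the error text, so the logged error may not be the one that triggered the branch; capturing stderr once into `govet-output.log` avoids that. Quote `"$GITHUB_OUTPUT"` in both redirects.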
Copilot AI Jan 23, 2026

The PACKAGES=$(go list ./... 2>/dev/null | grep -v /vendor/) pipeline can return a non-zero status when grep produces no output (e.g., when all packages are filtered out), which will be treated here as a go list failure and short-circuit the step. Consider splitting go list from filtering (or making the filter non-fatal) so an empty package list is handled by the TOTAL == 0 branch instead of being misreported as a command failure.

Copilot uses AI. Check for mistakes.
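
An added example, not code from this pull request or the project: one way to structure the step so that neither issue raised in the two Copilot comments (an early exit before the outputs are written, and `grep -v` reporting an empty result as a failure) can let the gate pass silently. The function name `vet_package_list`, its arguments and the `success` status value are assumptions; the output file stands in for `$GITHUB_OUTPUT`.

```shell
#!/bin/sh
# Added example. vet_package_list and its arguments are hypothetical names.
#   $1 list command (stands in for: go list ./...)
#   $2 absolute path of the output file (stands in for $GITHUB_OUTPUT)
#   $3 optional module directory (stands in for $GO_MODULE_DIR)
# Prints the non-vendor packages and always appends govet-exit-code and
# govet-status to $2. Always returns 0, like the step's `exit 0`.
vet_package_list() {
  list_cmd=$1
  out_file=$2
  module_dir=${3:-}
  (
    # Fail closed: the recorded result is "failure" until the end is reached.
    code=1
    status=failure
    # The EXIT trap runs on every way out of this subshell, so the outputs
    # are written even when a command fails before the normal end.
    trap 'printf "govet-exit-code=%s\ngovet-status=%s\n" "$code" "$status" >> "$out_file"' EXIT

    if [ -n "$module_dir" ]; then
      cd "$module_dir" || exit 0            # recorded as failure by the trap
    fi

    # Run the list command on its own so that only its status decides
    # whether listing failed.
    all=$($list_cmd) || { code=$?; exit 0; }

    # grep -v exits 1 when nothing is left after filtering; that is an
    # empty package list, not an error.
    pkgs=$(printf '%s\n' "$all" | grep -v /vendor/ || true)

    code=0
    status=success                          # assumed value; the page shows only "failure"
    if [ -n "$pkgs" ]; then
      printf '%s\n' "$pkgs"
    fi
  )
}
```

A later gate step would then fail the job whenever `govet-status` is anything other than the success value.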