Pull request overview
This PR syncs CI/CD infrastructure from the upstream source repository by replacing the monolithic .github/.env.base configuration with a modular .github/env/ layout, updating workflows/actions to consume the new loader, and adding resiliency improvements for artifact downloads.
Changes:
- Replaced .github/.env.base with modular .github/env/*.env files plus a shared load-env.sh loader and documentation.
- Updated composite actions and workflows to load configuration from .github/env/ and adjusted associated outputs/documentation.
- Added/updated GitHub Actions utilities (notably resilient artifact download behavior) and refreshed pinned action SHAs.
Reviewed changes
Copilot reviewed 32 out of 32 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| .github/workflows/sync-labels.yml | Updates sparse checkout to include .github/env for modular config loading. |
| .github/workflows/stale-check.yml | Updates docs/sparse checkout to use .github/env modular config. |
| .github/workflows/scorecard.yml | Bumps pinned upload-sarif action SHA/version. |
| .github/workflows/pull-request-management.yml | Switches to .github/env and adds fork PR skip condition. |
| .github/workflows/pull-request-management-fork.yml | Switches to .github/env and adds same-repo PR skip condition; aligns comments. |
| .github/workflows/fortress.yml | Updates fortress metadata and replaces legacy env outputs with modular counts. |
| .github/workflows/fortress-warm-cache.yml | Updates sparse checkout to include .github/env. |
| .github/workflows/fortress-test-magex.yml | Updates sparse checkout to include .github/env. |
| .github/workflows/fortress-setup-config.yml | Replaces legacy env discovery outputs with modular env file/var counts in summary. |
| .github/workflows/fortress-coverage.yml | Updates user-facing guidance text to point at modular env file locations. |
| .github/workflows/fortress-completion-tests.yml | Updates user-facing guidance to reference modular env file locations. |
| .github/workflows/dependabot-auto-merge.yml | Updates comments and sparse checkout to use .github/env. |
| .github/workflows/codeql-analysis.yml | Bumps pinned CodeQL action SHAs/versions. |
| .github/workflows/auto-merge-on-approval.yml | Updates comments and sparse checkout to use .github/env. |
| .github/tech-conventions/pre-commit.md | Updates documentation to reference modular env layout. |
| .github/tech-conventions/commit-branch-conventions.md | Updates documentation to reference modular env layout. |
| .github/env/load-env.sh | Adds modular env loader to source .env fragments in order. |
| .github/env/README.md | Documents modular env structure, load order, and override strategy. |
| .github/env/20-workflows.env | Introduces workflow automation configuration variables (stale/labels/auto-merge/PR mgmt). |
| .github/env/20-redis.env | Introduces Redis service configuration variables for workflows/tests. |
| .github/env/10-security.env | Introduces security tool configuration variables and versions. |
| .github/env/10-pre-commit.env | Introduces go-pre-commit configuration variables and tool versions. |
| .github/env/10-mage-x.env | Introduces mage-x configuration variables and tool versions. |
| .github/env/10-coverage.env | Introduces go-coverage configuration variables and reporting behavior. |
| .github/env/00-core.env | Introduces core CI defaults (Go versions, runners, feature flags, timeouts). |
| .github/docs/workflows.md | Adds documentation index for workflows and config entrypoint. |
| .github/docs/repository-features.md | Adds repository feature overview and links to relevant automation/docs. |
| .github/actions/load-env/action.yml | Reworks env loading to use load-env.sh and produce workflow-consumable outputs. |
| .github/actions/download-artifact-resilient/action.yml | Adds fallback behavior when artifact listing fails and improves error messaging. |
| .github/CODEOWNERS | Updates ownership patterns for new .github/env and tech conventions paths. |
| .github/.yamlfmt | Excludes modular env directory from YAML formatting tooling. |
| .github/.env.base | Deletes the former monolithic env file in favor of modular files. |
|
|
||
| # shellcheck source=/dev/null | ||
| source "$env_file" | ||
| ((count++)) |
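Review bot: `source "$env_file"` executes every fragment as shell code, so the `.github/env/*.env` files are scripts rather than dotenv data: a `$(...)` or backtick inside a value runs at load time and a stray unquoted word becomes a command. Either state that the fragments use shell syntax and keep `.github/env/*` under CODEOWNERS review, or have the loader read `KEY=value` lines literally instead of sourcing them.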
load-env.sh runs with set -e, and ((count++)) returns exit status 1 on the first iteration (because the expression evaluates to 0). This will cause the loader to exit after sourcing the first .env file. Use a non-zero arithmetic form like ((++count)) / ((count+=1)) to avoid set -e aborts.
| ((count++)) | |
| ((++count)) |
| # Extract all exported variables to JSON for workflow compatibility | ||
| echo "📦 Extracting environment variables to JSON..." | ||
| ENV_JSON=$(env | grep -E '^[A-Z_][A-Z0-9_]*=' | while IFS='=' read -r key value; do | ||
| # Escape special characters in value for JSON | ||
| escaped_value=$(printf '%s' "$value" | jq -Rs '.') | ||
| echo "{\"$key\": $escaped_value}" | ||
| done | jq -s 'add // {}') |
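Review bot: the `env | grep -E ... | while IFS='=' read -r key value` pipeline on the ENV_JSON line mis-handles multi-line values: only the first physical line matches the regex, and continuation lines are dropped or, if one happens to look like `NAME=...`, turned into a bogus key. If the whole environment must be walked, iterate over `env -0` with `read -r -d ''`; building the object from the keys declared in the `.env` files and reading them with `printenv` avoids the problem entirely.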
The action builds env-json from env, which captures the entire runner environment (PATH, HOME, GITHUB_, RUNNER_, etc.), not just config from .github/env/*.env. Downstream parse-env writes every key to GITHUB_ENV, so this can overwrite critical runner/GitHub variables and create hard-to-debug behavior. Consider constructing JSON only from keys defined in the modular env files (e.g., parse keys from .github/env/*.env and printenv them), or restrict to an allowlist/prefix set.
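One way to restrict the JSON to the keys the modular files declare, as an added example rather than the action's own code. It assumes the `.github/env/*.env` fragments are plain shell-style `KEY=value` files and builds the object in bash without jq; the `90-project.env` file and the `RELEASE_NOTE` value are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not the action's own code): emit a JSON object holding only
# the variables declared in the given env fragments, not the whole runner env.
# Assumes the fragments are shell-style KEY=value files, as load-env.sh sources them.
set -euo pipefail

# Minimal JSON string escaping: backslash, double quote, newline, tab, CR.
json_escape() {
  local v=$1
  v=${v//\\/\\\\}
  v=${v//\"/\\\"}
  v=${v//$'\n'/\\n}
  v=${v//$'\t'/\\t}
  v=${v//$'\r'/\\r}
  printf '"%s"' "$v"
}

# Names declared as KEY=... in the env files (comment lines ignored, an
# optional 'export' prefix stripped), de-duplicated.
declared_keys() {
  sed -nE 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)=.*/\2/p' "$@" | sort -u
}

# Build the object from the current values of the declared keys only, so
# PATH, HOME, GITHUB_* and RUNNER_* never reach GITHUB_ENV via parse-env.
env_to_json() {
  local first=1 key
  printf '{'
  while IFS= read -r key; do
    [[ -v $key ]] || continue          # declared but unset: skip
    (( first )) || printf ','
    first=0
    printf '%s:%s' "$(json_escape "$key")" "$(json_escape "${!key}")"
  done < <(declared_keys "$@")
  printf '}\n'
}
# Demo on a constructed fragment (values taken from the review thread, plus
# one quoted value to exercise escaping); not a real repository file.
demo() {
  local dir; dir=$(mktemp -d)
  cat > "$dir/90-project.env" <<'EOF'
# constructed sample fragment
GO_COVERAGE_PROVIDER=codecov
export GO_SECONDARY_VERSION=1.23.x
RELEASE_NOTE='says "hi"'
EOF
  source "$dir/90-project.env"   # same mechanism load-env.sh uses
  env_to_json "$dir"/*.env
  rm -rf "$dir"
}
```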
| echo "❌ ERROR: Failed to load environment configuration" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
This loader no longer reads .github/.env.custom, but the repo still contains .github/.env.custom with active overrides (e.g., GO_COVERAGE_PROVIDER=codecov, GO_SECONDARY_VERSION=1.23.x). As a result, existing project-specific settings will silently stop applying. Either migrate those overrides into the modular .github/env/ files (e.g., add a repo-specific 90-project.env) or have load-env.sh/this action source .github/.env.custom for backward compatibility.
| # Backward compatibility: load .github/.env.custom if present | |
| CUSTOM_ENV_FILE=".github/.env.custom" | |
| if [[ -f "$CUSTOM_ENV_FILE" ]]; then | |
| echo "🧩 Loading project-specific overrides from $CUSTOM_ENV_FILE" | |
| # Source after modular envs so project overrides take precedence | |
| source "$CUSTOM_ENV_FILE" | |
| fi |
| echo "↪ Falling back to direct download attempt (skipping preflight list)" | ||
|
|
||
| DOWNLOAD_CMD="gh run download ${{ github.run_id }} --pattern \"$ARTIFACT_PATTERN\" --dir \"$ARTIFACT_PATH\"" | ||
| if timeout "$DOWNLOAD_TIMEOUT" bash -c "$DOWNLOAD_CMD"; then | ||
| echo "✅ Successfully downloaded artifacts via fallback" | ||
| DOWNLOAD_SUCCESS=true | ||
| ARTIFACTS_FOUND=1 | ||
| break |
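Review bot: the fallback branch sets `ARTIFACTS_FOUND=1` after a successful `gh run download` without knowing how many artifacts actually landed in `$ARTIFACT_PATH`; if later steps consume that count, derive it from the downloaded directory contents instead of hard-coding 1. Separately, `${{ github.run_id }}` is interpolated directly into the script body; passing it through an `env:` variable keeps the run step free of template expressions.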
DOWNLOAD_CMD is assembled as a single shell string and executed via bash -c, which is vulnerable to input containing quotes/shell metacharacters in ARTIFACT_PATTERN/ARTIFACT_PATH (action inputs). Prefer invoking gh run download with a bash array (no bash -c) so arguments are passed safely without shell interpretation.
| | [fortress.yml](../workflows/fortress.yml) | Runs the GoFortress security and testing workflow, including linting, testing, releasing, and vulnerability checks. | | ||
| | [pull-request-management.yml](../workflows/pull-request-management.yml) | Labels PRs by branch prefix, assigns a default user if none is assigned, and welcomes new contributors with a comment. | | ||
| | [scorecard.yml](../workflows/scorecard.yml) | Runs [OpenSSF](https://openssf.org/) Scorecard to assess supply chain security. | | ||
| | [stale.yml](../workflows/stale-check.yml) | Warns about (and optionally closes) inactive issues and PRs on a schedule or manual trigger. | |
The link text says stale.yml but the actual workflow file is stale-check.yml. Update the table entry label to match the filename to avoid confusion for readers.
| | [stale.yml](../workflows/stale-check.yml) | Warns about (and optionally closes) inactive issues and PRs on a schedule or manual trigger. | | |
| | [stale-check.yml](../workflows/stale-check.yml) | Warns about (and optionally closes) inactive issues and PRs on a schedule or manual trigger. | |
| * **Relentless Dependency & Vulnerability Scans** via [Dependabot](https://dependabot.com) (runs daily at 8am to ensure broadcast dependencies are always current), [Nancy](https://github.com/sonatype-nexus-community/nancy), and [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck). | ||
| * **Security Posture by Default** with [CodeQL](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning), [OpenSSF Scorecard](https://openssf.org), and secret‑leak detection via [gitleaks](https://github.com/gitleaks/gitleaks). | ||
| * **Automatic Syndication** to [pkg.go.dev](https://pkg.go.dev/) on every release for instant godoc visibility. | ||
| * **Polished Community Experience** using rich templates for [Issues & PRs](https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-go-broadcastsitory). |
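Review bot: "ensure broadcast dependencies are always current" on the Dependabot line reads like the same token substitution that mangled the issue-templates URL (`for-go-broadcastsitory`); confirm the intended wording (the project name, or simply "dependencies") so the feature list does not carry a second templating artifact.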
This URL looks malformed: ...configuring-issue-templates-for-go-broadcastsitory (extra 'sitory'). It likely 404s; please correct the link target.
| * **Polished Community Experience** using rich templates for [Issues & PRs](https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-go-broadcastsitory). | |
| * **Polished Community Experience** using rich templates for [Issues & PRs](https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository). |
| .github/scripts/* @mrz1836 | ||
| .github/workflows/* @mrz1836 | ||
| .github/env/* @mrz1836 | ||
| .github/.env.base @mrz1836 |
CODEOWNERS still lists .github/.env.base, but that file is deleted in this PR. Leaving stale paths is confusing and can mislead reviewers about where configuration lives; remove or replace with the new .github/env/* entries only.
| .github/.env.base @mrz1836 |
| # | ||
| # Maintainer: @mrz1836 | ||
| # Repository: https://github.com/mrz1836/go-fortress | ||
| # Repository: https://github.com/mrz1836/go-broadcast |
The header comment now points to https://github.com/mrz1836/go-broadcast as the repository for GoFortress. If this is meant to reference the fortress project/template, this URL looks incorrect and may confuse maintainers troubleshooting CI provenance; consider updating it to the correct upstream/tooling repo or to this repository.
| # Repository: https://github.com/mrz1836/go-broadcast | |
| # Repository: https://github.com/mrz1836/go-fortress |
What Changed
- .github/.env.base configuration file (550 lines) with a modular .github/env/ directory structure containing separate environment files 00-core.env, 10-coverage.env, 10-mage-x.env, 10-pre-commit.env, 10-security.env, 20-redis.env, and 20-workflows.env
- load-env.sh shell script to source environment files in order and a README.md documenting the new structure
- .github/actions/load-env/action.yml to use the new modular approach with the load-env.sh script
- .github/actions/download-artifact-resilient/action.yml composite action for resilient artifact downloads with retry logic
- .github/workflows/fortress-setup-config.yml reusable workflow to centralize environment configuration loading
- .github/tech-conventions/ (commit-branch-conventions.md, pre-commit.md)
- .github/CODEOWNERS and .github/.yamlfmt configuration files
Why It Was Necessary
- .env.base file was difficult to maintain, navigate, and understand - splitting into focused modules improves maintainability and clarity
Testing Performed
- load-env action and fortress-setup-config reusable workflow
- load-env.sh script
- download-artifact-resilient action includes proper retry logic and error handling for artifact operations
Impact / Risk
- .github/.env.base must migrate to the new .github/env/ structure - however, the load-env action maintains backward compatibility