bsv-blockchain · mrz1836 · Oct 30, 2025 · Oct 30, 2025
@@ -36,6 +36,11 @@ GO_PRIMARY_VERSION=1.24.x
 # Set to same as primary to test with single version only
 GO_SECONDARY_VERSION=1.24.x
 
+# Govulncheck-specific Go version for vulnerability scanning
+# Uses newer Go version for accurate standard library vulnerability detection
+# Override this in .env.custom if needed for compatibility
+GOVULNCHECK_GO_VERSION=1.25.x
+
 # ================================================================================================
 # 📦 GO MODULE CONFIGURATION
 # ================================================================================================
@@ -73,6 +78,7 @@ PREFERRED_GITHUB_TOKEN=GH_PAT_TOKEN
 
 # Core Features
 ENABLE_BENCHMARKS=true                 # Run benchmark tests
+ENABLE_CACHE_WARMING=true              # Warm Go module and build caches
 ENABLE_CODE_COVERAGE=true              # Generate coverage reports via go-coverage
 ENABLE_FUZZ_TESTING=true               # Run fuzz tests (Go 1.18+)
 ENABLE_RACE_DETECTION=true             # Enable Go race detector
@@ -225,14 +231,15 @@ REDIS_CACHE_FORCE_PULL=false           # Force pull Redis images even when cache
 # 🪄 MAGE-X CONFIGURATION
 # ================================================================================================
 
-MAGE_X_VERSION=v1.7.6                                         # https://github.com/mrz1836/mage-x/releases
+MAGE_X_VERSION=v1.7.9                                         # https://github.com/mrz1836/mage-x/releases
+MAGE_X_USE_LOCAL=false                                        # Use local version for development
 MAGE_X_AUTO_DISCOVER_BUILD_TAGS=true                          # Enable auto-discovery of build tags
 MAGE_X_AUTO_DISCOVER_BUILD_TAGS_EXCLUDE=race,custom           # Comma-separated list of tags to exclude
 MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea    # Format exclusion paths (comma-separated directories to exclude from formatting)
 MAGE_X_GITLEAKS_VERSION=8.28.0                                # https://github.com/gitleaks/gitleaks/releases
 MAGE_X_GOFUMPT_VERSION=v0.9.1                                 # https://github.com/mvdan/gofumpt/releases
 MAGE_X_GOLANGCI_LINT_VERSION=v2.5.0                           # https://github.com/golangci/golangci-lint/releases
-MAGE_X_GORELEASER_VERSION=v2.12.2                             # https://github.com/goreleaser/goreleaser/releases
+MAGE_X_GORELEASER_VERSION=v2.12.7                             # https://github.com/goreleaser/goreleaser/releases
 MAGE_X_GOVULNCHECK_VERSION=v1.1.4                             # https://pkg.go.dev/golang.org/x/vuln
 MAGE_X_GO_SECONDARY_VERSION=1.24.x                            # Secondary Go version for MAGE-X (also our secondary)
 MAGE_X_GO_VERSION=1.24.x                                      # Primary Go version for MAGE-X (also our primary)

@@ -31,6 +31,10 @@ inputs:
   runner-os:
     description: "Runner OS for cache key (e.g., ubuntu-latest, windows-latest)"
     required: true
+  use-local:
+    description: "Build from local source instead of downloading release"
+    required: false
+    default: 'false'
 
 outputs:
   cache-hit:
@@ -48,37 +52,65 @@ runs:
     # --------------------------------------------------------------------
     - name: 💾 Restore magex binary cache
       id: magex-cache
+      if: inputs.use-local != 'true'
       uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
       with:
         path: |
           ~/.cache/magex-bin
         key: ${{ inputs.runner-os }}-magex-${{ inputs.magex-version }}
 
     # --------------------------------------------------------------------
-    # Make cached magex usable by copying to GOPATH/bin and adding to PATH
+    # Install cached binary to PATH when remote cache hits
     # --------------------------------------------------------------------
-    - name: 🛠️ Make cached magex usable
+    - name: 📦 Install cached MAGE-X to PATH (remote mode)
+      if: inputs.use-local != 'true' && steps.magex-cache.outputs.cache-hit == 'true'
       shell: bash
       run: |
-        set -euo pipefail
-        BIN_DIR="$HOME/.cache/magex-bin"
-        MAGEX_BIN="$BIN_DIR/magex"
-
-        # If we restored a cache, copy/link it into GOPATH/bin.
-        if [[ -f "$MAGEX_BIN" ]]; then
-          echo "✅ Using cached magex binary"
-          mkdir -p "$(go env GOPATH)/bin"
-          cp "$MAGEX_BIN" "$(go env GOPATH)/bin/"
-        fi
+        echo "📦 Installing cached MAGE-X binary to PATH..."
 
-        # Make sure the binary location is on PATH for *all* subsequent steps.
+        # Copy cached binary to GOPATH and add to PATH
+        mkdir -p "$(go env GOPATH)/bin"
+        cp ~/.cache/magex-bin/magex "$(go env GOPATH)/bin/magex"
+        chmod +x "$(go env GOPATH)/bin/magex"
         echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
 
+        echo "✅ Cached MAGE-X binary installed to PATH"
+
     # --------------------------------------------------------------------
-    # Detect platform and download MAGE-X binary *only* when the cache was empty.
+    # Restore local build cache (commit-specific for local builds)
     # --------------------------------------------------------------------
-    - name: ✅ Download MAGE-X binary (cache miss)
-      if: steps.magex-cache.outputs.cache-hit != 'true'
+    - name: 💾 Restore magex binary cache (local)
+      id: magex-local-cache
+      if: inputs.use-local == 'true'
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      with:
+        path: |
+          ~/.cache/magex-local
+        key: ${{ inputs.runner-os }}-local-magex-${{ github.sha }}
+        # No restore-keys: local builds are commit-specific only to prevent stale cache issues
+
+    # --------------------------------------------------------------------
+    # Install cached binary to PATH when local cache hits
+    # --------------------------------------------------------------------
+    - name: 📦 Install cached MAGE-X to PATH (local mode)
+      if: inputs.use-local == 'true' && steps.magex-local-cache.outputs.cache-hit == 'true'
+      shell: bash
+      run: |
+        echo "📦 Installing cached MAGE-X binary to PATH..."
+
+        # Copy cached binary to GOPATH and add to PATH
+        mkdir -p "$(go env GOPATH)/bin"
+        cp ~/.cache/magex-local/magex "$(go env GOPATH)/bin/magex"
+        chmod +x "$(go env GOPATH)/bin/magex"
+        echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
+
+        echo "✅ Cached MAGE-X binary installed to PATH"
+
+    # --------------------------------------------------------------------
+    # Download MAGE-X binary for remote mode when cache misses
+    # --------------------------------------------------------------------
+    - name: ✅ Download MAGE-X binary (remote mode only)
+      if: inputs.use-local != 'true' && steps.magex-cache.outputs.cache-hit != 'true'
       shell: bash
       run: |
         echo "⬇️ Cache miss – downloading MAGE-X binary..."
@@ -142,21 +174,60 @@ runs:
 
         echo "✅ Found magex binary at: $MAGEX_BINARY"
 
-        # Make it executable and copy to GOPATH/bin
+        # Make it executable and copy to cache directory
         chmod +x "$MAGEX_BINARY"
-        mkdir -p "$(go env GOPATH)/bin"
-        cp "$MAGEX_BINARY" "$(go env GOPATH)/bin/magex"
-
-        # Copy to cache directory for future runs
         mkdir -p ~/.cache/magex-bin
         cp "$MAGEX_BINARY" ~/.cache/magex-bin/magex
 
+        # Copy to GOPATH and add to PATH for subsequent steps
+        mkdir -p "$(go env GOPATH)/bin"
+        cp ~/.cache/magex-bin/magex "$(go env GOPATH)/bin/magex"
+        echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
+
         # Cleanup
         cd /
         rm -rf "$TEMP_DIR"
 
         echo "✅ MAGE-X binary downloaded and cached"
 
+    # --------------------------------------------------------------------
+    # Build MAGE-X from local source (when use-local is true)
+    # --------------------------------------------------------------------
+    - name: 🔨 Build MAGE-X from local source
+      id: build-local
+      if: inputs.use-local == 'true' && steps.magex-local-cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        echo "📦 Building local development version of MAGE-X"
+        cd "$GITHUB_WORKSPACE"
+
+        # Check if source directory exists (we're in mage-x repo with full checkout)
+        if [ ! -d "./cmd/magex" ]; then
+          echo "❌ ERROR: ./cmd/magex directory not found"
+          echo "❌ use-local=true requires mage-x repository with full checkout"
+          echo "❌ Either set use-local=false or ensure full repository checkout"
+          exit 1
+        fi
+
+        # Build from local source
+        echo "🔨 Building magex from ./cmd/magex..."
+        go build -v -o /tmp/magex ./cmd/magex
+        chmod +x /tmp/magex
+
+        # Show version for debugging
+        /tmp/magex --version || echo "⚠️  Version check skipped"
+
+        # Copy to local cache for future runs
+        mkdir -p ~/.cache/magex-local
+        cp /tmp/magex ~/.cache/magex-local/magex
+
+        # Add magex to PATH for subsequent steps
+        mkdir -p "$(go env GOPATH)/bin"
+        cp ~/.cache/magex-local/magex "$(go env GOPATH)/bin/magex"
+        echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
+
+        echo "✅ MAGE-X built from local source and cached"
+
     # --------------------------------------------------------------------
     # Verify MAGE-X installation and set outputs
     # --------------------------------------------------------------------
@@ -167,19 +238,29 @@ runs:
         echo "🔍 Verifying MAGE-X installation..."
 
         # Test that magex is available and working
-        if command -v magex >/dev/null 2>&1; then
-          MAGEX_VERSION=$(magex --version 2>/dev/null | grep -E '^\s+Version:' | awk '{print $2}' || echo "unknown")
-          echo "✅ MAGE-X is available: $MAGEX_VERSION"
+        if ! command -v magex >/dev/null 2>&1; then
+          echo "❌ ERROR: MAGE-X is not available in PATH" >&2
+          exit 1
+        fi
 
-          # Determine installation method
-          if [[ "${{ steps.magex-cache.outputs.cache-hit }}" == "true" ]]; then
+        MAGEX_VERSION=$(magex --version 2>/dev/null | grep -E '^\s+Version:' | awk '{print $2}' || echo "unknown")
+        echo "✅ MAGE-X $MAGEX_VERSION is available"
+
+        # Determine installation method based on mode and cache status
+        if [[ "${{ inputs.use-local }}" == "true" ]]; then
+          if [[ "${{ steps.magex-local-cache.outputs.cache-hit }}" == "true" ]]; then
             echo "method=cached" >> $GITHUB_OUTPUT
-            echo "📋 Installation method: Restored from cache"
+            echo "📋 Installation method: Cached (local build)"
           else
-            echo "method=fresh" >> $GITHUB_OUTPUT
-            echo "📋 Installation method: Fresh binary download"
+            echo "method=fresh-build" >> $GITHUB_OUTPUT
+            echo "📋 Installation method: Fresh build from source"
           fi
         else
-          echo "❌ ERROR: MAGE-X is not available in PATH" >&2
-          exit 1
+          if [[ "${{ steps.magex-cache.outputs.cache-hit }}" == "true" ]]; then
+            echo "method=cached" >> $GITHUB_OUTPUT
+            echo "📋 Installation method: Cached (remote download)"
+          else
+            echo "method=fresh-download" >> $GITHUB_OUTPUT
+            echo "📋 Installation method: Fresh download from releases"
+          fi
         fi
@@ -223,14 +223,14 @@ runs:
         if [ -n "$GO_MODULE_DIR" ]; then
           echo "🔧 Running build commands from directory: $GO_MODULE_DIR"
           # Use configured parallelism to avoid OOM on GitHub Actions runners
-          (cd "$GO_MODULE_DIR" && magex build:prebuild p="$PARALLEL_JOBS" strategy=smart)
+          (cd "$GO_MODULE_DIR" && magex build:prebuild p="$PARALLEL_JOBS" strategy="${MAGE_X_BUILD_STRATEGY:-smart}" batch_size="${MAGE_X_BUILD_BATCH_SIZE:-20}" batch_delay="${MAGE_X_BUILD_BATCH_DELAY_MS:-0}" exclude="${MAGE_X_BUILD_EXCLUDE_PATTERN:-}")
 
           echo "🏗️ Building stdlib for host platform..."
           (cd "$GO_MODULE_DIR" && magex install:stdlib)
         else
           echo "🔧 Running build commands from repository root"
           # Use configured parallelism to avoid OOM on GitHub Actions runners
-          magex build:prebuild p="$PARALLEL_JOBS" strategy=smart
+          magex build:prebuild p="$PARALLEL_JOBS" strategy="${MAGE_X_BUILD_STRATEGY:-smart}" batch_size="${MAGE_X_BUILD_BATCH_SIZE:-20}" batch_delay="${MAGE_X_BUILD_BATCH_DELAY_MS:-0}" exclude="${MAGE_X_BUILD_EXCLUDE_PATTERN:-}"
 
           echo "🏗️ Building stdlib for host platform..."
           magex install:stdlib

@@ -47,7 +47,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/init@5fe9434cd24fe243e33e7f3305f8a5b519b70280 # v4.31.1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/autobuild@5fe9434cd24fe243e33e7f3305f8a5b519b70280 # v4.31.1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
       #    uses a compiled language
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/analyze@5fe9434cd24fe243e33e7f3305f8a5b519b70280 # v4.31.1
@@ -159,6 +159,7 @@ jobs:
         with:
           magex-version: ${{ env.MAGE_X_VERSION }}
           runner-os: ${{ matrix.os }}
+          use-local: ${{ env.MAGE_X_USE_LOCAL }}
 
       # --------------------------------------------------------------------
       # Setup Redis service using composite action with caching

@@ -109,6 +109,7 @@ jobs:
         with:
           magex-version: ${{ env.MAGE_X_VERSION }}
           runner-os: ${{ inputs.primary-runner }}
+          use-local: ${{ env.MAGE_X_USE_LOCAL }}
 
       # --------------------------------------------------------------------
       # Run go vet with sequential execution to avoid memory issues
@@ -231,16 +232,6 @@ jobs:
           echo "GOMODCACHE=$HOME/go/pkg/mod"          >> $GITHUB_ENV
           echo "GOLANGCI_LINT_CACHE=$HOME/.cache/golangci-lint" >> $GITHUB_ENV
 
-      # --------------------------------------------------------------------
-      # Extract golangci-lint version (MAGE-X managed)
-      # --------------------------------------------------------------------
-      - name: 🔍 Use MAGE-X managed golangci-lint version
-        id: golangci-lint-version
-        run: |
-          # MAGE-X handles golangci-lint version automatically
-          echo "✅ Using MAGE-X managed golangci-lint version"
-          echo "version=${{ env.MAGE_X_GOLANGCI_LINT_VERSION }}" >> $GITHUB_OUTPUT
-
       # --------------------------------------------------------------------
       # Setup Go with caching and version management
       # --------------------------------------------------------------------
@@ -270,6 +261,7 @@ jobs:
         with:
           magex-version: ${{ env.MAGE_X_VERSION }}
           runner-os: ${{ inputs.primary-runner }}
+          use-local: ${{ env.MAGE_X_USE_LOCAL }}
 
       # --------------------------------------------------------------------
       # Restore Cache golangci-lint
@@ -279,7 +271,7 @@ jobs:
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ${{ env.GOLANGCI_LINT_CACHE }}
-          key: ${{ inputs.primary-runner }}-golangci-lint-analysis-${{ hashFiles('.golangci.json', env.GO_SUM_FILE) }}-${{ steps.golangci-lint-version.outputs.version }}
+          key: ${{ inputs.primary-runner }}-golangci-lint-analysis-${{ hashFiles('.golangci.json', env.GO_SUM_FILE) }}
 
       - name: 🔍 Debug cache usage
         run: |
@@ -409,6 +401,7 @@ jobs:
         with:
           magex-version: ${{ env.MAGE_X_VERSION }}
           runner-os: ${{ inputs.primary-runner }}
+          use-local: ${{ env.MAGE_X_USE_LOCAL }}
 
       # --------------------------------------------------------------------
       # Get yamlfmt version from MAGE-X

@@ -138,6 +138,7 @@ jobs:
         with:
           magex-version: ${{ env.MAGE_X_VERSION }}
           runner-os: ${{ inputs.primary-runner }}
+          use-local: ${{ env.MAGE_X_USE_LOCAL }}
 
       # --------------------------------------------------------------------
       # Extract GoReleaser version from environment

@@ -204,12 +204,14 @@ jobs:
 
       # --------------------------------------------------------------------
       # Setup Go with caching and version management
+      # Uses GOVULNCHECK_GO_VERSION if set, otherwise falls back to primary version
+      # This allows govulncheck to use a newer Go version for accurate stdlib vulnerability detection
       # --------------------------------------------------------------------
       - name: 🏗️ Setup Go with Cache
         id: setup-govulncheck
         uses: ./.github/actions/setup-go-with-cache
         with:
-          go-version: ${{ inputs.go-primary-version }}
+          go-version: ${{ env.GOVULNCHECK_GO_VERSION || inputs.go-primary-version }}
           matrix-os: ${{ inputs.primary-runner }}
           go-primary-version: ${{ inputs.go-primary-version }}
           go-secondary-version: ${{ inputs.go-primary-version }}
@@ -231,6 +233,7 @@ jobs:
         with:
           magex-version: ${{ env.MAGE_X_VERSION }}
           runner-os: ${{ inputs.primary-runner }}
+          use-local: ${{ env.MAGE_X_USE_LOCAL }}
 
       # --------------------------------------------------------------------
       # Restore (and later save) a compact cache for the govulncheck binary