
Harden CI pipeline: race detector, security scanning, code coverage #16

@haasonsaas

Description

Summary

CI runs fmt, proto, vet, and test — solid baseline, but missing important checks for a security-critical system.

Current state

  • .github/workflows/ci.yml — Go 1.24, protoc v33.4, four checks
  • No race detector (-race flag)
  • No security scanning (gosec, trivy)
  • No linting (golangci-lint)
  • No dependency vulnerability scanning
  • No code coverage reporting

Required work

  • Add go test -race ./... to catch data races (the budget tracker and memory store use mutexes — races here would be silent corruption)
  • Add golangci-lint with a reasonable config (errcheck, gosimple, govet, ineffassign, staticcheck, unused at minimum)
  • Add gosec for security-focused static analysis
  • Add go mod verify to ensure module checksums are valid
  • Add code coverage reporting (upload to Codecov or similar) — set a floor, not a target
  • Add dependency vulnerability scanning (govulncheck or nancy)
  • Add a make lint target to the Makefile
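
The checks above, wired into one script that both the Makefile targets and the CI jobs can call, as an added example that is not code from this issue or the repository. It assumes a hypothetical scripts/ci-check.sh, that go, golangci-lint, gosec and govulncheck are on PATH, and a default coverage floor of 70% (an assumed value; the issue only says to set a floor). The sample `go tool cover -func` output at the bottom is constructed for the self-check.

```shell
#!/bin/sh
# scripts/ci-check.sh (hypothetical): lint, race-enabled tests with a
# coverage floor, and supply-chain checks, callable as
#   sh scripts/ci-check.sh lint | test-race | security-scan | all
set -eu

# Floor, not target: the build fails only if coverage drops below this.
COVERAGE_FLOOR="${COVERAGE_FLOOR:-70}"   # percent; assumed default

# coverage_total: read `go tool cover -func=coverage.out` output on stdin
# and print the total statement coverage (e.g. "73.4") without the '%'.
coverage_total() {
    awk '$1 == "total:" { v = $NF; sub(/%$/, "", v); print v }'
}

# coverage_meets_floor TOTAL FLOOR: succeed when TOTAL >= FLOOR.
# Compared in awk so fractional percentages are handled correctly.
coverage_meets_floor() {
    awk -v got="$1" -v floor="$2" 'BEGIN { exit !(got + 0 >= floor + 0) }'
}

ci_lint() {
    # gofmt -l lists unformatted files; any output is a failure.
    test -z "$(gofmt -l .)"
    go vet ./...
    golangci-lint run ./...
    gosec ./...
}

ci_test_race() {
    # -race turns silent mutex misuse into a hard failure; -coverprofile
    # feeds the floor check below.
    go test -race -coverprofile=coverage.out ./...
    total=$(go tool cover -func=coverage.out | coverage_total)
    if ! coverage_meets_floor "$total" "$COVERAGE_FLOOR"; then
        echo "coverage ${total}% is below floor ${COVERAGE_FLOOR}%" >&2
        return 1
    fi
    echo "coverage ${total}% (floor ${COVERAGE_FLOOR}%)"
}

ci_security_scan() {
    # go mod verify checks module contents against go.sum; govulncheck
    # reports only vulnerabilities in code paths the binary actually reaches.
    go mod verify
    govulncheck ./...
}

ci_run() {
    case "$1" in
        lint)          ci_lint ;;
        test-race)     ci_test_race ;;
        security-scan) ci_security_scan ;;
        all)           ci_lint; ci_test_race; ci_security_scan ;;
        *) echo "usage: $0 lint|test-race|security-scan|all" >&2; return 2 ;;
    esac
}

# Constructed sample of `go tool cover -func` output, used to self-check
# the parsing helpers; not real repository data.
SAMPLE_COVER_FUNC='pkg/budget/tracker.go:12:   NewTracker     100.0%
pkg/budget/tracker.go:30:   Spend          66.7%
pkg/memory/store.go:18:     Put            80.0%
total:                      (statements)   73.4%'

# Only dispatch when a target is given, so the file can also be sourced.
[ $# -eq 0 ] || ci_run "$@"
```

The Makefile targets from the issue (lint, test-race, security-scan) then become one-liners that invoke this script, and the CI jobs call the same targets, so local and CI results cannot drift.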

Files

  • .github/workflows/ci.yml — add jobs
  • Makefile — add lint, test-race, security-scan targets
  • .golangci.yml — linter configuration

Priority

Medium — catches real bugs cheaply.

🤖 Generated with Claude Code
