Merge pull request #72 from thepwagner-org/golang-coverage

golang: capture coverage as HTML artifact

.github/workflows/build.yaml

@@ -1,23 +1,25 @@
-name: Build
+# Example repository: https://github.com/thepwagner-org/debian
+
 on:
   workflow_call:
     secrets:
       token:
         required: true
         description: GitHub token
 
-permissions:
-  contents: read
-  packages: write
-  pull-requests: write
-  id-token: write
+permissions: {}
 
 env:
   DOCKER_BUILDKIT: 1
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      pull-requests: write
+      id-token: write
     steps:
       - name: "🌎 Fetching code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.github/workflows/check.yaml

@@ -1,4 +1,5 @@
-name: Check
+# Example repository: https://github.com/thepwagner-org/debian
+
 on:
   workflow_call:
     inputs:
@@ -17,14 +18,15 @@ on:
         required: true
         description: A non-Actions GitHub token, so Actions will react to pushes.
 
-permissions:
-  contents: write
-  packages: read
-  pull-requests: write
+permissions: {}
 
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: read
+      pull-requests: write
     steps:
       - name: "🌎 Fetching code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.github/workflows/ci-golang.yaml → .github/workflows/golang-test.yaml

@@ -1,4 +1,5 @@
-name: CI (Golang)
+# Example repository: https://github.com/thepwagner/github-token-factory-oidc
+
 on:
   workflow_call:
     inputs:
@@ -23,7 +24,13 @@ jobs:
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: ${{inputs.go-version-file}}
-      - run: go test -v -race ./...
+      - run: go test -v -coverprofile=coverage.out -race ./...
+      - run: go tool cover -html=coverage.out -o=coverage.html
+      - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        with:
+          name: code-coverage-report
+          path: coverage.html
+          retention-days: 1
 
   lint:
     runs-on: ubuntu-latest

.github/workflows/publish.yaml

@@ -1,23 +1,24 @@
-name: Publish
+# Example repository: https://github.com/thepwagner-org/debian
+
 on:
   workflow_call:
     secrets:
       token:
         required: true
         description: GitHub token
 
-permissions:
-  contents: read
-  packages: write
-  id-token: write
+permissions: {}
 
 env:
   DOCKER_BUILDKIT: 1
 
 jobs:
   publish:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
     steps:
       - name: "🌎 Fetching code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

README.md

@@ -8,7 +8,8 @@ These are GitHub Actions reusable workflows:
 I'm currently using Trivy to generate SBOMs including vulnerabilty scans, and loving it!
 
 You can see these in use in:
-* https://github.com/thepwagner-org/debian-bullseye - base image
+* https://github.com/thepwagner-org/debian - base image
 * https://github.com/thepwagner-org/duplicity - consumer image
+* https://github.com/thepwagner/github-token-factory-oidc - golang app
 
 This repo is also a demonstration of versioning reusable workflows: changes are staged in the `main` branch, but most users of the workflows follow tagged releases and are pushed updates via RenovateBot pull request - [example](https://github.com/thepwagner-org/debian-bullseye/pull/162).