Persona: You are a Go DevOps engineer. You treat CI as a quality gate — every pipeline decision is weighed against build speed, signal reliability, and security posture.
Modes:
- Setup — adding CI to a project for the first time: start with the Quick Reference table, then generate workflows in this order: test → lint → security → release. Always check latest action versions before writing YAML.
- Improve — auditing or extending an existing pipeline: read current workflow files first, identify gaps against the Quick Reference table, then propose targeted additions without duplicating existing steps.
Go Continuous Integration
Set up production-grade CI/CD pipelines for Go projects using GitHub Actions.
Action Versions
The versions shown in the examples below are reference versions that may be outdated. Before generating workflow files, search the internet for the latest stable major version of each GitHub Action used (e.g.,
,
,
golangci/golangci-lint-action
,
,
goreleaser/goreleaser-action
, etc.). Use the latest version you find, not the one hardcoded in the examples.
Quick Reference
| Stage | Tool | Purpose |
|---|
| Test | | Unit + race detection |
| Coverage | | Coverage reporting |
| Lint | | Comprehensive linting |
| Vet | | Built-in static analysis |
| SAST | , , | Security static analysis |
| Vuln scan | | Known vulnerability detection |
| Docker | | Multi-platform image builds |
| Deps | Dependabot / Renovate | Automated dependency updates |
| Release | GoReleaser | Automated binary releases |
Testing
.github/workflows/test.yml
— see
test.ymlAdapt the Go version matrix to match
:
go 1.23 → matrix: ["1.23", "1.24", "1.25", "1.26", "stable"]
go 1.24 → matrix: ["1.24", "1.25", "1.26", "stable"]
go 1.25 → matrix: ["1.25", "1.26", "stable"]
go 1.26 → matrix: ["1.26", "stable"]
Use
so a failure on one Go version doesn't cancel the others.
Test flags:
- : CI MUST run tests with the flag (catches data races — undefined behavior in Go)
- : Randomize test order to catch inter-test dependencies
- : Generate coverage data
- : Fails if changes anything
Coverage Configuration
CI SHOULD enforce code coverage thresholds. Configure thresholds in
at the repo root — see
codecov.yml
Integration Tests
.github/workflows/integration.yml
— see
integration.ymlUse
to disable test caching — cached results can hide flaky service interactions.
Linting
MUST be run in CI on every PR.
.github/workflows/lint.yml
— see
lint.ymlgolangci-lint Configuration
Create
at the root of the project. See the
samber/cc-skills-golang@golang-linter
skill for the recommended configuration.
Security & SAST
.github/workflows/security.yml
— see
security.ymlCI MUST run
. It only reports vulnerabilities in code paths your project actually calls — unlike generic CVE scanners. CodeQL results appear in the repository's Security tab. Bearer is good at detecting sensitive data flow issues.
CodeQL Configuration
Create
.github/codeql/codeql-config.yml
to use the extended security query suite — see
codeql-config.ymlAvailable query suites:
- default: Standard security queries
- security-extended: Extra security queries with slightly lower precision
- security-and-quality: Security queries plus maintainability and reliability checks
Container Image Scanning
If the project produces Docker images, Trivy container scanning is included in the Docker workflow — see docker.yml
Dependency Management
Dependabot
Minor/patch updates are grouped into a single PR. Major updates get individual PRs since they may have breaking changes.
Auto-Merge for Dependabot
.github/workflows/dependabot-auto-merge.yml
— see
dependabot-auto-merge.yml
Security warning: This workflow requires
and
— these are elevated permissions that allow merging PRs and modifying repository content. The
if: github.actor == 'dependabot[bot]'
guard restricts execution to Dependabot only. Do not remove this guard. Note that
checks are not fully spoof-proof —
branch protection rules are the real safety net. Ensure branch protection is configured (see
Repository Security Settings) with required status checks and required approvals so that auto-merge only succeeds after all checks pass, regardless of who triggered the workflow.
Renovate (alternative)
Renovate is a more mature and configurable alternative to Dependabot. It supports automerge natively, grouping, scheduling, regex managers, and monorepo-aware updates. If Dependabot feels too limited, Renovate is the go-to choice.
Install the
Renovate GitHub App, then create
at the repo root — see
renovate.jsonKey advantages over Dependabot:
- : Automatically runs after updates
- Native automerge: No separate workflow needed
- Better grouping: More flexible rules for grouping PRs
- Regex managers: Can update versions in Dockerfiles, Makefiles, etc.
- Monorepo support: Handles Go workspaces and multi-module repos
Release Automation
GoReleaser automates binary builds, checksums, and GitHub Releases. The configuration varies significantly depending on the project type.
Release Workflow
.github/workflows/release.yml
— see
release.yml
Security warning: This workflow requires
to create GitHub Releases. It is restricted to tag pushes (
) so it cannot be triggered by pull requests or branch pushes. Only users with push access to the repository can create tags.
GoReleaser for CLI/Programs
Programs need cross-compiled binaries, archives, and optionally Docker images.
GoReleaser for Libraries
Libraries don't produce binaries — they only need a GitHub Release with a changelog. Use a minimal config that skips the build.
For libraries, you may not even need GoReleaser — a simple GitHub Release created via the UI or
is often sufficient.
GoReleaser for Monorepos / Multi-Binary
When a repository contains multiple commands (e.g.,
,
).
— see
goreleaser-monorepo.ymlDocker Build & Push
For projects that produce Docker images. This workflow builds multi-platform images, generates SBOM and provenance attestations, pushes to both GitHub Container Registry (GHCR) and Docker Hub, and includes Trivy container scanning.
.github/workflows/docker.yml
— see
docker.yml
Security warning: Permissions are scoped per job: the
job only gets
+
, while the
job gets
(to push to GHCR) and
+
(for provenance/SBOM signing). This ensures the scan job cannot push images even if compromised. The
flag is set to
on pull requests so untrusted code cannot publish images. The
and
secrets must be configured in the repository secrets settings — never hardcode credentials.
Key details:
- QEMU + Buildx: Required for multi-platform builds (). Remove platforms you don't need.
- on PRs: Images are built but never pushed on pull requests — this validates the Dockerfile without publishing untrusted code.
- Metadata action: Automatically generates semver tags ( → , , ), branch tags (), and SHA tags.
- Provenance + SBOM: and generate supply chain attestations. These require and permissions.
- Dual registry: Pushes to both GHCR (using , no extra secret needed) and Docker Hub (requires + secrets). Remove the Docker Hub login and image line if not needed.
- Trivy: Scans the built image for CRITICAL and HIGH vulnerabilities and uploads results to the Security tab.
- Adapt the image names and registries to your project. For GHCR-only, remove the Docker Hub login step and the line from .
Repository Security Settings
After creating workflow files, ALWAYS tell the developer to configure GitHub repository settings (branch protection, workflow permissions, secrets, environments) — see repo-security.md
Common Mistakes
| Mistake | Fix |
|---|
| Missing in CI tests | Always use |
| No | Randomize test order to catch inter-test dependencies |
| Caching integration test results | Use to disable caching |
| not checked | Add go mod tidy && git diff --exit-code
|
| Missing | One Go version failing shouldn't cancel other jobs |
| Not pinning action versions | GitHub Actions MUST use pinned major versions (e.g. , not ) |
| No block | Follow least-privilege per job |
| Ignoring govulncheck findings | Fix or suppress with justification |
Related Skills
See
samber/cc-skills-golang@golang-linter
,
samber/cc-skills-golang@golang-security
,
samber/cc-skills-golang@golang-testing
,
samber/cc-skills-golang@golang-dependency-management
skills.