From cc-skills-golang
Configures GitHub Actions CI/CD pipelines for Go projects covering testing, linting, SAST, security scans, coverage, Dependabot, Renovate, GoReleaser, and releases.
Install: npx claudepluginhub samber/cc --plugin cc-skills-golang
**Persona:** You are a Go DevOps engineer. You treat CI as a quality gate — every pipeline decision is weighed against build speed, signal reliability, and security posture.
Bundled assets:
- assets/codecov.yml
- assets/codeql-config.yml
- assets/dependabot-auto-merge.yml
- assets/dependabot.yml
- assets/docker.yml
- assets/goreleaser-cli.yml
- assets/goreleaser-lib.yml
- assets/goreleaser-monorepo.yml
- assets/integration.yml
- assets/lint.yml
- assets/release.yml
- assets/renovate.json
- assets/security.yml
- assets/test.yml
- evals/evals.json
- references/repo-security.md
Modes:
Set up production-grade CI/CD pipelines for Go projects using GitHub Actions.
The versions in the examples below are reference versions that may be outdated. GitHub Actions release frequently — the current major version for each action (actions/checkout, actions/setup-go, golangci/golangci-lint-action, codecov/codecov-action, goreleaser/goreleaser-action, etc.) may differ from what is shown here.
| Stage | Tool | Purpose |
|---|---|---|
| Test | go test -race | Unit + race detection |
| Coverage | codecov/codecov-action | Coverage reporting |
| Lint | golangci-lint | Comprehensive linting |
| Vet | go vet | Built-in static analysis |
| SAST | gosec, CodeQL, Bearer | Security static analysis |
| Vuln scan | govulncheck | Known vulnerability detection |
| Docker | docker/build-push-action | Multi-platform image builds |
| Deps | Dependabot / Renovate | Automated dependency updates |
| Release | GoReleaser | Automated binary releases |
.github/workflows/test.yml — see test.yml
Adapt the Go version matrix to match go.mod:
go 1.23 → matrix: ["1.23", "1.24", "1.25", "1.26", "stable"]
go 1.24 → matrix: ["1.24", "1.25", "1.26", "stable"]
go 1.25 → matrix: ["1.25", "1.26", "stable"]
go 1.26 → matrix: ["1.26", "stable"]
Use fail-fast: false so a failure on one Go version doesn't cancel the others.
Test flags:
- -race: CI MUST run tests with the -race flag (catches data races, whose behavior the Go memory model leaves largely undefined)
- -shuffle=on: Randomize test order to catch inter-test dependencies
- -coverprofile: Generate coverage data
- git diff --exit-code: Run right after go mod tidy; it fails the job if tidy changed go.mod or go.sum, so a stale module graph never reaches main

CI SHOULD enforce code coverage thresholds. Configure thresholds in codecov.yml at the repo root — see codecov.yml
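The following workflow is an added example that ties the matrix, fail-fast, test flags and tidy check above into one file; it is not the skill's bundled test.yml. The action major versions, the Go versions in the matrix (taken from the go 1.24 row above) and the use of a CODECOV_TOKEN secret are assumptions to adapt.

```yaml
# .github/workflows/test.yml (added example, not the skill's bundled asset;
# action versions are assumptions and may be behind current releases)
name: test

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read  # least privilege: the test job never needs write access

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false  # a failure on one Go version must not cancel the others
      matrix:
        go: ["1.24", "1.25", "1.26", "stable"]  # match the go directive in go.mod
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go }}
          check-latest: true

      - name: Verify go.mod and go.sum are tidy
        # git diff exits non-zero if go mod tidy rewrote either file
        run: |
          go mod tidy
          git diff --exit-code -- go.mod go.sum

      - name: Unit tests (race detector, shuffled order, coverage)
        # -race forces atomic coverage mode, so it is stated explicitly
        run: go test -race -shuffle=on -covermode=atomic -coverprofile=coverage.out ./...

      - name: Upload coverage
        # upload from one matrix leg only so Codecov sees a single report per commit
        if: matrix.go == 'stable'
        uses: codecov/codecov-action@v4
        with:
          files: coverage.out
          token: ${{ secrets.CODECOV_TOKEN }}  # assumption: repository uses a Codecov token
          fail_ci_if_error: true
```

The workflow-level permissions block is the important part from a security standpoint: the token handed to this job can read the repository and nothing else, so a malicious test or dependency that runs here cannot push, open PRs or touch secrets beyond those explicitly passed in.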
.github/workflows/integration.yml — see integration.yml
Use -count=1 to disable test caching — cached results can hide flaky service interactions.
golangci-lint MUST be run in CI on every PR. .github/workflows/lint.yml — see lint.yml
Create .golangci.yml at the root of the project. See the samber/cc-skills-golang@golang-lint skill for the recommended configuration.
.github/workflows/security.yml — see security.yml
CI MUST run govulncheck. Unlike generic CVE scanners that match on module versions, govulncheck uses call-graph analysis and only reports vulnerabilities in functions your code actually reaches, so its findings are rarely noise and should be fixed rather than suppressed. CodeQL results appear in the repository's Security tab. Bearer is good at detecting sensitive data flow issues.
Create .github/codeql/codeql-config.yml to use the extended security query suite — see codeql-config.yml
Available query suites: default (what code scanning runs with no config file), security-extended (the default plus lower-precision security queries), and security-and-quality (security-extended plus maintainability and reliability queries).
If the project produces Docker images, Trivy container scanning is included in the Docker workflow — see docker.yml
.github/dependabot.yml — see dependabot.yml
Minor/patch updates are grouped into a single PR. Major updates get individual PRs since they may have breaking changes.
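The grouping rule above, written out as an added example (not the skill's bundled dependabot.yml). It assumes a weekly schedule and that GitHub Actions pins are updated alongside Go modules; both are choices, not requirements.

```yaml
# .github/dependabot.yml (added example, not the skill's bundled asset)
version: 2
updates:
  - package-ecosystem: gomod
    directory: /
    schedule:
      interval: weekly
    groups:
      # one PR per week for every minor and patch bump ...
      go-minor-patch:
        update-types: ["minor", "patch"]
    # ... while major bumps match no group and therefore get individual PRs,
    # one per dependency, so breaking changes are reviewed on their own
    open-pull-requests-limit: 10

  # keep pinned action versions current too, including commit-SHA pins
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    groups:
      actions-minor-patch:
        update-types: ["minor", "patch"]
```

With Go modules a major version usually lives at a new import path (`/v2`), so the "major" bucket is mostly about v0.x-to-v1 moves and pre-1.0 modules that break compatibility on minor bumps; reviewing those PRs individually is the point of leaving them ungrouped.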
.github/workflows/dependabot-auto-merge.yml — see dependabot-auto-merge.yml
Security warning: This workflow requires contents: write and pull-requests: write. These are elevated permissions that allow merging PRs and modifying repository content. The if: github.actor == 'dependabot[bot]' guard restricts execution to Dependabot only. Do not remove this guard. Note that github.actor checks are not fully spoof-proof: github.actor is the account that triggered the run, which for a re-run or a later push can differ from the PR author, so branch protection rules are the real safety net. Ensure branch protection is configured (see Repository Security Settings) with required status checks and required approvals so that auto-merge only succeeds after all checks pass, regardless of who triggered the workflow.
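An added example of the auto-merge workflow as described above (not the skill's bundled dependabot-auto-merge.yml). It assumes the dependabot/fetch-metadata action and the gh CLI on the runner; the second condition on the PR author login and the exclusion of semver-major updates are additions beyond the minimal github.actor guard.

```yaml
# .github/workflows/dependabot-auto-merge.yml (added example, not the skill's asset;
# action version is an assumption)
name: dependabot-auto-merge

on: pull_request

permissions:
  contents: write        # gh pr merge merges into the protected branch
  pull-requests: write   # --auto flags the PR for auto-merge

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # github.actor alone is not spoof-proof, so the PR author is checked too.
    # Branch protection stays the real gate: --auto only merges after every
    # required check and approval on the target branch is satisfied.
    if: >-
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      # Deliberately no checkout: nothing from the PR branch runs with this
      # write-capable token; only PR metadata is read.
      - id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for minor and patch updates only
        # Major bumps are left for a human reviewer.
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Workflows triggered by Dependabot receive a read-only GITHUB_TOKEN by default; the explicit permissions block is what raises it to write here, which is why the block should list nothing beyond the two scopes the merge needs.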
Renovate is a more mature and configurable alternative to Dependabot. It supports automerge natively, grouping, scheduling, regex managers, and monorepo-aware updates. If Dependabot feels too limited, Renovate is the go-to choice.
Install the Renovate GitHub App, then create renovate.json at the repo root — see renovate.json
Key advantages over Dependabot:
- gomodTidy: Automatically runs go mod tidy after updates

GoReleaser automates binary builds, checksums, and GitHub Releases. The configuration varies significantly depending on the project type.
.github/workflows/release.yml — see release.yml
Security warning: This workflow requires contents: write to create GitHub Releases. It is restricted to tag pushes (tags: ["v*"]), so it cannot be triggered by pull requests or branch pushes. Only users with push access to the repository can create tags; because every such user can therefore cut a release, add a tag ruleset (or tag protection rule) for v* so that only release managers can create or delete those tags.
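The release workflow sketched above, as an added example rather than the skill's bundled release.yml. It assumes GoReleaser v2 (hence `release --clean`) and the goreleaser-action major version shown; adjust both to what is current.

```yaml
# .github/workflows/release.yml (added example, not the skill's bundled asset;
# action versions are assumptions)
name: release

on:
  push:
    tags: ["v*"]  # tag pushes only: PRs and branch pushes never reach this workflow

permissions:
  contents: write  # create the GitHub Release and upload archives/checksums

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history and tags are needed for the changelog
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean  # --clean wipes dist/ so stale artifacts are never published
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Note what is absent: no `pull_request` trigger, no `workflow_dispatch`, and no secrets beyond GITHUB_TOKEN. If signing or Docker Hub pushes are added later, scope those secrets to a protected environment rather than exposing them to every tag push.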
Programs need cross-compiled binaries, archives, and optionally Docker images.
.goreleaser.yml — see goreleaser-cli.yml
Libraries don't produce binaries — they only need a GitHub Release with a changelog. Use a minimal config that skips the build.
.goreleaser.yml — see goreleaser-lib.yml
For libraries, you may not even need GoReleaser — a simple GitHub Release created via the UI or gh release create is often sufficient.
When a repository contains multiple commands (e.g., cmd/api/, cmd/worker/).
.goreleaser.yml — see goreleaser-monorepo.yml
For projects that produce Docker images. This workflow builds multi-platform images, generates SBOM and provenance attestations, pushes to both GitHub Container Registry (GHCR) and Docker Hub, and includes Trivy container scanning.
.github/workflows/docker.yml — see docker.yml
Security warning: Permissions are scoped per job. The container-scan job only gets contents: read + security-events: write, while the docker job gets packages: write (to push to GHCR) and attestations: write + id-token: write (for provenance/SBOM signing). This ensures the scan job cannot push images even if compromised. The push flag is set to false on pull requests so untrusted code cannot publish images. The DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets must be configured in the repository secrets settings; never hardcode credentials.
Key details:
- Platforms: linux/amd64 and linux/arm64. Remove platforms you don't need.
- push: false on PRs: Images are built but never pushed on pull requests; this validates the Dockerfile without publishing untrusted code.
- Tags: semver tags (v1.2.3 → 1.2.3, 1.2, 1), branch tags (main), and SHA tags.
- Attestations: provenance: mode=max and sbom: true generate supply chain attestations. These require attestations: write and id-token: write permissions.
- Registries: GHCR (authenticates with GITHUB_TOKEN, no extra secret needed) and Docker Hub (requires DOCKERHUB_USERNAME + DOCKERHUB_TOKEN secrets). If Docker Hub is not needed, remove its login step and the docker.io/ line from images:.

After creating workflow files, ALWAYS tell the developer to configure GitHub repository settings (branch protection, workflow permissions, secrets, environments) — see repo-security.md
| Mistake | Fix |
|---|---|
| Missing -race in CI tests | Always use go test -race |
| No -shuffle=on | Randomize test order to catch inter-test dependencies |
| Caching integration test results | Use -count=1 to disable caching |
| go mod tidy not checked | Add a go mod tidy && git diff --exit-code step |
| Missing fail-fast: false | One Go version failing shouldn't cancel other jobs |
| Not pinning action versions | GitHub Actions MUST use at least a pinned major version (e.g. @vN, not @master); pinning to a full commit SHA is stronger, since tags can be moved |
| No permissions block | Follow least-privilege per job |
| Ignoring govulncheck findings | Fix or suppress with justification |
See samber/cc-skills-golang@golang-lint, samber/cc-skills-golang@golang-security, samber/cc-skills-golang@golang-testing, samber/cc-skills-golang@golang-dependency-management skills.