This document describes the continuous integration and deployment setup for the sebuf protoc plugins project.
The sebuf project uses GitHub Actions for CI/CD with the following key features:
- Automated Testing: Multi-platform testing across Go versions
- Code Quality: Linting, formatting, and coverage analysis
- Proto Validation: Automatic validation of protobuf files
- Release Automation: Automated releases with goreleaser
- Local Testing: Full CI pipeline testing locally with act
- Dependency Management: Automated updates via Dependabot
Triggers: Push to main/develop, Pull Requests
Jobs:
- Lint: Code formatting and quality checks
- Test: Matrix testing across Go 1.20-1.22 and Linux/macOS/Windows
- Coverage: Coverage analysis with 85% threshold
- Build: Binary compilation for all plugins (go-http, go-client, ts-client, openapiv3)
- Integration: End-to-end testing with real proto files
Key Features:
- Parallel job execution for speed
- Test result artifacts for debugging
- PR comments with coverage reports
- Caching for dependencies and builds
Triggers: Git tags (v*), Manual workflow dispatch
Jobs:
- Release: GoReleaser for multi-platform binaries
- Docker: Multi-arch container images
- Announce: Automated release announcements
Artifacts:
- Linux, macOS, Windows binaries (amd64, arm64, arm)
- Docker images on Docker Hub and GitHub Container Registry
- Checksums and GPG signatures
- Homebrew formula updates
Triggers: Changes to proto files or buf configuration
Jobs:
- Buf Lint: Proto file linting and formatting
- Breaking Changes: Detection and PR comments
- Compatibility: Testing with multiple protoc versions
- Documentation: Auto-generated proto documentation
# Install act
make ci-setup
# Or manually:
# macOS
brew install act
# Linux
curl -s https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash.actrc: Act configuration with Docker image mappings.env.act: Environment variables for local testing.secrets: Secret values (never commit this file)
# Run full CI pipeline
make ci
# Run specific workflows
make ci-lint # Lint only
make ci-test # Tests only
make ci-proto # Proto validation
# List available workflows
make ci-list
# Validate workflow syntax
make ci-validate
# Clean up act artifacts
make ci-clean- Docker not running: Ensure Docker Desktop is started
- Permission errors: Run with appropriate permissions or use rootless Docker
- Resource limits: Increase Docker memory/CPU limits for large builds
- Cache issues: Run
make ci-cleanto reset
-
Tag the release:
git tag -a v1.0.0 -m "Release v1.0.0" git push origin v1.0.0 -
Automatic process:
- GoReleaser builds binaries for all platforms
- Docker images are built and pushed
- GitHub Release is created with changelog
- Homebrew formula is updated
- Announcement issue is created
# Dry run to test
goreleaser release --clean --snapshot
# Actual release
GITHUB_TOKEN=xxx goreleaser release --cleanThe project enforces strict coverage requirements:
- Total Coverage: 85% minimum
- Package Coverage: 80% minimum
- File Coverage: 70% minimum
- Core Generators: 90% minimum
Coverage is checked on every PR and must pass before merging.
# Generate local coverage report
./scripts/run_tests.sh
# View HTML report
open coverage.html
# Check coverage thresholds
go-test-coverage --config .testcoverage.ymlAutomated dependency updates for:
- Go modules (weekly)
- GitHub Actions (weekly)
- Docker base images (weekly)
Updates are grouped by type and create PRs automatically.
# Update Go dependencies
go get -u ./...
go mod tidy
# Update GitHub Actions (requires manual edit)
# Check for latest versions at:
# https://github.com/actions/checkout/releases
# https://github.com/actions/setup-go/releases-
Create feature branch:
git checkout -b feature/my-feature
-
Make changes and test locally:
make test make lint make ci-test # Test in CI environment
-
Push and create PR:
git push origin feature/my-feature # Create PR on GitHub -
CI automatically:
- Runs tests on multiple platforms
- Checks coverage requirements
- Validates proto files
- Comments with results
-
Merge when green:
- All checks must pass
- Coverage must meet thresholds
- No breaking changes (unless labeled)
# Before committing
make fmt # Format code
make lint-fix # Fix linting issues
make test # Run tests
# Testing CI changes
make ci # Test full pipeline
make ci-validate # Validate workflow syntax
# Release preparation
make build # Build all binaries
make test # Full test suite
git tag -a vX.Y.Z -m "Release vX.Y.Z"- Check Actions tab for build status
- Failed builds send notifications to repo watchers
- Release failures create issues automatically
-
Test failures on Windows:
- Usually path separator issues
- Check
filepath.Join()usage
-
Coverage drops:
- New code needs tests
- Check coverage report for uncovered lines
-
Proto breaking changes:
- Review carefully before merging
- Add
breaking-changelabel if intentional
-
Release failures:
- Check GPG key expiration
- Verify GITHUB_TOKEN permissions
- Ensure tags follow v* pattern
Required secrets for full CI/CD:
GITHUB_TOKEN: Automatically providedDOCKER_USERNAME: Docker Hub usernameDOCKER_PASSWORD: Docker Hub passwordGPG_PRIVATE_KEY: For signing releasesGPG_FINGERPRINT: GPG key fingerprintCODECOV_TOKEN: For coverage uploadsHOMEBREW_TAP_GITHUB_TOKEN: For formula updates
- Dependabot alerts for vulnerabilities
- CodeQL analysis on main branch
- Docker image scanning via registry
- Always test locally first: Use
make cibefore pushing - Keep workflows simple: Complex logic belongs in scripts
- Use matrix builds wisely: Balance coverage vs. build time
- Cache aggressively: Speeds up builds significantly
- Version everything: Tag releases, version binaries
- Document changes: Update CHANGELOG.md
- Monitor metrics: Track build times, failure rates
When modifying CI/CD:
- Test changes locally with act
- Create PR with detailed description
- Test on a fork first if major changes
- Update this documentation
- Consider backward compatibility