golang-continuous-integration
samber/cc-skills-golang
Production-grade CI/CD pipelines for Go projects using GitHub Actions — testing, linting, security scanning, and automated releases.
What is golang-continuous-integration?
Configures GitHub Actions workflows for Go projects with testing, linting, SAST, security scanning, code coverage, dependency management, and release automation. Use when setting up CI from scratch, improving existing pipelines, adding security gates, or automating Go binary releases.
- Run unit tests with race detection and coverage reporting across multiple Go versions
- Lint code with golangci-lint and enforce code quality standards
- Perform static analysis with gosec, CodeQL, and Bearer for security vulnerabilities
- Scan dependencies with govulncheck and automate updates via Dependabot or Renovate
- Build and push multi-platform Docker images with container scanning
- Automate binary releases and GitHub Releases with GoReleaser
How to install golang-continuous-integration
npx skills add https://github.com/samber/cc-skills-golang --skill golang-continuous-integration- Go installed and configured in go.mod
- goreleaser: `go install github.com/goreleaser/goreleaser/v2@latest`
- gh (GitHub CLI): `brew install gh`
- GitHub repository with Actions enabled
How to use golang-continuous-integration
- 1.Create `.github/workflows/test.yml` using the test workflow template, adjusting Go version matrix to match your go.mod
- 2.Create `.github/workflows/lint.yml` and configure `.golangci.yml` at the repo root with linting rules
- 3.Create `.github/workflows/security.yml` to run govulncheck, CodeQL, and gosec; optionally configure `.github/codeql/codeql-config.yml`
- 4.Set up dependency management: either `.github/dependabot.yml` for Dependabot or `renovate.json` for Renovate
- 5.Create `.github/workflows/release.yml` and configure GoReleaser if automating binary releases
- 6.Configure branch protection rules to require status checks and approvals before merging
Use cases
- Setting up CI/CD for a new Go project from scratch
- Adding security scanning and SAST to an existing pipeline
- Automating dependency updates with auto-merge for minor/patch versions
- Configuring multi-version Go testing (1.23–1.26 and stable)
- Building and releasing Go binaries across multiple platforms with GoReleaser
- Go developers setting up project CI
- DevOps engineers managing Go project pipelines
- Teams requiring security gates and vulnerability scanning
- Projects needing automated dependency and release management
golang-continuous-integration FAQ
Test against your current go.mod version plus the next 2–3 minor versions and 'stable'. For example, if go.mod specifies 1.25, test [1.25, 1.26, stable]. Use fail-fast: false so failures on one version don't cancel others.
Dependabot is simpler and built-in; use it for basic dependency updates. Renovate is more mature and configurable — it supports native automerge, gomodTidy, better grouping, and monorepo awareness. Choose Renovate if you need advanced features.
The -race flag detects data races — concurrent access to shared memory that can cause undefined behavior. It must run in CI because races are hard to reproduce locally. Use `go test -race -shuffle=on` to randomize test order and catch inter-test dependencies.
Configure thresholds in `codecov.yml` at the repo root. Codecov will report coverage changes on PRs and fail the check if coverage drops below your threshold.
Run govulncheck (detects known vulnerabilities in code paths you call), CodeQL (GitHub's static analysis), gosec (Go-specific security issues), and Bearer (sensitive data flow detection). All are included in the security.yml workflow.
Full instructions (SKILL.md)
Source of truth, from samber/cc-skills-golang.
name: golang-continuous-integration description: "CI/CD pipeline configuration using GitHub Actions for Golang projects — testing, linting, SAST, security scanning, code coverage, Dependabot, Renovate, GoReleaser, code review automation, and release pipelines. Use when setting up or improving Go project CI, configuring GitHub Actions workflows, adding linters or security scanners, automating dependency updates, or adding quality gates." user-invocable: true license: MIT compatibility: Designed for Claude Code or similar AI coding agents, and for projects using Golang. metadata: author: samber version: "1.3.1" openclaw: emoji: "🚀" homepage: https://github.com/samber/cc-skills-golang requires: bins: - go - goreleaser - gh install: - kind: brew formula: goreleaser bins: [goreleaser] - kind: brew formula: gh bins: [gh] - kind: npm package: skills bins: [skills] allowed-tools: Read Edit Write Glob Grep Bash(go:) Bash(golangci-lint:) Bash(git:) Agent WebFetch Bash(goreleaser:) Bash(gh:*) AskUserQuestion
Persona: You are a Go DevOps engineer. You treat CI as a quality gate — every pipeline decision is weighed against build speed, signal reliability, and security posture.
Modes:
- Setup — adding CI to a project for the first time: start with the Quick Reference table, then generate workflows in this order: test → lint → security → release. Prefer the latest stable major version for each GitHub Action.
- Improve — auditing or extending an existing pipeline: read current workflow files first, identify gaps against the Quick Reference table, then propose targeted additions without duplicating existing steps.
Dependencies:
- goreleaser:
go install github.com/goreleaser/goreleaser/v2@latest - gh:
brew install gh
Go Continuous Integration
Set up production-grade CI/CD pipelines for Go projects using GitHub Actions.
Action Versions
The versions in the examples below are reference versions that may be outdated. GitHub Actions release frequently — the current major version for each action (actions/checkout, actions/setup-go, golangci/golangci-lint-action, codecov/codecov-action, goreleaser/goreleaser-action, etc.) may differ from what is shown here.
Quick Reference
| Stage | Tool | Purpose |
|---|---|---|
| Test | go test -race | Unit + race detection |
| Coverage | codecov/codecov-action | Coverage reporting |
| Lint | golangci-lint | Comprehensive linting |
| Vet | go vet | Built-in static analysis |
| SAST | gosec, CodeQL, Bearer | Security static analysis |
| Vuln scan | govulncheck | Known vulnerability detection |
| Docker | docker/build-push-action | Multi-platform image builds |
| Deps | Dependabot / Renovate | Automated dependency updates |
| Release | GoReleaser | Automated binary releases |
| AI Review | Claude Code / Copilot | AI-powered PR review |
Testing
.github/workflows/test.yml — see test.yml
Adapt the Go version matrix to match go.mod:
go 1.23 → matrix: ["1.23", "1.24", "1.25", "1.26", "stable"]
go 1.24 → matrix: ["1.24", "1.25", "1.26", "stable"]
go 1.25 → matrix: ["1.25", "1.26", "stable"]
go 1.26 → matrix: ["1.26", "stable"]
Use fail-fast: false so a failure on one Go version doesn't cancel the others.
Test flags:
-race: CI MUST run tests with the-raceflag (catches data races — undefined behavior in Go)-shuffle=on: Randomize test order to catch inter-test dependencies-coverprofile: Generate coverage datagit diff --exit-code: Fails ifgo mod tidychanges anything
Coverage Configuration
CI SHOULD enforce code coverage thresholds. Configure thresholds in codecov.yml at the repo root — see codecov.yml
Integration Tests
.github/workflows/integration.yml — see integration.yml
Use -count=1 to disable test caching — cached results can hide flaky service interactions.
Linting
golangci-lint MUST be run in CI on every PR. .github/workflows/lint.yml — see lint.yml
golangci-lint Configuration
Create .golangci.yml at the root of the project. See the samber/cc-skills-golang@golang-lint skill for the recommended configuration.
Security & SAST
.github/workflows/security.yml — see security.yml
CI MUST run govulncheck. It only reports vulnerabilities in code paths your project actually calls — unlike generic CVE scanners. CodeQL results appear in the repository's Security tab. Bearer is good at detecting sensitive data flow issues.
CodeQL Configuration
Create .github/codeql/codeql-config.yml to use the extended security query suite — see codeql-config.yml
Available query suites:
- default: Standard security queries
- security-extended: Extra security queries with slightly lower precision
- security-and-quality: Security queries plus maintainability and reliability checks
Container Image Scanning
If the project produces Docker images, Trivy container scanning is included in the Docker workflow — see docker.yml
Dependency Management
Dependabot
.github/dependabot.yml — see dependabot.yml
Minor/patch updates are grouped into a single PR. Major updates get individual PRs since they may have breaking changes.
Auto-Merge for Dependabot
.github/workflows/dependabot-auto-merge.yml — see dependabot-auto-merge.yml
Security warning: This workflow requires
contents: writeandpull-requests: write— these are elevated permissions that allow merging PRs and modifying repository content. Theif: github.actor == 'dependabot[bot]'guard restricts execution to Dependabot only. Do not remove this guard. Note thatgithub.actorchecks are not fully spoof-proof — branch protection rules are the real safety net. Ensure branch protection is configured (see Repository Security Settings) with required status checks and required approvals so that auto-merge only succeeds after all checks pass, regardless of who triggered the workflow.
Renovate (alternative)
Renovate is a more mature and configurable alternative to Dependabot. It supports automerge natively, grouping, scheduling, regex managers, and monorepo-aware updates. If Dependabot feels too limited, Renovate is the go-to choice.
Install the Renovate GitHub App, then create renovate.json at the repo root — see renovate.json
Key advantages over Dependabot:
gomodTidy: Automatically runsgo mod tidyafter updates- Native automerge: No separate workflow needed
- Better grouping: More flexible rules for grouping PRs
- Regex managers: Can update versions in Dockerfiles, Makefiles, etc.
- Monorepo support: Handles Go workspaces and multi-module repos
Release Automation
GoReleaser automates binary builds, checksums, and GitHub Releases. The configuration varies significantly depending on the project type.
Release Workflow
.github/workflows/release.yml — see release.yml
Security warning: This workflow requires
contents: writeto create GitHub Releases. It is restricted to tag pushes (tags: ["v*"]) so it cannot be triggered by pull requests or branch pushes. Only users with push access to the repository can create tags.
GoReleaser for CLI/Programs
Programs need cross-compiled binaries, archives, and optionally Docker images.
.goreleaser.yml — see goreleaser-cli.yml
GoReleaser for Libraries
Libraries don't produce binaries — they only need a GitHub Release with a changelog. Use a minimal config that skips the build.
.goreleaser.yml — see goreleaser-lib.yml
For libraries, you may not even need GoReleaser — a simple GitHub Release created via the UI or gh release create is often sufficient.
GoReleaser for Monorepos / Multi-Binary
When a repository contains multiple commands (e.g., cmd/api/, cmd/worker/).
.goreleaser.yml — see goreleaser-monorepo.yml
Docker Build & Push
For projects that produce Docker images. This workflow builds multi-platform images, generates SBOM and provenance attestations, pushes to both GitHub Container Registry (GHCR) and Docker Hub, and includes Trivy container scanning.
.github/workflows/docker.yml — see docker.yml
Security warning: Permissions are scoped per job: the
container-scanjob only getscontents: read+security-events: write, while thedockerjob getspackages: write(to push to GHCR) andattestations: write+id-token: write(for provenance/SBOM signing). This ensures the scan job cannot push images even if compromised. Thepushflag is set tofalseon pull requests so untrusted code cannot publish images. TheDOCKERHUB_USERNAMEandDOCKERHUB_TOKENsecrets must be configured in the repository secrets settings — never hardcode credentials.
Key details:
- QEMU + Buildx: Required for multi-platform builds (
linux/amd64,linux/arm64). Remove platforms you don't need. push: falseon PRs: Images are built but never pushed on pull requests — this validates the Dockerfile without publishing untrusted code.- Metadata action: Automatically generates semver tags (
v1.2.3→1.2.3,1.2,1), branch tags (main), and SHA tags. - Provenance + SBOM:
provenance: mode=maxandsbom: truegenerate supply chain attestations. These requireattestations: writeandid-token: writepermissions. - Dual registry: Pushes to both GHCR (using
GITHUB_TOKEN, no extra secret needed) and Docker Hub (requiresDOCKERHUB_USERNAME+DOCKERHUB_TOKENsecrets). Remove the Docker Hub login and image line if not needed. - Trivy: Scans the built image for CRITICAL and HIGH vulnerabilities and uploads results to the Security tab.
- Adapt the image names and registries to your project. For GHCR-only, remove the Docker Hub login step and the
docker.io/line fromimages:.
Repository Security Settings
Repository security settings (branch protection, workflow permissions, secrets, environments) form the security foundation for the CI pipeline — these are documented in repo-security.md.
AI-Driven Code Review
Add AI agents as PR reviewers alongside traditional static analysis. When loaded with this skill plugin, the agent applies the relevant Go skills per review area — catching architectural drift, logic bugs, missing error context, and concurrency hazards that linters cannot detect.
Cost note: AI review agents run concurrently per PR. For cost control, remove jobs you don't need or raise the PR trigger filter to specific branches only.
Claude Code
.github/workflows/ai-review.yml — see claude-code-review.yml
The workflow runs parallel jobs, each scoped to a set of review areas and priority level:
| Job | Areas | Priority |
|---|---|---|
quality | Code style, Naming, Documentation, Design patterns | Suggestion-first |
correctness | Error handling, Code safety, Concurrency | Blocking-first |
security | Security, Dependencies | Blocking-first |
quality-depth | Tests, Performance, Observability, Modernize | Mixed |
Additional skills that may be relevant depending on the project: golang-cli, golang-context, golang-data-structures, golang-database, golang-dependency-injection, or any library-specific skill.
The Claude Code GitHub App integration is configured via the /install-github-app command, which sets up the required API secrets.
GitHub Copilot
Copy skills into your repo, then append copilot-review-instructions.md to .github/copilot-instructions.md:
npx skills add https://github.com/samber/cc-skills-golang --agent github-copilot --skill '*' -y --copy
ln -s .agents .copilot
Common Mistakes
| Mistake | Fix |
|---|---|
Missing -race in CI tests | Always use go test -race |
No -shuffle=on | Randomize test order to catch inter-test dependencies |
| Caching integration test results | Use -count=1 to disable caching |
go mod tidy not checked | Add go mod tidy && git diff --exit-code step |
Missing fail-fast: false | One Go version failing shouldn't cancel other jobs |
| Not pinning action versions | GitHub Actions MUST use pinned major versions (e.g. @vN, not @master) |
No permissions block | Follow least-privilege per job |
| Ignoring govulncheck findings | Fix or suppress with justification |
| No AI review in CI | Add Claude Code or Copilot review — catches logic, security, and architectural issues that static analysis misses |
Related Skills
See samber/cc-skills-golang@golang-lint, samber/cc-skills-golang@golang-security, samber/cc-skills-golang@golang-testing, samber/cc-skills-golang@golang-dependency-management, samber/cc-skills-golang@golang-modernize skills.
Related skills
More from samber/cc-skills-golang and the wider catalog.
golang-code-style
Go code style conventions for clarity, control flow, and readability—line breaking, variable declarations, and when comments help.
golang-error-handling
Idiomatic Go error handling: wrapping, inspection, structured logging, and production-grade error tracking.
golang-performance
Go performance optimization patterns: identify bottlenecks with profiling, then apply the right fix.
golang-design-patterns
Idiomatic Go design patterns: functional options, constructors, error handling, resource lifecycle, graceful shutdown, and resilience.
golang-testing
Production-ready Go tests with table-driven patterns, testify integration, parallel execution, fuzzing, and leak detection.
golang-security
Security best practices and vulnerability prevention for Go code—injection, crypto, secrets, and authentication.