CI modernization: caching, lint, security scanning, matrix testing

[renecannao]

Summary

• Dependency caching: Added cache: true to actions/setup-go@v5 in all three workflows (main.yml, system.yml, upgrade.yml) for faster CI builds
• Lint job: New lint job in main.yml using golangci/golangci-lint-action@v6
• CVE scanning job: New security job in main.yml running govulncheck ./...
• Go version matrix: Build/test job in main.yml now tests against Go 1.24 and 1.25.7

Implements Phase 2.4 of the orchestrator refresh design spec.

Closes #20

Test plan

• Verify all three workflows pass YAML validation
• Confirm build job runs for both Go 1.24 and 1.25.7
• Confirm lint job runs golangci-lint successfully
• Confirm security job runs govulncheck successfully
• Verify caching reduces build times on subsequent runs

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Warning

Rate limit exceeded

@renecannao has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 50 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cc979ce2-2d31-4f50-afcc-4b9d1d36ef89

📥 Commits

Reviewing files that changed from the base of the PR and between 5d2170b and ecdde95.

📒 Files selected for processing (3)

• .github/workflows/main.yml
• .github/workflows/system.yml
• .github/workflows/upgrade.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch issue20-ci-modernization

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Modernizes GitHub Actions CI for orchestrator by adding Go dependency caching, new lint/security jobs, and expanding build/test coverage via a Go version matrix.

Changes:

• Enabled actions/setup-go@v5 module caching across workflows (cache: true).
• Added lint (golangci-lint) and security (govulncheck) jobs to the main CI workflow.
• Updated main.yml build job to run a Go version matrix and disambiguated uploaded artifacts per Go version.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/main.yml	Adds Go matrix build, enables caching, and introduces lint + govulncheck security jobs.
.github/workflows/system.yml	Enables setup-go caching for system tests workflow.
.github/workflows/upgrade.yml	Enables setup-go caching for upgrade tests workflow.

Comments suppressed due to low confidence (1)

.github/workflows/upgrade.yml:24

• actions/setup-go is executed before the first actions/checkout, but cache: true needs the checked-out go.sum to restore/save a module cache. Reorder the steps so checkout happens before setup-go to make caching effective (especially important since this workflow does multiple checkouts later).

    - name: Set up Go
      uses: actions/setup-go@v5
      with:
        go-version: '1.25.7'
        cache: true

    - name: Start local MySQL
      run: sudo /etc/init.d/mysql start

    - name: check out
      uses: actions/checkout@v4

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

actions/setup-go is run before actions/checkout, but cache: true relies on repo files (e.g., go.sum) to compute the cache key. With the current order the cache will be skipped/ineffective. Move the checkout step above setup-go (or provide cache-dependency-path after checkout).

[Copilot]

Using golangci-lint version: latest makes CI non-reproducible and can start failing when a new linter release ships. Pin to a specific golangci-lint version (and bump it intentionally) to keep CI stable.

Suggested change

	version: latest
	version: v1.60.3

[Copilot]

Installing govulncheck with @latest makes the security job non-deterministic and can introduce sudden failures/behavior changes. Prefer pinning to a specific golang.org/x/vuln tag (or vendor it via tools/go.mod) so the workflow is reproducible.

Suggested change

	run: go install golang.org/x/vuln/cmd/govulncheck@latest
	run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.2