internal/ci: add base steps for the common Go checks and staticcheck

Downstream github packages can use these as needed,
setting the working-directory parameter for multi-module repositories.

The staticcheck step is switched from the upstream action to `go tool`,
because the action hard-codes STATICCHECK_CACHE under `runner.temp`,
which Namespace confirmed to be incompatible with their volume caching
due to the nature of `runner.temp` being wiped once a job finishes.

We already planned to move towards `go tool staticcheck` once Go 1.24
came out, so take advantage of the situation and do the jump now.
We can do this in the cue repo, even though it still supports 1.23,
because we only run staticcheck on CI on the latest Go version.

Note that we add the tool dependency in a new internal/tools.mod module,
so as to keep go.mod as small as possible, and not have MVS mix
tooling dependencies with our regular dependencies.

Signed-off-by: Daniel Martí <[email protected]>
Change-Id: Ia2a50a4addec22cf20e9e24f444442874e22e8be
Reviewed-on: https://cue.gerrithub.io/c/cue-lang/cue/+/1218982
Reviewed-by: Paul Jolly <[email protected]>
Unity-Result: CUE porcuepine <[email protected]>
TryBot-Result: CUEcueckoo <[email protected]>

Author: mvdan

.github/workflows/trybot.yaml

@@ -88,7 +88,6 @@ jobs:
         uses: namespacelabs/nscloud-cache-action@v1
         with:
           cache: go
-          path: ${{ runner.temp }}/staticcheck
       - if: |-
           github.repository == 'cue-lang/cue' && (((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
           Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test'))
@@ -139,18 +138,17 @@ jobs:
           cd internal/_e2e
           go test -race
       - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ns-linux-amd64-large')
-        name: Go checks
         run: |-
+          go mod tidy -diff
           go vet ./...
-          go mod tidy
-          (cd internal/_e2e && go test -run=-)
       - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ns-linux-amd64-large')
-        name: staticcheck
-        uses: dominikh/staticcheck-action@v1
-        with:
-          version: "2025.1"
-          install-go: false
-          use-cache: false
+        name: Verify the end-to-end tests still build
+        run: go test -run=-
+        working-directory: ./internal/_e2e
+      - if: (matrix.go-version == '1.24.x' && matrix.runner == 'ns-linux-amd64-large')
+        env:
+          STATICCHECK_CACHE: /cache/staticcheck
+        run: go tool -modfile=internal/tools.mod staticcheck ./...
       - if: |-
           (((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
           Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) && (matrix.go-version == '1.24.x' && matrix.runner == 'ns-linux-amd64-large')

internal/ci/base/github.cue

@@ -153,11 +153,10 @@ curlGitHubAPI: {
 // Our runner profiles on Namespace are already configured to only update
 // the cache when they run from one of the protected branches.
 //
-// We cache for Go (GOCACHE and GOMODCACHE) and for staticcheck by default,
-// as the majority of our repos use Go with staticcheck,
-// noting that staticcheck-action puts STATICCHECK_CACHE under runner.temp.
-// These default caches are harmless for repos not using Go or staticcheck.
-// TODO(mvdan): move away from staticcheck-action once we require Go 1.24 or later.
+// We cache for Go (GOCACHE and GOMODCACHE) by default, as most repos use it.
+// These default caches are harmless for repos not using Go.
+//
+// Note that `${NSC_CACHE_PATH}` (`/cache`) is always mounted as a cache volume.
 setupCaches: {
 	#additionalCaches: [...string] // with.cache
 
@@ -175,11 +174,15 @@ setupCaches: {
 					"go",
 				], #additionalCaches])
 				let cachePaths = list.Concat([[
-					"${{ runner.temp }}/staticcheck",
+					// nothing here for now.
 				], #additionalCachePaths])
 
-				cache: strings.Join(cacheModes, "\n")
-				path:  strings.Join(cachePaths, "\n")
+				if len(cacheModes) > 0 {
+					cache: strings.Join(cacheModes, "\n")
+				}
+				if len(cachePaths) > 0 {
+					path:  strings.Join(cachePaths, "\n")
+				}
 			}
 		},
 
@@ -195,6 +198,29 @@ setupCaches: {
 	]
 }
 
+// TODO: consider adding more checks as per https://github.com/golang/go/issues/42119.
+goChecks: githubactions.#Step & {
+	run: """
+		go mod tidy -diff
+		go vet ./...
+		"""
+}
+
+staticcheck: githubactions.#Step & {
+	#modfile: string | *"" // an optional -modfile flag to not use the main go.mod
+	let gotool = [
+		if #modfile != "" {
+		    "go tool -modfile=\(#modfile)"
+		},
+		"go tool",
+	][0]
+
+	// TODO(mvdan): swap "/cache" for "${{ env.NSC_CACHE_PATH }}" once Namespace wires up that env var
+	// for the workspace environment. See: https://discord.com/channels/975088590705012777/1397128547797176340
+	env: STATICCHECK_CACHE: "/cache/staticcheck" // persist its cache
+	run: "\(gotool) staticcheck ./..."
+}
+
 // isProtectedBranch is an expression that evaluates to true if the
 // job is running as a result of pushing to one of protectedBranchPatterns.
 // It would be nice to use the "contains" builtin for simplicity,

internal/ci/github/trybot.cue

@@ -159,29 +159,17 @@ workflows: trybot: _repo.bashWorkflow & {
 		// For now, to save CI resources, just run the checks on one matrix job.
 		if: _isLatestLinux
 	}] & [
+		_repo.goChecks,
 		{
-			name: "Go checks"
-			// Also ensure that the end-to-end tests in ./internal/_e2e, which are only run
+			name: "Verify the end-to-end tests still build"
+			// Ensure that the end-to-end tests in ./internal/_e2e, which are only run
 			// on pushes to protected branches, still build correctly before merging.
-			//
-			// TODO: consider adding more checks as per https://github.com/golang/go/issues/42119.
-			run: """
-				go vet ./...
-				go mod tidy
-				(cd internal/_e2e && go test -run=-)
-				"""
-		}, {
-			name: "staticcheck"
-			// TODO(mvdan): once we can do 'go tool staticcheck' with Go 1.24+,
-			// then using this action is probably no longer worthwhile.
-			// Note that we should then persist staticcheck's cache too.
-			uses: "dominikh/staticcheck-action@v1"
-			with: {
-				version:      "2025.1" // Pin a version for determinism.
-				"install-go": false    // We install Go ourselves.
-				"use-cache":  false    // We use a volume cache instead.
-			}
+			"working-directory": "./internal/_e2e"
+			run: "go test -run=-"
 		},
+		// Note that we don't want tooling dependencies in the go.mod file,
+		// given how many downstreams rely on the cue module having few dependencies.
+		_repo.staticcheck & {#modfile: "internal/tools.mod"},
 	]
 
 	_checkTags: githubactions.#Step & {

internal/tools.mod

@@ -0,0 +1,17 @@
+// This module exists just so that we can track extra tooling dependencies
+// to be used via `go tool` without polluting the main go.mod file.
+// TODO(mvdan): once we stabilize on this model, have CI ensure this module is tidy too.
+module test/tools
+
+go 1.23.0
+
+tool honnef.co/go/tools/cmd/staticcheck
+
+require (
+	github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c // indirect
+	golang.org/x/exp/typeparams v0.0.0-20231108232855-2478ac86f678 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
+	honnef.co/go/tools v0.6.1 // indirect
+)

internal/tools.sum

@@ -0,0 +1,13 @@
+github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs=
+github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ=
+golang.org/x/exp/typeparams v0.0.0-20231108232855-2478ac86f678 h1:1P7xPZEwZMoBoz0Yze5Nx2/4pxj6nw9ZqHWXqP0iRgQ=
+golang.org/x/exp/typeparams v0.0.0-20231108232855-2478ac86f678/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
+golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY=
+golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY=
+honnef.co/go/tools v0.6.1 h1:R094WgE8K4JirYjBaOpz/AvTyUu/3wbmAoskKN/pxTI=
+honnef.co/go/tools v0.6.1/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=