DEV Community: Giovanni De Giorgio The latest articles on DEV Community by Giovanni De Giorgio (@gdegiorgio). https://dev.to/gdegiorgio https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2279719%2F697c396d-7d20-4dfe-ab74-78120f53ddc9.jpeg DEV Community: Giovanni De Giorgio https://dev.to/gdegiorgio en 👷🏻‍♂️ Golang CI/CD Done Right: Build a Rock-Solid Pipeline with GitHub Actions Giovanni De Giorgio Wed, 09 Jul 2025 10:04:11 +0000 https://dev.to/gdegiorgio/golang-cicd-done-right-build-a-rock-solid-pipeline-with-github-actions-4dok https://dev.to/gdegiorgio/golang-cicd-done-right-build-a-rock-solid-pipeline-with-github-actions-4dok <h3> 🚀 TL;DR </h3> <ul> <li>Did you know I just came back from a vacation? 🌴</li> <li>Built a simple Go CLI with Cobra</li> <li>Automated PR checks, linting, and testing with GitHub Actions</li> <li>Enforced Conventional Commits and semantic versioning</li> <li>Generated changelogs and cross-platform releases with Goreleaser</li> <li>Secured the pipeline using CodeQL and Dependabot</li> </ul> <h2> 🌴 About My Vacation </h2> <p>I just got back from a much-needed vacation, and during that time, I finally sat down and read The Phoenix Project. If you’re not familiar with it, it’s a novel about IT, DevOps, and the chaos that can happen when delivery processes are broken.</p> <p>It’s part entertaining, part terrifying, and completely inspiring.</p> <p>So when I returned to my Golang CLI projects, I decided to revisit and improve my CI/CD setup from the ground up. In this post, I will walk you through the stack I ended up with: a clean, modular, and production-ready CI/CD pipeline built entirely with GitHub Actions.</p> <p>Let’s dive in.</p> <h2> 💡 What I Learned from <em>The Phoenix Project</em> </h2> <p>The story really drove home how much trouble teams can get into without:</p> <ul> <li>Automated security checks to catch vulnerabilities early</li> <li>Reliable, automated testing to prevent regressions</li> <li>Controlled deployments that minimize risk</li> <li>Formal change management to track and govern what gets released</li> </ul> <p>Without these safeguards, teams face outages, firefighting, and lost time, problems that could have been avoided with better automation and process.</p> <p>This reinforced for me that CI/CD is more than just running builds and tests. It’s about embedding <strong>control, safety, and visibility</strong> into every step of software delivery.</p> <h2> 🦫 Create a Simple Golang Application </h2> <p>I’ve always been fascinated by how easy and powerful it is to build CLI applications in Go. With the help of <a href="https://github.com/spf13/cobra" rel="noopener noreferrer">Cobra</a>, creating a structured, user-friendly command-line tool takes just a few lines of code.</p> <p><code>main.go</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"os"</span> <span class="s">"github.com/spf13/cobra"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">var</span> <span class="n">rootCmd</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">{</span> <span class="n">Use</span><span class="o">:</span> <span class="s">"hello-cli"</span><span class="p">,</span> <span class="n">Short</span><span class="o">:</span> <span class="s">"A simple CLI that says hello"</span><span class="p">,</span> <span class="n">Run</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">cmd</span> <span class="o">*</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">,</span> <span class="n">args</span> <span class="p">[]</span><span class="kt">string</span><span class="p">)</span> <span class="p">{</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Hello, world!"</span><span class="p">)</span> <span class="p">},</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">Execute</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>main_test.go</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"bytes"</span> <span class="s">"strings"</span> <span class="s">"testing"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">TestHelloCLI</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">buf</span> <span class="n">bytes</span><span class="o">.</span><span class="n">Buffer</span> <span class="k">var</span> <span class="n">rootCmd</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">{</span> <span class="n">Use</span><span class="o">:</span> <span class="s">"hello-cli"</span><span class="p">,</span> <span class="n">Short</span><span class="o">:</span> <span class="s">"A simple CLI that says hello"</span><span class="p">,</span> <span class="n">Run</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">cmd</span> <span class="o">*</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">,</span> <span class="n">args</span> <span class="p">[]</span><span class="kt">string</span><span class="p">)</span> <span class="p">{</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Hello, world!"</span><span class="p">)</span> <span class="p">},</span> <span class="p">}</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">SetOut</span><span class="p">(</span><span class="o">&amp;</span><span class="n">buf</span><span class="p">)</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">SetArgs</span><span class="p">([]</span><span class="kt">string</span><span class="p">{})</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">Execute</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"Command failed: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">output</span> <span class="o">:=</span> <span class="n">buf</span><span class="o">.</span><span class="n">String</span><span class="p">()</span> <span class="n">expected</span> <span class="o">:=</span> <span class="s">"Hello, world!</span><span class="se">\n</span><span class="s">"</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">TrimSpace</span><span class="p">(</span><span class="n">output</span><span class="p">)</span> <span class="o">!=</span> <span class="n">strings</span><span class="o">.</span><span class="n">TrimSpace</span><span class="p">(</span><span class="n">expected</span><span class="p">)</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"unexpected output:</span><span class="se">\n</span><span class="s"> got: %q</span><span class="se">\n</span><span class="s"> want: %q"</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="n">expected</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go run main.go Hello, world! </code></pre> </div> <h2> 📝 It All Starts with a Pull Request </h2> <p>The first step in building a reliable CI/CD pipeline is to ensure consistency and quality at the source your pull requests. If every PR follows a standard format and passes basic checks, the rest of the pipeline becomes much more predictable and automated.</p> <p>To enable automated versioning and changelog generation later in the pipeline, I decided to adopt <a href="https://www.conventionalcommits.org/" rel="noopener noreferrer">Conventional Commits</a>. These are structured commit messages that follow a simple pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>feat: add new controller endpoint fix: resolve panic on nil pointer in handler chore: update dependencies </code></pre> </div> <p>The next step is to <strong>automate enforcement</strong>. Manual checks don’t scale.</p> <p>The goal here is simple:</p> <ul> <li>✅ Ensure PR Title follows Conventional Commits</li> <li>✅ Ensure all code builds successfully</li> <li>✅ Run tests automatically</li> <li>✅ Enforce formatting and linting rules</li> </ul> <p><code>.github/workflows/pr-checks.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Pull Request checks</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">🔨 Build , Lint &amp; Test</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Go</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-go@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">go-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">go mod tidy</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build project</span> <span class="na">run</span><span class="pi">:</span> <span class="s">go build -v ./...</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">go test -v ./...</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">golangci/golangci-lint-action@v8</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2.1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint Pull Request Title</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">amannn/action-semantic-pull-request@v5</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GH_TOKEN }}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3eyasnvnflesee7wzzb1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3eyasnvnflesee7wzzb1.png" alt="Pull Request Checks" width="800" height="681"></a></p> <p>The initial results are promising, confirming our basic CI checks work as expected. Now, let’s push forward and expand the pipeline’s capabilities.</p> <h2> 🆕 Version please! </h2> <p>In The Phoenix Project, Bill Palmer, the VP of IT Operations, faces major headaches because developers are inconsistently managing versioning and leading to confusion, deployment failures, and firefighting. This real-world scenario highlights how crucial it is to properly version every code change.</p> <p>With structured commit messages in place, we can now introduce <strong>semantic versioning</strong> and automate <strong>changelog generation</strong> directly within our CI/CD pipeline.</p> <p>By analyzing commit history, we can:</p> <ul> <li>Determine the appropriate version bump (major, minor, or patch)</li> <li>Automatically generate a well-formatted <code>CHANGELOG.md</code> </li> <li>Create and push a GitHub tag for the release</li> </ul> <p>This not only enforces consistent versioning across releases, but also removes the manual overhead of maintaining changelogs and tagging code, a critical step toward reliable, reproducible deployments.</p> <p>Once the project is ready for a new release, we can trigger an <strong>on-demand GitHub Actions workflow</strong> to automatically generate a new tag based on commit history.</p> <p><code>.github/workflows/create-new-tag.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Release a new version</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">workflow_dispatch</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">release-tag</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Tag repository</span> <span class="na">id</span><span class="pi">:</span> <span class="s">tagRepo</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">anothrNick/github-tag-action@1.36.0</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GH_TOKEN }}</span> <span class="na">WITH_V</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">DEFAULT_BUMP</span><span class="pi">:</span> <span class="s">patch</span> </code></pre> </div> <p>We can now respond to new tag events by automatically generating and publishing a changelog.</p> <p><code>.github/workflows/changelog.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Generate Changelog</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">v[0-9]+.[0-9]+.[0-9]+</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">changelog</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate and Commit Changelog</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">requarks/changelog-action@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GH_TOKEN }}</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">${{ github.ref_name }}</span> <span class="na">commitMessage</span><span class="pi">:</span> <span class="s2">"</span><span class="s">docs(changelog):</span><span class="nv"> </span><span class="s">update</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">${{</span><span class="nv"> </span><span class="s">github.ref_name</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">outputFile</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CHANGELOG.md"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create GitHub Release</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">ncipollo/release-action@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">${{ github.ref_name }}</span> <span class="na">bodyFile</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CHANGELOG.md"</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GH_TOKEN }}</span> </code></pre> </div> <p>As our CLI evolves, it’s important to demonstrate how feature development ties directly into our CI/CD workflow. Let’s implement a simple enhancement: a <code>--name</code> flag that allows users to personalize the greeting message.</p> <p>For example, running the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go run main.go --name Giovanni </code></pre> </div> <p>Should output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Hello, Giovanni! </code></pre> </div> <p><code>main.go</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"os"</span> <span class="s">"github.com/spf13/cobra"</span> <span class="p">)</span> <span class="k">var</span> <span class="n">name</span> <span class="kt">string</span> <span class="k">var</span> <span class="n">rootCmd</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">{</span> <span class="n">Use</span><span class="o">:</span> <span class="s">"hello-cli"</span><span class="p">,</span> <span class="n">Short</span><span class="o">:</span> <span class="s">"A simple CLI that says hello"</span><span class="p">,</span> <span class="n">Run</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">cmd</span> <span class="o">*</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">,</span> <span class="n">args</span> <span class="p">[]</span><span class="kt">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">name</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Hello, %s!</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="s">"Hello, world!"</span><span class="p">)</span> <span class="p">}</span> <span class="p">},</span> <span class="p">}</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">Flags</span><span class="p">()</span><span class="o">.</span><span class="n">StringVar</span><span class="p">(</span><span class="o">&amp;</span><span class="n">name</span><span class="p">,</span> <span class="s">"name"</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">"Custom name to include in greeting"</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">Execute</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Println</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Once our pull request has been reviewed, approved, and successfully merged, ensuring all checks have passed, we can trigger the release workflow. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fii28sd04qpk1vrpyef9y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fii28sd04qpk1vrpyef9y.png" alt="Release Workflow" width="800" height="264"></a></p> <p>Aaaaaand, here we go! 🚀</p> <p>With everything in place, our pipeline now effortlessly handles releases, tagging, changelog updates and letting us focus on what truly matters: writing great code.</p> <h2> 📦 Stop running <code>go run main.go</code> </h2> <p>We’re almost there but there’s one crucial piece missing. </p> <p>We don’t want to clone the entire project every time I want to run <code>hello-cli</code>; I need to execute the binary directly. And here’s the twist: I have a Raspberry Pi with an ARM processor, a Mac with Apple Silicon, and a tiny Linux box so I want my binary to run seamlessly everywhere!</p> <p>To solve this challenge, I’ll be using <a href="https://goreleaser.com/" rel="noopener noreferrer"><strong>Goreleaser</strong></a> a powerful tool that automates building and publishing binaries for multiple platforms. With a single configuration YAML file, Goreleaser simplifies cross-platform releases, ensuring our CLI runs smoothly on ARM, Apple Silicon, Linux, and more all without manual hassle.</p> <p><code>.goreleaser.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="m">2</span> <span class="na">project_name</span><span class="pi">:</span> <span class="s">hello-cli</span> <span class="na">dist</span><span class="pi">:</span> <span class="s">bin</span> <span class="na">builds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">hello-cli</span> <span class="na">main</span><span class="pi">:</span> <span class="s">main.go</span> <span class="na">goos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">linux</span> <span class="pi">-</span> <span class="s">darwin</span> <span class="na">goarch</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">amd64</span> <span class="pi">-</span> <span class="s">arm64</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">hello-cli-win</span> <span class="na">main</span><span class="pi">:</span> <span class="s">main.go</span> <span class="na">goos</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">windows</span> <span class="na">goarch</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">amd64</span> <span class="pi">-</span> <span class="s">arm64</span> <span class="na">archives</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">default</span> <span class="na">ids</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">hello-cli</span><span class="pi">]</span> <span class="na">formats</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">tar.gz</span><span class="pi">]</span> <span class="na">name_template</span><span class="pi">:</span> <span class="s2">"</span><span class="s">hello-cli_{{</span><span class="nv"> </span><span class="s">.Os</span><span class="nv"> </span><span class="s">}}_{{</span><span class="nv"> </span><span class="s">.Arch</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">LICENSE.txt</span> <span class="pi">-</span> <span class="s">README.md</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">hello-cli-win</span> <span class="na">ids</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">hello-cli-win</span><span class="pi">]</span> <span class="na">formats</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">zip</span><span class="pi">]</span> <span class="na">name_template</span><span class="pi">:</span> <span class="s2">"</span><span class="s">hello-cli_{{</span><span class="nv"> </span><span class="s">.Os</span><span class="nv"> </span><span class="s">}}_{{</span><span class="nv"> </span><span class="s">.Arch</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">files</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">LICENSE.txt</span> <span class="pi">-</span> <span class="s">README.md</span> <span class="na">release</span><span class="pi">:</span> <span class="na">github</span><span class="pi">:</span> <span class="na">owner</span><span class="pi">:</span> <span class="s">gdegiorgio</span> <span class="na">name</span><span class="pi">:</span> <span class="s">golang-rock-solid-cicd</span> <span class="na">changelog</span><span class="pi">:</span> <span class="na">use</span><span class="pi">:</span> <span class="s">git</span> </code></pre> </div> <p><code>.github/workflows/package-hello-cli.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Release Packages</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">v[0-9]+.[0-9]+.[0-9]+</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">release</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Go</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-go@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">go-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.24.3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install GoReleaser</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">goreleaser/goreleaser-action@v6</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">~&gt;</span><span class="nv"> </span><span class="s">v2'</span> <span class="na">args</span><span class="pi">:</span> <span class="s">release --clean</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GH_TOKEN }}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9baxmoblk6juikeuulfg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9baxmoblk6juikeuulfg.png" alt="Binary Packages" width="800" height="729"></a></p> <p>That’s really incredible, don’t you think? 🤯</p> <h2> 🔐 Securing Your Application: CodeQL and Dependabot </h2> <p>No CI/CD pipeline is complete without a strong focus on <strong>security</strong> and <strong>dependency management</strong>. As your application grows, so does the attack surface and the complexity of keeping everything up to date. Fortunately, GitHub provides two powerful tools to help us stay ahead: <strong>CodeQL</strong> and <strong>Dependabot</strong>.</p> <h3> 🧠 CodeQL: Automated Security Analysis </h3> <p><a href="https://codeql.github.com/" rel="noopener noreferrer"><strong>CodeQL</strong></a> is GitHub’s semantic code analysis engine. It allows you to query your codebase like a database, identifying security vulnerabilities and logic flaws before they make it to production.</p> <p>Once integrated into your workflow, CodeQL will:</p> <ul> <li>Automatically scan your code</li> <li>Detect common vulnerability patterns like SQL injection, command injection, or unsafe deserialization</li> </ul> <p>By running CodeQL scans regularly, you introduce a <strong>proactive layer of defense</strong> directly into your development cycle, catching bugs early and enforcing security hygiene with minimal effort.</p> <p><code>.github/workflows/codeql.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CodeQL"</span> <span class="na">on</span><span class="pi">:</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">analyze</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Analyze</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">actions</span><span class="pi">:</span> <span class="s">read</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">security-events</span><span class="pi">:</span> <span class="s">write</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">fail-fast</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">language</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">go</span><span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Initialize CodeQL</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/init@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">languages</span><span class="pi">:</span> <span class="s">${{ matrix.language }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Autobuild</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/autobuild@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Perform CodeQL Analysis</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/analyze@v3</span> </code></pre> </div> <h3> 🔄 Dependabot: Automated Dependency Updates </h3> <p>Modern applications rely on open-source libraries and keeping those up to date is essential. <a href="https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically" rel="noopener noreferrer"><strong>Dependabot</strong></a> helps you do exactly that by automatically scanning your <code>go.mod</code> and other dependency files, opening pull requests when:</p> <ul> <li>A newer version is available</li> <li>A known vulnerability has been reported in a dependency</li> </ul> <p><code>.github/dependabot.yml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="m">2</span> <span class="na">updates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">package-ecosystem</span><span class="pi">:</span> <span class="s">gomod</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">/</span> <span class="na">schedule</span><span class="pi">:</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">daily</span> </code></pre> </div> <h2> ✅ Wrap-Up: A Pipeline You Can Trust </h2> <p>In this journey, we started with a simple idea :</p> <p>building a lightweight CLI tool in Go and used it as a foundation to construct a solid, secure, and automated CI/CD workflow using GitHub Actions.</p> <p>By layering in tools and best practices like:</p> <ul> <li> <strong>PR-based checks</strong> for linting, testing, and compiling</li> <li> <strong>Semantic commit enforcement</strong> to drive meaningful versioning</li> <li> <strong>Automated changelog generation</strong> and <strong>release tagging</strong> </li> <li> <strong>Multi-platform binary publishing</strong> with Goreleaser</li> <li> <strong>Security scanning</strong> with CodeQL</li> <li> <strong>Dependency hygiene</strong> via Dependabot</li> </ul> <p>…we’ve established a pipeline that not only supports continuous delivery, but also builds trust through automation, clarity, and repeatability.</p> <p>Whether you’re building a toy CLI or the next critical internal tool, think of this as a good foundation you can tweak and grow depending on what your project needs.</p> <h2> 📚 References </h2> <ul> <li> <p>🗂️ <a href="https://github.com/gdegiorgio/golang-rock-solid-cicd" rel="noopener noreferrer"><strong>hello-cli GitHub Repository</strong></a></p> <p>The sample project used throughout this post. Explore the code, workflows, and automation setup.</p> </li> <li> <p>📘 <strong>The Phoenix Project</strong> – Gene Kim, Kevin Behr, George Spafford</p> <p>A novel that inspired this post’s focus on flow, feedback, and continual improvement in software delivery.</p> </li> <li> <p>🧰 <a href="https://docs.github.com/en/actions" rel="noopener noreferrer"><strong>GitHub Actions</strong></a></p> <p>Automate, customize, and execute software workflows directly in your GitHub repo.</p> </li> <li> <p>🛡️ <a href="https://codeql.github.com/" rel="noopener noreferrer"><strong>CodeQL</strong></a></p> <p>GitHub’s static analysis engine for discovering vulnerabilities in your code.</p> </li> <li> <p>🔄 <a href="https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically" rel="noopener noreferrer"><strong>Dependabot</strong></a></p> <p>Keeps your dependencies up-to-date and secure with automated pull requests.</p> </li> <li> <p>📦 <a href="https://goreleaser.com/" rel="noopener noreferrer"><strong>Goreleaser</strong></a></p> <p>Build and release Go binaries for multiple platforms with ease.</p> </li> <li> <p>🐍 <a href="https://github.com/spf13/cobra" rel="noopener noreferrer"><strong>Cobra CLI Framework</strong></a></p> <p>A widely-used library for building powerful CLI applications in Go.</p> </li> <li> <p>📓 <a href="https://www.conventionalcommits.org/en/v1.0.0/" rel="noopener noreferrer"><strong>Conventional Commits</strong></a></p> <p>A standardized format for writing commit messages that power semantic versioning.</p> </li> </ul> go githubactions cicd github ⚡Supercharge Your Feature Flags Using OpenFeature + AWS Parameter Store Giovanni De Giorgio Tue, 24 Jun 2025 09:36:48 +0000 https://dev.to/gdegiorgio/supercharge-your-feature-flags-using-openfeature-aws-parameter-store-1iak https://dev.to/gdegiorgio/supercharge-your-feature-flags-using-openfeature-aws-parameter-store-1iak <p>A feature flag is a mechanism that allows specific functionality within an application to be enabled or disabled dynamically, without deploying new code. Feature flags play a pivotal role in modern DevOps practices by enabling teams to manage feature rollouts, control exposure to end users, and reduce risk during deployments.</p> <p>They are commonly used to disable incomplete or experimental features in production environments, enable gradual rollouts (such as canary or blue-green deployments), or restrict access to premium functionality based on user entitlements. </p> <h3> ☁️ Managing Flags via AWS Parameter Store </h3> <p>For those of us working with AWS on a daily basis, <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html" rel="noopener noreferrer">AWS Systems Manager Parameter Store</a> is a familiar and trusted service. It’s often used to store configuration values like URLs, hostnames, environment variables, and other runtime settings—allowing applications to reference them securely at build or execution time.</p> <p>Beyond basic configuration management, Parameter Store also integrates seamlessly with AWS Secrets Manager, making it a convenient choice for managing sensitive data such as API keys, tokens, and credentials in a secure and auditable way.</p> <p>Let us now imagine that we need to manage via Parameter Store a feature flag to enable the new version of the dashboard that we have just deployed to production.</p> <p><code>feature/new-dashboard</code></p> <p>Let's create the parameter within Parameter Store using the AWS CLI<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ssm put-parameter <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"/feature/new-dashboard"</span> <span class="se">\</span> <span class="nt">--type</span> <span class="s2">"String"</span> <span class="se">\</span> <span class="nt">--value</span> <span class="s2">"true"</span> </code></pre> </div> <p>At this point our feature flag is ready to be retrieved through the AWS SDK</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ee65ropkdhao1ifbfax.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ee65ropkdhao1ifbfax.png" alt="Retrieve Feature Flag from AWS SSM" width="800" height="222"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">SSMClient</span><span class="p">,</span> <span class="nx">GetParameterCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@aws-sdk/client-ssm</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ssmClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SSMClient</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">"</span><span class="s2">us-east-1</span><span class="dl">"</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getFeatureFlag</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ssmClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span> <span class="k">new</span> <span class="nc">GetParameterCommand</span><span class="p">({</span> <span class="na">Name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/feature/new-dashboard</span><span class="dl">"</span> <span class="p">})</span> <span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">Parameter</span><span class="p">?.</span><span class="nx">Value</span><span class="p">;</span> <span class="p">}</span> <span class="nf">getFeatureFlag</span><span class="p">();</span> </code></pre> </div> <p>It might all seem great on the surface: </p> <ul> <li>Simple setup</li> <li>Solid integration, </li> <li>No extra tools to manage</li> </ul> <p>But there’s a catch.</p> <h3> 🔒 The Cloud vendor lock-in problem </h3> <p>When you build your applications tightly around a specific cloud provider’s service you gain seamless integration and convenience. However, this also creates a dependency on that provider’s ecosystem, commonly referred to as cloud vendor lock-in.</p> <p>Lock-in means that moving your application, data, or infrastructure to another cloud provider becomes difficult, costly, or risky. This can limit your flexibility to:</p> <ul> <li>Switch to alternative cloud platforms for cost savings or compliance.</li> <li>Adopt best-of-breed tools that work across multiple clouds.</li> <li>Maintain a consistent deployment process in hybrid or multi-cloud environments.</li> </ul> <p>In the context of feature flags, relying exclusively on AWS Parameter Store or a similar cloud-native service means your flag management is tightly coupled to AWS. Changing providers would require rewriting parts of your application, retraining your team, and potentially risking downtime or bugs.</p> <h3> 📖 The role of OpenFeature </h3> <p><a href="https://openfeature.dev/" rel="noopener noreferrer">OpenFeature</a> is an open specification that offers a vendor-neutral, community-driven API for feature flagging. It is designed to integrate seamlessly with any feature flag management tool or custom in-house solution.</p> <p>By abstracting the feature flag evaluation process, OpenFeature allows you to switch between different platforms or consolidate multiple flag management systems with greater ease and flexibility.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgv94trweqo3751zapiw9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgv94trweqo3751zapiw9.png" alt="OpenFeature multi provider" width="800" height="444"></a></p> <p>Let's refactor the code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">OpenFeature</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@openfeature/server-sdk</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AwsSsmProvider</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@openfeature/aws-ssm-provider</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">providerConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">ssmClientConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">region</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">eu-west-1</span><span class="dl">"</span> <span class="p">}</span> <span class="nx">cacheOpts</span> <span class="o">=</span> <span class="p">{</span> <span class="na">enabled</span> <span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1">// disable native caching feature </span> <span class="p">}</span> <span class="k">await</span> <span class="nx">OpenFeature</span><span class="p">.</span><span class="nf">setProviderAndWait</span><span class="p">(</span><span class="k">new</span> <span class="nc">AwsSsmProvider</span><span class="p">(</span><span class="nx">providerConfig</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">OpenFeature</span><span class="p">.</span><span class="nf">getClient</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">isEnabled</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">getBooleanValue</span><span class="p">(</span><span class="dl">'</span><span class="s1">feature/new-dashboard</span><span class="dl">'</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">isEnabled</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">New dashboard feature is enabled</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>As demonstrated in the example, invoking <code>setProviderAndWait</code>successfully configures the OpenFeature SDK with the AWS SSM provider. This setup enables seamless retrieval of feature flag values from AWS Parameter Store.</p> <p>Additionally, the <code>getBooleanValue</code> method includes support for a default fallback value, ensuring that the application maintains expected behavior even if the feature flag evaluation fails or the flag is not defined.</p> <h3> 🏁 Wrapping Up </h3> <p>Leveraging AWS Parameter Store for feature flag management offers a seamless and secure way to control feature rollout in your applications. However, by integrating OpenFeature, you gain the flexibility of a vendor-neutral API that reduces cloud lock-in and simplifies multi-provider strategies.</p> <p>Give OpenFeature a try in your next project and experience the freedom of standardized feature flag management across platforms!</p> <h3> 🔗 References </h3> <ul> <li><p>Feature flag — Wikipedia<br> <a href="https://en.wikipedia.org/wiki/Feature_toggle" rel="noopener noreferrer">https://en.wikipedia.org/wiki/Feature_toggle</a></p></li> <li><p>OpenFeature Official Website<br> <a href="https://openfeature.dev/" rel="noopener noreferrer">https://openfeature.dev/</a></p></li> <li><p>OpenFeature Documentation (including supported providers and SDKs)<br> <a href="https://openfeature.dev/docs/reference/intro" rel="noopener noreferrer">https://openfeature.dev/docs/reference/intro</a></p></li> <li><p>OpenFeature GitHub Repositories (contributing and source code)<br> <a href="https://github.com/open-feature" rel="noopener noreferrer">https://github.com/open-feature</a></p></li> <li><p>AWS Systems Manager Parameter Store<br> <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html" rel="noopener noreferrer">https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html</a></p></li> </ul> featureflags openfeature cloud aws