Skip to content

geofffranks/spruce

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

820 Commits
.github
.github
 
 
assets
assets
 
 
cmd/spruce
cmd/spruce
 
 
doc
doc
 
 
docs/superpowers/specs
docs/superpowers/specs
 
 
examples
examples
 
 
log
log
 
 
tests
tests
 
 
vendor
vendor
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
.whitesource
.whitesource
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
diff.go
diff.go
 
 
diff_test.go
diff_test.go
 
 
errors.go
errors.go
 
 
evaluator.go
evaluator.go
 
 
evaluator_test.go
evaluator_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
json.go
json.go
 
 
merge.go
merge.go
 
 
merge_test.go
merge_test.go
 
 
op_aws.go
op_aws.go
 
 
op_base64.go
op_base64.go
 
 
op_base64_decode.go
op_base64_decode.go
 
 
op_calc.go
op_calc.go
 
 
op_cartesian_product.go
op_cartesian_product.go
 
 
op_concat.go
op_concat.go
 
 
op_defer.go
op_defer.go
 
 
op_empty.go
op_empty.go
 
 
op_file.go
op_file.go
 
 
op_grab.go
op_grab.go
 
 
op_inject.go
op_inject.go
 
 
op_ips.go
op_ips.go
 
 
op_join.go
op_join.go
 
 
op_keys.go
op_keys.go
 
 
op_load.go
op_load.go
 
 
op_negate.go
op_negate.go
 
 
op_null.go
op_null.go
 
 
op_param.go
op_param.go
 
 
op_prune.go
op_prune.go
 
 
op_raw_env.go
op_raw_env.go
 
 
op_shuffle.go
op_shuffle.go
 
 
op_sort.go
op_sort.go
 
 
op_static_ips.go
op_static_ips.go
 
 
op_stringify.go
op_stringify.go
 
 
op_vault.go
op_vault.go
 
 
operator.go
operator.go
 
 
operator_test.go
operator_test.go
 
 
sort_test.go
sort_test.go
 
 
staticcheck.conf
staticcheck.conf
 
 
vault_test.go
vault_test.go
 
 

Repository files navigation

CI/CD Overview

Workflows

test.yml — PR Checks

Runs on every push and pull request. Single job on ubuntu-latest:

  1. Buildgo build -v ./...
  2. Testgo test across all non-vendor packages
  3. Vetgo vet across all non-vendor packages
  4. staticcheck — static analysis via dominikh/staticcheck-action
  5. gosec — security scanner via securego/gosec

Go version is stable with check-latest: true, so CI always uses the latest released Go.

release.yml — Release Artifacts

Triggers when a GitHub release is created. Builds cross-platform binaries (linux/amd64, linux/arm64, windows/amd64, darwin/amd64, darwin/arm64) with the release tag embedded via -ldflags, then uploads each binary and its SHA1 checksum as release assets.

Uses go-version: stable — artifacts are always built with the latest Go at release time.

codeql-analysis.yml — Security Scanning

Runs CodeQL analysis for Go on pushes and PRs to main, plus a weekly schedule (Tuesdays 23:40 UTC). Catches security vulnerabilities and coding errors.

dependabot-auto-merge.yml — Auto-Merge Dependabot PRs

Triggers on pull_request_target for PRs opened by dependabot[bot]. Uses dependabot/fetch-metadata to classify the version bump, then enables auto-merge (rebase strategy) for patch and minor updates only. Major version bumps are left for manual review.

Auto-merge is gated by branch protection — the PR won't actually merge until the test and Analyze (go) status checks pass.

Security note: This workflow deliberately does not check out PR code. It only reads dependabot metadata and calls gh pr merge. A comment at the top of the file explains why — do not add a checkout step without understanding the pull_request_target security model.

go-version-bump.yml — Go Toolchain Auto-Bump

Runs daily at 14:00 UTC (plus manual workflow_dispatch). Checks go.dev/dl/?mode=json for the latest stable Go release and compares it to the toolchain directive in go.mod. If they differ:

  1. Creates branch auto/bump-go-toolchain-<version>
  2. Runs go mod edit -toolchain=go<version> + go mod tidy
  3. Opens a PR and enables auto-merge (rebase)

Idempotent — if the branch already exists from a prior run, the workflow exits cleanly. The go X.Y minimum-version directive in go.mod is intentionally left alone; only the toolchain line floats.

Keeping Things Fresh

What How Frequency
Go modules Dependabot Weekly PRs, patch/minor auto-merged
GitHub Action pins Dependabot Weekly PRs, patch/minor auto-merged
Go toolchain in go.mod go-version-bump.yml Daily check, PR when new stable ships
Go in CI runners go-version: stable Always latest (no pin to manage)

Branch Protection

main requires the following checks before merge:

  • test — build, test, vet, staticcheck, gosec
  • Analyze (go) — CodeQL security analysis

Auto-merge is enabled. PRs queued with gh pr merge --auto --rebase will merge only after both checks pass.

Configuration Files

About

A BOSH template merge tool

Resources

Readme

License

MIT license
Activity

Stars

451 stars

Watchers

5 watching

Forks

79 forks
Report repository

Releases 87

v1.33.0 Latest
Apr 18, 2026
+ 86 releases

Packages

 
 
 

Contributors

Languages