sync: update 5 files from source repository (#51)

Author: mrz1836

.github/.env.base

@@ -291,7 +291,7 @@ NANCY_EXCLUDES=CVE-2024-38513,CVE-2023-45142
 # Github Secret(s): OSSI_USERNAME and OSSI_TOKEN
 
 # Security Tools
-GITLEAKS_VERSION=8.29.0                # https://github.com/gitleaks/gitleaks/releases
+GITLEAKS_VERSION=8.29.1                # https://github.com/gitleaks/gitleaks/releases
 GOVULNCHECK_VERSION=v1.1.4             # https://pkg.go.dev/golang.org/x/vuln
 NANCY_VERSION=v1.0.51                  # https://github.com/sonatype-nexus-community/nancy/releases
 
@@ -300,7 +300,7 @@ NANCY_VERSION=v1.0.51                  # https://github.com/sonatype-nexus-commu
 # ================================================================================================
 
 # Pre-Commit System
-GO_PRE_COMMIT_VERSION=v1.4.2             # https://github.com/mrz1836/go-pre-commit/releases
+GO_PRE_COMMIT_VERSION=v1.4.3             # https://github.com/mrz1836/go-pre-commit/releases
 GO_PRE_COMMIT_USE_LOCAL=false            # Use local version for development
 
 # System Settings
@@ -312,6 +312,7 @@ GO_PRE_COMMIT_PARALLEL_WORKERS=2
 GO_PRE_COMMIT_LOG_LEVEL=debug
 GO_PRE_COMMIT_MAX_FILE_SIZE_MB=10
 GO_PRE_COMMIT_MAX_FILES_OPEN=100
+GO_PRE_COMMIT_DEBUG=false                # Enable verbose debug output for tool caching and locations
 
 # File Detection Strategy for CI
 # true = Check all repository files (comprehensive but slower)
@@ -322,7 +323,7 @@ GO_PRE_COMMIT_ALL_FILES=true
 GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.6.2     # https://github.com/golangci/golangci-lint/releases
 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2             # https://github.com/mvdan/gofumpt/releases
 GO_PRE_COMMIT_GOIMPORTS_VERSION=latest         # https://github.com/golang/tools
-GO_PRE_COMMIT_GITLEAKS_VERSION=v8.29.0         # https://github.com/gitleaks/gitleaks/releases
+GO_PRE_COMMIT_GITLEAKS_VERSION=v8.29.1         # https://github.com/gitleaks/gitleaks/releases
 
 # Build tags for golangci-lint and other tools
 GO_PRE_COMMIT_BUILD_TAGS=

.github/workflows/auto-merge-on-approval.yml

@@ -88,6 +88,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write # Required: Update PR status and enable auto-merge
+      issues: write # Required: Add labels and create comments
     outputs:
       action-taken: ${{ steps.process.outputs.action }}
       pr-number: ${{ github.event.pull_request.number }}

.github/workflows/fortress-code-quality.yml

@@ -273,7 +273,48 @@ jobs:
           echo "version=${{ env.MAGE_X_GOLANGCI_LINT_VERSION }}" >> $GITHUB_OUTPUT
 
       # --------------------------------------------------------------------
-      # Restore Cache golangci-lint
+      # Cache golangci-lint binary (prevents re-downloading)
+      # --------------------------------------------------------------------
+      - name: 💾 Restore golangci-lint binary cache
+        id: cache-golangci-lint-binary
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.cache/golangci-lint-bin
+          key: ${{ inputs.primary-runner }}-golangci-lint-binary-${{ env.MAGE_X_GOLANGCI_LINT_VERSION }}
+
+      # --------------------------------------------------------------------
+      # Install cached golangci-lint binary to GOPATH/bin
+      # --------------------------------------------------------------------
+      - name: 📦 Install cached golangci-lint binary
+        if: steps.cache-golangci-lint-binary.outputs.cache-hit == 'true'
+        run: |
+          echo "📦 Restoring cached golangci-lint binary..."
+          GOPATH_BIN="$(go env GOPATH)/bin"
+          mkdir -p "$GOPATH_BIN"
+
+          if [[ -f ~/.cache/golangci-lint-bin/golangci-lint ]]; then
+            cp ~/.cache/golangci-lint-bin/golangci-lint "$GOPATH_BIN/"
+            chmod +x "$GOPATH_BIN/golangci-lint"
+            echo "✅ Cached golangci-lint binary installed to $GOPATH_BIN"
+            echo "📍 Version: $(golangci-lint --version | head -n1 || echo 'version check failed')"
+          else
+            echo "⚠️ Cache hit but binary not found, will install via MAGE-X"
+          fi
+
+      # --------------------------------------------------------------------
+      # Cache golangci-lint build cache (prevents re-compiling)
+      # --------------------------------------------------------------------
+      - name: 💾 Cache golangci-lint build cache
+        id: cache-golangci-lint-build
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.cache/go-build
+          key: ${{ inputs.primary-runner }}-go-build-golangci-${{ env.MAGE_X_GOLANGCI_LINT_VERSION }}-${{ hashFiles('**/*.go') }}
+          restore-keys: |
+            ${{ inputs.primary-runner }}-go-build-golangci-${{ env.MAGE_X_GOLANGCI_LINT_VERSION }}-
+
+      # --------------------------------------------------------------------
+      # Cache golangci-lint analysis results
       # --------------------------------------------------------------------
       - name: 💾 Cache golangci-lint analysis
         id: cache-golangci-lint
@@ -313,6 +354,24 @@ jobs:
 
           echo "✅ Code linting completed successfully"
 
+      # --------------------------------------------------------------------
+      # Save golangci-lint binary to cache (on cache miss)
+      # --------------------------------------------------------------------
+      - name: 💾 Save golangci-lint binary to cache
+        if: steps.cache-golangci-lint-binary.outputs.cache-hit != 'true'
+        run: |
+          echo "💾 Caching golangci-lint binary for future runs..."
+          GOPATH_BIN="$(go env GOPATH)/bin"
+          mkdir -p ~/.cache/golangci-lint-bin
+
+          if [[ -f "$GOPATH_BIN/golangci-lint" ]]; then
+            cp "$GOPATH_BIN/golangci-lint" ~/.cache/golangci-lint-bin/
+            echo "✅ golangci-lint binary cached"
+            echo "📊 Binary size: $(du -h "$GOPATH_BIN/golangci-lint" | cut -f1)"
+          else
+            echo "⚠️ golangci-lint binary not found at $GOPATH_BIN, cannot cache"
+          fi
+
       # --------------------------------------------------------------------
       # Summary of golangci-lint results
       # --------------------------------------------------------------------
@@ -324,7 +383,8 @@ jobs:
           echo "|---|---|" >> $GITHUB_STEP_SUMMARY
           echo "| **Configuration** | Custom ruleset via .golangci.json |" >> $GITHUB_STEP_SUMMARY
           echo "| **Version** | ${{ steps.golangci-lint-version.outputs.version }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| **Cache** | 💾 Analysis cache enabled |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Binary Cache** | ${{ steps.cache-golangci-lint-binary.outputs.cache-hit == 'true' && '💚 Cache Hit' || '📦 Downloaded & Cached' }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Analysis Cache** | 💾 Enabled |" >> $GITHUB_STEP_SUMMARY
           echo "| **Result** | ✅ All checks passed |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "🎯 **Code quality standards met - no linting issues found.**" >> $GITHUB_STEP_SUMMARY

.github/workflows/fortress-pre-commit.yml

@@ -131,7 +131,9 @@ jobs:
 
       # --------------------------------------------------------------------
       # Restore (and later save) a compact cache for go-pre-commit tools
-      # (golangci-lint, gofumpt) to avoid reinstalling on every run
+      # Primary: gitleaks (installed as binary by go-pre-commit)
+      # Note: golangci-lint, gofumpt, goimports are managed by MAGE-X/other workflows
+      # Cache key includes all versions to invalidate when any tool version changes
       # --------------------------------------------------------------------
       - name: 💾 Restore go-pre-commit tools cache
         id: go-pre-commit-tools-cache
@@ -157,12 +159,13 @@ jobs:
           if [[ -f "$GO_PRE_COMMIT_BIN" ]]; then
             echo "✅ Using cached go-pre-commit binary"
             cp "$GO_PRE_COMMIT_BIN" "$GOPATH_BIN/"
+            chmod +x "$GOPATH_BIN/go-pre-commit"
           fi
 
           # If we restored tools cache, copy them to GOPATH/bin
           if [[ -d "$TOOLS_DIR" ]]; then
             echo "✅ Using cached go-pre-commit tools"
-            for tool in golangci-lint gofumpt; do
+            for tool in golangci-lint gofumpt gitleaks goimports; do
               if [[ -f "$TOOLS_DIR/$tool" ]]; then
                 echo "  • Restoring cached $tool"
                 cp "$TOOLS_DIR/$tool" "$GOPATH_BIN/"
@@ -535,6 +538,53 @@ jobs:
             echo "files_found=false" >> $GITHUB_OUTPUT
           fi
 
+      # --------------------------------------------------------------------
+      # Debug: Show tool locations before go-pre-commit runs
+      # Only runs when GO_PRE_COMMIT_DEBUG=true
+      # --------------------------------------------------------------------
+      - name: 🔍 Debug tool locations (before execution)
+        if: steps.install-pre-commit.outputs.install_success == 'true' || steps.install-pre-commit-cached.outputs.install_success == 'true'
+        run: |
+          # Skip debug output unless explicitly enabled
+          if [[ "${{ env.GO_PRE_COMMIT_DEBUG }}" != "true" ]]; then
+            echo "🔍 Debug mode disabled (set GO_PRE_COMMIT_DEBUG=true to enable)"
+            exit 0
+          fi
+
+          echo "🔍 Checking tool locations BEFORE go-pre-commit execution..."
+          echo "============================================================"
+          GOPATH_BIN="$(go env GOPATH)/bin"
+          echo ""
+          echo "📂 GOPATH/bin contents ($GOPATH_BIN):"
+          if [[ -d "$GOPATH_BIN" ]]; then
+            for tool in golangci-lint gofumpt gitleaks goimports go-pre-commit; do
+              if [[ -f "$GOPATH_BIN/$tool" ]]; then
+                SIZE=$(du -h "$GOPATH_BIN/$tool" 2>/dev/null | cut -f1)
+                echo "  ✅ $tool: $SIZE"
+              else
+                echo "  ❌ $tool: NOT FOUND"
+              fi
+            done
+          else
+            echo "  ❌ Directory does not exist"
+          fi
+          echo ""
+          echo "📂 ~/.cache/go-pre-commit contents:"
+          if [[ -d "$HOME/.cache/go-pre-commit" ]]; then
+            echo "  Directory exists"
+            find "$HOME/.cache/go-pre-commit" -type f -name "golangci-lint" -o -name "gofumpt" -o -name "gitleaks" -o -name "goimports" 2>/dev/null || echo "  No tools found"
+          else
+            echo "  ❌ Directory does not exist"
+          fi
+          echo ""
+          echo "📂 ~/.cache/go-pre-commit-tools contents:"
+          if [[ -d "$HOME/.cache/go-pre-commit-tools" ]]; then
+            ls -lah "$HOME/.cache/go-pre-commit-tools" 2>/dev/null || echo "  Empty"
+          else
+            echo "  ❌ Directory does not exist"
+          fi
+          echo "============================================================"
+
       # --------------------------------------------------------------------
       # Run pre-commit checks
       # --------------------------------------------------------------------
@@ -644,12 +694,73 @@ jobs:
           echo ""
           echo "✅ All pre-commit checks passed successfully"
 
+      # --------------------------------------------------------------------
+      # Debug: Show tool locations after go-pre-commit runs
+      # Only runs when GO_PRE_COMMIT_DEBUG=true
+      # --------------------------------------------------------------------
+      - name: 🔍 Debug tool locations (after execution)
+        if: always() && (steps.install-pre-commit.outputs.install_success == 'true' || steps.install-pre-commit-cached.outputs.install_success == 'true')
+        run: |
+          # Skip debug output unless explicitly enabled
+          if [[ "${{ env.GO_PRE_COMMIT_DEBUG }}" != "true" ]]; then
+            echo "🔍 Debug mode disabled (set GO_PRE_COMMIT_DEBUG=true to enable)"
+            exit 0
+          fi
+
+          echo "🔍 Checking tool locations AFTER go-pre-commit execution..."
+          echo "==========================================================="
+          GOPATH_BIN="$(go env GOPATH)/bin"
+          echo ""
+          echo "📂 GOPATH/bin contents ($GOPATH_BIN):"
+          if [[ -d "$GOPATH_BIN" ]]; then
+            for tool in golangci-lint gofumpt gitleaks goimports go-pre-commit; do
+              if [[ -f "$GOPATH_BIN/$tool" ]]; then
+                SIZE=$(du -h "$GOPATH_BIN/$tool" 2>/dev/null | cut -f1)
+                VERSION=$("$GOPATH_BIN/$tool" --version 2>&1 | head -1 || echo "unknown")
+                echo "  ✅ $tool: $SIZE - $VERSION"
+              else
+                echo "  ❌ $tool: NOT FOUND"
+              fi
+            done
+          else
+            echo "  ❌ Directory does not exist"
+          fi
+          echo ""
+          echo "📂 ~/.cache/go-pre-commit contents:"
+          if [[ -d "$HOME/.cache/go-pre-commit" ]]; then
+            echo "  📊 Directory exists - checking for tools:"
+            find "$HOME/.cache/go-pre-commit" -type f \( -name "golangci-lint" -o -name "gofumpt" -o -name "gitleaks" -o -name "goimports" \) -exec ls -lh {} \; 2>/dev/null || echo "    No tools found"
+            echo "  📊 Directory size: $(du -sh "$HOME/.cache/go-pre-commit" 2>/dev/null | cut -f1)"
+          else
+            echo "  ❌ Directory does not exist"
+          fi
+          echo ""
+          echo "📂 ~/.cache/go-pre-commit-tools contents:"
+          if [[ -d "$HOME/.cache/go-pre-commit-tools" ]]; then
+            echo "  📊 Directory exists:"
+            ls -lah "$HOME/.cache/go-pre-commit-tools" 2>/dev/null || echo "    Empty"
+            echo "  📊 Directory size: $(du -sh "$HOME/.cache/go-pre-commit-tools" 2>/dev/null | cut -f1)"
+          else
+            echo "  ❌ Directory does not exist"
+          fi
+          echo ""
+          echo "📂 Searching entire home directory for tool binaries:"
+          echo "  (This may take a moment...)"
+          for tool in golangci-lint gofumpt gitleaks goimports; do
+            echo "  🔍 Searching for $tool:"
+            find "$HOME" -type f -name "$tool" 2>/dev/null | head -5 | sed 's/^/    /' || echo "    Not found"
+          done
+          echo "==========================================================="
+
       # --------------------------------------------------------------------
       # Cache tools that were installed during pre-commit execution
-      # This step ensures tools like golangci-lint and gofumpt are cached for future runs
+      # Primary tool: gitleaks (installed as binary by go-pre-commit)
+      # Note: golangci-lint, gofumpt, goimports are not installed as binaries
+      #       (managed by MAGE-X or invoked via go run by go-pre-commit)
+      # Runs on every successful execution to ensure cache is always complete and up-to-date
       # --------------------------------------------------------------------
       - name: 💾 Cache go-pre-commit tools after installation
-        if: steps.go-pre-commit-tools-cache.outputs.cache-hit != 'true' && (steps.install-pre-commit.outputs.install_success == 'true' || steps.install-pre-commit-cached.outputs.install_success == 'true')
+        if: steps.install-pre-commit.outputs.install_success == 'true' || steps.install-pre-commit-cached.outputs.install_success == 'true'
         run: |
           set -euo pipefail  # Enable strict error handling
           echo "💾 Caching go-pre-commit tools..."
@@ -660,7 +771,7 @@ jobs:
           mkdir -p "$TOOLS_DIR"
 
           # Cache tools that may have been installed by go-pre-commit
-          for tool in golangci-lint gofumpt; do
+          for tool in golangci-lint gofumpt gitleaks goimports; do
             if [[ -f "$GOPATH_BIN/$tool" ]]; then
               echo "  • Caching $tool"
               cp "$GOPATH_BIN/$tool" "$TOOLS_DIR/"

.github/workflows/fortress.yml

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------------------
 #  🏰 GoFortress - Enterprise-grade CI/CD fortress for Go applications
 #
-#  Version: 1.1.0 | Released: 2025-09-15
+#  Version: 1.2.0 | Released: 2025-11-20
 #
 #  Built Strong. Tested Harder.
 #