Refactor CI and CQ

Author: ufukty

.github/workflows/ci.yml

@@ -1,62 +1,29 @@
 name: CI
 
 on:
-  push: {}
-  pull_request: {}
+  push:
+  pull_request:
 
 jobs:
-  go:
-    name: Go fmt, lint, build and test
+  Go:
     runs-on: ubuntu-latest
+    defaults:
+      run: { working-directory: backend }
     steps:
-      - name: check out code
-        uses: actions/checkout@v4
-
-      - name: set up go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.24.4"
-
-      - name: Cache Go modules
-        uses: actions/cache@v4
-        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-go-${{ hashFiles('backend/go.sum') }}
-          restore-keys: ${{ runner.os }}-go-
-
-      - name: go fmt
-        working-directory: backend
-        run: go fmt ./...
-
-      - name: get dependencies
-        working-directory: backend
-        run: go mod download
-
-      - name: check go.mod is tidy
-        working-directory: backend
-        run: |
-          go mod tidy
-          git diff --exit-code go.mod go.sum
-
-      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v8
-        with:
-          version: v2.1.0
-          working-directory: backend
-
-      - name: run tests
-        working-directory: backend
-        run: go test ./...
-
-  shell-lint:
-    name: Shell script linting
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with: { go-version-file: backend/go.mod, cache-dependency-path: backend/go.sum, cache: true }
+      - run: go fmt ./...
+      - run: go mod download
+      - run: go mod verify
+      - run: go mod tidy; git diff --exit-code go.mod go.sum
+      - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
+        with: { working-directory: backend }
+      - run: go test -race -v ./...
+
+  Shell:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install shellcheck
-        run: sudo apt-get update && sudo apt-get install -y shellcheck
-
-      - name: Run shellcheck
-        run: shellcheck $(find . -type f -name '*.sh' -not -path '*/site-packages/*' -not -path '*/vendor/*' -not -path '*/node_modules/*')
+      - uses: actions/checkout@v6
+      - run: sudo apt-get update && sudo apt-get install -y shellcheck
+      - run: shellcheck $(find . -type f -name '*.sh' -not -path '*/site-packages/*' -not -path '*/vendor/*' -not -path '*/node_modules/*')

.github/workflows/cq.yml

@@ -0,0 +1,62 @@
+name: Code Quality
+
+on:
+  push: { branches: [main] }
+  pull_request: { branches: [main] }
+  workflow_dispatch:
+  schedule: [cron: "30 4 * * *"]
+
+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+  Actions:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions: { security-events: write }
+    steps:
+      - uses: actions/checkout@v6
+      - uses: github/codeql-action/init@v4
+        with: { languages: actions, build-mode: none, queries: security-and-quality }
+      - uses: github/codeql-action/analyze@v4
+        with: { category: "/language:actions" }
+
+  Go:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions: { security-events: write }
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with: { go-version-file: go.mod, cache: true }
+      - run: go mod download
+      - run: go build ./...
+      - uses: github/codeql-action/init@v4
+        with: { languages: go, build-mode: autobuild, queries: security-and-quality }
+      - uses: github/codeql-action/analyze@v4
+        with: { category: "/language:go" }
+
+  JavaScript:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions: { security-events: write }
+    steps:
+      - uses: actions/checkout@v6
+      - uses: github/codeql-action/init@v4
+        with: { languages: javascript-typescript, build-mode: none, queries: security-and-quality }
+      - uses: github/codeql-action/analyze@v4
+        with: { category: "/language:javascript-typescript" }
+
+  Python:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions: { security-events: write }
+    steps:
+      - uses: actions/checkout@v6
+      - uses: github/codeql-action/init@v4
+        with: { languages: python, build-mode: none, queries: security-and-quality }
+      - uses: github/codeql-action/analyze@v4
+        with: { category: "/language:python" }