添加安全转义功能以及增补注释和文档

Author: yyle88

.github/workflows/release.yml

@@ -0,0 +1,118 @@
+name: create-release
+
+on:
+  push:
+    branches:
+      - main  # 监听 main 分支的 push 操作（编译和测试/代码检查）
+    tags:
+      - 'v*'  # 监听以 'v' 开头的标签的 push 操作（发布 Release）
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: true
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v8
+        with:
+          version: latest
+          args: --timeout=5m
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go: [ "1.22.x", "1.23.x", "1.24.x", "1.25.x", "stable" ]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go }}
+          cache: true
+
+      - name: Run govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          go-version-input: ${{ matrix.go }}
+          go-package: ./...
+        continue-on-error: true  # 报错时允许工作流继续执行，因为项目依赖的底层包也会有错，很难做到百分百没问题，只打印检测结果就行
+
+      - name: Run test
+        run: make test COVERAGE_DIR=/tmp/coverage
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: test-results-${{ matrix.go }}
+          path: /tmp/coverage/
+          retention-days: 30
+
+      - name: Send goveralls coverage
+        uses: shogo82148/actions-goveralls@v1
+        with:
+          path-to-profile: /tmp/coverage/combined.txt
+          flag-name: Go-${{ matrix.go }}
+          parallel: true
+        if: ${{ github.event.repository.fork == false }}  # 仅在非 fork 时上传覆盖率
+
+  check-coverage:
+    name: Check coverage
+    needs: [ test ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: shogo82148/actions-goveralls@v1
+        with:
+          parallel-finished: true
+        if: ${{ github.event.repository.fork == false }}  # 仅在非 fork 时检查覆盖率
+
+  # 代码质量分析
+  code-analysis:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+
+      - name: Auto Build
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+
+  # 发布 Release
+  release:
+    name: Release a new version
+    needs: [ lint, test, check-coverage, code-analysis ]
+    runs-on: ubuntu-latest
+    # 仅在推送标签时执行 - && - 仅在非 fork 时执行发布
+    if: ${{ github.event.repository.fork == false && success() && startsWith(github.ref, 'refs/tags/v') }}
+    steps:
+      # 1. 检出代码
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # 获取完整历史用于生成更好的 release notes
+
+      # 2. 创建 Release 和上传源码包
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Makefile

@@ -0,0 +1,10 @@
+COVERAGE_DIR ?= .coverage.out
+
+# cp from: https://github.com/yyle88/gormrepo/blob/c31435669714611c9ebde6975060f48cd5634451/Makefile#L4
+test:
+	@if [ -d $(COVERAGE_DIR) ]; then rm -r $(COVERAGE_DIR); fi
+	@mkdir $(COVERAGE_DIR)
+	make test-with-flags TEST_FLAGS='-v -race -covermode atomic -coverprofile $$(COVERAGE_DIR)/combined.txt -bench=. -benchmem -timeout 20m'
+
+test-with-flags:
+	@go test $(TEST_FLAGS) ./...