feat(hardening) Harden the CFN handler #157

	name: presubmit

	on:
	pull_request:
	branches:
	- dev

	env:
	GO_VERSION: 1.23.x
	ZIG_VERSION: 0.13.0
	GOLINT_ARGS: -v --allow-parallel-runners --timeout=10m --disable errcheck

	jobs:
	build:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout ⤵️
	uses: actions/checkout@v4

	- name: Version 🔢
	shell: bash
	id: version
	run: \|
	if [ "${{ github.event_name }}" == "pull_request" ]; then
	echo "GIT_SHA_SHORT="$(echo "${{ github.event.pull_request.head.sha }}" \| head -c 8)"" >> "$GITHUB_OUTPUT"
	exit 0
	fi
	echo "GIT_SHA_SHORT="$(git log --format="%H" -n 1 \| head -c 8)"" >> "$GITHUB_OUTPUT"

	- name: Setup Go 🛠️
	uses: actions/setup-go@v5
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Setup Zig 🛠️
	uses: goto-bus-stop/setup-zig@v2
	with:
	version: ${{ env.ZIG_VERSION }}

	- name: Test pkg library 🧪
	run: \|
	cd pkg
	go test -race -mod=readonly ./...

	- name: Test 🧪
	run: \|
	cd runtimes/cloudformation
	go test -race -mod=readonly ./...

	- name: Lint 🪥
	uses: golangci/golangci-lint-action@v6
	with:
	version: v1.60
	working-directory: ./runtimes/cloudformation/cmd/handler
	args: ${{ env.GOLINT_ARGS }}

	- name: Run GoReleaser 🏗️
	id: goreleaser
	uses: goreleaser/goreleaser-action@v6
	with:
	args: build --clean --snapshot --parallelism=1
	workdir: ./runtimes/cloudformation
	env:
	BUILD_VERSION: ${{ steps.version.outputs.GIT_SHA_SHORT }}
	GORELEASER_CURRENT_TAG: "0.0.0"

	- name: Archive Artifacts
	uses: actions/upload-artifact@v4
	with:
	name: handler-${{ steps.version.outputs.GIT_SHA_SHORT }}
	path: \|
	./runtimes/cloudformation/dist

Provide feedback