ci: fix lint (toolchain skew) and vuln (stdlib CVE) gates#22
Merged
Conversation
Two CI gates were red for reasons unrelated to any code change:
- lint: golangci-lint-action / golangci-lint:latest shipped a binary built
with an older Go toolchain, which refuses to analyse a module that targets
a newer Go ("language version ... lower than the targeted Go version").
Build golangci-lint from source with the job's own toolchain instead, so
the linter's Go version stays in lockstep with the module.
- vuln: govulncheck flagged two crypto/x509 stdlib CVEs present in go1.25.10
(fixed in go1.25.11). Pin the toolchain to 1.25.11.
Applied identically to the GitHub Actions workflow and the authoritative
Woodpecker pipeline for mirror parity. CI-only chore; no version bump.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Both failing checks on #21 were environmental, not code:
version: latest/golangci-lint:latestimage) was built with an older Go toolchain and refused to analyse a module targeting a newer Go (exit code 3, "language version ... lower than the targeted Go version"). Fixed by building golangci-lint from source with the job's own toolchain.govulncheckflagged twocrypto/x509stdlib CVEs in go1.25.10, fixed in go1.25.11. Pinned the toolchain to1.25.11.Applied to both
.github/workflows/ci.ymland the authoritative.woodpecker.yml. CI-only; no code or version change. This PR's own run validates the fix.🤖 Generated with Claude Code