docker · doringeman · May 13, 2026 · May 13, 2026 · May 13, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,10 +26,14 @@ jobs:
           go-version: ${{ steps.versions.outputs.go-version }}
           cache: true
 
+      - name: Load golangci-lint version
+        id: golangci-lint-version
+        run: echo "version=$(grep '^GOLANGCI_LINT_VERSION=' .versions | cut -d= -f2)" >> "$GITHUB_OUTPUT"
+
       - name: Install golangci-lint
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20
         with:
-          version: v2.10.1
+          version: ${{ steps.golangci-lint-version.outputs.version }}
           install-only: true
 
       - name: Run linting for ${{ matrix.goos }}

diff --git a/.golangci.yml b/.golangci.yml
@@ -149,6 +149,7 @@ linters:
         - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
         - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
         - G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
+        - G122 # G122: Filesystem operation in Walk/WalkDir callback; fixing requires os.Root refactor.
         - G703 # G703: Path traversal via taint analysis; too many false positives.
         - G704 # G704: SSRF via taint analysis; too many false positives on internal HTTP clients.
         - G705 # G705: XSS via taint analysis; too many false positives.

diff --git a/.versions b/.versions
@@ -1,4 +1,5 @@
 GO_VERSION=1.25
+GOLANGCI_LINT_VERSION=v2.12.2
 VLLM_VERSION=0.19.1
 VLLM_UPSTREAM_VERSION=0.19.0
 VLLM_METAL_RELEASE=v0.2.0-20260420-142150

diff --git a/pkg/distribution/oci/remote/range_redirect_test.go b/pkg/distribution/oci/remote/range_redirect_test.go
@@ -459,7 +459,7 @@ func TestRangeTransport_MaxRedirectsExceeded(t *testing.T) {
 
 	// Server that always redirects to itself (infinite redirect loop).
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		http.Redirect(w, r, r.URL.String(), http.StatusFound)
+		http.Redirect(w, r, r.URL.String(), http.StatusFound) //nolint:gosec // G710: intentional self-redirect to test redirect-limit logic
 	}))
 	defer srv.Close()
 

diff --git a/pkg/inference/scheduling/http_handler.go b/pkg/inference/scheduling/http_handler.go
@@ -483,7 +483,8 @@ func (h *HTTPHandler) Configure(w http.ResponseWriter, r *http.Request) {
 
 	// Preload the model in the background by calling handleOpenAIInference with preload-only context.
 	// This makes Compose preload the model as well as it calls `configure` by default.
-	go func() {
+	userAgent := r.UserAgent()
+	go func() { //nolint:gosec // G118: context.Background intentional — preload must outlive the request context
 		preloadBody, err := json.Marshal(OpenAIInferenceRequest{Model: configureRequest.Model})
 		if err != nil {
 			h.scheduler.log.Warn("failed to marshal preload request body", "error", err)
@@ -501,7 +502,7 @@ func (h *HTTPHandler) Configure(w http.ResponseWriter, r *http.Request) {
 			h.scheduler.log.Warn("failed to create preload request", "error", err)
 			return
 		}
-		preloadReq.Header.Set("User-Agent", r.UserAgent())
+		preloadReq.Header.Set("User-Agent", userAgent)
 		if backend != nil {
 			preloadReq.SetPathValue("backend", backend.Name())
 		}