chore: bump deps, bump GitHub Actions, widen Go support matrix#10
Merged
chore: bump deps, bump GitHub Actions, widen Go support matrix#10
Conversation
- `go get -u all` + `go mod tidy`, bumping:
- github.com/nlnwa/whatwg-url v0.5.0 -> v0.6.2
- github.com/bits-and-blooms/bitset v1.14.3 -> v1.24.4 (indirect)
- golang.org/x/exp to 2026-04-10
- golang.org/x/net v0.29.0 -> v0.53.0 (indirect, clears two moderate
Dependabot alerts — unreachable per govulncheck but bumped for
downstream hygiene)
- golang.org/x/text v0.18.0 -> v0.36.0 (indirect)
- go directive moves to 1.25.0 so the module builds on every currently
maintained Go release (1.25 and 1.26) and no older one.
- CI matrix now tests `['oldstable', 'stable']` so both maintained
versions are exercised automatically as Go rolls forward.
govulncheck reports 0 vulnerabilities. `go test -race ./...` passes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- actions/checkout v4 -> v6, actions/setup-go v5 -> v6,
golangci/golangci-lint-action v6 -> v9. shogo82148/actions-goveralls
stays on v1 (still the current major).
- Set GOTOOLCHAIN=local so setup-go's requested Go version is actually
used; without it the `oldstable` matrix entry can silently upgrade to
`stable` via the toolchain directive.
- golangci-lint-action v7+ uses golangci-lint v2, whose default lint
set is broader than v1's and trips on three pre-existing style rules.
Add a minimal .golangci.yml disabling them with the reason inline:
- ST1012: exported FooError variables are public API, renaming would
break consumers.
- ST1020 / ST1021: exported symbols are documented with a link to
the corresponding WHATWG spec paragraph, which is more useful than
a synthetic "Foo does..." sentence for a spec-conforming impl.
Fix the one DefaultPorts godoc (ST1022) in place rather than
silencing it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Without go-version, setup-go defaulted to 1.24 in the lint job, which is below the go.mod 1.25.0 floor; with GOTOOLCHAIN=local preventing auto-upgrade, golangci-lint failed to load packages. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates module dependencies and CI tooling to keep the project current, expand tested Go versions, and accommodate golangci-lint v2 defaults.
Changes:
- Bumped Go dependencies (
go get -u all,go mod tidy) and updatedgodirective to1.25.0. - Updated GitHub Actions versions and expanded CI Go matrix to
oldstable+stable, withGOTOOLCHAIN=local. - Added
.golangci.ymland adjustedDefaultPortsgodoc to align with newer linting behavior.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
parser.go |
Refines DefaultPorts documentation (exported map) for lint compliance/clarity. |
go.mod |
Updates Go version directive and dependency versions. |
go.sum |
Refreshes dependency checksums after upgrades/tidy. |
.golangci.yml |
Introduces golangci-lint configuration to suppress specific Staticcheck style rules. |
.github/workflows/ci.yaml |
Bumps action versions, expands Go test matrix, and sets GOTOOLCHAIN. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- DefaultPorts godoc: spell out that mutating the exported map is only safe during package initialization / before concurrent use, since it is a plain Go map with no locking. - CI env comment: the go.mod here has no toolchain directive, so rephrase GOTOOLCHAIN=local's rationale in terms of Go's automatic toolchain download behavior in general. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
go get -u all+go mod tidy. Notable:whatwg-urlv0.5.0 → v0.6.2,x/netv0.29.0 → v0.53.0 (indirect, closes the two open Dependabot alerts — unreachable per govulncheck but bumped for downstream hygiene).godirective set to1.25.0so the module builds on every currently maintained Go release (1.25, 1.26).['oldstable', 'stable']so both maintained versions are exercised automatically as Go rolls forward.actions/checkoutv4 → v6,actions/setup-gov5 → v6,golangci/golangci-lint-actionv6 → v9.shogo82148/actions-goverallsstays on v1 (still current major).GOTOOLCHAIN: localat the workflow level so theoldstablematrix entry isn't silently upgraded via atoolchaindirective.golangci-lint-actionv7+ uses golangci-lint v2, whose default lint set trips on pre-existing style rules. Added a minimal.golangci.ymldisabling three with inline justification (exportedFooErrorpublic API →ST1012; spec-URL godocs →ST1020/ST1021) and fixed the oneDefaultPortsgodoc in place.govulncheck ./...reports 0 vulnerabilities.go test -race ./...andgolangci-lint runboth clean.