Skip to content

ci: lint with go vet, pin Go from go.mod#21

Merged
jabawack81 merged 1 commit into
mainfrom
ci/lint-go-vet
Jul 4, 2026
Merged

ci: lint with go vet, pin Go from go.mod#21
jabawack81 merged 1 commit into
mainfrom
ci/lint-go-vet

Conversation

@jabawack81

@jabawack81 jabawack81 commented Jul 4, 2026

Copy link
Copy Markdown
Member

Why

Every PR (including Dependabot #20) has been failing its build check — but not because of the change. The lint step dies with:

can't load config: the Go language version (go1.24) used to build golangci-lint is lower than the targeted Go version (1.25.0)

golangci-lint-action@v4 + version: latest installs a linter built on go1.24, which refuses to lint a module targeting go 1.25, and setup-go was pinned to a stale 1.23.0.

What

  • Replace the golangci-lint step with go vet ./... — matches the make lint command documented in the Makefile/AGENTS.md, and removes the linter-vs-Go-version treadmill.
  • Read the Go version from go.mod (go-version-file) so it can't drift again.
  • Bump deprecated actions/cache@v3v4.

Verified locally (go1.25.0)

go build, go test -race, and go vet all pass.

Unblocks #20.

Summary by CodeRabbit

  • Chores
    • Updated the Go build and test workflow to use newer automation actions and follow the Go version from the project configuration.
    • Added an extra Go validation step to catch issues earlier during checks.
    • Removed one linter step from the workflow.

The build was failing on every PR: golangci-lint (latest, built on go1.24)
refuses to lint a module targeting go1.25, and setup-go was pinned to a stale
1.23.0. Switch the lint step to `go vet` (matching the Makefile/AGENTS.md lint
command) and read the Go version from go.mod so it can't drift again. Bump the
deprecated actions/cache@v3 to v4.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XmZfFD3t4UYB7TKstGj8QP
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Updates the Go GitHub Actions workflow: bumps actions/cache to v4 and actions/setup-go to v5 (using go-version-file instead of a hardcoded version), adds a go vet ./... step, and removes the golangci-lint step.

Changes

CI Workflow Update

Layer / File(s) Summary
Go workflow action and step updates
.github/workflows/go.yml
Cache action bumped to v4, setup-go bumped to v5 with go-version-file: go.mod, go vet ./... added, golangci-lint step removed.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Poem

A hop, a skip, a workflow spin,
New cache, new setup, vet steps in.
The linter waved and hopped away,
Fresh Go tools for a brighter day! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main CI changes: replacing golangci-lint with go vet and reading the Go version from go.mod.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/go.yml:
- Line 24: The workflow uses unpinned GitHub Actions references, so update both
actions/cache and actions/setup-go in the go workflow to be pinned to specific
commit SHAs instead of version tags. Follow the existing actions/checkout
pattern in the same file by replacing the tag-based references with SHA-pinned
ones and adding the version comment convention used in the repo. Focus on the
cache and Go setup steps so the workflow remains functionally the same while
satisfying the supply-chain hardening rule.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 02cc8fb5-0cfe-42e1-9f6d-684e15645a5e

📥 Commits

Reviewing files that changed from the base of the PR and between 29ae0ea and 34199dd.

📒 Files selected for processing (1)
  • .github/workflows/go.yml
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: build
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/go.yml

[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (1)
.github/workflows/go.yml (1)

34-39: LGTM!

Comment thread .github/workflows/go.yml

- name: Cache Go modules
uses: actions/cache@v3
uses: actions/cache@v4

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Pin actions to a commit SHA for supply-chain hardening.

zizmor flags both actions/cache@v4 and actions/setup-go@v5 as unpinned. Tag references can be moved/re-tagged; pinning to a commit SHA (with a version comment) is the recommended hardening practice. This mirrors the existing actions/checkout@v4 pattern in the file, so it's a repo-wide convention rather than a new regression, but worth addressing given the blanket policy the linter is enforcing.

🔒 Example of SHA-pinning
-        uses: actions/cache@v4
+        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf22 # v4.2.0
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0

Also applies to: 34-34

🧰 Tools
🪛 zizmor (1.26.1)

[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/go.yml at line 24, The workflow uses unpinned GitHub
Actions references, so update both actions/cache and actions/setup-go in the go
workflow to be pinned to specific commit SHAs instead of version tags. Follow
the existing actions/checkout pattern in the same file by replacing the
tag-based references with SHA-pinned ones and adding the version comment
convention used in the repo. Focus on the cache and Go setup steps so the
workflow remains functionally the same while satisfying the supply-chain
hardening rule.

Source: Linters/SAST tools

@jabawack81 jabawack81 added this pull request to the merge queue Jul 4, 2026
Merged via the queue into main with commit 84d44e7 Jul 4, 2026
2 checks passed
@jabawack81 jabawack81 deleted the ci/lint-go-vet branch July 4, 2026 15:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant