Summary
golangci-lint needs to access packages in GOMODCACHE, which sits outside the repository directory. In Codex CLI that location is not reachable without elevated permissions, so running golangci-lint run ./... without elevation always fails with:
go tool github.com/golangci/golangci-lint/cmd/golangci-lint run ./...
level=error msg="Running error: context loading failed: no go files to analyze: running `go mod tidy` may solve the problem"
Because Codex decides whether to elevate by heuristically interpreting command output, it misclassifies this message as “no elevation required,” so the lint cannot succeed unless permissions are raised.
With approval_policy=on-request, the user can still force elevation manually, but under approval_policy=on-failure the CLI refuses to elevate altogether, so golangci-lint becomes unusable.
Steps to Reproduce
approval_policy=on-request
- Start Codex CLI with
approval_policy=on-request.
- In a Go project, execute
golangci-lint run ./... without elevation.
- The command fails every time with:
go tool github.com/golangci/golangci-lint/cmd/golangci-lint run ./...
level=error msg="Running error: context loading failed: no go files to analyze: running `go mod tidy` may solve the problem"
- Ask Codex explicitly to rerun the same command with elevated permissions; once elevated, the lint succeeds.
approval_policy=on-failure
- Start Codex CLI with
approval_policy=on-failure.
- Execute
golangci-lint run ./....
- The CLI prints the same error and blocks the command.
- Because the CLI has already decided elevation is unnecessary, the user has no way to request it, so the lint never succeeds.
Expected Behavior
- approval_policy=on-request: When
golangci-lint requires elevated permissions, the CLI should prompt or otherwise make it clear that elevation is needed.
- approval_policy=on-failure: Even if the heuristic misclassifies the failure, the user should still have an explicit option to request elevation manually.
Actual Behavior
- approval_policy=on-request: The CLI does not elevate automatically, but the user can succeed by explicitly requesting elevation.
- approval_policy=on-failure: The CLI blocks elevation entirely based on its heuristic decision, making
golangci-lint unusable.
Environment
- macOS 15.6.1 (24G90)
- Codex CLI 0.49.0
- Go 1.25.3 (darwin/arm64)
- golangci-lint 1.64.8
Summary
golangci-lintneeds to access packages inGOMODCACHE, which sits outside the repository directory. In Codex CLI that location is not reachable without elevated permissions, so runninggolangci-lint run ./...without elevation always fails with:Because Codex decides whether to elevate by heuristically interpreting command output, it misclassifies this message as “no elevation required,” so the lint cannot succeed unless permissions are raised.
With
approval_policy=on-request, the user can still force elevation manually, but underapproval_policy=on-failurethe CLI refuses to elevate altogether, sogolangci-lintbecomes unusable.Steps to Reproduce
approval_policy=on-request
approval_policy=on-request.golangci-lint run ./...without elevation.approval_policy=on-failure
approval_policy=on-failure.golangci-lint run ./....Expected Behavior
golangci-lintrequires elevated permissions, the CLI should prompt or otherwise make it clear that elevation is needed.Actual Behavior
golangci-lintunusable.Environment