build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1

[dependabot]

Bumps golangci/golangci-lint-action from 9.2.0 to 9.2.1.

Release notes

Sourced from golangci/golangci-lint-action's releases.

v9.2.1

What's Changed

IMPORTANT: this is the first immutable release.

Changes

• chore: improve workflows by @​ldez in golangci/golangci-lint-action#1394

Dependencies

• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in golangci/golangci-lint-action#1325
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1326
• build(deps): bump the dependencies group with 4 updates by @​dependabot[bot] in golangci/golangci-lint-action#1327
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1328
• build(deps): bump @​types/node from 25.0.2 to 25.0.3 in the dependencies group by @​dependabot[bot] in golangci/golangci-lint-action#1329
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1330
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1332
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1333
• build(deps): bump the dependencies group with 6 updates by @​dependabot[bot] in golangci/golangci-lint-action#1334
• build(deps-dev): bump the dev-dependencies group with 4 updates by @​dependabot[bot] in golangci/golangci-lint-action#1335
• build(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1336
• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in golangci/golangci-lint-action#1337
• build(deps): bump @​types/node from 25.0.9 to 25.0.10 in the dependencies group by @​dependabot[bot] in golangci/golangci-lint-action#1338
• build(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 by @​dependabot[bot] in golangci/golangci-lint-action#1339
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1340
• build(deps-dev): bump the dev-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in golangci/golangci-lint-action#1344
• build(deps): bump fast-xml-parser from 5.3.4 to 5.3.6 by @​dependabot[bot] in golangci/golangci-lint-action#1346
• build(deps): bump minimatch by @​dependabot[bot] in golangci/golangci-lint-action#1348
• build(deps): bump minimatch from 3.1.3 to 3.1.5 by @​dependabot[bot] in golangci/golangci-lint-action#1350
• build(deps): bump fast-xml-parser from 5.3.6 to 5.4.1 by @​dependabot[bot] in golangci/golangci-lint-action#1351
• build(deps): bump fast-xml-parser from 5.4.1 to 5.5.6 by @​dependabot[bot] in golangci/golangci-lint-action#1357
• build(deps): bump fast-xml-parser from 5.5.6 to 5.5.7 by @​dependabot[bot] in golangci/golangci-lint-action#1358
• build(deps-dev): bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in golangci/golangci-lint-action#1359
• build(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in golangci/golangci-lint-action#1364
• build(deps): bump yaml from 2.8.2 to 2.8.3 by @​dependabot[bot] in golangci/golangci-lint-action#1365
• build(deps): bump brace-expansion by @​dependabot[bot] in golangci/golangci-lint-action#1370
• build(deps-dev): bump the dev-dependencies group across 1 directory with 7 updates by @​ldez in golangci/golangci-lint-action#1374
• build(deps): bump github/codeql-action from 4 to 4.35.2 by @​dependabot[bot] in golangci/golangci-lint-action#1384
• build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 by @​dependabot[bot] in golangci/golangci-lint-action#1386
• build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 by @​dependabot[bot] in golangci/golangci-lint-action#1389
• build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 by @​dependabot[bot] in golangci/golangci-lint-action#1391

Full Changelog: golangci/golangci-lint-action@v9.2.0...v9.2.1

Commits

• 82606bf chore: prepare release v9.2.1
• 97c8387 chore: improve workflows (#1394)
• 28d0a19 build(deps): bump the dependencies group across 1 directory with 2 updates
• 633fbc7 build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 (#1391)
• 59f43e2 build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 (#1389)
• 9eb174e build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 (#1386)
• 4f52504 build(deps): bump github/codeql-action from 4 to 4.35.2 (#1384)
• 6f87dfd docs: update examples
• c9500d7 chore: improve workflows
• 03b1faa chore: improve issue templates
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[clawsweeper]

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-23 13:01 UTC / May 23, 2026, 9:01 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Updates the CI lint workflow's golangci/golangci-lint-action reference from v9.2.0 to v9.2.1.

Reproducibility: not applicable. this is a bot dependency bump to a CI action, not a bug report. The source check is the one-line workflow ref difference between current main and the PR head.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: The patch is a clean, narrow dependency bump with no concrete review findings; validation depends on normal CI rather than contributor proof.

Rank-up moves:

• none

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: This is a Dependabot bot PR, so contributor real-behavior proof is not required; the relevant validation is the workflow check run on the PR head.

Next step before merge
No repair lane is needed because the PR is already the narrow dependency update; the remaining action is normal CI and workflow-owner review.

Security
Cleared: The security-sensitive surface is limited to one existing GitHub Action version ref, with no new permissions, secrets, scripts, dependency sources, or downloaded artifacts introduced by the PR.

Review details

Best possible solution:

Let the one-line workflow dependency bump proceed through CI and the existing .github/workflows/ owner review path.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a bot dependency bump to a CI action, not a bug report. The source check is the one-line workflow ref difference between current main and the PR head.

Is this the best way to solve the issue?

Yes; updating the existing action reference in the existing lint step is the narrow maintainable way to take this patch release, with CI and workflow-owner review as validation.

Label justifications:

• P3: This is a low-risk CI dependency maintenance PR with no user-facing runtime behavior change.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and The patch is a clean, narrow dependency bump with no concrete review findings; validation depends on normal CI rather than contributor proof.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot PR, so contributor real-behavior proof is not required; the relevant validation is the workflow check run on the PR head.

What I checked:

• Current main uses old action ref: Current main pins the lint step to golangci/golangci-lint-action@v9.2.0, so the PR is not already implemented on the default branch. (.github/workflows/ci.yml:31, 638fa1c4565c)
• PR diff is one workflow dependency update: The PR head changes only .github/workflows/ci.yml, replacing v9.2.0 with v9.2.1 in the lint action step. (.github/workflows/ci.yml:31, 24414a49ea0a)
• Upstream action tags exist: The upstream action repository advertises both refs/tags/v9.2.0 and refs/tags/v9.2.1, matching the requested patch bump.
• Workflow ownership surface: Repository CODEOWNERS routes .github/workflows/ changes to @openclaw/openclaw-secops, so normal workflow-owner review is the right merge path. (.github/CODEOWNERS:4, 638fa1c4565c)
• Workflow history: git blame shows the current CI workflow and lint action pin were introduced in commit 118dea0a308d764b1f27ac535118af8676f0ddaa during the v0.9.1 release. (.github/workflows/ci.yml:31, 118dea0a308d)

Likely related people:

• Peter Steinberger: Blame and file history show the current CI workflow, CODEOWNERS baseline, and golangci/golangci-lint-action@v9.2.0 pin came from the v0.9.1 release commit. (role: workflow introducer; confidence: high; commits: 118dea0a308d; files: .github/workflows/ci.yml, .github/CODEOWNERS)
• Vincent Koc: The current main tip recently touched .github/CODEOWNERS and actionlint/Crabbox workflow-adjacent security surfaces, making this a likely routing candidate for CI ownership context. (role: recent adjacent workflow/security contributor; confidence: medium; commits: 638fa1c4565c; files: .github/CODEOWNERS, .github/actionlint.yaml, .crabbox.yaml)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 638fa1c4565c.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Tiny Diff Drake

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: finds missing screenshots.
Image traits: location branch lighthouse; accessory shell-shaped keyboard; palette amber, ink, and glacier blue; mood sleepy but ready; pose guarding a tiny green check; shell smooth pearl shell; lighting soft studio lighting; background quiet workflow signs.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Tiny Diff Drake in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.