Skip to content

Commit e422f24

Browse files
authored
Add Go lint/vuln tooling and CI checks (#5)
## Summary - add a root `.golangci.yml` baseline using golangci-lint v2 config - add `make lint` and `make vuln` targets with binary presence checks - add a dedicated CI `lint` job running golangci-lint and govulncheck on pull requests - add `golangci-lint` and `govulncheck` to the Nix devshell package set - bump Go toolchain target to 1.25.7 and fix revive findings in package/blank-import comments ## Validation - `nix develop -c golangci-lint version` - `nix develop -c govulncheck -version` - `make lint` - `make vuln` - `GOFLAGS=-mod=vendor go test ./...` - `GOFLAGS=-mod=vendor go build ./...` --- <details> <summary>📋 Implementation Plan</summary> # Plan: Add Go linting, vulnerability scanning, CI integration, and devshell tools ## Context / Why This repository is currently a minimal Go skeleton with CI for vendoring, tests, and build, but no linting or vulnerability scanning. The goal is to add a pragmatic, high-signal lint/vuln baseline that: - runs locally via `make` targets, - runs in GitHub Actions on PRs, - and is available in the Nix devshell. This gives fast feedback early, keeps code quality consistent as the project grows, and preserves the repo’s existing vendoring conventions. ## Evidence - **Repo structure + current automation**: Explore report `2dddbb994b` confirmed: - `Makefile` has `vendor/test/build/verify-vendor/codegen` only. - `.github/workflows/ci.yaml` has one `test` job and vendor verification. - `flake.nix` devshell includes `go`, `gnumake`, `git`, `goreleaser`. - `.golangci.yml` and any `govulncheck` usage are absent. - **Version/pin compatibility**: Explore report `8ffb06210e` validated: - `golangci/golangci-lint-action@v9` is current/recommended. - `golang/govulncheck-action@v1` is valid/current major. - `golangci-lint` v2.x supports planned config keys. - `pkgs.golangci-lint` and `pkgs.govulncheck` are expected in nixpkgs unstable. - **Primary-source action usage**: - `https://github.com/golangci/golangci-lint-action` - `https://github.com/golang/govulncheck-action` ## Implementation details ### 1) Add root `.golangci.yml` with a strict, low-noise baseline Create `.golangci.yml` using golangci-lint v2 schema and enforce vendor mode to align with repo conventions. ```yaml version: "2" run: timeout: 5m modules-download-mode: vendor linters: enable: - bodyclose - errorlint - gofumpt - gosec - misspell - nilerr - revive issues: max-issues-per-linter: 0 max-same-issues: 0 linters-settings: gofumpt: extra-rules: true ``` Notes: - Keep default linters enabled (errcheck/govet/staticcheck/unused/ineffassign/gosimple). - Start with high-signal extras; avoid deprecated/noisy linters. ### 2) Extend `Makefile` with fail-fast lint/vuln targets Update `.PHONY` and add targets that assert required binaries exist before execution. ```makefile .PHONY: vendor test build verify-vendor codegen lint vuln lint: $(VENDOR_STAMP) @command -v golangci-lint >/dev/null || (echo "golangci-lint not found; use nix develop" && exit 1) GOFLAGS=$(GOFLAGS) golangci-lint run ./... vuln: $(VENDOR_STAMP) @command -v govulncheck >/dev/null || (echo "govulncheck not found; use nix develop" && exit 1) GOFLAGS=$(GOFLAGS) govulncheck ./... ``` Why this shape: - Defensive checks produce immediate, actionable failures. - `GOFLAGS=$(GOFLAGS)` preserves current `-mod=vendor` behavior. ### 3) Integrate lint + vuln checks into `.github/workflows/ci.yaml` Add a dedicated `lint` job (parallel with `test`) per golangci action guidance. ```yaml jobs: lint: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: go.mod cache: true - name: Verify vendor is up to date run: | go mod tidy go mod vendor git diff --exit-code -- go.mod go.sum vendor/ - name: Run golangci-lint uses: golangci/golangci-lint-action@v9 with: version: v2.8 args: --timeout=5m ./... - name: Run govulncheck uses: golang/govulncheck-action@v1 with: go-version-file: go.mod go-package: ./... test: ... ``` Implementation notes: - Keep existing `test` job logic intact; no behavioral regression for current checks. - Use major-version action pinning consistent with current workflow style. ### 4) Add linter/vuln binaries to `flake.nix` devshell Extend the `packages` list in the default shell. ```nix packages = with pkgs; [ go gnumake git goreleaser golangci-lint govulncheck ]; ``` This guarantees local parity with CI and avoids ad-hoc installs. ## Validation plan After implementation, run: 1. `nix develop -c golangci-lint version` 2. `nix develop -c govulncheck -version` 3. `make lint` 4. `make vuln` 5. `go test ./...` 6. `go build ./...` And ensure CI workflow syntax/behavior by opening a PR and confirming both `lint` and `test` jobs execute successfully. </details> --- _Generated with [\`mux\`](https://github.com/coder/mux) • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh`_
1 parent 68aaf00 commit e422f24

9 files changed

Lines changed: 107 additions & 7 deletions

File tree

.github/workflows/ci.yaml

Lines changed: 36 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,41 @@ permissions:
1010
contents: read
1111

1212
jobs:
13+
lint:
14+
runs-on: ubuntu-latest
15+
steps:
16+
- name: Checkout
17+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
18+
with:
19+
persist-credentials: false
20+
21+
- name: Set up Go
22+
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
23+
with:
24+
go-version-file: go.mod
25+
cache: true
26+
27+
- name: Verify vendor is up to date
28+
run: |
29+
go mod tidy
30+
go mod vendor
31+
git diff --exit-code -- go.mod go.sum vendor/
32+
33+
- name: Run golangci-lint
34+
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
35+
with:
36+
version: v2.8
37+
args: --timeout=5m ./...
38+
39+
- name: Run golangci-lint formatter checks
40+
run: go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0 fmt --diff
41+
42+
- name: Run govulncheck
43+
uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1
44+
with:
45+
go-version-file: go.mod
46+
go-package: ./...
47+
1348
test:
1449
runs-on: ubuntu-latest
1550
steps:
@@ -68,7 +103,7 @@ jobs:
68103

69104
publish-main:
70105
name: Publish GHCR :main
71-
needs: [test, lint-actions]
106+
needs: [test, lint, lint-actions]
72107
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
73108
runs-on: ubuntu-latest
74109
permissions:

.golangci.yml

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
version: "2"
2+
3+
run:
4+
timeout: 5m
5+
modules-download-mode: vendor
6+
7+
linters:
8+
enable:
9+
- bodyclose
10+
- errorlint
11+
- gosec
12+
- misspell
13+
- nilerr
14+
- revive
15+
16+
formatters:
17+
enable:
18+
- gofumpt
19+
settings:
20+
gofumpt:
21+
extra-rules: true
22+
23+
issues:
24+
max-issues-per-linter: 0
25+
max-same-issues: 0

Makefile

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ GOFLAGS ?= -mod=vendor
22
VENDOR_STAMP := vendor/.modules.stamp
33
MODULE_FILES := go.mod $(wildcard go.sum)
44

5-
.PHONY: vendor test build verify-vendor codegen
5+
.PHONY: vendor test build lint vuln verify-vendor codegen
66

77
$(VENDOR_STAMP): $(MODULE_FILES)
88
go mod tidy
@@ -18,6 +18,15 @@ test: $(VENDOR_STAMP)
1818
build: $(VENDOR_STAMP)
1919
GOFLAGS=$(GOFLAGS) go build ./...
2020

21+
lint: $(VENDOR_STAMP)
22+
@command -v golangci-lint >/dev/null || (echo "golangci-lint not found; use nix develop" && exit 1)
23+
GOFLAGS=$(GOFLAGS) golangci-lint run ./...
24+
GOFLAGS=$(GOFLAGS) golangci-lint fmt --diff
25+
26+
vuln: $(VENDOR_STAMP)
27+
@command -v govulncheck >/dev/null || (echo "govulncheck not found; use nix develop" && exit 1)
28+
GOFLAGS=$(GOFLAGS) govulncheck ./...
29+
2130
verify-vendor:
2231
go mod tidy
2332
go mod vendor

flake.lock

Lines changed: 27 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

flake.nix

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,8 @@
2525
goreleaser
2626
actionlint
2727
zizmor
28+
golangci-lint
29+
govulncheck
2830
];
2931
};
3032
}

go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
module github.com/coder/coder-k8s
22

3-
go 1.25.6
3+
go 1.25.7
44

55
require (
66
k8s.io/apimachinery v0.35.0

internal/controller/codercontrolplane_controller.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
// Package controller contains Kubernetes controllers for coder-k8s resources.
12
package controller
23

34
import (

internal/deps/deps.go

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,8 @@
55
package deps
66

77
import (
8-
_ "k8s.io/apimachinery/pkg/runtime"
9-
_ "k8s.io/client-go/kubernetes"
10-
_ "k8s.io/code-generator"
11-
_ "sigs.k8s.io/controller-runtime/pkg/client"
8+
_ "k8s.io/apimachinery/pkg/runtime" // Keep apimachinery runtime dependency vendored.
9+
_ "k8s.io/client-go/kubernetes" // Keep client-go kubernetes client vendored.
10+
_ "k8s.io/code-generator" // Keep code-generator scripts vendored.
11+
_ "sigs.k8s.io/controller-runtime/pkg/client" // Keep controller-runtime client vendored.
1212
)

main.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
// Package main provides the entrypoint for the coder-k8s binary.
12
package main
23

34
import (

0 commit comments

Comments
 (0)