Commit e422f24
authored
Add Go lint/vuln tooling and CI checks (#5)
## Summary
- add a root `.golangci.yml` baseline using golangci-lint v2 config
- add `make lint` and `make vuln` targets with binary presence checks
- add a dedicated CI `lint` job running golangci-lint and govulncheck on
pull requests
- add `golangci-lint` and `govulncheck` to the Nix devshell package set
- bump Go toolchain target to 1.25.7 and fix revive findings in
package/blank-import comments
## Validation
- `nix develop -c golangci-lint version`
- `nix develop -c govulncheck -version`
- `make lint`
- `make vuln`
- `GOFLAGS=-mod=vendor go test ./...`
- `GOFLAGS=-mod=vendor go build ./...`
---
<details>
<summary>📋 Implementation Plan</summary>
# Plan: Add Go linting, vulnerability scanning, CI integration, and
devshell tools
## Context / Why
This repository is currently a minimal Go skeleton with CI for
vendoring, tests, and build, but no linting or vulnerability scanning.
The goal is to add a pragmatic, high-signal lint/vuln baseline that:
- runs locally via `make` targets,
- runs in GitHub Actions on PRs,
- and is available in the Nix devshell.
This gives fast feedback early, keeps code quality consistent as the
project grows, and preserves the repo’s existing vendoring conventions.
## Evidence
- **Repo structure + current automation**: Explore report `2dddbb994b`
confirmed:
- `Makefile` has `vendor/test/build/verify-vendor/codegen` only.
- `.github/workflows/ci.yaml` has one `test` job and vendor
verification.
- `flake.nix` devshell includes `go`, `gnumake`, `git`, `goreleaser`.
- `.golangci.yml` and any `govulncheck` usage are absent.
- **Version/pin compatibility**: Explore report `8ffb06210e` validated:
- `golangci/golangci-lint-action@v9` is current/recommended.
- `golang/govulncheck-action@v1` is valid/current major.
- `golangci-lint` v2.x supports planned config keys.
- `pkgs.golangci-lint` and `pkgs.govulncheck` are expected in nixpkgs
unstable.
- **Primary-source action usage**:
- `https://github.com/golangci/golangci-lint-action`
- `https://github.com/golang/govulncheck-action`
## Implementation details
### 1) Add root `.golangci.yml` with a strict, low-noise baseline
Create `.golangci.yml` using golangci-lint v2 schema and enforce vendor
mode to align with repo conventions.
```yaml
version: "2"
run:
timeout: 5m
modules-download-mode: vendor
linters:
enable:
- bodyclose
- errorlint
- gofumpt
- gosec
- misspell
- nilerr
- revive
issues:
max-issues-per-linter: 0
max-same-issues: 0
linters-settings:
gofumpt:
extra-rules: true
```
Notes:
- Keep default linters enabled
(errcheck/govet/staticcheck/unused/ineffassign/gosimple).
- Start with high-signal extras; avoid deprecated/noisy linters.
### 2) Extend `Makefile` with fail-fast lint/vuln targets
Update `.PHONY` and add targets that assert required binaries exist
before execution.
```makefile
.PHONY: vendor test build verify-vendor codegen lint vuln
lint: $(VENDOR_STAMP)
@command -v golangci-lint >/dev/null || (echo "golangci-lint not found; use nix develop" && exit 1)
GOFLAGS=$(GOFLAGS) golangci-lint run ./...
vuln: $(VENDOR_STAMP)
@command -v govulncheck >/dev/null || (echo "govulncheck not found; use nix develop" && exit 1)
GOFLAGS=$(GOFLAGS) govulncheck ./...
```
Why this shape:
- Defensive checks produce immediate, actionable failures.
- `GOFLAGS=$(GOFLAGS)` preserves current `-mod=vendor` behavior.
### 3) Integrate lint + vuln checks into `.github/workflows/ci.yaml`
Add a dedicated `lint` job (parallel with `test`) per golangci action
guidance.
```yaml
jobs:
lint:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true
- name: Verify vendor is up to date
run: |
go mod tidy
go mod vendor
git diff --exit-code -- go.mod go.sum vendor/
- name: Run golangci-lint
uses: golangci/golangci-lint-action@v9
with:
version: v2.8
args: --timeout=5m ./...
- name: Run govulncheck
uses: golang/govulncheck-action@v1
with:
go-version-file: go.mod
go-package: ./...
test:
...
```
Implementation notes:
- Keep existing `test` job logic intact; no behavioral regression for
current checks.
- Use major-version action pinning consistent with current workflow
style.
### 4) Add linter/vuln binaries to `flake.nix` devshell
Extend the `packages` list in the default shell.
```nix
packages = with pkgs; [
go
gnumake
git
goreleaser
golangci-lint
govulncheck
];
```
This guarantees local parity with CI and avoids ad-hoc installs.
## Validation plan
After implementation, run:
1. `nix develop -c golangci-lint version`
2. `nix develop -c govulncheck -version`
3. `make lint`
4. `make vuln`
5. `go test ./...`
6. `go build ./...`
And ensure CI workflow syntax/behavior by opening a PR and confirming
both `lint` and `test` jobs execute successfully.
</details>
---
_Generated with [\`mux\`](https://github.com/coder/mux) • Model:
`openai:gpt-5.3-codex` • Thinking: `xhigh`_1 parent 68aaf00 commit e422f24
9 files changed
Lines changed: 107 additions & 7 deletions
File tree
- .github/workflows
- internal
- controller
- deps
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
10 | 10 | | |
11 | 11 | | |
12 | 12 | | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
13 | 48 | | |
14 | 49 | | |
15 | 50 | | |
| |||
68 | 103 | | |
69 | 104 | | |
70 | 105 | | |
71 | | - | |
| 106 | + | |
72 | 107 | | |
73 | 108 | | |
74 | 109 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
5 | | - | |
| 5 | + | |
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| |||
18 | 18 | | |
19 | 19 | | |
20 | 20 | | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
21 | 30 | | |
22 | 31 | | |
23 | 32 | | |
| |||
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
25 | 25 | | |
26 | 26 | | |
27 | 27 | | |
| 28 | + | |
| 29 | + | |
28 | 30 | | |
29 | 31 | | |
30 | 32 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | | - | |
| 3 | + | |
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
1 | 2 | | |
2 | 3 | | |
3 | 4 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
8 | | - | |
9 | | - | |
10 | | - | |
11 | | - | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
12 | 12 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
1 | 2 | | |
2 | 3 | | |
3 | 4 | | |
| |||
0 commit comments