diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 265484941..4b1752dda 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,10 +26,14 @@ jobs:
 go-version: ${{ steps.versions.outputs.go-version }}
 cache: true
+ - name: Load golangci-lint version
+ id: golangci-lint-version
+ run: echo "version=$(grep '^GOLANGCI_LINT_VERSION=' .versions | cut -d= -f2)" >> "$GITHUB_OUTPUT"
+
 - name: Install golangci-lint
 uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20
 with:
- version: v2.10.1
+ version: ${{ steps.golangci-lint-version.outputs.version }}
 install-only: true
 - name: Run linting for ${{ matrix.goos }}
diff --git a/.golangci.yml b/.golangci.yml
index 0e0929246..879ae1c9d 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -149,6 +149,7 @@ linters:
 - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
 - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
 - G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
+ - G122 # G122: Filesystem operation in Walk/WalkDir callback; fixing requires os.Root refactor.
 - G703 # G703: Path traversal via taint analysis; too many false positives.
 - G704 # G704: SSRF via taint analysis; too many false positives on internal HTTP clients.
 - G705 # G705: XSS via taint analysis; too many false positives.
diff --git a/.versions b/.versions
index bdd160e63..524d6ecee 100644
--- a/.versions
+++ b/.versions
@@ -1,4 +1,5 @@
 GO_VERSION=1.25
+GOLANGCI_LINT_VERSION=v2.12.2
 VLLM_VERSION=0.19.1
 VLLM_UPSTREAM_VERSION=0.19.0
 VLLM_METAL_RELEASE=v0.2.0-20260420-142150
diff --git a/pkg/distribution/oci/remote/range_redirect_test.go b/pkg/distribution/oci/remote/range_redirect_test.go
index 5696a6071..5cb503195 100644
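Review bot: The new `Load golangci-lint version` step in ci.yml succeeds even when the grep/cut pipeline prints nothing, so a missing or renamed `GOLANGCI_LINT_VERSION` line in `.versions` produces an empty `version` output. What golangci-lint-action installs for an empty `version` is not visible here (presumably its own default rather than a pinned release), which would silently undo the pinning this change sets up. I would fail the step on an empty value: `v=$(grep '^GOLANGCI_LINT_VERSION=' .versions | cut -d= -f2)`, then `[ -n "$v" ] || { echo "GOLANGCI_LINT_VERSION missing from .versions" >&2; exit 1; }`, then `echo "version=$v" >> "$GITHUB_OUTPUT"`.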
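Review bot: The `G122` entry in .golangci.yml switches the rule off for the whole repository with no scoping and no tracking reference, so any filesystem call added to a Walk/WalkDir callback from now on passes lint unnoticed until the os.Root refactor happens. As I understand the rule, it targets path races during directory walks, which matter most when the walked tree can be influenced by another party; whether this repository walks such trees is not visible in the hunk. I would either restrict the exclusion to the files that trip it today with a path-scoped exclusion rule, or at least record the follow-up in the comment, e.g. `- G122 # G122: Filesystem operation in Walk/WalkDir callback; TODO(<tracking-issue>): re-enable once the os.Root refactor lands.` The entry also sits after G504, out of numeric order with its neighbours.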
--- a/pkg/distribution/oci/remote/range_redirect_test.go
+++ b/pkg/distribution/oci/remote/range_redirect_test.go
@@ -459,7 +459,7 @@ func TestRangeTransport_MaxRedirectsExceeded(t *testing.T) {
 // Server that always redirects to itself (infinite redirect loop).
 srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- http.Redirect(w, r, r.URL.String(), http.StatusFound)
+ http.Redirect(w, r, r.URL.String(), http.StatusFound) //nolint:gosec // G710: intentional self-redirect to test redirect-limit logic
 }))
 defer srv.Close()
diff --git a/pkg/inference/scheduling/http_handler.go b/pkg/inference/scheduling/http_handler.go
index de0e04b26..323fbe82d 100644
--- a/pkg/inference/scheduling/http_handler.go
+++ b/pkg/inference/scheduling/http_handler.go
@@ -483,7 +483,8 @@ func (h *HTTPHandler) Configure(w http.ResponseWriter, r *http.Request) {
 // Preload the model in the background by calling handleOpenAIInference with preload-only context.
 // This makes Compose preload the model as well as it calls `configure` by default.
- go func() {
+ userAgent := r.UserAgent()
+ go func() { //nolint:gosec // G118: context.Background intentional — preload must outlive the request context
 preloadBody, err := json.Marshal(OpenAIInferenceRequest{Model: configureRequest.Model})
 if err != nil {
 h.scheduler.log.Warn("failed to marshal preload request body", "error", err)
@@ -501,7 +502,7 @@ func (h *HTTPHandler) Configure(w http.ResponseWriter, r *http.Request) {
 h.scheduler.log.Warn("failed to create preload request", "error", err)
 return
 }
- preloadReq.Header.Set("User-Agent", r.UserAgent())
+ preloadReq.Header.Set("User-Agent", userAgent)
 if backend != nil {
 preloadReq.SetPathValue("backend", backend.Name())
 }
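Review bot: The `//nolint:gosec` on the `go func() {` line in Configure is wider than its comment suggests: as far as I know golangci-lint applies a directive on the first line of a statement to the whole statement, so every gosec finding inside the goroutine body is silenced, not only G118. The detached context also appears to leave the preload without a deadline (the context is built outside this hunk, so this needs confirming), which would let each Configure call start a goroutine that lives as long as the backend takes. I would bound it, e.g. `ctx, cancel := context.WithTimeout(context.Background(), preloadTimeout)` followed by `defer cancel()` inside the goroutine, where `preloadTimeout` is a placeholder for a constant the package would have to define. Capturing `userAgent` before the goroutine starts is the right fix; since the closure body continues outside both hunks, please check that nothing else in it still reads `r` after the handler has returned.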