Skip to content

Upgrade golangci-lint in CI runner and Makefile #4861

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
amanfcp wants to merge 8 commits into
base: main
Choose a base branch
from
+25 −15
Open

Upgrade golangci-lint in CI runner and Makefile #4861

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
a8c5afa
upgrade golangci-lint
amanfcp Apr 2, 2026
6b5f57a
upgrade golangci-lint to v2 via go tool and align local/CI lint confi…
amanfcp Apr 2, 2026
7d854b4
pinned version script for local/CI parity
amanfcp Apr 2, 2026
50ad0ab
resolve golangci-lint binary via GOPATH to avoid PATH shadowing
amanfcp Apr 2, 2026
5f1ea1e
Merge branch 'main' into amaan/upgrade-golangci-lint-v2
amanfcp Apr 2, 2026
c6a6c1c
use golangci-lint-action@v7 in CI with prebuilt binary to avoid Go 1.…
amanfcp Apr 2, 2026
e4792de
Merge branch 'amaan/upgrade-golangci-lint-v2' of github.com:trufflese…
amanfcp Apr 2, 2026
96c2de8
Merge branch 'main' into amaan/upgrade-golangci-lint-v2
amanfcp Apr 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 1 addition & 15 deletions .github/workflows/lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,21 +20,7 @@ jobs:
with:
go-version: "1.24"
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
# Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
version: latest
# Optional: working directory, useful for monorepos
# working-directory: somedir

# Optional: golangci-lint command line arguments.
args: --enable bodyclose --enable copyloopvar --enable misspell --timeout 10m

# Optional: if set to true then the action don't cache or restore ~/go/pkg.
# skip-pkg-cache: true

# Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
# skip-build-cache: true
run: ./scripts/lint.sh
semgrep:
name: semgrep
runs-on: ubuntu-latest
Expand Down
2 changes: 1 addition & 1 deletion Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ check:
go vet $(shell go list ./... | grep -v /vendor/)

lint:
golangci-lint run --enable bodyclose --enable copyloopvar --enable misspell --out-format=colored-line-number --timeout 10m
./scripts/lint.sh

test-failing:
CGO_ENABLED=0 go test -timeout=5m $(shell go list ./... | grep -v /vendor/) | grep FAIL
Expand Down
21 changes: 21 additions & 0 deletions scripts/lint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
#!/usr/bin/env bash
set -euo pipefail

GOLANGCI_LINT_VERSION="v2.11.4"

# TODO: Re-enable errcheck and staticcheck once pre-existing issues are resolved.
LINT_ARGS="--disable errcheck,staticcheck --enable bodyclose,copyloopvar,misspell --timeout 10m"
Copy link
Copy Markdown

@cursor cursor bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Disabling default linters errcheck and staticcheck reduces coverage

Medium Severity

The new LINT_ARGS adds --disable errcheck,staticcheck, which was not present in the old configuration. Previously, both CI and Makefile only used --enable flags on top of defaults, meaning errcheck (unchecked error returns) and staticcheck (comprehensive static analysis, now including gosimple and stylecheck in v2) were actively running. The codebase even has existing nolint:errcheck and nolint:staticcheck comments proving these linters were in use. Silently disabling two core default linters significantly weakens lint coverage for a PR described only as an "upgrade."

Fix in Cursor Fix in Web

Copy link
Copy Markdown
Contributor Author

@amanfcp amanfcp Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haven't decided on this yet

Copy link
Copy Markdown
Contributor Author

@amanfcp amanfcp Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can leave a TODO comment and address this in a follow up PR.

Copy link
Copy Markdown
Contributor

@bryanbeverly bryanbeverly Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, agreed. Let's create a ticket for this so we can make sure we re-enable these with v2.


GOBIN="$(go env GOPATH)/bin"
GOLANGCI_LINT="${GOBIN}/golangci-lint"

# Install the required version if missing or mismatched.
if [[ -x "${GOLANGCI_LINT}" ]] && "${GOLANGCI_LINT}" version 2>&1 | grep -q "${GOLANGCI_LINT_VERSION#v}"; then
Copy link
Copy Markdown

@cursor cursor bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unanchored version grep may match wrong versions

Low Severity

The version check uses grep -q "${GOLANGCI_LINT_VERSION#v}" which matches 2.11.4 as a substring. This would incorrectly match future versions like 2.11.40 or 2.11.41, causing the script to skip installation and run the wrong version. Using grep -qw (word-boundary match) would prevent false substring matches.

Fix in Cursor Fix in Web

Copy link
Copy Markdown
Contributor Author

@amanfcp amanfcp Apr 2, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Patch updates are a non-issue I think

Copy link
Copy Markdown
Contributor

@bryanbeverly bryanbeverly Apr 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dug into this a little and added a comment below
#4861 (comment)

Copy link
Copy Markdown
Contributor

@bryanbeverly bryanbeverly Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The version check uses grep -q which matches substrings — 2.11.4 would incorrectly match a future 2.11.40, causing the script to skip installation and run the wrong version.

Note that the commonly suggested grep -qw fix is also fragile here: -w uses word-boundary characters ([a-zA-Z0-9_]), so if the version output ever includes a v prefix (e.g. v2.11.4), the v is a word character and the match would fail entirely.

A safer approach is to extract and compare the version exactly:

installed_version=$("${GOLANGCI_LINT}" version 2>&1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1)
if [[ "${installed_version}" == "${GOLANGCI_LINT_VERSION#v}" ]]; then
    echo "golangci-lint ${GOLANGCI_LINT_VERSION} found"
else
    echo "Installing golangci-lint ${GOLANGCI_LINT_VERSION}..."
    curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "${GOBIN}" "${GOLANGCI_LINT_VERSION}"
fi

echo "golangci-lint ${GOLANGCI_LINT_VERSION} found"
else
echo "Installing golangci-lint ${GOLANGCI_LINT_VERSION}..."
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@"${GOLANGCI_LINT_VERSION}"
fi
Comment on lines +9 to +18
Copy link
Copy Markdown
Contributor

@bryanbeverly bryanbeverly Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The script only looks for golangci-lint in $GOPATH/bin, so if someone already has the correct version installed elsewhere on PATH (e.g. via Homebrew at /opt/homebrew/bin/golangci-lint), it will re-download and install a second copy.

Consider checking PATH first before falling back to the $GOPATH/bin location:

if command -v golangci-lint &>/dev/null && golangci-lint version 2>&1 | grep -q "${GOLANGCI_LINT_VERSION#v}"; then
    GOLANGCI_LINT="$(command -v golangci-lint)"
    echo "golangci-lint ${GOLANGCI_LINT_VERSION} found at ${GOLANGCI_LINT}"
elif [[ -x "${GOLANGCI_LINT}" ]] && "${GOLANGCI_LINT}" version 2>&1 | grep -q "${GOLANGCI_LINT_VERSION#v}"; then
    echo "golangci-lint ${GOLANGCI_LINT_VERSION} found at ${GOLANGCI_LINT}"
else
    echo "Installing golangci-lint ${GOLANGCI_LINT_VERSION}..."
    curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "${GOBIN}" "${GOLANGCI_LINT_VERSION}"
fi

This preserves the version-pinning guarantee while respecting existing installations.


# shellcheck disable=SC2086
"${GOLANGCI_LINT}" run ${LINT_ARGS}
Loading