From 0bb4a7b4e2e9cf40060e819b351e08c41373e59e Mon Sep 17 00:00:00 2001
From: Joel Bennett
Date: Sat, 20 Sep 2025 21:38:45 -0400
Subject: [PATCH 1/5] Stop lint from running on tags
---
 .github/workflows/development.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml
index 3e02585555..0f8b2882a5 100644
--- a/.github/workflows/development.yml
+++ b/.github/workflows/development.yml
@@ -1,5 +1,11 @@
 name: Development
-on: [ push, pull_request ]
+on:
+ push:
+ branches:
+ - "*"
+ pull_request:
+ branches:
+ - master
 jobs:
 lint:
 name: golangci-lint
From 266a73ff6e0219a3deaa1f98baba12bf2d17fded Mon Sep 17 00:00:00 2001
From: Joel Bennett
Date: Sat, 20 Sep 2025 21:59:35 -0400
Subject: [PATCH 2/5] Skip linting on doc file changes
---
 .github/workflows/development.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml
index 0f8b2882a5..e60b84b472 100644
--- a/.github/workflows/development.yml
+++ b/.github/workflows/development.yml
@@ -2,10 +2,17 @@ name: Development
 on:
 push:
 branches:
- - "*"
+ - master
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.txt'
 pull_request:
 branches:
 - master
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.txt'
+
 jobs:
 lint:
 name: golangci-lint
From 4c1b81bdf2fc7967c7319f6dff938cb0a96b3ecb Mon Sep 17 00:00:00 2001
From: Joel Bennett
Date: Sat, 20 Sep 2025 22:04:30 -0400
Subject: [PATCH 3/5] Updating the codeql template
---
 .github/workflows/codeql-analysis.yml | 103 +++++++++++++++++---------
 1 file changed, 66 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 19ea9b6734..6a3c333c29 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
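Review bot: The `paths-ignore` filters added under both `push` and `pull_request` skip the entire workflow for doc-only changes, not just the `lint` job the subject names, so the other jobs in the same file (for example `test-build-upload`, visible in the fifth patch) are skipped as well; if any of them is a required status check, a `.md`/`.txt`-only pull request never reports that check and cannot be merged. If that is intended, say so in a comment above `paths-ignore:`, e.g. `# doc-only changes skip lint and tests entirely`; otherwise keep the workflow triggering and short-circuit only the lint job, or add the paired always-passing workflow GitHub documents for required checks. The quoting also alternates between `"*"` on the removed line and `'**/*.md'` on the added ones; single quotes are the safer default for literal glob strings and should be used consistently.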
@@ -3,69 +3,98 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-name: "CodeQL"
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
 on:
 push:
- branches: [ master ]
+ branches: [ "master" ]
 pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
+ branches: [ "master" ]
 schedule:
- - cron: '0 16 * * 1'
+ - cron: '20 8 * * 6'
 jobs:
 analyze:
- name: Analyze
- runs-on: ubuntu-latest
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
 strategy:
 fail-fast: false
 matrix:
- # Override automatic language detection by changing the below list
- # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
- language: [ 'go' ]
- # Learn more...
- # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
-
+ include:
+ - language: actions
+ build-mode: none
+ - language: go
+ build-mode: autobuild
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Checkout repository
- uses: actions/checkout@v5
- with:
- # We must fetch at least the immediate parents so that if this is
- # a pull request then we can checkout the head.
- fetch-depth: 2
+ uses: actions/checkout@v4
- # If this run was triggered by a pull request event, then checkout
- # the head of the pull request instead of the merge commit.
- - run: git checkout HEAD^2
- if: ${{ github.event_name == 'pull_request' }}
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:
 languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
 # If you wish to specify custom queries, you can do so here or in a config file.
 # By default, queries listed here will override any specified in a config file.
 # Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
- # â„šī¸ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
- # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
-
- #- run: |
- # make bootstrap
- # make release
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
From 8475739ba1e541fbc09916ace959d41fb870502b Mon Sep 17 00:00:00 2001
From: Joel Bennett
Date: Sat, 20 Sep 2025 22:17:46 -0400
Subject: [PATCH 4/5] Update the golangci-lint config
---
 .golangci.yaml | 348 +++++++++++++++++--------------------------
 1 file changed, 117 insertions(+), 231 deletions(-)
diff --git a/.golangci.yaml b/.golangci.yaml
index 745df2d467..76e841006f 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
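Review bot: `uses: actions/checkout@v4` on the new side regresses the pin the removed line already had (`actions/checkout@v5`), and `development.yml` in this same series still checks out with `@v5`; restore `uses: actions/checkout@v5` rather than inheriting the template's older tag. While touching the `uses:` lines, consider pinning `actions/checkout` and the `github/codeql-action/init` and `analyze` references to full commit SHAs with the version in a trailing comment, since major tags are mutable and this job runs with `security-events: write`. The `runs-on` expression's `swift`/`macos-latest` branch is dead for a matrix of `actions` and `go`; `runs-on: ubuntu-latest` expresses the same thing. The explicit least-privilege `permissions` block is a welcome addition.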
@@ -1,247 +1,133 @@ -# For full documentation of the configuration options please -# see: https://github.com/golangci/golangci-lint#config-file. - -# options for analysis running +version: "2" run: - # default concurrency is the available CPU number - # concurrency: 4 - - # timeout for analysis, e.g. 30s, 5m, default is 1m - deadline: 5m - - # exit code when at least one issue was found, default is 1 issues-exit-code: 1 - - # include test files or not, default is true tests: true - - # list of build tags, all linters use it. Default is empty list. - build-tags: - - # which dirs to skip: they won't be analyzed; - # can use regexp here: generated.*, regexp is applied on full path; - # default value is empty list, but next dirs are always skipped independently - # from this option's value: - # vendor$, third_party$, testdata$, examples$, Godeps$, builtin$ - skip-dirs: gateway/bridgemap$ - - # which files to skip: they will be analyzed, but issues from them - # won't be reported. Default value is empty list, but there is - # no need to include all autogenerated files, we confidently recognize - # autogenerated files. If it's not please let us know. - skip-files: - - -# output configuration options -output: - # colored-line-number|line-number|json|tab|checkstyle, default is "colored-line-number" - format: colored-line-number - - # print lines of code with issue, default is true - print-issued-lines: true - - # print linter name in the end of issue text, default is true - print-linter-name: true - - -# all available settings of specific linters, we can set an option for -# a given linter even if we deactivate that same linter at runtime -linters-settings: - errcheck: - # report about not checking of errors in type assertions: `a := b.(MyStruct)`; - # default is false: such cases aren't reported by default. 
- check-type-assertions: false - - # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`; - # default is false: such cases aren't reported by default. - check-blank: false - govet: - # report about shadowed variables - check-shadowing: true - golint: - # minimal confidence for issues, default is 0.8 - min-confidence: 0.8 - gofmt: - # simplify code: gofmt with `-s` option, true by default - simplify: true - goimports: - # put imports beginning with prefix after 3rd-party packages; - # it's a comma-separated list of prefixes - local-prefixes: github.com - gocyclo: - # minimal code complexity to report, 30 by default (but we recommend 10-20) - min-complexity: 15 - maligned: - # print struct with more effective memory layout or not, false by default - suggest-new: true - dupl: - # tokens count to trigger issue, 150 by default - threshold: 150 - goconst: - # minimal length of string constant, 3 by default - min-len: 3 - # minimal occurrences count to trigger, 3 by default - min-occurrences: 3 - depguard: - list-type: blacklist - include-go-root: false - packages: - # List of packages that we would want to blacklist for... reasons. - misspell: - # Correct spellings using locale preferences for US or UK. - # Default is to use a neutral variety of English. - # Setting locale to US will correct the British spelling of 'colour' to 'color'. - lll: - # max line length, lines longer will be reported. Default is 120. - # '\t' is counted as 1 character by default, and can be changed with the tab-width option - line-length: 150 - # tab width in spaces. Default to 1. - tab-width: 1 - unused: - # treat code as a program (not a library) and report unused exported identifiers; default is false. - # XXX: if you enable this setting, unused will report a lot of false-positives in text editors: - # if it's called for subdir of a project it can't find funcs usages. 
All text editor integrations - # with golangci-lint call it on a directory with the changed file. - check-exported: false - unparam: - # Inspect exported functions, default is false. Set to true if no external program/library imports your code. - # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors: - # if it's called for subdir of a project it can't find external interfaces. All text editor integrations - # with golangci-lint call it on a directory with the changed file. - check-exported: false - nakedret: - # make an issue if func has more lines of code than this setting and it has naked returns; default is 30 - max-func-lines: 0 # Warn on all naked returns. - prealloc: - # XXX: we don't recommend using this linter before doing performance profiling. - # For most programs usage of prealloc will be a premature optimization. - - # Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them. - # True by default. 
- simple: true - range-loops: true # Report preallocation suggestions on range loops, true by default - for-loops: false # Report preallocation suggestions on for loops, false by default - gocritic: - # which checks should be enabled; can't be combined with 'disabled-checks'; - # default are: [appendAssign assignOp caseOrder dupArg dupBranchBody dupCase flagDeref - # ifElseChain regexpMust singleCaseSwitch sloppyLen switchTrue typeSwitchVar underef - # unlambda unslice rangeValCopy defaultCaseOrder]; - # all checks list: https://github.com/go-critic/checkers - # disabled for now - hugeParam - enabled-checks: - - appendAssign - - assignOp - - boolExprSimplify - - builtinShadow - - captLocal - - caseOrder - - commentedOutImport - - defaultCaseOrder - - dupArg - - dupBranchBody - - dupCase - - dupSubExpr - - elseif - - emptyFallthrough - - ifElseChain - - importShadow - - indexAlloc - - methodExprCall - - nestingReduce - - offBy1 - - ptrToRefParam - - regexpMust - - singleCaseSwitch - - sloppyLen - - switchTrue - - typeSwitchVar - - typeUnparen - - underef - - unlambda - - unnecessaryBlock - - unslice - - valSwap - - wrapperFunc - - yodaStyleExpr - - -# linters that we should / shouldn't run linters: - enable-all: true + default: all disable: + - asasalint + - cyclop + - decorder + - depguard + - err113 + - errname + - errorlint + - exhaustive + - exhaustruct + - forbidigo - gochecknoglobals - - lll - - maligned - - prealloc - - wsl - - gomnd - - godox - - goerr113 - - testpackage - godot - - interfacer + - godox - goheader - - noctx - - gci - - errorlint - - nlreturn - - exhaustivestruct - - forbidigo - - wrapcheck - - varnamelen + - gomoddirectives + - grouper + - importas - ireturn - - errorlint - - tparallel - - wrapcheck - - paralleltest + - lll + - maintidx - makezero - - thelper - - cyclop - - revive - - importas - - gomoddirectives + - mnd + - nlreturn + - noctx + - paralleltest + - prealloc - promlinter + - revive - tagliatelle - - errname - - typecheck - - 
grouper - - decorder - - maintidx - - exhaustruct - - asasalint - - execinquery - - nosnakecase - - exhaustive - testifylint - - mnd - - depguard -# rules to deal with reported isues + - testpackage + - thelper + - tparallel + - varnamelen + - wrapcheck + - wsl + settings: + dupl: + threshold: 150 + errcheck: + check-type-assertions: false + check-blank: false + goconst: + min-len: 3 + min-occurrences: 3 + gocritic: + enabled-checks: + - appendAssign + - assignOp + - boolExprSimplify + - builtinShadow + - captLocal + - caseOrder + - commentedOutImport + - defaultCaseOrder + - dupArg + - dupBranchBody + - dupCase + - dupSubExpr + - elseif + - emptyFallthrough + - ifElseChain + - importShadow + - indexAlloc + - methodExprCall + - nestingReduce + - offBy1 + - ptrToRefParam + - regexpMust + - singleCaseSwitch + - sloppyLen + - switchTrue + - typeSwitchVar + - typeUnparen + - underef + - unlambda + - unnecessaryBlock + - unslice + - valSwap + - wrapperFunc + - yodaStyleExpr + gocyclo: + min-complexity: 15 + lll: + line-length: 150 + tab-width: 1 + nakedret: + max-func-lines: 0 + prealloc: + simple: true + range-loops: true + for-loops: false + unparam: + check-exported: false + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + paths: + - third_party$ + - builtin$ + - examples$ issues: - # List of regexps of issue texts to exclude, empty list by default. - # But independently from this option we use default exclude patterns, - # it can be disabled by `exclude-use-default: false`. To list all - # excluded by default patterns execute `golangci-lint run --help` - exclude: - - # Independently from option `exclude` we use default exclude patterns, - # it can be disabled by this option. To list all - # excluded by default patterns execute `golangci-lint run --help`. - # Default value for this option is true. - exclude-use-default: true - - # Maximum issues count per one linter. Set to 0 to disable. 
Default is 50. - max-per-linter: 0 - - # Maximum count of issues with the same text. Set to 0 to disable. Default is 3. max-same-issues: 0 - - # Show only new issues: if there are unstaged changes or untracked files, - # only those changes are analyzed, else only changes in HEAD~ are analyzed. - # It's a super-useful option for integration of golangci-lint into existing - # large codebase. It's not practical to fix all existing issues at the moment - # of integration: much better don't allow issues in new code. - # Default is false. + new-from-rev: HEAD~1 new: false - - # Show only new issues created after git revision `REV` - new-from-rev: "HEAD~1" +formatters: + enable: + - gofmt + - gofumpt + - goimports + settings: + gofmt: + simplify: true + goimports: + local-prefixes: + - github.com + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ From 386230b2b814428e4d6e0d2c98a312ce521dca5c Mon Sep 17 00:00:00 2001 From: Joel Bennett Date: Sat, 20 Sep 2025 22:40:45 -0400 Subject: [PATCH 5/5] Fix go version --- .github/workflows/development.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml index e60b84b472..528f1f0360 100644 --- a/.github/workflows/development.yml +++ b/.github/workflows/development.yml @@ -29,7 +29,7 @@ jobs: test-build-upload: strategy: matrix: - go-version: [ 1.25.x ] + go-version: [ 1.22 ] platform: [ ubuntu-latest ] runs-on: ${{ matrix.platform }} steps: @@ -37,7 +37,6 @@ jobs: uses: actions/setup-go@v6 with: go-version: ${{ matrix.go-version }} - stable: false - name: Checkout code uses: actions/checkout@v5 with:
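Review bot: `skip-dirs: gateway/bridgemap$` is dropped from `run:` and no equivalent entry appears in `linters.exclusions.paths` or `formatters.exclusions.paths`, which list only `third_party$`, `builtin$` and `examples$`, so `gateway/bridgemap` will now be linted for the first time; if the exclusion is still wanted, add `- gateway/bridgemap$` to both `paths` lists. `govet: check-shadowing: true` is likewise removed without a v2 replacement; in the v2 schema shadow checking is expressed as `govet:` / `enable:` / `- shadow` under `linters.settings` (worth confirming against the migration tool's output). The `lll` settings block is carried over even though `lll` stays in `disable`, so it is dead configuration that can go.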
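Review bot: `go-version: [ 1.22 ]` is an unquoted number; YAML reads `1.22` as a float, which happens to round-trip here, but a later bump to a version ending in zero (`1.30`) would silently become `1.3`, so write `go-version: [ "1.22" ]`. The subject says "Fix go version" yet the hunk moves from `1.25.x` down to `1.22`; if the intent is to track the module's declared toolchain, `go-version-file: go.mod` in the `setup-go` step avoids hand-maintaining this, and as far as I know Go 1.22 is, by the commit date, outside the two-release window that still receives security fixes. The second hunk's removal of `stable: false` is fine on its own.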