ci(github): add lint/test/security workflows and pre-commit; pin Go/tooling #7
…ooling

- Add GitHub Actions workflows: lint.yml, test.yml, security.yml; update go.yml and codeql.yml; remove codacy.yml.
- Introduce pre-commit with hooks (golangci-lint, gci import sort, go mod tidy, unit tests) and helper scripts.
- Pin toolchain via .project-settings.env (GO_VERSION=1.25.5, GOLANGCI_LINT_VERSION=v2.7.2, BUF_VERSION=v1.62.1) and set PROTO_ENABLED=false.
- Refresh quality configs: update .golangci.yaml and replace cspell.config.yaml with cspell.json.
- Add .dockerignore and markdown lint configuration (.mdlrc/.mdl_style.rb).
- Enhance Makefile with lint/test targets and proto tasks (buf format/lint/breaking).
- Minor code/test cleanups in retrier.go, timer.go and related tests to satisfy linting and normalize behavior.

No breaking changes.
Pull request overview
This PR adds comprehensive CI/CD infrastructure including GitHub Actions workflows for linting, testing, and security scanning, along with pre-commit hooks and tooling configuration. However, there are several critical issues with version specifications throughout the changes.
Key Changes:
- Add GitHub Actions workflows (lint.yml, test.yml, security.yml) and pre-commit configuration
- Pin toolchain versions via .project-settings.env for Go, golangci-lint, and buf
- Update linter configurations (.golangci.yaml) and replace cspell.config.yaml with cspell.json
- Enhance Makefile with comprehensive lint/test/security targets
Reviewed changes
Copilot reviewed 29 out of 30 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| timer.go | Add nolint directive and clarifying comment for empty range loop |
| retrier.go | Fix typo in error message ("is nil" → "be nil"), reformat long error message, add nolint directive |
| tests/timer_test.go | Use modern range syntax and add spacing between test blocks |
| tests/retrier_test.go | Add spacing between test blocks, improve error checking with errors.Is, use b.Loop() in benchmark |
| go.mod | Update Go version to 1.25.5 and bump ewrap dependency to v1.3.5 |
| go.sum | Update checksums for dependency changes |
| .project-settings.env | New file pinning GO_VERSION=1.25.5, GOLANGCI_LINT_VERSION=v2.7.2, BUF_VERSION=v1.62.1 |
| .golangci.yaml | Update Go version to 1.25.5, increase concurrency, enable all revive rules with custom config |
| cspell.json | New spell checker config replacing cspell.config.yaml |
| cspell.config.yaml | Removed in favor of JSON format |
| Makefile | Add .project-settings.env inclusion, new lint/sec/proto targets, update toolchain installation |
| .dockerignore | New Docker ignore patterns for Go projects |
| .mdlrc | New markdown linter config referencing .mdl_style.rb |
| .mdl_style.rb | New markdown linter style rules |
| .pre-commit-config.yaml | Add cspell, hadolint, markdownlint hooks; remove golangci-lint and unit-test from local hooks |
| .pre-commit-ci-config.yaml | New separate pre-commit config for CI environment |
| .pre-commit/unit-test-hook | Add support for reading GO_VERSION from .project-settings.env |
| .pre-commit/golangci-lint-hook | Update to use .project-settings.env for version, add build-tags flag |
| .pre-commit/go-mod-hook | New hook for go mod verify and tidy |
| .pre-commit/gci-hook | Update to read GCI_PREFIX from .project-settings.env |
| .pre-commit/gci-hook.bak | Backup copy of gci-hook with similar updates |
| .github/workflows/test.yml | New workflow for running tests with race detector and coverage |
| .github/workflows/security.yml | New workflow for security scanning with govulncheck and gosec |
| .github/workflows/pre-commit.yml | New workflow running pre-commit checks in CI |
| .github/workflows/lint.yml | New workflow for comprehensive linting (gci, gofumpt, staticcheck, golangci-lint) |
| .github/workflows/go.yml | Simplify to basic build and test, pin Go version to 1.25 |
| .github/workflows/codeql.yml | Update action versions and adjust cron schedule |
| .github/workflows/golangci-lint.yml | Removed in favor of consolidated lint.yml workflow |
| .github/workflows/codacy.yml | Removed Codacy security scanning |
| .github/FUNDING.yml | Add YAML frontmatter |
Comments suppressed due to low confidence (1)
.pre-commit/golangci-lint-hook:37
- The golangci-lint pre-commit hook installs `golangci-lint` by piping a remote script from `https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh` directly into `sh` without pinning to an immutable identifier or verifying integrity. A compromise of the upstream repo or the `HEAD` ref would result in arbitrary code execution on any developer or CI runner that executes this hook. Fetch the installer at a fixed commit or release artifact and verify its checksum/signature instead of using `curl ... | sh` from a mutable branch tip.

```sh
install_dependencies() {
  # check if golangci-lint is installed or not
  if ! command -v golangci-lint >/dev/null 2>&1; then
    echo "installing golangci-lint ${GOLANGCI_LINT_VERSION}..."
    # binary will be $(go env GOPATH)/bin/golangci-lint
    curl -sSfL "${GOLANGCI_LINT_INSTALL_URL}" | sh -s -- -b "$(go env GOPATH)/bin" "${GOLANGCI_LINT_VERSION}"
```
| # default in next version, remove then | ||
| rule 'MD007', :indent => 3 | ||
|
|
||
| rule "MD029", style => "one" |
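Review bot: `style => "one"` on the last line of this hunk is a bare identifier, not a symbol, so Ruby evaluates `style` as an undefined method and mdl aborts with a NameError while loading the style file, which means none of the rules in `.mdl_style.rb` take effect. Write it as `rule "MD029", :style => "one"` to match the `:indent => 3` form used for MD007 two lines above (or `style: "one"`), and pick one quoting style for the rule names, since the file mixes `'MD007'` and `"MD029"`.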
Copilot (AI), Jan 3, 2026:
The hash rocket syntax is incorrect. In Ruby, it should be :style => "one" (with colon before the key) or use the modern syntax style: "one" (recommended).
| rule "MD029", style => "one" | |
| rule "MD029", :style => "one" |
|
|
||
| @echo "Installing golangci-lint $(GOLANGCI_LINT_VERSION)...\n" | ||
| $(call check_command_exists,golangci-lint) || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "$$(go env GOPATH)/bin" $(GOLANGCI_LINT_VERSION) | ||
| $(call check_command_exists,golangci-lint) || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "$(go env GOPATH)/bin" $(GOLANGCI_LINT_VERSION) |
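Review bot: the rewritten recipe line replaces `$$(go env GOPATH)` with `$(go env GOPATH)`, which make expands itself as an (undefined, hence empty) make variable before the recipe reaches the shell, so the installer is invoked as `sh -s -- -b "/bin" ...` and tries to write golangci-lint into the system `/bin` instead of the Go bin directory. Keep the doubled dollar so the substitution is passed through to the shell: `sh -s -- -b "$$(go env GOPATH)/bin" $(GOLANGCI_LINT_VERSION)`. While changing the URL, prefer the tagged ref over `HEAD` so the installer fetched is the one that shipped with `$(GOLANGCI_LINT_VERSION)`, and record and compare its checksum rather than piping an unverified download into `sh`.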
Copilot (AI), Jan 3, 2026:
The shell command substitution is missing quotes. The line should be sh -s -- -b "$$(go env GOPATH)/bin" with quotes around the command substitution to handle paths with spaces correctly.
| $(call check_command_exists,golangci-lint) || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "$(go env GOPATH)/bin" $(GOLANGCI_LINT_VERSION) | |
| $(call check_command_exists,golangci-lint) || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "$$(go env GOPATH)/bin" $(GOLANGCI_LINT_VERSION) |
| source "${ROOT_DIR}/.project-settings.env" | ||
| fi | ||
|
|
||
| GCI_PREFIX="${GCI_PREFIX:-#PROJECT}" |
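Review bot: the fallback `${GCI_PREFIX:-#PROJECT}` silently substitutes a placeholder when `.project-settings.env` does not define `GCI_PREFIX`, so gci runs with a prefix that matches no import and the hook passes without grouping anything. Make the missing value a hard failure instead, e.g. `: "${GCI_PREFIX:?GCI_PREFIX must be set in .project-settings.env}"`. If this is the `.pre-commit/gci-hook.bak` copy listed in the file summary, it will drift from the live hook and is better deleted than kept in sync by hand.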
Copilot (AI), Jan 3, 2026:
The default GCI_PREFIX value 'github.com/hyp3rd/starter' does not match the actual module path 'github.com/hyp3rd/go-again' (from go.mod and .project-settings.env). This will cause incorrect import grouping. The default should match the actual module path or use the value from .project-settings.env.
| GCI_PREFIX="${GCI_PREFIX:-#PROJECT}" | |
| GCI_PREFIX="${GCI_PREFIX:-github.com/hyp3rd/go-again}" |
|
|
||
| bench: | ||
| cd tests && go test -bench=. -benchmem -benchtime=4s . -timeout 30m | ||
| go test -bench=. -benchtime=3s -benchmem -run=^-memprofile=mem.out ./... |
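Review bot: besides the fused `-run=^-memprofile=mem.out` argument, the new bench line drops the `-timeout 30m` that the old `cd tests && go test ...` target carried; `go test` defaults to a 10-minute timeout per test binary, and a `-benchtime=3s` pass over every benchmark in `./...` can exceed that and be killed mid-run with a panic. Suggested line: `go test -bench=. -benchtime=3s -benchmem -run='^$' -memprofile=mem.out -timeout 30m ./...` (quote `^$` so the shell cannot expand `$` under any configuration).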
Copilot (AI), Jan 3, 2026:
The bench target has an invalid flag combination. The -run=^-memprofile=mem.out flag is malformed. It should be -run=^$ to skip regular tests and -memprofile=mem.out as a separate flag (not combined with -run).
| go test -bench=. -benchtime=3s -benchmem -run=^-memprofile=mem.out ./... | |
| go test -bench=. -benchtime=3s -benchmem -run=^$ -memprofile=mem.out ./... |
Makefile
Outdated
| GOLANGCI_LINT_VERSION ?= v2.7.2 | ||
| BUF_VERSION ?= v1.62.1 | ||
| GO_VERSION ?= 1.25.5 | ||
| GCI_PREFIX ?= github.com/hyp3rd/starter |
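Review bot: these `?=` defaults restate the values that `.project-settings.env` already pins (GO_VERSION=1.25.5, GOLANGCI_LINT_VERSION=v2.7.2, BUF_VERSION=v1.62.1 per the file summary) and, for `GCI_PREFIX`, already disagree with the module path, so there are now two sources of truth that will drift. Since the Makefile includes `.project-settings.env`, drop the duplicated defaults and keep only a guard that fails loudly when a value is missing, e.g. `ifndef GO_VERSION` / `$(error GO_VERSION not set; check .project-settings.env)` / `endif`.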
Copilot (AI), Jan 3, 2026:
The GCI_PREFIX value 'github.com/hyp3rd/starter' does not match the actual module path 'github.com/hyp3rd/go-again' (from go.mod). This will cause incorrect import grouping. Please update to use the correct module path.
| GCI_PREFIX ?= github.com/hyp3rd/starter | |
| GCI_PREFIX ?= github.com/hyp3rd/go-again |
| // - The context is used to cancel the retries, or set a deadline if the `retryableFunc` hangs. | ||
| // | ||
| //nolint:cyclop,funlen // 13 out of 12 is acceptable for this method. | ||
| //nolint:cyclop,funlen ,revive// 13 out of 12 is acceptable for this method. |
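Review bot: adding `revive` to the `//nolint` list disables every revive rule for the whole function, while the trailing explanation ("13 out of 12") only justifies the cyclop/funlen exemption; with `.golangci.yaml` now enabling all revive rules (per the file summary), state which revive rule fires and why it is acceptable, e.g. `//nolint:cyclop,funlen,revive // cyclomatic 13 of 12 accepted; revive: <rule name> because <reason>`, or fix the code if the rule points at something real. That keeps the suppression reviewable and satisfies nolintlint's explanation requirement in the same line.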
Copilot (AI), Jan 3, 2026:
The nolint directive has incorrect spacing. There should be no space before the comment delimiter. The format should be //nolint:cyclop,funlen,revive without spaces between the comma and the next linter name, and without a space before //.
| //nolint:cyclop,funlen ,revive// 13 out of 12 is acceptable for this method. | |
| //nolint:cyclop,funlen,revive // 13 out of 12 is acceptable for this method. |
.pre-commit/gci-hook
Outdated
| source "${ROOT_DIR}/.project-settings.env" | ||
| fi | ||
|
|
||
| GCI_PREFIX="${GCI_PREFIX:-github.com/hyp3rd/starter}" |
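Review bot: `source "${ROOT_DIR}/.project-settings.env"` executes the settings file as shell, so every line in it runs with the developer's privileges on each commit; anything that lands in that file through a bad merge or a change that touches only an "env" file becomes code run by the hook. Either read the values as data, e.g. `GCI_PREFIX=$(grep '^GCI_PREFIX=' "${ROOT_DIR}/.project-settings.env" | cut -d= -f2-)`, or check that the file contains only `NAME=value` lines before sourcing it. The same applies to the `GO_VERSION` reads in unit-test-hook and golangci-lint-hook listed in the summary.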
Copilot (AI), Jan 3, 2026:
The default GCI_PREFIX value 'github.com/hyp3rd/starter' does not match the actual module path 'github.com/hyp3rd/go-again' (from go.mod and .project-settings.env). This will cause incorrect import grouping if the environment variable is not set. The default should match the actual module path.
| GCI_PREFIX="${GCI_PREFIX:-github.com/hyp3rd/starter}" | |
| GCI_PREFIX="${GCI_PREFIX:-github.com/hyp3rd/go-again}" |
| b.ResetTimer() | ||
| for i := 0; i < b.N; i++ { | ||
|
|
||
| for b.Loop() { |
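Review bot: `b.Loop()` resets the benchmark timer on its first call and stops it after the last iteration, so dropping `b.ResetTimer()` is correct and keeping it would be redundant. What does need checking is that `b.Loop` (a Go 1.24 API) is available everywhere this package is built and linted: the go.mod `go` directive moves to 1.25.5 in this PR and `.golangci.yaml` is bumped to match, so make sure the staticcheck and golangci-lint steps in lint.yml use that same toolchain, and confirm no leftover use of the removed loop index `i` remains in the benchmark body.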
Copilot (AI), Jan 3, 2026:
The b.Loop() method is only available in Go 1.24 and later. Since the PR pins Go to 1.25.5 (which doesn't exist), and if you meant to use an earlier Go version, this will cause a compilation error. Additionally, the b.ResetTimer() call that was removed is typically needed before the loop to exclude setup time from benchmark measurements.
| @echo "Installing golangci-lint $(GOLANGCI_LINT_VERSION)...\n" | ||
| $(call check_command_exists,golangci-lint) || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "$$(go env GOPATH)/bin" $(GOLANGCI_LINT_VERSION) | ||
| $(call check_command_exists,golangci-lint) || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "$(go env GOPATH)/bin" $(GOLANGCI_LINT_VERSION) |
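Review bot: `$(call check_command_exists,golangci-lint) ||` only tests that some `golangci-lint` is on PATH, so a developer who already has an older binary never gets `$(GOLANGCI_LINT_VERSION)` installed and lints with a different version from CI; compare `golangci-lint version` against the pinned value (or always install into a project-local bin directory that the Makefile puts first on PATH) before skipping the install. Separately, the `\n` in `@echo "...\n"` is interpreted by dash's builtin `echo` but printed literally by bash's, so use `printf` for output that is the same under every `/bin/sh`.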
Copilot (AI), Jan 3, 2026:
The prepare-base-tools target downloads and executes golangci-lint via curl ... | sh from a mutable GitHub URL (https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh) without any integrity verification. If the upstream repository or the HEAD reference is compromised, arbitrary code would run in your CI/dev environment with access to the checkout and any configured secrets. Pin this install to an immutable reference (for example, a specific commit hash or release script) and add a checksum/signature verification step instead of piping the script directly into sh.
- pre-commit gci-hook, Makefile: default GCI_PREFIX -> github.com/hyp3rd/go-again to match this repo.
- cspell: add 'nosec' to dictionary to allow inline suppression tags.
- retrier: mark jitter RNG call with '#nosec G404' since non-crypto randomness is intended for backoff jitter.

No functional behavior changes; addresses tooling/lint configuration.
…hing to do with security.
No breaking changes.