Skip to content

ci: add golangci-lint as an advisory check#528

Merged
kevincodex1 merged 1 commit into
Gitlawb:mainfrom
euxaristia:ci/add-golangci-lint
Jul 6, 2026
Merged

ci: add golangci-lint as an advisory check#528
kevincodex1 merged 1 commit into
Gitlawb:mainfrom
euxaristia:ci/add-golangci-lint

Conversation

@euxaristia

@euxaristia euxaristia commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

CI currently runs go vet, gofmt -l, tests, govulncheck (hard gate), and an advisory deadcode check (unreachable-from-cmd/* analysis). None of these catch unused private functions/assignments that are locally reachable but never called, or staticcheck-style correctness/readability issues.

Concretely: CodeRabbit's review on #476 flagged truncateHeadTail in internal/tools/bash.go as dead code that "would fail CI", but nothing in this repo actually runs golangci-lint, so it wouldn't have. Running it locally turned up the same finding plus several more that had been sitting on main uncaught, fixed in #527, plus more elsewhere in the repo (internal/sandbox, internal/tui, internal/update) that #527 didn't touch.

deadcode didn't catch any of these because it's a different kind of analysis: whole-program reachability from cmd/* entrypoints, not per-package unused-function detection.

Changes

Add a golangci-lint (advisory) step to the security job, right after deadcode:

  • Scoped to unused, ineffassign, and staticcheck rather than the full default battery, so this doesn't immediately dump the entire default linter set's noise into CI.
  • continue-on-error: true (same as deadcode), so it's visible but non-blocking while the existing findings across the repo get cleaned up incrementally instead of all landing as a wall of failures on unrelated in-flight PRs.
  • Pinned to v2.12.2, invoked via go run the same way govulncheck/deadcode already are, and added to the toolchain-pin comment/step for the same reason (its own module's toolchain resolution can drop below what go.mod requires).

Test plan

  • Ran the exact command locally against main: go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2 run --enable-only unused,ineffassign,staticcheck ./..., confirms it resolves and runs cleanly (42 pre-existing findings surfaced, which is expected and why this lands advisory first).
  • Workflow YAML structure/indentation matches the existing deadcode step exactly.

Summary by CodeRabbit

  • Chores
    • Improved CI security and code-quality checks with clearer toolchain guidance.
    • Added an advisory lint pass to surface additional issues without blocking merges.

go vet, gofmt, govulncheck, and deadcode don't catch unused private
functions/assignments reachable within a package but never called, or
staticcheck-style correctness/readability issues. deadcode's whole-program
reachability analysis specifically missed several of these; golangci-lint's
truncateHeadTail nitpick on Gitlawb#476 assumed it would fail CI, but nothing in
this repo actually ran it.

Scoped to unused, ineffassign, and staticcheck rather than the full default
battery, and continue-on-error like deadcode, so this surfaces the existing
findings across the repo (being cleaned up incrementally per Gitlawb#527) without
blocking in-flight PRs on a big-bang adoption.
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7b5cc1ec-fe98-4a71-a8bb-41a36d7f64ed

📥 Commits

Reviewing files that changed from the base of the PR and between 95ccd5b and 7abf2c6.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Walkthrough

Updated the CI workflow's toolchain-pinning comment to reference golangci-lint, and added a new non-blocking "golangci-lint (advisory)" step running golangci-lint v2.12.2 with continue-on-error, limited to unused, ineffassign, and staticcheck analyzers.

Changes

CI Advisory Lint Step

Layer / File(s) Summary
Advisory lint step and comment update
.github/workflows/ci.yml
Comment updated to mention golangci-lint; new non-blocking advisory step added running pinned golangci-lint v2.12.2 with --enable-only unused,ineffassign,staticcheck and continue-on-error: true.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Related Issues: None referenced.

Related PRs: None referenced.

Suggested labels: ci, chore

Suggested reviewers: None specified.

Since it's advisory and won't block, one nit worth confirming: pin the version consistently and double check continue-on-error doesn't silently mask a broken lint config over time — otherwise this looks safe and low-risk.

Poem:
A comment gets a tiny tweak,
A lint step joins, but doesn't speak
too loudly when it finds a flaw —
advisory only, soft as straw.
Version pinned, three checks in tow,
CodeRabbit nods and lets it go. 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding golangci-lint as a non-blocking advisory CI check.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@jatmn jatmn left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Vasanthdev2004

Findings

  • [P2] Link an approved parent issue or get maintainer confirmation for this exception
    CONTRIBUTING.md:19
    The workflow change itself is consistent with the PR description, but this PR does not link an approved parent issue. CONTRIBUTING.md says community PRs must be tied to an existing issue with the issue-approved label, and the PR author only has read permission on the repository, so the team-member exception does not clearly apply. Please link an approved issue for this CI change, or get an explicit maintainer confirmation that this PR should proceed under an exception to the community-PR policy.

@kevincodex1 kevincodex1 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kevincodex1 kevincodex1 merged commit 56147a7 into Gitlawb:main Jul 6, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants