ci(byteport): add golangci-lint linting workflow #119
…nale
- Add 17 ignore entries for gtk-rs cluster (10), unic-* family (5), proc-macro-error, fxhash — all transitive via Tauri 2.x stack with no safe upgrade and no direct use in BytePort source.
- Remove stale RUSTSEC-2024-0436 (paste) ignore (advisory-not-detected per cargo-deny; no longer in dep tree).
- cargo deny check advisories: PASS.
The crt.pem was a Sigstore.dev code-signing certificate with 10-minute validity that expired on 2026-11-08. Replace with a descriptive placeholder to prevent accidental re-commit of credentials. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replace terminal escape sequence artifact with proper status stub. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- docs: add SPECS_INDEX.md
- fix(ci): replace trufflesecurity/trufflehog with go install approach
- fix(ci): upgrade cargo-deny from v2 to v6
- ci: add doc-links.yml workflow
- ci: add fr-coverage.yml workflow
- ci: add quality-gate.yml workflow
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Delete duplicate ci.yml, rename ci.yaml -> ci.yml (Python/pytest)
- Update SPECS_INDEX.md CI table and audit findings
- Update SPEC.md CI workflows listing
- Update README.md build badge URL
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 | ||
| with: | ||
| go-version: 'stable' | ||
| - uses: golangci/golangci-lint-action@aa6339a8b9e0e1c4b5e7c4e6f8d7c3a2b1e0d9f8 | ||
| with: | ||
| version: latest |
| golangci: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 | ||
| with: | ||
| go-version: 'stable' | ||
| - uses: golangci/golangci-lint-action@aa6339a8b9e0e1c4b5e7c4e6f8d7c3a2b1e0d9f8 | ||
| with: | ||
| version: latest |
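Review bot: `version: latest` on the golangci-lint-action step leaves the linter release unpinned, although every `uses:` line in this job is pinned to a commit SHA; the same commit can then pass or fail depending on which golangci-lint release is current when the job runs. Set `version:` to a specific release and bump it in a reviewed change. The same reasoning applies to `go-version: 'stable'` if reproducible lint results matter.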
🟠 Architect Review — HIGH
The golangci-lint workflow runs from the repository root, which has no go.mod or go.work, while all Go modules live under backend/*; running golangci-lint at the root in module mode will fail to resolve these modules, so Go code is not actually linted.
Suggestion: Run golangci-lint per Go module (e.g., a matrix over backend/byteport and backend/nvms with appropriate working-directory or action working-directory inputs) or introduce a go.work at the repo root so module discovery is valid from the workflow's working directory.
**Path:** .github/workflows/lint.yml
**Line:** 4:13
| @@ -1,6 +1,7 @@ | |||
| name: OpenSSF Scorecard | |||
| on: | |||
🟠 Architect Review — HIGH
The Scorecard workflow defines timeout-minutes: 10 inside the on: block, where only event names (e.g., push, schedule) are valid keys; this makes timeout-minutes an invalid event and causes the workflow to be rejected instead of just setting a timeout.
Suggestion: Move the timeout configuration out of the on: block and onto a job (e.g., jobs.analysis.timeout-minutes: 10) so the triggers remain valid and the Scorecard workflow can execute with the intended time limit.
**Path:** .github/workflows/scorecard.yml
**Line:** 2:8
Cursor Bugbot has reviewed your changes and found 4 potential issues.
Reviewed by Cursor Bugbot for commit ee6f07d.
| issues: | ||
| exclude-use-fallback: false | ||
| max-issues-per-linter: 0 | ||
| max-same-issues: 0 |
Lint config file missing dot prefix, won't be discovered
High Severity
The config file is named golangci.yml but golangci-lint auto-discovers config files named .golangci.yml, .golangci.yaml, .golangci.toml, or .golangci.json (with a leading dot). The lint workflow doesn't pass a --config flag either, so all the custom linter settings (gosec, gocritic, errcheck config, etc.) will be silently ignored and the linter will run with defaults only. This defeats the primary purpose of the PR.
| go-version: 'stable' | ||
| - uses: golangci/golangci-lint-action@aa6339a8b9e0e1c4b5e7c4e6f8d7c3a2b1e0d9f8 | ||
| with: | ||
| version: latest |
Lint workflow missing working-directory for Go module
High Severity
The lint workflow runs golangci-lint from the repository root, but the root go.mod was deleted in this PR. The Go code lives in backend/byteport/. Without a working-directory setting (as the existing ci.yml and go-ci.yml workflows use), the linter will fail to find a Go module and won't lint any code.
| const raw = await ghRaw(`repos/${REPO}/contents/${path}.md?ref=main`); | ||
| if (raw) { | ||
| // Last-ditch: raw markdown wrapped in <pre>. | ||
| bodyHtml = `<pre class="raw-md">${raw.replace(/[<>&]/g, (c) => ({ "<": "<", ">": ">", "&": "amp;" })[c] ?? c)}</pre>`; |
HTML ampersand entity escaped incorrectly as "amp;"
Low Severity
In the raw markdown fallback escaping, "&" is mapped to "amp;" instead of "&amp;". Any & characters in raw markdown content will render as the literal text amp; in the HTML output instead of being properly escaped.
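The escaping bug flagged above, next to a corrected single-pass escaper, as an added example that is not BytePort code. The function names are hypothetical, and the buggy variant assumes the `<` and `>` entries in the original source mapped to `&lt;` and `&gt;`.

```javascript
// Added example, not BytePort code. All names here are hypothetical.

// Complete map for text and quoted-attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Single pass over the input: every source character is replaced at most
// once, so the "&" that starts an emitted entity is never escaped again.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The mapping the review comment describes: "&" loses its leading
// ampersand, so the output contains the literal text "amp;".
function escapeHtmlBuggy(text) {
  const map = { "<": "&lt;", ">": "&gt;", "&": "amp;" };
  return String(text).replace(/[<>&]/g, (c) => map[c] ?? c);
}

// Raw-markdown fallback wrapped in <pre>, using the corrected escaper.
function rawMarkdownFallback(raw) {
  return `<pre class="raw-md">${escapeHtml(raw)}</pre>`;
}

// Constructed sample input.
const SAMPLE_MD = "# Title\n<b>x</b> & y";
console.log(escapeHtmlBuggy(SAMPLE_MD));
console.log(rawMarkdownFallback(SAMPLE_MD));
```

Markdown that already contains an entity such as `&lt;` comes out as `&amp;lt;`, which is what a raw-source view should display.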
| name: OpenSSF Scorecard | ||
| on: | ||
| branch_protection_rule: | ||
| timeout-minutes: 10 |
Scorecard timeout-minutes misplaced inside on: trigger block
Medium Severity
timeout-minutes: 10 is indented under the on: block at the same level as branch_protection_rule: and schedule:, making GitHub Actions interpret it as an event trigger name rather than a timeout setting. The timeout won't be applied. It needs to be either at the job level or moved out of the on: block.
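A preflight check for the three CI findings raised in the comments above (no Go module at the lint working directory, a lint config without the leading dot, and a job-level key under `on:`), as an added example that is not BytePort code. The function names, the finding labels, the sample file list and the cron value are assumptions made for illustration, and the workflow is assumed to be already parsed into an object.

```javascript
// Added example, not BytePort code. All names here are hypothetical.

// Config names golangci-lint auto-discovers, as listed in the review comment.
const LINT_CONFIG_NAMES = [".golangci.yml", ".golangci.yaml", ".golangci.toml", ".golangci.json"];
// Partial list of GitHub Actions event names; extend it for your repository.
const KNOWN_EVENTS = new Set(["push", "pull_request", "pull_request_target", "schedule",
  "workflow_dispatch", "workflow_call", "workflow_run", "release", "branch_protection_rule"]);
// Keys that configure a job and are never event names.
const JOB_LEVEL_KEYS = new Set(["timeout-minutes", "runs-on", "steps", "needs"]);

// "backend/byteport" -> ["backend/byteport", "backend", ""]; "" is the repo root.
function ancestors(dir) {
  const parts = dir.split("/").filter(Boolean);
  return parts.map((_, i) => parts.slice(0, parts.length - i).join("/")).concat("");
}

// repoFiles: repo-relative paths. workDir: directory the lint step runs in.
// configFlag: value of an explicit --config, if the step passes one.
// Both Go and golangci-lint also look in parent directories of workDir.
function checkLintSetup(repoFiles, workDir = "", configFlag = null) {
  const files = new Set(repoFiles);
  const dirs = ancestors(workDir);
  const has = (names) => dirs.some((d) => names.some((n) => files.has(d ? `${d}/${n}` : n)));
  const findings = [];
  if (!has(["go.mod", "go.work"])) findings.push("no-go-module");
  if (!configFlag && !has(LINT_CONFIG_NAMES)) findings.push("lint-config-not-discovered");
  return findings;
}

// workflow: the workflow file already parsed into an object (parser not shown).
function checkTriggers(workflow) {
  const on = workflow.on ?? {};
  const names = typeof on === "string" ? [on] : Array.isArray(on) ? on : Object.keys(on);
  return names
    .filter((n) => !KNOWN_EVENTS.has(n))
    .map((n) => (JOB_LEVEL_KEYS.has(n) ? `job-level-key-under-on:${n}` : `unknown-event:${n}`));
}

// Constructed samples mirroring the layout the comments describe.
const SAMPLE_FILES = ["golangci.yml", ".github/workflows/lint.yml",
  "backend/byteport/go.mod", "backend/nvms/go.mod"];
const SAMPLE_SCORECARD = {
  name: "OpenSSF Scorecard",
  on: { branch_protection_rule: null, "timeout-minutes": 10, schedule: [{ cron: "0 0 * * 0" }] },
  jobs: {},
};

console.log(checkLintSetup(SAMPLE_FILES, ""));                 // lint step at repo root
console.log(checkLintSetup(SAMPLE_FILES, "backend/byteport")); // module found, config not
console.log(checkLintSetup(SAMPLE_FILES, "backend/byteport", "../../golangci.yml"));
console.log(checkTriggers(SAMPLE_SCORECARD));
```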
| type LiveLoaderDataType<C extends keyof LiveContentConfig['collections']> = | ||
| LiveContentConfig['collections'][C]['schema'] extends undefined | ||
| ? ExtractDataType<LiveContentConfig['collections'][C]['loader']> | ||
| : import('astro/zod').infer< | ||
| Exclude<LiveContentConfig['collections'][C]['schema'], undefined> | ||
| >; |
Suggestion: ExtractDataType is referenced but never declared in this declaration module, so TypeScript cannot resolve LiveLoaderDataType and type-checking for Astro content APIs will fail. Define ExtractDataType (or use the already-declared ExtractLoaderTypes<T>['data']) so this conditional type resolves correctly. [type error]
Severity Level: Major ⚠️
- ❌ Astro content helper types fail: `ExtractDataType` undefined.
- ⚠️ `getLiveCollection` and `getLiveEntry` lack usable typings.
- ⚠️ Astro-aware IDEs show persistent type errors project-wide.
Steps of Reproduction ✅
1. Open the Astro-generated type entrypoint `/workspace/BytePort/.astro/types.d.ts`, which
at line 2 contains `/// <reference path="content.d.ts" />`, pulling in
`.astro/content.d.ts` into any TypeScript host used by Astro (IDE language server or
`astro check`).
2. That reference causes TypeScript to load `/workspace/BytePort/.astro/content.d.ts`,
including the exported helpers `getLiveCollection` and `getLiveEntry` whose return types
use `LiveLoaderDataType<C>` at lines 52 and 77 respectively (see
`LiveDataCollectionResult<LiveLoaderDataType<C>, ...>` and
`LiveDataEntryResult<LiveLoaderDataType<C>, ...>`).
3. While parsing the same file, the compiler reaches the definition of
`LiveLoaderDataType<C>` at lines 138–143, where the `true` branch of the conditional uses
`ExtractDataType<LiveContentConfig['collections'][C]['loader']>` even though no `type
ExtractDataType<...>` is declared anywhere in `.astro/content.d.ts`.
4. Because `ExtractDataType` is not defined, TypeScript emits an error such as "Cannot
find name 'ExtractDataType'" when performing type-checking for the Astro project, breaking
type resolution for `getLiveCollection` and `getLiveEntry` wherever Astro's tooling or an
editor relies on these generated declarations.
**Path:** .astro/content.d.ts
**Line:** 138:143
Code Review
This pull request updates the project's documentation and specifications to align with the current Go, SvelteKit, and Tauri stack, while introducing a new Astro-based landing page and utility dashboards for QA and observability. Key backend updates include the integration of OpenTelemetry and a fix for the GitHub token refresh payload. The review feedback recommends enhancing type safety in the frontend by defining interfaces for API responses and snapshots instead of using "any", and suggests explicitly listing Go linters in the configuration to prevent build instability from future linter updates.
| check-type-assertions: true | ||
| check-blank: true | ||
| govet: | ||
| enable-all: true |
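Review bot: `enable-all: true` under `govet` ties the set of analyzers to whatever the installed golangci-lint ships, so a linter upgrade can introduce new failures with no change to this file. Consider listing the wanted analyzers explicitly, or keep `enable-all` and pin the linter version in the workflow.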
| } | ||
| } | ||
| const meta: any = (await gh(`repos/${REPO}`)) ?? { |
Avoid using any type for GitHub API responses. Define an interface for the repository metadata to improve type safety.
```ts
interface RepoMeta {
  description: string;
  stargazers_count: number;
  pushed_at: string;
  language: string;
  homepage: string;
}

const meta: RepoMeta = (await gh(`repos/${REPO}`)) ?? {
  description: "",
  stargazers_count: 0,
  pushed_at: new Date().toISOString(),
  language: "Rust",
  homepage: ""
};
```
| // Build-time snapshot used when the live GitHub API is rate-limited (429) or | ||
| // otherwise unreachable. The snapshot mirrors the exact { data, reason } shape | ||
| // each panel renders so degraded states stay consistent. | ||
| const SNAPSHOT: Record<string, PanelResult<any>> = qaSnapshot as any; |
Avoid using any type for snapshot data. Define an interface for the snapshot structure to improve type safety.
```ts
interface Snapshot {
  coverage: PanelResult<CoverageReport>;
  lint: PanelResult<LintReport>;
  frTrace: PanelResult<FrTraceReport>;
}

const SNAPSHOT: Snapshot = qaSnapshot as unknown as Snapshot;
```
Code Review Summary
Status: Issues Found (Already Documented) | Recommendation: Address existing issues before merge
Overview
The issues identified in this PR have already been reported in existing comments. See below for verification of flagged issues.
Issue Details: WARNING (Already Reported)
Other Observations (not in diff): Issues found in unchanged code or configuration:
Files Reviewed (6 files)
Reviewed by laguna-m.1-20260312:free · 821,866 tokens





User description
Adds golangci-lint workflow and configuration for Go code quality enforcement. Includes workflow YAML, config fixes, and lint resolutions.
Note
Medium Risk
Moderate risk: touches CI/security workflows and adds OpenTelemetry init in the Go backend (startup/shutdown path), which could affect builds and runtime behavior if misconfigured.
Overview
CI/automation is expanded and standardized. Adds `golangci-lint` via new `lint.yml` + `golangci.yml`, introduces simple placeholder checks (`doc-links.yml`, `fr-coverage.yml`, `quality-gate.yml`), adds workflow `concurrency` across several pipelines, and updates action pins/versions (e.g., `actions/checkout@v4`, `dtolnay/rust-toolchain@stable`). `trufflehog.yml` is reworked to install/run TruffleHog via `go install`.
Security posture improves. Removes a committed private key (`backend/byteport/byteport-ghkey.pem`) and expands `deny.toml` advisory ignores with explicit justifications.
Go backend changes. Adds stdout OpenTelemetry tracing initialization/shutdown in `backend/byteport/main.go`, updates `go.mod`/`go.sum` with OTel deps, and cleans up GitHub refresh-token request construction/logging in `lib/git.go`.
Docs/landing additions. Adds a sizable spec/metadata refresh (`SPEC.md`, `SPECS_INDEX.md`, README tweaks) and introduces Astro pages for `/`, `/docs/*`, `/qa`, `/otel`, and `/preview/<pr>` with committed fallback snapshots (`src/data/*`) and generated `.astro` type stubs.
CodeAnt-AI Description
Refresh the BytePort site, docs, and quality pages while tightening startup and CI checks
What Changed
`/docs`, `/qa`, `/otel`, and `/preview/<pr>` pages were added for browsing documentation, viewing quality status, opening an observability panel, and jumping to pull request previews.
Impact
✅ Easier project navigation
✅ Clearer quality and build status
✅ Fewer exposed secrets in logs