fix(ci): unblock PR #32 — drop invalid gosec exclude and make Windows build

ysyneu · claude · ysyneu · commit a60df851d4f3 · 2026-04-23T22:14:09.000+08:00
- .golangci.yml: remove G706 from gosec.excludes. golangci-lint v2.1.6 (pinned
  in CI) doesn't know G706 as a gosec rule, so `config verify` rejects the
  config before any linting runs. G706 wasn't enforcing anything in CI anyway.
- workspace: split the sentinel advisory-lock primitive across build-tagged
  files so `go build` / `go test` succeed on windows/amd64. Unix path keeps
  flock(2); Windows path is a no-op stub with a warning log (the runner is
  not shipped on Windows — CI only needs it to compile).

Verified: GOOS=windows go build ./... clean; unix tests PASS; golangci-lint
config verify clean.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.golangci.yml b/.golangci.yml
@@ -47,12 +47,10 @@ linters:
       # Exclude G301 (directory permissions) - workspace needs readable directories
       # Exclude G304 (file inclusion) - paths are validated via safePath()
       # Exclude G306 (file permissions) - workspace files need to be readable
-      # Exclude G706 (log injection) - we use slog structured logging which is inherently safe
       excludes:
         - G301
         - G304
         - G306
-        - G706
 
 formatters:
   enable:
diff --git a/workspace/knowledge.go b/workspace/knowledge.go
@@ -9,7 +9,6 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-	"syscall"
 
 	"github.com/flashcatcloud/flashduty-runner/protocol"
 )
@@ -85,13 +84,14 @@ func atomicWriteFile(path string, data []byte, perm os.FileMode) error {
 }
 
 // withSentinelLock opens (or creates) the sentinel file, acquires an exclusive
-// advisory flock on it, calls fn, then releases the lock.  The advisory lock
-// protects concurrent read-modify-write cycles across BYOC sessions that share
-// the same filesystem (e.g. multiple Safari instances writing to the same
-// worknode workspace root).
+// advisory lock on it via the platform-specific acquireSentinelLock helper,
+// calls fn, then releases the lock.  The advisory lock protects concurrent
+// read-modify-write cycles across BYOC sessions that share the same
+// filesystem (e.g. multiple Safari instances writing to the same worknode
+// workspace root).
 //
-// Note: syscall.Flock is available on Linux and macOS.  The runner is deployed
-// on those platforms only; Windows is not supported today.
+// The lock primitive is split across knowledge_flock_unix.go (flock(2)) and
+// knowledge_flock_windows.go (no-op; the runner is not supported on Windows).
 func withSentinelLock(sentinelPath string, fn func() error) error {
 	// Open or create the sentinel file just to acquire the lock fd.
 	// We do NOT read/write through this fd to keep flock + atomic-write
@@ -104,13 +104,11 @@ func withSentinelLock(sentinelPath string, fn func() error) error {
 		_ = lockFile.Close()
 	}()
 
-	fd := int(lockFile.Fd()) //nolint:gosec // os.File.Fd returns uintptr but the underlying OS fd is always a valid int on unix
-	if err := syscall.Flock(fd, syscall.LOCK_EX); err != nil {
-		return fmt.Errorf("failed to acquire sentinel lock: %w", err)
+	release, err := acquireSentinelLock(lockFile)
+	if err != nil {
+		return err
 	}
-	defer func() {
-		_ = syscall.Flock(fd, syscall.LOCK_UN)
-	}()
+	defer release()
 
 	return fn()
 }
diff --git a/workspace/knowledge_flock_unix.go b/workspace/knowledge_flock_unix.go
@@ -0,0 +1,20 @@
+//go:build !windows
+
+package workspace
+
+import (
+	"fmt"
+	"os"
+	"syscall"
+)
+
+// acquireSentinelLock takes an exclusive advisory flock(2) on f and returns a
+// release function that removes the lock. Used by withSentinelLock to serialise
+// read-modify-write cycles on the sentinel JSON across concurrent BYOC sessions.
+func acquireSentinelLock(f *os.File) (release func(), err error) {
+	fd := int(f.Fd()) //nolint:gosec // os.File.Fd returns uintptr but the underlying OS fd is always a valid int on unix
+	if err := syscall.Flock(fd, syscall.LOCK_EX); err != nil {
+		return nil, fmt.Errorf("failed to acquire sentinel lock: %w", err)
+	}
+	return func() { _ = syscall.Flock(fd, syscall.LOCK_UN) }, nil
+}
diff --git a/workspace/knowledge_flock_windows.go b/workspace/knowledge_flock_windows.go
@@ -0,0 +1,17 @@
+//go:build windows
+
+package workspace
+
+import (
+	"log/slog"
+	"os"
+)
+
+// acquireSentinelLock is a no-op on Windows. The runner is not shipped on
+// Windows; this stub exists only so `go build` and `go test` succeed on
+// windows/amd64 in CI. Concurrent sessions on Windows would race on the
+// sentinel file — acceptable for a non-production platform.
+func acquireSentinelLock(_ *os.File) (release func(), err error) {
+	slog.Warn("sentinel advisory lock skipped on windows (runner not supported on this platform)")
+	return func() {}, nil
+}
