build(ci,tooling): bump Go to 1.25.5, add pre-commit & CI, update deps #16
- CI: add lint.yml, test.yml, security.yml; update codeql.yml and go.yml; remove codacy.yml
- Tooling: introduce pre-commit with hooks (golangci-lint, go mod tidy, unit tests)
- Lint: refresh .golangci.yaml (version=2, concurrency=12, updated excludes/settings)
- Project settings: add .project-settings.env (GO_VERSION=1.25.5, GOLANGCI_LINT_VERSION=v2.7.2, GCI_PREFIX)
- Examples: move examples/* to __examples/* to keep them out of module packaging/builds
- Deps: update go.mod/go.sum (ewrap v1.3.5, grpc v1.78.0, protobuf v1.36.11, genproto rpc rev)
- Code: small adjustments in grpc.go, middleware/logger.go, task.go, worker.go to satisfy linters

Why: standardize local/CI tooling, improve signal from lint/test/security checks, and align module/dependencies with the upgraded Go toolchain.
Pull request overview
This PR aims to standardize local and CI tooling by introducing pre-commit hooks, updating CI workflows, refreshing linter configurations, and bumping Go and dependencies. However, the PR contains critical version errors that will prevent the build and CI from working.
Key changes:
- Add comprehensive CI workflows (lint, test, security) and update existing workflows
- Introduce pre-commit configuration with hooks for code quality checks
- Add project settings file and update Makefile with new targets for tooling management
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| Makefile | Major refactor: adds .project-settings.env inclusion, new tooling targets (init, prepare-toolchain, sec), reorganizes lint/test targets; contains critical bugs |
| cspell.json | New spell-checking configuration with comprehensive word list for Go/tooling terms |
| CHANGELOG.md | Minor formatting update: adds version identifiers to section headers for clarity |
| .mdlrc | New markdownlint configuration file pointing to custom style rules |
| .mdl_style.rb | New markdownlint style rules (excludes MD013, configures MD007, MD029) |
| .github/FUNDING.yml | Adds YAML document marker for proper formatting |
| .dockerignore | Adds trailing newline for file consistency |
| GOLANGCI_LINT_VERSION ?= v2.7.2 | ||
| BUF_VERSION ?= v1.62.1 | ||
| GO_VERSION ?= 1.25.5 | ||
| GCI_PREFIX ?= github.com/hyp3rd/starter |
Copilot
AI
Jan 3, 2026
The default GCI_PREFIX value is set to 'github.com/hyp3rd/starter', which appears to be a placeholder or incorrect value. According to the .project-settings.env file (line 4), the correct value should be 'github.com/hyp3rd/go-worker' to match the actual module name in go.mod. While the .project-settings.env file will override this when included, the fallback default should still be correct.
| GCI_PREFIX ?= github.com/hyp3rd/starter | |
| GCI_PREFIX ?= github.com/hyp3rd/go-worker |
|
|
||
| bench: | ||
| cd tests && go test -bench=. -benchmem -benchtime=4s . -timeout 30m | ||
| go test -bench=. -benchtime=3s -benchmem -run=^-memprofile=mem.out ./... |
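Review bot: in the `bench` recipe, `-run=^-memprofile=mem.out` is a single `-run` pattern, so the memory profile is never enabled and `mem.out` is not written. Split it into two flags, and because this is a Makefile recipe write the empty-match pattern as `-run='^$$'`: make consumes a single `$` before the shell sees the command, so a bare `^$` followed by a space does not survive into the `go test` invocation.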
Copilot
AI
Jan 3, 2026
The bench target has incorrect flag syntax. The '-run=^-memprofile=mem.out' should be two separate flags: '-run=^$' (to skip regular tests) and '-memprofile=mem.out' (to enable memory profiling). The current syntax will be interpreted as a single malformed flag value.
| go test -bench=. -benchtime=3s -benchmem -run=^-memprofile=mem.out ./... | |
| go test -bench=. -benchtime=3s -benchmem -run=^$ -memprofile=mem.out ./... |
| pre-commit --version || (echo "pre-commit is not installed, install it with 'pip install pre-commit'" && exit 1) | ||
|
|
||
| @echo "Initializing pre-commit..." | ||
| pre-commit validate-config || pre-commit install && pre-commit install-hooks |
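Review bot: on the `pre-commit validate-config || pre-commit install && pre-commit install-hooks` line, `||` and `&&` have equal precedence in sh and group left to right, so a valid config skips `pre-commit install` but still runs `pre-commit install-hooks`, while an invalid config proceeds to install. Chain the three commands with `&&` so the recipe stops on a bad config and installs both the hook script and the hook environments on a good one.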
Copilot
AI
Jan 3, 2026
The logic in this command is potentially incorrect. The '||' operator will cause 'pre-commit install && pre-commit install-hooks' to run only if 'pre-commit validate-config' fails. The intended behavior is likely to validate the config first, then install hooks regardless of validation result. Consider separating these into distinct steps or using ';' instead of '||'.
| pre-commit validate-config || pre-commit install && pre-commit install-hooks | |
| pre-commit validate-config; pre-commit install && pre-commit install-hooks |
| # default in next version, remove then | ||
| rule 'MD007', :indent => 3 | ||
|
|
||
| rule "MD029", style => "one" |
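Review bot: in `rule "MD029", style => "one"` the key `style` has no leading colon, so Ruby evaluates it as a local variable or method call rather than as the symbol `:style`, unlike the `:indent => 3` form on the MD007 line above it. Write the key as `:style` and use the same single-quoted rule name as the MD007 line so the file stays consistent.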
Copilot
AI
Jan 3, 2026
The 'style' parameter should use a hash rocket (=>) instead of a plain arrow (=>), and the value should use a symbol (:one) instead of a string ("one") to be consistent with Ruby style and the other rule definitions in this file.
| rule "MD029", style => "one" | |
| rule 'MD029', :style => :one |
| $(call check_command_exists,gofumpt) || go install mvdan.cc/gofumpt@latest | ||
|
|
||
| @echo "Installing golangci-lint $(GOLANGCI_LINT_VERSION)...\n" | ||
| $(call check_command_exists,golangci-lint) || curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "$(go env GOPATH)/bin" $(GOLANGCI_LINT_VERSION) |
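Review bot: on the golangci-lint line, `"$(go env GOPATH)/bin"` sits in a Makefile recipe, so make expands `$(go env GOPATH)` as a make variable reference before the shell runs; unless a variable of that name is defined it is empty and `-b` receives `"/bin"`. Escape it as `$$(go env GOPATH)` or use `$(shell go env GOPATH)`. The `gofumpt@latest` install at the top of the hunk is also unpinned, unlike the golangci-lint install, which takes `$(GOLANGCI_LINT_VERSION)`.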
Copilot
AI
Jan 3, 2026
The golangci-lint installation uses curl piped directly to sh from a mutable HEAD reference on raw.githubusercontent.com, which is a supply-chain risk because arbitrary script changes upstream would execute with your local or CI environment’s privileges.
An attacker who compromises the golangci-lint repository or the delivery path could inject malicious commands into install.sh, leading to code execution and potential credential or source-code exfiltration during make prepare-toolchain.
To mitigate this, avoid curl|sh installers in automation: either vendor or pin a known script version and verify it with a checksum/signature, or install golangci-lint via version-pinned, integrity-checked mechanisms supported by the ecosystem.
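The mitigation named in the comment above (pin a version and verify it against a checksum before use), as an added example that is not part of the PR or the project's Makefile. `sha256_of` and `verified_install` are hypothetical helper names, the artifact is a constructed local file, and the download of the pinned artifact is assumed to have happened already.

```shell
#!/bin/sh
# Added example: gate a downloaded tool on a pinned SHA-256 before use.

# sha256_of FILE: print the hex digest (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verified_install ARTIFACT EXPECTED_SHA256 DEST_DIR (hypothetical helper)
# Copies ARTIFACT into DEST_DIR only if its digest equals the pinned value.
# Returns 1 on a missing file or a mismatch; the artifact is never executed.
verified_install() {
    artifact=$1; expected=$2; dest=$3
    [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 1; }
    actual=$(sha256_of "$artifact")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $artifact" >&2
        echo "  pinned: $expected" >&2
        echo "  actual: $actual" >&2
        return 1
    fi
    mkdir -p "$dest" && cp "$artifact" "$dest/" &&
        chmod 0755 "$dest/$(basename "$artifact")"
}

# Constructed offline demo: a stand-in tool is pinned, installed, then
# modified to stand in for upstream content changing after the pin.
demo() {
    work=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho lint-tool\n' > "$work/tool"
    pinned=$(sha256_of "$work/tool")   # recorded once, at review time
    verified_install "$work/tool" "$pinned" "$work/bin" || { rm -rf "$work"; return 1; }
    printf 'echo extra-step\n' >> "$work/tool"   # content drifts after pinning
    status=0
    verified_install "$work/tool" "$pinned" "$work/bin2" 2>/dev/null && status=1
    [ ! -e "$work/bin2" ] || status=1   # nothing may be installed on mismatch
    rm -rf "$work"
    return $status
}
```

In the Makefile the pinned digest would sit beside `GOLANGCI_LINT_VERSION`, so that a version bump and its checksum change in the same commit.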