Skip to content

golangci-lint upgrade to v2.11.4, related fixes#549

Merged
bgentry merged 5 commits intomasterfrom
bg/lint-fixes
Apr 21, 2026
Merged

golangci-lint upgrade to v2.11.4, related fixes#549
bgentry merged 5 commits intomasterfrom
bg/lint-fixes

Conversation

@bgentry
Copy link
Copy Markdown
Contributor

@bgentry bgentry commented Apr 20, 2026
edited
Loading

This repo hadn't had its golangci-lint version updated to the latest. It turns out a few things broke when I ran with that locally:

  • It was trying to lint and rewrite stuff in node_modules, so I had to exclude that.
  • The noctx checks want you to avoid context-free httptest.NewRequest calls, so those were changed to httptest.NewRequestWithContext to leverage the t.Context() as appropriate.
  • gosec flagged caller-provided output paths in packager as a risk. I could have skipped this given its input is constrained by workflows, but it seemed easy enough to accept the fix instead.
  • gosec flagged the code path behind riverui -healthcheck=..., which is an operator-invoked probe of the running server's HTTP health endpoint. I left the behavior alone and added a narrow //nolint:gosec suppression on that specific request path with an explanation of why the warning isn't actionable here.

bgentry added 4 commits April 20, 2026 15:30
@bgentry
exclude node_modules from golangci-lint
41251a0
@bgentry
bump golangci-lint in CI
75b93c8 
The branch updates `.golangci.yaml` and is being linted locally with
`golangci-lint` 2.11.4, but CI was still pinned to 2.9.0. That leaves
local and CI checks evaluating different rule sets and can hide or
invent failures depending on where the lint runs.

Update the workflow pin to 2.11.4 so the GitHub Action fetches the same
linter version used locally. Keeping the versions aligned makes the
branch's lint results reproducible across environments.
@bgentry
replace httptest.NewRequest in tests
c66245a 
Recent `golangci-lint` releases enable the `noctx` checks that now flag
plain `httptest.NewRequest` calls in our tests and shared test helpers.
Those requests were still valid, but they no longer match the context-
aware API the linter expects.

Switch the affected tests and helper code to
`httptest.NewRequestWithContext`, reusing each test's existing context
where possible and falling back to `context.Background()` in the small
helper that has no test context available. This keeps the request setup
behavior the same while satisfying the stricter lint rule.
@bgentry
confine packager writes to output root
54d99c0 
The packager writes `.mod`, `.zip`, and `.info` artifacts under a
caller-provided output directory. Those writes were assembled with
`filepath.Join` and then passed straight to file creation helpers, which
is exactly the pattern `gosec` now flags for path traversal.

Open the version output directory as an `os.Root` and perform the file
writes through that root instead. This keeps the artifact generation
behavior the same, but confines every write to the intended output
subtree even if a filename is malformed or hostile.
@bgentry bgentry requested a review from brandur April 20, 2026 22:02
@brandur
Copy link
Copy Markdown
Collaborator

brandur commented Apr 20, 2026

Hrmm, yeah not sure about that health check one ... did you look at the diff? We add >200 LOCs just related to health checks, not including tests.

What are the consequences if we just disable the gosec instead? It's saying that if someone could inject a variable into your shell, then they could steer the health check to a non-River URL? Couldn't that happen with practically any env-baesd URL configuration? Honestly, it kind of seems like if people are injecting values into your shell, you've got bigger problems than this.

@bgentry
suppress gosec on -healthcheck probe
c5ab83b 
`gosec` flagged the `riverui -healthcheck=...` code path because it
constructs an outbound HTTP request using deployment configuration.
That probe is an operator-invoked check of the running River UI
server's own health endpoint, and we don't treat steering it via env as
a meaningful security boundary in this context.

Keep the existing behavior and add a narrow `//nolint:gosec`
suppression on the request construction and execution lines with an
explanation of why the warning is not actionable here.
@bgentry
Copy link
Copy Markdown
Contributor Author

bgentry commented Apr 21, 2026

@brandur yeah, agreed, gross and totally unnecessary 🤖 I removed it altogether in favor of lint ignore comments

brandur
brandur approved these changes Apr 21, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@brandur brandur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Woot. Yep SGTM.

@bgentry bgentry merged commit 15adb8f into master Apr 21, 2026
21 checks passed
@bgentry bgentry deleted the bg/lint-fixes branch April 21, 2026 03:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brandur brandur brandur approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bgentry @brandur