ci: pin golangci-lint, modernize actions, add caching#17

Merged: donbagger merged 1 commit into master from ci/modernize-and-pin-lint, May 11, 2026
@donbagger

Contributor

What

Five compounding changes that turn the CI pipeline from fragile to durable:

  1. Pin golangci-lint to v2.11.4 in both .github/workflows/main.yml and Makefile. Single pin, two consumers; bumped together.
  2. Switch to golangci/golangci-lint-action@v8 in CI. Built-in caching, more stable than running install.sh from a Make target on every CI run. make check still works locally with the same pinned version.
  3. Bump deprecated actions: actions/checkout@v3 → v5, actions/setup-go@v3 → v5, supercharge/redis-github-action@1.4.0 → 1.8.0. v3 versions deprecate in Sept 2026.
  4. Add cache: true to setup-go invocations. Trims ~30s off cold CI runs.
  5. Add permissions: contents: read at workflow root. Matches the least-privilege pattern used by sibling SDK repos.
  6. Extend .github/dependabot.yml with the github-actions ecosystem so action versions and the lint pin auto-update going forward.
  7. In the Makefile, pull install.sh from the pinned version tag (not master). The script's hardcoded checksums now always match the binary it installs. This is the specific bug that broke every recent PR (v2.12.2's tarball didn't match master/install.sh's expected checksum).

Why now

Today's PR #14 (and every PR opened since 2026-05-06) failed at lint with:

hash_sha256_verify checksum for golangci-lint-2.12.2-linux-amd64.tar.gz did not verify

Not the PR's fault. The Makefile asked install.sh from master for the latest release; latest was v2.12.2 which has a CDN/script checksum mismatch upstream. Every PR fails the same way until lint is pinned.

Out of scope (separate concern)

go.mod declares Go 1.19 (EOL). govulncheck now requires Go 1.25+. The workflow uses go-version: 'stable' to keep vulncheck working under the current go.mod. Bumping go.mod's Go version should be a separate PR with semver review for consumers.

Local verification

$ make check
golangci/golangci-lint info installed ./bin/golangci-lint
0 issues.

Pinned binary installs cleanly, no checksum errors. golangci-lint --version reports 2.11.4 as expected.

Test plan

Lint started failing on every new PR because the Makefile downloaded
golangci-lint via install.sh from the master branch, which fetches the
latest release. golangci-lint v2.12.2 (2026-05-06) has a checksum
mismatch between install.sh's hardcoded hash and the CDN binary,
breaking every PR opened since.

Changes:

- Pin golangci-lint to v2.11.4 in both .github/workflows/main.yml and
  Makefile (single version, two consumers; bump together).
- Switch to golangci/golangci-lint-action@v8 in CI. Faster (built-in
  caching), more stable than running the install script in a Make
  target. Keeps make check working for local dev with the same
  pinned version.
- Bump actions/checkout v3 to v5 and actions/setup-go v3 to v5. The
  v3 versions are deprecated and will be force-bumped Sept 2026.
- Bump supercharge/redis-github-action 1.4.0 to 1.8.0.
- Add cache: true to setup-go invocations. Cuts ~30s off cold runs
  by caching the Go module download.
- Add permissions: contents: read at workflow root. Matches the
  least-privilege pattern already adopted by other SDK repos.
- Extend .github/dependabot.yml with the github-actions ecosystem so
  action versions and the lint pin auto-update going forward.
- Pull install.sh from the pinned version tag in Makefile (not
  master). install.sh's hardcoded checksums now always match the
  binary they install. Removes the failure mode that triggered this
  PR.

Out of scope (separate concern):

- go.mod declares Go 1.19 (EOL). govulncheck now requires Go 1.25+.
  Workflow uses go-version: 'stable' to keep vulncheck working;
  go.mod bump should be a separate PR with semver review.

Local verification:
- make check installs v2.11.4 cleanly, no checksum errors
- golangci-lint reports "0 issues"

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@donbagger merged commit 63dffd1 into master May 11, 2026
2 checks passed
@donbagger deleted the ci/modernize-and-pin-lint branch May 11, 2026 11:25
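
An added example, not code from this repository or from the PR: a shell guard for the "single pin, two consumers" rule and the install.sh-from-tag fix described above. The Makefile variable name GOLANGCI_LINT_VERSION, the target name, and all three file fragments are constructed assumptions.

```shell
#!/bin/sh
# Added example: guard that the golangci-lint pin stays consistent.
# GOLANGCI_LINT_VERSION and the sample files are assumptions, not the repo's files.

# Git ref that install.sh is fetched from: "master", "v2.11.4" or "$(VAR)".
install_ref() {
  sed -n 's|.*golangci/golangci-lint/\([^/]*\)/install\.sh.*|\1|p' "$1" | head -n 1
}

# Expand a "$(NAME)" token using the Makefile's own assignment; pass others through.
resolve_make_var() {  # $1 = Makefile, $2 = token
  case "$2" in
    '$('*')') name=${2#'$('}; name=${name%')'}
              sed -n "s/^${name}[[:space:]]*[:?]*=[[:space:]]*//p" "$1" | head -n 1 ;;
    *) printf '%s\n' "$2" ;;
  esac
}

# Value of the lint action's "version:" input in the workflow file.
workflow_version() {
  sed -n 's/^[[:space:]]*version:[[:space:]]*\(v[0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when install.sh comes from a version tag that matches the workflow pin.
check_lint_pin() {  # $1 = Makefile, $2 = workflow YAML
  ref=$(resolve_make_var "$1" "$(install_ref "$1")")
  ci=$(workflow_version "$2")
  case "$ref" in
    v[0-9]*) ;;
    *) echo "FAIL: install.sh fetched from '${ref}', not a version tag"; return 1 ;;
  esac
  [ "$ref" = "$ci" ] || { echo "FAIL: Makefile pins $ref, workflow pins $ci"; return 1; }
  echo "OK: both consumers pinned to $ref"
}

# Constructed sample inputs: an unpinned Makefile, a pinned one, and a workflow.
write_samples() {  # $1 = directory
  printf 'lint-install:\n\tcurl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b ./bin\n' \
    > "$1/Makefile.before"
  printf 'GOLANGCI_LINT_VERSION := v2.11.4\nlint-install:\n\tcurl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/$(GOLANGCI_LINT_VERSION)/install.sh | sh -s -- -b ./bin $(GOLANGCI_LINT_VERSION)\n' \
    > "$1/Makefile.after"
  printf '      - uses: golangci/golangci-lint-action@v8\n        with:\n          version: v2.11.4\n' > "$1/main.yml"
}

tmp=$(mktemp -d); write_samples "$tmp"
check_lint_pin "$tmp/Makefile.before" "$tmp/main.yml" || true   # rejected: ref is master
check_lint_pin "$tmp/Makefile.after"  "$tmp/main.yml"           # accepted: v2.11.4 in both
rm -rf "$tmp"
```

Run as a CI step against the real Makefile and workflow, it fails the build when the two pins drift apart or the installer script is fetched from a branch again.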