ci: pin golangci-lint, modernize actions, add caching #17
Merged
Lint started failing on every new PR because the Makefile downloaded golangci-lint via install.sh from the master branch, which fetches the latest release. golangci-lint v2.12.2 (2026-05-06) has a checksum mismatch between install.sh's hardcoded hash and the CDN binary, breaking every PR opened since.

Changes:
- Pin golangci-lint to v2.11.4 in both .github/workflows/main.yml and Makefile (single version, two consumers; bump together).
- Switch to golangci/golangci-lint-action@v8 in CI. Faster (built-in caching), more stable than running the install script in a Make target. Keeps make check working for local dev with the same pinned version.
- Bump actions/checkout v3 to v5 and actions/setup-go v3 to v5. The v3 versions are deprecated and will be force-bumped Sept 2026.
- Bump supercharge/redis-github-action 1.4.0 to 1.8.0.
- Add cache: true to setup-go invocations. Cuts ~30s off cold runs by caching the Go module download.
- Add permissions: contents: read at workflow root. Matches the least-privilege pattern already adopted by other SDK repos.
- Extend .github/dependabot.yml with the github-actions ecosystem so action versions and the lint pin auto-update going forward.
- Pull install.sh from the pinned version tag in Makefile (not master). install.sh's hardcoded checksums now always match the binary they install. Removes the failure mode that triggered this PR.

Out of scope (separate concern):
- go.mod declares Go 1.19 (EOL). govulncheck now requires Go 1.25+. Workflow uses go-version: 'stable' to keep vulncheck working; go.mod bump should be a separate PR with semver review.

Local verification:
- make check installs v2.11.4 cleanly, no checksum errors
- golangci-lint reports "0 issues"

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
What
Five compounding changes that turn the CI pipeline from fragile to durable:
- Pin golangci-lint to v2.11.4 in both .github/workflows/main.yml and Makefile. Single pin, two consumers; bumped together.
- Switch to golangci/golangci-lint-action@v8 in CI. Built-in caching, more stable than running install.sh from a Make target on every CI run. make check still works locally with the same pinned version.
- Bump actions/checkout@v3 → v5, actions/setup-go@v3 → v5, supercharge/redis-github-action@1.4.0 → 1.8.0. v3 versions deprecate in Sept 2026.
- Add cache: true to setup-go invocations. Trims ~30s off cold CI runs.
- Add permissions: contents: read at workflow root. Matches the least-privilege pattern used by sibling SDK repos.
- Extend .github/dependabot.yml with the github-actions ecosystem so action versions and the lint pin auto-update going forward.
- Pull install.sh from the pinned version tag (not master). The script's hardcoded checksums now always match the binary it installs. This is the specific bug that broke every recent PR (v2.12.2's tarball didn't match master/install.sh's expected checksum).
Why now
Today's PR #14 (and every PR opened since 2026-05-06) failed at lint with:
Not the PR's fault. The Makefile asked install.sh from master for the latest release; latest was v2.12.2 which has a CDN/script checksum mismatch upstream. Every PR fails the same way until lint is pinned.
Out of scope (separate concern)
go.mod declares Go 1.19 (EOL). govulncheck now requires Go 1.25+. The workflow uses go-version: 'stable' to keep vulncheck working under the current go.mod. Bumping go.mod's Go version should be a separate PR with semver review for consumers.
Local verification
Pinned binary installs cleanly, no checksum errors.
golangci-lint --version reports 2.11.4 as expected.
Test plan
- @dependabot rebase on Bump github.com/labstack/echo/v4 from 4.12.0 to 4.15.2 #14 to re-run with the fixed lint pipeline
- github-actions ecosystem) auto-bump golangci-lint when v2.11.5+ ships
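A guard for the "single pin, two consumers" rule and the install.sh-from-master failure described in the pull request above, as an added example that is not part of the PR or the repository. The Makefile variable name GOLANGCI_LINT_VERSION, the layout of the workflow step, and the sample file contents are assumptions, since the page does not show the real files.

```shell
#!/usr/bin/env bash
# Added example: pin-drift check for the two golangci-lint consumers.
# Assumed names: GOLANGCI_LINT_VERSION in the Makefile and a `version:` input
# on the golangci-lint-action step; the real files are not shown on the page.

makefile_pin() {   # version assigned to GOLANGCI_LINT_VERSION
  sed -nE 's/^GOLANGCI_LINT_VERSION[[:space:]]*[:?]?=[[:space:]]*(v[0-9.]+).*/\1/p' "$1" | head -n1
}

workflow_pin() {   # `version:` input of the golangci-lint-action step
  awk '/uses:[[:space:]]*golangci\/golangci-lint-action@/ { seen = 1; next }
       seen && /^[[:space:]]*-[[:space:]]/ { seen = 0 }
       seen && $1 == "version:" { gsub(/["\047]/, "", $2); print $2; exit }' "$1"
}

install_sh_ref() { # git ref that install.sh is downloaded from
  sed -nE 's#.*golangci/golangci-lint/([^/]+)/install\.sh.*#\1#p' "$1" | head -n1
}

check_pins() {     # usage: check_pins MAKEFILE WORKFLOW; returns 1 on any finding
  local mk wf ref rc=0
  mk=$(makefile_pin "$1"); wf=$(workflow_pin "$2"); ref=$(install_sh_ref "$1")
  [ -n "$mk" ] || { echo "$1: golangci-lint version is not pinned"; rc=1; }
  [ "$mk" = "$wf" ] || { echo "pin drift: Makefile='$mk' workflow='$wf'"; rc=1; }
  case "$ref" in
    "$mk" | '$(GOLANGCI_LINT_VERSION)') ;;   # tag literal or the pin variable
    *) echo "$1: install.sh fetched from '$ref', not the pinned tag"; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample files (not the repository's real contents).
demo=$(mktemp -d)
printf '%s\n' 'lint:' \
  '	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b bin' \
  > "$demo/Makefile.before"
printf '%s\n' 'GOLANGCI_LINT_VERSION := v2.11.4' 'lint:' \
  '	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/$(GOLANGCI_LINT_VERSION)/install.sh | sh -s -- -b bin $(GOLANGCI_LINT_VERSION)' \
  > "$demo/Makefile.after"
printf '%s\n' 'permissions:' '  contents: read' 'jobs:' '  lint:' '    steps:' \
  '      - uses: actions/checkout@v5' \
  '      - uses: golangci/golangci-lint-action@v8' '        with:' '          version: v2.11.4' \
  > "$demo/main.yml"

check_pins "$demo/Makefile.before" "$demo/main.yml" || echo "=> before: FAIL"
check_pins "$demo/Makefile.after"  "$demo/main.yml" && echo "=> after: OK"
```

Run as a CI step ahead of lint, a non-zero return from check_pins stops a bump that touches only one of the two files.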