Merged
28 changes: 0 additions & 28 deletions .github/workflows/ci.yaml
Expand Up @@ -38,8 +38,6 @@ jobs:

pre-build-updater:
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
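Review bot: dropping the `container:` block means `pre-build-updater` now runs directly on `ubuntu-latest`, so the Go toolchain and any tooling that `quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9` pinned are no longer fixed and will track whatever GitHub ships in its runner image. Only the `actions/checkout@v6` step is visible in this hunk; the job needs an explicit, version-pinned toolchain step (for example `actions/setup-go` with the Go version fixed) so builds stay reproducible, and the same check applies to every other job in this file that loses the image.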
Expand Down Expand Up @@ -71,8 +69,6 @@ jobs:
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.define-scanner-job-matrix.outputs.matrix).build_and_push }}
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -100,8 +96,6 @@ jobs:

style-check:
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand All @@ -119,8 +113,6 @@ jobs:

unit-tests:
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -166,8 +158,6 @@ jobs:
runs-on: ubuntu-latest
needs:
- pre-build-updater
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -211,8 +201,6 @@ jobs:
runs-on: ubuntu-latest
needs:
- generate-genesis-dump
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -260,8 +248,6 @@ jobs:
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.define-scanner-job-matrix.outputs.matrix).build_and_push }}
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -317,8 +303,6 @@ jobs:
runs-on: ubuntu-latest
needs:
- generate-db-dump
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -368,8 +352,6 @@ jobs:
strategy:
fail-fast: false
matrix: ${{ fromJson(needs.define-scanner-job-matrix.outputs.matrix).build_and_push }}
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -441,8 +423,6 @@ jobs:
- generate-scanner-db-bundle
- build-images
runs-on: ubuntu-latest
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
env:
QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
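Review bot: the job-level `env:` block exposes the Quay read-write credentials (`QUAY_RHACS_ENG_RW_USERNAME`, `QUAY_RHACS_ENG_RW_PASSWORD`) to every step in this job, including any third-party actions it runs. Now that the job is on the bare runner rather than inside the curated image, consider moving those two variables into the `env:` of the single login/push step so only that step can read them.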
Expand Down Expand Up @@ -487,8 +467,6 @@ jobs:
runs-on: ubuntu-latest
needs:
- generate-genesis-dump
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -606,8 +584,6 @@ jobs:
runs-on: ubuntu-latest
needs:
- generate-db-dump
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand All @@ -634,8 +610,6 @@ jobs:
runs-on: ubuntu-latest
needs:
- generate-db-dump
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
Expand Down Expand Up @@ -668,8 +642,6 @@ jobs:
runs-on: ubuntu-latest
needs:
- generate-db-dump
container:
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.9
steps:
- name: Checkout
uses: actions/checkout@v6
224 changes: 107 additions & 117 deletions .golangci.yml
@@ -1,65 +1,52 @@
# Originally copied from github.com/stackrox/stackrox, and regularly kept in-sync manually.

version: "2"

🎯 Functional Correctness | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Config version:"
sed -n '1,6p' .golangci.yml

echo
echo "Pinned golangci-lint module(s):"
fd -a '^go\.mod$' tools 2>/dev/null | xargs -r rg -n 'github\.com/golangci/golangci-lint'

echo
echo "Makefile golangci-lint install/run entrypoints:"
rg -n -C2 'github\.com/golangci/golangci-lint(/v2)?/cmd/golangci-lint|\$\(GOLANGCILINT_BIN\) run' Makefile

Repository: stackrox/scanner

Length of output: 1251


🏁 Script executed:

# Example of incorrect vs correct behavior
# Incorrect: matches "third_party" but not "third_party/file.go"
# Correct: matches "third_party/" and "third_party/file.go"
third_party/

Repository: stackrox/scanner

Length of output: 201


Update exclusion path patterns and migrate to the v2 toolchain.

The configuration uses version: "2", but the Makefile installs golangci-lint from the v1 module path (github.com/golangci/golangci-lint at v1.64.8). While v1.64.8 detects v2 configs, consistency requires migrating the tool installation to github.com/golangci/golangci-lint/v2.

More critically, the exclusion patterns (e.g., third_party$) use a trailing $ anchor, which fails to exclude files inside those directories. In golangci-lint, the paths exclusion list treats trailing slashes as directory prefixes. Update the patterns (lines 114–116 and 127–129) to:

  • - third_party/
  • - builtin/
  • - examples/

Also update the v1 install command in the Makefile and tools/linters/go.mod to use the /v2 module path.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.golangci.yml at line 3, The golangci-lint config and toolchain are
mismatched, and the exclusion patterns using trailing $ are not excluding
directory contents. Update the paths exclusions in the golangci-lint config to
use directory-prefix entries for third_party, builtin, and examples, and migrate
the lint tool installation to the /v2 module path in both the Makefile and
tools/linters/go.mod. Keep the version: "2" config aligned with the v2
golangci-lint module and verify the updated exclusions still apply through the
existing golangci-lint settings.

run:
timeout: 16m
modules-download-mode: readonly
go: "1.23"

modules-download-mode: readonly
output:
formats:
- format: colored-line-number
- format: junit-xml
text:
path: stdout
junit-xml:
path: report.xml

issues:
exclude-use-default: false

exclude-rules:
- linters:
- revive
text: "should have a package comment, unless it's in another file for this package"
- linters:
- revive
text: "should not use dot imports"
- linters:
- revive
text: "returns unexported type .* which can be annoying to use"
- linters:
- revive
text: "error strings should not be capitalized or end with punctuation or a newline"
- linters:
- revive
text: "should omit type int from declaration"
- linters:
- revive
text: "don't use leading k in Go names"
- linters:
- revive
text: "package-comments: should have a package comment"
- linters:
- gocritic
path: _test\.go

linters-settings:
gosec:
includes:
- G601 # Implicit memory aliasing of items from a range statement
revive:
rules:
- name: package-comments
disabled: true
- name: error-strings
disabled: true
- name: unexported-return
disabled: true
govet:
enable-all: true
disable:
linters:
# please, do not use `enable-all`: it's deprecated and will be removed soon.
# inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
default: none
enable:
- asciicheck
- copyloopvar
# - errcheck
# - forbidigo
- gocritic
# - exptostd
- gosec
- govet
- ineffassign
# - modernize
- nolintlint
# - protogetter
- revive # replaces golint
- rowserrcheck
- staticcheck
# - wrapcheck
# - nakedret TODO: add in follow-up
- unconvert
# - unparam TODO: add in follow-up
settings:
gosec:
includes:
- G601
govet:
disable:
- shadow
- fieldalignment
settings:
printf: # analyzer name, run `go tool vet help` to see all analyzers
funcs: # run `go tool vet help printf` to see available settings for `printf` analyzer
enable-all: true
settings:
printf:
funcs:
- Print
- Printf
- Println
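Review bot: the `gosec` include lost its explanatory comment (`- G601 # Implicit memory aliasing of items from a range statement` became a bare `- G601`); keep the comment so readers do not have to look the rule up. Separately, `# - errcheck` stays commented out in the new `enable:` list without the `TODO: add in follow-up` marker that the neighbouring `nakedret` and `unparam` entries carry; unchecked errors are a common source of silent failure in a scanner, so either enable it or mark it as a follow-up like the others.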
Expand All @@ -71,69 +58,72 @@ linters-settings:
- Warnf
- Error
- Errorf
gocritic:
enabled-checks:
- commentFormatting
nolintlint:
allow-leading-space: false # require machine-readable nolint directives (i.e. with no leading space)
allow-unused: false # report any unused nolint directives
require-explanation: false # don't require an explanation for nolint directives
require-specific: true # require nolint directives to be specific about which linter is being skipped
staticcheck:
checks: [ all,-ST1000,-ST1001,-ST1003,-ST1005,-SA1019,-SA4001,-ST1016 ]

linters:
# please, do not use `enable-all`: it's deprecated and will be removed soon.
# inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint
disable-all: true
nolintlint:
require-explanation: false
require-specific: true
allow-unused: false
revive:
rules:
- name: package-comments
disabled: true
- name: error-strings
disabled: true
- name: unexported-return
disabled: true
staticcheck:
checks:
- all
- -QF1001
- -QF1002
- -QF1003
- -QF1008
- -SA1019
- -SA4001
- -ST1000
- -ST1001
- -ST1003
- -ST1005
exclusions:
generated: lax
rules:
- linters:
- revive
text: should have a package comment, unless it's in another file for this package
- linters:
- revive
text: should not use dot imports
- linters:
- revive
text: returns unexported type .* which can be annoying to use
- linters:
- revive
text: error strings should not be capitalized or end with punctuation or a newline
- linters:
- revive
text: should omit type int from declaration
- linters:
- revive
text: don't use leading k in Go names
- linters:
- revive
text: 'package-comments: should have a package comment'
- linters:
- gocritic
path: _test\.go
paths:
- third_party$
- builtin$
- examples$

🎯 Functional Correctness | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
import re

current = [r"third_party$", r"builtin$", r"examples$"]
proposed = [r"(^|/)third_party(/|$)", r"(^|/)builtin(/|$)", r"(^|/)examples(/|$)"]
paths = [
    "third_party/foo.go",
    "pkg/third_party/foo.go",
    "builtin/foo.go",
    "examples/foo.go",
]

for path in paths:
    print(path)
    print("  current:", any(re.search(p, path) for p in current))
    print("  proposed:", any(re.search(p, path) for p in proposed))
PY

for d in third_party builtin examples; do
  echo
  echo "Sample files under $d, if present:"
  fd . "$d" -t f -d 2 2>/dev/null | head -5 || true
done

Repository: stackrox/scanner

Length of output: 491


Fix path exclusions to correctly exclude directory trees

The current regex patterns third_party$, builtin$, and examples$ in .golangci.yml are insufficient because they only match paths ending exactly at the directory name. Consequently, files inside these directories (e.g., third_party/foo.go) are not excluded and will still be processed by linters/formatters.

Update the patterns in both locations (lines 113–116 and 126–129) to match the directory as a path component.

Suggested update
     paths:
-    - third_party$
-    - builtin$
-    - examples$
+    - '(^|/)third_party(/|$)'
+    - '(^|/)builtin(/|$)'
+    - '(^|/)examples(/|$)'
@@
     paths:
-    - third_party$
-    - builtin$
-    - examples$
+    - '(^|/)third_party(/|$)'
+    - '(^|/)builtin(/|$)'
+    - '(^|/)examples(/|$)'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.golangci.yml around lines 113 - 116, The exclusion patterns in the golangci
config only match the exact directory names, so nested files under those
directories are still linted. Update the path regexes in the duplicated paths
sections of the configuration to match the directory as a path component, using
the existing exclusion entries for third_party, builtin, and examples as the
anchors.

issues:
max-issues-per-linter: 0
max-same-issues: 0
formatters:
enable:
- asciicheck
# - bodyclose
- copyloopvar
# - deadcode
# - depguard
# - dogsled
# - dupl
# - errcheck
# - funlen
# - forbidigo
# - gochecknoglobals
# - gochecknoinits
# - gocognit
# - goconst
- gocritic
# - gocyclo
# - godot
# - godox
# - goerr113
- gofmt
- goimports
- revive # replaces golint
# - gomnd
# - goprintffuncname
- gosec
- gosimple
- govet
- ineffassign
# - interfacer
# - lll
# - maligned
# - misspell
# - nakedret TODO: add in follow-up
# - nestif
- nolintlint
# - prealloc
- rowserrcheck
# - scopelint
- staticcheck
# - structcheck
# - stylecheck
# - testpackage
# - typecheck
# - unconvert TODO: add in follow-up
# - unparam TODO: add in follow-up
# - unused
# - varcheck
# - whitespace
# - wrapcheck TODO: add in follow-up
# - wsl
- gofmt
- goimports
exclusions:
generated: lax
paths:
- third_party$
- builtin$
- examples$
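Review bot: the `staticcheck.checks` list changes behaviour, not only format: `-QF1001`, `-QF1002`, `-QF1003` and `-QF1008` are newly suppressed, and `-ST1016` from the old `checks: [ all,-ST1000,-ST1001,-ST1003,-ST1005,-SA1019,-SA4001,-ST1016 ]` is gone, so receiver-name findings will now surface while quickfix suggestions will not; state that in the commit message or restore `-ST1016` if it was dropped by accident. The `nolintlint` block also lost `allow-leading-space: false` and the per-option comments; if the v2 schema no longer accepts that key, say so, otherwise restore it. Finally, the identical `paths:` list (`third_party$`, `builtin$`, `examples$`) appears under both `linters.exclusions` and `formatters.exclusions`, so any fix to the anchoring raised above has to be applied in both places.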
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -91,7 +91,7 @@ $(EASYJSON_BIN): deps
GOLANGCILINT_BIN := $(GOBIN)/golangci-lint
$(GOLANGCILINT_BIN): deps
@echo "+ $@"
@cd tools/linters/ && $(GOINSTALL) github.com/golangci/golangci-lint/cmd/golangci-lint
@cd tools/linters/ && $(GOINSTALL) github.com/golangci/golangci-lint/v2/cmd/golangci-lint

OSSLS_BIN := $(GOBIN)/ossls
$(OSSLS_BIN): deps
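Review bot: the new `$(GOINSTALL) github.com/golangci/golangci-lint/v2/cmd/golangci-lint` carries no `@version` suffix, so the installed version is whatever `tools/linters/go.mod` requires, and the review comment above reports that file still pins the v1 module at v1.64.8. That go.mod is not among the changes shown here; without a `github.com/golangci/golangci-lint/v2` requirement at a fixed version, `go install` run from inside that module will fail with a "no required module provides package" error. Pin the v2 module in `tools/linters/go.mod` in the same change.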