Skip to content

Fix pinned Go quality tools on Go 1.26#689

Open
PierrunoYT wants to merge 3 commits into
Gitlawb:mainfrom
PierrunoYT:agent/fix-go126-quality-tools
Open

Fix pinned Go quality tools on Go 1.26#689
PierrunoYT wants to merge 3 commits into
Gitlawb:mainfrom
PierrunoYT:agent/fix-go126-quality-tools

Conversation

@PierrunoYT

@PierrunoYT PierrunoYT commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add repository-managed targets for golangci-lint, govulncheck, and deadcode
  • derive the required toolchain from the module's Go version on Windows and Unix
  • use the same targets in contributor instructions and CI

Root cause

go run package@version selected the tool module's older Go toolchain, which could not load this Go 1.26 module. CI attempted to export a toolchain directive from go.mod, but the module only has a go directive, so the fallback remained auto.

The new Make targets derive go1.26.5 from go list -m and set GOTOOLCHAIN with platform-appropriate syntax before invoking each pinned tool.

Validation

  • go fmt ./... completed
  • go vet ./... passed
  • make vulncheck passed with no vulnerabilities
  • make deadcode ran successfully under Go 1.26.5 and produced its expected advisory report
  • make lint-static ran successfully under Go 1.26.5 and reached the analyzers; it reports the 35 pre-existing advisory findings tracked by chore: fix golangci-lint findings (dead code, ineffassign, staticcheck) #527

Fixes #680

Summary by CodeRabbit

  • Chores

    • Standardized linting, vulnerability scanning, and dead-code checks through Make targets.
    • Added dedicated commands for static linting, vulnerability checks, and dead-code analysis.
    • Updated the available command list to include the new checks.
  • Documentation

    • Updated coding guidance to reference the standardized Make commands for linting and security checks.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@PierrunoYT, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 22 minutes

Your organization has reached its usage spending cap. Adjust your spending cap in the billing tab.

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9ea163ac-c838-4ff2-bc18-4dd8b2d68397

📥 Commits

Reviewing files that changed from the base of the PR and between aab69fa and 2c84a8e.

📒 Files selected for processing (2)
  • Makefile
  • README.md

Walkthrough

The Makefile now centralizes versioned Go lint, deadcode, and vulnerability commands with module-derived toolchain selection. CI and AGENTS.md invoke these targets instead of direct tool commands.

Changes

Go tooling centralization

Layer / File(s) Summary
Makefile toolchain and targets
Makefile
Derives the module Go toolchain, pins analysis tool versions, adds lint-static, deadcode, and vulncheck targets, and lists them in help output.
CI and agent command adoption
.github/workflows/ci.yml, AGENTS.md
Updates advisory CI checks and coding-agent guidance to use the centralized Makefile targets; the deadcode check remains non-blocking.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related PRs

  • Gitlawb/zero#528: Added the CI advisory lint check that this change now routes through make lint-static.
  • Gitlawb/zero#635: Updated agent guidance with pinned lint and vulnerability tool commands that this change replaces with Makefile targets.

Suggested reviewers: euxaristia, gnanam1990

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The PR implements repository-managed lint, vuln, and dead-code targets and updates CI/docs to use them, satisfying #680's Go 1.26 compatibility goal.
Out of Scope Changes check ✅ Passed The changes stay focused on toolchain-compatible quality checks and related CI/instructions updates with no clear unrelated scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: updating pinned Go quality tools to work with Go 1.26.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
Makefile (1)

6-8: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Update README.md to point to the centralized targets.

The provided context snippet shows that README.md (lines 356-369) still explicitly instructs users to execute the direct go run ...@v2.12.2 and govulncheck@v1.3.0 commands. Please update the README to reference the new make lint-static and make vulncheck targets so the documentation does not drift from the actual intent.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 6 - 8, Update the README instructions for static
linting and vulnerability checking to reference the centralized make lint-static
and make vulncheck targets instead of direct go run commands. Preserve the
surrounding documentation and ensure both commands match the Makefile target
names.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Makefile`:
- Around line 10-15: Replace the OS-specific TOOLCHAIN_ENV block in the Makefile
with Make’s native export of GOTOOLCHAIN, then remove the $(TOOLCHAIN_ENV)
prefix from the lint-static, deadcode, and vulncheck recipes while preserving
their existing commands.

---

Nitpick comments:
In `@Makefile`:
- Around line 6-8: Update the README instructions for static linting and
vulnerability checking to reference the centralized make lint-static and make
vulncheck targets instead of direct go run commands. Preserve the surrounding
documentation and ensure both commands match the Makefile target names.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8bb55dab-3d6b-4ec8-8400-09c89bbe4469

📥 Commits

Reviewing files that changed from the base of the PR and between 6fc1220 and aab69fa.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • AGENTS.md
  • Makefile

Comment thread Makefile Outdated
@PierrunoYT PierrunoYT marked this pull request as ready for review July 14, 2026 21:05
Copilot AI review requested due to automatic review settings July 14, 2026 21:05

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces repository-managed make targets to run pinned Go quality/security tools (golangci-lint, govulncheck, deadcode) under the module’s required Go toolchain, and updates contributor documentation and CI to use those targets. This addresses the Go 1.26 module failing to load when tools invoked via go run package@version select an older toolchain.

Changes:

  • Add make lint-static, make vulncheck, and make deadcode targets with pinned tool versions and a derived GOTOOLCHAIN.
  • Update AGENTS.md to instruct contributors/agents to use the new make targets.
  • Update CI security/code-health steps to call the new make targets instead of direct go run ...@version commands.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
Makefile Adds pinned tool targets and derives a Go toolchain value to run them under.
AGENTS.md Switches required lint/security commands to the new make targets.
.github/workflows/ci.yml Uses the new make targets for govulncheck, deadcode, and golangci-lint steps.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Makefile Outdated
Comment on lines +4 to +14
GO_VERSION := $(shell go list -m -f "{{.GoVersion}}")
GO_TOOLCHAIN := go$(GO_VERSION)
DEADCODE_VERSION := v0.46.0
GOLANGCI_LINT_VERSION := v2.12.2
GOVULNCHECK_VERSION := v1.3.0

ifeq ($(OS),Windows_NT)
TOOLCHAIN_ENV := set "GOTOOLCHAIN=$(GO_TOOLCHAIN)" &&
else
TOOLCHAIN_ENV := GOTOOLCHAIN=$(GO_TOOLCHAIN)
endif
The Windows_NT branch used cmd.exe syntax (set "..." &&), but GNU Make
runs recipes through sh even on Windows (MSYS/Git Bash), where that
form fails and breaks make lint-static/deadcode/vulncheck. A plain
GOTOOLCHAIN=... prefix works everywhere, so the OS check is gone.

Also switch GO_VERSION/GO_TOOLCHAIN to recursive expansion so
'go list -m' only runs when a tool target actually needs it, instead
of at parse time for every target. Addresses PR review from CodeRabbit
and Copilot.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

@jatmn jatmn left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found issues that need to be addressed before this is ready.

Findings

  • [P2] Keep the pinned-tool targets usable with native Windows Make shells
    Makefile:49
    These recipes rely on POSIX temporary-assignment syntax (GOTOOLCHAIN=... go run). GNU Make on Windows uses the configured Windows shell, so under a normal cmd.exe setup that token is treated as the command to execute and all three targets fail before Go runs. The PR explicitly claims the targets work on Windows, but the workflow only runs them in the Ubuntu security job. Export the variable through Make (or use a shell-neutral wrapper) and exercise the targets on Windows rather than assuming an MSYS/Git-Bash shell.

  • [P2] Update the public quality-check workflow to the toolchain-pinned commands
    README.md:354
    The README still tells contributors to run the exact version-suffixed go run commands that this PR identifies as selecting an older tool-module Go toolchain and failing to load this Go 1.26.5 module. Only CI and AGENTS.md use the new Make targets, so a contributor following the documented workflow still reproduces #680. Point the lint and vulnerability commands at make lint-static and make vulncheck, and reconcile the adjacent global-install alternative if it is meant to be runnable.

Address code review on PR Gitlawb#689:

- lint-static/deadcode/vulncheck previously set GOTOOLCHAIN via a
  POSIX `VAR=value cmd` recipe prefix. GNU Make on Windows runs
  recipes through whatever SHELL is configured, and under a native
  cmd.exe setup that syntax is invalid — cmd.exe treats the whole
  "GOTOOLCHAIN=go1.26.5" token as the program to run and fails before
  go ever executes (reproduced locally: cmd.exe errors with
  "'MYVAR' is not recognized..." for the equivalent pattern). Switched
  to a target-specific `export`, which sets the variable in the child
  process environment via Make itself, before  is invoked —
  works under sh, cmd.exe, and PowerShell alike (verified against all
  three targets with SHELL := cmd.exe).

- README.md's Code Quality and Security Checks section still told
  contributors to run the raw `go run ...@version` commands this PR
  identifies as selecting the wrong (older) toolchain and failing to
  load this Go 1.26.5 module — only CI and AGENTS.md had been updated
  to the new make targets. Points steps 3-4 at `make lint-static` /
  `make vulncheck` instead, matching AGENTS.md.

Verified end-to-end: `make vulncheck`, `make deadcode`, and `make
lint-static` all run successfully and reach their tools (deadcode's
advisory report and lint-static's 35 pre-existing findings match the
PR's documented baseline).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>

@jatmn jatmn left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found issues that need to be addressed before this is ready.

Findings

  • [P2] Keep the derived toolchain to one module when a workspace is active
    Makefile:11
    go list -m lists every main module when GOWORK selects a workspace. Its newline-separated Go versions are flattened by $(shell ...), so the exported value becomes something like GOTOOLCHAIN="go1.26.5 1.25"; all three new targets then fail before their tool runs. Select Zero's module explicitly (or otherwise guarantee a single version) so these checks work from a multi-module workspace.

  • [P2] Do not derive the recovery toolchain through the already-forced Go command
    Makefile:11
    The go list used to compute GO_TOOLCHAIN runs while Make expands the target-specific export, before that export reaches a recipe. Thus an inherited fixed older GOTOOLCHAIN makes this initial command fail on Zero's go 1.26.5 module, and make lint-static, make deadcode, and make vulncheck never get the go1.26.5 setting meant to repair the situation. Derive the version without depending on that forced command, or ensure the probe itself cannot inherit the stale override.

  • [P2] Fix or remove the documented global-install alternative
    README.md:361
    These go install ...@version commands use the same versioned tool modules whose older toolchain selection is the root cause described immediately above. The installed golangci-lint and govulncheck binaries therefore still cannot analyze this Go 1.26.5 project, leaving contributors who follow the advertised alternative with a broken workflow. Document a Go-1.26-compatible installation path (and its invocation), or remove the alternative in favor of the Make targets.

@Vasanthdev2004 Vasanthdev2004 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-ran the three targets' underlying commands under the GOTOOLCHAIN=go1.26.5 pin: vulncheck exits 0 with no vulnerabilities, deadcode exits 0, and golangci-lint loads the module fine (any findings are the pre-existing advisory ones, continue-on-error in CI). Moving the pin from a job-wide GITHUB_ENV awk step into Make target-specific exports scoped to just these three targets is a clean improvement, and the tool versions are unchanged from the old inline CI commands so there's no new trust surface. One trivial nit: the Makefile header comment still says "Run make lint before opening a PR" while AGENTS.md now points at make lint-static/make vulncheck not worth blocking. Approving.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Pinned lint and vulnerability commands cannot analyze the Go 1.26 module

4 participants