
Add Go lint/vuln tooling and CI checks #5

Merged: ThomasK33 merged 4 commits into main from lint-config-1te6 on Feb 9, 2026

Conversation

@ThomasK33

Member

Summary

  • add a root .golangci.yml baseline using golangci-lint v2 config
  • add make lint and make vuln targets with binary presence checks
  • add a dedicated CI lint job running golangci-lint and govulncheck on pull requests
  • add golangci-lint and govulncheck to the Nix devshell package set
  • bump Go toolchain target to 1.25.7 and fix revive findings in package/blank-import comments

Validation

  • nix develop -c golangci-lint version
  • nix develop -c govulncheck -version
  • make lint
  • make vuln
  • GOFLAGS=-mod=vendor go test ./...
  • GOFLAGS=-mod=vendor go build ./...

📋 Implementation Plan

Plan: Add Go linting, vulnerability scanning, CI integration, and devshell tools

Context / Why

This repository is currently a minimal Go skeleton with CI for vendoring, tests, and build, but no linting or vulnerability scanning. The goal is to add a pragmatic, high-signal lint/vuln baseline that:

  • runs locally via make targets,
  • runs in GitHub Actions on PRs,
  • and is available in the Nix devshell.

This gives fast feedback early, keeps code quality consistent as the project grows, and preserves the repo’s existing vendoring conventions.

Evidence

  • Repo structure + current automation: Explore report 2dddbb994b confirmed:
    • Makefile has vendor/test/build/verify-vendor/codegen only.
    • .github/workflows/ci.yaml has one test job and vendor verification.
    • flake.nix devshell includes go, gnumake, git, goreleaser.
    • .golangci.yml and any govulncheck usage are absent.
  • Version/pin compatibility: Explore report 8ffb06210e validated:
    • golangci/golangci-lint-action@v9 is current/recommended.
    • golang/govulncheck-action@v1 is valid/current major.
    • golangci-lint v2.x supports planned config keys.
    • pkgs.golangci-lint and pkgs.govulncheck are expected in nixpkgs unstable.
  • Primary-source action usage:
    • https://github.com/golangci/golangci-lint-action
    • https://github.com/golang/govulncheck-action

Implementation details

1) Add root .golangci.yml with a strict, low-noise baseline

Create .golangci.yml using golangci-lint v2 schema and enforce vendor mode to align with repo conventions.

```yaml
version: "2"

run:
  timeout: 5m
  modules-download-mode: vendor

linters:
  enable:
    - bodyclose
    - errorlint
    - gosec
    - misspell
    - nilerr
    - revive

# In the v2 schema gofumpt is a formatter, not a linter, and per-tool
# settings live under linters.settings / formatters.settings rather than
# the v1 top-level linters-settings key (which v2 rejects).
formatters:
  enable:
    - gofumpt
  settings:
    gofumpt:
      extra-rules: true

issues:
  max-issues-per-linter: 0
  max-same-issues: 0
```

Notes:

  • Keep default linters enabled (errcheck/govet/staticcheck/unused/ineffassign/gosimple).
  • Start with high-signal extras; avoid deprecated/noisy linters.

2) Extend Makefile with fail-fast lint/vuln targets

Update .PHONY and add targets that assert required binaries exist before execution.

```makefile
.PHONY: vendor test build verify-vendor codegen lint vuln

lint: $(VENDOR_STAMP)
	@command -v golangci-lint >/dev/null || (echo "golangci-lint not found; use nix develop" && exit 1)
	GOFLAGS=$(GOFLAGS) golangci-lint run ./...

vuln: $(VENDOR_STAMP)
	@command -v govulncheck >/dev/null || (echo "govulncheck not found; use nix develop" && exit 1)
	GOFLAGS=$(GOFLAGS) govulncheck ./...
```

Why this shape:

  • Defensive checks produce immediate, actionable failures.
  • GOFLAGS=$(GOFLAGS) preserves current -mod=vendor behavior.

3) Integrate lint + vuln checks into .github/workflows/ci.yaml

Add a dedicated lint job (parallel with test) per golangci action guidance.

```yaml
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: true

      - name: Verify vendor is up to date
        run: |
          go mod tidy
          go mod vendor
          git diff --exit-code -- go.mod go.sum vendor/

      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
          version: v2.8
          args: --timeout=5m ./...

      - name: Run govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-file: go.mod
          go-package: ./...

  test:
    ...
```

Implementation notes:

  • Keep existing test job logic intact; no behavioral regression for current checks.
  • Use major-version action pinning consistent with current workflow style.

4) Add linter/vuln binaries to flake.nix devshell

Extend the packages list in the default shell.

```nix
packages = with pkgs; [
  go
  gnumake
  git
  goreleaser
  golangci-lint
  govulncheck
];
```

This guarantees local parity with CI and avoids ad-hoc installs.

Validation plan

After implementation, run:

  1. nix develop -c golangci-lint version
  2. nix develop -c govulncheck -version
  3. make lint
  4. make vuln
  5. go test ./...
  6. go build ./...

And ensure CI workflow syntax/behavior by opening a PR and confirming both lint and test jobs execute successfully.


Generated with `mux` • Model: openai:gpt-5.3-codex • Thinking: xhigh
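To make concrete what the baseline above buys, here is an added example (not code from this PR or the repository) of the two defect patterns that the newly enabled `errorlint` and `nilerr` linters report, each next to the form that passes. All function names, the record format and the sample inputs are constructed for illustration.

```go
// Package main is an added example (not part of the PR) showing defects that
// the errorlint and nilerr linters enabled by the .golangci.yml baseline
// report, beside the corrected forms. Names and inputs are constructed.
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// readRecord reads exactly n bytes. On a short read it wraps the sentinel
// with %w, which keeps it reachable through errors.Is while adding context.
func readRecord(r io.Reader, n int) ([]byte, error) {
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, fmt.Errorf("reading %d-byte record: %w", n, err)
	}
	return buf, nil
}

// isTruncatedNaive is the form errorlint flags: == compares only the outer
// wrapped error value, so a wrapped io.ErrUnexpectedEOF is never recognised
// and a truncated input is misclassified by the caller.
func isTruncatedNaive(err error) bool {
	return err == io.ErrUnexpectedEOF
}

// isTruncated is the corrected form: errors.Is walks the wrap chain.
func isTruncated(err error) bool {
	return errors.Is(err, io.ErrUnexpectedEOF)
}

// countRecordsBuggy is the form nilerr flags: inside "if err != nil" it
// returns a nil error, so a truncated stream is reported as a clean success
// with a partial count.
func countRecordsBuggy(r io.Reader, n int) (int, error) {
	count := 0
	for {
		_, err := readRecord(r, n)
		if errors.Is(err, io.EOF) {
			return count, nil // clean end of input at a record boundary
		}
		if err != nil {
			return count, nil // nilerr: the error is silently dropped
		}
		count++
	}
}

// countRecords is the corrected form: the error is propagated to the caller.
func countRecords(r io.Reader, n int) (int, error) {
	count := 0
	for {
		_, err := readRecord(r, n)
		if errors.Is(err, io.EOF) {
			return count, nil
		}
		if err != nil {
			return count, err
		}
		count++
	}
}

func main() {
	// Constructed input: 4-byte records, second one cut short.
	const truncated = "abcdefg"
	n, err := countRecordsBuggy(strings.NewReader(truncated), 4)
	fmt.Printf("buggy:   count=%d err=%v\n", n, err)
	n, err = countRecords(strings.NewReader(truncated), 4)
	fmt.Printf("fixed:   count=%d err=%v\n", n, err)
	fmt.Printf("naive check sees truncation: %v, errors.Is sees it: %v\n",
		isTruncatedNaive(err), isTruncated(err))
}
```

Running `golangci-lint run` with the plan's configuration over this file reports `isTruncatedNaive` (errorlint) and `countRecordsBuggy` (nilerr); the two corrected functions pass. The security-relevant point is the second one: a swallowed read error is exactly how a parser ends up accepting malformed input as valid.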

Add golangci-lint v2 configuration and make targets for lint/vuln.
Integrate lint+govulncheck into CI and add tools to Nix devshell.
Also bump Go toolchain to 1.25.7 and address revive lint requirements.

---
_Generated with [`mux`](https://github.com/coder/mux) • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh`_

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 446a113fd9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yaml
Pin new CI action references by commit SHA, disable checkout credential persistence in lint job, and add a missing package comment required by revive.

---
_Generated with [`mux`](https://github.com/coder/mux) • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh`_
Address review feedback by enforcing formatter checks via golangci-lint fmt --diff in both Makefile lint target and CI lint job.

---
_Generated with [`mux`](https://github.com/coder/mux) • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh`_
@ThomasK33

Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e16898d1dc


Comment thread .github/workflows/ci.yaml
Address Codex review feedback by requiring the publish-main job to wait for lint, test, and lint-actions jobs. This prevents publishing main images when lint or vulnerability checks fail.

---
_Generated with [`mux`](https://github.com/coder/mux) • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh`_
@ThomasK33

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. More of your lovely PRs please.


@ThomasK33 ThomasK33 added this pull request to the merge queue Feb 9, 2026
Merged via the queue into main with commit e422f24 Feb 9, 2026
4 checks passed
@ThomasK33 ThomasK33 deleted the lint-config-1te6 branch February 9, 2026 11:41