From 446a113fd9c906698ddc6616c79e396bb07df28a Mon Sep 17 00:00:00 2001 From: Thomas Kosiewski Date: Mon, 9 Feb 2026 11:00:36 +0000 Subject: [PATCH 1/4] Add lint and vulnerability scanning workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add golangci-lint v2 configuration and make targets for lint/vuln. Integrate lint+govulncheck into CI and add tools to Nix devshell. Also bump Go toolchain to 1.25.7 and address revive lint requirements. --- _Generated with [`mux`](https://github.com/coder/mux) • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh`_ --- .github/workflows/ci.yaml | 30 ++++++++++++++++++++++++++++++ .golangci.yml | 25 +++++++++++++++++++++++++ Makefile | 10 +++++++++- flake.lock | 27 +++++++++++++++++++++++++++ flake.nix | 2 ++ go.mod | 2 +- internal/deps/deps.go | 8 ++++---- main.go | 1 + 8 files changed, 99 insertions(+), 6 deletions(-) create mode 100644 .golangci.yml create mode 100644 flake.lock diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 35ba66e0..37c956b2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -10,6 +10,36 @@ permissions: contents: read jobs: + lint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: true + + - name: Verify vendor is up to date + run: | + go mod tidy + go mod vendor + git diff --exit-code -- go.mod go.sum vendor/ + + - name: Run golangci-lint + uses: golangci/golangci-lint-action@v9 + with: + version: v2.8 + args: --timeout=5m ./... + + - name: Run govulncheck + uses: golang/govulncheck-action@v1 + with: + go-version-file: go.mod + go-package: ./... + test: runs-on: ubuntu-latest steps: diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 00000000..2d57f7a8 --- /dev/null +++ b/.golangci.yml 
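Review bot: The `Verify vendor is up to date` step re-implements the Makefile's `verify-vendor` target inline (`go mod tidy`, `go mod vendor`, `git diff --exit-code -- go.mod go.sum vendor/`), so the two definitions can drift; `run: make verify-vendor` keeps a single source of truth. The `args: --timeout=5m` passed to golangci-lint-action repeats the `run.timeout: 5m` that the new `.golangci.yml` sets and can be dropped. The govulncheck step runs without `GOFLAGS=-mod=vendor`, whereas the Makefile's `vuln` target passes it; if the action does not pick up the vendor directory on its own, the local and CI scans may resolve different module graphs — worth confirming.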
@@ -0,0 +1,25 @@ +version: "2" + +run: + timeout: 5m + modules-download-mode: vendor + +linters: + enable: + - bodyclose + - errorlint + - gosec + - misspell + - nilerr + - revive + +formatters: + enable: + - gofumpt + settings: + gofumpt: + extra-rules: true + +issues: + max-issues-per-linter: 0 + max-same-issues: 0 diff --git a/Makefile b/Makefile index 1f23ef13..7d5b572e 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ GOFLAGS ?= -mod=vendor VENDOR_STAMP := vendor/.modules.stamp MODULE_FILES := go.mod $(wildcard go.sum) -.PHONY: vendor test build verify-vendor codegen +.PHONY: vendor test build lint vuln verify-vendor codegen $(VENDOR_STAMP): $(MODULE_FILES) go mod tidy @@ -18,6 +18,14 @@ test: $(VENDOR_STAMP) build: $(VENDOR_STAMP) GOFLAGS=$(GOFLAGS) go build ./... +lint: $(VENDOR_STAMP) + @command -v golangci-lint >/dev/null || (echo "golangci-lint not found; use nix develop" && exit 1) + GOFLAGS=$(GOFLAGS) golangci-lint run ./... + +vuln: $(VENDOR_STAMP) + @command -v govulncheck >/dev/null || (echo "govulncheck not found; use nix develop" && exit 1) + GOFLAGS=$(GOFLAGS) govulncheck ./... + verify-vendor: go mod tidy go mod vendor diff --git a/flake.lock b/flake.lock new file mode 100644 index 00000000..e5578c1f --- /dev/null +++ b/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1770562336, + "narHash": "sha256-ub1gpAONMFsT/GU2hV6ZWJjur8rJ6kKxdm9IlCT0j84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d6c71932130818840fc8fe9509cf50be8c64634f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 15c0ca5d..d9367c6e 100644 --- a/flake.nix +++ b/flake.nix @@ -25,6 +25,8 @@ goreleaser actionlint zizmor + golangci-lint + govulncheck ]; }; } 
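Review bot: `run.timeout: 5m` here and `args: --timeout=5m` in the CI lint job set the same limit in two places; keeping it only in this file lets the Makefile `lint` target and CI share one setting. `gosec` is enabled with default settings and `max-issues-per-linter: 0`, which is the right baseline; if the first run surfaces many findings, prefer targeted per-rule entries under `linters.exclusions` over disabling the linter, so security findings stay visible in later runs.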
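Review bot: `make lint` runs only golangci-lint while the CI `lint` job also runs govulncheck, so a green local `make lint` does not predict a green CI lint job; a combined target such as `check: lint vuln` (added to `.PHONY`) would close that gap. The `vuln` target passes `GOFLAGS=$(GOFLAGS)` (i.e. `-mod=vendor`) to govulncheck, which the CI step does not; worth confirming both scan the same module graph.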
diff --git a/go.mod b/go.mod index 8cb51dd6..8986ddf6 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/coder/coder-k8s -go 1.25.6 +go 1.25.7 require ( k8s.io/apimachinery v0.35.0 diff --git a/internal/deps/deps.go b/internal/deps/deps.go index 37f614a6..e5cccdc5 100644 --- a/internal/deps/deps.go +++ b/internal/deps/deps.go @@ -5,8 +5,8 @@ package deps import ( - _ "k8s.io/apimachinery/pkg/runtime" - _ "k8s.io/client-go/kubernetes" - _ "k8s.io/code-generator" - _ "sigs.k8s.io/controller-runtime/pkg/client" + _ "k8s.io/apimachinery/pkg/runtime" // Keep apimachinery runtime dependency vendored. + _ "k8s.io/client-go/kubernetes" // Keep client-go kubernetes client vendored. + _ "k8s.io/code-generator" // Keep code-generator scripts vendored. + _ "sigs.k8s.io/controller-runtime/pkg/client" // Keep controller-runtime client vendored. ) diff --git a/main.go b/main.go index ee5b0aa2..81cd158e 100644 --- a/main.go +++ b/main.go @@ -1,3 +1,4 @@ +// Package main provides the entrypoint for the coder-k8s binary. package main import ( From 63ada980be9f1c994e80e73b912244188d60cc79 Mon Sep 17 00:00:00 2001 From: Thomas Kosiewski Date: Mon, 9 Feb 2026 11:07:04 +0000 Subject: [PATCH 2/4] Fix CI workflow pinning and revive package comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin new CI action references by commit SHA, disable checkout credential persistence in lint job, and add a missing package comment required by revive. --- _Generated with [`mux`](https://github.com/coder/mux) • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh`_ --- .github/workflows/ci.yaml | 10 ++++++---- internal/controller/codercontrolplane_controller.go | 1 + 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 37c956b2..192f653d 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -14,10 +14,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version-file: go.mod cache: true @@ -29,13 +31,13 @@ jobs: git diff --exit-code -- go.mod go.sum vendor/ - name: Run golangci-lint - uses: golangci/golangci-lint-action@v9 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9 with: version: v2.8 args: --timeout=5m ./... - name: Run govulncheck - uses: golang/govulncheck-action@v1 + uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1 with: go-version-file: go.mod go-package: ./... diff --git a/internal/controller/codercontrolplane_controller.go b/internal/controller/codercontrolplane_controller.go index 1f2a7bfc..84940642 100644 --- a/internal/controller/codercontrolplane_controller.go +++ b/internal/controller/codercontrolplane_controller.go @@ -1,3 +1,4 @@ +// Package controller contains Kubernetes controllers for coder-k8s resources. package controller import ( From e16898d1dc2b803dcdbce1e4c8898b7d7047528e Mon Sep 17 00:00:00 2001 From: Thomas Kosiewski Date: Mon, 9 Feb 2026 11:14:23 +0000 Subject: [PATCH 3/4] Enforce gofumpt formatter checks in lint workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Address review feedback by enforcing formatter checks via golangci-lint fmt --diff in both Makefile lint target and CI lint job. --- _Generated with [`mux`](https://github.com/coder/mux) • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh`_ --- .github/workflows/ci.yaml | 3 +++ Makefile | 1 + 2 files changed, 4 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 192f653d..1c093f54 100644 --- a/.github/workflows/ci.yaml 
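Review bot: The SHA pins for golangci-lint-action and govulncheck-action carry only a major-version comment (`# v9`, `# v1`), while the checkout and setup-go pins name the exact release (`# v4.3.1`, `# v5.6.0`); the comment is the only human-readable record of which release a SHA corresponds to, and dependency-update tooling reads it, so use the full tag from the action's release page (`# <exact release tag>`, placeholder). `persist-credentials: false` is added only to the lint job's checkout; the `test` job's checkout step lies outside this hunk — if it does not set the same, it should.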
+++ b/.github/workflows/ci.yaml @@ -36,6 +36,9 @@ jobs: version: v2.8 args: --timeout=5m ./... + - name: Run golangci-lint formatter checks + run: go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0 fmt --diff + - name: Run govulncheck uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1 with: diff --git a/Makefile b/Makefile index 7d5b572e..ee75ce71 100644 --- a/Makefile +++ b/Makefile @@ -21,6 +21,7 @@ build: $(VENDOR_STAMP) lint: $(VENDOR_STAMP) @command -v golangci-lint >/dev/null || (echo "golangci-lint not found; use nix develop" && exit 1) GOFLAGS=$(GOFLAGS) golangci-lint run ./... + GOFLAGS=$(GOFLAGS) golangci-lint fmt --diff vuln: $(VENDOR_STAMP) @command -v govulncheck >/dev/null || (echo "govulncheck not found; use nix develop" && exit 1) From 1316afdd2566cd122b05ce6011c9f3474e2fbb8d Mon Sep 17 00:00:00 2001 From: Thomas Kosiewski Date: Mon, 9 Feb 2026 11:22:55 +0000 Subject: [PATCH 4/4] Gate publish-main on lint job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Address Codex review feedback by requiring the publish-main job to wait for lint, test, and lint-actions jobs. This prevents publishing main images when lint or vulnerability checks fail. --- _Generated with [`mux`](https://github.com/coder/mux) • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh`_ --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1c093f54..02400a35 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -103,7 +103,7 @@ jobs: publish-main: name: Publish GHCR :main - needs: [test, lint-actions] + needs: [test, lint, lint-actions] if: github.event_name == 'push' && github.ref == 'refs/heads/main' runs-on: ubuntu-latest permissions:
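Review bot: The new formatter step builds golangci-lint from source with `go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0` immediately after the SHA-pinned action installed `version: v2.8`, so CI compiles the linter a second time and the two steps can run different patch releases (`v2.8` floats, `@v2.8.0` does not). The Makefile's `lint` target runs both `run` and `fmt --diff` with one binary; if golangci-lint-action leaves its binary on PATH (I believe it does — confirm), `run: golangci-lint fmt --diff` matches that and drops the extra build. Also confirm that `fmt --diff` exits non-zero when files need reformatting; otherwise this step can never fail.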