Skip to content

ci: Modernize dev tooling and add workflows#6

Merged
amcloudf merged 2 commits into
masterfrom
add_workflows_update_tooling
Jul 6, 2026
Merged

ci: Modernize dev tooling and add workflows#6
amcloudf merged 2 commits into
masterfrom
add_workflows_update_tooling

Conversation

@amcloudf

@amcloudf amcloudf commented Jul 6, 2026

Copy link
Copy Markdown
Member

Proposed Changes:

  • Modernized .golangci.yml to golangci-lint v2 config.

    • Pins config to Go 1.25.
    • Keeps a CI-safe baseline that passes current code.
    • Enables correctness/security-focused linters: bodyclose, durationcheck, errorlint, gosec, govet, nil*, nolintlint, staticcheck, etc.
  • Updated Makefile.

    • Added ci / verify orchestration.
    • Added/updated targets:
      • mod-verify
      • fmt
      • fmt-check
      • lint
      • lint-fix
      • lint-ci
      • vet
      • vuln
      • test-db-setup
      • test-env-check
      • coverage
      • build
    • Uses pinned golangci-lint via:
      • go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
    • Adds clear local test env validation instead of cryptic MySQL errors.
  • Added GitHub Actions workflow at .github/workflows/ci.yml.

    • Runs on PRs and pushes to master.
    • Starts MySQL 8.4 service.
    • Sets all required ETHBLOCKS_* test env vars.
    • Runs:
      • module verification
      • formatting check
      • lint
      • vet
      • vulnerability scan
      • DB-backed tests
      • build
      • coverage artifact upload
  • Added Dependabot config at .github/dependabot.yml.

    • Monthly, grouped version updates for gomod and github-actions.
    • Minimal by design (no cooldown/labels/PR limits) for a single public Go module.
    • Security updates are enabled via repo Settings toggles, not this file.
  • Added a PR template at .github/pull_request_template.md.

    • Checklist wired to this repo's Make targets and a Conventional Commits PR title.
  • Updated Go/dependencies enough to make the gate viable.

    • go.mod now targets Go 1.25.11.
    • Upgraded github.com/ethereum/go-ethereum to v1.17.0.
    • Updated transitive deps via go mod tidy.

Vulnerability scan handling

govulncheck now only reports one reachable advisory:

  • GO-2026-4479 in github.com/pion/dtls/v2
  • Fixed version: N/A

Because there is no upstream fixed version, I added a narrow allowlist:

GOVULNCHECK_KNOWN ?= GO-2026-4479

Any new/unacknowledged vulnerability still fails make vuln and CI.

How did you test it?

Ran the whole CI pipeline locally, step by step in workflow order.

Passed locally:

make mod-verify
make fmt-check
make lint
make vet
make vuln
make test
make build

Notes for the reviewer

  • Toolchain: Go 1.23 (EOL) -> 1.25.11; go-ethereum 1.16.1 -> 1.17.0.
  • GO-2026-4479 (transitive pion/dtls, not reachable by our code) is
    intentionally acknowledged in make vuln.
  • MySQL 8.4 compatibility update for schema: blob DEFAULT '' -> blob.
  • Removed redundant revive.toml, staticcheck.conf, errcheck_excludes.txt. Configuration included in .golangci.yml.
  • Tests hit a live public RPC (ETHBLOCKS_CLIENT); swap for a keyed URL via
    secrets if CI flakes on the network.

Checklist

  • Code is formatted (make fmt-check)
  • Linting passes, incl. gosec and misspell (make lint)
  • Static analysis passes (make vet)
  • No new dependency vulnerabilities (make vuln)
  • Tests pass, and I added/updated tests for my changes (make test)
  • The full quality gate passes locally (make verify)
  • I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test:.

@amcloudf
amcloudf merged commit 279bcc8 into master Jul 6, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant