ci: add golangci-lint configuration#178
Conversation
…nale - Add 17 ignore entries for gtk-rs cluster (10), unic-* family (5), proc-macro-error, fxhash — all transitive via Tauri 2.x stack with no safe upgrade and no direct use in BytePort source. - Remove stale RUSTSEC-2024-0436 (paste) ignore (advisory-not-detected per cargo-deny; no longer in dep tree). - cargo deny check advisories: PASS.
The crt.pem was a Sigstore.dev code-signing certificate with 10-minute validity that expired on 2026-11-08. Replace with a descriptive placeholder to prevent accidental re-commit of credentials. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replace terminal escape sequence artifact with proper status stub. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- docs: add SPECS_INDEX.md - fix(ci): replace trufflesecurity/trufflehog with go install approach - fix(ci): upgrade cargo-deny from v2 to v6 - ci: add doc-links.yml workflow - ci: add fr-coverage.yml workflow - ci: add quality-gate.yml workflow Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Delete duplicate ci.yml, rename ci.yaml -> ci.yml (Python/pytest) - Update SPECS_INDEX.md CI table and audit findings - Update SPEC.md CI workflows listing - Update README.md build badge URL Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 | ||
| with: | ||
| go-version: 'stable' | ||
| - uses: golangci/golangci-lint-action@aa6339a8b9e0e1c4b5e7c4e6f8d7c3a2b1e0d9f8 | ||
| with: | ||
| version: latest |
codeant-ai
Bot
added
the
size:XXL
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.
Reviewed by Cursor Bugbot for commit 2e61349. Configure here.
| go-version: 'stable' | ||
| - uses: golangci/golangci-lint-action@aa6339a8b9e0e1c4b5e7c4e6f8d7c3a2b1e0d9f8 | ||
| with: | ||
| version: latest |
There was a problem hiding this comment.
Lint job wrong module root
High Severity
The new Lint workflow runs golangci-lint from the repository root, but this commit removes the root go.mod and the BytePort backend lives under backend/byteport. Without a working-directory (as in go-ci.yml), the job likely finds no Go module and does not lint the backend the PR intends to cover.
Reviewed by Cursor Bugbot for commit 2e61349. Configure here.
| name: OpenSSF Scorecard | ||
| on: | ||
| branch_protection_rule: | ||
| timeout-minutes: 10 |
There was a problem hiding this comment.
Scorecard timeout invalid placement
Medium Severity
timeout-minutes: 10 was added as a sibling under on: next to schedule and push. Workflow timeouts belong at workflow or job level, not inside trigger configuration, so the Scorecard workflow syntax is invalid and the run may not register or behave as intended.
Reviewed by Cursor Bugbot for commit 2e61349. Configure here.
| const raw = await ghRaw(`repos/${REPO}/contents/${path}.md?ref=main`); | ||
| if (raw) { | ||
| // Last-ditch: raw markdown wrapped in <pre>. | ||
| bodyHtml = `<pre class="raw-md">${raw.replace(/[<>&]/g, (c) => ({ "<": "<", ">": ">", "&": "amp;" })[c] ?? c)}</pre>`; |
There was a problem hiding this comment.
Ampersand escape produces amp;
Low Severity
The raw-markdown fallback escapes & as the literal text amp; instead of the HTML entity &. Ampersands in fetched doc content render incorrectly and the escape map does not match the < / > pattern used for other characters.
Reviewed by Cursor Bugbot for commit 2e61349. Configure here.
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
| golangci: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | ||
| - uses: actions/setup-go@0a12ed9e1a4ce4b1a02a5f2dd1e3a9c9e6c7f8b1 | ||
| with: | ||
| go-version: 'stable' | ||
| - uses: golangci/golangci-lint-action@aa6339a8b9e0e1c4b5e7c4e6f8d7c3a2b1e0d9f8 | ||
| with: | ||
| version: latest |
There was a problem hiding this comment.
🔴 Architect Review — CRITICAL
The new golangci-lint workflow runs from the repo root, but this PR removes the root go.mod and all active Go modules live under backend/*, so golangci-lint will fail with "go.mod file not found" instead of linting backend code.
Suggestion: Update the Lint job to run golangci-lint from each Go module directory (at least backend/byteport and backend/nvms), using working-directory or a matrix, mirroring the module-aware patterns already used in go-ci.yml and ci.yml.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/lint.yml
**Line:** 4:13
**Comment:**
*CRITICAL: The new golangci-lint workflow runs from the repo root, but this PR removes the root go.mod and all active Go modules live under backend/*, so golangci-lint will fail with "go.mod file not found" instead of linting backend code.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix| return data.tree | ||
| .filter( | ||
| (n: any) => | ||
| n.type === "blob" && | ||
| n.path.startsWith("docs/") && | ||
| (n.path.endsWith(".md") || n.path.endsWith(".mdx")), | ||
| ) | ||
| .map((n: any) => n.path.replace(/^docs\//, "").replace(/\.mdx?$/, "")); | ||
| } | ||
| const paths = await walk(); | ||
| // Always emit a root /docs as well. | ||
| return [ | ||
| { params: { slug: undefined } }, | ||
| ...paths.map((p) => ({ params: { slug: p } })), | ||
| ]; | ||
| } | ||
|
|
||
| // Resolve content for the requested path. | ||
| let title = slug ?? "Docs"; | ||
| let bodyHtml = ""; | ||
| let degraded = false; | ||
| let degradeReason = ""; | ||
|
|
||
| const listing = await ghJson(`repos/${REPO}/contents/${path}?ref=main`); | ||
|
|
||
| if (Array.isArray(listing)) { | ||
| // Directory listing. | ||
| title = slug ?? "Docs"; | ||
| const entries = listing as GhContentEntry[]; | ||
| const items = entries | ||
| .filter((e) => e.type === "dir" || e.name.match(/\.mdx?$/)) | ||
| .map((e) => { | ||
| const href = | ||
| e.type === "dir" | ||
| ? `/docs/${e.path.replace(/^docs\//, "")}` | ||
| : `/docs/${e.path.replace(/^docs\//, "").replace(/\.mdx?$/, "")}`; |
There was a problem hiding this comment.
🟠 Architect Review — HIGH
The /docs static generation only emits paths for markdown files and the root, but the directory listing renders links to docs subdirectories (e.g. /docs/adr, /docs/journeys), so clicking those directory links will 404 because no static paths are generated for them.
Suggestion: Include directory slugs from the docs/ tree in getStaticPaths (in addition to file slugs), or switch this route to runtime/SSR rendering so all valid docs directories resolve instead of linking users to missing static pages.
Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** src/pages/docs/[...slug].astro
**Line:** 85:120
**Comment:**
*HIGH: The /docs static generation only emits paths for markdown files and the root, but the directory listing renders links to docs subdirectories (e.g. /docs/adr, /docs/journeys), so clicking those directory links will 404 because no static paths are generated for them.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished reviewing your PR. |
2 participants
User description
Add golangci-lint configuration for BytePort backend.
Note
Medium Risk
Removes a committed private key and fixes auth-related refresh logic (positive), but also changes CI/secrets scanning paths, adds runtime OTel init, and introduces many doc/CI stubs that may not match actual backend layout until follow-up wiring.
Overview
This is a broad governance/audit pass, not only golangci-lint: it realigns docs with the shipping Go/Gin/SvelteKit/Tauri stack, expands CI, adds observability to the API, removes secrets from the tree, and introduces an Astro project landing with tier-3 routes.
Backend & tooling: Adds root
golangci.yml(strict linters, zero max issues) and a matchingLintworkflow.backend/byteportgains OpenTelemetry stdout tracing inmain.go, dependency bumps, and a fix inlib/git.goso GitHub token refresh JSON-marshals the payload before POST. Rootgo.mod/go.sumare removed; module stays underbackend/byteport.Security & supply chain:
byteport-ghkey.pemis deleted from the repo;crt.pembecomes an explicit expired placeholder.deny.tomlgrows documented RUSTSEC ignores for Tauri transitives. Workflows get concurrency groups, mostlyactions/checkout@v4, and TruffleHog switches from the GitHub Action togo install+ CLI.Docs & index:
SPEC.mdis rewritten as the canonical Go stack spec (API, models, security).SPECS_INDEX.md,STATUS.md,README/CHANGELOGupdates, andci.yaml→ci.ymlbadge fix. New stub workflows (doc-links, fr-coverage, quality-gate) echo phenotype-tooling integration.Landing site (Astro): Adds
src/pagesfor/,/docs/*,/qa,/otel,/preview/[pr], plus committedreadme.htmlandqa-snapshot.jsonfallbacks when GitHub API is unavailable.Reviewed by Cursor Bugbot for commit 2e61349. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Add linting, observability, and a rebuilt docs/landing experience
What Changed
Impact
✅ Fewer failed GitHub token refreshes✅ Clearer deployment and quality checks✅ Easier access to docs, previews, and observability💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.