From b0e385adffd986762adf8fa575785ee44a90b877 Mon Sep 17 00:00:00 2001
From: jakedoublev <jake.vanvorhis@virtru.com>
Date: Tue, 7 Apr 2026 13:11:35 -0400
Subject: [PATCH 1/2] chore(ci): add pathconcat custom linter plugin

Integrates github.com/jakedoublev/pathconcat as a golangci-lint module
plugin to detect string-based path/URL concatenation (x + "/" + y,
fmt.Sprintf with path separators, strings.Join with "/") and suggest
path.Join, filepath.Join, or url.JoinPath instead.

- Add .custom-gcl.yml to build custom golangci-lint binary with plugin
- Enable pathconcat in .golangci.yaml with ignore-strings for FQN patterns
- Update Makefile go-lint target to build and use custom-gcl binary
- Update CI workflow to build custom binary and restore --new-from-rev

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
---
 .custom-gcl.yml               |  5 +++++
 .github/workflows/checks.yaml | 15 +++++++++------
 .gitignore                    |  1 +
 .golangci.yaml                | 10 ++++++++++
 Makefile                      |  9 ++++++---
 5 files changed, 31 insertions(+), 9 deletions(-)
 create mode 100644 .custom-gcl.yml

diff --git a/.custom-gcl.yml b/.custom-gcl.yml
new file mode 100644
index 0000000000..abd6b10a0b
--- /dev/null
+++ b/.custom-gcl.yml
@@ -0,0 +1,5 @@
+version: v2.8.0
+name: custom-gcl
+plugins:
+  - module: github.com/jakedoublev/pathconcat
+    version: v0.1.0
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 4035b1508a..96b1fb1b06 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -87,13 +87,16 @@ jobs:
           name: govulncheck-failure-${{ strategy.job-index }}
           path: /tmp/govulncheck-failure-${{ strategy.job-index }}.txt
           retention-days: 1
+      - name: install golangci-lint
+        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.8.0
+      - name: build custom golangci-lint
+        run: golangci-lint custom
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
-        with:
-          version: v2.8.0
-          working-directory: ${{ matrix.directory }}
-          skip-cache: true
-          only-new-issues: true
+        run: >-
+          ${{ github.workspace }}/custom-gcl run
+          -c ${{ github.workspace }}/.golangci.yaml
+          ${{ github.event_name == 'pull_request' && format('--new-from-rev={0}', github.event.pull_request.base.sha) || '' }}
+        working-directory: ${{ matrix.directory }}
       - if: matrix.directory == 'service'
         run: .github/scripts/init-temp-keys.sh
       - run: go test ./... -short
diff --git a/.gitignore b/.gitignore
index b55a187b95..970812d911 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,6 +32,7 @@ tmp-gen/
 /examples/examples
 /**/kas-*.pem
 /opentdf
+/custom-gcl
 /sdkjava/target
 /serviceapp
 /service/opentdf
diff --git a/.golangci.yaml b/.golangci.yaml
index 19cdbd1217..8e4d817fcf 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -48,6 +48,7 @@ linters:
     - nolintlint
     - nonamedreturns
     - nosprintfhostport
+    - pathconcat
     - perfsprint
     - predeclared
     - promlinter
@@ -73,6 +74,15 @@ linters:
     - wastedassign
     - whitespace
   settings:
+    custom:
+      pathconcat:
+        type: module
+        description: "Detects string path/URL concatenation; suggests filepath.Join, path.Join, or url.JoinPath"
+        settings:
+          ignore-strings:
+            - "/attr/"
+            - "/value/"
+            - "/obl/"
     errcheck:
       check-type-assertions: true
     exhaustive:
diff --git a/Makefile b/Makefile
index 035da1d35e..b6ee884c9f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 # make
 # To run all lint checks: `LINT_OPTIONS= make lint`
 
-.PHONY: all build clean connect-wrapper-generate docker-build fix fmt go-lint license lint proto-generate proto-lint sdk/sdk test tidy toolcheck
+.PHONY: all build clean connect-wrapper-generate custom-gcl docker-build fix fmt go-lint license lint proto-generate proto-lint sdk/sdk test tidy toolcheck
 
 MODS=protocol/go lib/ocrypto lib/fixtures lib/flattening lib/identifier sdk service examples
 HAND_MODS=lib/ocrypto lib/fixtures lib/flattening lib/identifier sdk service examples
@@ -56,11 +56,14 @@ proto-lint:
 			exit $$exit_code; \
 		fi)
 
-go-lint:
+custom-gcl:
+	golangci-lint custom
+
+go-lint: custom-gcl
 	status=0; \
 	for m in $(HAND_MODS); do \
 		echo "Linting module: $$m"; \
-		(cd "$$m" && golangci-lint run $(LINT_OPTIONS) ) || status=1; \
+		(cd "$$m" && $(ROOT_DIR)/custom-gcl run $(LINT_OPTIONS) ) || status=1; \
 	done; \
 	exit $$status
 

From 619d077569b3d0bb9acdf2b14a769998cf7b2890 Mon Sep 17 00:00:00 2001
From: jakedoublev <jake.vanvorhis@virtru.com>
Date: Tue, 7 Apr 2026 13:38:48 -0400
Subject: [PATCH 2/2] chore(ci): bump pathconcat to v0.3.0

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
---
 .custom-gcl.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.custom-gcl.yml b/.custom-gcl.yml
index abd6b10a0b..ad5cdc2166 100644
--- a/.custom-gcl.yml
+++ b/.custom-gcl.yml
@@ -2,4 +2,4 @@ version: v2.8.0
 name: custom-gcl
 plugins:
   - module: github.com/jakedoublev/pathconcat
-    version: v0.1.0
+    version: v0.3.0