chore: modernize Go toolchain, CI, and lint setup #2

Open
dwin wants to merge 4 commits into master from claude/modernize-go-ci-kRTQa

@dwin dwin commented May 16, 2026

Summary

Modernizes the repository's Go toolchain and CI plumbing, and resolves the lint findings that surfaced as a result.

Tooling

  • build: bump go.mod to Go 1.23; refresh deps (golang.org/x/crypto v0.32.0, latest icrowley/fake, corpix/uarand v0.2.0)
  • build: drop the vendor/ directory (modules-only — libraries shouldn't vendor)
  • ci: remove .travis.yml
  • ci: add .github/workflows/ci.yml running go build -race + go test -race -coverprofile on Go 1.23 and 1.24, plus a golangci-lint v2.5.0 job
  • ci: update codeql-analysis.yml to actions/checkout@v4, actions/setup-go@v5, and github/codeql-action@v3
  • chore: add .golangci.yml (v2 schema) with errcheck, govet (enable-all), staticcheck, gosec, errorlint, gocritic, revive, bodyclose, unparam, prealloc, etc., plus gofmt/goimports formatters
  • docs: drop Travis badge; add CI badge; switch GoDoc → pkg.go.dev
  • chore: .gitignore now covers coverage.out, *.test, and the example binary

Source fixes from new linters

  • fix: errors from scryptHash and base64.Decode were being silently overwritten in Hash, verifyV1, and updateMasterV1. They are now propagated (ineffassign was masking real bugs)
  • refactor: replace naked returns with explicit returns throughout password.go
  • refactor: drop redundant []byte(...) conversions on values already []byte
  • refactor: eliminate variable shadowing of err in encrypt/scryptHash
  • style: lowercase exported error-message strings (ST1005); errors.Is is unaffected
  • test: replace sentinel err != ErrXxx checks with errors.Is(err, ErrXxx) (errorlint)
  • style: misc nits — total += lgth, t.Logf("Output: %s", output), comment spacing

Test plan

  • go build ./...
  • go vet ./...
  • gofmt -l . (clean)
  • golangci-lint run ./... → 0 issues
  • go test -race -count=1 ./... → PASS (~195s, scrypt is intentionally slow)
  • go mod verify
  • CI workflow runs green on this PR
  • CodeQL workflow runs green on this PR

Notes / follow-ups

Two pre-existing items intentionally left out of scope:

  • GetHashVersion uses strings.Trim(parts[0], "secBoxv") which strips a cutset rather than the prefix. Works for the current version string but should be strings.TrimPrefix for correctness.
  • The icrowley/fake test dependency is largely unmaintained upstream; could be replaced with a small inline random-password helper in a follow-up.

Generated by Claude Code
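The cutset-versus-prefix point in the first follow-up note, as an added example (not the project's code). The function names, the error sentinel and the sample tags are constructed for illustration; both functions take the first field of a hash string, the `parts[0]` the note refers to.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// versionPrefix is the tag prefix quoted in the PR note.
const versionPrefix = "secBoxv"

// errBadTag is a hypothetical sentinel used only in this example.
var errBadTag = errors.New("malformed version tag")

// cutsetVersion mirrors the behaviour the note describes: strings.Trim treats
// "secBoxv" as a SET of characters and strips any of them from both ends.
func cutsetVersion(tag string) string {
	return strings.Trim(tag, versionPrefix)
}

// prefixVersion removes the literal prefix exactly once and requires the
// remainder to be an unsigned decimal number, so malformed tags are rejected.
func prefixVersion(tag string) (uint64, error) {
	if !strings.HasPrefix(tag, versionPrefix) {
		return 0, fmt.Errorf("%w: %q", errBadTag, tag)
	}
	v, err := strconv.ParseUint(strings.TrimPrefix(tag, versionPrefix), 10, 32)
	if err != nil {
		return 0, fmt.Errorf("%w: %q", errBadTag, tag)
	}
	return v, nil
}

func main() {
	// Constructed tags: one well-formed, three that are not.
	for _, tag := range []string{"secBoxv1", "secBoxv1x", "voxBces1", "v1"} {
		v, err := prefixVersion(tag)
		fmt.Printf("%-12q cutset=%q prefix=%d err=%v\n", tag, cutsetVersion(tag), v, err)
	}
}
```

The cutset form maps all four tags to the same version string, while the prefix form accepts only the first.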

claude added 4 commits May 16, 2026 04:21
- Bump go.mod to Go 1.23 and refresh dependencies (golang.org/x/crypto v0.32.0,
  github.com/icrowley/fake latest, github.com/corpix/uarand v0.2.0)
- Drop legacy vendor/ directory in favor of Go modules
- Remove .travis.yml; add .github/workflows/ci.yml running tests with -race on
  Go 1.23 and 1.24 plus golangci-lint v2
- Add .golangci.yml (v2 config) enabling errcheck, govet, staticcheck, gosec,
  errorlint, gocritic, revive, etc., with gofmt/goimports formatters
- Update codeql-analysis.yml to actions/checkout@v4, setup-go@v5, and
  github/codeql-action v3
- Replace Travis badge with CI badge; switch GoDoc badge to pkg.go.dev
- Fix issues surfaced by the new linters:
  * Stop swallowing errors from scryptHash and base64.Decode in Hash,
    updateMasterV1 and verifyV1 (ineffassign was masking real bugs)
  * Lowercase exported error message strings (ST1005)
  * Replace naked returns with explicit returns
  * Use errors.Is in tests instead of sentinel != comparison
  * Drop redundant []byte conversions and remove variable shadowing

Prevents accidental commits of locally-built example binary, coverage.out,
and test executables.

Aligns casing with the nacl/secretbox package name.

- Bump golangci/golangci-lint-action to v8 (required for golangci-lint v2;
  the previous v6 only supports v1.x, which caused the Lint job to fail
  setup before running)
- Pin every GHA reference to a full commit SHA with the tag in a trailing
  comment, per OpenSSF / GitHub hardening guidance