ci: bump golangci/golangci-lint-action from 7 to 9#1
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6 to 9. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v6...v9) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-version: '9' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
bef3b7f to
816d063
Compare
Contributor
Author
|
Looks like golangci/golangci-lint-action is up-to-date now, so this is no longer needed. |
6 tasks
EricAndrechek
added a commit
that referenced
this pull request
Apr 23, 2026
Medium-severity findings from Claude's re-review, plus three unresolved Copilot threads tied to the same work. 1. board-state-sync.yml guard used \`exit 0\` on missing PROJECT_BOARD_TOKEN — which only exits the step shell, not the job. Subsequent steps would run with an empty GH_TOKEN and fail. Switched to the SKIP_BOARD=true env-var pattern used in project-orchestrator.yml (Claude Medium #1). 2. project-orchestrator.yml: when SKIP_BOARD is set, the pr-status step is skipped and its \`promote\` output is unset, which caused the Assign + request review step's \`promote == 'true'\` condition to silently fail — skipping reviewer assignment even though that operation uses GITHUB_TOKEN and doesn't need the board token. Extended the condition to also allow \`env.SKIP_BOARD == 'true'\` (Claude Medium #2). 3. dependabot-automerge.yml major-bump flow: reordered so the token guard + board-add + assign steps run before the comment, and the comment wording is now conditional on SKIP_BOARD — previously the comment claimed "Added to the Task Board" before the board-add even ran, and if the token was missing the claim was false (Claude Low #3 / Copilot R4 restated). 4. AGENTS.md §Review tooling reference table — three stale facts corrected to match the new implementation: - review-request channel IS used now (not "intentionally not") - re-eval trigger is workflow_run + bot COMMENTED reviews, not check_suite (documented the GITHUB_TOKEN suppression reason) - reviewer selection is single-pick parity-based, not "both admins" (Claude Low #4) 5. Copilot R4 remaining: board-state-sync comment referenced \`closingPullRequestsReferences\` on a line I hadn't fixed in an earlier round. Verified all references now align on \`closedByPullRequestsReferences\` (the actual field name). Also added a SKIP_BOARD guard to every subsequent step in board-state-sync.yml so the "not-configured" path produces a clean no-op instead of a cascade of failing gh calls.
EricAndrechek
added a commit
that referenced
this pull request
Apr 23, 2026
…acklog Copilot R6 flagged that my round-4 `promote`-based gate on the reeval Assign step had an inverse gap: if a PR card was already on the board with Status = In progress / In review / Done (e.g., someone manually moved it before the first bot-clean re-eval), then promote=false, and the Assign step would silently skip reviewer assignment AND review request — even though those should happen on first bot-clean regardless of the board state. Fix: remove the board-status gate from the orchestrator entirely and push idempotency into the composite action instead. The composite now: - queries current PR assignees + requested-reviewers - computes the subset of desired reviewers that are missing from BOTH lists - exits early with a log message if everyone's already present - otherwise adds/requests only the missing users That handles both directions cleanly: - PR already In progress with reviewer set → composite no-ops (no re-spam, same behavior as before) - PR already In progress without reviewer (the gap) → composite sets the missing reviewer No-op behavior on SKIP_BOARD also works — assignment doesn't depend on the board token at all. Didn't consolidate the CHANGELOG Unreleased section (Copilot R6 #1) — the duplicate ### Fixed / ### Changed headers are pre-existing from #55/#65/#71 accumulating, and full consolidation is release-cut scope. Replied to that thread deferring.
EricAndrechek
added a commit
that referenced
this pull request
Apr 28, 2026
Medium-severity findings from Claude's re-review, plus three unresolved Copilot threads tied to the same work. 1. board-state-sync.yml guard used \`exit 0\` on missing PROJECT_BOARD_TOKEN — which only exits the step shell, not the job. Subsequent steps would run with an empty GH_TOKEN and fail. Switched to the SKIP_BOARD=true env-var pattern used in project-orchestrator.yml (Claude Medium #1). 2. project-orchestrator.yml: when SKIP_BOARD is set, the pr-status step is skipped and its \`promote\` output is unset, which caused the Assign + request review step's \`promote == 'true'\` condition to silently fail — skipping reviewer assignment even though that operation uses GITHUB_TOKEN and doesn't need the board token. Extended the condition to also allow \`env.SKIP_BOARD == 'true'\` (Claude Medium #2). 3. dependabot-automerge.yml major-bump flow: reordered so the token guard + board-add + assign steps run before the comment, and the comment wording is now conditional on SKIP_BOARD — previously the comment claimed "Added to the Task Board" before the board-add even ran, and if the token was missing the claim was false (Claude Low #3 / Copilot R4 restated). 4. AGENTS.md §Review tooling reference table — three stale facts corrected to match the new implementation: - review-request channel IS used now (not "intentionally not") - re-eval trigger is workflow_run + bot COMMENTED reviews, not check_suite (documented the GITHUB_TOKEN suppression reason) - reviewer selection is single-pick parity-based, not "both admins" (Claude Low #4) 5. Copilot R4 remaining: board-state-sync comment referenced \`closingPullRequestsReferences\` on a line I hadn't fixed in an earlier round. Verified all references now align on \`closedByPullRequestsReferences\` (the actual field name). Also added a SKIP_BOARD guard to every subsequent step in board-state-sync.yml so the "not-configured" path produces a clean no-op instead of a cascade of failing gh calls.
EricAndrechek
added a commit
that referenced
this pull request
Apr 28, 2026
…acklog Copilot R6 flagged that my round-4 `promote`-based gate on the reeval Assign step had an inverse gap: if a PR card was already on the board with Status = In progress / In review / Done (e.g., someone manually moved it before the first bot-clean re-eval), then promote=false, and the Assign step would silently skip reviewer assignment AND review request — even though those should happen on first bot-clean regardless of the board state. Fix: remove the board-status gate from the orchestrator entirely and push idempotency into the composite action instead. The composite now: - queries current PR assignees + requested-reviewers - computes the subset of desired reviewers that are missing from BOTH lists - exits early with a log message if everyone's already present - otherwise adds/requests only the missing users That handles both directions cleanly: - PR already In progress with reviewer set → composite no-ops (no re-spam, same behavior as before) - PR already In progress without reviewer (the gap) → composite sets the missing reviewer No-op behavior on SKIP_BOARD also works — assignment doesn't depend on the board token at all. Didn't consolidate the CHANGELOG Unreleased section (Copilot R6 #1) — the duplicate ### Fixed / ### Changed headers are pre-existing from #55/#65/#71 accumulating, and full consolidation is release-cut scope. Replied to that thread deferring.
This was referenced Apr 28, 2026
4 tasks
EricAndrechek
added a commit
that referenced
this pull request
May 12, 2026
) ## Summary Delete `project-orchestrator.yml` (and the two composite actions + helper script it owned), fold the only behaviour worth keeping (reviewer-assign on first open) into `housekeeping.yml`, and rely on GitHub's native Projects-v2 workflows for everything else the orchestrator was doing on the board. **Net diff: −887 lines.** Workflow runs per non-Dependabot PR push go from ~8 to ~5. ## Why now The orchestrator was doing two conceptually separate jobs squeezed into one workflow: 1. **Reviewer assignment** — pick the non-author admin, assign them, request their review. 2. **Task Board state machine** — mirror PR state into project #7's Status field, with "opposite semantics" between PR cards and linked-issue cards. For a 4-person team, #1 is genuinely useful as automation and #2 is mostly bookkeeping that GitHub already provides natively (or that's a one-click manual operation on the rare event it doesn't). Each PR push was triggering 3-4 orchestrator runs through `workflow_run` chains, and the workflow has been the largest single source of cross-trigger complexity (GraphQL `statusCheckRollup` perms, integration-token `NONE` for private members, etc. — every recent CI fix has touched it). ## What the native Project workflows already handle Project #7 has these enabled (verified via `gh api graphql ... { projectV2 { workflows } }`): - **Auto-add to project** — new PRs / issues land on the board automatically. - **Item added to project** — sets the default Status when added (configurable in the project UI; defaults to your project's setup). - **Pull request merged** — sets Status = Done on merge. - **Item closed** — sets Status when an issue is closed. - **Pull request linked to issue** — auto-links via `Closes #N` keywords. - **Auto-close issue** — closes linked issues when PR merges. - **Auto-add sub-issues to project**. That covers placement, initial Status, and Done-on-merge. The orchestrator's remaining custom behaviours are dropped (see "trade-offs" below). ## Files **Deleted:** - `.github/workflows/project-orchestrator.yml` (546 lines) - `.github/actions/board-upsert-status/` (composite, only orchestrator + the now-trimmed dependabot-automerge step used it) - `.github/actions/set-linked-issues-status/` (composite, only orchestrator used it) - `.github/scripts/board-fetch-item.sh` (helper, only the above used it) **Kept:** - `.github/actions/assign-and-request-review/` — still used by `dependabot-automerge.yml` and now also `housekeeping.yml`. **Modified:** - `housekeeping.yml` — added a reviewer-assign step that fires on `pull_request_target: opened` / `ready_for_review` (NOT on `synchronize` — composite is idempotent but firing per-push would re-spam reviewers after `dismiss_stale_reviews_on_push` clears a request following CHANGES_REQUESTED). Picks the non-author admin by the same parity logic the orchestrator used. `continue-on-error: true` so a flaky review-request can't mask the title-lint required check's exit code. `ready_for_review` added to the workflow's trigger types so the draft → ready flip pings the reviewer. - `dependabot-automerge.yml` — drop the board-upsert step (native handles it), drop the `PROJECT_BOARD_TOKEN` guard (no longer needed in this workflow), drop the `board-config.env` load (no consumers left), and apply the marker-comment upsert pattern to the major-bump comment (same fix as #114 — folded in here since they touch the same step). - `.github/board-config.env` — drop `STATUS_*` (no consumers left) and `ADMINS` (was only read by orchestrator; `housekeeping.yml` and `admin-approval.yml` both inline it). Keep `PROJECT_OWNER` / `NUMBER` / `ID` and `PRIORITY_*` for `triage.yml`. ## Trade-offs you're explicitly accepting | Lost behaviour | Replacement | |---|---| | Reviewer pinged after CI + Claude go green | Reviewer pinged at open. They can ignore the ping until checks settle. | | Status promoted to Ready only on bot-clean | Status = whatever the project's "Item added" workflow sets. | | `changes_requested` moves PR card to "In review" | One click in the project UI when it happens. | | Linked issues auto-mirror PR state (opposite semantics) | Manual / not mirrored. The PR list itself shows what needs review. | | Auto-flip draft → ready on bot-clean | Author manually clicks "Mark ready" (informative signal). | | `re_requested` re-fires review request | Author manually clicks "Re-request review" (the GitHub default). | ## Conflict with #114 #114 (the standalone dependabot major-bump comment upsert fix) and this PR both edit the same step. Whichever lands first, the other needs a trivial rebase. The upsert pattern in this PR matches #114 exactly, so if #114 lands first the conflict resolution is "take theirs"; if this lands first, #114 closes as already-incorporated. ## Test plan - [ ] Open a fresh non-Dependabot PR: `housekeeping` runs, assigns the non-author admin, requests their review. No orchestrator runs fire. - [ ] Open a major-version Dependabot PR: both admins assigned, comment posted with marker, no board-upsert step in the run log. - [ ] Open a Dependabot patch / minor PR: auto-approve + auto-merge as before. - [ ] Open a draft, push commits, mark ready: reviewer pinged at the ready_for_review event, not earlier. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
13 tasks
6 tasks
EricAndrechek
added a commit
that referenced
this pull request
May 19, 2026
…table Two issues surfaced by the fourth strict-ship_it iteration: 1. **agent-bash-gate.sh false-positives on quoted mentions of blocked patterns.** Commit 6c79315 fixed this specifically for --no-verify by adding a [^"'\$<]* quote-traversal segment to that one regex, but the same fix wasn't applied to the other six checks (gh pr create / ready / edit, gh api requested_reviewers, gh pr review, the push-marker gate). Demonstrated live: `echo "this mentions git push in quotes"` tripped the marker check. Generalized the fix: strip single- and double-quoted segments from the command once at the top into $stripped, and use $stripped for all subsequent regex checks. Simplified check #1's regex accordingly (the in-regex quote traversal is no longer needed). Sanity-tested: false positives on `echo`, `gh pr comment -b "..."`, `git commit -m "..."` all pass through; real `git push --no-verify` / `git commit --no-verify` still block. 2. **claude-code.md "How enforcement is layered" table mislabels the Claude Code hooks layer.** The two-row "two distinct gate layers" framing put `gofumpt-on-save.sh` in a row labeled "UX: auto-format" and omitted `agent-bash-gate.sh` (which is enforcement) and `review-marker.sh` (which is the marker writer). Restructured to four rows: git hooks (universal enforcement), Claude Code agent gate (agent-only enforcement), Claude Code ergonomic hooks (formatter + marker writer), and Claude Code skills/agents/commands (workflow guidance). Matches the more detailed sections later in the doc and the actual settings.json wiring. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps golangci/golangci-lint-action from 7 to 9.
Release notes
Sourced from golangci/golangci-lint-action's releases.
Commits
1e7e51ebuild(deps): bump yaml from 2.8.1 to 2.8.2 in the dependencies group (#1324)5256ff0build(deps-dev): bump the dev-dependencies group with 3 updates (#1323)13fed6fchore: update workflows7afe8ffchore: update workflows5a92899chore: move samples into fixtures (#1321)aa6fad0feat: add version-file option (#1320)a6071aabuild(deps): bump actions/checkout from 5 to 6 (#1318)6e36c84build(deps-dev): bump the dev-dependencies group with 2 updates (#1317)e7fa5acfeat: automatic module directories (#1315)f3ae99fdocs: organize options (#1314)