ci: bump golangci/golangci-lint-action from 7 to 9#1

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/golangci/golangci-lint-action-9

@dependabot dependabot Bot commented on behalf of github Mar 28, 2026

Bumps golangci/golangci-lint-action from 7 to 9.

Release notes

Sourced from golangci/golangci-lint-action's releases.

v9.0.0

In the scope of this release, we change Nodejs runtime from node20 to node24 (https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/).

Full Changelog: golangci/golangci-lint-action@v8.0.0...v9.0.0

v8.0.0

Requires golangci-lint version >= v2.1.0

Full Changelog: golangci/golangci-lint-action@v7...v8.0.0

v7.0.1

Full Changelog: golangci/golangci-lint-action@v7.0.0...v7.0.1

@dependabot dependabot Bot added the dependencies and github_actions labels Mar 28, 2026
@dependabot dependabot Bot changed the title from "ci: bump golangci/golangci-lint-action from 6 to 9" to "ci: bump golangci/golangci-lint-action from 7 to 9" Mar 28, 2026
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6 to 9.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@v6...v9)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/golangci/golangci-lint-action-9 branch from bef3b7f to 816d063 Compare March 28, 2026 01:28
dependabot Bot commented on behalf of github Mar 28, 2026

Looks like golangci/golangci-lint-action is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Mar 28, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/golangci/golangci-lint-action-9 branch March 28, 2026 01:41
EricAndrechek added a commit that referenced this pull request Apr 23, 2026
Medium-severity findings from Claude's re-review, plus three
unresolved Copilot threads tied to the same work.

1. board-state-sync.yml guard used `exit 0` on missing
   PROJECT_BOARD_TOKEN — which only exits the step shell, not the
   job. Subsequent steps would run with an empty GH_TOKEN and
   fail. Switched to the SKIP_BOARD=true env-var pattern used in
   project-orchestrator.yml (Claude Medium #1).

2. project-orchestrator.yml: when SKIP_BOARD is set, the pr-status
   step is skipped and its `promote` output is unset, which caused
   the Assign + request review step's `promote == 'true'`
   condition to silently fail — skipping reviewer assignment even
   though that operation uses GITHUB_TOKEN and doesn't need the
   board token. Extended the condition to also allow
   `env.SKIP_BOARD == 'true'` (Claude Medium #2).

3. dependabot-automerge.yml major-bump flow: reordered so the
   token guard + board-add + assign steps run before the comment,
   and the comment wording is now conditional on SKIP_BOARD —
   previously the comment claimed "Added to the Task Board" before
   the board-add even ran, and if the token was missing the claim
   was false (Claude Low #3 / Copilot R4 restated).

4. AGENTS.md §Review tooling reference table — three stale facts
   corrected to match the new implementation:
   - review-request channel IS used now (not "intentionally not")
   - re-eval trigger is workflow_run + bot COMMENTED reviews, not
     check_suite (documented the GITHUB_TOKEN suppression reason)
   - reviewer selection is single-pick parity-based, not "both
     admins"
   (Claude Low #4)

5. Copilot R4 remaining: board-state-sync comment referenced
   `closingPullRequestsReferences` on a line I hadn't fixed in an
   earlier round. Verified all references now align on
   `closedByPullRequestsReferences` (the actual field name).

Also added a SKIP_BOARD guard to every subsequent step in
board-state-sync.yml so the "not-configured" path produces a clean
no-op instead of a cascade of failing gh calls.
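
Added example (not code from this repository): a shell stand-in for how a job runs its steps, showing why the `exit 0` guard described in the commit message above leaves later steps running with an empty token and how a `SKIP_BOARD` flag avoids that. It assumes the flag is passed through the `GITHUB_ENV` file; `run_job` and the step bodies are constructed for illustration.

```shell
#!/bin/sh
# Each step of a job is a separate shell process. A variable reaches later
# steps only if the step appends KEY=VALUE to the file named by GITHUB_ENV.

# run_job GUARD_SCRIPT -> prints what the step after the guard did.
run_job() {
  GITHUB_ENV=$(mktemp); export GITHUB_ENV
  unset SKIP_BOARD

  # Step 1: the guard, run in its own shell with the secret missing.
  PROJECT_BOARD_TOKEN='' sh -c "$1"

  # Runner behaviour: load what the step wrote, for use by later steps.
  while IFS='=' read -r key value; do
    if [ -n "$key" ]; then export "$key=$value"; fi
  done < "$GITHUB_ENV"
  rm -f "$GITHUB_ENV"

  # Step 2: stands in for a step carrying `if: env.SKIP_BOARD != 'true'`.
  if [ "${SKIP_BOARD:-}" = "true" ]; then
    echo "skipped"
  else
    GH_TOKEN='' sh -c \
      'if [ -z "$GH_TOKEN" ]; then echo "ran-with-empty-token"; else echo "ran"; fi'
  fi
}

# Guard A (constructed): exit 0 ends only this step's shell, with success.
GUARD_EXIT0='[ -n "$PROJECT_BOARD_TOKEN" ] || { echo "no token" >&2; exit 0; }'

# Guard B (constructed): record the decision where later steps can see it.
GUARD_ENV='[ -n "$PROJECT_BOARD_TOKEN" ] || echo "SKIP_BOARD=true" >> "$GITHUB_ENV"'

echo "exit 0 guard:     $(run_job "$GUARD_EXIT0")"
echo "SKIP_BOARD guard: $(run_job "$GUARD_ENV")"
```

The flag only helps if every later step that needs the token checks it, which is why the commit adds the guard to each subsequent step.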
EricAndrechek added a commit that referenced this pull request Apr 23, 2026
…acklog

Copilot R6 flagged that my round-4 `promote`-based gate on the
reeval Assign step had an inverse gap: if a PR card was already
on the board with Status = In progress / In review / Done
(e.g., someone manually moved it before the first bot-clean
re-eval), then promote=false, and the Assign step would silently
skip reviewer assignment AND review request — even though those
should happen on first bot-clean regardless of the board state.

Fix: remove the board-status gate from the orchestrator entirely
and push idempotency into the composite action instead. The
composite now:

- queries current PR assignees + requested-reviewers
- computes the subset of desired reviewers that are missing from
  BOTH lists
- exits early with a log message if everyone's already present
- otherwise adds/requests only the missing users

That handles both directions cleanly:
- PR already In progress with reviewer set → composite no-ops
  (no re-spam, same behavior as before)
- PR already In progress without reviewer (the gap) → composite
  sets the missing reviewer

No-op behavior on SKIP_BOARD also works — assignment doesn't
depend on the board token at all.

Didn't consolidate the CHANGELOG Unreleased section (Copilot R6
#1) — the duplicate ### Fixed / ### Changed headers are
pre-existing from #55/#65/#71 accumulating, and full
consolidation is release-cut scope. Replied to that thread
deferring.
EricAndrechek added a commit that referenced this pull request Apr 28, 2026
EricAndrechek added a commit that referenced this pull request Apr 28, 2026
…acklog

EricAndrechek added a commit that referenced this pull request May 12, 2026
)

## Summary

Delete `project-orchestrator.yml` (and the two composite actions +
helper script it owned), fold the only behaviour worth keeping
(reviewer-assign on first open) into `housekeeping.yml`, and rely on
GitHub's native Projects-v2 workflows for everything else the
orchestrator was doing on the board.

**Net diff: −887 lines.** Workflow runs per non-Dependabot PR push go
from ~8 to ~5.

## Why now

The orchestrator was doing two conceptually separate jobs squeezed into
one workflow:
1. **Reviewer assignment** — pick the non-author admin, assign them,
request their review.
2. **Task Board state machine** — mirror PR state into project #7's
Status field, with "opposite semantics" between PR cards and
linked-issue cards.

For a 4-person team, #1 is genuinely useful as automation and #2 is
mostly bookkeeping that GitHub already provides natively (or that's a
one-click manual operation on the rare event it doesn't). Each PR push
was triggering 3-4 orchestrator runs through `workflow_run` chains, and
the workflow has been the largest single source of cross-trigger
complexity (GraphQL `statusCheckRollup` perms, integration-token `NONE`
for private members, etc. — every recent CI fix has touched it).

## What the native Project workflows already handle

Project #7 has these enabled (verified via `gh api graphql ... {
projectV2 { workflows } }`):

- **Auto-add to project** — new PRs / issues land on the board
automatically.
- **Item added to project** — sets the default Status when added
(configurable in the project UI; defaults to your project's setup).
- **Pull request merged** — sets Status = Done on merge.
- **Item closed** — sets Status when an issue is closed.
- **Pull request linked to issue** — auto-links via `Closes #N`
keywords.
- **Auto-close issue** — closes linked issues when PR merges.
- **Auto-add sub-issues to project**.

That covers placement, initial Status, and Done-on-merge. The
orchestrator's remaining custom behaviours are dropped (see "trade-offs"
below).

## Files

**Deleted:**
- `.github/workflows/project-orchestrator.yml` (546 lines)
- `.github/actions/board-upsert-status/` (composite, only orchestrator +
the now-trimmed dependabot-automerge step used it)
- `.github/actions/set-linked-issues-status/` (composite, only
orchestrator used it)
- `.github/scripts/board-fetch-item.sh` (helper, only the above used it)

**Kept:**
- `.github/actions/assign-and-request-review/` — still used by
`dependabot-automerge.yml` and now also `housekeeping.yml`.

**Modified:**
- `housekeeping.yml` — added a reviewer-assign step that fires on
`pull_request_target: opened` / `ready_for_review` (NOT on `synchronize`
— composite is idempotent but firing per-push would re-spam reviewers
after `dismiss_stale_reviews_on_push` clears a request following
CHANGES_REQUESTED). Picks the non-author admin by the same parity logic
the orchestrator used. `continue-on-error: true` so a flaky
review-request can't mask the title-lint required check's exit code.
`ready_for_review` added to the workflow's trigger types so the draft →
ready flip pings the reviewer.
- `dependabot-automerge.yml` — drop the board-upsert step (native
handles it), drop the `PROJECT_BOARD_TOKEN` guard (no longer needed in
this workflow), drop the `board-config.env` load (no consumers left),
and apply the marker-comment upsert pattern to the major-bump comment
(same fix as #114 — folded in here since they touch the same step).
- `.github/board-config.env` — drop `STATUS_*` (no consumers left) and
`ADMINS` (was only read by orchestrator; `housekeeping.yml` and
`admin-approval.yml` both inline it). Keep `PROJECT_OWNER` / `NUMBER` /
`ID` and `PRIORITY_*` for `triage.yml`.

## Trade-offs you're explicitly accepting

| Lost behaviour | Replacement |
|---|---|
| Reviewer pinged after CI + Claude go green | Reviewer pinged at open. They can ignore the ping until checks settle. |
| Status promoted to Ready only on bot-clean | Status = whatever the project's "Item added" workflow sets. |
| `changes_requested` moves PR card to "In review" | One click in the project UI when it happens. |
| Linked issues auto-mirror PR state (opposite semantics) | Manual / not mirrored. The PR list itself shows what needs review. |
| Auto-flip draft → ready on bot-clean | Author manually clicks "Mark ready" (informative signal). |
| `re_requested` re-fires review request | Author manually clicks "Re-request review" (the GitHub default). |

## Conflict with #114

#114 (the standalone dependabot major-bump comment upsert fix) and this
PR both edit the same step. Whichever lands first, the other needs a
trivial rebase. The upsert pattern in this PR matches #114 exactly, so
if #114 lands first the conflict resolution is "take theirs"; if this
lands first, #114 closes as already-incorporated.

## Test plan

- [ ] Open a fresh non-Dependabot PR: `housekeeping` runs, assigns the
non-author admin, requests their review. No orchestrator runs fire.
- [ ] Open a major-version Dependabot PR: both admins assigned, comment
posted with marker, no board-upsert step in the run log.
- [ ] Open a Dependabot patch / minor PR: auto-approve + auto-merge as
before.
- [ ] Open a draft, push commits, mark ready: reviewer pinged at the
ready_for_review event, not earlier.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
EricAndrechek added a commit that referenced this pull request May 19, 2026
…table

Two issues surfaced by the fourth strict-ship_it iteration:

1. **agent-bash-gate.sh false-positives on quoted mentions of blocked
   patterns.** Commit 6c79315 fixed this specifically for --no-verify by
   adding a [^"'\$<]* quote-traversal segment to that one regex, but the
   same fix wasn't applied to the other six checks (gh pr create / ready
   / edit, gh api requested_reviewers, gh pr review, the push-marker
   gate). Demonstrated live: `echo "this mentions git push in quotes"`
   tripped the marker check. Generalized the fix: strip single- and
   double-quoted segments from the command once at the top into
   $stripped, and use $stripped for all subsequent regex checks.
   Simplified check #1's regex accordingly (the in-regex quote traversal
   is no longer needed). Sanity-tested: false positives on `echo`,
   `gh pr comment -b "..."`, `git commit -m "..."` all pass through;
   real `git push --no-verify` / `git commit --no-verify` still block.

2. **claude-code.md "How enforcement is layered" table mislabels the
   Claude Code hooks layer.** The two-row "two distinct gate layers"
   framing put `gofumpt-on-save.sh` in a row labeled "UX: auto-format"
   and omitted `agent-bash-gate.sh` (which is enforcement) and
   `review-marker.sh` (which is the marker writer). Restructured to
   four rows: git hooks (universal enforcement), Claude Code agent
   gate (agent-only enforcement), Claude Code ergonomic hooks
   (formatter + marker writer), and Claude Code skills/agents/commands
   (workflow guidance). Matches the more detailed sections later in
   the doc and the actual settings.json wiring.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
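
Added example (not the repository's agent-bash-gate.sh): the strip-quotes-once approach the commit message above describes, next to the same checks run on the raw command line. The function names, the regexes and the `push-gated` verdict are assumptions made for illustration.

```shell
#!/bin/sh
# Remove double- and single-quoted segments so the checks only look at
# text outside quotes (commit messages, comment bodies, echo arguments).
# Trade-off: anything inside quotes is invisible to the checks below.
strip_quoted() {
  printf '%s\n' "$1" | sed -E "s/\"[^\"]*\"//g; s/'[^']*'//g"
}

# classify TEXT -> block | push-gated | allow
# One set of patterns, applied to whatever text it is given.
classify() {
  start='(^|[;&|[:space:]])'   # git must begin a command word
  if printf '%s\n' "$1" |
     grep -Eq "${start}git[[:space:]]+(push|commit)([[:space:]].*)?[[:space:]]--no-verify"; then
    echo block
  elif printf '%s\n' "$1" | grep -Eq "${start}git[[:space:]]+push([[:space:]]|\$)"; then
    echo push-gated            # hypothetical: a real gate would check its marker here
  else
    echo allow
  fi
}

# Checks on the raw command: trip on quoted mentions of the patterns.
naive_verdict() { classify "$1"; }

# Checks on the stripped command: every check shares one stripped copy.
gate_verdict() { classify "$(strip_quoted "$1")"; }

# Constructed sample commands, one per line.
while IFS= read -r sample; do
  printf '%-52s naive=%-10s gate=%s\n' "$sample" \
    "$(naive_verdict "$sample")" "$(gate_verdict "$sample")"
done <<'EOF'
echo "this mentions git push in quotes"
gh pr comment -b "never use git commit --no-verify"
git commit -m "wip" --no-verify
git push --no-verify
git push origin main
EOF
```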