Use official golangci action together with CodeQL

[osterman]

What

• Replace reviewdog with the official golangci-lint-action due to challenges in limiting reports to modified lines using filter-mode.
• Output in SARIF format and upload results to GitHub CodeQL for enhanced analysis.

Why

• Achieve better control over which linting issues cause check failures.
• Utilize CodeQL's UI for improved lint review capabilities, including inline annotations and the ability to dismiss findings.
• Enable status checks for linting to be based on CodeQL analysis results, streamlining the workflow.

Known Limitations

Warning

Small patches and line numbers do not always match line numbers in lint results, in which case those lines won't be raised

First, I was able to reproduce it. whitespace reports an issue at the "wrong" line: The change is on 301 and the report on 302, but 302 has not changed so golangci-lint skips the report.
It's not really the "wrong" line because the report is related to an empty line before the }, this empty line is only a problem because }.
We can see that as a more global limitation of the new-from-patch and new-from-rev: if a report is not directly on the line that changes then the report is skipped.
So technically, there is no possible fix for that.
The only way for those options to work, with reports that are not at the same places as the changes, is to use --whole-files

golangci-lint run --whole-files --new-from-rev main

references

• --new-from-rev main doesn't work golangci/golangci-lint#4376 (comment)

Summary by CodeRabbit

Summary by CodeRabbit

• Chores
  • Enhanced automated workflow permissions for improved security.
  • Streamlined the linting process by removing the previous linting job.
  • Adjusted code quality checks for test files to better target error detection.
  • Improved warning messages to clearly communicate unsupported configuration settings.
  • Simplified linting command to run on all Go files in the project directory.
  • Added new jobs for linting and semantic versioning checks in the CodeQL workflow to enhance code quality.
  • Updated comments and guidance for handling large pull requests in the Mergify configuration.

[mergify]

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

[coderabbitai]

Warning

Rate limit exceeded

@osterman has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 0 minutes and 8 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 986cd15 and 4719d0d.

📒 Files selected for processing (1)

• internal/exec/terraform_utils.go (3 hunks)

📝 Walkthrough

Walkthrough

This pull request updates the GitHub Actions workflow and linting configuration. The lint-golangci job is removed entirely, indicating a significant change in the linting process. Adjustments are made to the exclusion rules for specific linters in the .golangci.yml file. Additionally, a log warning message is rephrased in the Terraform utilities, and the Makefile is simplified to run the linter on all Go files directly.

Changes

File(s)	Change Summary
.github/workflows/test.yml	Removed the lint-golangci job, indicating a significant change in the linting process.
.golangci.yml	Modified the issues section to add exclude-dirs for experiments/.*, adjusted exclude-rules for test files by adding err113 and gsec, and removing errcheck from exclusions. Introduced sort-results: true in the output section.
internal/exec/terraform_utils.go	Reworded the warning message in the isWorkspacesEnabled function to clarify that the enabled setting for workspaces is unsupported for HTTP backends.
Makefile	Simplified the lint target command from a complex file filtering process to a direct call to golangci-lint run, allowing it to run on all Go files in the project directory.
.github/workflows/codeql.yml	Added a new lint-golangci job that runs on pull requests, including steps for checking out code and running golangci-lint, and clarified comments throughout the workflow.

Possibly related PRs

• Add GolangCI Lint Configuration for Better Code Quality #1078: The changes in the main PR, which remove the lint-golangci job from the workflow, are directly related to the addition of the same job in the retrieved PR, indicating a shift in the linting strategy.
• Add more lint rules #1082: The changes in the main PR, which remove the lint-golangci job and associated linting checks, are directly related to the modifications in the retrieved PR that enhance the golangci-lint configuration, as both involve adjustments to linting processes and configurations.
• Rename GolangCI GHA Job, add lint target to Makefile #1081: The changes in the main PR, which remove the lint-golangci job from the workflow, are related to the modifications in the retrieved PR that involve renaming and enhancing the lint-golangci job, indicating a direct connection in the context of linting processes.

Suggested reviewers

• aknysh

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary or @auto-summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @auto-title anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

Attention: Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.

Project coverage is 19.34%. Comparing base (5dab42b) to head (4719d0d).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/exec/terraform_utils.go	33.33%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1137   +/-   ##
=======================================
  Coverage   19.34%   19.34%           
=======================================
  Files         170      170           
  Lines       18789    18789           
=======================================
  Hits         3635     3635           
  Misses      14437    14437           
  Partials      717      717           

Flag	Coverage Δ
unittests	19.34% <33.33%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/codeql.yml (2)

11-12: Cron Schedule Comment Discrepancy
The comment indicates "runs on 19:17 every Tuesday," but the cron expression is set to "27 19 * * 2" (i.e. 19:27). Please update either the comment or the cron value to ensure they match.

---

108-119: Exit Code Handling Based on Lint Results
The shell script that checks for lint failures and sets the exit code appropriately is well implemented. As a slight refinement, consider consolidating the multi-line warning message to prevent any accidental formatting issues in the logs.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e262f05 and 9515f37.

📒 Files selected for processing (2)

• .github/workflows/codeql.yml (3 hunks)
• .github/workflows/test.yml (0 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/test.yml

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: Build (windows-latest, windows)
• GitHub Check: Lint (golangci)
• GitHub Check: Analyze (go)
• GitHub Check: Summary

🔇 Additional comments (12)

.github/workflows/codeql.yml (12)

5-5: Push Trigger Branch Specification Updated
The push event now explicitly triggers only on the "main" branch, which makes the workflow more targeted and clear.

---

8-9: Pull Request Event Update with Explicit Types
Specifying the branches and adding event types—opened, labeled, unlabeled, and synchronize—ensures that the workflow only runs on the intended pull request activities.

---

27-27: Matrix Language Configuration
The matrix now clearly specifies the languages as ["go", "javascript-typescript"], which makes it evident for the analysis job.

---

30-43: Enhanced CodeQL Initialization with Detailed Comments
The checkout and CodeQL initialization steps now include clearer formatting and additional comments about custom queries and query packs. This extra context improves maintainability and clarity.

---

45-48: Autobuild Step Clarity
The Autobuild step now comes with improved instructions and notes on fallback options if the build fails, which will help in troubleshooting compiled language projects.

---

50-54: Enhanced Shell Command Instructions
The additional comments explaining command-line execution and providing helpful URLs add value for future maintainers.

---

56-58: Commented Out Manual Build Commands Preserved
Keeping the commented-out run commands for manual builds is a thoughtful addition that offers guidance if the Autobuild step ever needs to be bypassed.

---

60-63: Perform CodeQL Analysis Step
The CodeQL analysis step is concise and leverages the latest action version effectively. Its configuration looks solid.

---

65-107: New "lint-golangci" Job Integration
Introducing the official golangci-lint action in this new job enhances our linting process. The steps—including code checkout, lint execution with "only-new-issues," and SARIF upload—are well configured to focus only on new issues in pull requests.

---

121-142: PR Semver Labels Job Configuration
The job that enforces semantic versioning labels improves PR consistency by providing clear feedback when required labels are missing. This enhancement helps prevent merging issues related to versioning.

---

144-171: PR Size Labeler Job Enhancements
The PR Size Labeler configuration is now more detailed with explicit size thresholds and label assignments. Using the updated codelytv action and clearly defined parameters improves its effectiveness.

---

172-177: Files to Ignore and Deletion Settings
The configuration now excludes files like package-lock.json, yarn.lock, and go.sum, and specifies explicit settings for ignoring line and file deletions. Please verify that these settings align well with your project’s size labeling strategy.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

.github/workflows/codeql.yml (3)

12-12: Cron Schedule Comment Mismatch

The comment above indicates a run at "19:17 every Tuesday," but the cron schedule is set to "27 19 * * 2". Please double-check if this discrepancy is intentional or if the comment should be updated.

---

65-122: New lint-golangci Job Integration

The new lint-golangci job effectively adopts the official golangci-lint action (v6) and incorporates several useful practices:

• It checks out the code with full history (fetch-depth: 0) to support module resolution.
• Runs golangci-lint with continue-on-error: true, which allows for conditional exit code handling later.
• Uploads SARIF results, and then conditionally sets the exit code based on the presence of a "lint-ignore" label.

This integrated approach should streamline your linting process on pull requests. Just be sure that the usage of continue-on-error is intentional and aligns with your lint failure policies.

---

146-180: Comprehensive PR Size Labeler Setup

The pr-size-labeler job is meticulously configured:

• It checks out the repository with a full reference state.
• It sets specific size thresholds (e.g., xs, s, m, l) and ignores common lock files.
• The options for line and file deletion handling are clearly defined.

This thorough configuration will help maintain consistent PR sizing. It may be worth revisiting the thresholds periodically to ensure they remain appropriate for the project’s evolving needs.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9515f37 and c376147.

📒 Files selected for processing (3)

• .github/workflows/codeql.yml (3 hunks)
• Makefile (1 hunks)
• internal/exec/terraform_utils.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• Makefile
• internal/exec/terraform_utils.go

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: Analyze (go)
• GitHub Check: Build (windows-latest, windows)
• GitHub Check: Lint (golangci)
• GitHub Check: Summary

🔇 Additional comments (8)

.github/workflows/codeql.yml (8)

5-5: Branch Restriction on Push Event

The push event now explicitly limits branches to "main". This clean restriction helps ensure only the main branch triggers CodeQL scans.

---

8-9: Enhanced Pull Request Trigger Configuration

The pull_request event now specifies branches: ["main"] along with types: [opened, labeled, unlabeled, synchronize]. This granular configuration improves control over when the workflow is invoked for PRs. Just verify these event types match your intended workflow triggers.

---

27-27: Matrix Configuration Update

The strategy matrix now lists language: ["go", "javascript-typescript"], which neatly targets the desired language environments. Ensure these cover all necessary cases for your scans.

---

30-32: Repository Checkout Step in Analyze Job

Using the checkout action (actions/checkout@v4) is straightforward and effective here. This step is clear and requires no additional modifications.

---

33-44: Initialize CodeQL Step Clarity

The "Initialize CodeQL" step is well-documented and correctly utilizes the action with the dynamic language matrix. The inline comments add useful context for future maintenance.

---

47-49: Autobuild Step Usage

The inclusion of the Autobuild step with github/codeql-action/autobuild@v3 is spot-on. The accompanying comment offers guidance if manual builds become necessary.

---

60-64: Perform CodeQL Analysis Step

The CodeQL Analysis step is configured clearly, with the category dynamically set based on the matrix language. This ensures each language is correctly handled during analysis.

---

123-145: Addition of PR Semver Labels Job

The newly added pr-semver-labels job ensures that pull requests include one of the required semver labels. The detailed inline message provides clear instructions to the contributor if the label is missing.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/codeql.yml (1)

65-101: Robust Integration of the Official golangci-lint Action
The newly added lint-golangci job is well-structured:

• It runs only on pull request events.
• Permissions are properly scoped for checkout, PR annotations, and SARIF uploads.
• The use of only-new-issues: true focuses linting on issues introduced in the current PR.
• The intentional exit code of 0 ensures that SARIF results are always uploaded, even when lint issues are present.

Suggestion: Based on known discrepancies with line numbers on small patches, you might consider adding the --whole-files option to the args if you encounter mismatches.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c376147 and 986cd15.

📒 Files selected for processing (2)

• .github/mergify.yml (1 hunks)
• .github/workflows/codeql.yml (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/mergify.yml

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: Analyze (go)
• GitHub Check: Lint (golangci)
• GitHub Check: Build (windows-latest, windows)
• GitHub Check: Summary

🔇 Additional comments (9)

.github/workflows/codeql.yml (9)

5-5: Standardized Branch Specification for Push Events
The push event now clearly targets the "main" branch with branches: ["main"]. This improves clarity and consistency in triggering the workflow.

---

8-9: Refined Pull Request Event Configuration
Including both branches: ["main"] and explicit event types (opened, labeled, unlabeled, synchronize) helps limit workflow runs to meaningful PR activities and aligns with our linting objectives.

---

12-12: Cron Schedule Quotation Consistency
Switching to double quotes in the cron expression ("27 19 * * 2") maintains YAML formatting consistency. Verify that this schedule runs at your intended time.

---

27-27: Expanded Analysis Matrix
Updating the matrix to include ["go", "javascript-typescript"] allows the CodeQL analysis to cover both Go and JavaScript/TypeScript. This is a beneficial enhancement for multi-language projects.

---

30-44: Enhanced CodeQL Initialization and Checkout
The updated checkout and CodeQL initialization steps—with detailed inline comments—improve readability and ease future maintenance. The clear annotations help explain the purpose of each step.

---

45-59: Clear Guidance for the Autobuild Step
The expanded comments for the Autobuild step provide useful instructions, especially if manual intervention is needed. This proactive documentation aids in troubleshooting when automatic builds fail.

---

60-64: Simplified CodeQL Analysis Execution
The "Perform CodeQL Analysis" step is straightforward and well-documented. It maintains clarity in how the analysis is executed.

---

102-124: Well-Integrated Semantic Versioning Label Check
The new pr-semver-labels job enforces that a pull request includes exactly one required semver label (major, minor, patch, or no-release). The clear warning message ensures that contributors understand the blocking condition.

---

125-159: Effective PR Size Labeling Configuration
The pr-size-labeler job is neatly configured to automatically label PRs based on their size. Parameters such as label names, size thresholds, and ignored files (e.g., lock files) are appropriately set, enhancing overall PR review processes.