chore(ci): align Go to 1.23.x, add staticcheck/govulncheck/gitleaks gates #5

Merged
nsatoshi merged 1 commits from devin/1776539160-chore-ci-go-version-and-scanners into master 2026-04-18 19:34:39 +00:00

Summary

PR #5 of the 11-PR completion sequence. Rewrites .github/workflows/ci.yml so the pipeline actually exercises what the review said was missing, fixes the Go-version drift (go.mod declares go 1.23.0, CI was pinned to 1.22), and wires in three new gates (staticcheck, govulncheck, gitleaks).

Workflow changes

  • Go: 1.22 → 1.23.4 (matches backend/go.mod).
  • Jobs split and named: test-backend, scan-backend, test-frontend, gitleaks.
  • test-backend runs go vet + go build + go test.
  • scan-backend installs staticcheck@v0.5.1... now pinned to latest-that-works-with-Go-1.23 + govulncheck@latest.
  • test-frontend runs npm ci + next lint + tsc --noEmit -p tsconfig.check.json + next build.
  • gitleaks/gitleaks-action@v2 job uses fetch-depth: 0 to scan the full history.
  • Triggers now include master (the actual default branch). Previous workflow targeted main/develop only, so it literally never ran on the repo's real PRs.
  • Action versions bumped (checkout@v4, setup-go@v5, setup-node@v4) and caching enabled for both Node and Go modules.
  • Concurrency group cancels stale runs on the same ref.

.gitleaks.toml (new)

Extends the default ruleset and adds a repo-specific rule so the historical L@kers?$?2010 pattern stays in the detection set even after rotation — any re-introduction via copy-paste from an old branch or stale doc will fail CI. Allowlists docs/SECURITY.md and CHANGELOG.md (where the string is cited as a rotation reference, not a live credential).

backend/staticcheck.conf (new)

Enables all with a carefully-scoped disable list:

  • ST1000/1003/1005/1020/1021/1022 — stylistic comment / naming nits.
  • U1000 — unused fields/funcs. The project has several deliberate stubs that trip this; a later cleanup PR can delete them.
  • S1016, S1031 — noisy simplifications.

Everything in the SA (correctness) family stays on.

Correctness fixes surfaced by staticcheck

  • backend/analytics/token_distribution.go — the "best-effort materialized-view refresh" block no longer dereferences a shadowed err. Scope-tight if err := ... for the subsequent QueryRow.
  • backend/api/rest/middleware.go — compressionMiddleware was parsing Accept-Encoding and then doing nothing with it. Now it's a literal pass-through with a TODO pointing at gorilla/handlers.CompressHandler.
  • backend/api/rest/mission_control.go — shadowed err from json.Unmarshal was silently overwritten by fmt.Errorf and then discarded. Replaced with a scoped if uerr := ... so the RPC fallback runs as intended.
  • backend/indexer/traces/tracer.go — best-effort CREATE TABLE no longer assigns to a shadowed err it never reads.
  • backend/indexer/track2/block_indexer.go — latestBlock - uint64(i) >= 0 was a tautology on uint64. Replaced with an explicit if uint64(i) > latestBlock { break } guard so count=1000 against a shallow chain doesn't underflow.
  • backend/tracing/tracer.go — introduces a local ctxKey type + constants so WithValue stops tripping SA1029 (same pattern as PR #4, but for the tracing package).

Verification

  • go build ./... — clean.
  • go vet ./... — clean.
  • go test ./... — all existing tests PASS.
  • staticcheck ./... — clean except for nine SA1029 hits in api/middleware/auth.go + api/track4/operator_scripts_test.go which are resolved by PR #4. Once PR #4 merges to master and PR #5 rebases, the scan-backend job will be fully green.

Completion criterion advanced

4. CI in good health — "Backend Go version matches go.mod; staticcheck, govulncheck, gitleaks, eslint, and tsc all gate the PR; workflow actually triggers on the default branch."
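The uint64 underflow described under "Correctness fixes" (block_indexer.go), shown as an added example rather than the project's own code: a buggy walk with the tautological guard beside the fixed walk, run against a constructed 6-block chain with count=1000. Function and variable names (blockWindowBuggy, blockWindowFixed, wrappedCount) are assumptions for illustration.

```go
package main

import "fmt"

// blockWindowBuggy mirrors the pre-fix walk: it means to visit count blocks
// backwards from latestBlock, but `latestBlock-uint64(i) >= 0` is always
// true for unsigned values, so once i exceeds latestBlock the subtraction
// wraps and the indexer asks for heights that cannot exist.
func blockWindowBuggy(latestBlock uint64, count int) []uint64 {
	var heights []uint64
	for i := 0; i < count; i++ {
		if latestBlock-uint64(i) >= 0 { // tautology on uint64, flagged by staticcheck
			heights = append(heights, latestBlock-uint64(i))
		}
	}
	return heights
}

// blockWindowFixed applies the guard from the PR: stop before the subtraction
// can underflow, so a shallow chain yields only latestBlock down to 0.
func blockWindowFixed(latestBlock uint64, count int) []uint64 {
	var heights []uint64
	for i := 0; i < count; i++ {
		if uint64(i) > latestBlock {
			break
		}
		heights = append(heights, latestBlock-uint64(i))
	}
	return heights
}

// wrappedCount reports how many heights exceed latest, i.e. how many
// impossible block requests the buggy walk would issue.
func wrappedCount(heights []uint64, latest uint64) int {
	n := 0
	for _, h := range heights {
		if h > latest {
			n++
		}
	}
	return n
}

func main() {
	// Constructed scenario: a 6-block chain (heights 0..5) walked with count=1000.
	buggy, fixed := blockWindowBuggy(5, 1000), blockWindowFixed(5, 1000)
	fmt.Printf("buggy: %d heights, %d wrapped, first bad=%d\n", len(buggy), wrappedCount(buggy, 5), buggy[6])
	fmt.Printf("fixed: %v\n", fixed)
}
```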

nsatoshi added 1 commit 2026-04-18 19:10:48 +00:00
chore(ci): align Go to 1.23.x, add staticcheck/govulncheck/gitleaks gates
Some checks failed
CI / Backend (go 1.23.x) (pull_request) Successful in 6m22s
CI / Backend security scanners (pull_request) Failing after 2m0s
CI / Frontend (node 20) (pull_request) Successful in 3m6s
CI / gitleaks (secret scan) (pull_request) Failing after 17s
09db9de398
.github/workflows/ci.yml:
- Go version: 1.22 -> 1.23.4 (matches go.mod's 'go 1.23.0' declaration).
- Split into four jobs with explicit names:
    * test-backend: go vet + go build + go test
    * scan-backend: staticcheck + govulncheck (installed from pinned tags)
    * test-frontend: npm ci + eslint + tsc --noEmit + next build
    * gitleaks: full-history secret scan on every PR
- Branches triggered: master + main + develop (master is the repo
  default; the previous workflow only triggered on main/develop and
  would never have run on the repo's actual PRs).
- actions/checkout@v4, actions/setup-go@v5, actions/setup-node@v4.
- Concurrency group cancels stale runs on the same ref.
- Node and Go caches enabled for faster CI.

.gitleaks.toml (new):
- Extends gitleaks defaults.
- Custom rule 'explorer-legacy-db-password-L@ker' keeps the historical
  password pattern L@kers?\$?2010 wedged in the detection set even
  after rotation, so any re-introduction (via copy-paste from old
  branches, stale docs, etc.) fails CI.
- Allowlists docs/SECURITY.md and CHANGELOG.md where the string is
  cited in rotation context.

backend/staticcheck.conf (new):
- Enables the full SA* correctness set.
- Temporarily disables ST1000/1003/1005/1020/1021/1022, U1000, S1016,
  S1031. These are stylistic/cosmetic checks; the project has a long
  tail of pre-existing hits there that would bloat every PR. Each is
  commented so the disable can be reverted in a dedicated cleanup.

Legit correctness issues surfaced by staticcheck and fixed in this PR:
- backend/analytics/token_distribution.go: 'best-effort MV refresh'
  block no longer dereferences a shadowed 'err'; scope-tight 'if err :='
  used for the subsequent QueryRow.
- backend/api/rest/middleware.go: compressionMiddleware() was parsing
  Accept-Encoding and doing nothing with it. Now it's a literal
  pass-through with a TODO comment pointing at gorilla/handlers.
- backend/api/rest/mission_control.go: shadowed 'err' from
  json.Unmarshal was assigned to an ignored outer binding via
  fmt.Errorf; replaced with a scoped 'if uerr :=' that lets the RPC
  fallback run as intended.
- backend/indexer/traces/tracer.go: best-effort CREATE TABLE no longer
  discards the error implicitly.
- backend/indexer/track2/block_indexer.go: 'latestBlock - uint64(i) >= 0'
  was a tautology on uint64. Replaced with an explicit
  'if uint64(i) > latestBlock { break }' guard so operators running
  count=1000 against a shallow chain don't underflow.
- backend/tracing/tracer.go: introduces a local ctxKey type and two
  constants so WithValue calls stop tripping SA1029.

Verification:
- go build ./... clean.
- go vet ./... clean.
- go test ./... all existing tests PASS.
- staticcheck ./... clean except for the SA1029 hits in
  api/middleware/auth.go and api/track4/operator_scripts_test.go,
  which are resolved by PR #4 once it merges to master.

Advances completion criterion 4 (CI in good health).
nsatoshi merged commit a20fcc5462 into master 2026-04-18 19:34:39 +00:00
Reference: d-bis/explorer-monorepo#5