Add version in .golangci.yml
#316
Conversation
HeavyWombat
added
the
kind/dependency-change
pull-request-size
bot
added
the
size/XS
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6 to 8. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v6...v8) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>
HeavyWombat
force-pushed
the
use/golangci-lint-version-field
branch
2 times, most recently
from
00f1427 to
694f029
Compare
.github/workflows/verify.yaml
Outdated
| with: | ||
| args: --timeout=10m | ||
| args: --new-from-rev=HEAD~ --timeout=10m |
There was a problem hiding this comment.
Where will we find about them then ?
I know it has always been painful (having gosec specifically in mind) that you cannot PR something anymore because you first have to fix new findings due to a tool update, but if we would not be that strict I would assume nobody takes care of that.
There was a problem hiding this comment.
I can open an issue with the existing findings and we can discuss them in the community meeting?
There was a problem hiding this comment.
That is just one side of it. Your change will for all time cause new findings due to tooling changes to be hidden. For that community meeting would be a good place to decide whether that is a good idea and how to handle that.
There was a problem hiding this comment.
That is just one side of it. Your change will for all time cause new findings due to tooling changes to be hidden. For that community meeting would be a good place to decide whether that is a good idea and how to handle that.
I am not sure I follow. That flag will only show linter findings that are introduced with the respective PR. So in theory the amount of current findings in the code remains the same. New findings in new PR should then be addressed in the respective PR.
There was a problem hiding this comment.
I am hunting after those new findings that are in existing code but found because the validation tool is enhanced. Like recently when gosec added integer casting validation. From one moment to the next one when they released that, all new/updated pull requests became red because they had those findings. We then had to fix those first and rebased the other PRs. If we tell the tool to only bring up findings in modified code, then we will not notice those new "tool update findings" anymore. And that we should decide as community. Imo we should either not do what you suggest, or we require some replacement - could be a daily action that scans the existing code and opens an issue when there are findings (like we do with vulns in the latest release).
There was a problem hiding this comment.
I dropped the --new flag.
HeavyWombat
force-pushed
the
use/golangci-lint-version-field
branch
from
694f029 to
4f64b32
Compare
Add `version` in `.golangci.yml` to unblock updates of `golangci/golangci-lint-action`. Signed-off-by: Matthias Diester <[email protected]>
HeavyWombat
force-pushed
the
use/golangci-lint-version-field
branch
from
4f64b32 to
132edcb
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: SaschaSchwarze0 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
Changes
Ref: #312
Add
versionin.golangci.ymlto unblock updates ofgolangci/golangci-lint-action.Submitter Checklist
See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.
Release Notes