Lint workflow fails after golangci-lint latest resolved to v2.12.1

[steadytao]

Issue Details

The lint workflow is currently failing because golangci/golangci-lint-action is configured with version: latest and the action has recently resolved that to golangci-lint v2.12.1.

That version is now reporting repo-wide findings across gosec, govet and modernize causing the lint job to fail.

Current findings include:

• gosec
  • G124 cookie attribute findings in:
    • modules/caddyhttp/fileserver/browse.go
    • modules/caddyhttp/reverseproxy/selectionpolicies.go
  • G710 open redirect taint finding in:
    • modules/caddyhttp/fileserver/staticfiles.go
• govet
  • reflect.Ptr inline constant findings in:
    • cmd/packagesfuncs.go
    • context.go
• modernize
  • slices.Backward suggestions in:
    • modules/caddyhttp/routes.go
    • modules/caddyhttp/server.go
• https://github.com/caddyserver/caddy/actions/runs/25268991738/job/74088187876

I think this should be tracked separately because there are two related concerns:

1. the workflow is currently non-deterministic because it follows latest
2. several of the new findings appear valid enough to clean up rather than only suppress

A reasonable fix may be to pin golangci-lint to a known-good version first then clean up the new findings and intentionally bump the pinned version afterwards.

Assistance Disclosure

AI not used

If AI was used, describe the extent to which it was used.

No response

[mohammed90]

I think we should keep latest. Although it's sometimes annoying when new issues come up seemingly randomly, we need it to bring up uncaught issues that's been identified in the ecosystem. There's automation for actions and deps upgrade, i.e. dependabot, but there isn't automation for such embedded field.

[mholt]

Yeah, I was thinking about this over the weekend, and I also agree that maybe keeping latest is a net benefit. The linters definitely have regressions which is annoying, but it's probably better overall.