ci: add GitHub Actions workflow mirroring Prow CI jobs#275
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Details
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Actionable comments posted: 2
🧹 Nitpick comments (2)
.github/workflows/pre-main.yml (2)
3-10: ⚡ Quick win
Consider adding concurrency to cancel superseded runs (optional).
Since this workflow runs on every PR update and every push to main, adding a top-level concurrency block (cancel-in-progress: true) can reduce wasted compute when multiple commits land close together.
🟡 Optional concurrency block
on: pull_request: branches: - main push: branches: - main + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true
🤖 Prompt for AI Agents
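Review bot: `cancel-in-progress: true` in this block applies to `push` on `main` as well as to pull requests, because the group key falls back to `github.ref` when there is no PR number; cancelling the in-flight run for an earlier `main` commit leaves that commit without a completed check. If a status per `main` commit matters, make cancellation conditional, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, and keep the group key as written.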
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pre-main.yml around lines 3 - 10, Add a top-level GitHub Actions concurrency block to the workflow to cancel superseded runs: under the top-level (same level as "on:") add a "concurrency" stanza with a descriptive group key (e.g. using "${{ github.workflow }}-${{ github.ref }}" or similar) and set "cancel-in-progress: true" so that when multiple commits/PR updates trigger the workflow only the latest run proceeds; update the workflow metadata near the existing "on:" block to include this "concurrency" key.
88-109: ⚖️ Poor tradeoff
Pin security scanner tool versions; verify CLI flags & whether vendor/ is scanned.
The security job installs both scanners with @latest:
- gosec ...@latest (Line 102)
- govulncheck ...@latest (Line 107)
This can break CI unpredictably when either tool changes behavior/defaults. Also, please verify two things:
- The gosec flags -exclude-generated and -exclude-dir=vendor are valid for gosec/v2 as installed.
- Whether govulncheck ./... effectively excludes vendor/ in module/package discovery (to avoid slow/duplicate scanning).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pre-main.yml around lines 88 - 109, Pin the scanner installs in the security job by replacing the two `@latest` installs (the `go install github.com/securego/gosec/v2/cmd/gosec@latest` and `go install golang.org/x/vuln/cmd/govulncheck@latest` commands) with explicit, tested version tags (e.g. `@vX.Y.Z`), then validate the gosec CLI flags `-exclude-generated` and `-exclude-dir=vendor` used in the `gosec -exclude-generated -exclude-dir=vendor ./...` line against the pinned gosec v2 release and correct them if the flag names differ; finally confirm whether `govulncheck ./...` will include `vendor/` for the pinned govulncheck release and if it does, change the invocation to either pass an explicit package list that excludes vendor (via `go list` filtering) or use the govulncheck flag/option supported by that pinned release to exclude vendor, so CI behavior is stable and vendor is not scanned twice.
```yaml
  verify-deps:
    name: Verify vendor dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Regenerate vendor directory
        run: |
          go mod tidy
          go mod vendor

      - name: Check for changes
        run: git diff --exit-code
```
Make verify-deps fail on untracked changes (not just diffs).
verify-deps regenerates vendor and then runs git diff --exit-code (Line 71). git diff won’t fail on newly-created untracked files. If regeneration introduces any untracked outputs (or if vendor/ isn’t fully tracked for some reason), the job can incorrectly pass.
✅ Suggested change (use `git status --porcelain` gate)
- name: Check for changes
- run: git diff --exit-code
+ run: |
+ git diff --exit-code
+ status="$(git status --porcelain)"
+ if [ -n "$status" ]; then
+ echo "$status"
+ exit 1
+ fi
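Review bot: once `git status --porcelain` gates the step, the `git diff --exit-code` line kept at the top of the new `run:` block is redundant: porcelain output already lists modified tracked files, and on its own `git diff --exit-code` also overlooks staged changes, so the porcelain check is strictly stronger. Either drop that first line or keep it only for the readable diff it prints on failure; the `echo "$status"` before `exit 1` is what makes the failing paths visible in the job log, so keep that.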
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/pre-main.yml around lines 53 - 72, The verify-deps job
currently regenerates the vendor dir and then runs git diff --exit-code which
misses untracked files; modify the check step in the verify-deps job (the step
after "Regenerate vendor directory" that currently runs git diff --exit-code) to
also detect untracked files — e.g., run git status --porcelain and fail if any
output exists (or use git ls-files --others --exclude-standard and fail on
output) so untracked vendor changes cause the job to fail.
```yaml
  images:
    name: Build verification
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Build for linux/amd64
        run: GOOS=linux GOARCH=amd64 make build
```
Ensure images checkout fetches git tags/history for make build versioning.
Your images job checks out with default depth, but make build (per the project Makefile) appears to use git describe --tag to derive BUILD_VERSION when OS_GIT_VERSION isn’t set. With a shallow checkout, tags may be missing, which can make build metadata unstable or fail the version extraction.
✅ Suggested change (fetch full history/tags in `images`)
- name: Checkout code
uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
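Review bot: `fetch-depth: 0` is the right choice here rather than actions/checkout's `fetch-tags: true`, because `git describe --tag` needs the commits between HEAD and the nearest tag; tags fetched onto a depth-1 checkout only help when HEAD itself is tagged. The cost is a full clone on every `images` run, which is acceptable since the other jobs in the workflow do not call `make build` and can stay shallow.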
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/pre-main.yml around lines 110 - 124, The images job's
checkout step uses a shallow fetch which can omit tags/history needed by make
build's git describe --tag versioning; update the actions/checkout@v4 step in
the images job to fetch full history/tags (e.g., set fetch-depth: 0 or otherwise
enable fetching tags) so git describe --tag (used by make build/BUILD_VERSION)
can find tags and produce stable build metadata.
Actionable comments posted: 2
♻️ Duplicate comments (1)
.github/workflows/pre-main.yml (1)
70-71: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
verify-deps still misses untracked-file drift after vendoring.
git diff --exit-code on Line 71 does not fail for newly created untracked files, so dependency regeneration can still pass with repository drift.
Suggested fix
- name: Check for changes - run: git diff --exit-code + run: | + git diff --exit-code + status="$(git status --porcelain)" + if [ -n "$status" ]; then + echo "$status" + exit 1 + fi
As per coding guidelines, dependency verification in CI should be robust enough to fail on all repo mutations, including untracked outputs.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pre-main.yml around lines 70 - 71, The current git diff command on line 71 only detects modifications to already-tracked files but does not fail when new untracked files are created during the vendoring process. Modify the run command to check for both tracked file changes and untracked files. You should combine the git diff check with an additional check for untracked files using git status --porcelain or similar to ensure the verification fails on any repository mutations including newly generated untracked outputs.
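The gate that both `verify-deps` comments above ask for, as an added example that is not code from the PR or from the CodeRabbit suggestions: a POSIX shell drift check that fails on untracked files as well as modified ones, exercised against a throwaway git repository constructed inside the script. The repository, its `go.mod`, and the simulated vendor package are assumptions made for the demonstration; in the real workflow step the check would run in the job's checkout right after `go mod tidy && go mod vendor`.

```shell
#!/bin/sh
# Added example (not from the PR or its reviewer): a drift gate for a
# "regenerate vendor/, then verify nothing changed" CI step.

# Return 0 when the working tree at $1 has no modified, staged, deleted
# or untracked paths; otherwise print the offending paths to stderr and
# return 1. `git status --porcelain` emits one line per change of any
# kind, including untracked files (prefixed "??"), which is exactly what
# `git diff --exit-code` never reports: it only compares tracked files
# against the index.
check_clean_tree() {
  drift="$(git -C "$1" status --porcelain)"
  if [ -n "$drift" ]; then
    printf 'repository drift detected:\n%s\n' "$drift" >&2
    return 1
  fi
  return 0
}

# The weaker check the workflow currently relies on, kept for comparison.
check_tracked_diff_only() {
  git -C "$1" diff --exit-code --quiet
}

# Build a throwaway repository (constructed for the demonstration) with
# one committed file, and print its path. Identity is passed with -c so
# the commit works on a runner that has no git config.
make_demo_repo() {
  dir="$(mktemp -d)"
  git -C "$dir" init -q
  printf 'module example.com/demo\n' > "$dir/go.mod"
  git -C "$dir" add go.mod
  git -C "$dir" -c user.name=ci -c user.email=ci@example.invalid \
    commit -q -m 'initial'
  printf '%s\n' "$dir"
}

# Simulate `go mod vendor` adding a package directory that is not tracked.
add_untracked_vendor_file() {
  mkdir -p "$1/vendor/example.com/newdep"
  printf 'package newdep\n' > "$1/vendor/example.com/newdep/newdep.go"
}

demo_repo="$(make_demo_repo)"
check_clean_tree "$demo_repo" && echo "clean tree: gate passes"
add_untracked_vendor_file "$demo_repo"
if check_tracked_diff_only "$demo_repo"; then
  echo "git diff --exit-code: still passes, the untracked file is missed"
fi
if ! check_clean_tree "$demo_repo" 2>/dev/null; then
  echo "git status --porcelain gate: fails as intended"
fi
```

In the workflow the step body reduces to `check_clean_tree .`; the diff-only function is there only to show the gap the comment describes, not to be used.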
```yaml
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
```
🧩 Analysis chain
🏁 Script executed:
```shell
cat -n .github/workflows/pre-main.yml
```
Repository: openshift/kube-compare
Length of output: 3927
🏁 Script executed:
```shell
# Check the GitHub Actions releases to get the current v4 SHA
web_search_result=$(curl -s "https://api.github.com/repos/actions/checkout/releases/tags/v4" 2>/dev/null | python3 -c "import sys, json; data = json.load(sys.stdin); print(data.get('target_commitish', 'N/A'))" 2>/dev/null)
echo "actions/checkout@v4 commit: $web_search_result"
# Alternatively, let's check what the actual risk is by understanding the broader context
echo "Checking for all action usages in workflow:"
rg 'uses: ' .github/workflows/pre-main.yml
```
Repository: openshift/kube-compare
Length of output: 685
🌐 Web query:
actions/checkout v4 latest commit SHA
💡 Result:
As of June 15, 2026, the branch v4 of the actions/checkout repository points to the latest commit SHA 4823ef7dded2f227249189a5d8cc3efa39f98340 [1]. It is important to note that actions/checkout@v4 is a floating tag/branch reference [2][3]. In GitHub Actions, specifying a version like @v4 means your workflow will automatically use the latest changes pushed to that branch [2][3]. If you require a static, immutable version for security or reproducibility, you should use the full 40-character commit SHA in your workflow configuration instead of the v4 tag: - uses: actions/checkout@4823ef7 [1]
Citations:
- 1: actions/checkout@4823ef7
- 2: https://github.com/actions/checkout/tree/v4
- 3: https://github.com/actions/checkout/blob/v4/README.md
Harden checkout steps with persist-credentials: false and pin actions by full SHA.
Checkout steps use tag-based references (@v4) instead of full commit SHAs, and omit persist-credentials: false. This leaves credentials persisted in the environment, increasing token exposure risk, and allows unexpected changes from tag updates.
Apply both fixes to all checkout steps:
- Pin actions/checkout@v4 to SHA 4823ef7dded2f227249189a5d8cc3efa39f98340
- Add persist-credentials: false to disable credential persistence
Applies to lines: 19–22, 39–40, 57–58, 77–78, 92–93, 114–115, 129–130
Also pin other GitHub Actions (setup-go@v5, golangci-lint-action@v6, markdownlint-cli2-action@v19) to their respective commit SHAs per CI/CD security guidelines.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 19-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pre-main.yml around lines 19 - 22, The GitHub Actions
checkout steps in the pre-main.yml workflow are not hardened against security
risks. Update all checkout action references (at lines 19–22, 39–40, 57–58,
77–78, 92–93, 114–115, and 129–130) by replacing the tag-based reference
`actions/checkout@v4` with the pinned full commit SHA
`4823ef7dded2f227249189a5d8cc3efa39f98340`, and add the `persist-credentials:
false` parameter to each checkout step to prevent credential persistence.
Additionally, pin the other GitHub Actions used in the workflow: replace
`actions/setup-go@v5` with its full SHA, `golangci-lint-action@v6` with its full
SHA, and `markdownlint-cli2-action@v19` with its full SHA according to CI/CD
security guidelines, ensuring no tag-based references remain in the workflow.
Sources: Coding guidelines, Linters/SAST tools
```yaml
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
```
🧩 Analysis chain
🏁 Script executed:
```shell
cat -n .github/workflows/pre-main.yml | head -150
```
Repository: openshift/kube-compare
Length of output: 3927
Pin every uses: reference to immutable commit SHAs.
Lines 20, 25, 30, 40, 43, 58, 61, 78, 81, 93, 96, 115, 118, 130, and 133 all use mutable tags (@v*). This weakens supply-chain integrity for CI execution; version tags can be re-tagged by maintainers, introducing unexpected code changes.
Suggested pattern
- uses: actions/checkout@v4
+ uses: actions/checkout@<full_commit_sha>
- uses: actions/setup-go@v5
+ uses: actions/setup-go@<full_commit_sha>
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@<full_commit_sha>
- uses: DavidAnson/markdownlint-cli2-action@v19
+ uses: DavidAnson/markdownlint-cli2-action@<full_commit_sha>
🧰 Tools
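Review bot: a bare `<full_commit_sha>` leaves no record of which release the hash was taken from; append the tag as a trailing comment, e.g. `uses: actions/checkout@<full_commit_sha> # v4`, so reviewers can read the version and Dependabot or Renovate can keep the SHA current. Take each hash from the action's own repository (`git ls-remote --tags`, using the peeled `^{}` entry for annotated tags) rather than from a search result, and confirm it is the commit, not the tag object, before committing the change.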
🪛 zizmor (1.25.2)
[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pre-main.yml at line 20, Replace all mutable version tags
in the `uses:` statements throughout the workflow file with their corresponding
immutable commit SHAs to strengthen supply-chain integrity. For each action
reference (such as `actions/checkout@v4`, `actions/setup-node@v*`,
`actions/upload-artifact@v*`, etc.), replace the `@v*` tag with the full commit
SHA of that specific version. This prevents maintainers from re-tagging versions
and introducing unexpected code changes during workflow execution.
Sources: Coding guidelines, Linters/SAST tools
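A way to produce the pinned `uses:` lines that the two comments above call for, as an added example that is not code from the PR or from the reviewer: a POSIX shell script that resolves a tag to the commit it points to from `git ls-remote --tags` style output, emits the pinned line with the tag kept as a comment, and flags workflow lines that still carry a mutable ref. The listing is constructed inline with made-up 40-digit hashes (they are not the real commits of actions/checkout or any other action) so the script runs offline; in practice the listing comes from `git ls-remote --tags https://github.com/<owner>/<repo>`. Annotated tags appear twice in that output, once as the tag object and once peeled (`^{}`) to the commit, and it is the commit hash that the workflow must carry.

```shell
#!/bin/sh
# Added example (not from the PR or its reviewer): resolve action tags to
# commit hashes for SHA pinning, and find workflow lines that are unpinned.

# Constructed sample in the shape of `git ls-remote --tags <url>` output
# (real output separates the columns with a tab; awk accepts either).
# Hashes are made up for the example; they are not real action commits.
# v4 and v4.2.2 are annotated tags (tag object + peeled "^{}" commit);
# v4.1.0 is a lightweight tag that points straight at a commit.
SAMPLE_LS_REMOTE='0000000000000000000000000000000000000001 refs/tags/v3
1111111111111111111111111111111111111111 refs/tags/v4
2222222222222222222222222222222222222222 refs/tags/v4^{}
3333333333333333333333333333333333333333 refs/tags/v4.2.2
4444444444444444444444444444444444444444 refs/tags/v4.2.2^{}
5555555555555555555555555555555555555555 refs/tags/v4.1.0'

# Constructed excerpt of a workflow, mixing mutable tags with one SHA pin.
SAMPLE_WORKFLOW='      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - uses: actions/checkout@2222222222222222222222222222222222222222 # v4'

# Print the commit hash for tag $2 from the ls-remote listing in $1.
# Prefer the peeled entry (refs/tags/<tag>^{}), which is the commit an
# annotated tag points to; fall back to the plain entry, which is the
# commit itself for a lightweight tag. Return 1 when the tag is absent.
resolve_tag_commit() {
  listing="$1"
  tag="$2"
  sha="$(printf '%s\n' "$listing" |
    awk -v ref="refs/tags/${tag}^{}" '$2 == ref { print $1; exit }')"
  if [ -z "$sha" ]; then
    sha="$(printf '%s\n' "$listing" |
      awk -v ref="refs/tags/${tag}" '$2 == ref { print $1; exit }')"
  fi
  if [ -z "$sha" ]; then
    echo "tag ${tag} not found in listing" >&2
    return 1
  fi
  printf '%s\n' "$sha"
}

# Emit a pinned `uses:` line, keeping the tag as a trailing comment so a
# reader (or Dependabot/Renovate) can tell which release the hash is.
# Refuses anything that is not a full 40-hex commit hash.
pinned_uses() {
  action="$1"
  tag="$2"
  listing="$3"
  sha="$(resolve_tag_commit "$listing" "$tag")" || return 1
  if ! printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
    echo "refusing to pin ${action}@${tag}: '${sha}' is not a commit hash" >&2
    return 1
  fi
  printf 'uses: %s@%s # %s\n' "$action" "$sha" "$tag"
}

# List `uses:` lines in workflow text $1 whose ref is not a 40-hex hash.
unpinned_uses() {
  printf '%s\n' "$1" | grep 'uses:' | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)'
}

pinned_uses actions/checkout v4 "$SAMPLE_LS_REMOTE"
pinned_uses actions/checkout v4.1.0 "$SAMPLE_LS_REMOTE"
echo "unpinned references in the sample workflow:"
unpinned_uses "$SAMPLE_WORKFLOW"
```

The same `unpinned_uses` filter run over `.github/workflows/*.yml` is a cheap pre-commit check; zizmor's `unpinned-uses` rule, shown in the tool output above, performs the equivalent check with full YAML parsing.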
Add a pre-main workflow with 7 independent jobs that mirror the existing Prow CI checks: golint, modtidy, verify-deps, unit tests, security scanning, build verification, and markdownlint. This provides redundant CI coverage via GitHub Actions while the OpenShift CI cluster experiences capacity issues.
Actionable comments posted: 1
```yaml
      - name: Run gosec
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec -exclude-generated -exclude-dir=vendor ./...

      - name: Run govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
```
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
```shell
#!/bin/bash
set -euo pipefail
# Locate the workflow and inspect the relevant section with line numbers.
git ls-files '.github/workflows/pre-main.yml'
wc -l .github/workflows/pre-main.yml
sed -n '85,120p' .github/workflows/pre-main.yml | cat -n
```
Repository: openshift/kube-compare
Length of output: 1332
Pin gosec and govulncheck to explicit release versions. @latest makes these security checks mutable over time; use fixed versions so the workflow does not change behavior without a repo diff.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pre-main.yml around lines 100 - 108, The workflow steps
for Run gosec and Run govulncheck currently install tooling with mutable latest
tags, which can change behavior without code changes. Update the install
commands in the security scan jobs to use fixed release versions for gosec and
govulncheck instead of `@latest`, keeping the rest of the step logic unchanged.
Use the existing step names and the gosec/govulncheck invocations to locate the
workflow entries.
@sebrandon1: all tests passed! Full PR test history. Your PR dashboard.
Details
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Summary
Adds a GitHub Actions workflow (.github/workflows/pre-main.yml) that mirrors all 7 existing Prow CI jobs. This provides redundant CI coverage while the OpenShift CI cluster experiences capacity/scheduling issues (e.g., pod scheduling timeouts on ci/prow/verify-deps).
Supersedes #246 — that PR was closed because it bundled too many changes together (golangci-lint config migration to v2 format, source code fixes, golden file updates). This PR takes a minimal approach: only the workflow file is added, no other files are modified.
Jobs
| Job | Prow job | Notes |
| --- | --- | --- |
| golint | ci/prow/golint | |
| modtidy | ci/prow/modtidy | go mod tidy produces no changes |
| verify-deps | ci/prow/verify-deps | |
| unit | ci/prow/unit | make test-all (pkg + addon tools) |
| security | ci/prow/security | |
| images | ci/prow/images | |
| markdownlint | ci/prow/markdownlint | |
Key decisions vs #246
- No .golangci.yml changes — the existing v1 config is used as-is
Test plan