Make security-check informational only #36681

Merged: techknowlogick merged 1 commit into go-gitea:main from silverwind:vulnexit on Feb 20, 2026

silverwind commented Feb 20, 2026 (Member)

Change security-check to not break the build, which is a major inconvenience as it breaks CI on all PRs.

https://github.com/go-gitea/gitea/security/dependabot already provides a clean overview of outstanding security issues in dependencies and I'm using it all the time to find and update vulnerable dependencies.

GiteaBot added the "lgtm/need 2" label (This PR needs two approvals by maintainers to be considered for merging.) on Feb 20, 2026
GiteaBot added the "lgtm/need 1" label (This PR needs approval from one additional maintainer to be merged.) and removed the "lgtm/need 2" label on Feb 20, 2026
silverwind added the "skip-changelog" label (This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features.) on Feb 20, 2026
GiteaBot added the "lgtm/done" label (This PR has enough approvals to get merged. There are no important open reservations anymore.) and removed the "lgtm/need 1" label on Feb 20, 2026
techknowlogick merged commit 87f7291 into go-gitea:main on Feb 20, 2026
24 checks passed
GiteaBot added this to the 1.26.0 milestone on Feb 20, 2026
wxiaoguang deleted the vulnexit branch on February 20, 2026 15:40
chhe pushed a commit to chhe/act_runner that referenced this pull request Feb 22, 2026
## Summary
- Replace old `.golangci.yml` (v1 format) with v2 format, aligned with gitea's lint config
- Add `lint-go`, `lint-go-fix`, and `lint` Makefile targets using golangci-lint v2.10.1
- Replace `make vet` with `make lint` in CI workflow (lint includes vet)
- Fix all 35 lint issues: modernize (maps.Copy, range over int, any), perfsprint (errors.New), unparam (remove unused parameters), revive (var naming), staticcheck, forbidigo exclusion for cmd/
- Make `security-check` non-fatal (apply go-gitea/gitea#36681)
- Remove dead gocritic exclusion rules (commentFormatting, exitAfterDefer)
- Remove dead linter exclusions and disabled checks (singleCaseSwitch, ST1003, QF1001, QF1006, QF1008, testifylint go-require/require-error, test file exclusions for dupl/errcheck/staticcheck/unparam)

## Test plan
- [x] `golangci-lint run` passes
- [x] `go build ./...` passes
- [x] `go test ./...` passes

---------

Co-authored-by: ChristopherHX <christopher.homberger@web.de>
Co-authored-by: Christopher Homberger <christopher.homberger@web.de>
Reviewed-on: https://gitea.com/gitea/act_runner/pulls/803
Reviewed-by: ChristopherHX <christopherhx@noreply.gitea.com>
silverwind added the "backport/v1.25" label (This PR should be backported to Gitea 1.25) on Mar 6, 2026
@silverwind (Member, Author)

Still a problem on 1.25 branch, flagged this for backport.

GiteaBot commented Mar 6, 2026 (Collaborator)

I was unable to create a backport for 1.25. @silverwind, please send one manually. 🍵

```
go run ./contrib/backport 36681
...  // fix git conflicts if any
go run ./contrib/backport --continue
```

GiteaBot added the "backport/manual" label (No power to the bots! Create your backport yourself!) on Mar 6, 2026
Copilot AI added a commit that referenced this pull request Mar 6, 2026
Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
lunny pushed a commit that referenced this pull request Mar 6, 2026
Backport #36681

`security-check` (govulncheck) was failing CI on all PRs whenever
vulnerabilities existed in dependencies. Since
https://github.com/go-gitea/gitea/security/dependabot already surfaces
this information, the check should be informational only.

- **`Makefile`**: Append `|| true` to the `security-check` target so
govulncheck output is preserved but non-zero exits no longer break CI.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
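
The `|| true` described in the commit message above discards every non-zero status, including the one produced when the scanner itself cannot run. The following is an added example (not part of this pull request or Gitea's Makefile) that keeps the check informational while still surfacing tool failures. It assumes govulncheck exits with status 3 when it reports vulnerabilities; the function name `informational_check` is hypothetical.

```shell
#!/bin/sh
# Added example, not Gitea's Makefile. Runs a scanner command and classifies
# its exit status instead of discarding it with `|| true`.
# Assumption: status 3 means "findings reported" (govulncheck's status for
# vulnerabilities found in its default text output mode).
FINDINGS_STATUS=3

# informational_check CMD [ARGS...]
# Returns 0 when the scan is clean or only reports findings, and passes any
# other status through, so a scanner that could not run still fails the job.
informational_check() {
    status=0
    "$@" || status=$?
    case "$status" in
        0)
            echo "security-check: no findings" >&2
            return 0 ;;
        "$FINDINGS_STATUS")
            echo "security-check: findings reported (informational only)" >&2
            return 0 ;;
        *)
            echo "security-check: scanner failed with status $status" >&2
            return "$status" ;;
    esac
}

# Hypothetical invocation from a Makefile recipe or CI step:
#   informational_check govulncheck ./...
```

With this wrapper a missing binary, a network error while fetching the vulnerability database, or a build failure still turns the job red, while reported vulnerabilities do not.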
go-gitea locked as resolved and limited conversation to collaborators on May 22, 2026