Skip to content

Commit

Permalink
Update go min require and golangci-lint (#1885)
Browse files Browse the repository at this point in the history 
* update golangci-lint to v1.62.x

Signed-off-by: cpanato <ctadeu@gmail.com>

* update go to min go1.23.4

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: cpanato <ctadeu@gmail.com>
  • Loading branch information
@cpanato
cpanato authored Dec 12, 2024
1 parent 811318b commit eb1f9a3
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/verify.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ jobs:
- name: golangci-lint
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
version: v1.61
version: v1.62

oidc-config:
name: oidc-config
Expand Down
2 changes: 1 addition & 1 deletion go.mod
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/sigstore/fulcio

go 1.23.2
go 1.23.4

require (
chainguard.dev/go-grpc-kit v0.17.7
Expand Down

1 comment on commit eb1f9a3

@kaovilai
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stop bumping go directive unless necessitated by other dependencies

There is nothing necessitating this bump.

❯ go mod graph | grep go@1.23.4
github.com/sigstore/fulcio go@1.23.4
go@1.23.4 toolchain@go1.23.4

❯ go mod graph | grep go@1.23.| grep -v fulcio
chainguard.dev/go-grpc-kit@v0.17.7 go@1.23.1
chainguard.dev/sdk@v0.1.29 go@1.23.3
go@1.23.4 toolchain@go1.23.4

The minimum should be 1.23.3 without fulcio's own bump.

Stop the minimum virus :D

This repo by itself should not be enforcing minimum on other repositories importing it. Stop spreading "minimum virus"

toolchain version used will be defined outside of go.mod ideally, such as by installing a newer compatible go toolchain to ci/cd/development env.

Failing that, toolchain directive should be used instead of go directive for bumping versions to not cascade minimum versions to importing dependencies.

toolchain directive, in contrast to the go directive, applies only to the current module (the one defined by the go.mod file). It suggests the toolchain to be used when in that very module, and doesn't propagate to other modules.

High profile repos that have removed/reduced minimum go patch version per user requests

Being proactive to prevent following from reoccuring

Please sign in to comment.