Update golangci-lint from v2.10.1 to v2.11.4 #7537
Agent-Logs-Url: https://github.com/Azure/azure-dev/sessions/f849c578-921e-47c6-8afc-95fca6eff77c Co-authored-by: JeffreyCA <9157833+JeffreyCA@users.noreply.github.com>
…ations for G118/G703/G704 Agent-Logs-Url: https://github.com/Azure/azure-dev/sessions/f849c578-921e-47c6-8afc-95fca6eff77c Co-authored-by: JeffreyCA <9157833+JeffreyCA@users.noreply.github.com>
Pull request overview
This PR bumps the repository’s Go lint tooling to golangci-lint v2.11.4 (CI + developer tooling) and updates/suppresses newly surfaced gosec findings so the codebase remains lint-clean under the newer linter.
Changes:
- Updated `golangci-lint` version references in CI workflows and `mage` preflight tooling.
- Added targeted `//nolint:gosec` suppressions for newly reported `gosec` findings (G118/G703/G704) and introduced a global gosec exclude for G122.
- Adjusted a misplaced SSRF (`G704`) suppression to align with the call site flagged by gosec.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `cli/azd/test/internal/tfoidc/main.go` | Moves/adds gosec suppression to the HTTP request creation path for OIDC token fetching. |
| `cli/azd/pkg/ux/spinner.go` | Suppresses gosec G118 for a stored CancelFunc that is invoked later in Stop(). |
| `cli/azd/pkg/update/manager_test.go` | Adds gosec suppression for SSRF-taint false positive in a test transport URL rewrite. |
| `cli/azd/pkg/tools/dotnet/dotnet.go` | Suppresses gosec G703 on a manifest write path used by apphost tooling. |
| `cli/azd/pkg/infra/provisioning/terraform/terraform_provider.go` | Suppresses gosec G703 on parameter file writes in Terraform provisioning. |
| `cli/azd/pkg/infra/provisioning/terraform/terraform_provider_test.go` | Suppresses gosec G703 for controlled test file paths. |
| `cli/azd/magefile.go` | Pins go install of golangci-lint to v2.11.4 for dev preflight. |
| `cli/azd/internal/vsrpc/server.go` | Suppresses gosec G118 where cancel funcs are stored for later invocation (server lifecycle + per-RPC). |
| `cli/azd/internal/repository/initializer_test.go` | Suppresses gosec G703 for controlled fixture writes in tests. |
| `cli/azd/.golangci.yaml` | Adds global gosec exclude for G122 (Walk/WalkDir TOCTOU). |
| `.github/workflows/lint-go.yml` | Updates default golangci-lint input version to v2.11.4. |
| `.github/workflows/copilot-setup-steps.yml` | Updates golangci-lint installer invocation to v2.11.4. |
Pin the installer script URL to v2.11.4 instead of HEAD for reproducibility and supply-chain safety. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bump golangci-lint to v2.11.4 across CI and dev tooling, then fix all newly surfaced gosec findings.
Version references updated
- `.github/workflows/lint-go.yml` — default workflow input
- `.github/workflows/copilot-setup-steps.yml` — curl installer
- `cli/azd/magefile.go` — `go install` target

New gosec rules addressed
- G122 (WalkDir TOCTOU) — Added to `.golangci.yaml` global excludes alongside existing G304. Proper fix requires migrating to `os.Root` APIs; tracked as TODO consistent with other deferred gosec rules.
- G118 (context cancel not called) — 3 false positives where `cancel` is stored in a struct field or map and invoked later (e.g. `s.cancel = cancel` → `s.cancel()` in `Stop()`). Suppressed with `//nolint:gosec` + rationale.
- G703 (path traversal taint) — 3 false positives where paths originate from infra config or test fixtures, not user input. Suppressed inline.
- G704 (SSRF taint) — 2 false positives: one in test transport rewriting to a test server, one hitting a trusted OIDC endpoint. Also fixed a pre-existing misplaced `//nolint` in `tfoidc/main.go` (was on `Do()` but gosec flags `NewRequestWithContext`).

Extension modules
All 6 Go extension modules under `cli/azd/extensions/` pass clean with 0 issues.
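
The G118 case described in the PR text above, as an added Go example that is not code from the azure-dev repository: a stored `CancelFunc` invoked later from `Stop()`, with the inline suppression and a return value a test can assert on so the suppression's rationale is checked rather than assumed. The `worker` type, its method names and the timeout parameter are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// worker is a hypothetical type, not azd code. It stores the CancelFunc in a
// field and calls it later from Stop(), the pattern the PR reports as G118.
type worker struct {
	cancel context.CancelFunc
	done   chan struct{}
}

// Start launches a goroutine bound to ctx and keeps cancel for Stop().
func (w *worker) Start(parent context.Context) {
	if w.cancel != nil {
		return // already running; overwriting would lose the first cancel
	}
	ctx, cancel := context.WithCancel(parent) //nolint:gosec // G118: stored in field, called from Stop()
	w.cancel, w.done = cancel, make(chan struct{})
	go func(done chan struct{}) {
		defer close(done)
		<-ctx.Done() // stand-in for real work that honors cancellation
	}(w.done)
}

// Stop calls the stored cancel; true means the goroutine exited within timeout.
func (w *worker) Stop(timeout time.Duration) bool {
	cancel, done := w.cancel, w.done
	w.cancel = nil
	if cancel == nil {
		return false // nothing to stop, so a repeated Stop is a no-op
	}
	cancel()
	select {
	case <-done:
		return true
	case <-time.After(timeout):
		return false
	}
}

func main() {
	w := &worker{}
	w.Start(context.Background())
	fmt.Println("stopped cleanly:", w.Stop(time.Second))
}
```

The sketch assumes `Start` and `Stop` are called from one goroutine; a type shared across goroutines would guard the two fields with a mutex.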