🔨 chore: Updates codeql & test workflows and fixes golangci-lint

[bendoerr]

Summary by CodeRabbit

• Chores
  • Enhanced CodeQL workflow with multi-language support, updated action versions, improved runner selection, and expanded permissions.
  • Improved test workflow with dynamic Go versioning, added Terraform setup, and enhanced test reporting using JUnit XML output.
  • Introduced a comprehensive linting configuration for Go code in the test directory.
  • Updated Go module dependencies and toolchain versions for the test suite, refreshing and upgrading libraries.
  • Upgraded lint workflow action version and simplified linting flags configuration.

[coderabbitai]

Warning

Rate limit exceeded

@bendoerr has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 6 minutes and 9 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 799941d and 3b8c976.

⛔ Files ignored due to path filters (1)

• test/go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• .github/workflows/codeql.yml (1 hunks)
• .github/workflows/lint.yml (1 hunks)
• .github/workflows/test.yml (1 hunks)
• test/.golangci.yml (1 hunks)
• test/go.mod (1 hunks)

Walkthrough

The updates introduce significant enhancements to the project's continuous integration and code quality processes. The CodeQL workflow now supports multiple languages and build modes, uses updated actions, and features improved runner selection and permissions. The test workflow has been restructured to dynamically set up Go and Terraform, run tests with detailed reporting, and generate JUnit XML output. A comprehensive golangci-lint configuration file is added to enforce strict linting standards in the test directory. The Go module file is updated to newer Go versions, includes a toolchain directive, and refreshes the dependency graph with upgraded, replaced, and removed packages. The lint workflow was updated to use a newer golangci-lint action version and removed detailed lint flags.

Changes

File(s)	Change Summary
.github/workflows/codeql.yml	Workflow renamed to "CodeQL Advanced". Enhanced to support multiple languages and build modes via a matrix. Runner selection is now conditional. Permissions expanded. Updated actions and versions for hardening, Go setup, and CodeQL. Go setup now uses go-version-file. Added comments for clarity. Manual build step added for certain build modes. Analyze step updated with category parameter.
.github/workflows/test.yml	Go setup changed to use version from test/go.mod. Removed Terratest action. Added Terraform setup. Introduced steps to install go-junit-report, run Go tests with timeout and verbose output, convert output to JUnit XML conditionally, and upload test summary conditionally. Working directories and paths adjusted accordingly.
test/.golangci.yml	New, extensive golangci-lint configuration file added. Enables and configures a wide range of linters with custom settings, exclusion rules, and strict requirements on nolint usage. Tailored for comprehensive code quality enforcement in the test directory.
test/go.mod	Updated Go version (1.21.4 → 1.23.0) and added toolchain directive (Go 1.24.2). Upgraded terratest and many indirect dependencies. Replaced some dependencies (e.g., AWS SDK v1 → v2), removed outdated ones, and added new ones. Reflects a full refresh of the Go dependency graph. No code changes.
.github/workflows/lint.yml	Upgraded reviewdog/action-golangci-lint action from v2.6.2 to v2.8.0. Removed previously specified detailed golangci_lint_flags input. Other parameters unchanged.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant GitHub Actions
    participant CodeQL
    participant Linting
    participant Test Runner
    participant Terraform

    Developer->>GitHub Actions: Push code / open PR
    GitHub Actions->>CodeQL: Run advanced scan (multi-language, build-matrix)
    GitHub Actions->>Linting: Run golangci-lint with strict config
    GitHub Actions->>Test Runner: Set up Go (from go.mod), install tools
    GitHub Actions->>Terraform: Set up Terraform
    GitHub Actions->>Test Runner: Run Go tests, generate JUnit XML
    Test Runner->>GitHub Actions: Upload test report
    GitHub Actions->>Developer: Present analysis, lint, and test results

Loading

Possibly related PRs

• ⬆️ gha: Bump the github-actions group with 4 updates #83: Updates .github/workflows/codeql.yml with CodeQL and harden-runner action version upgrades, overlapping with this PR's workflow updates.
• ⬆️ gha: Bump github/codeql-action from 3.26.3 to 3.26.5 in the github-actions group #85: Also upgrades CodeQL GitHub Actions versions, related through CodeQL workflow version bumps.
• ⬆️ gha: Bump github/codeql-action from 3.26.0 to 3.26.3 in the github-actions group #84: Modifies .github/workflows/codeql.yml to update CodeQL actions versions, related as a narrower version upgrade compared to this PR's broader workflow restructuring.

Suggested labels

dependencies, github_actions

Poem

In the warren where the workflows dwell,
CodeQL advanced, now scans so well!
Linting is strict, dependencies new,
Test reports in XML, shining through.
With Go and Terraform, all set to hop—
This rabbit’s proud, our CI’s tip-top!
🐇✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[coderabbitai]

Actionable comments posted: 7

🔭 Outside diff range comments (2)

test/go.mod (1)

13-138: 🧹 Nitpick (assertive)

Prune stale indirect dependencies
The require block now lists a large number of indirect modules. Run go mod tidy and remove unnecessary entries to slim the module graph and speed up CI.

.github/workflows/codeql.yml (1)

1-110: 🧹 Nitpick (assertive)

Consider consolidating Go setup into a reusable workflow
To DRY up the repeated actions/setup-go usage and version-file reference across workflows, evaluate creating a composite action or reusable workflow that standardizes Go environment setup.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 660e4c7 and ec4c2d5.

⛔ Files ignored due to path filters (1)

• test/go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• .github/workflows/codeql.yml (1 hunks)
• .github/workflows/test.yml (1 hunks)
• test/.golangci.yml (1 hunks)
• test/go.mod (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.35.1)

.github/workflows/test.yml

[warning] 26-26: too few spaces before comment

(comments)

---

[warning] 26-26: missing starting space in comment

(comments)

---

[warning] 35-35: too few spaces before comment

(comments)

---

[error] 39-39: too many blank lines

(1 > 0) (empty-lines)

🪛 GitHub Actions: Test

test/go.mod

[error] 1-1: The specified go version file at: test/go.mod does not exist

🔇 Additional comments (20)

.github/workflows/test.yml (3)

25-27: Approve: Add Terraform setup step
Introducing hashicorp/setup-terraform ensures Terraform CLI is available for terratest and aligns with current best practices.

🧰 Tools

🪛 YAMLlint (1.35.1)

[warning] 26-26: too few spaces before comment

(comments)

---

[warning] 26-26: missing starting space in comment

(comments)

---

37-38: Approve: Always publish test report
Using if: always() ensures JUnit XML is uploaded even on failures, providing CI feedback for flaky or broken tests.

---

23-23:

✅ Verification successful

Verify Go version file path
The actions/setup-go step now reads the Go version from test/go.mod, but the Test job failed with “file does not exist.” Please confirm that test/go.mod is committed at this path and accessible to the workflow.

---

🏁 Script executed:

#!/bin/bash
# Verify that test/go.mod exists in the repository
if [ ! -f test/go.mod ]; then
  echo "ERROR: test/go.mod not found"
  exit 1
fi
echo "SUCCESS: test/go.mod found"

Length of output: 91

---

Go version file path confirmed
I’ve verified that test/go.mod exists in the repository and is accessible to the workflow. No changes needed here.

test/.golangci.yml (5)

3-3: Approve: Lint config version
Setting version: "2" aligns with the current golangci-lint format.

---

9-9: Approve: Adjust max-same-issues
Raising the identical-issue threshold to 50 reduces noise for recurring patterns in generated code.

---

11-19: Approve: Enable formatters
goimports and golines will automatically fix imports and line lengths, supporting consistent code formatting.

---

23-31: Verify local-prefixes match module path
You’ve configured local-prefixes as github.com/bendoerr-terraform-modules/terraform-null-label/test. This should match the module declared in test/go.mod. Please confirm that they are in sync to ensure correct grouping of imports.

---

32-35: Approve: Set golines.max-len to 120
A max line length of 120 is reasonable for readability in test code.

test/go.mod (3)

3-6: Approve: Update Go version and toolchain directive
Specifying go 1.23.0 and toolchain go1.24.2 brings tests in line with the latest runtime and ensures compatibility with new language features.

---

8-10: Approve: Upgrade Terratest dependency
Bumping github.com/gruntwork-io/terratest to v0.48.2 keeps pace with bug fixes and new features.

---

13-138: Verify AWS SDK v2 migration
You’ve replaced AWS SDK v1 with v2 modules. Please confirm that all import paths in your tests have been updated accordingly and that there are no lingering references to github.com/aws/aws-sdk-go.

.github/workflows/codeql.yml (9)

12-12: Approve: Rename workflow to CodeQL Advanced
Clarifies the purpose and highlights the advanced configuration.

---

20-20: Approve: Adjust schedule to 3:19 AM Monday
Running at non-peak hours reduces impact on shared runners.

---

24-25: Approve: Dynamic matrix naming
Incorporating ${{ matrix.language }} in the job name improves clarity in multi-language scans.

---

30-30: Approve: Conditional runner selection
Using macos-latest for Swift and ubuntu-latest otherwise optimizes resource usage per language.

---

35-36: Approve: Expanded permissions
Adding security-events: write and packages: read ensures CodeQL can upload findings and fetch packs.

---

45-49: Approve: Matrix includes Go autobuild
The two-entry matrix covers both actions (none) and Go (autobuild), aligning with typical project needs.

---

72-76: Verify Go version file for CodeQL setup
The actions/setup-go step reads test/go.mod here as well. Confirm the file’s presence and path to avoid Go initialization failures during CodeQL analysis.

---

78-83: Approve: Parameterize build mode in init
Passing build-mode: ${{ matrix.build-mode }} allows fine-grained control over how CodeQL builds and analyzes code.

---

96-104: Approve: Manual build fallback step
The conditional manual build step provides clear instructions and fails fast if autobuild cannot compile the code.

[coderabbitai]

Actionable comments posted: 3

🔭 Outside diff range comments (1)

.github/workflows/test.yml (1)

53-54: 🧹 Nitpick (assertive)

Remove superfluous blank line
YAMLlint reports “too many blank lines.” Please remove the extra empty line at the end of the job.

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 53-53: too many blank lines

(1 > 0) (empty-lines)

♻️ Duplicate comments (4)

test/.golangci.yml (4)

37-111: Consider narrowing enabled linters for performance
Enabling a large number of linters may slow CI feedback. Start with a critical subset (e.g., staticcheck, errcheck, gosec) and progressively enable more.

---

304-308: Remove redundant inamedparam settings
The inamedparam linter is not enabled under linters.enable, so its settings block has no effect. Either enable it or remove this section.

---

113-118: Remove or enable exhaustruct settings
You've declared exclusions for exhaustruct but haven’t enabled the linter. Enable it under linters.enable or remove these settings to avoid dead configuration.

---

409-417: Anchor regex for test-file exclusions
Change the path pattern to anchor the end of the filename:

-path: '_test\.go'
+path: '_test\\.go$'

This ensures only files ending with _test.go are matched.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec4c2d5 and 5e794c1.

⛔ Files ignored due to path filters (1)

• test/go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• .github/workflows/codeql.yml (1 hunks)
• .github/workflows/lint.yml (1 hunks)
• .github/workflows/test.yml (1 hunks)
• test/.golangci.yml (1 hunks)
• test/go.mod (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.35.1)

.github/workflows/test.yml

[warning] 17-17: too few spaces before comment

(comments)

---

[warning] 22-22: too few spaces before comment

(comments)

---

[warning] 25-25: too few spaces before comment

(comments)

---

[warning] 31-31: too few spaces before comment

(comments)

---

[warning] 31-31: missing starting space in comment

(comments)

---

[warning] 49-49: too few spaces before comment

(comments)

---

[error] 53-53: too many blank lines

(1 > 0) (empty-lines)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: golangci-lint

🔇 Additional comments (18)

test/go.mod (3)

3-6: Align Go version and toolchain
The go directive has been bumped to 1.23.0 and the toolchain directive to 1.24.2, ensuring CI and local builds use the same Go version.

---

8-10:

❓ Verification inconclusive

Upgrade primary dependencies
The direct dependency on github.com/gruntwork-io/terratest has been updated to v0.48.2, and github.com/kr/pretty remains at v0.3.1. Verify that any compatibility issues with the Terratest upgrade are addressed.

---

🏁 Script executed:

#!/bin/bash
# Verify no breaking changes in Terratest API usage
rg -R "github.com/gruntwork-io/terratest" -n src/test

Length of output: 458

---

Here's a corrected search to locate any Terratest imports or usage in your test files:

---

🏁 Script executed:

#!/bin/bash
# Verify Terratest API usage in tests
rg -n "github.com/gruntwork-io/terratest" test

Length of output: 518

---

Verify Terratest v0.48.2 upgrade
The direct dependency on github.com/gruntwork-io/terratest has been bumped to v0.48.2. I see it imported in:

• test/examples_complete_test.go:
  • github.com/gruntwork-io/terratest/modules/terraform
  • test_structure "github.com/gruntwork-io/terratest/modules/test-structure"

Please confirm that all Terratest APIs used here are unchanged in v0.48.2 and that your tests pass locally.

---

13-137:

✅ Verification successful

Major dependency graph refresh
The indirect dependencies have been extensively modernized—including migration from AWS SDK v1 to v2 modules, Kubernetes upgrades, and new libraries. Ensure that all imports in src/test reference the AWS SDK v2 paths and no v1 imports remain.

---

🏁 Script executed:

#!/bin/bash
# Check for AWS SDK v1 imports in test code
rg "github.com/aws/aws-sdk-go/" -n src/test && echo "Found AWS v1 imports" || echo "No AWS v1 imports detected"

Length of output: 155

---

🏁 Script executed:

#!/bin/bash
# Search entire repository for any AWS SDK v1 import paths
rg --with-filename --line-number "github.com/aws/aws-sdk-go/" .

Length of output: 63

---

🏁 Script executed:

#!/bin/bash
# Verify AWS SDK v1 imports specifically in the test directory
rg --with-filename --line-number --type go "github.com/aws/aws-sdk-go" test/

Length of output: 76

---

Major dependency graph refresh verified
A repository‑wide search confirms there are no remaining github.com/aws/aws-sdk-go imports—only v2 modules are referenced in test/ and elsewhere. Changes approved.

.github/workflows/test.yml (5)

21-23: Update actions/checkout to v4.1.7
Pinning to a specific commit ensures reproducible CI runs.

🧰 Tools

🪛 YAMLlint (1.35.1)

[warning] 22-22: too few spaces before comment

(comments)

---

24-29: Enhance Go setup with version file and caching
Using actions/[email protected] with go-version-file: test/go.mod and cache: true speeds up test setup and ensures consistency.

🧰 Tools

🪛 YAMLlint (1.35.1)

[warning] 25-25: too few spaces before comment

(comments)

---

30-32: Add Terraform setup step
The hashicorp/[email protected] action is correctly pinned. Confirm version alignment with other Terraform workflows.

🧰 Tools

🪛 YAMLlint (1.35.1)

[warning] 31-31: too few spaces before comment

(comments)

---

[warning] 31-31: missing starting space in comment

(comments)

---

33-36: Install go-junit-report tool
Pinning to v2.1.0 guarantees consistent JUnit XML conversion.

---

37-41: Run Go tests with verbose output
Capturing output via tee into results.out is effective for later conversion.

test/.golangci.yml (1)

1-4: Initialize golangci-lint configuration for the test directory
This new file lays out a comprehensive linting policy tailored for test code.

.github/workflows/codeql.yml (9)

12-21: Rename and reschedule CodeQL workflow
Renaming to “CodeQL Advanced” and shifting the cron to 19 3 * * 1 triggers weekly scans at a non-peak hour.

---

25-31: Use dynamic runner selection by language
Selecting macos-latest for Swift and ubuntu-latest for others optimizes resource usage.

---

33-41: Expand CodeQL permissions
Adding security-events: write and packages: read supports multi-language packs and private repo scanning.

---

43-50: Configure matrix for languages and build modes
The inclusion of actions (none) and go (autobuild) build modes adds flexibility to your scan strategy.

---

59-63: Upgrade hardened runner action
Bumping step-security/harden-runner to v2.12.0 integrates the latest security hardening policies.

---

72-76: Unify Go version usage
Using actions/[email protected] with go-version-file: test/go.mod ensures consistent Go versions across test and scan workflows.

---

78-83: Enhance CodeQL init with build-mode
Upgrading to [email protected] and injecting the matrix’s build-mode ensures proper setup for both autobuild and none modes.

---

96-105: Provide clear manual build instructions
The manual build-mode step gives clear placeholders for custom build commands when needed.

---

106-110: Upgrade CodeQL analyze action
Using [email protected] with a dynamic category per language surfaces findings by language.

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 6

🔭 Outside diff range comments (1)

.github/workflows/test.yml (1)

48-53: ⚠️ Potential issue

Fix hashFiles path for XML results
Similarly, change the upload guard from:

if: hashFiles('test/results.xml') != ''

to:

-if: hashFiles('test/results.xml') != ''
+if: hashFiles('src/test/results.xml') != ''

The paths: src/test/results.xml entry is already correct.

🛑 Comments failed to post (6)

test/go.mod (1)

8-8: 💡 Verification agent

🧩 Analysis chain

Bump Terratest dependency
Upgrading github.com/gruntwork-io/terratest to v0.48.2 is straightforward. Ensure existing tests still pass against this version.

Please run:

to confirm compatibility.

---

🏁 Script executed:

go test ./test/...

Length of output: 169

---

Fix test invocation in the test module
The go test ./test/... command is now failing with:

pattern ./test/...: directory prefix test does not contain main module or its selected dependencies

Please confirm the Terratest upgrade by one of the following:

• Run tests from inside the test directory:

  cd test && go test ./...

• Or add a go.work at the repo root to include ./test:

  go work init . ./test
  go work sync
  go test ./test/...

Once tests pass, we can approve this bump.

.github/workflows/test.yml (1)

42-47: ⚠️ Potential issue

Fix hashFiles path for test output
The condition currently checks:

if: hashFiles('test/results.out') != ''

When the Run Tests step writes to src/test/results.out, this will never match. Update to:

-if: hashFiles('test/results.out') != ''
+if: hashFiles('src/test/results.out') != ''

test/.golangci.yml (4)

425-428: 🧹 Nitpick (assertive)

Anchor test-file exclusion regex
Change the path pattern from '_test\.go' to '_test\.go$' so it only matches files ending in _test.go.

---

37-111: 🧹 Nitpick (assertive)

Consider narrowing enabled linters for faster feedback
With over 70 linters enabled, CI runs may slow down. Start with a core subset (e.g., staticcheck, errcheck, gosec) and gradually enable more as confidence grows.

---

220-228: ⚠️ Potential issue

Remove or enable exhaustruct settings
There’s an exhaustruct configuration block but the linter is commented out in linters.enable. Either uncomment it or remove this dead config to avoid confusion.

---

304-308: 🧹 Nitpick (assertive)

Remove redundant inamedparam settings
The inamedparam settings block has no effect unless the linter is enabled. Consider removing it or adding inamedparam to linters.enable.