update to go 1.26 (debug/buildinfo is a new default package) #458

Open
Soph wants to merge 1 commit into main from soph/go-1-26

Soph (Collaborator) commented Feb 22, 2026

  • Update Go from 1.25.6 to 1.26.0
  • Update golangci-lint from 2.8.0 to 2.10.1 (required for Go 1.26 support)
  • Rename buildinfo package to versioninfo (Go 1.26 added debug/buildinfo to stdlib, causing linter conflict)
  • Add gosec exclusions for CLI-appropriate rules with hybrid approach:
    • Global: G204/G702 (subprocess), G705 (XSS) - always irrelevant for CLI
    • Targeted //nolint comments for G115, G703, G704 - preserves future detection

Copilot AI review requested due to automatic review settings February 22, 2026 20:27
@Soph Soph requested a review from a team as a code owner February 22, 2026 20:27

cursor bot commented Feb 22, 2026

PR Summary

Medium Risk
Mostly tooling/config and package-rename churn, but it touches version propagation into checkpoint metadata and relaxes some gosec checks around subprocess execution, which could mask future unsafe command construction if validations regress.

Overview
Bumps the project toolchain to Go 1.26.0 and updates local dev tooling (mise, golangci-lint) accordingly.

Renames the internal build metadata package from buildinfo to versioninfo and updates all callers (checkpoint/session metadata, telemetry, entire version, and release/install ldflags in goreleaser/mise) to reference the new symbols.

Adjusts security linting: adds global gosec excludes for CLI-expected subprocess/XSS rules and replaces several inline //nolint:gosec suppressions with targeted ones (e.g., fd casts, os.Rename, outbound HTTP, pager/exec usage), plus minor string builder formatting refactors (fmt.Fprintf).

Written by Cursor Bugbot for commit 698e604.

Copilot AI (Contributor) left a comment

Pull request overview

Updates the toolchain and lint configuration for Entire CLI to support Go 1.26, while avoiding a naming collision with Go’s new debug/buildinfo stdlib package and aligning security linting with CLI realities.

Changes:

  • Bump Go to 1.26.0 and golangci-lint to 2.10.1 across mise.toml and go.mod.
  • Rename the internal buildinfo package to versioninfo and update all imports + linker -X ldflags references.
  • Add global gosec excludes for CLI-irrelevant rules and add targeted //nolint suppressions where needed.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| mise.toml | Updates Go/golangci-lint tool versions and switches build ldflags from buildinfo to versioninfo. |
| mise-tasks/dev/publish | Updates install ldflags to use versioninfo. |
| go.mod | Bumps Go version directive to 1.26.0. |
| cmd/entire/cli/versioninfo/versioninfo.go | Renames package declaration to versioninfo for ldflags + imports. |
| cmd/entire/cli/versioncheck/versioncheck.go | Adds targeted gosec suppressions for rename + outbound HTTP request. |
| cmd/entire/cli/trailers/trailers.go | Replaces fmt.Sprintf+WriteString with fmt.Fprintf into a builder. |
| cmd/entire/cli/telemetry/detached_unix.go | Removes now-unnecessary gosec suppression for subprocess invocation. |
| cmd/entire/cli/strategy/phase_wiring_test.go | Updates imports and assertions from buildinfo to versioninfo. |
| cmd/entire/cli/strategy/manual_commit_session.go | Switches stored CLI version source to versioninfo.Version. |
| cmd/entire/cli/strategy/manual_commit_condensation.go | Uses fmt.Fprintf for builder formatting to reduce allocations / satisfy lint. |
| cmd/entire/cli/strategy/common.go | Uses fmt.Fprintf in message building; removes gosec suppressions now handled globally. |
| cmd/entire/cli/strategy/auto_commit.go | Switches stored CLI version source to versioninfo.Version. |
| cmd/entire/cli/root.go | Updates telemetry/versioncheck/version output to use versioninfo. |
| cmd/entire/cli/git_operations.go | Removes gosec suppressions on git fetch subprocess usage (now globally excluded). |
| cmd/entire/cli/explain.go | Adds targeted gosec suppressions for uintptr→int fd conversions; removes subprocess nolint. |
| cmd/entire/cli/checkpoint/temporary.go | Removes gosec suppression on git branch -D subprocess usage (now globally excluded). |
| cmd/entire/cli/checkpoint/committed.go | Switches stored CLI version source to versioninfo.Version; builder formatting via fmt.Fprintf. |
| cmd/entire/cli/checkpoint/checkpoint_test.go | Updates tests to assert versioninfo.Version is persisted. |
| .goreleaser.yaml | Updates release ldflags to set versioninfo.Version/Commit. |
| .golangci.yaml | Adds global gosec excludes (G204/G702/G705) and keeps targeted suppressions elsewhere. |

Comment on lines 177 to +178
client := &http.Client{}
resp, err := client.Do(req)
resp, err := client.Do(req) //nolint:gosec // G704: intentional request to GitHub releases API
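
Review bot: the //nolint:gosec on the added client.Do(req) line suppresses every gosec rule on that statement, while its trailing text names only G704, so a different gosec finding raised on this line later would be hidden as well. The hunk also does not show how req is built; if its URL is a fixed GitHub releases endpoint, say so in the justification so the suppression can be re-checked when that code changes, and narrow the directive to the single rule where the tooling allows it (gosec's own annotation form is #nosec G704).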

Copilot AI Feb 22, 2026

Consider configuring the http.Client with an explicit Timeout (you already have httpTimeout and a request context) instead of suppressing gosec on the outbound request. This keeps the linter useful and makes the timeout behavior self-documenting at the client level.
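
A sketch of the suggestion in the review comment above, as an added example that is not code from this pull request: the client carries its own Timeout alongside the request context, and the destination host is compared with a fixed value before anything is sent. fetchRelease, isTimeout, the allowedHost parameter and the timeout values are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"time"
)

// fetchRelease (hypothetical helper) rejects any URL whose host differs from
// allowedHost, then sends the GET through a client that has its own Timeout.
func fetchRelease(ctx context.Context, rawURL, allowedHost string, timeout time.Duration) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, fmt.Errorf("parse url: %w", err)
	}
	if u.Host != allowedHost {
		return nil, fmt.Errorf("host %q is not the expected %q", u.Host, allowedHost)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	client := &http.Client{Timeout: timeout} // covers connect, headers and body read
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the body at 1 MiB
}

// isTimeout reports whether err is a *url.Error marked as a timeout, which is
// what client.Do returns when Client.Timeout expires.
func isTimeout(err error) bool {
	var ue *url.Error
	return errors.As(err, &ue) && ue.Timeout()
}

func main() {
	// Constructed input: a host outside the allowlist fails before any network I/O.
	_, err := fetchRelease(context.Background(), "https://example.invalid/x", "api.github.com", 2*time.Second)
	fmt.Println(err, isTimeout(err))
}
```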
