CI/CD (#14)

msafarik · Marek Safarik · web-flow · commit fe2f194284a1 · 2026-02-23T13:11:22.000+01:00
* github actions: lint, gosec, sourcery, staticcheck

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;

* fix gopath

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;

* run checks only on stable fedora release

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;

* Fix golangci-li errors

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;

* goces

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;

* Removed texlive-colourchange-doc package

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;

* fix: golangci-lint after review (version upgrade and replacement go install with golangci-lint)

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;

* golangci-lint version upgrade to v9

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;

* upgrade golangci-lint to v2

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;

---------

Signed-off-by: Marek Safarik &lt;msafarik@redhat.com&gt;
Co-authored-by: Marek Safarik &lt;msafarik@redhat.com&gt;
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
@@ -0,0 +1,38 @@
+---
+name: golangci-lint
+
+"on":
+  push:
+    paths-ignore:
+      - '**.md'
+      - '**.sh'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+      - '**.sh'
+
+jobs:
+  golangci-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Show OS information
+        run: cat /etc/os-release
+
+      - name: Install Go
+        run: dnf -y install golang
+
+      - name: Show Go version
+        run: go version
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v9
+        with:
+          version: latest
+
+    container:
+      image: fedora:latest
+      env:
+        GOPATH: /root/go
+        PATH: /root/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
diff --git a/.github/workflows/gosec.yaml b/.github/workflows/gosec.yaml
@@ -0,0 +1,36 @@
+---
+name: gosec
+
+"on":
+  push:
+    paths-ignore:
+      - '**.md'
+      - '**.sh'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+      - '**.sh'
+
+jobs:
+  gosec:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Show OS information
+        run: cat /etc/os-release
+
+      - name: Install Go
+        run: dnf -y install golang
+
+      - name: Install gosec
+        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+      - name: Run gosec
+        run: gosec -exclude=G706 ./...
+
+    container:
+      image: fedora:latest
+      env:
+        GOPATH: /root/go
+        PATH: /root/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
diff --git a/.github/workflows/install-dependencies b/.github/workflows/install-dependencies
@@ -229,7 +229,6 @@ case "${DISTRO}" in
         texlive-graphicxpsd \
         texlive-ae \
         texlive-colourchange \
-        texlive-colourchange-doc \
         texlive-todonotes \
         texlive-babel-english \
         texlive-tocbibind \
diff --git a/.github/workflows/sourcery.yaml b/.github/workflows/sourcery.yaml
@@ -0,0 +1,22 @@
+---
+name: sourcery-ai
+
+"on":
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  sourcery:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Sourcery AI Code Review
+        uses: sourcery-ai/action@v1
+        with:
+          token: ${{ secrets.SOURCERY_TOKEN }}
diff --git a/.github/workflows/staticcheck.yaml b/.github/workflows/staticcheck.yaml
@@ -0,0 +1,36 @@
+---
+name: staticcheck
+
+"on":
+  push:
+    paths-ignore:
+      - '**.md'
+      - '**.sh'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+      - '**.sh'
+
+jobs:
+  staticcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Show OS information
+        run: cat /etc/os-release
+
+      - name: Install Go
+        run: dnf -y install golang
+
+      - name: Install staticcheck
+        run: go install honnef.co/go/tools/cmd/staticcheck@latest
+
+      - name: Run staticcheck
+        run: staticcheck ./...
+
+    container:
+      image: fedora:latest
+      env:
+        GOPATH: /root/go
+        PATH: /root/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,61 @@
+---
+version: "2"
+
+linters:
+  enable:
+    # Default linters
+    - errcheck
+    - govet
+    - staticcheck
+    - unused
+    # Additional linters
+    - bodyclose
+    - dupl
+    - gocognit
+    - goconst
+    - gocritic
+    - gocyclo
+    - gosec
+    - misspell
+    - nakedret
+    - prealloc
+    - revive
+    - unconvert
+    - unparam
+    - whitespace
+  settings:
+    gocyclo:
+      min-complexity: 15
+    gocognit:
+      min-complexity: 20
+    dupl:
+      threshold: 100
+    goconst:
+      min-len: 3
+      min-occurrences: 3
+    misspell:
+      locale: US
+    errcheck:
+      exclude-functions:
+        - (net/http.ResponseWriter).Write
+        - fmt.Fprintf
+        - (io.Closer).Close
+    gosec:
+      excludes:
+        - G706
+    revive:
+      rules:
+        - name: blank-imports
+        - name: context-as-argument
+        - name: dot-imports
+        - name: error-return
+        - name: error-strings
+        - name: increment-decrement
+        - name: var-naming
+        - name: package-comments
+          disabled: true
+
+formatters:
+  enable:
+    - gofmt
+    - goimports
diff --git a/cmd/client/main.go b/cmd/client/main.go
@@ -38,7 +38,8 @@ func main() {
 
 	apiKey := strings.TrimSpace(os.Getenv("ANTHROPIC_API_KEY"))
 	if apiKey == "" {
-		log.Fatal("ANTHROPIC_API_KEY environment variable not set")
+		log.Println("ANTHROPIC_API_KEY environment variable not set")
+		return
 	}
 
 	serverPath := os.Getenv("MCP_SERVER_PATH")
@@ -51,7 +52,7 @@ func main() {
 		port = defaultPort
 	}
 
-	if _, err := os.Stat(serverPath); os.IsNotExist(err) {
+	if _, err := os.Stat(serverPath); os.IsNotExist(err) { // #nosec G703 -- serverPath from env/default, not user input
 		log.Printf("Warning: MCP server not found at %s", serverPath)
 		log.Printf("Build the server first: go build -o bin/server cmd/server/main.go")
 		return
@@ -63,24 +64,28 @@ func main() {
 	})
 
 	if err := agentInstance.Connect(ctx); err != nil {
-		log.Fatalf("Failed to connect to MCP server: %v", err)
+		log.Printf("Failed to connect to MCP server: %v", err)
+		return
 	}
 	log.Printf("Connected to MCP server")
 	defer agentInstance.Close()
 
 	if err := agentInstance.GetTools(ctx); err != nil {
-		log.Fatalf("Failed to get MCP tools: %v", err)
+		log.Printf("Failed to get MCP tools: %v", err)
+		return
 	}
 
-	srv, err := web.NewServer(agentInstance, ctx)
+	srv, err := web.NewServer(ctx, agentInstance)
 	if err != nil {
-		log.Fatalf("Failed to create web server: %v", err)
+		log.Printf("Failed to create web server: %v", err)
+		return
 	}
 
 	addr := fmt.Sprintf(":%s", port)
 	log.Printf("Starting Keylime MCP Agent at http://localhost%s", addr)
 
 	if err := srv.Start(addr); err != nil {
-		log.Fatalf("Server error: %v", err)
+		log.Printf("Server error: %v", err)
+		return
 	}
 }
diff --git a/cmd/server/main.go b/cmd/server/main.go
@@ -30,7 +30,6 @@ func main() {
 	if err := server.Run(context.Background(), &mcp.StdioTransport{}); err != nil {
 		log.Fatal(err)
 	}
-
 }
 
 func loadConfig() keylime.Config {
diff --git a/internal/agent/agent.go b/internal/agent/agent.go
@@ -3,6 +3,7 @@ package agent
 import (
 	"context"
 	"fmt"
+	"log"
 	"os/exec"
 	"strings"
 
@@ -31,7 +32,7 @@ You have a maximum of 5 conversation turns to complete the task. When given a ta
 )
 
 type Config struct {
-	APIKey       string
+	APIKey       string // #nosec G117 -- field name for API key config, value is not hardcoded
 	ServerPath   string
 	Model        anthropic.Model
 	MaxTokens    int64
@@ -88,7 +89,7 @@ func (a *Agent) Connect(ctx context.Context) error {
 		Name:    mcpClientName,
 		Version: mcpClientVersion,
 	}, nil)
-	cmd := exec.Command(a.config.ServerPath)
+	cmd := exec.Command(a.config.ServerPath) // #nosec G204 -- ServerPath is from trusted config, not user input
 	transport := &mcp.CommandTransport{Command: cmd}
 	session, err := client.Connect(ctx, transport, nil)
 	if err != nil {
@@ -148,10 +149,14 @@ func convertMCPToolToClaudeTool(tool *mcp.Tool) anthropic.ToolUnionParam {
 
 func (a *Agent) Close() {
 	if a.mcpSession != nil {
-		a.mcpSession.Close()
+		if err := a.mcpSession.Close(); err != nil {
+			log.Printf("Warning: failed to close MCP session: %v", err)
+		}
 	}
 	if a.mcpCmd != nil && a.mcpCmd.Process != nil {
-		a.mcpCmd.Process.Kill()
+		if err := a.mcpCmd.Process.Kill(); err != nil {
+			log.Printf("Warning: failed to kill MCP process: %v", err)
+		}
 	}
 }
 
@@ -223,13 +228,14 @@ func (a *Agent) ExecuteTool(ctx context.Context, toolRequest *ToolRequest, onMes
 	var resultText string
 	var isError bool
 
-	if err != nil {
+	switch {
+	case err != nil:
 		resultText = fmt.Sprintf("Error: %v", err)
 		isError = true
-	} else if result.IsError {
+	case result.IsError:
 		resultText = fmt.Sprintf("Tool '%s' execution failed: %s", toolRequest.Name, extractTextContent(result.Content))
 		isError = true
-	} else {
+	default:
 		resultText = extractTextContent(result.Content)
 	}
 
diff --git a/internal/keylime/client.go b/internal/keylime/client.go
diff --git a/internal/keylime/helpers.go b/internal/keylime/helpers.go
diff --git a/internal/keylime/types.go b/internal/keylime/types.go
diff --git a/internal/web/server.go b/internal/web/server.go

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,6 @@ func main() {`
`30`	`30`	`if err := server.Run(context.Background(), &mcp.StdioTransport{}); err != nil {`
`31`	`31`	`log.Fatal(err)`
`32`	`32`	`}`
`33`		`-`
`34`	`33`	`}`
`35`	`34`
`36`	`35`	`func loadConfig() keylime.Config {`