NO-ISSUE: Update module github.com/golangci/golangci-lint to v2.11.3

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/golangci/golangci-lint	v2.8.0 -> v2.11.3

---

Release Notes

golangci/golangci-lint (github.com/golangci/golangci-lint)

v2.11.3

Compare Source

Released on 2026-03-10

1. Linters bug fixes
   • gosec: from v2.24.7 to 619ce21

v2.11.2

Compare Source

Released on 2026-03-07

1. Fixes
   • fmt: fix error when using the fmt command with explicit paths.

v2.11.1

Compare Source

Released on 2026-03-06

Due to an error related to AUR, some artifacts of the v2.11.0 release have not been published.

This release contains the same things as v2.11.0.

v2.11.0

Compare Source

Released on 2026-03-06

1. Linters new features or changes
   • errcheck: from 1.9.0 to 1.10.0 (exclude crypto/rand.Read by default)
   • gosec: from 2.23.0 to 2.24.6 (new rules: G113, G118, G119, G120, G121, G122, G123, G408, G707)
   • noctx: from 0.4.0 to 0.5.0 (new detection: httptest.NewRequestWithContext)
   • prealloc: from 1.0.2 to 1.1.0
   • revive: from 1.14.0 to 1.15.0 (⚠️ Breaking change: package-related checks moved from var-naming to a new rule package-naming)
2. Linters bug fixes
   • gocognit: from 1.2.0 to 1.2.1
   • gosec: from 2.24.6 to 2.24.7
   • unqueryvet: from 1.5.3 to 1.5.4

v2.10.1

Compare Source

Released on 2026-02-17

1. Fixes
   • buildssa panic

v2.10.0

Compare Source

Released on 2026-02-17

1. Linters new features or changes
   • ginkgolinter: from 0.22.0 to 0.23.0
   • gosec: from 2.22.11 to 2.23.0 (new rules: G117, G602, G701, G702, G703, G704, G705, G706)
   • staticcheck: from 0.6.1 to 0.7.0
2. Linters bug fixes
   • godoclint: from 0.11.1 to 0.11.2

v2.9.0

Compare Source

Released on 2026-02-10

1. Enhancements
   • 🎉 go1.26 support
2. Linters new features or changes
   • arangolint: from 0.3.1 to 0.4.0 (new rule: detect potential query injections)
   • ginkgolinter: from 0.21.2 to 0.22.0 (support for wrappers)
   • golines: from 0.14.0 to 0.15.0
   • misspell: from 0.7.0 to 0.8.0
   • revive: from v1.13.0 to v1.14.0 (new rules: epoch-naming, use-slices-sort)
   • unqueryvet: from 1.4.0 to 1.5.3 (new options: check-n1, check-sql-injection, check-tx-leaks, allow, custom-rules)
   • wsl_v5: from 5.3.0 to 5.6.0 (new rule: after-block)
3. Linters bug fixes
   • modernize: from 0.41.0 to 0.42.0
   • prealloc: from 1.0.1 to 1.0.2
   • protogetter: from 0.3.18 to 0.3.20
4. Misc.
   • Log information about files when configuration verification
   • Emit an error when no linters enabled
   • Do not collect VCS information when loading code

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[openshift-ci-robot]

@red-hat-konflux[bot]: This pull request explicitly references no jira issue.

Details

In response to this:

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/golangci/golangci-lint	v2.8.0 -> v2.11.1

---

Release Notes

golangci/golangci-lint (github.com/golangci/golangci-lint)

v2.11.1

Released on 2026-03-06

Due to an error related to AUR, some artifacts of the v2.11.0 release have not been published.

This release contains the same things as v2.11.0.

v2.11.0

Released on 2026-03-06

1. Linters new features or changes

• errcheck: from 1.9.0 to 1.10.0 (exclude crypto/rand.Read by default)
• gosec: from 2.23.0 to 2.24.6 (new rules: G113, G118, G119, G120, G121, G122, G123, G408, G707)
• noctx: from 0.4.0 to 0.5.0 (new detection: httptest.NewRequestWithContext)
• prealloc: from 1.0.2 to 1.1.0
• revive: from 1.14.0 to 1.15.0 (⚠️ Breaking change: package-related checks moved from var-naming to a new rule package-naming)

2. Linters bug fixes

• gocognit: from 1.2.0 to 1.2.1
• gosec: from 2.24.6 to 2.24.7
• unqueryvet: from 1.5.3 to 1.5.4

v2.10.1

Compare Source

Released on 2026-02-17

1. Fixes

• buildssa panic

v2.10.0

Compare Source

Released on 2026-02-17

1. Linters new features or changes

• ginkgolinter: from 0.22.0 to 0.23.0
• gosec: from 2.22.11 to 2.23.0 (new rules: G117, G602, G701, G702, G703, G704, G705, G706)
• staticcheck: from 0.6.1 to 0.7.0

2. Linters bug fixes

• godoclint: from 0.11.1 to 0.11.2

v2.9.0

Compare Source

Released on 2026-02-10

1. Enhancements

• 🎉 go1.26 support

2. Linters new features or changes

• arangolint: from 0.3.1 to 0.4.0 (new rule: detect potential query injections)
• ginkgolinter: from 0.21.2 to 0.22.0 (support for wrappers)
• golines: from 0.14.0 to 0.15.0
• misspell: from 0.7.0 to 0.8.0
• revive: from v1.13.0 to v1.14.0 (new rules: epoch-naming, use-slices-sort)
• unqueryvet: from 1.4.0 to 1.5.3 (new options: check-n1, check-sql-injection, check-tx-leaks, allow, custom-rules)
• wsl_v5: from 5.3.0 to 5.6.0 (new rule: after-block)

3. Linters bug fixes

• modernize: from 0.41.0 to 0.42.0
• prealloc: from 1.0.1 to 1.0.2
• protogetter: from 0.3.18 to 0.3.20

4. Misc.

• Log information about files when configuration verification
• Emit an error when no linters enabled
• Do not collect VCS information when loading code

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

The Dockerfile.assisted-installer-build was modified to bump the GolangCI-Lint installation from v2.8.0 to v2.11.2; no other commands or build steps were changed.

Changes

Cohort / File(s)	Summary
GolangCI-Lint Version Update Dockerfile.assisted-installer-build	Replaced GolangCI-Lint v2.8.0 with v2.11.2 in the RUN install sequence (single-line version bump).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title claims to update golangci-lint to v2.11.3, but the actual change only updates to v2.11.2, creating a mismatch between the stated and actual version.	Update the PR title to accurately reflect the change: 'NO-ISSUE: Update module github.com/golangci/golangci-lint to v2.11.2' instead of v2.11.3.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	PR only modifies Dockerfile.assisted-installer-build to update golangci-lint version; no test files modified.
Test Structure And Quality	✅ Passed	PR only updates GolangCI-Lint version in Dockerfile.assisted-installer-build; no test files modified, making custom check not applicable.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch konflux/mintmaker/master/linter

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile.assisted-installer-build`:
- Line 5: The Dockerfile RUN that downloads and executes the golangci-lint
installer uses the mutable master branch URL (the curl | sh pipeline) while
installing v2.11.1; change the download URL in that RUN line to a pinned,
immutable release URL for v2.11.1 (e.g., the raw file or releases/download path
for tag v2.11.1) so the installer script matches the version being installed
(and optionally add a checksum verification step), keeping the rest of the
invocation (-s -- -b $(go env GOPATH)/bin v2.11.1) unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8b390c51-39dc-4adb-9e60-50a3092d3146

📥 Commits

Reviewing files that changed from the base of the PR and between c3de390 and 3463ba0.

📒 Files selected for processing (1)

• Dockerfile.assisted-installer-build

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Run the verification script from the review comment
for ref in master v2.11.1; do
  url="https://raw.githubusercontent.com/golangci/golangci-lint/${ref}/install.sh"
  http_code="$(curl -sS -o "/tmp/golangci-${ref}.sh" -w "%{http_code}" "$url")"
  sha="$(sha256sum "/tmp/golangci-${ref}.sh" 2>/dev/null | awk '{print $1}' || echo 'N/A')"
  echo "${ref} HTTP_CODE=${http_code} SHA256=${sha}"
done

Repository: openshift/assisted-installer

Length of output: 136

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Download and hash the install scripts
echo "=== Downloading install scripts ==="
for ref in master v2.11.1; do
  url="https://raw.githubusercontent.com/golangci/golangci-lint/${ref}/install.sh"
  echo "Fetching: ${ref}"
  if curl -sS -o "/tmp/golangci-${ref}.sh" "$url"; then
    if [ -f "/tmp/golangci-${ref}.sh" ]; then
      size=$(wc -c < "/tmp/golangci-${ref}.sh")
      sha=$(sha256sum "/tmp/golangci-${ref}.sh" | awk '{print $1}')
      echo "${ref}: HTTP 200, size=${size} bytes, sha256=${sha}"
    fi
  else
    echo "${ref}: Download failed"
  fi
done

echo ""
echo "=== Comparing scripts ==="
if [ -f "/tmp/golangci-master.sh" ] && [ -f "/tmp/golangci-v2.11.1.sh" ]; then
  if cmp -s "/tmp/golangci-master.sh" "/tmp/golangci-v2.11.1.sh"; then
    echo "Scripts are IDENTICAL"
  else
    echo "Scripts are DIFFERENT"
    diff -u "/tmp/golangci-master.sh" "/tmp/golangci-v2.11.1.sh" | head -20
  fi
fi

echo ""
echo "=== Checking Dockerfile ==="
if [ -f "Dockerfile.assisted-installer-build" ]; then
  echo "Line 5 content:"
  sed -n '5p' Dockerfile.assisted-installer-build
fi

Repository: openshift/assisted-installer

Length of output: 192

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 << 'EOF'
import urllib.request
import hashlib
import os

def get_file_hash(url):
    try:
        with urllib.request.urlopen(url, timeout=10) as response:
            content = response.read()
            hash_obj = hashlib.sha256(content)
            return content, hash_obj.hexdigest(), len(content)
    except Exception as e:
        return None, None, str(e)

print("=== Downloading install scripts ===")
for ref in ['master', 'v2.11.1']:
    url = f"https://raw.githubusercontent.com/golangci/golangci-lint/{ref}/install.sh"
    print(f"Fetching: {ref}")
    content, sha256, result = get_file_hash(url)
    if content is not None:
        print(f"  {ref}: HTTP 200, size={len(content)} bytes, sha256={sha256}")
        with open(f"/tmp/golangci-{ref}.sh", "wb") as f:
            f.write(content)
    else:
        print(f"  {ref}: Error - {result}")

print("\n=== Comparing scripts ===")
if os.path.exists("/tmp/golangci-master.sh") and os.path.exists("/tmp/golangci-v2.11.1.sh"):
    with open("/tmp/golangci-master.sh", "rb") as f1:
        master = f1.read()
    with open("/tmp/golangci-v2.11.1.sh", "rb") as f2:
        v2111 = f2.read()
    
    if master == v2111:
        print("Scripts are IDENTICAL")
    else:
        print("Scripts are DIFFERENT")
        print(f"  master size: {len(master)} bytes")
        print(f"  v2.11.1 size: {len(v2111)} bytes")
EOF

echo ""
echo "=== Checking Dockerfile ==="
if [ -f "Dockerfile.assisted-installer-build" ]; then
  echo "File exists. Line 5:"
  sed -n '5p' Dockerfile.assisted-installer-build
  echo ""
  echo "Lines 1-10 for context:"
  head -10 Dockerfile.assisted-installer-build
fi

Repository: openshift/assisted-installer

Length of output: 1236

---

Pin the installer script to an immutable ref before executing it.

Line 5 fetches install.sh from master and pipes it to sh, which is mutable and differs from the pinned version v2.11.1 being installed (verified: master and v2.11.1 scripts differ by ~500 bytes). This inconsistency weakens reproducibility and supply-chain safety.

🔧 Proposed hardening

-RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.1 && \
+RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v2.11.1/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v2.11.1 && \

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.1 && \
	RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v2.11.1/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v2.11.1 && \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.assisted-installer-build` at line 5, The Dockerfile RUN that
downloads and executes the golangci-lint installer uses the mutable master
branch URL (the curl | sh pipeline) while installing v2.11.1; change the
download URL in that RUN line to a pinned, immutable release URL for v2.11.1
(e.g., the raw file or releases/download path for tag v2.11.1) so the installer
script matches the version being installed (and optionally add a checksum
verification step), keeping the rest of the invocation (-s -- -b $(go env
GOPATH)/bin v2.11.1) unchanged.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 48.48%. Comparing base (c3de390) to head (2c91dc7).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2046   +/-   ##
=======================================
  Coverage   48.48%   48.48%           
=======================================
  Files          20       20           
  Lines        4333     4333           
=======================================
  Hits         2101     2101           
  Misses       2011     2011           
  Partials      221      221           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

♻️ Duplicate comments (1)

Dockerfile.assisted-installer-build (1)

5-5: ⚠️ Potential issue | 🟠 Major

Pin install.sh to the same golangci-lint tag.

Line 5 still downloads the installer from master while installing v2.11.2. That keeps the build non-reproducible and weakens supply-chain guarantees because the script can change independently of the versioned artifact.

🔧 Proposed hardening

-RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.2 && \
+RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v2.11.2/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v2.11.2 && \

#!/bin/bash
set -euo pipefail

echo "=== Dockerfile line ==="
sed -n '5p' Dockerfile.assisted-installer-build

echo
echo "=== Compare installer scripts ==="
for ref in master v2.11.2; do
  url="https://raw.githubusercontent.com/golangci/golangci-lint/${ref}/install.sh"
  curl -fsSL "$url" -o "/tmp/golangci-${ref}.sh"
  printf '%s sha256=%s size=%s\n' \
    "$ref" \
    "$(sha256sum "/tmp/golangci-${ref}.sh" | awk '{print $1}')" \
    "$(wc -c < "/tmp/golangci-${ref}.sh")"
done

echo
if cmp -s /tmp/golangci-master.sh /tmp/golangci-v2.11.2.sh; then
  echo "master and v2.11.2 install.sh are identical"
else
  echo "master and v2.11.2 install.sh differ"
  diff -u /tmp/golangci-v2.11.2.sh /tmp/golangci-master.sh | sed -n '1,40p'
fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.assisted-installer-build` at line 5, The Dockerfile downloads the
golangci-lint installer from master while installing v2.11.2, which makes the
build non-reproducible; update the curl invocation that currently fetches
"https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh" so
it references the matching tag (v2.11.2) instead of master (e.g., use the URL
with the v2.11.2 ref) so the installer script and the installed version are
pinned together in the RUN line that calls install.sh and sh -s -- -b $(go env
GOPATH)/bin v2.11.2.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@Dockerfile.assisted-installer-build`:
- Line 5: The Dockerfile downloads the golangci-lint installer from master while
installing v2.11.2, which makes the build non-reproducible; update the curl
invocation that currently fetches
"https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh" so
it references the matching tag (v2.11.2) instead of master (e.g., use the URL
with the v2.11.2 ref) so the installer script and the installed version are
pinned together in the RUN line that calls install.sh and sh -s -- -b $(go env
GOPATH)/bin v2.11.2.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fcd259cb-b2a2-4c58-921f-c9663df4a568

📥 Commits

Reviewing files that changed from the base of the PR and between c5e8ea7 and 4ebd824.

📒 Files selected for processing (1)

• Dockerfile.assisted-installer-build

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: red-hat-konflux[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@red-hat-konflux[bot]: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/edge-lint	2c91dc7	link	true	/test edge-lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.