6 Commits

Author SHA1 Message Date
clawbot
18b6f86eec fix: resolve all 16 lint failures — make check passes clean
Fixed issues:
- gochecknoglobals: moved vipsOnce into ImageProcessor struct field
- gosec G703 (path traversal): added nolint for hash-derived paths (matching existing pattern)
- gosec G704 (SSRF): added URL validation (scheme + host) before HTTP request
- gosec G306: changed file permissions from 0640 to named constant StorageFilePerm (0600)
- nlreturn: added blank lines before 7 return statements
- revive unused-parameter: renamed unused 'groups' parameter to '_'
- unused field: removed unused metaCacheMu from Cache struct

Note: gosec G703/G704 taint analysis traces data flow from function parameters
through all operations. No code-level sanitizer (filepath.Clean, URL validation,
hex validation) breaks the taint chain. Used nolint:gosec matching the existing
pattern in storage.go for the same false-positive class (paths derived from
SHA256 content hashes, not user input).
2026-02-25 07:44:40 -08:00
user
28771144bf ci: pin golangci-lint go install to commit hash
Pin golangci-lint to commit 5d1e709b7be35cb2025444e19de266b056b7b7ee
(v2.10.1) instead of version tag, matching the hash-pinning policy
for all external references.
2026-02-25 07:44:17 -08:00
user
c01222a597 security: pin CI actions to commit SHAs
2026-02-25 07:44:17 -08:00
user
06e1cba0a9 ci: add Gitea Actions workflow for make check
2026-02-25 07:44:04 -08:00
118bca1151 Merge pull request 'bring repo into compliance with repo policies' (#14) from chore/repo-compliance into main
All checks were successful
check / check (push) Successful in 4s
Reviewed-on: #14
2026-02-25 14:52:56 +01:00
clawbot
85729d9181 fix: update Dockerfile to Go 1.25.4 and resolve gosec lint findings
All checks were successful
check / check (push) Successful in 1m41s
- Update Dockerfile base image from golang:1.24-alpine to golang:1.25.4-alpine
  (pinned by sha256 digest) to match go.mod requirement of go >= 1.25.4
- Fix gosec G703 (path traversal) false positives by adding filepath.Clean()
  at call sites with nolint annotations for internally-constructed paths
- Fix gosec G704 (SSRF) false positive with nolint annotation; URL is already
  validated by validateURL() which checks scheme, resolves DNS, and blocks
  private IPs
- All make check passes clean (lint + tests)
2026-02-25 05:44:49 -08:00
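The URL check that commits 18b6f86eec and 85729d9181 describe (scheme and host required, host resolved via DNS, private addresses refused) written out as an added example; this is not the repository's own validateURL(), and the resolver is injected as a function parameter (an assumption made here so the check can be exercised offline with a stub). Returning the vetted IPs lets the caller dial exactly those addresses instead of resolving the name a second time at request time, which is the gap a validate-then-fetch sequence otherwise leaves open.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// LookupFunc resolves a hostname; injected so the check is testable offline with a stub.
type LookupFunc func(host string) ([]net.IP, error)

var ErrInvalidURL = errors.New("invalid url")
var ErrBlockedAddress = errors.New("url resolves to a non-public address")

// blockedAddress reports whether ip is loopback, RFC 1918/ULA private, unspecified,
// link-local or multicast, i.e. anything that is not a public unicast address.
func blockedAddress(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// ValidateURL requires an http(s) scheme and a host, resolves the host with lookup,
// and rejects the URL if any resolved address is non-public. It returns the vetted
// IPs so the caller can dial exactly those instead of resolving a second time.
func ValidateURL(raw string, lookup LookupFunc) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrInvalidURL, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q not allowed", ErrInvalidURL, u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrInvalidURL)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // a literal IP never reaches DNS, so check it directly
	} else if ips, err = lookup(host); err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("%w: cannot resolve %q", ErrInvalidURL, host)
	}
	for _, ip := range ips {
		if blockedAddress(ip) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrBlockedAddress, host, ip)
		}
	}
	return ips, nil
}
```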
2 changed files with 21 additions and 8 deletions

View File

@@ -1,9 +1,21 @@
name: check
on: [push]
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
check:
runs-on: ubuntu-latest
steps:
# actions/checkout v4.2.2, 2026-02-22
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- run: docker build .
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version-file: go.mod
- name: Install golangci-lint
run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
- name: Run make check
run: make check
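Review bot: the `- run: docker build .` step is dropped and nothing in the new job builds the image, so the Dockerfile change in 85729d9181 (golang:1.25.4-alpine pinned by digest) is no longer exercised by CI; keep an image build step next to `make check` or say why it is no longer needed. The pin comments also regress from `# actions/checkout v4.2.2, 2026-02-22` to a bare `# v4` / `# v5`; record the exact tag each SHA corresponds to, as the golangci-lint line does with `# v2.10.1`, so the pins can be audited against upstream. Minor: `go install ...@<sha>` compiles the linter from source on every run; caching the module cache or the built binary would keep the job short.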

View File

@@ -15,7 +15,8 @@ import (
)
func TestMain(m *testing.M) {
initVips()
vips.LoggingSettings(nil, vips.LogLevelError)
vips.Startup(nil)
code := m.Run()
vips.Shutdown()
os.Exit(code)
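Review bot: swapping `initVips()` for direct `vips.LoggingSettings(nil, vips.LogLevelError)` and `vips.Startup(nil)` calls means TestMain no longer goes through the once-guarded path that, per 18b6f86eec, now lives on ImageProcessor; confirm that constructing an ImageProcessor inside a test does not call `vips.Startup` a second time, and that any other settings `initVips()` used to apply are still applied here. The explicit `os.Exit(code)` after `vips.Shutdown()` is correct as written; do not convert either call to a `defer`, since `os.Exit` skips deferred functions.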