Add //go:build darwin to secure_enclave.m and secure_enclave.h so Go
ignores them on non-darwin platforms. Without this, the lint stage fails
on Linux with 'Objective-C source files not allowed when not using cgo
or SWIG' because the !darwin stub (macse_stub.go) doesn't use CGO.
Pin all three FROM lines with SHA256 digests per REPO_POLICIES.md:
- golangci/golangci-lint:v2.1.6@sha256:568ee1c1...
- golang:1.24-alpine@sha256:8bee1901...
- alpine:3.23@sha256:25109184... (was alpine:latest)
Also replaced mutable 'alpine:latest' tag with 'alpine:3.23'.
Restructure Dockerfile to match upaas/dnswatcher pattern:
- Separate lint stage using golangci/golangci-lint:v2.1.6 image
- Builder stage for tests and compilation (no lint dependency)
- Add fmt-check Makefile target
- Decouple test from lint in Makefile (lint runs in its own stage)
- Run gofmt on all files
- docker build verified passing locally
The previous checkout SHA was invalid, causing immediate CI failure.
Use the known-good actions/checkout v4.2.2 SHA. Simplify trigger to
on: [push] to match other repos. Keep --ulimit memlock=-1:-1 for
10MB secret tests that need mlock.
- Install golangci-lint v2 via binary download instead of go install
(avoids Go 1.25 requirement of golangci-lint v2.10+)
- Add darwin build tags to tests that depend on macOS keychain:
derivation_index_test.go, pgpunlock_test.go, validation (keychain tests)
- Move generateRandomString to helpers_darwin.go (only called from
darwin-only keychainunlocker.go)
- Fix unchecked error returns flagged by errcheck linter
- Add gnupg to builder stage for PGP-related tests
- Use --ulimit memlock=-1:-1 in CI for memguard large secret tests
- Add //nolint:unused for intentionally kept but currently unused test helpers
Per new policy: CI actions simply run 'docker build .'. The Dockerfile
now installs golangci-lint and runs 'make check' early in the build
process, so a successful docker build implies all checks pass.
- Dockerfile: add golangci-lint install and 'make check' before final build
- CI workflow: simplify to just 'docker build .' (no Go setup needed)
- Makefile targets unchanged
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
