Upgrade golangci-lint in CI runner and Makefile

[amanfcp]

Description:

Upgrades golangci-lint from v1 to v2, pinned at v2.11.4. CI uses golangci-lint-action@v7 with a prebuilt binary (no Go 1.25 toolchain fetch). Local make lint now calls scripts/lint.sh, which auto-installs the exact pinned version via curl, eliminating system-installed version mismatches.
The deprecated --out-format flag is removed (colored output is default in v2). errcheck and staticcheck are temporarily disabled as v2's stricter defaults surface ~100 pre-existing issues, to be addressed in a follow-up.

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

---

Note

Medium Risk
Changes CI/local lint execution and pins a new major golangci-lint version, which can affect developer/CI behavior. Lint coverage is temporarily reduced by disabling errcheck and staticcheck, potentially allowing issues to slip through.

Overview
Upgrades the CI lint workflow to golangci/golangci-lint-action@v7 and pins golangci-lint to v2.11.4, updating lint args and temporarily disabling errcheck and staticcheck.

Switches make lint to run a new scripts/lint.sh that auto-installs (or reuses) the pinned golangci-lint version before running the same lint configuration locally.

^{Written by Cursor Bugbot for commit 96c2de8. This will update automatically on new commits. Configure here.}

[cursor]

Disabling default linters errcheck and staticcheck reduces coverage

Medium Severity

The new LINT_ARGS adds --disable errcheck,staticcheck, which was not present in the old configuration. Previously, both CI and Makefile only used --enable flags on top of defaults, meaning errcheck (unchecked error returns) and staticcheck (comprehensive static analysis, now including gosimple and stylecheck in v2) were actively running. The codebase even has existing nolint:errcheck and nolint:staticcheck comments proving these linters were in use. Silently disabling two core default linters significantly weakens lint coverage for a PR described only as an "upgrade."

 

[amanfcp]

Haven't decided on this yet

[amanfcp]

Maybe we can leave a TODO comment and address this in a follow up PR.

[bryanbeverly]

Yep, agreed. Let's create a ticket for this so we can make sure we re-enable these with v2.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[cursor]

Unanchored version grep may match wrong versions

Low Severity

The version check uses grep -q "${GOLANGCI_LINT_VERSION#v}" which matches 2.11.4 as a substring. This would incorrectly match future versions like 2.11.40 or 2.11.41, causing the script to skip installation and run the wrong version. Using grep -qw (word-boundary match) would prevent false substring matches.

 

[amanfcp]

Patch updates are a non-issue I think

[bryanbeverly]

I dug into this a little and added a comment below
#4861 (comment)

[bryanbeverly]

The script only looks for golangci-lint in $GOPATH/bin, so if someone already has the correct version installed elsewhere on PATH (e.g. via Homebrew at /opt/homebrew/bin/golangci-lint), it will re-download and install a second copy.

Consider checking PATH first before falling back to the $GOPATH/bin location:

if command -v golangci-lint &>/dev/null && golangci-lint version 2>&1 | grep -q "${GOLANGCI_LINT_VERSION#v}"; then
    GOLANGCI_LINT="$(command -v golangci-lint)"
    echo "golangci-lint ${GOLANGCI_LINT_VERSION} found at ${GOLANGCI_LINT}"
elif [[ -x "${GOLANGCI_LINT}" ]] && "${GOLANGCI_LINT}" version 2>&1 | grep -q "${GOLANGCI_LINT_VERSION#v}"; then
    echo "golangci-lint ${GOLANGCI_LINT_VERSION} found at ${GOLANGCI_LINT}"
else
    echo "Installing golangci-lint ${GOLANGCI_LINT_VERSION}..."
    curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "${GOBIN}" "${GOLANGCI_LINT_VERSION}"
fi

This preserves the version-pinning guarantee while respecting existing installations.

[bryanbeverly]

The version check uses grep -q which matches substrings — 2.11.4 would incorrectly match a future 2.11.40, causing the script to skip installation and run the wrong version.

Note that the commonly suggested grep -qw fix is also fragile here: -w uses word-boundary characters ([a-zA-Z0-9_]), so if the version output ever includes a v prefix (e.g. v2.11.4), the v is a word character and the match would fail entirely.

A safer approach is to extract and compare the version exactly:

installed_version=$("${GOLANGCI_LINT}" version 2>&1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1)
if [[ "${installed_version}" == "${GOLANGCI_LINT_VERSION#v}" ]]; then
    echo "golangci-lint ${GOLANGCI_LINT_VERSION} found"
else
    echo "Installing golangci-lint ${GOLANGCI_LINT_VERSION}..."
    curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b "${GOBIN}" "${GOLANGCI_LINT_VERSION}"
fi