From 578249398c476d5f3fb344713e59e1c2dd6b6b0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mirko=20K=C3=A4mpf?= <mirko.kaempf@gmail.com>
Date: Wed, 17 Jun 2026 16:24:54 +0200
Subject: [PATCH] ci: pin golangci-lint to v2.6.0 (fix latest-drift gosec
 G703/G704)

Follow-up to #24. CI used golangci-lint version: latest, which drifted to a newer
release whose gosec G703 (path-traversal) + G704 (SSRF) taint rules fail on patterns
kshark guards at runtime (file reads in diff.go/util.go; the SSRF-checked httpGet in
validate_blueprint.go). #24 validated v2.6.0 locally as green; pin CI to v2.6.0 so it
matches. Bump deliberately + re-validate. Only golangci-lint is pinned; goreleaser stays latest.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/build-and-release.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
index d5c3388..5bc7338 100644
--- a/.github/workflows/build-and-release.yml
+++ b/.github/workflows/build-and-release.yml
@@ -32,7 +32,9 @@ jobs:
       - name: Lint
         uses: golangci/golangci-lint-action@v9
         with:
-          version: latest
+          # Pinned: `latest` drifts and newer gosec rules (G703/G704) fail CI on
+          # patterns kshark guards at runtime. Bump deliberately + re-validate.
+          version: v2.6.0
 
       - name: Build
         run: CGO_ENABLED=0 go build -o kshark ./cmd/kshark