Fix CI lint failures and update actions for Node 24

[linkdata]

Summary

• fix golangci-lint findings from failed build job
• update GitHub Actions to Node 24-compatible major versions

Verification

• golangci-lint run --timeout=5m
• make test
• make build

Summary by CodeRabbit

• Bug Fixes

  • Fixed response body write error handling to properly report failures instead of silently ignoring them.

• Tests

  • Enhanced error validation in test cleanup procedures and panic detection for better test reliability.

• Chores

  • Updated CI/CD pipelines with newer versions of GitHub Actions and linting tools for improved reliability.

[coderabbitai]

Warning

Review limit reached

@linkdata, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 36 minutes and 31 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 50419757-301f-409c-ab69-79f645478780

📥 Commits

Reviewing files that changed from the base of the PR and between 68360f4 and 7055690.

📒 Files selected for processing (2)

• .github/workflows/build.yml
• .github/workflows/container.yml

📝 Walkthrough

Walkthrough

This PR updates GitHub Actions versions across CI workflows, adds error handling for response writes in production code and test cleanup, and adjusts test assertions to match changed semantics in certificate pool equality checks, DAWG panic behavior, and MQTT client configuration structure.

Changes

GitHub Actions Workflow Version Updates

Layer / File(s)	Summary
GitHub Actions version bumps in CI workflows .github/workflows/build.yml, .github/workflows/container.yml	Both workflows update actions/checkout from v4 to v6 and actions/setup-go from v5 to v6. The build workflow additionally pins golangci-lint action to v9.2.1 (from v8.0.0). No changes to job structure, matrix, or toolchain versions.

Error Handling Improvements

Layer / File(s)	Summary
Write error handling in parquet rotation handler pkg/runner/runner.go	manualParquetRotationHandler now captures and logs the error from w.Write when writing the rotation response, replacing the previous unchecked write.
Flag reset error validation in test cleanup pkg/cmd/root_test.go	TestRunFlagsBoundToViper now checks the return values from Flags().Set() during cleanup and fails the test via t.Fatalf if either flag reset fails.

Test Assertion Updates for Changed Implementation

Layer / File(s)

Summary

Certificate pool, DAWG panic, and MQTT config assertions pkg/runner/runner_extra_test.go

TestCertPoolAndJWKFiles compares the loaded pool against a new empty x509.CertPool() instead of checking Subjects() length. TestLoadDawgFileErrors replaces the panic assertion pattern with a deferred recover() closure. TestMQTTConfigAndPublisher validates top-level MQTT config fields (ClientID, KeepAlive, TlsCfg.MinVersion) and uses cfg.On* callback accessors instead of cfg.ClientConfig.* nested paths.

---

🎯 2 (Simple) | ⏱️ ~10 minutes

---

Possibly Related PRs

• dnstapir/edm#37: Adds golangci-lint step to .github/workflows/build.yml, directly overlapping with this PR's golangci-lint action version update.
• dnstapir/edm#85: Updates Go toolchain version in workflows and go.mod, related to this PR's updates of GitHub Actions versions for Go tooling.
• dnstapir/edm#102: Contains overlapping CI workflow updates, though focused on different configuration aspects.

---

Suggested Reviewers

• zluudg

---

🐰 Action versions hop to v6 so high,
Error checks catch writes that slip by,
Pool assertions align with new ways,
MQTT callbacks dance through the days! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: fixing CI lint failures and updating GitHub Actions for Node 24 compatibility.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/actions-lint-node24

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/build.yml (1)

14-14: 💤 Low value

Consider adding persist-credentials: false for security.

Static analysis flags that checkout without persist-credentials: false may expose credentials through artifacts if the workflow creates any.

🔒 Suggested security hardening

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml at line 14, The checkout step currently uses
actions/checkout@v6 without disabling credential persistence; update the
checkout step (actions/checkout@v6) to include persist-credentials: false so the
GITHUB_TOKEN is not automatically persisted to the workspace/artifacts. Modify
the existing checkout invocation to add the persist-credentials: false input
(and leave fetch-depth or other inputs unchanged) to harden the workflow against
credential leakage.

.github/workflows/container.yml (1)

27-27: 💤 Low value

Consider security hardening for actions.

Static analysis suggests two optional security improvements:

1. Add persist-credentials: false to checkout to prevent credential leakage through artifacts
2. The setup-go action enables caching by default, which static analysis flags for potential cache poisoning risks

🔒 Suggested security hardening

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false

For the cache-poisoning concern with setup-go, you can explicitly disable caching if desired:

-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@v6
         with:
           go-version: "1.25.6"
+          cache: false

Also applies to: 37-37

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/container.yml at line 27, The workflow uses
actions/checkout@v6 and setup-go with defaults that can leak credentials or
enable caching; update the checkout step to set persist-credentials: false to
avoid passing GITHUB_TOKEN to subsequent steps/artifacts, and explicitly add the
setup-go step configuration to disable built-in caching (or configure caching
keys/verify inputs) to mitigate cache-poisoning risks—locate and modify the
actions/checkout@v6 and the setup-go invocation in the container.yml workflow
and add these explicit options.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Line 14: Update the workflow to validate and mitigate breaking changes: for
actions/checkout@v6, explicitly set persist-credentials to true/false as
required for container runners (address the changed default behavior); for
actions/setup-go@v6, confirm the GitHub Actions runner version requirement (>=
v2.327.1) and adjust any Node/runtime or go toolchain cache usage in the steps
that call setup-go; and repin golangci/golangci-lint-action to the exact
40-character commit SHA that corresponds to v9.2.1 (replace the current
shorter/incorrect commit id and update the v9.2.1 annotation to match that full
SHA) so the workflow uses the intended immutable release.

---

Nitpick comments:
In @.github/workflows/build.yml:
- Line 14: The checkout step currently uses actions/checkout@v6 without
disabling credential persistence; update the checkout step (actions/checkout@v6)
to include persist-credentials: false so the GITHUB_TOKEN is not automatically
persisted to the workspace/artifacts. Modify the existing checkout invocation to
add the persist-credentials: false input (and leave fetch-depth or other inputs
unchanged) to harden the workflow against credential leakage.

In @.github/workflows/container.yml:
- Line 27: The workflow uses actions/checkout@v6 and setup-go with defaults that
can leak credentials or enable caching; update the checkout step to set
persist-credentials: false to avoid passing GITHUB_TOKEN to subsequent
steps/artifacts, and explicitly add the setup-go step configuration to disable
built-in caching (or configure caching keys/verify inputs) to mitigate
cache-poisoning risks—locate and modify the actions/checkout@v6 and the setup-go
invocation in the container.yml workflow and add these explicit options.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e09be1a1-bb51-47ff-a383-10f7c7ec5cc4

📥 Commits

Reviewing files that changed from the base of the PR and between b820224 and 68360f4.

📒 Files selected for processing (5)

• .github/workflows/build.yml
• .github/workflows/container.yml
• pkg/cmd/root_test.go
• pkg/runner/runner.go
• pkg/runner/runner_extra_test.go

[linkdata]

For some reason, CodeRabbit reasoning seemed to indicate that it is good practice to pin the GH actions to commit SHAs. I disagree - we will stick with version tags.
EDIT: But since golangci/golangci-lint-action was SHA-pinned before, we'll keep it pinned.