From b5f7cc9e9be45fade8eafac09badc60bbf270dc6 Mon Sep 17 00:00:00 2001
From: Benjamin Admin <benjaminadmin@MacBook-Pro.local>
Date: Tue, 23 Jun 2026 12:44:32 +0200
Subject: [PATCH] ci(go-lint): golangci-lint v1.64.8 (go1.24) +
 new-from-merge-base

go-lint failed on every PR: golangci-lint v1.62-alpine is built with go1.23 and
refuses to load a go1.24.0 module's config ("language version go1.23 lower than
targeted 1.24.0"), so it never actually linted.

- container v1.62-alpine -> v1.64.8-alpine (built with go1.24.1)
- revive `exported` used the old map-argument form, which v1.64 rejects
  ("expecting a string, got map") -> string form (disableStutteringCheck)
- running golangci for the first time surfaces ~15 pre-existing findings in
  unrelated packages (academy/whistleblower/iace/training + a few tests);
  switch issues.new:false -> new-from-merge-base:main so only newly changed
  lines fail (the config already anticipated this)
- new-from-merge-base needs the merge base -> go-lint checkout now does a full
  clone (local `main` ref) instead of a shallow single-branch clone

Verified locally with v1.64.8: a clean branch over main lints to 0 issues
(pre-existing debt ignored), config loads cleanly. Touches only CI config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/ci.yaml        | 6 ++++--
 ai-compliance-sdk/.golangci.yml | 9 ++++-----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index 73dc338e..98822fc7 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -136,12 +136,14 @@ jobs:
     runs-on: docker
     needs: detect-changes
     if: github.event_name == 'pull_request' && needs.detect-changes.outputs.sdk == 'true'
-    container: golangci/golangci-lint:v1.62-alpine
+    container: golangci/golangci-lint:v1.64.8-alpine
     steps:
       - name: Checkout
         run: |
           apk add --no-cache git
-          git clone --depth 1 --branch ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          # Full clone so `main` is a local ref — new-from-merge-base needs the merge base.
+          git clone ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
+          git checkout ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}
       - name: Lint ai-compliance-sdk
         run: |
           [ -d "ai-compliance-sdk" ] || exit 0
diff --git a/ai-compliance-sdk/.golangci.yml b/ai-compliance-sdk/.golangci.yml
index 0288466b..73adc2c9 100644
--- a/ai-compliance-sdk/.golangci.yml
+++ b/ai-compliance-sdk/.golangci.yml
@@ -55,8 +55,7 @@ linters-settings:
     rules:
       - name: exported
         arguments:
-          - checkPrivateReceivers: false
-          - disableStutteringCheck: true
+          - disableStutteringCheck
       - name: error-return
       - name: increment-decrement
       - name: var-declaration
@@ -83,6 +82,6 @@ issues:
   max-issues-per-linter: 50
   max-same-issues: 5
 
-  # New code only: don't fail on pre-existing issues in files we haven't touched.
-  # Remove this once a clean baseline is established.
-  new: false
+  # New code only: lint lines changed vs main, so pre-existing debt doesn't fail CI.
+  # Needs the go-lint job to clone with a local `main` ref (see .gitea/workflows/ci.yaml).
+  new-from-merge-base: main
-- 
2.52.0