Update tool dependencies and fix new lint issues#36702
Merged
silverwind merged 9 commits intoFeb 26, 2026
Merged
Conversation
Update golangci-lint v2.9.0 to v2.10.1, misspell v0.7.0 to v0.8.0, actionlint v1.7.10 to v1.7.11. Fix new QF1012 staticcheck findings by using fmt.Fprintf instead of WriteString(fmt.Sprintf(...)). Add nolint for SA1019 on ecdsa.PublicKey.X/Y deprecated in Go 1.26. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GiteaBot
added
the
lgtm/need 2
Extract EC coordinates from the uncompressed SEC 1 byte representation (0x04 || X || Y) returned by PublicKey.Bytes() instead of directly accessing the deprecated pubKey.X and pubKey.Y fields. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Extract EC coordinates from the uncompressed SEC 1 byte representation (0x04 || X || Y) returned by PublicKey.Bytes(), and derive the curve name from coordinate length, avoiding all deprecated ecdsa.PublicKey fields (X, Y, Curve). This also fixes a latent RFC 7518 compliance issue where big.Int.Bytes() could produce shorter-than-expected coordinates by stripping leading zeros (e.g. for P-521). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates repository tooling (lint-related dependencies) and applies code changes needed to satisfy new linter/staticcheck findings, including a crypto/JWK update for ECDSA keys used by the OAuth2/OIDC provider.
Changes:
- Bump lint tool dependencies in the Makefile (golangci-lint, misspell, actionlint).
- Replace
WriteString(fmt.Sprintf(...))patterns withfmt.Fprintf(...)across multiple string/buffer builders to address new linter findings. - Update ECDSA JWK encoding to use SEC 1 uncompressed point bytes (avoiding deprecated field access and preserving leading zeros), and add unit coverage for P-256/P-384/P-521.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| services/webhook/wechatwork.go | Use fmt.Fprintf to build commit text (lint fix). |
| services/webhook/telegram.go | Use fmt.Fprintf for commit list formatting (lint fix). |
| services/webhook/slack.go | Use fmt.Fprintf for attachment text (lint fix). |
| services/webhook/msteams.go | Use fmt.Fprintf for commit text (lint fix). |
| services/webhook/matrix.go | Use fmt.Fprintf when building Matrix HTML content (lint fix). |
| services/webhook/feishu.go | Use fmt.Fprintf for header text (lint fix). |
| services/webhook/discord.go | Use fmt.Fprintf for commit text (lint fix). |
| services/release/notes.go | Use fmt.Fprintf when building release notes (lint fix). |
| services/oauth2_provider/jwtsigningkey.go | Change ECDSA ToJWK() to derive coordinates from SEC 1 bytes and map curve name from coordinate length. |
| services/oauth2_provider/jwtsigningkey_test.go | Add unit test verifying JWK output for P-256/P-384/P-521 (including fixed coordinate sizes). |
| services/gitdiff/gitdiff.go | Use fmt.Fprintf for synthetic patch header generation (lint fix). |
| routers/web/repo/setting/lfs.go | Use fmt.Fprintf while building LFS file HTML fragments (lint fix). |
| modules/git/foreachref/format.go | Use fmt.Fprintf when composing git for-each-ref format flag (lint fix). |
| models/repo/repo.go | Use fmt.Fprintf for repository size details string formatting (lint fix). |
| Makefile | Bump lint tool dependency versions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Instead of inferring the curve name from coordinate length (which could be ambiguous), derive it from the JWT signing algorithm. Also validate that the SEC 1 point encoding has the 0x04 uncompressed prefix and the expected total length. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Member
Author
|
Posted by @silverwind's AI assistant (Claude) Did an in-depth validation of the
|
wxiaoguang
reviewed
Feb 22, 2026
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
lunny
reviewed
Feb 22, 2026
lunny
approved these changes
Feb 22, 2026
GiteaBot
added
lgtm/need 1
Zettat123
approved these changes
Feb 26, 2026
GiteaBot
added
lgtm/done
silverwind
added
the
reviewed/wait-merge
GiteaBot
removed
the
reviewed/wait-merge
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Feb 27, 2026
* giteaofficial/main: Filter out untracked files from spellchecking (go-gitea#36756) Fix CSS stacking context issue in actions log (go-gitea#36749) Fix milestone/project text overflow in issue sidebar (go-gitea#36741) Update tool dependencies and fix new lint issues (go-gitea#36702) Instance-wide (global) info banner and maintenance mode (go-gitea#36571) Add created_by filter to SearchIssues (go-gitea#36670) Inline and lazy-load EasyMDE CSS, fix border colors (go-gitea#36714)
silverwind
added a commit
to silverwind/gitea
that referenced
this pull request
Feb 27, 2026
* origin/main: Move Fomantic dropdown CSS to custom module (go-gitea#36530) Use "Enable Gravatar" but not "Disable" (go-gitea#36771) feat: add branch_count to repository API (go-gitea#35351) (go-gitea#36743) Deprecate RenderWithErr (go-gitea#36769) Lazy-load some Vue components, fix heatmap chunk loading on every page (go-gitea#36719) Filter out untracked files from spellchecking (go-gitea#36756) Fix CSS stacking context issue in actions log (go-gitea#36749) Fix milestone/project text overflow in issue sidebar (go-gitea#36741) Update tool dependencies and fix new lint issues (go-gitea#36702) Instance-wide (global) info banner and maintenance mode (go-gitea#36571) Add created_by filter to SearchIssues (go-gitea#36670) Inline and lazy-load EasyMDE CSS, fix border colors (go-gitea#36714) # Conflicts: # templates/repo/issue/view_content/pull_merge_box.tmpl # web_src/js/features/repo-issue-pull.ts
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
fmt.Fprintfinstead ofWriteString(fmt.Sprintf(...))ecdsa.PublicKeyfield access withPublicKey.Bytes()for JWK encoding, with SEC 1 validation and curve derived from signing algorithmToJWK()covering P-256, P-384, and P-521 curves, also verifying correct coordinate padding per RFC 7518Test plan
make lint-gopasses with 0 issuesgo test ./services/oauth2_provider/ -run TestECDSASigningKeyToJWKpasses for all curves🤖 Generated with Claude Code