upgrade go, public submodule & golangci-lint

[lieut-data]

Summary

In support of #158, let's bump Go, the public module, and golangci-lint. Reduce scoping of id-token to jobs that need it.

Ticket Link

Relates-to: https://mattermost.atlassian.net/browse/MM-68727

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates linter configuration to golangci-lint v2 and lint/build images, bumps Go toolchain and module versions to 1.26.3, and applies minor error-message, reflect-kind, logging, and CI YAML formatting tweaks.

Changes

Linter Configuration and Build Infrastructure Upgrade

Layer / File(s)	Summary
Golangci-lint v2 configuration and Docker image update .golangci.yml, Makefile	.golangci.yml is rewritten to use version: "2" with nested linters, formatters, and settings/exclusions, preserving enabled linters and adding path/generated-code exclusions. Makefile updates DOCKER_IMAGE_GOLINT to a golangci-lint v2 image with a new pinned digest and bumps BUILD_IMAGE_FIPS.

Go Toolchain and Dependency Modernization

Layer / File(s)	Summary
Go version and module dependency updates go.mod	Go toolchain is bumped to 1.26.3 and multiple direct and indirect module versions are updated across the require blocks (Mattermost public package, testing libs, OpenTelemetry, Google Cloud, and transitive deps).

Error Handling and Code Quality Refinements

Layer / File(s)	Summary
Notification server error messages and config logging server/android_notification_server.go, server/apple_notification_server.go, server/config_push_proxy.go	Error message strings reformatted in Android and Apple notification servers and transport setup. Android getErrorCode validates reflect.Pointer. Apple SendNotification uses short variable declaration. Config loading now logs the buffer as string(buf).

CI Workflow updates

Layer / File(s)	Summary
CI GO_VERSION bump and spacing fix .github/workflows/ci.yml	Workflow environment GO_VERSION updated to 1.26.3, explicit permissions added to the fips-security-scan job, and minor spacing/comment formatting adjusted.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: upgrading Go, the public submodule, and golangci-lint across multiple files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description is directly related to the changeset, clearly outlining the bumping of Go, the public module, and golangci-lint with supporting references.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bump-public-upgrade-golangci-lint

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.golangci.yml (1)

1-39: ⚠️ Potential issue | 🟠 Major

Fix golangci-lint v2 config schema mismatches in .golangci.yml

• .linters.exclusions.presets likely uses invalid preset identifiers (common-false-positives, std-error-handling); v2 expects the correct names (e.g., commonFalsePositives, stdErrorHandling), otherwise exclusions may be ignored.
• The govet block likely has an invalid key placement for bulk enabling (linters.settings.govet.enable-all: true); v2 expects govet analyzer selection via the supported linters.settings.govet fields (use golangci-lint migrate against the v2 schema to avoid key/path mismatches).
• The Docker digest check for golangci/golangci-lint:v2.12.2 can’t be run in the current environment (no docker binary); validate it in CI/local.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.golangci.yml around lines 1 - 39, Update the .golangci.yml to match
golangci-lint v2 schema: rename the presets under linters.exclusions.presets
from dashed names to camelCase (e.g., common-false-positives ->
commonFalsePositives, std-error-handling -> stdErrorHandling), and remove or
replace the unsupported govet key linters.settings.govet.enable-all: true by
configuring govet according to v2 schema (use supported fields under
linters.settings.govet or run `golangci-lint migrate` to generate the correct
govet analyzer settings); validate the final config locally/CI rather than
relying on a Docker digest check in this environment.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.golangci.yml:
- Around line 1-39: Update the .golangci.yml to match golangci-lint v2 schema:
rename the presets under linters.exclusions.presets from dashed names to
camelCase (e.g., common-false-positives -> commonFalsePositives,
std-error-handling -> stdErrorHandling), and remove or replace the unsupported
govet key linters.settings.govet.enable-all: true by configuring govet according
to v2 schema (use supported fields under linters.settings.govet or run
`golangci-lint migrate` to generate the correct govet analyzer settings);
validate the final config locally/CI rather than relying on a Docker digest
check in this environment.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2956012a-a443-46b9-b608-d933befd1638

📥 Commits

Reviewing files that changed from the base of the PR and between 7852e23 and ca4c821.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (6)

• .golangci.yml
• Makefile
• go.mod
• server/android_notification_server.go
• server/apple_notification_server.go
• server/config_push_proxy.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 13-15: The workflow-level permission "id-token: write" is too
broad; remove or change the top-level permissions block so it no longer grants
id-token: write globally and instead add "id-token: write" only to the specific
job(s) that require OIDC (e.g., the job names that use Chainguard identity or
OIDC), by updating the job-level permissions for those jobs to include id-token:
write while leaving workflow-level permissions as minimal (contents: read) or
omitting id-token entirely.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6cb29714-8156-408e-9f2a-46129c670914

📥 Commits

Reviewing files that changed from the base of the PR and between 4880899 and d86bad3.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[lieut-data]

Regarding the .golangci.yml outside-diff comment: the preset names (common-false-positives, std-error-handling) are the correct kebab-case identifiers for golangci-lint v2 — camelCase is not expected here. Similarly, linters.settings.govet.enable-all: true is the correct v2 path. No changes needed there.

[lieut-data]

linting re: errors

[lieut-data]

inline linting from Go 1.26+

[lieut-data]

migrated to version 2

[lieut-data]

Upgraded golangci-lint

[lieut-data]

@esarafianou, this prompted me to realize we aren't bumping glibc-openssl-fips alongside the Go bumps. I can plan to do that as a separate pass and match it with the core repo, but proposing leaving it untouched for now.