From 9bfffa7b8200a59d699878770ba375cb6a8746b0 Mon Sep 17 00:00:00 2001 From: Krishan Kant Sharma Date: Mon, 6 Jul 2026 15:59:14 -0500 Subject: [PATCH 1/2] docs: add "Enforce a No-New-LaunchDarkly Policy for Go in CI" guide MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit flaglint-go has no published GitHub Action (unlike flaglint-js's flaglint/flaglint composite action) — the guide is honest about that and shows raw workflow steps instead: install via go install (actions/setup-go) or Homebrew (preinstalled on GitHub-hosted runners), then run validate directly. Structure mirrors the existing JS tutorials/integrations pages: - Recommended path: baseline-mode adoption (--baseline --fail-on-new), which most real teams need since --no-direct-launchdarkly fails immediately on any existing debt - Strict blocking policy once debt is cleared, plus bootstrap-exclude - SARIF upload for GitHub Code Scanning, with the correct flaglint.go.direct-launchdarkly rule ID Adds the page to the "Go CLI" sidebar section (held back from the previous PR since Starlight's build fails hard on a sidebar slug that doesn't exist yet) and verified in-browser: sidebar placement, pagination, YAML syntax highlighting, and the pre-existing quickstart.md link to this page all work. Signed-off-by: Krishan Kant Sharma --- astro.config.mjs | 1 + .../docs/docs/go/guides/enforce-in-ci.md | 114 ++++++++++++++++++ 2 files changed, 115 insertions(+) create mode 100644 src/content/docs/docs/go/guides/enforce-in-ci.md diff --git a/astro.config.mjs b/astro.config.mjs index 5671976..0a43ba5 100644 --- a/astro.config.mjs +++ b/astro.config.mjs @@ -126,6 +126,7 @@ export default defineConfig({ { label: "audit", slug: "docs/go/cli/audit" }, { label: "validate", slug: "docs/go/cli/validate" }, { label: "Identity Model", slug: "docs/go/concepts/identity-model" }, + { label: "Enforce in CI", slug: "docs/go/guides/enforce-in-ci" }, { label: "Supported Scope", slug: "docs/go/reference/supported-scope" }, { label: "Limitations", slug: "docs/go/reference/limitations" }, ], diff --git a/src/content/docs/docs/go/guides/enforce-in-ci.md b/src/content/docs/docs/go/guides/enforce-in-ci.md new file mode 100644 index 0000000..e9c2112 --- /dev/null +++ b/src/content/docs/docs/go/guides/enforce-in-ci.md @@ -0,0 +1,114 @@ +--- +title: Enforce a No-New-LaunchDarkly Policy for Go in CI +description: Use flaglint-go validate in GitHub Actions to block new direct LaunchDarkly Go SDK calls, adopting gradually via baseline mode. +lastUpdated: 2026-07-06 +--- + +flaglint-go has no published GitHub Action (unlike flaglint-js's `flaglint/flaglint` composite action) — install it in your workflow with `go install` or Homebrew, then run `validate` directly. Both are one extra step. + +## Install in CI + +**Via `go install`** (needs `actions/setup-go`, already common in Go CI): + +```yaml +- uses: actions/setup-go@v5 + with: + go-version: '1.23' +- run: go install github.com/flaglint/flaglint-go/cmd/flaglint-go@latest +``` + +**Via Homebrew** (no Go toolchain needed — `brew` is preinstalled on GitHub-hosted `ubuntu-latest` and `macos-latest` runners): + +```yaml +- run: brew install flaglint/tap/flaglint-go +``` + +## Recommended: Adopt With a Baseline First + +Turning on `--no-direct-launchdarkly` immediately fails CI for every existing call site — usually not what you want on day one. Capture current debt as a baseline once, commit it, and fail only on *new* debt going forward: + +```bash +# Run once, locally, and commit the result +flaglint-go audit ./services --write-baseline .flaglint-baseline.json +``` + +```yaml +name: FlagLint Go +on: [pull_request] + +jobs: + flaglint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version: '1.23' + - run: go install github.com/flaglint/flaglint-go/cmd/flaglint-go@latest + - run: flaglint-go validate ./services --baseline .flaglint-baseline.json --fail-on-new +``` + +This fails the build only when a call site's fingerprint isn't already in `.flaglint-baseline.json`. Re-run `--write-baseline` (and commit the update) whenever you accept new debt on purpose or resolve existing findings. + +## Blocking All Direct Calls + +Once existing debt is cleared (or for a codebase starting clean), enforce the strict policy instead: + +```yaml +- run: flaglint-go validate ./services --no-direct-launchdarkly +``` + +Do not add `continue-on-error: true` to this step — the job should fail when violations exist. + +### Bootstrap Exclusions + +Files that legitimately wire the LaunchDarkly client directly (a provider-setup package, for example) can be exempted: + +```yaml +- run: | + flaglint-go validate ./services \ + --no-direct-launchdarkly \ + --bootstrap-exclude "internal/openfeature-bootstrap/**" +``` + +## SARIF Upload for GitHub Code Scanning + +```yaml +name: FlagLint Go (SARIF) +on: [pull_request] + +jobs: + validate: + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version: '1.23' + - run: go install github.com/flaglint/flaglint-go/cmd/flaglint-go@latest + + - name: Validate no direct LaunchDarkly Go SDK calls + run: | + flaglint-go validate ./services \ + --no-direct-launchdarkly \ + --format sarif \ + --output flaglint-go-validation.sarif + + - name: Upload SARIF + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: flaglint-go-validation.sarif +``` + +`if: always()` belongs on the upload step, not the validate step, so GitHub Code Scanning still ingests results even when validation fails. SARIF findings use rule ID `flaglint.go.direct-launchdarkly`. + +## Feedback + +- [Edit this page on GitHub](https://github.com/flaglint/flaglint.dev/edit/main/src/content/docs/docs/go/guides/enforce-in-ci.md) +- [Report an issue](https://github.com/flaglint/flaglint-go/issues/new) +- See also: [validate reference](/docs/go/cli/validate/) +- Next: [flaglint-go Overview](/docs/go/) From f7617baa04e848375fb218658e1b2e358c91de03 Mon Sep 17 00:00:00 2001 From: Krishan Kant Sharma Date: Mon, 6 Jul 2026 16:03:46 -0500 Subject: [PATCH 2/2] docs(go): fix Homebrew PATH inaccuracy caught in review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The guide claimed brew is "preinstalled" on both ubuntu-latest and macos-latest with no caveat, showing a bare `brew install` step for both. Per actions/runner-images' own Ubuntu docs, Homebrew is preinstalled there but NOT added to PATH by default (it lives at /home/linuxbrew) — the shown one-liner would fail with "brew: command not found" as written. Only macos-latest has brew on PATH out of the box. Split the Homebrew instructions: macOS gets the bare install step, Ubuntu gets the required `brew shellenv` PATH setup first. go install remains the option used in the full workflow examples since it's runner-OS-agnostic. Signed-off-by: Krishan Kant Sharma --- src/content/docs/docs/go/guides/enforce-in-ci.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/content/docs/docs/go/guides/enforce-in-ci.md b/src/content/docs/docs/go/guides/enforce-in-ci.md index e9c2112..c6ee659 100644 --- a/src/content/docs/docs/go/guides/enforce-in-ci.md +++ b/src/content/docs/docs/go/guides/enforce-in-ci.md @@ -17,12 +17,22 @@ flaglint-go has no published GitHub Action (unlike flaglint-js's `flaglint/flagl - run: go install github.com/flaglint/flaglint-go/cmd/flaglint-go@latest ``` -**Via Homebrew** (no Go toolchain needed — `brew` is preinstalled on GitHub-hosted `ubuntu-latest` and `macos-latest` runners): +This is the option used in the full workflow examples below — it works the same way on every GitHub-hosted runner OS. + +**Via Homebrew** — on `macos-latest`, `brew` is already on `PATH`: ```yaml - run: brew install flaglint/tap/flaglint-go ``` +On `ubuntu-latest`, Homebrew is preinstalled but **not** added to `PATH` by default — initialize it first: + +```yaml +- run: | + eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" + brew install flaglint/tap/flaglint-go +``` + ## Recommended: Adopt With a Baseline First Turning on `--no-direct-launchdarkly` immediately fails CI for every existing call site — usually not what you want on day one. Capture current debt as a baseline once, commit it, and fail only on *new* debt going forward: