From 3a5db2d442f83f8c3d9bea68f9785f1f8c689503 Mon Sep 17 00:00:00 2001
From: Cristian Greco <cristian@regolo.cc>
Date: Fri, 11 Jul 2025 11:53:32 +0200
Subject: [PATCH] ci: address golangci-lint issue with persist-credentials
 (#16861)

* ci: address golangci-lint issue with persist-credentials

Fixes the following zizmor warning:

```
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> scripts/golangci-lint.yml:26:9
   |
26 |         - name: Checkout repository
   |  _________-
27 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
28 | |         # with:
29 | |         #   persist-credentials: false
   | |______________________________________- does not set persist-credentials: false
```

All other actions have been fixed in https://github.com/prometheus/prometheus/pull/16530

Credit to @jharvey10 who also addressed this particular issue in
https://github.com/grafana/postgres_exporter/commit/a5bf67d897ac760f0205d87fb6354957516ee1ca

Signed-off-by: Cristian Greco <cristian@regolo.cc>

* update golangci-lint to v2.2.1

Signed-off-by: Cristian Greco <cristian@regolo.cc>

---------

Signed-off-by: Cristian Greco <cristian@regolo.cc>
---
 .github/workflows/ci.yml  | 2 +-
 Makefile.common           | 2 +-
 scripts/golangci-lint.yml | 4 +++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ea10fd0091..3e2cef99e6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -231,7 +231,7 @@ jobs:
         with:
           args: --verbose
           # Make sure to sync this with Makefile.common and scripts/golangci-lint.yml.
-          version: v2.1.5
+          version: v2.2.1
   fuzzing:
     uses: ./.github/workflows/fuzzing.yml
     if: github.event_name == 'pull_request'
diff --git a/Makefile.common b/Makefile.common
index 6f61bec48f..1f4c9025a5 100644
--- a/Makefile.common
+++ b/Makefile.common
@@ -61,7 +61,7 @@ PROMU_URL     := https://github.com/prometheus/promu/releases/download/v$(PROMU_
 SKIP_GOLANGCI_LINT :=
 GOLANGCI_LINT :=
 GOLANGCI_LINT_OPTS ?=
-GOLANGCI_LINT_VERSION ?= v2.1.5
+GOLANGCI_LINT_VERSION ?= v2.2.1
 GOLANGCI_FMT_OPTS ?=
 # golangci-lint only supports linux, darwin and windows platforms on i386/amd64/arm64.
 # windows isn't included here because of the path separator being different.
diff --git a/scripts/golangci-lint.yml b/scripts/golangci-lint.yml
index 672dd424d6..b74e7b6bbd 100644
--- a/scripts/golangci-lint.yml
+++ b/scripts/golangci-lint.yml
@@ -25,6 +25,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Install Go
         uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
@@ -36,4 +38,4 @@ jobs:
         uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
         with:
           args: --verbose
-          version: v2.1.5
+          version: v2.2.1