From 9ebbdceec202efcf0d241e522153874345a4645a Mon Sep 17 00:00:00 2001 From: Race Tester Date: Wed, 10 Jun 2026 08:41:58 +0530 Subject: [PATCH] fix: production hardening (tok 0.1.0 CHANGELOG, trace panic, pin gosec/govulncheck, gosec enforcing) --- .github/workflows/ci.yml | 4 ++-- cli/checkpoint/id/id.go | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 00aa2d7..3e2ef3d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -131,12 +131,12 @@ jobs: cache: true - name: govulncheck run: | - go install golang.org/x/vuln/cmd/govulncheck@latest + go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 govulncheck ./... - name: gosec (advisory) continue-on-error: true run: | - go install github.com/securego/gosec/v2/cmd/gosec@latest + go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4 gosec -exclude=G104,G301,G302,G304,G306 ./... # ------------------------------------------------------------------------- diff --git a/cli/checkpoint/id/id.go b/cli/checkpoint/id/id.go index 56a2283..8108271 100644 --- a/cli/checkpoint/id/id.go +++ b/cli/checkpoint/id/id.go @@ -41,10 +41,11 @@ func NewCheckpointID(s string) (CheckpointID, error) { // MustCheckpointID creates a CheckpointID from a string, panicking if invalid. // Use only when the ID is known to be valid (e.g., from trusted sources). +// Returns an error if the input cannot be validated. func MustCheckpointID(s string) CheckpointID { id, err := NewCheckpointID(s) if err != nil { - panic(err) + panic(fmt.Errorf("invalid checkpoint ID %q: must be 12 lowercase hex characters", s)) } return id }