chore: Add Code Static Analysis GH Workflow #56

Open: ykaiboussiSO wants to merge 3 commits into main from PQE-404

Conversation

@ykaiboussiSO (Contributor) commented Apr 2, 2026

Description

  • Add golangci-lint as a tool dependency in go.mod.
  • Create CI Workflow to run code static analysis.
  • Static analysis findings will be part of the outputs for visibility; they will not block the pipeline.

Resolves: PQE-404

Type of Change

  • Chore (a change that does not modify the application functionality)
  • Bug fix (a change that fixes an issue)
  • New feature / enhancement (a change that adds new functionality)
  • Refactor (no behaviour change)
  • Test coverage
  • Build / CI / tooling
  • Documentation

Testing

  • Unit tests added / updated
  • Integration tests added / updated
  • Manual integration tests run (go test -tags manual_integration ./integration/...)

Screenshots (if appropriate):

Driver Impact

  • PostgreSQL driver (drivers/pg)
  • Neo4j driver (drivers/neo4j)

Checklist

  • Code is formatted
  • All existing tests pass
  • go.mod / go.sum are up to date if dependencies changed

Summary by CodeRabbit

  • Chores
    • Updated Neo4j driver to v6.0.0
    • Added static analysis and code quality checks to the development pipeline

@coderabbitai (Bot) commented Apr 2, 2026

Walkthrough

This change introduces static code analysis tooling to the project by adding a GitHub Actions workflow that runs go vet and golangci-lint, along with their corresponding configuration files. The go.mod is updated to include the Neo4j driver v6 and additional linting-related indirect dependencies.

Changes

  • Static Analysis Workflow (.github/workflows/run-static-analysis.yml): New GitHub Actions workflow that executes go vet and golangci-lint on pull requests targeting main and stage/** branches.
  • Linting Configuration (.golangci.yml): New GolangCI-Lint configuration enabling staticcheck, gofmt, and goimports linters with JSON output to golangci-report.json.
  • Dependency Management (go.mod): Updated Neo4j Go driver from v5.28.4 to v6.0.0; added linting and analysis tool dependencies; added golangci-lint v2 tool directive.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A workflow's hop brings static cheer,
Linters now guard the code so dear,
Neo4j v6 arrives with grace,
Config files in their proper place,
Analysis tools, hooray hooray!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'chore: Add Code Static Analysis GH Workflow' clearly and accurately describes the main change: adding a GitHub Actions workflow for static analysis.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: ✅ Passed. The PR description covers all required sections including a clear summary, the resolved issue (PQE-404), type of change (Chore), testing details, driver impact, and a completed checklist confirming go.mod is up to date.


@coderabbitai (Bot) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (3)
.github/workflows/run-static-analysis.yml (2)

42-45: Consider adding output formatting for better CI integration.

Adding output formatting (e.g., --out-format=github-actions) provides better integration with GitHub's annotation system, making issues easier to discover directly in the PR diff view.

💡 Proposed enhancement
       - name: Run Analysis
         run: |
-          go tool golangci-lint run ./...
+          go tool golangci-lint run --out-format=github-actions ./...
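Review bot: `--out-format` would not be accepted by the golangci-lint this PR pins. go.mod adds a golangci-lint v2 tool directive, and v2 replaced `--out-format` with per-format `--output.<format>.path` flags (for example `--output.text.path=stdout`), so the step as proposed exits with a flag error before linting anything. Since .golangci.yml already routes JSON output to golangci-report.json, a second format belongs in that file's `output.formats` block rather than on the command line; `github-actions` is also not among the v2 output formats, so PR annotations would have to come from a separate step that reads the JSON report.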
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/run-static-analysis.yml around lines 42 - 45, Update the
"Run Analysis" workflow step so the golangci-lint invocation emits GitHub
Actions annotations: modify the command "go tool golangci-lint run ./..." to
include the output format flag (e.g., add --out-format=github-actions) so lint
findings surface as PR annotations; ensure the step name "Run Analysis" keeps
continue-on-error: true if desired.

24-26: Consider adding reopened event type for completeness.

The workflow triggers on opened and synchronize events but not reopened. Adding reopened ensures static analysis runs when a closed PR is reopened.

✨ Proposed addition
     types:
       - "opened"
       - "synchronize"
+      - "reopened"
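Review bot: `reopened` is worth adding but has a narrower effect than the comment implies: `synchronize` already runs the workflow on every push to the PR head, so `reopened` only adds a run when a PR is closed and reopened without new commits. If the list is being revisited, `ready_for_review` is the other commonly missed type, since converting a draft to ready fires neither `opened` nor `synchronize`.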
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/run-static-analysis.yml around lines 24 - 26, Add the
"reopened" pull_request type to the workflow trigger types so the static
analysis job also runs when a previously closed PR is reopened; update the types
array (currently containing "opened" and "synchronize") to include "reopened"
alongside those entries to ensure the workflow triggers on reopened PRs as well.
go.mod (1)

3-3: Consider updating Go version to 1.25.8 or later.

Go 1.25.0 is a valid, released version. However, Go 1.25.8 is available as a more recent patch in the same minor version series, and Go 1.26.1 is the latest stable release. Using an older patch version may miss important security fixes and improvements. Update go 1.25.0 to a more current version.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, Update the Go toolchain version in go.mod by replacing the
existing directive "go 1.25.0" with a newer patch/minor release (e.g., "go
1.25.8" or "go 1.26.1") so the module uses a Go release that includes recent
security fixes and improvements; locate the "go 1.25.0" directive in go.mod and
change it to the chosen newer version.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/run-static-analysis.yml:
- Around line 42-45: The CI step named "Run Analysis" currently sets
continue-on-error: true which allows golangci-lint failures to pass; remove the
continue-on-error: true key from that step so lint failures fail the job, and
optionally update the run command (the golangci-lint invocation) to use
--new-from-rev=<rev> or other flags if you want to enforce only new issues;
ensure you only modify the "Run Analysis" step and retain the existing
golangci-lint run ./... invocation otherwise.

In @.golangci.yml:
- Around line 3-4: The configuration currently disables the entire errcheck
linter; re-enable errcheck (remove the "- errcheck" entry) and, if certain
unchecked errors must be ignored, add targeted exclusions instead using
golangci-lint's configuration (e.g., add linters-settings for errcheck or use
exclude/exclude-rules or excludePatterns to silence specific files, functions,
or error-return patterns). Ensure the symbol "errcheck" is not listed under
disable and create precise exclude rules for known safe exceptions rather than
disabling the linter globally.


📥 Commits

Reviewing files that changed from the base of the PR and between 2380370 and 731ca05.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • .github/workflows/run-static-analysis.yml
  • .golangci.yml
  • go.mod

Comment thread on .golangci.yml (outdated), lines +3 to +4:
disable:
- errcheck

⚠️ Potential issue | 🔴 Critical

Critical: Do not disable the errcheck linter.

Disabling errcheck removes detection of unchecked error returns, which is a common source of correctness bugs and security vulnerabilities in Go. Unchecked errors can lead to silent failures, data corruption, resource leaks, and security issues.

If specific error checks need to be excluded, use targeted exclusions rather than disabling the entire linter.

✅ Proposed fix: Enable errcheck with targeted exclusions if needed
-linters:
-  disable:
-    - errcheck
+linters:
+  enable:
+    - errcheck
+# If specific exclusions are needed:
+# linters-settings:
+#   errcheck:
+#     exclude-functions:
+#       - fmt.Print.*
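Review bot: the commented `linters-settings:` block is golangci-lint v1 syntax and will not apply under the v2 tool directive this PR adds to go.mod; in the v2 schema errcheck settings live under `linters: settings: errcheck:`. Two smaller points: errcheck is in v2's default linter set, so deleting the `disable` entry is sufficient and the `enable` block is redundant; and `exclude-functions` matches fully qualified function names such as `fmt.Println`, not patterns, so `fmt.Print.*` would exclude nothing.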
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.golangci.yml around lines 3 - 4, The configuration currently disables the
entire errcheck linter; re-enable errcheck (remove the "- errcheck" entry) and,
if certain unchecked errors must be ignored, add targeted exclusions instead
using golangci-lint's configuration (e.g., add linters-settings for errcheck or
use exclude/exclude-rules or excludePatterns to silence specific files,
functions, or error-return patterns). Ensure the symbol "errcheck" is not listed
under disable and create precise exclude rules for known safe exceptions rather
than disabling the linter globally.
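As an added illustration of the silent-failure mode this comment describes (example code written for this page, not part of the dawgs repository; `failingCloser`, `saveUnchecked` and `saveChecked` are constructed names), the unchecked `Close` that errcheck reports is shown beside the form errcheck pushes you toward:

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// failingCloser is a constructed io.WriteCloser whose Close can fail, standing
// in for a file or network writer whose final flush does not reach storage.
type failingCloser struct {
	written  []byte
	closeErr error
}

func (f *failingCloser) Write(p []byte) (int, error) {
	f.written = append(f.written, p...)
	return len(p), nil
}

func (f *failingCloser) Close() error { return f.closeErr }

// saveUnchecked is the pattern errcheck reports: the Close error is dropped,
// so a failed flush is indistinguishable from success to the caller.
func saveUnchecked(w io.WriteCloser, data []byte) error {
	if _, err := w.Write(data); err != nil {
		return err
	}
	w.Close() // errcheck: Error return value of `w.Close` is not checked
	return nil
}

// saveChecked is the fix errcheck pushes you toward: Close runs in a defer and
// its error is surfaced unless an earlier write error already took precedence.
func saveChecked(w io.WriteCloser, data []byte) (err error) {
	defer func() {
		if cerr := w.Close(); cerr != nil && err == nil {
			err = cerr
		}
	}()
	_, err = w.Write(data)
	return err
}

func main() {
	flushErr := errors.New("flush failed")
	fmt.Println("unchecked:", saveUnchecked(&failingCloser{closeErr: flushErr}, []byte("x")))
	fmt.Println("checked:  ", saveChecked(&failingCloser{closeErr: flushErr}, []byte("x")))
}
```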

@coderabbitai (Bot) left a comment

🧹 Nitpick comments (1)
drivers/neo4j/result.go (1)

46-48: Consider propagating context through the result interface.

Using context.Background() here means that result iteration won't respect the caller's context cancellation or timeout. If the upstream neo4jTransaction has a deadline and the database is slow to return rows, this iteration will continue regardless.

This appears to be a design constraint of the current graph.Result interface, but worth noting as a potential improvement area for timeout-sensitive workloads.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@drivers/neo4j/result.go` around lines 46 - 48, The Next method on
internalResult currently calls s.driverResult.Next(context.Background()), which
ignores caller cancellation; update the graph.Result contract and implementation
to propagate context: change the graph.Result.Next signature to Next(ctx
context.Context) (or add NextContext(ctx context.Context) if you need backward
compatibility), then update internalResult.Next to call s.driverResult.Next(ctx)
and adjust all callers (including neo4jTransaction usage sites) to pass through
the originating context/deadline. Ensure all other Result implementations and
tests are updated to match the new signature so iteration respects
cancellation/timeouts.


📥 Commits

Reviewing files that changed from the base of the PR and between 731ca05 and 2f073eb.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (22)
  • .github/workflows/run-static-analysis.yml
  • .golangci.yml
  • cmd/benchmark/main.go
  • container/bfs.go
  • container/pacmap.go
  • cypher/frontend/query.go
  • cypher/models/pgsql/translate/expression.go
  • drivers/neo4j/batch.go
  • drivers/neo4j/driver.go
  • drivers/neo4j/mapper.go
  • drivers/neo4j/neo4j.go
  • drivers/neo4j/node.go
  • drivers/neo4j/relationship.go
  • drivers/neo4j/result.go
  • drivers/neo4j/result_internal_test.go
  • drivers/neo4j/transaction.go
  • drivers/neo4j/wrapper.go
  • go.mod
  • graph/properties.go
  • opengraph/load.go
  • util/errors.go
  • util/errors_test.go
✅ Files skipped from review due to trivial changes (7)
  • container/pacmap.go
  • cypher/models/pgsql/translate/expression.go
  • util/errors_test.go
  • container/bfs.go
  • cypher/frontend/query.go
  • cmd/benchmark/main.go
  • .golangci.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/run-static-analysis.yml
  • go.mod
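To show what the context-propagation suggestion for graph.Result.Next (drivers/neo4j/result.go, above) buys a caller with a deadline, an added example that is not dawgs code: `Result`, `slowCursor` and `countRows` are constructed stand-ins for graph.Result, the driver cursor and its consumer.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Result is the cursor contract the review suggests for graph.Result: Next takes the caller's ctx (constructed, not dawgs code).
type Result interface {
	Next(ctx context.Context) bool
	Err() error
}

// slowCursor stands in for a driver result that needs `delay` per row.
type slowCursor struct {
	rows  int
	delay time.Duration
	err   error
}

// Next waits for a row but stops as soon as ctx is done, so the caller's deadline bounds the iteration.
func (c *slowCursor) Next(ctx context.Context) bool {
	select {
	case <-time.After(c.delay): // the database produced a row
		c.rows--
		return c.rows >= 0 // true for the first `rows` calls, then false
	case <-ctx.Done(): // deadline or cancellation from the caller
		c.err = ctx.Err()
		return false
	}
}

func (c *slowCursor) Err() error { return c.err }

// countRows drains res under ctx; returns rows consumed and the cursor's terminal error (ctx.Err() on a deadline).
func countRows(ctx context.Context, res Result) (int, error) {
	n := 0
	for res.Next(ctx) {
		n++
	}
	return n, res.Err()
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 12*time.Millisecond)
	defer cancel()
	n, err := countRows(ctx, &slowCursor{rows: 20, delay: 5 * time.Millisecond})
	fmt.Printf("rows=%d err=%v\n", n, err) // a few rows, then "context deadline exceeded"
}
```

With `context.Background()` in place of the caller's ctx, as the current code does, the same cursor is drained to the end regardless of the caller's deadline.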


Comment thread on .github/workflows/run-static-analysis.yml:

      - name: Vet source code
        run: |
          go vet $(go list ./... | grep -v github.com/specterops/dawgs/cypher/parser)

Contributor comment:

neat

@urangel (Contributor) left a comment

lgtm, would recommend giving @kpom-specter a chance to take a look too!
