From 1af7d7cdd51fdc91980b643628c8eae20578d8b1 Mon Sep 17 00:00:00 2001
From: Shubham Malik <shubham@stepsecurity.io>
Date: Mon, 15 Jun 2026 19:20:30 +0530
Subject: [PATCH 1/2] chore: bump Go toolchain to 1.26

---
 .tool-versions | 2 +-
 README.md      | 2 +-
 go.mod         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.tool-versions b/.tool-versions
index a425f40..5bc54b1 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1 +1 @@
-golang 1.24.13
+golang 1.26.4
diff --git a/README.md b/README.md
index e5c4f44..41216cd 100644
--- a/README.md
+++ b/README.md
@@ -108,7 +108,7 @@ make build
 ./stepsecurity-dev-machine-guard
 ```
 
-Requires Go 1.24+. The binary has zero external dependencies.
+Requires Go 1.26+. The binary has zero external dependencies.
 
 ## Usage
 
diff --git a/go.mod b/go.mod
index 90a2829..efd3399 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/step-security/dev-machine-guard
 
-go 1.24
+go 1.26
 
 require golang.org/x/sys v0.33.0
 

From ce63e1c8cd61244bfa88ed74859f9a4bc9ea745f Mon Sep 17 00:00:00 2001
From: Shubham Malik <shubham@stepsecurity.io>
Date: Mon, 15 Jun 2026 21:24:24 +0530
Subject: [PATCH 2/2] ci: build golangci-lint with Go 1.26 to unblock lint

---
 .github/workflows/tests.yml |  6 +++++-
 .golangci.yml               | 23 +++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 .golangci.yml

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index ddd0f85..974aa8a 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -46,9 +46,13 @@ jobs:
             exit 1
           fi
 
-      - uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+      - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
+          # No released golangci-lint is built with Go 1.26 yet, and it refuses
+          # to lint a module targeting a newer Go than it was built with. Compile
+          # it from source with this job's Go 1.26 toolchain so the check passes.
+          install-mode: goinstall
 
   build:
     name: Build (${{ matrix.goos }}/${{ matrix.goarch }})
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 0000000..be7c9ad
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,23 @@
+# golangci-lint configuration.
+#
+# Historically this project ran golangci-lint v1 with no config file, relying on
+# its built-in default exclusions. Building the linter with Go 1.26 requires
+# golangci-lint v2 (see the lint job in .github/workflows/tests.yml), and v2
+# dropped those default exclusions. This config restores the previous effective
+# lint policy so the Go toolchain bump stays scoped and does not churn unrelated
+# code.
+version: "2"
+linters:
+  exclusions:
+    presets:
+      # Restores v1's default errcheck excludes for the standard
+      # error-returning calls that are conventionally ignored
+      # (Close/Flush/os.Remove/os.Setenv/os.Unsetenv/print*). This was the old
+      # built-in EXC0001 rule.
+      - std-error-handling
+    rules:
+      # QF (quickfix) style suggestions were not enforced under v1; keep them
+      # off to preserve the prior policy.
+      - linters:
+          - staticcheck
+        text: "QF1001|QF1002"