chore: add golangci-lint, bump Go to 1.26, fix all lint issues (#133)

## Summary
- Add `.golangci.yml` with linter configuration matching the main gitea repo
- Add `lint`, `lint-fix`, `lint-go`, `lint-go-fix`, and `security-check` Makefile targets
- Add `tidy` Makefile target (extracts min Go version from `go.mod` for `-compat` flag)
- Bump minimum Go version to 1.26
- Update golangci-lint to v2.10.1
- Replace `golang/govulncheck-action` with `make security-check` in CI
- Add `make lint` step to CI
- Fix all lint issues across the codebase (formatting, `errors.New` vs `fmt.Errorf`, `any` vs `interface{}`, unused returns, stuttering names, Go 1.26 `new(expr)`, etc.)
- Remove unused `pkg/ptr` package (inlined by Go 1.26 `new(expr)`)
- Remove dead linter exclusions (staticcheck, gocritic, testifylint, dupl)

## Test plan
- [x] `make lint` passes
- [x] `go test ./...` passes
- [x] `make build` succeeds

Reviewed-on: https://gitea.com/gitea/gitea-mcp/pulls/133
Reviewed-by: techknowlogick <techknowlogick@noreply.gitea.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-committed-by: silverwind <me@silverwind.io>

pkg/gitea/gitea.go

@@ -34,7 +34,7 @@ func NewClient(token string) (*gitea.Client, error) {
 	}
 
 	// Set user agent for the client
-	client.SetUserAgent(fmt.Sprintf("gitea-mcp-server/%s", flag.Version))
+	client.SetUserAgent("gitea-mcp-server/" + flag.Version)
 	return client, nil
 }
 

pkg/gitea/rest.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -40,7 +41,7 @@ func tokenFromContext(ctx context.Context) string {
 func newRESTHTTPClient() *http.Client {
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	if flag.Insecure {
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec // user-requested insecure mode
 	}
 	return &http.Client{
 		Transport: transport,
@@ -51,7 +52,7 @@ func newRESTHTTPClient() *http.Client {
 func buildAPIURL(path string, query url.Values) (string, error) {
 	host := strings.TrimRight(flag.Host, "/")
 	if host == "" {
-		return "", fmt.Errorf("gitea host is empty")
+		return "", errors.New("gitea host is empty")
 	}
 	p := strings.TrimLeft(path, "/")
 	u, err := url.Parse(fmt.Sprintf("%s/api/v1/%s", host, p))
@@ -66,7 +67,7 @@ func buildAPIURL(path string, query url.Values) (string, error) {
 
 // DoJSON performs an API request and decodes a JSON response into respOut (if non-nil).
 // It returns the HTTP status code.
-func DoJSON(ctx context.Context, method, path string, query url.Values, body any, respOut any) (int, error) {
+func DoJSON(ctx context.Context, method, path string, query url.Values, body, respOut any) (int, error) {
 	var bodyReader io.Reader
 	if body != nil {
 		b, err := json.Marshal(body)
@@ -87,7 +88,7 @@ func DoJSON(ctx context.Context, method, path string, query url.Values, body any
 
 	token := tokenFromContext(ctx)
 	if token != "" {
-		req.Header.Set("Authorization", fmt.Sprintf("token %s", token))
+		req.Header.Set("Authorization", "token "+token)
 	}
 	req.Header.Set("Accept", "application/json")
 	if body != nil {
@@ -107,7 +108,7 @@ func DoJSON(ctx context.Context, method, path string, query url.Values, body any
 	}
 
 	if respOut == nil {
-		io.Copy(io.Discard, resp.Body) // best-effort
+		_, _ = io.Copy(io.Discard, resp.Body) // best-effort
 		return resp.StatusCode, nil
 	}
 
@@ -140,7 +141,7 @@ func DoBytes(ctx context.Context, method, path string, query url.Values, body an
 
 	token := tokenFromContext(ctx)
 	if token != "" {
-		req.Header.Set("Authorization", fmt.Sprintf("token %s", token))
+		req.Header.Set("Authorization", "token "+token)
 	}
 	if accept != "" {
 		req.Header.Set("Accept", accept)
@@ -171,5 +172,3 @@ func DoBytes(ctx context.Context, method, path string, query url.Values, body an
 
 	return respBytes, resp.StatusCode, nil
 }
-
-

pkg/gitea/rest_test.go

@@ -28,5 +28,3 @@ func TestTokenFromContext(t *testing.T) {
 		}
 	})
 }
-
-