Makefile and build fixes #8355

Merged: janezpodhostnik merged 4 commits into master from janez/make-fixes, Jan 23, 2026

@janezpodhostnik janezpodhostnik commented Jan 20, 2026

I had some issues on my setup and I added fixes.

  • Update the crypto package to a version that fixes a build compatibility issue (related to GCC versions and reserved keywords)
  • Fix make lint failing to find golangci-lint when ~/go/bin is not in Make's PATH

Summary by CodeRabbit

  • Chores
    • Updated build tooling to invoke the linter via an explicit tool path to improve reliability.
    • Refined compiler flag handling for cryptographic operations (removed extraneous quoting).
    • Bumped Go toolchain and a cryptography dependency to newer patch versions for compatibility and security.

@janezpodhostnik janezpodhostnik self-assigned this Jan 20, 2026
@janezpodhostnik janezpodhostnik requested a review from a team as a code owner January 20, 2026 14:08
github-actions Bot commented Jan 20, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
|---|---|---|
| gomod/github.com/onflow/crypto | 0.25.4 | 🟢 4.7 |

Details

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 6 | Found 5/8 approved changesets -- score normalized to 6 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Maintained | 🟢 6 | 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Vulnerabilities | 🟢 7 | 3 existing vulnerabilities detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Scanned Files

  • go.mod
  • insecure/go.mod
  • integration/go.mod

coderabbitai Bot commented Jan 20, 2026

Walkthrough

Updated Makefile lint invocation to call golangci-lint from GOPATH bin; changed DISABLE_ADX in crypto_adx_flag.mk from a quoted string to unquoted; bumped Go toolchain and github.com/onflow/crypto versions in root, insecure/, and integration/ go.mod files.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Linter invocation (Makefile) | Replaced PATH-based golangci-lint call with explicit $(shell go env GOPATH)/bin/golangci-lint invocation. Review CI/dev environments that relied on PATH lookup. |
| Crypto ADX flags (crypto_adx_flag.mk) | DISABLE_ADX changed from a quoted string to an unquoted value; a comment block added. No other behavioral changes detected; verify make parsing of the unquoted flag. |
| Go toolchain and deps (go.mod, insecure/go.mod, integration/go.mod) | Bumped go directive from 1.25.0 → 1.25.1 and updated github.com/onflow/crypto v0.25.3 → v0.25.4 in three module files. Check module tidy/build in each module. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hopped through Make, with whiskers keen,
Found lints that traveled where they'd been.
Unquoted flags and versions raised,
A tidy trail the changes blazed. 🐇✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'Makefile and build fixes' accurately reflects the main changes: golangci-lint PATH resolution fix in Makefile, crypto module updates in multiple go.mod files, and crypto_adx_flag.mk variable formatting adjustment. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


codecov-commenter commented

Codecov Report

✅ All modified and coverable lines are covered by tests.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@crypto_adx_flag.mk`:
- Around line 26-33: The Makefile is omitting the C_STD_FLAG when building
non-ADX images; update the build flags so DISABLE_ADX and targets that pass
CGO_FLAG include the C standard flag. Either (A) append C_STD_FLAG to the
DISABLE_ADX variable (and adjust CRYPTO_FLAG's non-ADX branch to avoid
duplicating C_STD_FLAG), or (B) modify each docker-build-*-without-adx and
docker-build-*-without-netgo-without-adx target to pass CGO_FLAG as
"$(C_STD_FLAG) $(DISABLE_ADX)"; ensure you update references to DISABLE_ADX,
C_STD_FLAG and CRYPTO_FLAG so builds get "-std=gnu17" along with the portable
ADX disable flags.

Comment thread crypto_adx_flag.mk Outdated
Comment on lines +26 to +33
# Then, set `CRYPTO_FLAG`
# the crypto package uses BLST source files underneath which may use ADX instructions.
ifeq ($(ADX_SUPPORT), 1)
# if ADX instructions are supported on the current machine, default is to use a fast ADX implementation
CRYPTO_FLAG := ""
# if ADX instructions are supported on the current machine, default is to use a fast ADX implementation
CRYPTO_FLAG := "$(C_STD_FLAG)"
else
# if ADX instructions aren't supported, this CGO flags uses a slower non-ADX implementation
CRYPTO_FLAG := $(DISABLE_ADX)
# if ADX instructions aren't supported, this CGO flags uses a slower non-ADX implementation
CRYPTO_FLAG := "$(C_STD_FLAG) $(DISABLE_ADX)"
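
Review bot: The `CRYPTO_FLAG` assignments that reference `$(C_STD_FLAG)` keep their double quotes, and Make stores those quote characters as part of the variable's value. The flags then only behave as intended where a shell strips the quotes at the point of use, and a consumer that adds its own quotes gets nested ones. Define the values unquoted and quote them where the recipe expands them. The non-ADX comment also reads "this CGO flags uses"; "this CGO flag uses" is the intended wording.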

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check structure of the repo
cd /tmp && git ls-files | head -20

Repository: onflow/flow-go

Length of output: 126


🏁 Script executed:

#!/bin/bash
# Find Makefile
find . -name "Makefile" -o -name "*.mk" | head -20

Repository: onflow/flow-go

Length of output: 224


🏁 Script executed:

#!/bin/bash
# Verify which targets use DISABLE_ADX directly
echo "=== Checking for DISABLE_ADX definition ==="
rg -n 'DISABLE_ADX\s*:=' . --type makefile

echo ""
echo "=== Checking for CGO_FLAG=$(DISABLE_ADX) usage ==="
rg -n 'CGO_FLAG.*DISABLE_ADX' . --type makefile

echo ""
echo "=== Checking for CRYPTO_FLAG usage in docker-build targets ==="
rg -n 'docker-build.*ADX' . --type makefile -A 3

Repository: onflow/flow-go

Length of output: 369


🏁 Script executed:

#!/bin/bash
# Get context around CRYPTO_FLAG and DISABLE_ADX definitions
echo "=== Lines around CRYPTO_FLAG definition (lines 26-35) ==="
sed -n '20,40p' crypto_adx_flag.mk

echo ""
echo "=== Looking at entire crypto_adx_flag.mk ==="
wc -l crypto_adx_flag.mk
cat -n crypto_adx_flag.mk

Repository: onflow/flow-go

Length of output: 2574


🏁 Script executed:

#!/bin/bash
# Search for all docker-build-*-without-adx targets
echo "=== All docker-build targets with 'without-adx' ==="
rg -n 'docker-build.*without-adx' Makefile -A 5 | head -100

Repository: onflow/flow-go

Length of output: 8365


🏁 Script executed:

#!/bin/bash
# Count exact matches of CGO_FLAG=$(DISABLE_ADX) pattern
echo "=== Exact matches of CGO_FLAG=\$(DISABLE_ADX) ==="
rg 'CGO_FLAG=\$\(DISABLE_ADX\)' Makefile -n -c
rg 'CGO_FLAG=\$\(DISABLE_ADX\)' Makefile -n

Repository: onflow/flow-go

Length of output: 3156


Update Makefile targets to include C_STD_FLAG when using DISABLE_ADX.

The docker-build-*-without-adx and docker-build-*-without-netgo-without-adx targets pass CGO_FLAG=$(DISABLE_ADX) directly, which only includes -O2 -D__BLST_PORTABLE__ but omits -std=gnu17. This means 13 targets will fail on GCC 15+ which defaults to C23.

Consider either:

  1. Adding C_STD_FLAG to the DISABLE_ADX definition, or
  2. Updating those Makefile targets to use a combined flag

Option 1: Include C_STD_FLAG in DISABLE_ADX
 # Flags to disable ADX instructions for older CPUs
-DISABLE_ADX := -O2 -D__BLST_PORTABLE__
+DISABLE_ADX := $(C_STD_FLAG) -O2 -D__BLST_PORTABLE__
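
Review bot: `DISABLE_ADX` is assigned with `:=`, which expands `$(C_STD_FLAG)` at the moment the line is read, so the added line yields flags without `-std=` unless `C_STD_FLAG` is assigned earlier in the file; the hunk does not show that it is. Confirm the ordering or use a recursive `=` assignment here.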

Then update the CRYPTO_FLAG assignment for non-ADX case to avoid duplication:

 # if ADX instructions aren't supported, this CGO flags uses a slower non-ADX implementation
-	CRYPTO_FLAG := "$(C_STD_FLAG) $(DISABLE_ADX)"
+	CRYPTO_FLAG := "$(DISABLE_ADX)"

Affected targets (12 docker-build targets + 1 docker-build-util): collection, consensus, execution, verification, access, and observer (each with both -without-adx and -without-netgo-without-adx variants).

🤖 Prompt for AI Agents
In `@crypto_adx_flag.mk` around lines 26 - 33, The Makefile is omitting the
C_STD_FLAG when building non-ADX images; update the build flags so DISABLE_ADX
and targets that pass CGO_FLAG include the C standard flag. Either (A) append
C_STD_FLAG to the DISABLE_ADX variable (and adjust CRYPTO_FLAG's non-ADX branch
to avoid duplicating C_STD_FLAG), or (B) modify each docker-build-*-without-adx
and docker-build-*-without-netgo-without-adx target to pass CGO_FLAG as
"$(C_STD_FLAG) $(DISABLE_ADX)"; ensure you update references to DISABLE_ADX,
C_STD_FLAG and CRYPTO_FLAG so builds get "-std=gnu17" along with the portable
ADX disable flags.
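
The audit CodeRabbit ran by hand in the comment above, written as an added example that is not part of the PR or the flow-go repository: it lists every target whose recipe passes `CGO_FLAG=$(VAR)` where `VAR` expands to flags with no `-std=` option. The makefile text, the `docker build` recipe lines and the function names `sample_makefile` and `audit_cgo_std` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample, not the flow-go Makefile: one target takes the combined
# flag, the other passes DISABLE_ADX on its own, as described in the review.
sample_makefile() {
cat <<'EOF'
C_STD_FLAG := -std=gnu17
DISABLE_ADX := -O2 -D__BLST_PORTABLE__
CRYPTO_FLAG := "$(C_STD_FLAG) $(DISABLE_ADX)"

docker-build-collection:
	docker build --build-arg CGO_FLAG=$(CRYPTO_FLAG) .

docker-build-collection-without-adx:
	docker build --build-arg CGO_FLAG=$(DISABLE_ADX) .
EOF
}

# Reads makefile text on stdin; prints "<target> <variable>" for every recipe
# line passing CGO_FLAG=$(VAR) where VAR expands to flags without -std=.
audit_cgo_std() {
    awk '
    function expand(v, depth,    out, name, s, l) {
        if (depth > 8) return ""              # stop on reference cycles
        out = vars[v]
        while (match(out, /\$\([A-Za-z_][A-Za-z0-9_]*\)/)) {
            s = RSTART; l = RLENGTH           # save: the recursive call resets them
            name = substr(out, s + 2, l - 3)
            out = substr(out, 1, s - 1) expand(name, depth + 1) substr(out, s + l)
        }
        return out
    }
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*[:?]?=/ {   # variable definition
        match($0, /[ \t]*[:?]?=[ \t]*/)
        vars[substr($0, 1, RSTART - 1)] = substr($0, RSTART + RLENGTH)
        next
    }
    /^[A-Za-z0-9_.-]+:/ { target = $0; sub(/:.*/, "", target); next }
    /^[ \t]/ && match($0, /CGO_FLAG=\$\([A-Za-z_][A-Za-z0-9_]*\)/) {
        n++; tgt[n] = target
        ref[n] = substr($0, RSTART + 11, RLENGTH - 12)
    }
    END {
        for (i = 1; i <= n; i++)
            if ((" " expand(ref[i], 0)) !~ /[ \t"]-std=/)
                print tgt[i], ref[i]
    }'
}

sample_makefile | audit_cgo_std
```

The expansion is order-insensitive, so it does not catch a `:=` assignment that references a variable defined later in the file.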

tarakby commented Jan 20, 2026

Thanks for flagging this. I think we should fix this from within the crypto library.
I can work on a general fix for your setup and we can keep flow-go decoupled from C issues. Let's keep this PR non-merged for now till I update the crypto repo.

janezpodhostnik commented

I added a general CGO_CFLAGS = "-std=gnu17" for my setup right now and that fixes my issue. So I can also close this if we are planning to solve this differently.

tarakby commented Jan 21, 2026

I moved the fix to the crypto library (onflow/crypto#38) where the issue comes from, instead of the application layer. In general, I wanted to abstract the C build details from flow-go.
ADX instructions enabling or disabling is the only exception, and we need it for cross compiling the node software for other machines.

In the future, you can find the CFLAGS of the crypto build defined here, and the flags can be adjusted if needed.

janezpodhostnik commented

Thanks @tarakby. I can't approve, but it looks good to me.

@m-Peter m-Peter left a comment

LGTM!

@janezpodhostnik janezpodhostnik added this pull request to the merge queue Jan 23, 2026
Merged via the queue into master with commit 0e72ae4 Jan 23, 2026
61 checks passed
@janezpodhostnik janezpodhostnik deleted the janez/make-fixes branch January 23, 2026 17:27