chore: Add Code Static Analysis GH Workflow #56

Open
ykaiboussiSO wants to merge 16 commits into main from PQE-404
Contributor

ykaiboussiSO commented Apr 2, 2026

Description

  • Add golangci-lint as tool dependency in go.mod
  • Create CI Workflow to run code static analysis
  • Address "Major" issues from staticcheck linter and formatting error.
  • Outstanding changeset upgrading neo4j driver from v5.28.4 to v6.0.0

Resolves: PQE-404

Type of Change

  • Chore (a change that does not modify the application functionality)
  • Bug fix (a change that fixes an issue)
  • New feature / enhancement (a change that adds new functionality)
  • Refactor (no behaviour change)
  • Test coverage
  • Build / CI / tooling
  • Documentation

Testing

  • Unit tests added / updated
  • Integration tests added / updated
  • Manual integration tests run (go test -tags manual_integration ./integration/...)

Screenshots (if appropriate):

Driver Impact

  • PostgreSQL driver (drivers/pg)
  • Neo4j driver (drivers/neo4j)

Checklist

  • Code is formatted
  • All existing tests pass
  • go.mod / go.sum are up to date if dependencies changed

Summary by CodeRabbit

  • Chores
    • Added automated static code analysis on pull requests and CI linting/formatting configuration.
    • Updated Go module tooling and development dependencies.
    • Upgraded underlying Neo4j driver to a new major version and adapted code to its context-aware APIs for improved stability and compatibility.

coderabbitai bot commented Apr 2, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between a1fd4d2 and eb51839.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • drivers/neo4j/driver.go
  • go.mod

Walkthrough

Added CI static-analysis workflow and GolangCI-Lint config, updated go.mod tooling/dependencies, migrated Neo4j driver usage to v6 (context-aware APIs) across driver and transaction-related code, refactored relationship creation in opengraph, and applied small local code cleanups.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI/CD Static Analysis Pipeline: .github/workflows/run-static-analysis.yml | Added GitHub Actions workflow "Run Code Static Analysis" to run golangci-lint on PR opened and synchronize for main and stage/**; checks out repo, installs Go from go.mod, caches Go, runs go vet (with one package excluded) and golangci-lint run. |
| GolangCI-Lint Config: .golangci.yml | Added GolangCI-Lint configuration (version: "2"): disables errcheck, configures staticcheck exclusions, formatter settings (gofmt/goimports), file-specific linter ignores, and emits JSON to golangci-report.json. |
| Go module tooling & dependencies: go.mod | Added tool directive for golangci-lint, bumped Neo4j driver to v6, and added/updated many indirect dependencies (mainly linting/static-analysis libs). |
| Neo4j driver migration (imports & API changes): drivers/neo4j/..., drivers/neo4j/batch.go, drivers/neo4j/driver.go, drivers/neo4j/mapper.go, drivers/neo4j/neo4j.go, drivers/neo4j/node.go, drivers/neo4j/relationship.go, drivers/neo4j/result.go, drivers/neo4j/transaction.go, drivers/neo4j/wrapper.go, drivers/neo4j/result_internal_test.go | Switched imports from .../v5/neo4j to .../v6/neo4j; migrated to v6 context-aware APIs (session/transaction/result Run/Commit/Close now accept context.Context), changed transaction type to ExplicitTransaction where required, and updated wrapper method signatures to include context. |
| Neo4j-related usages elsewhere: graph/properties.go, util/errors.go, util/errors_test.go | Updated Neo4j dbtype/neo4j imports to v6 and adjusted type assertions/error type checks to reference v6 types. |
| Batch/Graph changes: opengraph/load.go | Refactored relationship creation to build a graph.Relationship struct and call batch.CreateRelationship(relationship) instead of CreateRelationshipByIDs(...); mapping and error handling retained. |
| Small code cleanups / refactors: container/bfs.go, container/pacmap.go, cypher/frontend/query.go, cypher/models/pgsql/translate/expression.go, cmd/benchmark/main.go | Minor local edits: removed unused range binding, used type inference for locals, switched to var boolean declaration, replaced strings.Replace(..., -1) with strings.ReplaceAll, and adjusted flag alignment (no behavioral changes). |
| Workflow removal: .github/workflows/go-test.yml | Removed a commented-out vet job section (deleted legacy go vet steps). |

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant DriverLib as Neo4jDriver(v6)
    participant Session
    participant Transaction
    participant Database
    Client->>DriverLib: NewSession(ctx, cfg)
    DriverLib->>Session: return session(handle)
    Client->>Session: BeginTransaction(ctx, opts)
    Session->>Transaction: return explicit transaction
    Client->>Transaction: Run(ctx, statement, params)
    Transaction->>Database: execute statement
    Database-->>Transaction: result
    Client->>Transaction: Commit(ctx)
    Transaction->>Database: commit
    Client->>Session: Close(ctx)
    DriverLib->>Client: Close(ctx)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hop through code with eager paws,
New linters hum to tidy laws,
Drivers v6 now carry the day,
Context in tow as I bound the way.
A little hop for clearer plays ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main objective of adding a GitHub Actions workflow for static analysis, which is supported by the addition of the workflow file and golangci-lint configuration. |
| Description check | ✅ Passed | The description covers the key changes (golangci-lint tool addition, CI workflow creation, linter fixes, Neo4j upgrade) and follows the template structure with completed sections, though some optional sections lack detail. |

coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (3)
.github/workflows/run-static-analysis.yml (2)

42-45: Consider adding output formatting for better CI integration.

Adding output formatting (e.g., --out-format=github-actions) provides better integration with GitHub's annotation system, making issues easier to discover directly in the PR diff view.

💡 Proposed enhancement
       - name: Run Analysis
         run: |
-          go tool golangci-lint run ./...
+          go tool golangci-lint run --out-format=github-actions ./...
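
Review bot: the `+` line adds --out-format=github-actions, but the walkthrough describes .golangci.yml as version: "2" and as already emitting JSON to golangci-report.json. In golangci-lint v2 output is selected through the --output.<format>.path options rather than --out-format, so check the flag against the release pinned by the go.mod tool directive before applying it, and decide whether annotations should replace the JSON report or be produced alongside it.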
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/run-static-analysis.yml around lines 42 - 45, Update the
"Run Analysis" workflow step so the golangci-lint invocation emits GitHub
Actions annotations: modify the command "go tool golangci-lint run ./..." to
include the output format flag (e.g., add --out-format=github-actions) so lint
findings surface as PR annotations; ensure the step name "Run Analysis" keeps
continue-on-error: true if desired.

24-26: Consider adding reopened event type for completeness.

The workflow triggers on opened and synchronize events but not reopened. Adding reopened ensures static analysis runs when a closed PR is reopened.

✨ Proposed addition
     types:
       - "opened"
       - "synchronize"
+      - "reopened"
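
Review bot: with "reopened" added on the `+` line, the types list equals GitHub's default activity types for pull_request (opened, synchronize, reopened), so the types key can be dropped instead of extended. Keep the explicit list only if it is expected to diverge from the default later.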
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/run-static-analysis.yml around lines 24 - 26, Add the
"reopened" pull_request type to the workflow trigger types so the static
analysis job also runs when a previously closed PR is reopened; update the types
array (currently containing "opened" and "synchronize") to include "reopened"
alongside those entries to ensure the workflow triggers on reopened PRs as well.
go.mod (1)

3-3: Consider updating Go version to 1.25.8 or later.

Go 1.25.0 is a valid, released version. However, Go 1.25.8 is available as a more recent patch in the same minor version series, and Go 1.26.1 is the latest stable release. Using an older patch version may miss important security fixes and improvements. Update go 1.25.0 to a more current version.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 3, Update the Go toolchain version in go.mod by replacing the
existing directive "go 1.25.0" with a newer patch/minor release (e.g., "go
1.25.8" or "go 1.26.1") so the module uses a Go release that includes recent
security fixes and improvements; locate the "go 1.25.0" directive in go.mod and
change it to the chosen newer version.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/run-static-analysis.yml:
- Around line 42-45: The CI step named "Run Analysis" currently sets
continue-on-error: true which allows golangci-lint failures to pass; remove the
continue-on-error: true key from that step so lint failures fail the job, and
optionally update the run command (the golangci-lint invocation) to use
--new-from-rev=<rev> or other flags if you want to enforce only new issues;
ensure you only modify the "Run Analysis" step and retain the existing
golangci-lint run ./... invocation otherwise.

In @.golangci.yml:
- Around line 3-4: The configuration currently disables the entire errcheck
linter; re-enable errcheck (remove the "- errcheck" entry) and, if certain
unchecked errors must be ignored, add targeted exclusions instead using
golangci-lint's configuration (e.g., add linters-settings for errcheck or use
exclude/exclude-rules or excludePatterns to silence specific files, functions,
or error-return patterns). Ensure the symbol "errcheck" is not listed under
disable and create precise exclude rules for known safe exceptions rather than
disabling the linter globally.


📥 Commits

Reviewing files that changed from the base of the PR and between 2380370 and 731ca05.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • .github/workflows/run-static-analysis.yml
  • .golangci.yml
  • go.mod

Comment thread .github/workflows/run-static-analysis.yml Outdated
Comment thread .golangci.yml
Comment on lines +3 to +4
disable:
- errcheck

⚠️ Potential issue | 🔴 Critical

Critical: Do not disable the errcheck linter.

Disabling errcheck removes detection of unchecked error returns, which is a common source of correctness bugs and security vulnerabilities in Go. Unchecked errors can lead to silent failures, data corruption, resource leaks, and security issues.

If specific error checks need to be excluded, use targeted exclusions rather than disabling the entire linter.

✅ Proposed fix: Enable errcheck with targeted exclusions if needed
-linters:
-  disable:
-    - errcheck
+linters:
+  enable:
+    - errcheck
+# If specific exclusions are needed:
+# linters-settings:
+#   errcheck:
+#     exclude-functions:
+#       - fmt.Print.*
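
Review bot: the commented block on the `+` lines uses a top-level linters-settings key, which is the v1 layout, while the walkthrough describes this file as version: "2"; in a v2 file the errcheck settings belong under linters.settings.errcheck. The fmt.Print.* entry is also written as a pattern, whereas exclude-functions expects fully qualified function names, so list the exact functions to exempt. Deleting the "- errcheck" entry from disable is enough to turn the linter back on, because errcheck is in golangci-lint's default set, which makes the added enable block optional.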

check-latest: true

- name: Run Analysis
continue-on-error: true
Contributor

I agree with the 🐇 here in that we would benefit from hard failing given that the static analysis is of value. We may need to tackle the current findings in order to enable merging this check into main

Contributor Author

Thank you, @urangel, for your feedback. Going forward, our CI will fail on errors. I also pushed changes to address the major issues flagged by staticcheck and to fix formatting.

coderabbitai bot left a comment

🧹 Nitpick comments (1)
drivers/neo4j/result.go (1)

46-48: Consider propagating context through the result interface.

Using context.Background() here means that result iteration won't respect the caller's context cancellation or timeout. If the upstream neo4jTransaction has a deadline and the database is slow to return rows, this iteration will continue regardless.

This appears to be a design constraint of the current graph.Result interface, but worth noting as a potential improvement area for timeout-sensitive workloads.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@drivers/neo4j/result.go` around lines 46 - 48, The Next method on
internalResult currently calls s.driverResult.Next(context.Background()), which
ignores caller cancellation; update the graph.Result contract and implementation
to propagate context: change the graph.Result.Next signature to Next(ctx
context.Context) (or add NextContext(ctx context.Context) if you need backward
compatibility), then update internalResult.Next to call s.driverResult.Next(ctx)
and adjust all callers (including neo4jTransaction usage sites) to pass through
the originating context/deadline. Ensure all other Result implementations and
tests are updated to match the new signature so iteration respects
cancellation/timeouts.
📥 Commits

Reviewing files that changed from the base of the PR and between 731ca05 and 2f073eb.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (22)
  • .github/workflows/run-static-analysis.yml
  • .golangci.yml
  • cmd/benchmark/main.go
  • container/bfs.go
  • container/pacmap.go
  • cypher/frontend/query.go
  • cypher/models/pgsql/translate/expression.go
  • drivers/neo4j/batch.go
  • drivers/neo4j/driver.go
  • drivers/neo4j/mapper.go
  • drivers/neo4j/neo4j.go
  • drivers/neo4j/node.go
  • drivers/neo4j/relationship.go
  • drivers/neo4j/result.go
  • drivers/neo4j/result_internal_test.go
  • drivers/neo4j/transaction.go
  • drivers/neo4j/wrapper.go
  • go.mod
  • graph/properties.go
  • opengraph/load.go
  • util/errors.go
  • util/errors_test.go
✅ Files skipped from review due to trivial changes (7)
  • container/pacmap.go
  • cypher/models/pgsql/translate/expression.go
  • util/errors_test.go
  • container/bfs.go
  • cypher/frontend/query.go
  • cmd/benchmark/main.go
  • .golangci.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/run-static-analysis.yml
  • go.mod
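
The cancellation gap raised in the drivers/neo4j/result.go nitpick, as an added example that is not code from this PR or the project: iterating with context.Background() runs past the caller's deadline, while passing the caller's context stops at it. `slowRows`, `drain`, `run` and both timings are constructed stand-ins for a driver result and its wrapper.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

const rowDelay = 50 * time.Millisecond      // constructed: server time per row
const callerTimeout = 75 * time.Millisecond // constructed: caller's deadline

// slowRows is a stand-in driver result: Next blocks until a row or ctx is done.
type slowRows struct {
	remaining int
	err       error
}

func (r *slowRows) Next(ctx context.Context) bool {
	if r.remaining == 0 {
		return false
	}
	select {
	case <-time.After(rowDelay):
		r.remaining--
		return true
	case <-ctx.Done():
		r.err = ctx.Err()
		return false
	}
}

// drain iterates until Next reports false; returns rows read and any error.
func drain(ctx context.Context, r *slowRows) (int, error) {
	n := 0
	for r.Next(ctx) {
		n++
	}
	return n, r.err
}

// run reads five slow rows under callerTimeout. propagate=false mirrors the
// flagged pattern: the driver gets context.Background(), not the caller's ctx.
func run(propagate bool) (int, time.Duration, error) {
	ctx, cancel := context.WithTimeout(context.Background(), callerTimeout)
	defer cancel()
	iterCtx := context.Background()
	if propagate {
		iterCtx = ctx
	}
	start := time.Now()
	n, err := drain(iterCtx, &slowRows{remaining: 5})
	return n, time.Since(start), err
}

func main() {
	for _, p := range []bool{false, true} {
		n, took, err := run(p)
		fmt.Println("propagate:", p, "rows:", n, "took:", took.Round(time.Millisecond), "err:", err)
	}
}
```

In the detached run all five rows arrive with a nil error long after the deadline has passed, so the caller has no signal that its timeout was ignored.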
