From 4d1bbf7d59a4851e9f3f61e09127e80d5f0d962c Mon Sep 17 00:00:00 2001 From: Jonathan Haas Date: Fri, 10 Apr 2026 23:37:33 -0700 Subject: [PATCH 1/2] ci: stabilize keep tool bootstrap --- .github/workflows/ci.yml | 6 +++--- Makefile | 25 +++++++++++++++---------- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3eb10d1..59a42ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,7 +29,7 @@ jobs: python-version: ${{ env.PYTHON_VERSION }} - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@v7 - name: Install toolchains run: make install-tools @@ -82,7 +82,7 @@ jobs: python-version: ${{ env.PYTHON_VERSION }} - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@v7 - name: Install Python dependencies run: | @@ -124,7 +124,7 @@ jobs: check-latest: true - name: Install uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@v7 - name: Prepare tooling run: make install-tools diff --git a/Makefile b/Makefile index 81d7652..a1ba169 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,11 @@ PROJECT_NAME := keep -GOLANGCI_LINT ?= golangci-lint +GOLANGCI_LINT_VERSION ?= 1.64.8 GOBIN := $(shell go env GOPATH)/bin +GOLANGCI_LINT ?= $(GOBIN)/golangci-lint +GOIMPORTS ?= $(GOBIN)/goimports +GOVULNCHECK ?= $(GOBIN)/govulncheck +GOSEC ?= $(GOBIN)/gosec +OPA ?= $(GOBIN)/opa export PATH := $(GOBIN):$(PATH) .PHONY: all tidy build test lint format lint-go lint-python format-go format-python docker-up docker-down docker-logs db-migrate opa-test cert-refresh setup-venv security @@ -26,7 +31,7 @@ format: format-go format-python format-go: @echo "Formatting Go code..." go fmt ./... - goimports -w -local github.com/EvalOps/keep . + $(GOIMPORTS) -w -local github.com/EvalOps/keep . format-python: @echo "Formatting Python code..." 
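Review bot: The new absolute defaults (`GOLANGCI_LINT ?= $(GOBIN)/golangci-lint` and the three below it) assume `go install` writes to `$(shell go env GOPATH)/bin`, but the Makefile's `GOBIN` reaches recipes only if it was already set in the environment. If a developer has set GOBIN with `go env -w`, or GOPATH holds more than one entry, the binaries land elsewhere and the `test -x` checks added later in this patch fail right after a successful `make install-tools`. Adding `export GOBIN` after the assignment would make `go install` write where these variables point. The multi-entry GOPATH case would also need the first entry picked out, which I have not checked against this project's setups.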
@@ -65,7 +70,7 @@ db-migrate-status: go run ./cmd/migrate -version opa-test: - opa test ./policies + $(OPA) test ./policies cert-refresh: go run ./cmd/authz cert-refresh @@ -74,7 +79,7 @@ cert-refresh: install-tools: @echo "Installing Go tools..." mkdir -p $(GOBIN) - go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest + GOPROXY=https://proxy.golang.org,direct go install github.com/golangci/golangci-lint/cmd/golangci-lint@v$(GOLANGCI_LINT_VERSION) go install golang.org/x/tools/cmd/goimports@v0.36.0 go install golang.org/x/vuln/cmd/govulncheck@latest go install github.com/securego/gosec/v2/cmd/gosec@v2.22.6 @@ -120,10 +125,10 @@ dev-bootstrap: check-tools: @echo "Checking Go tools..." - @command -v golangci-lint >/dev/null 2>&1 || { echo "golangci-lint not found. Run 'make install-tools'"; exit 1; } - @command -v goimports >/dev/null 2>&1 || { echo "goimports not found. Run 'make install-tools'"; exit 1; } - @command -v govulncheck >/dev/null 2>&1 || { echo "govulncheck not found. Run 'make install-tools'"; exit 1; } - @command -v gosec >/dev/null 2>&1 || { echo "gosec not found. Run 'make install-tools'"; exit 1; } + @test -x "$(GOLANGCI_LINT)" || { echo "golangci-lint not found at $(GOLANGCI_LINT). Run 'make install-tools'"; exit 1; } + @test -x "$(GOIMPORTS)" || { echo "goimports not found at $(GOIMPORTS). Run 'make install-tools'"; exit 1; } + @test -x "$(GOVULNCHECK)" || { echo "govulncheck not found at $(GOVULNCHECK). Run 'make install-tools'"; exit 1; } + @test -x "$(GOSEC)" || { echo "gosec not found at $(GOSEC). Run 'make install-tools'"; exit 1; } @echo "Checking Python tools..." @command -v black >/dev/null 2>&1 || { echo "black not found. Run 'make install-tools'"; exit 1; } @command -v flake8 >/dev/null 2>&1 || { echo "flake8 not found. Run 'make install-tools'"; exit 1; } 
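Review bot: `govulncheck` is still installed with `@latest` two lines below the newly pinned golangci-lint, so the bootstrap stays non-reproducible and the security target runs whichever version was published most recently. Pinning it the same way, with `GOVULNCHECK_VERSION ?= <pinned-version>` and `go install golang.org/x/vuln/cmd/govulncheck@v$(GOVULNCHECK_VERSION)`, would match goimports and gosec. The inline `GOPROXY=https://proxy.golang.org,direct` applies only to the golangci-lint line and replaces any proxy configured in the environment, such as an internal mirror. A one-line comment saying why this install needs it would help, or it could be set once for the whole recipe. The install-tools recipe continues past the end of this hunk.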
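Review bot: `test -x "$(GOLANGCI_LINT)"` and the three checks below it succeed only when the variable holds a path, yet all four variables are `?=` and the previous default was the bare name `golangci-lint`. An existing override such as `GOLANGCI_LINT=golangci-lint` therefore fails check-tools even though the tool would run. `command -v` should accept both a path and a bare name: `@command -v "$(GOLANGCI_LINT)" >/dev/null 2>&1 || { echo "golangci-lint not found at $(GOLANGCI_LINT). Run 'make install-tools'"; exit 1; }`. With the absolute default it still checks exactly that file, so a different binary earlier on PATH is not picked up. The check-tools recipe continues outside the hunk.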
@@ -134,11 +139,11 @@ check-tools: security: @echo "Running govulncheck..." @# govulncheck currently fails due to golang.org/x/sync/semaphore type info missing via github.com/jackc/puddle/v2 - @if ! govulncheck ./...; then \ + @if ! $(GOVULNCHECK) ./...; then \ echo "Warning: govulncheck encountered known issue (golang.org/x/sync/semaphore via github.com/jackc/puddle/v2); continuing"; \ fi @echo "Running gosec..." - gosec ./... + $(GOSEC) ./... # CI/CD targets ci-lint: check-tools lint From 732e324d1922f0736ca5abb1e0de3e9708307898 Mon Sep 17 00:00:00 2001 From: Jonathan Haas Date: Fri, 10 Apr 2026 23:40:18 -0700 Subject: [PATCH 2/2] ci: restore PATH-based opa lookup --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index a1ba169..0b30772 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ GOLANGCI_LINT ?= $(GOBIN)/golangci-lint GOIMPORTS ?= $(GOBIN)/goimports GOVULNCHECK ?= $(GOBIN)/govulncheck GOSEC ?= $(GOBIN)/gosec -OPA ?= $(GOBIN)/opa +OPA ?= opa export PATH := $(GOBIN):$(PATH) .PHONY: all tidy build test lint format lint-go lint-python format-go format-python docker-up docker-down docker-logs db-migrate opa-test cert-refresh setup-venv security
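Review bot: The rewritten `if ! $(GOVULNCHECK) ./...; then` still turns every non-zero exit into the "known issue" warning, so a run that actually reports vulnerabilities passes `make security` with a message saying the failure is expected. govulncheck documents exit status 3 for findings in its default text output, so the recipe can fail on 3 and keep the warning for other errors. I am assuming the puddle/semaphore type-info problem exits with a different status, which should be confirmed before merging.

```make
security:
	@echo "Running govulncheck..."
	@# exit status 3 = findings reported; any other non-zero status is treated as the known tool error
	@rc=0; $(GOVULNCHECK) ./... || rc=$$?; \
	if [ "$$rc" -eq 3 ]; then \
		echo "govulncheck reported vulnerabilities"; exit 3; \
	elif [ "$$rc" -ne 0 ]; then \
		echo "Warning: govulncheck encountered known issue (golang.org/x/sync/semaphore via github.com/jackc/puddle/v2); continuing"; \
	fi
	# … unchanged: gosec step …
```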
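Review bot: `OPA ?= opa` is now the only tool resolved through PATH, and nothing in the visible hunks installs or checks it. `opa-test` will therefore run whichever `opa` comes first on PATH (with `$(GOBIN)` prepended by the `export PATH` line) and fails only at the call if none exists. A comment on the assignment would record why it differs, for example `# opa is not installed by install-tools; it is resolved from PATH`. A matching line in check-tools, `@command -v "$(OPA)" >/dev/null 2>&1 || { echo "opa not found. Install opa and retry"; exit 1; }`, would fail early. How opa is provisioned is not visible here, so the comment wording should be confirmed.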