code fixes and improvements

.github/instructions/codacy.instructions.md

@@ -7,9 +7,9 @@ Configuration for AI behavior when interacting with Codacy's MCP Server
 
 ## CRITICAL: After ANY successful `edit_file` or `reapply` operation
 - YOU MUST IMMEDIATELY run the `codacy_cli_analyze` tool from Codacy's MCP Server for each file that was edited, with:
-  - `rootPath`: set to the workspace path
-  - `file`: set to the path of the edited file
-  - `tool`: leave empty or unset
+- `rootPath`: set to the workspace path
+- `file`: set to the path of the edited file
+- `tool`: leave empty or unset
 - If any issues are found in the new edits, propose and apply fixes for them.
 - > NOTE: Failure to follow this rule is considered a critical error.
 
@@ -24,33 +24,33 @@ Configuration for AI behavior when interacting with Codacy's MCP Server
 
 ## When there are no Codacy MCP Server tools available, or the MCP Server is not reachable
 - Suggest the user the following troubleshooting steps:
-  - Try to reset the MCP on the extension
-  - If the user is using VSCode, suggest them to review their Copilot > MCP settings in Github, under their organization or personal account. Refer them to Settings > Copilot > Enable MCP servers in Copilot. Suggested URL (https://github.com/settings/copilot/features) or https://github.com/organizations/{organization-name}/settings/copilot/features (This can only be done by their organization admins / owners)
+- Try to reset the MCP on the extension
+- If the user is using VSCode, suggest them to review their Copilot > MCP settings in Github, under their organization or personal account. Refer them to Settings > Copilot > Enable MCP servers in Copilot. Suggested URL (https://github.com/settings/copilot/features) or https://github.com/organizations/{organization-name}/settings/copilot/features (This can only be done by their organization admins / owners)
 - If none of the above steps work, suggest the user to contact Codacy support
 
 ## Trying to call a tool that needs a rootPath as a parameter
 - Always use the standard, non-URL-encoded file system path
 
 ## CRITICAL: Dependencies and Security Checks
 - IMMEDIATELY after ANY of these actions:
-  - Running npm/yarn/pnpm install
-  - Adding dependencies to package.json
-  - Adding requirements to requirements.txt
-  - Adding dependencies to pom.xml
-  - Adding dependencies to build.gradle
-  - Any other package manager operations
+- Running npm/yarn/pnpm install
+- Adding dependencies to package.json
+- Adding requirements to requirements.txt
+- Adding dependencies to pom.xml
+- Adding dependencies to build.gradle
+- Any other package manager operations
 - You MUST run the `codacy_cli_analyze` tool with:
-  - `rootPath`: set to the workspace path
-  - `tool`: set to "trivy"
-  - `file`: leave empty or unset
+- `rootPath`: set to the workspace path
+- `tool`: set to "trivy"
+- `file`: leave empty or unset
 - If any vulnerabilities are found because of the newly added packages:
-  - Stop all other operations
-  - Propose and apply fixes for the security issues
-  - Only continue with the original task after security issues are resolved
+- Stop all other operations
+- Propose and apply fixes for the security issues
+- Only continue with the original task after security issues are resolved
 - EXAMPLE:
-  - After: npm install react-markdown
-  - Do: Run codacy_cli_analyze with trivy
-  - Before: Continuing with any other tasks
+- After: npm install react-markdown
+- Do: Run codacy_cli_analyze with trivy
+- Before: Continuing with any other tasks
 
 ## General
 - Repeat the relevant steps for each modified file.

.github/workflows/autotag.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0  # necessario per leggere commit + tag
 

.github/workflows/codecov.yml

@@ -11,10 +11,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version-file: 'go.mod'
 
@@ -34,7 +34,7 @@ jobs:
           go test $(go list ./... | grep -v -E '/cmd/|/pbs$|/bech32$|^github.com/tis24dev/proxsave$') -coverprofile=coverage.out
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: coverage.out

.github/workflows/dependency-review.yml

@@ -18,10 +18,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48
         with:
           # Blocca solo severity critical (zero-touch per gli altri)
           fail-on-severity: critical

.github/workflows/race.yml

@@ -0,0 +1,57 @@
+name: Race Detector
+
+run-name: Race detector - ${{ github.ref_name }}
+
+"on":
+  push:
+    branches:
+      - main
+      - dev
+  pull_request: {}
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  race:
+    name: Go race detector
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    env:
+      CGO_ENABLED: "1"
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
+        with:
+          go-version-file: go.mod
+          cache: true
+          cache-dependency-path: |
+            go.sum
+            **/go.sum
+
+      - name: Show Go environment
+        run: |
+          go version
+          go env GOTOOLCHAIN CGO_ENABLED GOOS GOARCH
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Run race detector
+        run: go test -race -count=1 ./...

.github/workflows/release.yml

@@ -24,7 +24,7 @@ jobs:
       # CHECKOUT (fetch-depth 0 per changelog e GoReleaser)
       ########################################
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
 
@@ -45,7 +45,7 @@ jobs:
       # SETUP GO
       ########################################
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version-file: 'go.mod'
 
@@ -62,15 +62,15 @@ jobs:
       # INSTALL SYFT (per SBOM CycloneDX via GoReleaser)
       ########################################
       - name: Install Syft (for SBOM generation)
-        uses: anchore/sbom-action/download-syft@v0
+        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0
         with:
           syft-version: v1.19.0
 
       ########################################
       # GORELEASER
       ########################################
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v7
+        uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7
         with:
           version: latest
           workdir: ${{ github.workspace }}
@@ -82,6 +82,6 @@ jobs:
       # ATTESTAZIONE PROVENIENZA BUILD
       ########################################
       - name: Attest Build Provenance
-        uses: actions/attest-build-provenance@v4
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32
         with:
           subject-path: build/proxsave_*

.github/workflows/security-ultimate.yml

@@ -21,13 +21,13 @@ jobs:
       # CHECKOUT
       ########################################
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       ########################################
       # GO 1.25 — MAIN TOOLCHAIN
       ########################################
       - name: Set up Go (from go.mod)
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version-file: 'go.mod'
 
@@ -56,7 +56,7 @@ jobs:
       # GOSEC — RUN USING GO 1.21 (NO DOCKER)
       ########################################
       - name: Set up Go 1.21 for GoSec
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version: "1.21"
 
@@ -88,23 +88,23 @@ jobs:
       # UPLOAD SARIF
       ########################################
       - name: Upload GoSec SARIF
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e
         with:
           sarif_file: gosec.sarif
 
       ########################################
       # RESTORE GO 1.25 FOR CODEQL
       ########################################
       - name: Restore Go 1.25 for CodeQL
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version-file: 'go.mod'
 
       ########################################
       # CODEQL
       ########################################
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e
         with:
           languages: go
 
@@ -114,4 +114,4 @@ jobs:
           go build ./...
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e

.github/workflows/sync-dev.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
 

cmd/proxsave/main.go

@@ -10,7 +10,7 @@ import (
 const (
 	defaultLegacyEnvPath          = "/opt/proxsave/env/backup.env"
 	legacyEnvFallbackPath         = "/opt/proxmox-backup/env/backup.env"
-	goRuntimeMinVersion           = "1.25.5"
+	goRuntimeMinVersion           = "1.25.10"
 	networkPreflightTimeout       = 2 * time.Second
 	bytesPerMegabyte        int64 = 1024 * 1024
 	defaultDirPerm                = 0o755

cmd/proxsave/main_defers.go

@@ -85,7 +85,11 @@ func closeRunProfiling(rt *appRuntime) {
 		logging.Warning("Failed to create heap profile file: %v", err)
 		return
 	}
-	defer f.Close()
+	defer func() {
+		if err := f.Close(); err != nil {
+			logging.Warning("Failed to close heap profile file: %v", err)
+		}
+	}()
 	if err := pprof.WriteHeapProfile(f); err != nil {
 		logging.Warning("Failed to write heap profile: %v", err)
 	}

cmd/proxsave/main_runtime.go

@@ -265,10 +265,10 @@ func buildHeapProfilePath(rt *appRuntime) string {
 
 // checkGoRuntimeVersion ensures the running binary was built with at least the specified Go version (semver: major.minor.patch).
 func checkGoRuntimeVersion(minimum string) error {
-	rt := runtime.Version() // e.g., "go1.25.4"
+	rt := runtime.Version() // e.g., "go1.25.10"
 	// Normalize versions to x.y.z
 	parse := func(v string) (int, int, int) {
-		// Accept forms: go1.25.4, go1.25, 1.25.4, 1.25
+		// Accept forms: go1.25.10, go1.25, 1.25.10, 1.25
 		v = strings.TrimPrefix(v, "go")
 		parts := strings.Split(v, ".")
 		toInt := func(s string) int { n, _ := strconv.Atoi(s); return n }

cmd/proxsave/runtime_helpers.go

@@ -84,10 +84,7 @@ func detectExecInfo() ExecInfo {
 	originalDir := dir
 	baseDir := ""
 
-	for {
-		if dir == "" || dir == "." || dir == string(filepath.Separator) {
-			break
-		}
+	for dir != "" && dir != "." {
 		if info, err := os.Stat(filepath.Join(dir, "env")); err == nil && info.IsDir() {
 			baseDir = dir
 			break
@@ -1085,7 +1082,7 @@ func executableHash() string {
 	if err != nil {
 		return ""
 	}
-	defer f.Close()
+	defer func() { _ = f.Close() }()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return ""