mindersec · JAORMX · Apr 7, 2025 · Mar 31, 2025 · Apr 1, 2025 · Apr 1, 2025
@@ -26,7 +26,7 @@ jobs:
           go-version-file: 'go.mod'
           cache: false
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
 
   check-go-mod-tidy-and-make-gen:
     name: Uncommitted changes check - go mod tidy & make gen

@@ -1,104 +1,103 @@
-# SPDX-FileCopyrightText: Copyright 2023 The Minder Authors
-# SPDX-License-Identifier: Apache-2.0
-
+version: "2"
 run:
   issues-exit-code: 1
-  timeout: 5m
-
-linters-settings:
-  lll:
-    line-length: 130
-  gocyclo:
-    min-complexity: 15
-  gci:
-    sections:
-      - standard
-      - default
-      - prefix(github.com/mindersec/minder)
-  revive:
-    # see https://github.com/mgechev/revive#available-rules for details.
-    ignore-generated-header: true
-    severity: warning
-    rules:
-      - name: blank-imports
-        severity: warning
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: duplicated-imports
-      - name: error-naming
-      # - name: error-strings #BDG: This was enabled for months, but it suddenly started working on 3/2/2022.. come to find out we have TONS of error messages starting with capital... disabling for now(ever?)
-      - name: error-return
-      - name: exported
-        severity: error
-      - name: if-return
-      # - name: get-return // BDG: We have a lot of API endpoint handlers named like getFoos but write to response vs return... maybe later can figure that out
-      - name: identical-branches
-      - name: indent-error-flow
-      - name: import-shadowing
-      - name: package-comments
-      # NOTE: range-val-address and range-val-in-closure are irrelevant in Go 1.22 and later
-      - name: redefines-builtin-id
-      - name: struct-tag
-      - name: unconditional-recursion
-      - name: unnecessary-stmt
-      - name: unreachable-code
-      - name: unused-parameter
-      - name: unused-receiver
-      - name: unhandled-error
-        disabled: true
-  gosec:
-    excludes:
-      - G114 # for the moment we need to use listenandserve that has no support for timeouts
-      - G404 # use unsafe random generator until logic change is discussed
-      - G307 # Deferring unsafe method "Close" on type "io.ReadCloser"
-      - G601 # Irrelevant for Go 1.22 and later, see: https://github.com/securego/gosec/issues/1099
-
-  depguard:
-    rules:
-      prevent_unmaintained_packages:
-        list-mode: lax # allow unless explicitely denied
-        files:
-          - $all
-          - "!$test"
-        deny:
-          - pkg: "log"
-            desc: "We should use zerolog instead"
-          - pkg: io/ioutil
-            desc: "this is deprecated"
-
+output:
+  formats:
+    text:
+      path: stdout
+      print-linter-name: true
+      print-issued-lines: true
 linters:
-  disable-all: true
+  default: none
   enable:
-    - lll
-    - exhaustive
     - depguard
+    - exhaustive
     - goconst
     - gocyclo
-    - gofmt
     - gosec
-    - gci
-    - unparam
-    - gosimple
     - govet
     - ineffassign
+    - lll
     - paralleltest
     - promlinter
     - revive
     - staticcheck
-    - unused
     - thelper
     - tparallel
-
-issues:
-  exclude-use-default: false
-  exclude-rules:
-    - path: '(.+)_test\.go'
-      linters:
-        - lll
-
-output:
-  formats:
-    - format: colored-line-number
-  print-issued-lines: true
-  print-linter-name: true
-  sort-results: true
+    - unparam
+    - unused
+  settings:
+    depguard:
+      rules:
+        prevent_unmaintained_packages:
+          list-mode: lax
+          files:
+            - $all
+            - '!$test'
+          deny:
+            - pkg: log
+              desc: We should use zerolog instead
+            - pkg: io/ioutil
+              desc: this is deprecated
+    gocyclo:
+      min-complexity: 15
+    gosec:
+      excludes:
+        - G114
+        - G404
+        - G307
+        - G601
+    lll:
+      line-length: 130
+    revive:
+      severity: warning
+      rules:
+        - name: blank-imports
+          severity: warning
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: duplicated-imports
+        - name: error-naming
+        - name: error-return
+        - name: exported
+          severity: error
+        - name: if-return
+        - name: identical-branches
+        - name: indent-error-flow
+        - name: import-shadowing
+        - name: package-comments
+        - name: redefines-builtin-id
+        - name: struct-tag
+        - name: unconditional-recursion
+        - name: unnecessary-stmt
+        - name: unreachable-code
+        - name: unused-parameter
+        - name: unused-receiver
+        - name: unhandled-error
+          disabled: true
+  exclusions:
+    generated: lax
+    rules:
+      - linters:
+          - lll
+        path: (.+)_test\.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gci
+    - gofmt
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(github.com/mindersec/minder)
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
@@ -45,13 +45,13 @@ var DocsCmd = &cobra.Command{
 		// GenMarkdownTreeCustom doesn't include additional help commands, so write it manually.
 		configHelpFile, err := os.Create("./docs/docs/ref/cli/minder_config.md")
 		if err != nil {
-			return fmt.Errorf("Unable to open file for config docs: %w", err)
+			return fmt.Errorf("unable to open file for config docs: %w", err)
 		}
 		if _, err := configHelpFile.WriteString("---\ntitle: minder config\n---\n"); err != nil {
-			return fmt.Errorf("Unable to write docs header: %w", err)
+			return fmt.Errorf("unable to write docs header: %w", err)
 		}
 		if err := doc.GenMarkdown(app.ConfigHelpCmd, configHelpFile); err != nil {
-			return fmt.Errorf("Unable to write markdown for config help: %w", err)
+			return fmt.Errorf("unable to write markdown for config help: %w", err)
 		}
 		return doc.GenMarkdownTreeCustom(app.RootCmd, "./docs/docs/ref/cli", prefix, identity)
 	},

@@ -138,11 +138,7 @@ func deleteEvaluationHistory(
 	batchSize uint,
 ) (int, error) {
 	deleted := 0
-	for {
-		if len(records) == 0 {
-			break
-		}
-
+	for len(records) > 0 {
 		// This only happens at the last iteration if the
 		// number of records to delete is not a multiple of
 		// the batch size.

@@ -86,15 +86,15 @@ var serveCmd = &cobra.Command{
 		// and remove the Keycloak-specific paths.
 		jwksUrl, err := cfg.Identity.Server.GetRealmPath("protocol/openid-connect/certs")
 		if err != nil {
-			return fmt.Errorf("failed to create JWKS URL: %w\n", err)
+			return fmt.Errorf("failed to create JWKS URL: %w", err)
 		}
 		issUrl, err := cfg.Identity.Server.JwtUrl()
 		if err != nil {
-			return fmt.Errorf("failed to create issuer URL: %w\n", err)
+			return fmt.Errorf("failed to create issuer URL: %w", err)
 		}
 		staticJwt, err := jwt.NewJwtValidator(ctx, jwksUrl.String(), issUrl.String(), cfg.Identity.Server.Audience)
 		if err != nil {
-			return fmt.Errorf("failed to fetch and cache identity provider JWKS: %w\n", err)
+			return fmt.Errorf("failed to fetch and cache identity provider JWKS: %w", err)
 		}
 		allowedIssuers := []string{issUrl.String()}
 		allowedIssuers = append(allowedIssuers, cfg.Identity.AdditionalIssuers...)

@@ -28,12 +28,12 @@ var ghIssuerUrl = url.URL{
 }
 
 // String implements auth.IdentityProvider.
-func (_ *GitHubActions) String() string {
+func (*GitHubActions) String() string {
 	return "githubactions"
 }
 
 // URL implements auth.IdentityProvider.
-func (_ *GitHubActions) URL() url.URL {
+func (*GitHubActions) URL() url.URL {
 	return ghIssuerUrl
 }
 

@@ -164,7 +164,7 @@ func getJWKSUrlForOpenId(issuer string) (string, error) {
 
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return "", fmt.Errorf("Failed to read response body: %w", err)
+		return "", fmt.Errorf("failed to read response body: %w", err)
 	}
 
 	config := openIdConfig{}

@@ -55,30 +55,30 @@ func TestValidator_ParseAndValidate(t *testing.T) {
 	// We need to add this to the mux after server start, because it includes the server.URL
 	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		_, _ = w.Write([]byte(fmt.Sprintf(`{
+		_, _ = fmt.Fprintf(w, `{
 		"issuer":"%[1]s",
 		"jwks_uri":"%[1]s/certs",
 		"scopes_supported":["openid","email","profile"],
 		"claims_supported":["sub","email","iss","aud","iat","exp"]
-		}`, server.URL)))
+		}`, server.URL)
 	})
 	mux.HandleFunc("/other/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		_, _ = w.Write([]byte(fmt.Sprintf(`{
+		_, _ = fmt.Fprintf(w, `{
 		"issuer":"%[1]s/other",
 		"jwks_uri":"%[1]s/certs",
 		"scopes_supported":["openid","email","profile"],
 		"claims_supported":["sub","email","iss","aud","iat","exp"]
-		}`, server.URL)))
+		}`, server.URL)
 	})
 	mux.HandleFunc("/elsewhere/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		_, _ = w.Write([]byte(fmt.Sprintf(`{
+		_, _ = fmt.Fprintf(w, `{
 		"issuer":"%[1]s/elsewhere",
 		"jwks_uri":"%[1]s/non-existent",
 		"scopes_supported":["openid","email","profile"],
 		"claims_supported":["sub","email","iss","aud","iat","exp"]
-		}`, server.URL)))
+		}`, server.URL)
 	})
 
 	tests := []struct {

@@ -87,7 +87,7 @@ func NewJwtValidator(ctx context.Context, jwksUrl string, issUrl string, aud str
 	// Refresh the JWKS once before starting
 	_, err = jwks.Refresh(ctx, jwksUrl)
 	if err != nil {
-		return nil, fmt.Errorf("failed to refresh identity provider JWKS: %s\n", err)
+		return nil, fmt.Errorf("failed to refresh identity provider JWKS: %s", err)
 	}
 
 	keySetCache := KeySetCache{

@@ -116,7 +116,7 @@ func (f *fakeKeycloak) Start(t *testing.T) *httptest.Server {
 	return httptest.NewServer(mux)
 }
 
-func (_ *fakeKeycloak) GetToken(w http.ResponseWriter, _ *http.Request) {
+func (*fakeKeycloak) GetToken(w http.ResponseWriter, _ *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	if _, err := w.Write([]byte(`{"access_token":"1234","expires_in":300,"token_type":"Bearer"}`)); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)

@@ -28,7 +28,7 @@ import (
 var (
 	// ErrStoreNotFound denotes the error where the store wasn't found via the
 	// given configuration.
-	ErrStoreNotFound = errors.New("Store not found")
+	ErrStoreNotFound = errors.New("store not found")
 
 	//go:embed model/minder.generated.json
 	authzModel string

@@ -33,46 +33,46 @@ func (n *NoopClient) Check(ctx context.Context, action string, project uuid.UUID
 }
 
 // Write_ implements authz.Client
-func (_ *NoopClient) Write(_ context.Context, _ string, _ authz.Role, _ uuid.UUID) error {
+func (*NoopClient) Write(_ context.Context, _ string, _ authz.Role, _ uuid.UUID) error {
 	return nil
 }
 
 // Delete implements authz.Client
-func (_ *NoopClient) Delete(_ context.Context, _ string, _ authz.Role, _ uuid.UUID) error {
+func (*NoopClient) Delete(_ context.Context, _ string, _ authz.Role, _ uuid.UUID) error {
 	return nil
 }
 
 // DeleteUser implements authz.Client
-func (_ *NoopClient) DeleteUser(_ context.Context, _ string) error {
+func (*NoopClient) DeleteUser(_ context.Context, _ string) error {
 	return nil
 }
 
 // AssignmentsToProject implements authz.Client
-func (_ *NoopClient) AssignmentsToProject(_ context.Context, _ uuid.UUID) ([]*minderv1.RoleAssignment, error) {
+func (*NoopClient) AssignmentsToProject(_ context.Context, _ uuid.UUID) ([]*minderv1.RoleAssignment, error) {
 	return nil, nil
 }
 
 // ProjectsForUser implements authz.Client
-func (_ *NoopClient) ProjectsForUser(_ context.Context, _ string) ([]uuid.UUID, error) {
+func (*NoopClient) ProjectsForUser(_ context.Context, _ string) ([]uuid.UUID, error) {
 	return nil, nil
 }
 
 // PrepareForRun implements authz.Client
-func (_ *NoopClient) PrepareForRun(_ context.Context) error {
+func (*NoopClient) PrepareForRun(_ context.Context) error {
 	return nil
 }
 
 // MigrateUp implements authz.Client
-func (_ *NoopClient) MigrateUp(_ context.Context) error {
+func (*NoopClient) MigrateUp(_ context.Context) error {
 	return nil
 }
 
 // Adopt implements authz.Client
-func (_ *NoopClient) Adopt(_ context.Context, _, _ uuid.UUID) error {
+func (*NoopClient) Adopt(_ context.Context, _, _ uuid.UUID) error {
 	return nil
 }
 
 // Orphan implements authz.Client
-func (_ *NoopClient) Orphan(_ context.Context, _, _ uuid.UUID) error {
+func (*NoopClient) Orphan(_ context.Context, _, _ uuid.UUID) error {
 	return nil
 }