From 9851b846de7070eff0eb9d946da31387490e5af3 Mon Sep 17 00:00:00 2001
From: Markus Opolka <markus.opolka@netways.de>
Date: Thu, 7 May 2026 13:15:34 +0200
Subject: [PATCH] Bump to golangci-lint v2.12

---
 .github/workflows/golangci-lint.yml |  2 +-
 .golangci.yml                       | 72 +++++++++++++++--------------
 check.go                            | 37 +++++++--------
 check_test.go                       | 20 ++++----
 main.go                             |  2 +
 5 files changed, 69 insertions(+), 64 deletions(-)

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 6af02da..e3cf72c 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -17,7 +17,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.11.2
+          version: v2.12.2
 
       - name: Go mod tidy
         run: |
diff --git a/.golangci.yml b/.golangci.yml
index ede4174..278e9db 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,40 +1,42 @@
 version: "2"
+run:
+  tests: false
 linters:
+  default: all
   enable:
-    - asasalint
-    - asciicheck
-    - bidichk
-    - dogsled
-    - dupl
-    - durationcheck
-    - errchkjson
-    - errorlint
-    - exhaustive
-    - gocheckcompilerdirectives
-    - gochecksumtype
-    - gosec
-    - gosmopolitan
-    - loggercheck
-    - makezero
-    - nilnesserr
-    - protogetter
-    - reassign
-    - recvcheck
-    - spancheck
-    - testifylint
-    - whitespace
-    - wsl
-    - zerologlint
+    - wsl_v5
   disable:
-    - bodyclose
-    - contextcheck
-    - funlen
+    - wsl
+    - cyclop
+    - depguard
+    - err113
+    - exhaustruct
+    - forbidigo
+    - forcetypeassert
+    - gochecknoglobals
+    - gochecknoinits
+    - godot
+    - godox
+    - lll
+    - mnd
     - musttag
-    - nilerr
-    - noctx
-    - rowserrcheck
-    - sqlclosecheck
-    - unparam
+    - nakedret
+    - nlreturn
+    - nolintlint
+    - nonamedreturns
+    - tagliatelle
+    - varnamelen
+    - wrapcheck
+    - funlen
+  settings:
+    nestif:
+      min-complexity: 8
+    wsl_v5:
+      allow-first-in-block: true
+      allow-whole-block: true
+      branch-max-lines: 2
+      disable:
+        - err
   exclusions:
     generated: lax
     presets:
@@ -43,13 +45,13 @@ linters:
       - legacy
       - std-error-handling
     paths:
-      - (.+)_test\.go
-      - internal/config/http_config.go
-      - internal/config/config.go
       - third_party$
       - builtin$
       - examples$
 formatters:
+  enable:
+    - gofmt
+    - goimports
   exclusions:
     generated: lax
     paths:
diff --git a/check.go b/check.go
index d440b40..9c46c63 100644
--- a/check.go
+++ b/check.go
@@ -17,7 +17,7 @@ import (
 
 const (
 	Port        = 5985
-	TlsPort     = 5986
+	TLSPort     = 5986
 	AuthDefault = AuthNTLM
 	AuthBasic   = "basic"
 	AuthNTLM    = "ntlm"
@@ -30,13 +30,13 @@ type Config struct {
 	Port          int
 	User          string
 	Password      string
-	NoTls         bool
+	NoTLS         bool
 	Insecure      bool
-	TlsCAPath     string
+	TLSCAPath     string
 	tlsCA         []byte
-	TlsCertPath   string
+	TLSCertPath   string
 	tlsCert       []byte
-	TlsKeyPath    string
+	TLSKeyPath    string
 	tlsKey        []byte
 	Command       string
 	IcingaCommand string
@@ -60,10 +60,10 @@ func BuildConfigFlags(fs *pflag.FlagSet) (config *Config) {
 
 	fs.BoolVarP(&config.Insecure, "insecure", "k", false,
 		"Don't verify the hostname on the returned certificate")
-	fs.BoolVar(&config.NoTls, "no-tls", false, "Don't use a TLS connection, use the HTTP protocol")
-	fs.StringVar(&config.TlsCAPath, "ca", "", "CA certificate")
-	fs.StringVar(&config.TlsCertPath, "cert", "", "Client certificate")
-	fs.StringVar(&config.TlsKeyPath, "key", "", "Client Key")
+	fs.BoolVar(&config.NoTLS, "no-tls", false, "Don't use a TLS connection, use the HTTP protocol")
+	fs.StringVar(&config.TLSCAPath, "ca", "", "CA certificate")
+	fs.StringVar(&config.TLSCertPath, "cert", "", "Client certificate")
+	fs.StringVar(&config.TLSKeyPath, "key", "", "Client Key")
 
 	fs.StringVar(&config.Command, "cmd", "", "Command to execute on the remote machine")
 	fs.StringVar(&config.IcingaCommand, "icingacmd", "",
@@ -104,23 +104,23 @@ func (c *Config) Validate() (err error) {
 
 	// Set default port if unset
 	if c.Port < 1 {
-		c.Port = TlsPort
-		if c.NoTls {
+		c.Port = TLSPort
+		if c.NoTLS {
 			c.Port = Port
 		}
 	}
 
-	if c.TlsCertPath != "" {
-		c.tlsCert, err = os.ReadFile(c.TlsCertPath)
+	if c.TLSCertPath != "" {
+		c.tlsCert, err = os.ReadFile(c.TLSCertPath)
 		if err != nil {
 			return fmt.Errorf("could not read certificate: %w", err)
 		}
 
-		if c.TlsKeyPath == "" {
+		if c.TLSKeyPath == "" {
 			return errors.New("please specify certificate key when tls is enabled")
 		}
 
-		c.tlsKey, err = os.ReadFile(c.TlsKeyPath)
+		c.tlsKey, err = os.ReadFile(c.TLSKeyPath)
 		if err != nil {
 			return fmt.Errorf("could not read certificate key: %w", err)
 		}
@@ -132,8 +132,8 @@ func (c *Config) Validate() (err error) {
 		}
 	}
 
-	if c.TlsCAPath != "" {
-		c.tlsCA, err = os.ReadFile(c.TlsCAPath)
+	if c.TLSCAPath != "" {
+		c.tlsCA, err = os.ReadFile(c.TLSCAPath)
 		if err != nil {
 			return fmt.Errorf("could not read CA file: %w", err)
 		}
@@ -194,7 +194,7 @@ func (c *Config) Run(timeout time.Duration) (rc int, output string, err error) {
 	endpoint := winrm.NewEndpoint(
 		c.Host,     // Host to connect to
 		c.Port,     // Winrm port
-		!c.NoTls,   // Use TLS
+		!c.NoTLS,   // Use TLS
 		c.Insecure, // Allow insecure connection
 		c.tlsCA,    // CA certificate
 		c.tlsCert,  // Client Certificate
@@ -215,6 +215,7 @@ func (c *Config) Run(timeout time.Duration) (rc int, output string, err error) {
 		}
 	case AuthSSH:
 		var sshClient *ssh.Client
+
 		sshClient, err = ssh.Dial("tcp", fmt.Sprintf("%s:%d", c.SSHHost, c.SSHPort), &ssh.ClientConfig{
 			User:            c.SSHUser,
 			Auth:            []ssh.AuthMethod{ssh.Password(c.SSHPassword)},
diff --git a/check_test.go b/check_test.go
index 65aa5af..331f60c 100644
--- a/check_test.go
+++ b/check_test.go
@@ -34,11 +34,11 @@ func TestConfig_Validate(t *testing.T) {
 		t.Error("Did not expect error got", errVal)
 	}
 
-	if c.Port != TlsPort {
-		t.Error("Actual", c.Port, "Expected", TlsPort)
+	if c.Port != TLSPort {
+		t.Error("Actual", c.Port, "Expected", TLSPort)
 	}
 
-	if c.NoTls != false {
+	if c.NoTLS != false {
 		t.Error("Expected NoTls to be false, got true")
 	}
 
@@ -86,7 +86,7 @@ func TestConfig_Run_WithError(t *testing.T) {
 		User:     "admin",
 		Password: "test",
 		Command:  "Get-Host",
-		NoTls:    true,
+		NoTLS:    true,
 	}
 
 	err := c.Validate()
@@ -114,7 +114,7 @@ func TestConfig_Run_Basic(t *testing.T) {
 	}
 
 	c := buildEnvConfig(t, AuthBasic)
-	c.NoTls = true
+	c.NoTLS = true
 
 	fmt.Printf("%v\n", c)
 
@@ -145,7 +145,7 @@ func TestConfig_Run_NTLM(t *testing.T) {
 	}
 
 	c := buildEnvConfig(t, AuthNTLM)
-	c.NoTls = true
+	c.NoTLS = true
 
 	err := c.Validate()
 	if err != nil {
@@ -175,7 +175,7 @@ func TestConfig_Run_TLS(t *testing.T) {
 	c := buildEnvConfig(t, AuthTLS)
 	setupTlsFromEnv(t, c)
 
-	if c.TlsCertPath == "" {
+	if c.TLSCertPath == "" {
 		t.Skip("WINRM_TLS_CERT not set")
 	}
 
@@ -246,15 +246,15 @@ func setupTlsFromEnv(t *testing.T, c *Config) {
 	}
 
 	if file := os.Getenv("WINRM_TLS_CA"); file != "" {
-		c.TlsCAPath = file
+		c.TLSCAPath = file
 	}
 
 	if file := os.Getenv("WINRM_TLS_CERT"); file != "" {
-		c.TlsCertPath = file
+		c.TLSCertPath = file
 	}
 
 	if file := os.Getenv("WINRM_TLS_KEY"); file != "" {
-		c.TlsKeyPath = file
+		c.TLSKeyPath = file
 	}
 
 	if file := os.Getenv("WINRM_TLS_PORT"); file != "" {
diff --git a/main.go b/main.go
index 6184b6a..e32e9f7 100644
--- a/main.go
+++ b/main.go
@@ -72,6 +72,8 @@ func main() {
 	}
 
 	fmt.Print(output)
+	//nolint: gocritic
+	// We ignore the gocritic since the defer cannot run if we exit here.
 	os.Exit(rc)
 }