Summary
Two minor cleanup items identified during PR #527 review, unrelated to the dynamic values feature.
1. Harden filepath.Join across bundler
18 pre-existing instances in pkg/bundler/ production code use filepath.Join where the second argument is not a compile-time constant. These should use shared.SafeJoin to prevent path traversal when the argument originates from user input. CodeQL flagged several of these during #527 review.
Key files: bundler.go, checksum/checksum.go, verifier/verifier.go, attestation/binary.go
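An added illustration of the pattern this item describes (not the project's own shared.SafeJoin, whose signature is not shown here): a hypothetical SafeJoin that joins, cleans, and then verifies the result is still under the base directory, beside the flagged unchecked filepath.Join. The base path and file names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when a joined path would escape its base directory.
var ErrPathTraversal = errors.New("path escapes base directory")

// SafeJoin is a hypothetical containment-checked replacement for filepath.Join
// for use when the second argument is not a compile-time constant. It joins
// and cleans the path, then confirms the result still lies inside base.
func SafeJoin(base, untrusted string) (string, error) {
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, untrusted) // Join already applies Clean
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	// Rel yields ".." or "../x" exactly when joined is outside cleanBase;
	// a sibling name such as "..cache" is legitimate and stays allowed.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return joined, nil
}

// UnsafeJoin mirrors the flagged pattern: the result of filepath.Join is used
// without checking whether it still lies under base, so "../" segments in the
// second argument silently walk out of the bundle directory.
func UnsafeJoin(base, untrusted string) string {
	return filepath.Join(base, untrusted)
}

func main() {
	base := "/tmp/bundle" // constructed sample base directory
	for _, name := range []string{"artifact.json", "sub/checksum.txt", "../../etc/passwd"} {
		fmt.Printf("unsafe: %s\n", UnsafeJoin(base, name))
		if p, err := SafeJoin(base, name); err != nil {
			fmt.Printf("safe:   rejected %q: %v\n", name, err)
		} else {
			fmt.Printf("safe:   %s\n", p)
		}
	}
}
```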
2. Relax goconst for test files
golangci-lint requires constants for repeated test strings (e.g., const testMutatedValue = "changed"), which adds ceremony without value in test code. Configure goconst to exclude *_test.go files.
Component
Bundlers, Infrastructure
Priority
Nice to have
Related