From 5689573ce60d3403e9635c8b0a1fea9818b09f6c Mon Sep 17 00:00:00 2001 From: Francisco Serrano Date: Tue, 10 Mar 2026 18:06:43 +0200 Subject: [PATCH 01/12] fix: linter rules --- .../commands/account/token/create_test.go | 2 +- internal/commands/server/firewall/show.go | 8 ++-- internal/commands/stack/dokku/dokku.go | 2 +- internal/commands/stack/helm.go | 2 +- .../commands/stack/starterkit/starterkit.go | 48 +++++++++---------- internal/commands/stack/supabase/config.go | 2 +- internal/commands/storage/import.go | 4 +- internal/config/config_test.go | 13 +++-- internal/terminal/terminal.go | 2 +- internal/ui/usage.go | 6 +-- 10 files changed, 47 insertions(+), 42 deletions(-) diff --git a/internal/commands/account/token/create_test.go b/internal/commands/account/token/create_test.go index 3540b1d4b..af67d25e4 100644 --- a/internal/commands/account/token/create_test.go +++ b/internal/commands/account/token/create_test.go @@ -38,7 +38,7 @@ func TestCreateToken(t *testing.T) { AllowedIPRanges: nil, }, resp: &upcloud.Token{ - APIToken: "ucat_01JH5D3ZZJVZS6JC713FA11CB8", + APIToken: "test-token", ID: "0cd8eab4-ecb7-445b-a457-6019b0a00496", Name: "test", Type: "workspace", diff --git a/internal/commands/server/firewall/show.go b/internal/commands/server/firewall/show.go index 897c1d726..445e3657e 100644 --- a/internal/commands/server/firewall/show.go +++ b/internal/commands/server/firewall/show.go @@ -159,10 +159,10 @@ func formatMatch(address fwRuleAddress) string { if ipStart.Equal(ipStop) { // TODO: ermm, reimplement.. when we figure out if this is really needed + how to do it // sb.WriteString(ui.DefaultAddressColours.Sprint(ipStart)) - sb.WriteString(fmt.Sprint(ipStart)) + fmt.Fprint(&sb, ipStart) } else { // sb.WriteString(ui.DefaultAddressColours.Sprintf("%s →\n%s", ipStart, ipStop)) - sb.WriteString(fmt.Sprintf("%s →\n%s", ipStart, ipStop)) + fmt.Fprintf(&sb, "%s →\n%s", ipStart, ipStop) } } if address.PortStart != "" { 
@@ -170,9 +170,9 @@ func formatMatch(address fwRuleAddress) string { sb.WriteString("\n") } if address.PortStart == address.PortEnd { - sb.WriteString(fmt.Sprintf("port: %s", address.PortStart)) + fmt.Fprintf(&sb, "port: %s", address.PortStart) } else { - sb.WriteString(fmt.Sprintf("port: %s → %s", address.PortStart, address.PortEnd)) + fmt.Fprintf(&sb, "port: %s → %s", address.PortStart, address.PortEnd) } } return sb.String() diff --git a/internal/commands/stack/dokku/dokku.go b/internal/commands/stack/dokku/dokku.go index 75ce545a9..89f438bf6 100644 --- a/internal/commands/stack/dokku/dokku.go +++ b/internal/commands/stack/dokku/dokku.go @@ -143,7 +143,7 @@ func (s *deployDokkuCommand) deploy(exec commands.Executor, configDir string) er return err } defer func(name string) { - errRemove := os.Remove(name) + errRemove := os.Remove(name) //nolint:gosec // file path is generated by os.CreateTemp above if errRemove != nil { fmt.Printf("failed to remove temp file %s: %v\n", name, errRemove) } diff --git a/internal/commands/stack/helm.go b/internal/commands/stack/helm.go index b539e4526..e8aebaa1d 100644 --- a/internal/commands/stack/helm.go +++ b/internal/commands/stack/helm.go @@ -327,7 +327,7 @@ func UninstallHelmRelease(releaseName, logDir string) error { } if resp != nil { - fmt.Fprintf(logFile, "Uninstalled release %q: %s\n", releaseName, resp.Info) + fmt.Fprintf(logFile, "Uninstalled release %q: %s\n", releaseName, resp.Info) //nolint:gosec // local log output is not an HTML sink } return nil diff --git a/internal/commands/stack/starterkit/starterkit.go b/internal/commands/stack/starterkit/starterkit.go index dc0de7108..3145377df 100644 --- a/internal/commands/stack/starterkit/starterkit.go +++ b/internal/commands/stack/starterkit/starterkit.go 
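Review bot: In UninstallHelmRelease (internal/commands/stack/helm.go) the suppression reason, "local log output is not an HTML sink", covers the XSS finding, but `resp.Info` is still written to the log with `%s` while `releaseName` on the same line gets `%q`. If Info is a free-form string (its type is not visible in this hunk), embedded newlines would split or forge log entries; `fmt.Fprintf(logFile, "Uninstalled release %q: %q\n", releaseName, resp.Info)` keeps each record on one line. The function body starts outside the hunk.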
@@ -139,13 +139,13 @@ func buildSummary( // Kubernetes b.WriteString("KUBERNETES CLUSTER\n") if cluster != nil { - b.WriteString(fmt.Sprintf(" Name: %s\n", cluster.Name)) - b.WriteString(fmt.Sprintf(" UUID: %s\n", cluster.UUID)) - b.WriteString(fmt.Sprintf(" Zone: %s\n", cluster.Zone)) - b.WriteString(fmt.Sprintf(" Network: %s\n", cluster.Network)) + fmt.Fprintf(&b, " Name: %s\n", cluster.Name) + fmt.Fprintf(&b, " UUID: %s\n", cluster.UUID) + fmt.Fprintf(&b, " Zone: %s\n", cluster.Zone) + fmt.Fprintf(&b, " Network: %s\n", cluster.Network) if kubeconfigPath != "" { - b.WriteString(fmt.Sprintf(" Kubeconfig: %s\n", kubeconfigPath)) - b.WriteString(fmt.Sprintf(" Set env: export KUBECONFIG=%s\n", kubeconfigPath)) + fmt.Fprintf(&b, " Kubeconfig: %s\n", kubeconfigPath) + fmt.Fprintf(&b, " Set env: export KUBECONFIG=%s\n", kubeconfigPath) b.WriteString(" Test: kubectl get nodes\n") b.WriteString(" Ingress LB: kubectl -n ingress-nginx get svc ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].hostname}{\"\\n\"}'\n") } @@ -155,9 +155,9 @@ func buildSummary( // Network & Router b.WriteString("NETWORKING\n") if network != nil { - b.WriteString(fmt.Sprintf(" Network: %s (UUID: %s)\n", network.Name, network.UUID)) + fmt.Fprintf(&b, " Network: %s (UUID: %s)\n", network.Name, network.UUID) if len(network.IPNetworks) > 0 { - b.WriteString(fmt.Sprintf(" CIDR: %s\n", network.IPNetworks[0].Address)) + fmt.Fprintf(&b, " CIDR: %s\n", network.IPNetworks[0].Address) if network.IPNetworks[0].DHCP == upcloud.True { b.WriteString(" DHCP: enabled\n") } else { 
@@ -166,17 +166,17 @@ func buildSummary( } } if router != nil { - b.WriteString(fmt.Sprintf(" Router: %s (UUID: %s)\n", router.Name, router.UUID)) + fmt.Fprintf(&b, " Router: %s (UUID: %s)\n", router.Name, router.UUID) } b.WriteString("\n") // Managed Database b.WriteString("MANAGED DATABASE\n") if db != nil { - b.WriteString(fmt.Sprintf(" Name: %s (UUID: %s)\n", db.Title, db.UUID)) - b.WriteString(fmt.Sprintf(" Type/Plan: %s / %s\n", db.Type, db.Plan)) - b.WriteString(fmt.Sprintf(" State: %s\n", db.State)) - b.WriteString(fmt.Sprintf(" ServiceURI: %s\n", db.ServiceURI)) + fmt.Fprintf(&b, " Name: %s (UUID: %s)\n", db.Title, db.UUID) + fmt.Fprintf(&b, " Type/Plan: %s / %s\n", db.Type, db.Plan) + fmt.Fprintf(&b, " State: %s\n", db.State) + fmt.Fprintf(&b, " ServiceURI: %s\n", db.ServiceURI) } else { b.WriteString(" (not created)\n") } 
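Review bot: `db.ServiceURI` in the MANAGED DATABASE part of buildSummary goes into the summary text unmasked, and a database service URI commonly carries the user name and password in its userinfo part (not confirmed from this hunk). The OBJECT STORAGE hunk of the same file does the same with `*objAcc.SecretAccessKey`. If the summary can reach a log file or CI output, consider masking it, for example `if u, err := url.Parse(db.ServiceURI); err == nil { fmt.Fprintf(&b, " ServiceURI: %s\n", u.Redacted()) }` (needs `net/url`), and printing the secret key only on explicit request. buildSummary starts and ends outside this hunk, so where the returned text is written is not visible here.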
@@ -185,25 +185,25 @@ func buildSummary( // Managed Object Storage b.WriteString("OBJECT STORAGE\n") if obj != nil { - b.WriteString(fmt.Sprintf(" Name: %s (UUID: %s)\n", obj.Name, obj.UUID)) - b.WriteString(fmt.Sprintf(" Region: %s\n", obj.Region)) - b.WriteString(fmt.Sprintf(" State: %s\n", obj.OperationalState)) + fmt.Fprintf(&b, " Name: %s (UUID: %s)\n", obj.Name, obj.UUID) + fmt.Fprintf(&b, " Region: %s\n", obj.Region) + fmt.Fprintf(&b, " State: %s\n", obj.OperationalState) // If API provides endpoint(s) if len(obj.Endpoints) > 0 { - b.WriteString(fmt.Sprintf(" DomainName: %s\n", obj.Endpoints[0].DomainName)) - b.WriteString(fmt.Sprintf(" Type: %s\n", obj.Endpoints[0].Type)) - b.WriteString(fmt.Sprintf(" IAMURL: %s\n", obj.Endpoints[0].IAMURL)) - b.WriteString(fmt.Sprintf(" STSURL: %s\n", obj.Endpoints[0].STSURL)) + fmt.Fprintf(&b, " DomainName: %s\n", obj.Endpoints[0].DomainName) + fmt.Fprintf(&b, " Type: %s\n", obj.Endpoints[0].Type) + fmt.Fprintf(&b, " IAMURL: %s\n", obj.Endpoints[0].IAMURL) + fmt.Fprintf(&b, " STSURL: %s\n", obj.Endpoints[0].STSURL) } // If bucket was created if objBucket != "" { - b.WriteString(fmt.Sprintf(" Bucket: %s\n", objBucket)) + fmt.Fprintf(&b, " Bucket: %s\n", objBucket) } // If access key was created if objAcc != nil { - b.WriteString(fmt.Sprintf(" AccessKey: %s\n", objAcc.AccessKeyID)) - b.WriteString(fmt.Sprintf(" SecretKey: %s\n", *objAcc.SecretAccessKey)) + fmt.Fprintf(&b, " AccessKey: %s\n", objAcc.AccessKeyID) + fmt.Fprintf(&b, " SecretKey: %s\n", *objAcc.SecretAccessKey) } } else { b.WriteString(" (not created)\n") @@ -232,7 +232,7 @@ func buildSummary( // Final tips b.WriteString("NEXT STEPS\n") if kubeconfigPath != "" { - b.WriteString(fmt.Sprintf(" export KUBECONFIG=%s\n", kubeconfigPath)) + fmt.Fprintf(&b, " export KUBECONFIG=%s\n", kubeconfigPath) } b.WriteString(" Deploy ingress-nginx and your app, then point DNS (CNAME) to the LB hostname shown above.\n") 
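Review bot: `*objAcc.SecretAccessKey` in the OBJECT STORAGE block is dereferenced after checking only `objAcc != nil`, so a non-nil access key whose SecretAccessKey pointer is unset would panic while the summary is being built. The dereference shows the field is a pointer; whether the API can leave it nil is not visible here. A guard keeps the summary usable in that case: `if objAcc.SecretAccessKey != nil { fmt.Fprintf(&b, " SecretKey: %s\n", *objAcc.SecretAccessKey) }`. The enclosing function continues outside the hunk.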
diff --git a/internal/commands/stack/supabase/config.go b/internal/commands/stack/supabase/config.go index 0b4709139..9d9fe993d 100644 --- a/internal/commands/stack/supabase/config.go +++ b/internal/commands/stack/supabase/config.go @@ -22,7 +22,7 @@ type SupabaseConfig struct { LbHostname string ClusterName string - JWTSecret string + JWTSecret string //nolint:gosec // config intentionally carries JWT signing secret AnonKey string ServiceRoleKey string PostgresPassword string diff --git a/internal/commands/storage/import.go b/internal/commands/storage/import.go index 28dc4024c..39bd47620 100644 --- a/internal/commands/storage/import.go +++ b/internal/commands/storage/import.go @@ -202,7 +202,7 @@ func (s *importCommand) ExecuteWithoutArguments(exec commands.Executor) (output. case upcloud.StorageImportSourceDirectUpload: // import from local file transferType = "upload" - sourceFile, err := os.Open(parsedSource.Path) + sourceFile, err := os.Open(parsedSource.Path) //nolint:gosec // local source path comes from explicit CLI input if err != nil { return commands.HandleError(exec, msg, fmt.Errorf("cannot open local file: %w", err)) } @@ -314,7 +314,7 @@ func createStorage(exec commands.Executor, params *createParams) (upcloud.Storag } func getLocalFileSize(path string) (size int64, err error) { - stat, err := os.Stat(path) + stat, err := os.Stat(path) //nolint:gosec // local path comes from explicit CLI/file URL input if err != nil { return 0, err } diff --git a/internal/config/config_test.go b/internal/config/config_test.go index e0c80813d..0d8daf748 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go 
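Review bot: The suppression on `JWTSecret` in SupabaseConfig explains why the field exists ("config intentionally carries JWT signing secret") but not why the flagged exposure cannot happen. The neighbouring `AnonKey`, `ServiceRoleKey` and `PostgresPassword` fields hold secrets as well and carry no note. A short comment on the struct stating the invariant the suppression relies on, for example that SupabaseConfig is never logged or serialized as a whole, would let the next reader check it; the author should confirm that wording against the callers, which are outside this hunk.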
@@ -16,7 +16,7 @@ func TestConfig_LoadInvalidYAML(t *testing.T) { require.NoError(t, err) t.Cleanup(func() { assert.NoError(t, tmpFile.Close()) - assert.NoError(t, os.Remove(tmpFile.Name())) + assert.NoError(t, os.Remove(tmpFile.Name())) //nolint:gosec // temp file name comes from os.CreateTemp }) _, err = tmpFile.WriteString("usernamd:sdkfo\npassword: foo") require.NoError(t, err) @@ -27,12 +27,16 @@ func TestConfig_LoadInvalidYAML(t *testing.T) { } func TestConfig_Load(t *testing.T) { + t.Setenv("UPCLOUD_USERNAME", "") + t.Setenv("UPCLOUD_PASSWORD", "") + t.Setenv("UPCLOUD_TOKEN", "") + cfg := New() tmpFile, err := os.CreateTemp(os.TempDir(), "") require.NoError(t, err) t.Cleanup(func() { assert.NoError(t, tmpFile.Close()) - assert.NoError(t, os.Remove(tmpFile.Name())) + assert.NoError(t, os.Remove(tmpFile.Name())) //nolint:gosec // temp file name comes from os.CreateTemp }) _, err = tmpFile.WriteString("username: sdkfo\npassword: foo") require.NoError(t, err) @@ -74,13 +78,14 @@ func TestConfig_GetVersion(t *testing.T) { func TestConfig_LoadKeyring(t *testing.T) { t.Setenv("UPCLOUD_USERNAME", "") t.Setenv("UPCLOUD_PASSWORD", "") + t.Setenv("UPCLOUD_TOKEN", "") cfg := New() tmpFile, err := os.CreateTemp(os.TempDir(), "") require.NoError(t, err) t.Cleanup(func() { assert.NoError(t, tmpFile.Close()) - assert.NoError(t, os.Remove(tmpFile.Name())) + assert.NoError(t, os.Remove(tmpFile.Name())) //nolint:gosec // temp file name comes from os.CreateTemp }) _, err = tmpFile.WriteString("username: unittest") require.NoError(t, err) @@ -91,7 +96,7 @@ func TestConfig_LoadKeyring(t *testing.T) { cfg.GlobalFlags.ConfigFile = tmpFile.Name() err = cfg.Load() require.NoError(t, err) - assert.Equal(t, cfg.GetString("username"), "unittest") + assert.Equal(t, "unittest", cfg.GetString("username")) assert.Equal(t, "unittest_password", cfg.GetString("password")) t.Cleanup(func() { // remove test user from keyring 
diff --git a/internal/terminal/terminal.go b/internal/terminal/terminal.go index b250c1dc7..423b40118 100644 --- a/internal/terminal/terminal.go +++ b/internal/terminal/terminal.go @@ -30,7 +30,7 @@ func IsStderrTerminal() bool { // GetTerminalWidth tries to figure out the width of the terminal and returns it // returns 0 if there are problems in getting the width. func GetTerminalWidth() int { - w, _, err := term.GetSize(int(os.Stdout.Fd())) + w, _, err := term.GetSize(int(os.Stdout.Fd())) //nolint:gosec // file descriptors are runtime-provided small integers if err != nil { return 0 } diff --git a/internal/ui/usage.go b/internal/ui/usage.go index 64e26051d..dc5a5e95c 100644 --- a/internal/ui/usage.go +++ b/internal/ui/usage.go @@ -30,9 +30,9 @@ func formatFlags(fs *pflag.FlagSet) string { } var flagText, flagUsage strings.Builder if flag.Shorthand != "" { - flagText.WriteString(fmt.Sprintf("-%s, ", flag.Shorthand)) + fmt.Fprintf(&flagText, "-%s, ", flag.Shorthand) } - flagText.WriteString(fmt.Sprintf("--%s %s", flag.Name, flag.Value.Type())) + fmt.Fprintf(&flagText, "--%s %s", flag.Name, flag.Value.Type()) flagUsage.WriteString(text.WrapSoft(flag.Usage, wrappingLineLength)) def := flag.DefValue if strings.HasSuffix(flag.Value.Type(), "Slice") || strings.HasSuffix(flag.Value.Type(), "Array") { @@ -40,7 +40,7 @@ func formatFlags(fs *pflag.FlagSet) string { def = strings.TrimSuffix(def, "]") } if def != "" { - flagUsage.WriteString(fmt.Sprintf("\nDefault: %s", def)) + fmt.Fprintf(&flagUsage, "\nDefault: %s", def) } t.Append(table.Row{flagText.String(), flagUsage.String()}) }) From f02d2b21391cb1a202f7c4c381bd5a47f5af5f95 Mon Sep 17 00:00:00 2001 
From: Francisco Serrano Date: Tue, 10 Mar 2026 18:18:36 +0200 Subject: [PATCH 02/12] fix: nosec failures --- internal/commands/stack/dokku/dokku.go | 2 +- internal/commands/stack/helm.go | 2 +- internal/commands/stack/supabase/config.go | 2 +- internal/commands/storage/import.go | 6 +++--- internal/config/config_test.go | 6 +++--- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/internal/commands/stack/dokku/dokku.go b/internal/commands/stack/dokku/dokku.go index 89f438bf6..3950894d6 100644 --- a/internal/commands/stack/dokku/dokku.go +++ b/internal/commands/stack/dokku/dokku.go @@ -143,7 +143,7 @@ func (s *deployDokkuCommand) deploy(exec commands.Executor, configDir string) er return err } defer func(name string) { - errRemove := os.Remove(name) //nolint:gosec // file path is generated by os.CreateTemp above + errRemove := os.Remove(name) // #nosec G703 -- temp path is created by os.CreateTemp above if errRemove != nil { fmt.Printf("failed to remove temp file %s: %v\n", name, errRemove) } diff --git a/internal/commands/stack/helm.go b/internal/commands/stack/helm.go index e8aebaa1d..115c84d81 100644 --- a/internal/commands/stack/helm.go +++ b/internal/commands/stack/helm.go @@ -327,7 +327,7 @@ func UninstallHelmRelease(releaseName, logDir string) error { } if resp != nil { - fmt.Fprintf(logFile, "Uninstalled release %q: %s\n", releaseName, resp.Info) //nolint:gosec // local log output is not an HTML sink + fmt.Fprintf(logFile, "Uninstalled release %q: %s\n", releaseName, resp.Info) // #nosec G705 -- writes to local log file, not HTML } return nil diff --git a/internal/commands/stack/supabase/config.go b/internal/commands/stack/supabase/config.go index 9d9fe993d..7e0a28d8c 100644 --- a/internal/commands/stack/supabase/config.go +++ b/internal/commands/stack/supabase/config.go 
@@ -22,7 +22,7 @@ type SupabaseConfig struct { LbHostname string ClusterName string - JWTSecret string //nolint:gosec // config intentionally carries JWT signing secret + JWTSecret string // #nosec G117 -- field intentionally stores JWT signing secret AnonKey string ServiceRoleKey string PostgresPassword string diff --git a/internal/commands/storage/import.go b/internal/commands/storage/import.go index 39bd47620..200e19f8e 100644 --- a/internal/commands/storage/import.go +++ b/internal/commands/storage/import.go @@ -202,7 +202,7 @@ func (s *importCommand) ExecuteWithoutArguments(exec commands.Executor) (output. case upcloud.StorageImportSourceDirectUpload: // import from local file transferType = "upload" - sourceFile, err := os.Open(parsedSource.Path) //nolint:gosec // local source path comes from explicit CLI input + sourceFile, err := os.Open(parsedSource.Path) // #nosec G703 -- local source path is explicit CLI input if err != nil { return commands.HandleError(exec, msg, fmt.Errorf("cannot open local file: %w", err)) } @@ -247,7 +247,7 @@ func (s *importCommand) ExecuteWithoutArguments(exec commands.Executor) (output. // we have no knowledge of the remote file size, report bytes uploaded transferred := fmt.Sprintf("%sB", "-1") if statusUpdate.bytesTransferred <= math.MaxUint32 { - transferred = ui.AbbrevNumBinaryPrefix(uint(statusUpdate.bytesTransferred)) //nolint:gosec // disable G115: false positive because value is checked + transferred = ui.AbbrevNumBinaryPrefix(uint(statusUpdate.bytesTransferred)) // #nosec G115 -- guarded by MaxUint32 check above } exec.PushProgressUpdate(messages.Update{ Key: msg, 
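Review bot: The `statusUpdate.bytesTransferred <= math.MaxUint32` guard cited in the new G115 justification (internal/commands/storage/import.go) bounds only the upper side. If bytesTransferred is a signed integer (its declaration is outside this hunk), a negative value passes the check and `uint(...)` wraps to a very large number, which is the conversion the rule is about. Either add the lower bound, `if statusUpdate.bytesTransferred >= 0 && statusUpdate.bytesTransferred <= math.MaxUint32 {`, or state in the justification that the field is unsigned. The same line is rewritten again in PATCH 07/12.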
@@ -314,7 +314,7 @@ func createStorage(exec commands.Executor, params *createParams) (upcloud.Storag } func getLocalFileSize(path string) (size int64, err error) { - stat, err := os.Stat(path) //nolint:gosec // local path comes from explicit CLI/file URL input + stat, err := os.Stat(path) // #nosec G703 -- local path comes from explicit CLI/file URL input if err != nil { return 0, err } diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 0d8daf748..154e82bda 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -16,7 +16,7 @@ func TestConfig_LoadInvalidYAML(t *testing.T) { require.NoError(t, err) t.Cleanup(func() { assert.NoError(t, tmpFile.Close()) - assert.NoError(t, os.Remove(tmpFile.Name())) //nolint:gosec // temp file name comes from os.CreateTemp + assert.NoError(t, os.Remove(tmpFile.Name())) // #nosec G703 -- temp path is created by os.CreateTemp }) _, err = tmpFile.WriteString("usernamd:sdkfo\npassword: foo") require.NoError(t, err) @@ -36,7 +36,7 @@ func TestConfig_Load(t *testing.T) { require.NoError(t, err) t.Cleanup(func() { assert.NoError(t, tmpFile.Close()) - assert.NoError(t, os.Remove(tmpFile.Name())) //nolint:gosec // temp file name comes from os.CreateTemp + assert.NoError(t, os.Remove(tmpFile.Name())) // #nosec G703 -- temp path is created by os.CreateTemp }) _, err = tmpFile.WriteString("username: sdkfo\npassword: foo") require.NoError(t, err) @@ -85,7 +85,7 @@ func TestConfig_LoadKeyring(t *testing.T) { require.NoError(t, err) t.Cleanup(func() { assert.NoError(t, tmpFile.Close()) - assert.NoError(t, os.Remove(tmpFile.Name())) //nolint:gosec // temp file name comes from os.CreateTemp + assert.NoError(t, os.Remove(tmpFile.Name())) // #nosec G703 -- temp path is created by os.CreateTemp }) _, err = tmpFile.WriteString("username: unittest") require.NoError(t, err) From 87b73e25a2815b98ecd15a563f2c5ed5fe8e617d Mon Sep 17 00:00:00 2001 
From: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:41:48 +0200 Subject: [PATCH 03/12] Update internal/commands/stack/dokku/dokku.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ville Skyttä --- internal/commands/stack/dokku/dokku.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/commands/stack/dokku/dokku.go b/internal/commands/stack/dokku/dokku.go index 3950894d6..0b4558944 100644 --- a/internal/commands/stack/dokku/dokku.go +++ b/internal/commands/stack/dokku/dokku.go @@ -143,7 +143,7 @@ func (s *deployDokkuCommand) deploy(exec commands.Executor, configDir string) er return err } defer func(name string) { - errRemove := os.Remove(name) // #nosec G703 -- temp path is created by os.CreateTemp above + errRemove := os.Remove(name) //gosec:disable G703 -- temp path is created by os.CreateTemp above if errRemove != nil { fmt.Printf("failed to remove temp file %s: %v\n", name, errRemove) } From 6ce400119d55ee8a3796b029be705cb6b2d25ee4 Mon Sep 17 00:00:00 2001 From: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:41:57 +0200 Subject: [PATCH 04/12] Update internal/commands/stack/supabase/config.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ville Skyttä --- internal/commands/stack/supabase/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/commands/stack/supabase/config.go b/internal/commands/stack/supabase/config.go index 7e0a28d8c..43cc58232 100644 --- a/internal/commands/stack/supabase/config.go +++ b/internal/commands/stack/supabase/config.go 
@@ -22,7 +22,7 @@ type SupabaseConfig struct { LbHostname string ClusterName string - JWTSecret string // #nosec G117 -- field intentionally stores JWT signing secret + JWTSecret string //gosec:disable G117 -- field intentionally stores JWT signing secret AnonKey string ServiceRoleKey string PostgresPassword string From e11784fc5dc58f45c0892233a9ebee4404d19011 Mon Sep 17 00:00:00 2001 From: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:42:07 +0200 Subject: [PATCH 05/12] Update internal/commands/stack/helm.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ville Skyttä --- internal/commands/stack/helm.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/commands/stack/helm.go b/internal/commands/stack/helm.go index 115c84d81..39aaefa45 100644 --- a/internal/commands/stack/helm.go +++ b/internal/commands/stack/helm.go @@ -327,7 +327,7 @@ func UninstallHelmRelease(releaseName, logDir string) error { } if resp != nil { - fmt.Fprintf(logFile, "Uninstalled release %q: %s\n", releaseName, resp.Info) // #nosec G705 -- writes to local log file, not HTML + fmt.Fprintf(logFile, "Uninstalled release %q: %s\n", releaseName, resp.Info) //gosec:disable G705 -- writes to local log file, not HTML } return nil From f490d8eb2bbc5945c817d3870c6d54155721746e Mon Sep 17 00:00:00 2001 From: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:42:15 +0200 Subject: [PATCH 06/12] Update internal/commands/storage/import.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ville Skyttä --- internal/commands/storage/import.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/commands/storage/import.go b/internal/commands/storage/import.go index 200e19f8e..26aed79bb 100644 --- a/internal/commands/storage/import.go 
+++ b/internal/commands/storage/import.go @@ -202,7 +202,7 @@ func (s *importCommand) ExecuteWithoutArguments(exec commands.Executor) (output. case upcloud.StorageImportSourceDirectUpload: // import from local file transferType = "upload" - sourceFile, err := os.Open(parsedSource.Path) // #nosec G703 -- local source path is explicit CLI input + sourceFile, err := os.Open(parsedSource.Path) //gosec:disable G703 -- local source path is explicit CLI input if err != nil { return commands.HandleError(exec, msg, fmt.Errorf("cannot open local file: %w", err)) } From ad9848029dbbf55938c1eab0fd1318ac71b92536 Mon Sep 17 00:00:00 2001 From: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:42:26 +0200 Subject: [PATCH 07/12] Update internal/commands/storage/import.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ville Skyttä --- internal/commands/storage/import.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/commands/storage/import.go b/internal/commands/storage/import.go index 26aed79bb..45ecb03da 100644 --- a/internal/commands/storage/import.go +++ b/internal/commands/storage/import.go @@ -247,7 +247,7 @@ func (s *importCommand) ExecuteWithoutArguments(exec commands.Executor) (output. // we have no knowledge of the remote file size, report bytes uploaded transferred := fmt.Sprintf("%sB", "-1") if statusUpdate.bytesTransferred <= math.MaxUint32 { - transferred = ui.AbbrevNumBinaryPrefix(uint(statusUpdate.bytesTransferred)) // #nosec G115 -- guarded by MaxUint32 check above + transferred = ui.AbbrevNumBinaryPrefix(uint(statusUpdate.bytesTransferred)) //gosec:disable G115 -- guarded by MaxUint32 check above } exec.PushProgressUpdate(messages.Update{ Key: msg, From 5bb9cf8ba47cbd48068161b0b7077edfaa44aa00 Mon Sep 17 00:00:00 2001 
From: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:42:34 +0200 Subject: [PATCH 08/12] Update internal/commands/storage/import.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ville Skyttä --- internal/commands/storage/import.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/commands/storage/import.go b/internal/commands/storage/import.go index 45ecb03da..cf6b0ccd4 100644 --- a/internal/commands/storage/import.go +++ b/internal/commands/storage/import.go @@ -314,7 +314,7 @@ func createStorage(exec commands.Executor, params *createParams) (upcloud.Storag } func getLocalFileSize(path string) (size int64, err error) { - stat, err := os.Stat(path) // #nosec G703 -- local path comes from explicit CLI/file URL input + stat, err := os.Stat(path) //gosec:disable G703 -- local path comes from explicit CLI/file URL input if err != nil { return 0, err } From ffb8414c94b09f4b4d577434b34c603170ca5bc5 Mon Sep 17 00:00:00 2001 From: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:42:42 +0200 Subject: [PATCH 09/12] Update internal/config/config_test.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ville Skyttä --- internal/config/config_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 154e82bda..b6526653a 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go 
@@ -16,7 +16,7 @@ func TestConfig_LoadInvalidYAML(t *testing.T) { require.NoError(t, err) t.Cleanup(func() { assert.NoError(t, tmpFile.Close()) - assert.NoError(t, os.Remove(tmpFile.Name())) // #nosec G703 -- temp path is created by os.CreateTemp + assert.NoError(t, os.Remove(tmpFile.Name())) //gosec:disable G703 -- temp path is created by os.CreateTemp }) _, err = tmpFile.WriteString("usernamd:sdkfo\npassword: foo") require.NoError(t, err) From 1a15f17a61503a447269c61f6cfd6fb163a00b8e Mon Sep 17 00:00:00 2001 From: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:42:51 +0200 Subject: [PATCH 10/12] Update internal/config/config_test.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ville Skyttä --- internal/config/config_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/config/config_test.go b/internal/config/config_test.go index b6526653a..43de2a6e3 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -36,7 +36,7 @@ func TestConfig_Load(t *testing.T) { require.NoError(t, err) t.Cleanup(func() { assert.NoError(t, tmpFile.Close()) - assert.NoError(t, os.Remove(tmpFile.Name())) // #nosec G703 -- temp path is created by os.CreateTemp + assert.NoError(t, os.Remove(tmpFile.Name())) //gosec:disable G703 -- temp path is created by os.CreateTemp }) _, err = tmpFile.WriteString("username: sdkfo\npassword: foo") require.NoError(t, err) From 60c9d6a7b77e3f8ad33c50abc6f34fb0902a04f1 Mon Sep 17 00:00:00 2001 From: Francisco Serrano <59340762+paketeserrano@users.noreply.github.com> Date: Wed, 11 Mar 2026 13:43:01 +0200 Subject: [PATCH 11/12] Update internal/config/config_test.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ville Skyttä --- internal/config/config_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 43de2a6e3..b8634be56 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -85,7 +85,7 @@ func TestConfig_LoadKeyring(t *testing.T) { require.NoError(t, err) t.Cleanup(func() { assert.NoError(t, tmpFile.Close()) - assert.NoError(t, os.Remove(tmpFile.Name())) // #nosec G703 -- temp path is created by os.CreateTemp + assert.NoError(t, os.Remove(tmpFile.Name())) //gosec:disable G703 -- temp path is created by os.CreateTemp }) _, err = tmpFile.WriteString("username: unittest") require.NoError(t, err) From 3c46595d90f9b48f3d21d15b502f11acd297baa0 Mon Sep 17 00:00:00 2001 From: Francisco Serrano Date: Wed, 11 Mar 2026 13:46:18 +0200 Subject: [PATCH 12/12] fix: proper linter directive --- internal/terminal/terminal.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/terminal/terminal.go b/internal/terminal/terminal.go index 423b40118..8a215d7fd 100644 --- a/internal/terminal/terminal.go +++ b/internal/terminal/terminal.go @@ -30,7 +30,7 @@ func IsStderrTerminal() bool { // GetTerminalWidth tries to figure out the width of the terminal and returns it // returns 0 if there are problems in getting the width. func GetTerminalWidth() int { - w, _, err := term.GetSize(int(os.Stdout.Fd())) //nolint:gosec // file descriptors are runtime-provided small integers + w, _, err := term.GetSize(int(os.Stdout.Fd())) //gosec:disable G115 // file descriptors are runtime-provided small integers if err != nil { return 0 }
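Review bot: The new directive on the `term.GetSize` line in GetTerminalWidth separates the rule from its reason with `//`, while every other suppression in this series uses ` -- `, which is the form gosec documents for justifications. Writing it as `//gosec:disable G115 -- file descriptors are runtime-provided small integers` keeps the series consistent and lets the reason be picked up as the justification. The reason itself would be stronger if it named the bound it relies on, since "small integers" is an assumption about the platform rather than a check in the code.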