ci(deps): update golangci-lint to v1.59.0 (#10318)

* ci(deps): update golangci-lint to v1.59.0 * chore: fix ignores after stricter #nosec Signed-off-by: Mike Beaumont <mjboamail@gmail.com>
kumahq · May 27, 2024 · dc92b27 · dc92b27
1 parent 6ae285c
commit dc92b27
Show file tree

Hide file tree

Showing 10 changed files with 25 additions and 16 deletions.
diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
@@ -51,7 +51,7 @@ jobs:
       - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
         with:
           args: --fix=false --verbose
-          version: v1.56.1
+          version: v1.59.0
       - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: |

diff --git a/mk/dependencies/deps.lock b/mk/dependencies/deps.lock
@@ -1 +1 @@
-aa93aef4e96dccf4a394c17ef6d5b6d2df9d5ab4
+0ba3997a3b0428c45c0a974664f25156ffc11c7e
diff --git a/mk/dev.mk b/mk/dev.mk
@@ -24,7 +24,7 @@ CI_TOOLS_BIN_DIR=$(CI_TOOLS_DIR)/bin
 K8S_MIN_VERSION = v1.23.17-k3s1
 K8S_MAX_VERSION = v1.30.0-k3s1
 export GO_VERSION=$(shell go mod edit -json | jq -r .Go)
-export GOLANGCI_LINT_VERSION=v1.56.1
+export GOLANGCI_LINT_VERSION=v1.59.0
 GOOS := $(shell go env GOOS)
 GOARCH := $(shell go env GOARCH)
 LATEST_RELEASE_BRANCH := $(shell $(CI_TOOLS_BIN_DIR)/yq e '.[] | select(.latest == true) | .branch' versions.yml)

diff --git a/pkg/kds/mux/client.go b/pkg/kds/mux/client.go
@@ -319,9 +319,8 @@ func (c *client) NeedLeaderElection() bool {
 }
 
 func tlsConfig(rootCaFile string, skipVerify bool) (*tls.Config, error) {
-	// #nosec G402 -- we let the user decide if they want to ignore verification
 	tlsConfig := &tls.Config{
-		InsecureSkipVerify: skipVerify,
+		InsecureSkipVerify: skipVerify, // #nosec G402 -- we let the user decide if they want to ignore verification
 		MinVersion:         tls.VersionTLS12,
 	}
 	if rootCaFile != "" {

diff --git a/pkg/plugins/resources/postgres/pgx_store.go b/pkg/plugins/resources/postgres/pgx_store.go
@@ -294,8 +294,8 @@ func (r *pgxResourceStore) pickRoPool() *pgxpool.Pool {
 	if r.roPool == nil {
 		return r.pool
 	}
-	// #nosec G404 - math rand is enough
-	if rand.Int31n(101) <= int32(r.roRatio) {
+	randomPool := rand.Int31n(101) // #nosec G404 - math rand is enough
+	if randomPool <= int32(r.roRatio) {
 		return r.roPool
 	}
 	return r.pool

diff --git a/pkg/transparentproxy/ebpf/program.go b/pkg/transparentproxy/ebpf/program.go
@@ -41,8 +41,11 @@ func (p Program) LoadAndAttach(cfg config.InitializedConfig, programs embed.FS,
 	}
 
 	programPath := path.Join(cfg.Ebpf.ProgramsSourcePath, p.Name)
-	// #nosec
-	if err := os.WriteFile(programPath, programBytes, 0o744); err != nil {
+	if err := os.WriteFile(
+		programPath,
+		programBytes,
+		0o744, // #nosec G306
+	); err != nil {
 		return fmt.Errorf("writing program bytes to file failed with error: %s", err)
 	}
 

diff --git a/test/e2e_env/universal/auth/dp_auth.go b/test/e2e_env/universal/auth/dp_auth.go
@@ -103,6 +103,7 @@ data: %s`, base64.StdEncoding.EncodeToString([]byte(claims.ID)))
 		Eventually(func(g Gomega) {
 			// we need to trigger XDS config change for this DP to disconnect it
 			// this limitation may be lifted in the future
+			randomRetries := rand.Int()%100 + 1 // #nosec G404 -- this is for tests no need to use secure rand
 			yaml = fmt.Sprintf(`
 type: MeshRetry
 name: retry-policy
@@ -123,7 +124,7 @@ spec:
             maxInterval: 20m
           retryOn:
             - "5xx"
-`, rand.Int()%100+1) // #nosec G404 -- this is for tests no need to use secure rand
+`, randomRetries)
 			g.Expect(universal.Cluster.Install(YamlUniversal(yaml))).To(Succeed())
 
 			online, _, err := IsDataplaneOnline(universal.Cluster, meshName, serviceName)

diff --git a/test/framework/client/collect.go b/test/framework/client/collect.go
@@ -372,10 +372,9 @@ func MakeDirectRequest(
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return dialer.Dial(network, u.Host)
 			},
-			// #nosec G402 -- Intentionally weak in tests
 			TLSClientConfig: &tls.Config{
 				ServerName:         req.Host,
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: true,                 // #nosec G402 -- Intentionally weak in tests
 				NextProtos:         []string{"http/1.1"}, // ALPN is required by Envoy
 			},
 		}

diff --git a/test/framework/setup.go b/test/framework/setup.go
@@ -914,10 +914,18 @@ func DumpTempCerts(names ...string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	if err := os.WriteFile(filepath.Join(path, "cert.pem"), []byte(fmt.Sprintf("---\n%s", cert)), os.ModePerm); err != nil {
+	if err := os.WriteFile(
+		filepath.Join(path, "cert.pem"),
+		[]byte(fmt.Sprintf("---\n%s", cert)),
+		os.ModePerm, // #nosec G306
+	); err != nil {
 		return "", err
 	}
-	if err := os.WriteFile(filepath.Join(path, "key.pem"), []byte(fmt.Sprintf("---\n%s", key)), os.ModePerm); err != nil {
+	if err := os.WriteFile(
+		filepath.Join(path, "key.pem"),
+		[]byte(fmt.Sprintf("---\n%s", key)),
+		os.ModePerm, // #nosec G306
+	); err != nil {
 		return "", err
 	}
 	return path, nil

diff --git a/tools/xds-client/stream/client.go b/tools/xds-client/stream/client.go
@@ -43,9 +43,8 @@ func New(serverURL string) (*Client, error) {
 	case "grpc":
 		dialOpts = append(dialOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
 	case "grpcs":
-		// #nosec G402 -- it's acceptable as this is only to be used in testing
 		dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
-			InsecureSkipVerify: true,
+			InsecureSkipVerify: true, // #nosec G402 -- it's acceptable as this is only to be used in testing
 		})))
 	default:
 		return nil, errors.Errorf("unsupported scheme %q. Use one of %s", url.Scheme, []string{"grpc", "grpcs"})