Update builder image, cosign image, golangci-lint

.github/workflows/tests.yaml

@@ -178,5 +178,5 @@ jobs:
         uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.55
+          version: v1.56
           args: --timeout=5m

.github/workflows/validate-release.yml

@@ -26,14 +26,14 @@ jobs:
   check-signature:
     runs-on: ubuntu-latest
     container:
-      image: gcr.io/projectsigstore/cosign:v2.2.2-dev@sha256:1a49e2f6cf3580935863d9d8d46066db9aad3dbd673ca24cb83d143221c6e64b
+      image: gcr.io/projectsigstore/cosign:v2.2.3-dev@sha256:0d795fa145b03026b7bc2a35e33068cdb75e1c1f974e604c17408bf7bd174967
 
     steps:
       - name: Check Signature
         run: |
-          cosign verify ghcr.io/gythialy/golang-cross:v1.21.6-0@sha256:c00bdb060aff03e8042f41ed0c11a0bbbb01e2ea3f65733ce037497fcb83d5d7 \
+          cosign verify ghcr.io/gythialy/golang-cross:v1.21.7-0@sha256:7a0c553f9bea35120ca907c7b01f29c0e45061ef5891ead0ab3bf3b1c323a265 \
           --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.6-0"
+          --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.7-0"
         env:
           TUF_ROOT: /tmp
 
@@ -43,7 +43,7 @@ jobs:
       - check-signature
 
     container:
-      image: ghcr.io/gythialy/golang-cross:v1.21.6-0@sha256:c00bdb060aff03e8042f41ed0c11a0bbbb01e2ea3f65733ce037497fcb83d5d7
+      image: ghcr.io/gythialy/golang-cross:v1.21.7-0@sha256:7a0c553f9bea35120ca907c7b01f29c0e45061ef5891ead0ab3bf3b1c323a265
 
     permissions: {}
 

cmd/cosign/cli/commands.go

@@ -62,7 +62,7 @@ func New() *cobra.Command {
 		Short:             "A tool for Container Signing, Verification and Storage in an OCI registry.",
 		DisableAutoGenTag: true,
 		SilenceUsage:      true, // Don't show usage on errors
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+		PersistentPreRunE: func(cmd *cobra.Command, _ []string) error {
 			if ro.OutputFile != "" {
 				var err error
 				out, err = os.Create(ro.OutputFile)
@@ -80,7 +80,7 @@ func New() *cobra.Command {
 
 			return nil
 		},
-		PersistentPostRun: func(cmd *cobra.Command, args []string) {
+		PersistentPostRun: func(_ *cobra.Command, _ []string) {
 			if out != nil {
 				_ = out.Close()
 			}

cmd/cosign/cli/env.go

@@ -34,7 +34,7 @@ func Env() *cobra.Command {
 		Use:   "env",
 		Short: "Prints Cosign environment variables",
 		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			envVars := env.EnvironmentVariables()
 			printEnv(envVars, getEnv(), getEnviron(), o.ShowDescriptions, o.ShowSensitiveValues)
 

cmd/cosign/cli/fulcio/fulcio_test.go

@@ -191,7 +191,7 @@ func TestNewSigner(t *testing.T) {
 	pemChain, _ := cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, rootCert})
 
 	testServer := httptest.NewServer(http.HandlerFunc(
-		func(w http.ResponseWriter, r *http.Request) {
+		func(w http.ResponseWriter, _ *http.Request) {
 			w.WriteHeader(http.StatusCreated)
 			_, _ = w.Write(pemChain)
 		}))

cmd/cosign/cli/generate/generate_key_pair.go

@@ -114,7 +114,7 @@ func writeKeyFiles(privateKeyFileName string, publicKeyFileName string, keys *co
 	}
 	fmt.Fprintln(os.Stderr, "Private key written to", privateKeyFileName)
 
-	if err := os.WriteFile(publicKeyFileName, keys.PublicBytes, 0644); err != nil {
+	if err := os.WriteFile(publicKeyFileName, keys.PublicBytes, 0644); err != nil { //nolint: gosec
 		return err
 	} // #nosec G306
 	fmt.Fprintln(os.Stderr, "Public key written to", publicKeyFileName)

cmd/cosign/cli/initialize.go

@@ -52,7 +52,7 @@ cosign initialize -root <url>
 # initialize with an out-of-band root key file and custom repository mirror.
 cosign initialize -mirror <url> -root <url>`,
 		PersistentPreRun: options.BindViper,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			return initialize.DoInitialize(cmd.Context(), o.Root, o.Mirror)
 		},
 	}

cmd/cosign/cli/public_key.go

@@ -56,14 +56,14 @@ func PublicKey() *cobra.Command {
 
   # extract public key from GitLab with project id
   cosign public-key --key gitlab://[PROJECT_ID] <IMAGE>`,
-		PreRunE: func(cmd *cobra.Command, args []string) error {
+		PreRunE: func(_ *cobra.Command, _ []string) error {
 			if !options.OneOf(o.Key, o.SecurityKey.Use) {
 				return &options.KeyParseError{}
 			}
 			return nil
 		},
 		PersistentPreRun: options.BindViper,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			writer := publickey.NamedWriter{Name: "", Writer: nil}
 			var f *os.File
 			// Open output file for public key if specified.

cmd/cosign/cli/sign.go

@@ -87,7 +87,7 @@ race conditions or (worse) malicious tampering.
 
 		Args:             cobra.MinimumNArgs(1),
 		PersistentPreRun: options.BindViper,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, args []string) error {
 			switch o.Attachment {
 			case "sbom":
 				fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)

cmd/cosign/cli/sign/sign_test.go

@@ -219,7 +219,7 @@ func Test_ParseOCIReference(t *testing.T) {
 		{"image:@sha256:abcdef", ""},
 	}
 	for _, tt := range tests {
-		stderr := ui.RunWithTestCtx(func(ctx context.Context, write ui.WriteFunc) {
+		stderr := ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) {
 			ParseOCIReference(ctx, tt.ref)
 		})
 		if len(tt.expectedWarning) > 0 {

cmd/cosign/cli/signblob.go

@@ -57,13 +57,13 @@ func SignBlob() *cobra.Command {
   cosign sign-blob --key hashivault://[KEY] <FILE>`,
 		Args:             cobra.MinimumNArgs(1),
 		PersistentPreRun: options.BindViper,
-		PreRunE: func(cmd *cobra.Command, args []string) error {
+		PreRunE: func(_ *cobra.Command, _ []string) error {
 			if options.NOf(o.Key, o.SecurityKey.Use) > 1 {
 				return &options.KeyParseError{}
 			}
 			return nil
 		},
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, args []string) error {
 			oidcClientSecret, err := o.OIDC.ClientSecret()
 			if err != nil {
 				return err

cmd/cosign/cli/upload.go

@@ -65,7 +65,7 @@ func uploadBlob() *cobra.Command {
   cosign upload blob -a mykey=myvalue -a myotherkey="my other value" -f foo-darwin:darwin -f foo-linux:linux <IMAGE>`,
 		Args:             cobra.ExactArgs(1),
 		PersistentPreRun: options.BindViper,
-		PreRunE: func(cmd *cobra.Command, args []string) error {
+		PreRunE: func(_ *cobra.Command, _ []string) error {
 			if len(o.Files.Files) < 1 {
 				return flag.ErrHelp
 			}

cmd/cosign/cli/verify/verify_blob_test.go

@@ -553,7 +553,7 @@ func TestVerifyBlob(t *testing.T) {
 				entries = append(entries, *entry)
 			}
 			testServer := httptest.NewServer(http.HandlerFunc(
-				func(w http.ResponseWriter, r *http.Request) {
+				func(w http.ResponseWriter, _ *http.Request) {
 					w.Header().Set("Content-Type", "application/json")
 					json.NewEncoder(w).Encode(entries)
 				}))

cmd/cosign/cli/verify/verify_test.go

@@ -145,7 +145,7 @@ func TestPrintVerification(t *testing.T) {
 	_ = captureOutput
 
 	out := captureOutput(func() {
-		ui.RunWithTestCtx(func(ctx context.Context, write ui.WriteFunc) {
+		ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) {
 			PrintVerification(ctx, []oci.Signature{ociSig}, "json")
 		})
 	})

internal/ui/log_test.go

@@ -35,7 +35,7 @@ func TestInfof(t *testing.T) {
 		{"fmt", "foo: %v", []any{"bar"}, "foo: bar\n"},
 	}
 	for _, tc := range cases {
-		stderr := ui.RunWithTestCtx(func(ctx context.Context, write ui.WriteFunc) {
+		stderr := ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) {
 			ui.Infof(ctx, tc.input, tc.args...)
 		})
 		assert.Equal(t, tc.expected, stderr, "Bad output to STDERR")
@@ -49,7 +49,7 @@ func TestWarnf(t *testing.T) {
 		{"fmt", "bar: %v", []any{"baz"}, "WARNING: bar: baz\n"},
 	}
 	for _, tc := range cases {
-		stderr := ui.RunWithTestCtx(func(ctx context.Context, write ui.WriteFunc) {
+		stderr := ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) {
 			ui.Warnf(ctx, tc.input, tc.args...)
 		})
 		assert.Equal(t, tc.expected, stderr, "Bad output to STDERR")

pkg/blob/load_test.go

@@ -58,7 +58,7 @@ func TestLoadFile(t *testing.T) {
 func TestLoadURL(t *testing.T) {
 	data := []byte("test")
 
-	server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+	server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, _ *http.Request) {
 		rw.Write(data)
 	}))
 	defer server.Close()

pkg/cosign/obsolete_test.go

@@ -31,7 +31,7 @@ func TestObsoletePayload(t *testing.T) {
 	digestedImg, err := name.NewDigest("docker.io/namespace/image@sha256:4aa3054270f7a70b4528f2064ee90961788e1e1518703592ae4463de3b889dec")
 	require.NoError(t, err)
 	var res []byte
-	stderr := ui.RunWithTestCtx(func(ctx context.Context, write ui.WriteFunc) {
+	stderr := ui.RunWithTestCtx(func(ctx context.Context, _ ui.WriteFunc) {
 		r, err := ObsoletePayload(ctx, digestedImg)
 		require.NoError(t, err)
 		res = r

pkg/oci/mutate/map_test.go

@@ -36,7 +36,7 @@ func TestMapImage(t *testing.T) {
 
 	t.Run("one call to identity mutator", func(t *testing.T) {
 		calls := 0
-		rsi, err := Map(context.Background(), si, func(c context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
+		rsi, err := Map(context.Background(), si, func(_ context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
 			calls++
 			return se, nil
 		})
@@ -53,7 +53,7 @@ func TestMapImage(t *testing.T) {
 
 	t.Run("error propagates", func(t *testing.T) {
 		want := errors.New("this is the error I expect")
-		_, got := Map(context.Background(), si, func(c context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
+		_, got := Map(context.Background(), si, func(_ context.Context, _ oci.SignedEntity) (oci.SignedEntity, error) {
 			return nil, want
 		})
 		if !errors.Is(got, want) {
@@ -68,7 +68,7 @@ func TestMapImage(t *testing.T) {
 		}
 		want := signed.Image(i)
 
-		got, err := Map(context.Background(), si, func(c context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
+		got, err := Map(context.Background(), si, func(_ context.Context, _ oci.SignedEntity) (oci.SignedEntity, error) {
 			return want, nil
 		})
 		if err != nil {
@@ -80,7 +80,7 @@ func TestMapImage(t *testing.T) {
 	})
 
 	t.Run("filtered image", func(t *testing.T) {
-		got, err := Map(context.Background(), si, func(c context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
+		got, err := Map(context.Background(), si, func(_ context.Context, _ oci.SignedEntity) (oci.SignedEntity, error) {
 			return nil, nil
 		})
 		if err != nil {
@@ -131,7 +131,7 @@ func TestMapImageIndex(t *testing.T) {
 
 	t.Run("just one call to root index w/ ErrSkipChildren", func(t *testing.T) {
 		calls := 0
-		_, err := Map(context.Background(), sii, func(ctx context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
+		_, err := Map(context.Background(), sii, func(_ context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
 			calls++
 			if se != sii {
 				t.Errorf("Wanted mutator called on %#v, got call on %#v", sii, se)
@@ -180,7 +180,7 @@ func TestMapImageIndex(t *testing.T) {
 	})
 
 	t.Run("test filtering images", func(t *testing.T) {
-		rsi, err := Map(context.Background(), sii, func(ctx context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
+		rsi, err := Map(context.Background(), sii, func(_ context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
 			if _, ok := se.(oci.SignedImage); ok {
 				return nil, nil
 			}
@@ -231,7 +231,7 @@ func TestMapImageIndex(t *testing.T) {
 
 	t.Run("error propagates from child image", func(t *testing.T) {
 		want := errors.New("this is the error I expect")
-		_, got := Map(context.Background(), sii, func(c context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
+		_, got := Map(context.Background(), sii, func(_ context.Context, se oci.SignedEntity) (oci.SignedEntity, error) {
 			if _, ok := se.(oci.SignedImage); !ok {
 				return se, nil
 			}

pkg/oci/remote/digest_test.go

@@ -35,7 +35,7 @@ func TestResolveDigest(t *testing.T) {
 	digest := name.MustParseReference("gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4")
 
 	t.Run("digest doesn't call remote.Get", func(t *testing.T) {
-		remoteGet = func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) {
+		remoteGet = func(_ name.Reference, _ ...remote.Option) (*remote.Descriptor, error) {
 			t.Fatal("ResolveDigest should not call remote.Get.")
 			return nil, nil
 		}
@@ -50,7 +50,7 @@ func TestResolveDigest(t *testing.T) {
 	})
 
 	t.Run("tag calls remote.Get", func(t *testing.T) {
-		remoteGet = func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) {
+		remoteGet = func(_ name.Reference, _ ...remote.Option) (*remote.Descriptor, error) {
 			return &remote.Descriptor{
 				Descriptor: v1.Descriptor{
 					Digest: v1.Hash{
@@ -74,7 +74,7 @@ func TestResolveDigest(t *testing.T) {
 
 	t.Run("remote.Get errors propagate", func(t *testing.T) {
 		want := errors.New("we should propagate this error")
-		remoteGet = func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) {
+		remoteGet = func(_ name.Reference, _ ...remote.Option) (*remote.Descriptor, error) {
 			return nil, want
 		}
 

pkg/oci/remote/image_test.go

@@ -31,7 +31,7 @@ func TestSignedImage(t *testing.T) {
 	})
 	wantLayers := int64(7)
 
-	remoteImage = func(ref name.Reference, options ...remote.Option) (v1.Image, error) {
+	remoteImage = func(_ name.Reference, _ ...remote.Option) (v1.Image, error) {
 		// Only called for signature images
 		return random.Image(300 /* byteSize */, wantLayers)
 	}
@@ -76,7 +76,7 @@ func TestSignedImageWithAttachment(t *testing.T) {
 	})
 	wantLayers := int64(1) // File must have a single layer
 
-	remoteImage = func(ref name.Reference, options ...remote.Option) (v1.Image, error) {
+	remoteImage = func(_ name.Reference, _ ...remote.Option) (v1.Image, error) {
 		// Only called for signature images
 		return random.Image(300 /* byteSize */, wantLayers)
 	}

pkg/oci/remote/index_test.go

@@ -56,11 +56,11 @@ func TestSignedImageIndex(t *testing.T) {
 		},
 	)
 
-	remoteImage = func(ref name.Reference, options ...remote.Option) (v1.Image, error) {
+	remoteImage = func(_ name.Reference, _ ...remote.Option) (v1.Image, error) {
 		// Only called for signature images
 		return random.Image(300 /* byteSize */, wantLayers)
 	}
-	remoteIndex = func(ref name.Reference, options ...remote.Option) (ii v1.ImageIndex, err error) {
+	remoteIndex = func(_ name.Reference, _ ...remote.Option) (ii v1.ImageIndex, err error) {
 		return l3, nil
 	}
 

pkg/oci/remote/remote_test.go

@@ -29,7 +29,7 @@ func TestTagMethods(t *testing.T) {
 	defer func() {
 		remoteGet = rg
 	}()
-	remoteGet = func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) {
+	remoteGet = func(_ name.Reference, _ ...remote.Option) (*remote.Descriptor, error) {
 		return &remote.Descriptor{
 			Descriptor: v1.Descriptor{
 				Digest: v1.Hash{
@@ -117,7 +117,7 @@ func TestTagMethodErrors(t *testing.T) {
 		remoteGet = rg
 	}()
 	errRemoteGet := errors.New("remote.Get failure")
-	remoteGet = func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) {
+	remoteGet = func(_ name.Reference, _ ...remote.Option) (*remote.Descriptor, error) {
 		return nil, errRemoteGet
 	}
 
@@ -153,7 +153,7 @@ func TestDockercontentDigest(t *testing.T) {
 	defer func() {
 		remoteGet = rg
 	}()
-	remoteGet = func(ref name.Reference, options ...remote.Option) (*remote.Descriptor, error) {
+	remoteGet = func(_ name.Reference, _ ...remote.Option) (*remote.Descriptor, error) {
 		return &remote.Descriptor{
 			Descriptor: v1.Descriptor{
 				Digest: v1.Hash{

pkg/oci/remote/signatures_test.go

@@ -33,7 +33,7 @@ func TestSignaturesErrors(t *testing.T) {
 	})
 
 	t.Run("404 returns empty", func(t *testing.T) {
-		remoteImage = func(ref name.Reference, options ...remote.Option) (v1.Image, error) {
+		remoteImage = func(_ name.Reference, _ ...remote.Option) (v1.Image, error) {
 			return nil, &transport.Error{
 				StatusCode: http.StatusNotFound,
 			}
@@ -54,7 +54,7 @@ func TestSignaturesErrors(t *testing.T) {
 		want := &transport.Error{
 			StatusCode: http.StatusInternalServerError,
 		}
-		remoteImage = func(ref name.Reference, options ...remote.Option) (v1.Image, error) {
+		remoteImage = func(_ name.Reference, _ ...remote.Option) (v1.Image, error) {
 			return nil, want
 		}
 
@@ -66,7 +66,7 @@ func TestSignaturesErrors(t *testing.T) {
 
 	t.Run("other errors propagate", func(t *testing.T) {
 		want := errors.New("it's my error, I can cry if I want to")
-		remoteImage = func(ref name.Reference, options ...remote.Option) (v1.Image, error) {
+		remoteImage = func(_ name.Reference, _ ...remote.Option) (v1.Image, error) {
 			return nil, want
 		}
 

pkg/oci/remote/unknown_test.go

@@ -31,7 +31,7 @@ func TestSignedUnknown(t *testing.T) {
 	})
 	wantLayers := int64(7)
 
-	remoteImage = func(ref name.Reference, options ...remote.Option) (v1.Image, error) {
+	remoteImage = func(_ name.Reference, _ ...remote.Option) (v1.Image, error) {
 		// Only called for signature images
 		return random.Image(300 /* byteSize */, wantLayers)
 	}
@@ -73,7 +73,7 @@ func TestSignedUnknownWithAttachment(t *testing.T) {
 	})
 	wantLayers := int64(1) // File must have a single layer
 
-	remoteImage = func(ref name.Reference, options ...remote.Option) (v1.Image, error) {
+	remoteImage = func(_ name.Reference, _ ...remote.Option) (v1.Image, error) {
 		// Only called for signature images
 		return random.Image(300 /* byteSize */, wantLayers)
 	}