chore: update golangci-lint (#1440)

2026-05-12 07:59:52 +00:00 · 2026-04-21 09:53:06 -07:00
parent 9c1a8b3c87
commit 2f0338211d
14 changed files with 27 additions and 19 deletions
--- a/.github/workflows/backend-linter.yml
+++ b/.github/workflows/backend-linter.yml
@@ -34,7 +34,7 @@ jobs:
      - name: Run Golangci-lint
        uses: golangci/golangci-lint-action@v9.0.0
        with:
-          version: v2.9.0
+          version: v2.11.4
          args: --build-tags=exclude_frontend
          working-directory: backend
          only-new-issues: ${{ github.event_name == 'pull_request' }}
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -15,6 +15,7 @@ require (
 	github.com/dunglas/go-urlpattern v0.0.0-20241020164140-716dfa1c80b1
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6
 	github.com/emersion/go-smtp v0.24.0
+	github.com/fsnotify/fsnotify v1.8.0
 	github.com/gin-contrib/slog v1.2.1
 	github.com/gin-gonic/gin v1.12.0
 	github.com/glebarez/go-sqlite v1.22.0
@@ -86,7 +87,6 @@ require (
 	github.com/disintegration/gift v1.2.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/gin-contrib/sse v1.1.1 // indirect
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -264,7 +264,10 @@ func runServer(ctx context.Context, config *serverConfig) error {
 	notifySystemdReady()

 	<-ctx.Done()
-	return shutdownServer(ctx, config.server)
+
+	// We do not pass the context because it's already been canceled
+	//nolint:contextcheck
+	return shutdownServer(config.server)
 }

 func startCertWatcher(ctx context.Context, certProvider *tlsCertProvider) (*fsnotify.Watcher, error) {
@@ -321,9 +324,10 @@ func notifySystemdReady() {
 	}
 }

-func shutdownServer(ctx context.Context, srv *http.Server) error {
-	shutdownCtx, shutdownCancel := context.WithTimeout(context.WithoutCancel(ctx), 5*time.Second)
-	shutdownErr := srv.Shutdown(shutdownCtx)
+func shutdownServer(srv *http.Server) error {
+	// Note we use the background context here as ctx has been canceled already
+	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
+	shutdownErr := srv.Shutdown(shutdownCtx) //nolint:contextcheck
 	shutdownCancel()
 	if shutdownErr != nil {
 		// Log the error only (could be context canceled)
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -347,6 +347,7 @@ func resolveFileBasedEnvVariable(field reflect.Value, fieldType reflect.StructFi
 		return nil
 	}

+	// #nosec G703 - Path is passed by the admin
 	fileContent, err := os.ReadFile(envVarFileValue)
 	if err != nil {
 		return fmt.Errorf("failed to read file for env var %s: %w", envVarFileName, err)
--- a/backend/internal/common/env_config_test.go
+++ b/backend/internal/common/env_config_test.go
@@ -272,7 +272,7 @@ func TestPrepareEnvConfig_FileBasedAndToLower(t *testing.T) {
 	require.NoError(t, err)

 	dbConnFile := tempDir + "/db_connection.txt"
-	dbConnContent := "postgres://user:pass@localhost/testdb"
+	dbConnContent := "postgres://user:pass@localhost/testdb" // #nosec G101 - test credential
 	err = os.WriteFile(dbConnFile, []byte(dbConnContent), 0600)
 	require.NoError(t, err)

--- a/backend/internal/middleware/auth_middleware_test.go
+++ b/backend/internal/middleware/auth_middleware_test.go
@@ -60,7 +60,7 @@ func TestWithApiKeyAuthDisabled(t *testing.T) {
 	})

 	t.Run("rejects API key auth when API key auth is disabled", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodGet, "/api/protected", nil)
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/api/protected", nil)
 		req.Header.Set("X-API-Key", apiKeyToken)
 		recorder := httptest.NewRecorder()

@@ -75,7 +75,7 @@ func TestWithApiKeyAuthDisabled(t *testing.T) {
 	})

 	t.Run("allows JWT auth when API key auth is disabled", func(t *testing.T) {
-		req := httptest.NewRequest(http.MethodGet, "/api/protected", nil)
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/api/protected", nil)
 		req.Header.Set("Authorization", "Bearer "+jwtToken)
 		recorder := httptest.NewRecorder()

--- a/backend/internal/middleware/cache_control_test.go
+++ b/backend/internal/middleware/cache_control_test.go
@@ -18,7 +18,7 @@ func TestCacheControlMiddlewareSetsDefault(t *testing.T) {
 		c.Status(http.StatusOK)
 	})

-	req := httptest.NewRequest(http.MethodGet, "/test", http.NoBody)
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/test", http.NoBody)
 	w := httptest.NewRecorder()

 	router.ServeHTTP(w, req)
@@ -36,7 +36,7 @@ func TestCacheControlMiddlewarePreservesExistingHeader(t *testing.T) {
 		c.Status(http.StatusOK)
 	})

-	req := httptest.NewRequest(http.MethodGet, "/custom", http.NoBody)
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/custom", http.NoBody)
 	w := httptest.NewRecorder()

 	router.ServeHTTP(w, req)
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -265,9 +265,9 @@ func (s *AppConfigService) UpdateAppConfigValues(ctx context.Context, keysAndVal
 	// We update the in-memory data (in the cfg struct) and collect values to update in the database
 	// (Note the += 2, as we are iterating through key-value pairs)
 	dbUpdate := make([]model.AppConfigVariable, 0, len(keysAndValues)/2)
-	for i := 0; i < len(keysAndValues); i += 2 {
-		key := keysAndValues[i]
-		value := keysAndValues[i+1]
+	for i := 1; i < len(keysAndValues); i += 2 {
+		key := keysAndValues[i-1]
+		value := keysAndValues[i]

 		// Ensure that the field is valid
 		// We do this by grabbing the default value
@@ -408,6 +408,7 @@ func (s *AppConfigService) loadDbConfigFromEnv(ctx context.Context, tx *gorm.DB)
 		if attrs == "sensitive" {
 			fileName := os.Getenv(envVarName + "_FILE")
 			if fileName != "" {
+				// #nosec G703 - Value is provided by admin
 				b, err := os.ReadFile(fileName)
 				if err != nil {
 					return nil, fmt.Errorf("failed to read secret '%s' from file '%s': %w", envVarName, fileName, err)
--- a/backend/internal/service/app_images_service_test.go
+++ b/backend/internal/service/app_images_service_test.go
@@ -104,7 +104,7 @@ func newFileHeader(t *testing.T, filename string, content []byte) *multipart.Fil

 	require.NoError(t, writer.Close())

-	req := httptest.NewRequest(http.MethodPost, "/", body)
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/", body)
 	req.Header.Set("Content-Type", writer.FormDataContentType())

 	_, fileHeader, err := req.FormFile("file")
--- a/backend/internal/service/audit_log_service.go
+++ b/backend/internal/service/audit_log_service.go
@@ -92,7 +92,7 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddres

 	// If the user hasn't logged in from the same device before and email notifications are enabled, send an email
 	if s.appConfigService.GetDbConfig().EmailLoginNotificationEnabled.IsTrue() && count <= 1 {
-		// We use a background context here as this is running in a goroutine
+		// #nosec G118 - We use a background context here as this is running in a goroutine
 		//nolint:contextcheck
 		go func() {
 			span := trace.SpanFromContext(ctx)
--- a/backend/internal/service/one_time_access_service.go
+++ b/backend/internal/service/one_time_access_service.go
@@ -97,7 +97,7 @@ func (s *OneTimeAccessService) requestOneTimeAccessEmailInternal(ctx context.Con
 		return nil, err
 	}

-	// We use a background context here as this is running in a goroutine
+	// #nosec G118 - We use a background context here as this is running in a goroutine
 	//nolint:contextcheck
 	go func() {
 		span := trace.SpanFromContext(ctx)
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -136,7 +136,8 @@ func (s *UserService) GetProfilePicture(ctx context.Context, userID string) (io.

 	// Save the default picture for future use (in a goroutine to avoid blocking)
 	defaultPictureBytes := defaultPicture.Bytes()
-	//nolint:contextcheck
+	//#nosec G118 - We use a background context as this is running in background
+	// nolint:contextcheck
 	go func() {
 		// Use bytes.NewReader because we need an io.ReadSeeker
 		rErr := s.fileStorage.Save(context.Background(), defaultPicturePath, bytes.NewReader(defaultPictureBytes))
--- a/backend/internal/utils/callback_url_util_test.go
+++ b/backend/internal/utils/callback_url_util_test.go
@@ -35,7 +35,7 @@ func TestValidateCallbackURLPattern(t *testing.T) {
 		},
 		{
 			name:        "wildcard userinfo",
-			pattern:     "https://user:*@example.com/callback",
+			pattern:     "https://user:*@example.com/callback", // #nosec G101 - Test credential
 			shouldError: false,
 		},
 		{
--- a/backend/internal/utils/http_util_test.go
+++ b/backend/internal/utils/http_util_test.go
@@ -64,6 +64,7 @@ func TestBearerAuth(t *testing.T) {
 	}
 }

+// #nosec G101 - Test credentials
 func TestOAuthClientBasicAuth(t *testing.T) {
 	tests := []struct {
 		name                 string