Bump golanglint-ci to 1.60.3

.golangci.yaml

@@ -20,7 +20,6 @@ linters:
     # - depguard
     - dogsled
     - exhaustive
-    - exportloopref
     - funlen
     - gochecknoglobals
     - gochecknoinits
@@ -39,7 +38,6 @@ linters:
     - nolintlint
     - prealloc
     - rowserrcheck
-    - exportloopref
     - sqlclosecheck
     - unconvert
     - whitespace

cmd/pinniped/cmd/kubeconfig.go

@@ -745,7 +745,7 @@ func validateKubeconfig(ctx context.Context, flags getKubeconfigParams, kubeconf
 func countCACerts(pemData []byte) int {
 	pool := x509.NewCertPool()
 	pool.AppendCertsFromPEM(pemData)
-	return len(pool.Subjects())
+	return len(pool.Subjects()) //nolint:staticcheck // there's no other clear way to mimic this legacy behavior
 }
 
 func hasPendingStrategy(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer) bool {

hack/lib/lint-version.txt

@@ -1 +1 @@
-1.60.1
+1.60.3

internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go

@@ -146,6 +146,7 @@ func (c *oidcClientWatcherController) updateStatus(
 		updated.Status.Phase = supervisorconfigv1alpha1.OIDCClientPhaseError
 	}
 
+	//nolint:gosec // looks like we are willing to accept the risk that there are less than 2147483647 dynamic clients
 	updated.Status.TotalClientSecrets = int32(totalClientSecrets)
 
 	if equality.Semantic.DeepEqual(upstream, updated) {

internal/endpointaddr/endpointaddr.go

@@ -71,7 +71,10 @@ func Parse(endpoint string, defaultPort uint16) (HostPort, error) {
 		return HostPort{}, fmt.Errorf("host %q is not a valid hostname or IP address", host)
 	}
 
-	return HostPort{Host: host, Port: uint16(integerPort)}, nil
+	return HostPort{
+		Host: host,
+		Port: uint16(integerPort), //nolint:gosec // this cast is checked by validation.IsValidPortNum above
+	}, nil
 }
 
 // ParseFromURL wraps Parse but specifically takes a url.URL instead of an endpoint string.

internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml.go

@@ -1,4 +1,4 @@
-// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package chooseidphtml
@@ -28,8 +28,8 @@ var (
 
 	// Parse the Go templated HTML and inject functions providing the minified inline CSS and JS.
 	parsedHTMLTemplate = template.Must(template.New("choose_idp.gohtml").Funcs(template.FuncMap{
-		"minifiedCSS": func() template.CSS { return template.CSS(CSS()) },
-		"minifiedJS":  func() template.JS { return template.JS(JS()) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
+		"minifiedCSS": func() template.CSS { return template.CSS(CSS()) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
+		"minifiedJS":  func() template.JS { return template.JS(JS()) },    //nolint:gosec // This is 100% static input, not attacker-controlled.
 	}).Parse(rawHTMLTemplate))
 
 	// Generate the CSP header value once since it's effectively constant.

internal/federationdomain/endpoints/login/loginhtml/loginhtml.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package loginhtml defines HTML templates used by the Supervisor.
@@ -25,7 +25,7 @@ var (
 
 	// Parse the Go templated HTML and inject functions providing the minified inline CSS and JS.
 	parsedHTMLTemplate = template.Must(template.New("login_form.gohtml").Funcs(template.FuncMap{
-		"minifiedCSS": func() template.CSS { return template.CSS(CSS()) },
+		"minifiedCSS": func() template.CSS { return template.CSS(CSS()) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
 	}).Parse(rawHTMLTemplate))
 
 	// Generate the CSP header value once since it's effectively constant.

internal/federationdomain/formposthtml/formposthtml.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package formposthtml defines HTML templates used by the Supervisor.
@@ -29,8 +29,8 @@ var (
 
 	// Parse the Go templated HTML and inject functions providing the minified inline CSS and JS.
 	parsedHTMLTemplate = template.Must(template.New("form_post.gohtml").Funcs(template.FuncMap{
-		"minifiedCSS": func() template.CSS { return template.CSS(minifiedCSS) },
-		"minifiedJS":  func() template.JS { return template.JS(minifiedJS) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
+		"minifiedCSS": func() template.CSS { return template.CSS(minifiedCSS) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
+		"minifiedJS":  func() template.JS { return template.JS(minifiedJS) },    //nolint:gosec // This is 100% static input, not attacker-controlled.
 	}).Parse(rawHTMLTemplate))
 
 	// Generate the CSP header value once since it's effectively constant.

internal/net/phttp/warning.go

@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package phttp
@@ -40,6 +40,7 @@ func getWarningHandler() rest.WarningHandler {
 	// the client-go rest.WarningHandlers all log warnings with non-empty message and code=299, agent is ignored
 
 	// no deduplication or color output when running from a non-terminal such as a pod
+	//nolint:gosec // this is an int, cast to uintptr, cast back to int
 	if isTerm := term.IsTerminal(int(os.Stderr.Fd())); !isTerm {
 		return rest.WarningLogger{}
 	}

internal/plog/config.go

@@ -57,6 +57,7 @@ func ValidateAndSetLogLevelAndFormatGlobally(ctx context.Context, spec LogSpec)
 	if _, err := logs.GlogSetter(strconv.Itoa(int(klogLevel))); err != nil {
 		panic(err) // programmer error
 	}
+	//nolint:gosec // the range for klogLevel is [0,108]
 	globalLevel.SetLevel(zapcore.Level(-klogLevel)) // klog levels are inverted when zap handles them
 
 	var encoding string

internal/plog/level.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package plog
@@ -45,6 +45,7 @@ func Enabled(level LogLevel) bool {
 	l := klogLevelForPlogLevel(level)
 	// check that both our global level and the klog global level agree that the plog level is enabled
 	// klog levels are inverted when zap handles them
+	//nolint:gosec // the range for klogLevel is [0,108]
 	return globalLevel.Enabled(zapcore.Level(-l)) && klog.V(l).Enabled()
 }
 

internal/testutil/totp/totp.go

@@ -80,7 +80,7 @@ func GenerateOTPCode(t *testing.T, token string, when time.Time) (string, int64)
 		((int(sum[offset+2] & mask3)) << shift8) |
 		(int(sum[offset+3]) & mask3))
 
-	modulo := int32(value % int64(math.Pow10(length)))
+	modulo := int32(value % int64(math.Pow10(length))) //nolint:gosec // the resulting number must be less than 10^6
 
 	format := fmt.Sprintf("%%0%dd", length)
 

internal/upstreamoidc/upstreamoidc_test.go

@@ -1461,7 +1461,7 @@ func forceUserInfoWithClaims(subject string, claims string) *coreosoidc.UserInfo
 
 	// this is some dark magic to set a private field
 	claimsField := reflect.ValueOf(userInfo).Elem().FieldByName("claims")
-	claimsPointer := (*[]byte)(unsafe.Pointer(claimsField.UnsafeAddr()))
+	claimsPointer := (*[]byte)(unsafe.Pointer(claimsField.UnsafeAddr())) //nolint:gosec // this is a test hack we are willing to live with
 	*claimsPointer = []byte(claims)
 
 	return userInfo

pkg/oidcclient/login.go

@@ -75,7 +75,7 @@ const (
 )
 
 // stdin returns the file descriptor for stdin as an int.
-func stdin() int { return int(os.Stdin.Fd()) }
+func stdin() int { return int(os.Stdin.Fd()) } //nolint:gosec // this is an int, cast to uintptr, cast back to int
 
 type handlerState struct {
 	// Basic parameters.

test/integration/limited_ciphers_utils_test.go

@@ -114,7 +114,7 @@ func expectTLSConfigForServicePort(
 ) {
 	portAsInt, err := strconv.Atoi(localPortAsStr)
 	require.NoError(t, err)
-	portAsUint := uint16(portAsInt) // okay to cast because it will only be legal port numbers
+	portAsUint := uint16(portAsInt) //nolint:gosec // okay to cast because it will only be legal port numbers
 
 	startKubectlPortForward(ctx, t, localPortAsStr, "443", serviceName, serviceNamespace)
 
@@ -193,7 +193,7 @@ func restartAllPodsOfApp(
 
 	// Scale down the deployment's number of replicas to 0, which will shut down all the pods.
 	originalScale := updateDeploymentScale(t, namespace, appName, 0)
-	require.Greater(t, originalScale, 0)
+	require.Greater(t, int(originalScale), 0)
 
 	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		newPods := getRunningPodsByNamePrefix(t, namespace, appName+"-", ignorePodsWithNameSubstring)
@@ -205,7 +205,7 @@ func restartAllPodsOfApp(
 
 	testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 		newPods := getRunningPodsByNamePrefix(t, namespace, appName+"-", ignorePodsWithNameSubstring)
-		requireEventually.Len(newPods, originalScale, "wanted %d pods", originalScale)
+		requireEventually.Equal(len(newPods), int(originalScale), "wanted %d pods", originalScale)
 		requireEventually.True(allPodsReady(newPods), "wanted all new pods to be ready")
 	}, 2*time.Minute, 200*time.Millisecond)
 }

test/integration/main_test.go

@@ -28,7 +28,7 @@ func TestMain(m *testing.M) {
 func splitIntegrationTestsIntoBuckets(m *testing.M) {
 	// this is some dark magic to set a private field
 	testsField := reflect.ValueOf(m).Elem().FieldByName("tests")
-	testsPointer := (*[]testing.InternalTest)(unsafe.Pointer(testsField.UnsafeAddr()))
+	testsPointer := (*[]testing.InternalTest)(unsafe.Pointer(testsField.UnsafeAddr())) //nolint:gosec // this is a test hack we are willing to live with
 
 	tests := *testsPointer
 

test/integration/pod_shutdown_test.go

@@ -97,7 +97,7 @@ func shutdownAllPodsOfApp(
 		var newPods []corev1.Pod
 		testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 			newPods = getRunningPodsByNamePrefix(t, namespace, appName+"-", ignorePodsWithNameSubstring)
-			requireEventually.Len(newPods, originalScale, "wanted pods to return to original scale")
+			requireEventually.Equal(len(newPods), int(originalScale), "wanted pods to return to original scale")
 			requireEventually.True(allPodsReady(newPods), "wanted all new pods to be ready")
 		}, 2*time.Minute, 200*time.Millisecond)
 
@@ -111,7 +111,7 @@ func shutdownAllPodsOfApp(
 
 	// Double check: the deployment's previous scale should have equaled the actual number of running pods from
 	// the start of the test (before we scaled down).
-	require.Equal(t, len(initialPods), originalScale)
+	require.Equal(t, len(initialPods), int(originalScale))
 
 	// Now that we have adjusted the scale to 0, the pods should go away.
 	// Our pods are intended to gracefully shut down within a few seconds, so fail unless it happens fairly quickly.
@@ -204,7 +204,7 @@ func isPodReady(pod corev1.Pod) bool {
 	return false
 }
 
-func updateDeploymentScale(t *testing.T, namespace string, deploymentName string, newScale int) int {
+func updateDeploymentScale(t *testing.T, namespace string, deploymentName string, newScale int32) int32 {
 	t.Helper()
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
@@ -214,13 +214,13 @@ func updateDeploymentScale(t *testing.T, namespace string, deploymentName string
 	require.NoError(t, err)
 
 	desiredScale := initialScale.DeepCopy()
-	desiredScale.Spec.Replicas = int32(newScale)
+	desiredScale.Spec.Replicas = newScale
 	updatedScale, err := client.AppsV1().Deployments(namespace).UpdateScale(ctx, deploymentName, desiredScale, metav1.UpdateOptions{})
 	require.NoError(t, err)
 	t.Logf("updated scale of Deployment %s/%s from %d to %d",
 		namespace, deploymentName, initialScale.Spec.Replicas, updatedScale.Spec.Replicas)
 
-	return int(initialScale.Spec.Replicas)
+	return initialScale.Spec.Replicas
 }
 
 func tailFollowPodLogs(t *testing.T, pod corev1.Pod) (chan struct{}, *bytes.Buffer) {