Enable stricter linting

.github/workflows/ccm-integration-tests.yml

@@ -19,7 +19,7 @@ permissions:
   contents: read
 
 env:
-  GO_VERSION: 1.22
+  GO_VERSION: 1.24
 
 jobs:
   lint:
@@ -28,6 +28,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - uses: actions/setup-go@v5
         with:
           go-version: '${{ env.GO_VERSION }}'
@@ -40,11 +43,8 @@ jobs:
             ~/.cache/go-build
           key: lint-${{ hashFiles('go.mod') }}
 
-      - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.55.2
-
-      - name: Install staticcheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@2023.1.6
+      - name: Install go tools
+        run: go mod tidy -modfile tool.mod
 
       - name: Run Linter
         run: make lint
@@ -63,6 +63,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - uses: actions/setup-go@v5
         with:
           go-version: '${{ env.GO_VERSION }}'
@@ -76,6 +79,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Generate Test Matrix"
         id: list
@@ -90,6 +95,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Evaluate image name
         run: 'helpers/image-from-ref >> $GITHUB_ENV'
@@ -147,6 +154,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Load image
         uses: actions/download-artifact@v4
@@ -182,3 +191,28 @@ jobs:
       - name: Destroy Test Cluster
         if: always()
         run: helpers/cleanup
+
+  validate-workflows:
+    name: Validate GitHub Workflows
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Check Workflows
+        run: |
+          python -m pip install zizmor --root-user-action=ignore
+          zizmor .github/workflows/*
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.golangci.yml

@@ -1,27 +1,60 @@
+version: "2"
+
 linters:
-  disable-all: true
+  default: all
+  disable:
+    - cyclop
+    - depguard
+    - err113
+    - exhaustruct
+    - forbidigo
+    - forcetypeassert
+    - funlen
+    - gochecknoinits
+    - gocognit
+    - goconst
+    - gocyclo
+    - gomoddirectives
+    - ireturn
+    - maintidx
+    - mnd
+    - nestif
+    - nilnil
+    - noctx
+    - nonamedreturns
+    - revive
+    - testifylint
+    - testpackage
+    - varnamelen
+    - usestdlibvars
+    - whitespace
+    - wsl
+  settings:
+    lll:
+      line-length: 80
+      tab-width: 4
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - lll
+        source: .+LoadBalancer|// http(s)://
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+
+formatters:
   enable:
-    - errcheck
-    - exportloopref
-    - gocritic
     - gofmt
-    - gosimple
-    - govet
-    - ineffassign
-    - lll
-    - makezero
-    - staticcheck
-    - unparam
-    - unused
-    - wrapcheck
-
-linters-settings:
-  lll:
-    line-length: 80
-    tab-width: 4
-
-issues:
-  exclude-rules:
-    - linters:
-      - lll
-      source: ".+LoadBalancer|// http(s)://"
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22-alpine AS build
+FROM golang:1.24-alpine AS build
 ARG VERSION
 
 RUN apk add --no-cache git

Makefile

@@ -5,8 +5,8 @@ build:
 		cmd/cloudscale-cloud-controller-manager/main.go
 
 lint:
-	golangci-lint run --timeout=10m
-	staticcheck ./...
+	go tool -modfile tool.mod golangci-lint run --timeout=10m --show-stats=false
+	go tool -modfile tool.mod staticcheck ./...
 
 test:
 	go test -race -v \

go.mod

@@ -1,6 +1,6 @@
 module github.com/cloudscale-ch/cloudscale-cloud-controller-manager
 
-go 1.22
+go 1.24
 
 // https://github.com/kubernetes/apiserver/issues/97
 replace github.com/google/cel-go => github.com/google/cel-go v0.17.7
@@ -18,8 +18,8 @@ require (
 	github.com/cloudscale-ch/cloudscale-go-sdk/v4 v4.0.0
 	github.com/google/uuid v1.5.0
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc
 	k8s.io/client-go v0.29.0
+	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 )
 
 require (
@@ -86,6 +86,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc // indirect
 	golang.org/x/net v0.19.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
@@ -107,7 +108,6 @@ require (
 	k8s.io/controller-manager v0.29.0 // indirect
 	k8s.io/kms v0.29.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 // indirect
-	k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect

pkg/cloudscale_ccm/cloud.go

@@ -19,41 +19,45 @@ import (
 
 const (
 	// Under no circumstances can this string change. It is for eternity.
-	ProviderName   = "cloudscale"
+	ProviderName = "cloudscale"
+
+	// #nosec G101
 	AccessToken    = "CLOUDSCALE_ACCESS_TOKEN"
 	ApiUrl         = "CLOUDSCALE_API_URL"
 	ApiTimeout     = "CLOUDSCALE_API_TIMEOUT"
 	DefaultTimeout = time.Duration(20) * time.Second
 )
 
-// cloud implements cloudprovider.Interface
+// cloud implements cloudprovider.Interface.
 type cloud struct {
 	instances    *instances
 	loadbalancer *loadbalancer
 }
 
-// Register this provider with Kubernetes
+// Register this provider with Kubernetes.
 func init() {
 	cloudprovider.RegisterCloudProvider(ProviderName, newCloudscaleProvider)
 }
 
-// maskAccessToken returns the given token with most of the information hidden
+// maskAccessToken returns the given token with most of the information hidden.
 func maskAccessToken(token string) string {
 	if len(token) < 4 {
 		return ""
 	}
+
 	return fmt.Sprintf("%.4s%s", token, strings.Repeat("*", len(token)-4))
 }
 
-// apiTimeout returns the configured timeout or the default one
+// apiTimeout returns the configured timeout or the default one.
 func apiTimeout() time.Duration {
 	if seconds, _ := strconv.Atoi(os.Getenv(ApiTimeout)); seconds > 0 {
 		return time.Duration(seconds) * time.Second
 	}
+
 	return DefaultTimeout
 }
 
-// newCloudscaleProvider creates the provider, ready to be registered
+// newCloudscaleProvider creates the provider, ready to be registered.
 func newCloudscaleProvider(config io.Reader) (cloudprovider.Interface, error) {
 	if config != nil {
 		klog.Warning("--cloud-config received but ignored")
@@ -77,7 +81,7 @@ func newCloudscaleProvider(config io.Reader) (cloudprovider.Interface, error) {
 	}, nil
 }
 
-// newCloudscaleClient spawns a new cloudscale API client
+// newCloudscaleClient spawns a new cloudscale API client.
 func newCloudscaleClient(
 	token string, timeout time.Duration) *cloudscale.Client {
 
@@ -159,7 +163,7 @@ func (c *cloud) ProviderName() string {
 	return ProviderName
 }
 
-// HasClusterID returns true if a ClusterID is required and set
+// HasClusterID returns true if a ClusterID is required and set.
 func (c *cloud) HasClusterID() bool {
 	return false
 }

pkg/cloudscale_ccm/cloud_test.go

@@ -2,7 +2,6 @@ package cloudscale_ccm
 
 import (
 	"errors"
-	"os"
 	"testing"
 	"testing/iotest"
 	"time"
@@ -11,6 +10,7 @@ import (
 )
 
 func TestMaskAccessToken(t *testing.T) {
+	t.Parallel()
 
 	assertMasked := func(input string, expected string) {
 		assert.Equal(t, expected, maskAccessToken(input))
@@ -24,32 +24,38 @@ func TestMaskAccessToken(t *testing.T) {
 }
 
 func TestNewCloudscaleProviderWithoutToken(t *testing.T) {
+	t.Parallel()
+
 	if _, err := newCloudscaleProvider(nil); err == nil {
 		t.Error("no token in env: newCloudscaleProvider should have failed")
 	}
 }
 
 func TestNewCloudscaleProviderWithToken(t *testing.T) {
-	os.Setenv(AccessToken, "1234")
+	t.Setenv(AccessToken, "1234")
 	if _, err := newCloudscaleProvider(nil); err != nil {
 		t.Error("newCloudscaleProvider should initialize with just a token")
 	}
 }
 
 func TestNewCloudscaleProviderWithBadConfig(t *testing.T) {
+	t.Setenv(AccessToken, "1234")
+
 	cfg := iotest.ErrReader(errors.New("bad config"))
 	if _, err := newCloudscaleProvider(cfg); err != nil {
 		t.Error("newCloudscaleProvider should ignore the config file")
 	}
 }
 
 func TestDefaultTimeout(t *testing.T) {
+	t.Parallel()
+
 	timeout := apiTimeout()
 	assert.Equal(t, timeout, 20*time.Second)
 }
 
 func TestCustomTimeout(t *testing.T) {
-	os.Setenv(ApiTimeout, "5")
+	t.Setenv(ApiTimeout, "5")
 	timeout := apiTimeout()
 	assert.Equal(t, timeout, 5*time.Second)
 }

pkg/cloudscale_ccm/instances.go

@@ -44,6 +44,7 @@ func (i *instances) InstanceExists(ctx context.Context, node *v1.Node) (
 			"Node", node.Name,
 			"ProviderID", node.Spec.ProviderID,
 		)
+
 		return false, nil
 	}
 
@@ -52,6 +53,7 @@ func (i *instances) InstanceExists(ctx context.Context, node *v1.Node) (
 		"Node", node.Name,
 		"ProviderID", node.Spec.ProviderID,
 	)
+
 	return true, nil
 }
 
@@ -77,6 +79,7 @@ func (i *instances) InstanceShutdown(ctx context.Context, node *v1.Node) (
 		"ProviderID", node.Spec.ProviderID,
 		"Server.Status", server.Status,
 	)
+
 	return server.Status == "stopped", nil
 }