upgrade go to 1.22 / general housekeeping and lint fixes

.github/dependabot.yml

@@ -8,9 +8,18 @@ updates:
     schedule:
       interval: "daily"
     open-pull-requests-limit: 10
+    groups:
+      all:
+        update-types:
+          - "minor"
+          - "patch"
 
   - package-ecosystem: gomod
     directory: "/"
     schedule:
       interval: "daily"
     open-pull-requests-limit: 10
+    groups:
+      all:
+        update-types:
+          - "patch"

.github/workflows/ci-build-test.yaml

@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
         with:
-          go-version: '1.21'
+          go-version: '1.22'
           check-latest: true
           cache: true
 
@@ -35,7 +35,7 @@ jobs:
 
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
         with:
-          go-version: '1.21'
+          go-version: '1.22'
           check-latest: true
           cache: true
 

.github/workflows/release.yaml

@@ -26,7 +26,7 @@ jobs:
 
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v3.3.0
         with:
-          go-version: '1.21'
+          go-version: '1.22'
           check-latest: true
 
       - name: Install cosign

.github/workflows/snapshot.yaml

@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: '1.21'
+          go-version: '1.22'
           check-latest: true
 
       - name: Install GoReleaser

.github/workflows/verify.yaml

@@ -19,11 +19,11 @@ jobs:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v3
         with:
-          go-version: '1.21'
+          go-version: '1.22'
           check-latest: true
           cache: true
       - name: golangci-lint
         uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
         with:
-          version: v1.55
+          version: v1.57
           args: --timeout=5m

.golangci.yml

@@ -1,7 +1,9 @@
+# Copyright 2023 The OpenVEX Authors
+# SPDX-License-Identifier: Apache-2.0
+
 ---
 run:
   concurrency: 6
-  deadline: 5m
 issues:
   exclude-rules:
     # counterfeiter fakes are usually named 'fake_<something>.go'
@@ -98,22 +100,8 @@ linters-settings:
   gocritic:
     enabled-checks:
       # Diagnostic
-      - appendAssign
-      - argOrder
-      - badCond
-      - caseOrder
-      - codegenComment
       - commentedOutCode
-      - deprecatedComment
-      - dupArg
-      - dupBranchBody
-      - dupCase
-      - dupSubExpr
-      - exitAfterDefer
-      - flagDeref
-      - flagName
       - nilValReturn
-      - offBy1
       - sloppyReassign
       - weakCond
       - octalLiteral
@@ -127,31 +115,16 @@ linters-settings:
       - rangeValCopy
 
       # Style
-      - assignOp
       - boolExprSimplify
-      - captLocal
-      - commentFormatting
       - commentedOutImport
-      - defaultCaseOrder
       - docStub
-      - elseif
       - emptyFallthrough
       - emptyStringTest
       - hexLiteral
       - methodExprCall
-      - regexpMust
-      - singleCaseSwitch
-      - sloppyLen
       - stringXbytes
-      - switchTrue
       - typeAssertChain
-      - typeSwitchVar
-      - underef
       - unlabelStmt
-      - unlambda
-      - unslice
-      - valSwap
-      - wrapperFunc
       - yodaStyleExpr
       # - ifElseChain
 

Makefile

@@ -1,5 +1,6 @@
 # Copyright 2022 The OpenVEX Authors
 # SPDX-License-Identifier: Apache-2.0
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin

go.mod

@@ -1,6 +1,6 @@
 module github.com/openvex/vexctl
 
-go 1.21
+go 1.22
 
 require (
 	github.com/google/go-containerregistry v0.19.1

internal/cmd/add.go

@@ -92,7 +92,7 @@ to preserve the original file, specify it using the --file flag:
 		SilenceUsage:      false,
 		SilenceErrors:     true,
 		PersistentPreRunE: initLogging,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, args []string) error {
 			// If we have arguments, add them
 			for i := range args {
 				switch i {

internal/cmd/create.go

@@ -82,7 +82,7 @@ Examples:
 		SilenceUsage:      false,
 		SilenceErrors:     true,
 		PersistentPreRunE: initLogging,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, args []string) error {
 			// If we have arguments, add them
 			for i := range args {
 				switch i {

internal/cmd/generate.go

@@ -151,7 +151,7 @@ using its canonicalization hash.
 		SilenceUsage:      false,
 		SilenceErrors:     true,
 		PersistentPreRunE: initLogging,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, args []string) error {
 			if len(args) > 0 {
 				if opts.Product != "" && opts.Product != args[0] {
 					return errors.New("product can only be specified once")

internal/cmd/list.go

@@ -36,7 +36,7 @@ Examples:
 		SilenceUsage:      false,
 		SilenceErrors:     false,
 		PersistentPreRunE: initLogging,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, args []string) error {
 			if len(args) == 0 {
 				return fmt.Errorf("selection of 'status' or 'justification' is required")
 			}

internal/cmd/merge.go

@@ -62,7 +62,7 @@ Examples:
 		SilenceUsage:      false,
 		SilenceErrors:     false,
 		PersistentPreRunE: initLogging,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, args []string) error {
 			vexctl := ctl.New()
 
 			// TODO(puerco): Change this to vex merge options when we move

internal/cmd/options_test.go

@@ -131,7 +131,7 @@ func TestAddOptionsValidate(t *testing.T) {
 	}{
 		{
 			name:    "no-error",
-			prepare: func(ao *addOptions) {},
+			prepare: func(_ *addOptions) {},
 			sut: &addOptions{
 				vexStatementOptions: stubOpts,
 				documentPath:        filepath.Join(d, "openvex.test"),
@@ -141,7 +141,7 @@ func TestAddOptionsValidate(t *testing.T) {
 		},
 		{
 			name:    "inplace-and-outfile",
-			prepare: func(ao *addOptions) {},
+			prepare: func(_ *addOptions) {},
 			sut: &addOptions{
 				vexStatementOptions: stubOpts,
 				outFileOption: outFileOption{

pkg/ctl/implementation.go

@@ -538,8 +538,9 @@ func (impl *defaultVexCtlImplementation) NormalizeProducts(subjects []productRef
 		if pref.Hashes == nil {
 			pref.Hashes = make(map[vex.Algorithm]vex.Hash)
 		}
-		if strings.HasPrefix(pref.Name, "pkg:oci/") ||
-			strings.HasPrefix(pref.Name, "pkg:/oci/") { // Some buggy tools add this wrong slash
+		switch {
+		case strings.HasPrefix(pref.Name, "pkg:/oci/"),
+			strings.HasPrefix(pref.Name, "pkg:oci/"):
 			// Deduct image purls to the reference as much as possible
 			p, err := purl.FromString(pref.Name)
 			if err != nil {
@@ -577,15 +578,15 @@ func (impl *defaultVexCtlImplementation) NormalizeProducts(subjects []productRef
 			pref.Name = ref
 			logrus.Debugf("%s is a purl for %s", pref.Name, ref)
 			imageRefs = append(imageRefs, pref)
-		} else if strings.HasPrefix(pref.Name, "pkg:") {
+		case strings.HasPrefix(pref.Name, "pkg:"):
 			// When there are other purls, we only attest them as subjects if
 			// the product reference has hashes
 			if pref.Hashes != nil && len(pref.Hashes) > 0 {
 				otherRefs = append(otherRefs, pref)
 			} else {
 				unattestableRefs = append(unattestableRefs, pref)
 			}
-		} else {
+		default:
 			// If not,try to parse the string as an image reference. If they can
 			// be parsed as image references but they cannot be looked up, attestting
 			// will fail trying to fetch their digests.

pkg/ctl/implementation_test.go

@@ -388,7 +388,7 @@ func TestInitTemplatesDir(t *testing.T) {
 	}{
 		{
 			name:      "normal",
-			prepare:   func(s string) {},
+			prepare:   func(_ string) {},
 			shouldErr: false,
 		},
 		{