chore: start linting in CI

Author: f0ssel

.github/workflows/ci.yml

@@ -7,6 +7,35 @@ on:
     branches: [ main ]
 
 jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: '1.25'
+        check-latest: true
+
+    - name: Cache Go modules
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Download and verify dependencies
+      run: make deps
+
+    - name: Run linting
+      run: make lint
+
   test:
     name: Test
     strategy:

boundary

@@ -9,6 +9,7 @@ import (
 
 // Version information injected at build time
 var (
+	//nolint:unused
 	version = "dev" // Set via -ldflags "-X main.version=v1.0.0"
 )
 

cmd/boundary/main.go

@@ -272,7 +272,7 @@ func (n *MacOSJail) setupPFRules() error {
 
 	// Enable PF if not already enabled
 	cmd = exec.Command("pfctl", "-E")
-	cmd.Run() // Ignore error as PF might already be enabled
+	_ = cmd.Run() // Ignore error as PF might already be enabled
 
 	// Create and load main ruleset that includes our anchor
 	mainRules := fmt.Sprintf(`# Temporary main ruleset to include boundary anchor
@@ -318,17 +318,17 @@ anchor "%s"
 func (n *MacOSJail) removePFRules() error {
 	// Flush the anchor
 	cmd := exec.Command("pfctl", "-a", pfAnchorName, "-F", "all")
-	cmd.Run() // Ignore errors during cleanup
+	_ = cmd.Run() // Ignore errors during cleanup
 
 	return nil
 }
 
 // cleanupTempFiles removes temporary rule files
 func (n *MacOSJail) cleanupTempFiles() {
 	if n.pfRulesPath != "" {
-		os.Remove(n.pfRulesPath)
+		_ = os.Remove(n.pfRulesPath)
 	}
 	if n.mainRulesPath != "" {
-		os.Remove(n.mainRulesPath)
+		_ = os.Remove(n.mainRulesPath)
 	}
 }

jail/macos.go

@@ -71,7 +71,7 @@ func (p *Server) Start(ctx context.Context) error {
 			if err != nil {
 				select {
 				case <-ctx.Done():
-					listener.Close()
+					_ = listener.Close()
 					return
 				default:
 					p.logger.Error("Failed to accept connection", "error", err)
@@ -194,7 +194,7 @@ func (p *Server) forwardRequest(w http.ResponseWriter, r *http.Request, https bo
 		http.Error(w, fmt.Sprintf("Failed to make request: %v", err), http.StatusBadGateway)
 		return
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	p.logger.Debug("Received response", "status", resp.StatusCode, "target", targetURL.String())
 
@@ -238,7 +238,7 @@ func (p *Server) writeBlockedResponse(w http.ResponseWriter, r *http.Request) {
 		host = r.Host
 	}
 
-	fmt.Fprintf(w, `🚫 Request Blocked by Boundary
+	_, _ = fmt.Fprintf(w, `🚫 Request Blocked by Boundary
 
 Request: %s %s
 Host: %s
@@ -290,7 +290,7 @@ func (p *Server) handleConnect(w http.ResponseWriter, r *http.Request) {
 		p.logger.Error("Failed to hijack connection", "error", err)
 		return
 	}
-	defer conn.Close()
+	defer func() { _ = conn.Close() }()
 
 	// Send 200 Connection established response manually
 	_, err = conn.Write([]byte("HTTP/1.1 200 Connection established\r\n\r\n"))
@@ -416,7 +416,7 @@ func (p *Server) handleDecryptedHTTPS(w http.ResponseWriter, r *http.Request) {
 
 // handleConnectionWithTLSDetection detects TLS vs HTTP and handles appropriately
 func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) {
-	defer conn.Close()
+	defer func() { _ = conn.Close() }()
 
 	// Peek at first byte to detect protocol
 	buf := make([]byte, 1)
@@ -442,15 +442,15 @@ func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) {
 		p.logger.Debug("TLS handshake successful")
 		// Use HTTP server with TLS connection
 		listener := newSingleConnectionListener(tlsConn)
-		defer listener.Close()
+		defer func() { _ = listener.Close() }()
 		err = http.Serve(listener, http.HandlerFunc(p.handleDecryptedHTTPS))
 		p.logger.Debug("http.Serve completed for HTTPS", "error", err)
 	} else {
 		p.logger.Debug("Detected HTTP request, handling normally")
 		// Use HTTP server with regular connection
 		p.logger.Debug("About to call http.Serve for HTTP connection")
 		listener := newSingleConnectionListener(connWrapper)
-		defer listener.Close()
+		defer func() { _ = listener.Close() }()
 		err = http.Serve(listener, http.HandlerFunc(p.handleHTTP))
 		p.logger.Debug("http.Serve completed", "error", err)
 	}
@@ -519,7 +519,7 @@ func (sl *singleConnectionListener) Close() error {
 	}
 
 	if sl.conn != nil {
-		sl.conn.Close()
+		_ = sl.conn.Close()
 		sl.conn = nil
 	}
 	return nil
@@ -613,9 +613,9 @@ func (p *Server) constructFullURL(req *http.Request, hostname string) string {
 
 // writeBlockedResponseStreaming writes a blocked response directly to the TLS connection
 func (p *Server) writeBlockedResponseStreaming(tlsConn *tls.Conn, req *http.Request) {
-	response := fmt.Sprintf("HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n🚫 Request Blocked by Boundary\n\nRequest: %s %s\nHost: %s\n\nTo allow this request, restart boundary with:\n  --allow \"%s\"\n", 
+	response := fmt.Sprintf("HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\n🚫 Request Blocked by Boundary\n\nRequest: %s %s\nHost: %s\n\nTo allow this request, restart boundary with:\n  --allow \"%s\"\n",
 		req.Method, req.URL.Path, req.Host, req.Host)
-	tlsConn.Write([]byte(response))
+	_, _ = tlsConn.Write([]byte(response))
 }
 
 // streamRequestToTarget streams the HTTP request (including body) to the target server
@@ -625,29 +625,29 @@ func (p *Server) streamRequestToTarget(clientConn *tls.Conn, bufReader *bufio.Re
 	if err != nil {
 		return fmt.Errorf("failed to connect to target %s: %v", hostname, err)
 	}
-	defer targetConn.Close()
+	defer func() { _ = targetConn.Close() }()
 
 	// Send HTTP request headers to target
 	reqLine := fmt.Sprintf("%s %s %s\r\n", req.Method, req.URL.RequestURI(), req.Proto)
-	targetConn.Write([]byte(reqLine))
+	_, _ = targetConn.Write([]byte(reqLine))
 
 	// Send headers
 	for name, values := range req.Header {
 		for _, value := range values {
 			headerLine := fmt.Sprintf("%s: %s\r\n", name, value)
-			targetConn.Write([]byte(headerLine))
+			_, _ = targetConn.Write([]byte(headerLine))
 		}
 	}
-	targetConn.Write([]byte("\r\n")) // End of headers
+	_, _ = targetConn.Write([]byte("\r\n")) // End of headers
 
 	// Stream request body and response bidirectionally
 	go func() {
 		// Stream request body: client -> target
-		io.Copy(targetConn, bufReader)
+		_, _ = io.Copy(targetConn, bufReader)
 	}()
 
 	// Stream response: target -> client
-	io.Copy(clientConn, targetConn)
+	_, _ = io.Copy(clientConn, targetConn)
 	return nil
 }
 
@@ -661,7 +661,7 @@ func (p *Server) handleConnectStreaming(tlsConn *tls.Conn, req *http.Request, ho
 
 	// Send CONNECT response
 	response := "HTTP/1.1 200 Connection established\r\n\r\n"
-	tlsConn.Write([]byte(response))
+	_, _ = tlsConn.Write([]byte(response))
 
 	// Now the client will try to do TLS handshake for the target server
 	// But we want to intercept and terminate it
@@ -676,9 +676,9 @@ func (p *Server) handleConnectStreaming(tlsConn *tls.Conn, req *http.Request, ho
 		p.logger.Error("Failed to connect to CONNECT target", "target", req.Host, "error", err)
 		return
 	}
-	defer targetConn.Close()
-	
+	defer func() { _ = targetConn.Close() }()
+
 	// Bidirectional copy
-	go io.Copy(targetConn, tlsConn)
-	io.Copy(tlsConn, targetConn)
+	go func() { _, _ = io.Copy(targetConn, tlsConn) }()
+	_, _ = io.Copy(tlsConn, targetConn)
 }

proxy/proxy.go

@@ -185,7 +185,7 @@ func newAllowRule(spec string) (Rule, error) {
 		right := strings.TrimSpace(s[idx:])
 		// methods part is valid if it only contains letters and commas
 		valid := left != "" && strings.IndexFunc(left, func(r rune) bool {
-			return !(r == ',' || (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z'))
+			return r != ',' && (r < 'A' || r > 'Z') && (r < 'a' || r > 'z')
 		}) == -1
 		if valid {
 			methods = make(map[string]bool)

rules/rules.go

@@ -229,9 +229,9 @@ func (cm *CertificateManager) generateCA(keyPath, certPath string) error {
 	if err != nil {
 		return fmt.Errorf("failed to create key file: %v", err)
 	}
-	defer keyFile.Close()
+	defer func() { _ = keyFile.Close() }()
 
-	pem.Encode(keyFile, &pem.Block{
+	_ = pem.Encode(keyFile, &pem.Block{
 		Type:  "RSA PRIVATE KEY",
 		Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
 	})
@@ -241,9 +241,9 @@ func (cm *CertificateManager) generateCA(keyPath, certPath string) error {
 	if err != nil {
 		return fmt.Errorf("failed to create cert file: %v", err)
 	}
-	defer certFile.Close()
+	defer func() { _ = certFile.Close() }()
 
-	pem.Encode(certFile, &pem.Block{
+	_ = pem.Encode(certFile, &pem.Block{
 		Type:  "CERTIFICATE",
 		Bytes: certDER,
 	})