Audit some command executions and tell the linter that they're OK

Author: mhagger

git/git.go

@@ -101,6 +101,8 @@ func NewRepository(path string) (*Repository, error) {
 		)
 	}
 
+	//nolint:gosec // `gitBin` is chosen carefully, and `path` is the
+	// path to the repository.
 	cmd := exec.Command(gitBin, "-C", path, "rev-parse", "--git-dir")
 	out, err := cmd.Output()
 	if err != nil {
@@ -119,6 +121,7 @@ func NewRepository(path string) (*Repository, error) {
 	}
 	gitDir := smartJoin(path, string(bytes.TrimSpace(out)))
 
+	//nolint:gosec // `gitBin` is chosen carefully.
 	cmd = exec.Command(gitBin, "rev-parse", "--git-path", "shallow")
 	cmd.Dir = gitDir
 	out, err = cmd.Output()
@@ -152,6 +155,8 @@ func (repo *Repository) gitCommand(callerArgs ...string) *exec.Cmd {
 
 	args = append(args, callerArgs...)
 
+	//nolint:gosec // `gitBin` is chosen carefully, and the rest of
+	// the args have been checked.
 	cmd := exec.Command(repo.gitBin, args...)
 
 	cmd.Env = append(

internal/testutils/repoutils.go

@@ -49,8 +49,10 @@ func (repo *TestRepo) Init(t *testing.T, bare bool) {
 	// exist yet:
 	var cmd *exec.Cmd
 	if bare {
+		//nolint:gosec // `repo.Path` is a path that we created.
 		cmd = exec.Command("git", "init", "--bare", repo.Path)
 	} else {
+		//nolint:gosec // `repo.Path` is a path that we created.
 		cmd = exec.Command("git", "init", repo.Path)
 	}
 	cmd.Env = CleanGitEnv()
@@ -143,6 +145,8 @@ func (repo *TestRepo) GitCommand(t *testing.T, args ...string) *exec.Cmd {
 
 	gitArgs := []string{"-C", repo.Path}
 	gitArgs = append(gitArgs, args...)
+
+	//nolint:gosec // The args all come from the test code.
 	cmd := exec.Command("git", gitArgs...)
 	cmd.Env = CleanGitEnv()
 	return cmd