SEC-090: Automated trusted workflow pinning (2025-04-07) (#332)

* Result of tsccr-helper -log-level=info gha update -latest .github/

* golangci-lint migrate

* Un-flip tables

---------

Co-authored-by: hashicorp-tsccr[bot] <hashicorp-tsccr[bot]@users.noreply.github.com>
Co-authored-by: Baraa Basata <[email protected]>

Author: hashicorp-tsccr[bot]

.github/workflows/test.yml

@@ -21,13 +21,13 @@ jobs:
     timeout-minutes: 5
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+    - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
         go-version-file: 'go.mod'
       id: go
 
     - name: Run linters
-      uses: golangci/golangci-lint-action@4696ba8babb6127d732c3c6dde519db15edab9ea # v6.5.1
+      uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
       with:
         version: latest
 
@@ -55,7 +55,7 @@ jobs:
         terraform: ${{ fromJSON(vars.TF_VERSIONS_PROTOCOL_V5) }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
           go-version-file: 'go.mod'
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
@@ -86,7 +86,7 @@ jobs:
         terraform: ${{ fromJSON(vars.TF_VERSIONS_PROTOCOL_V6) }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
           go-version-file: 'go.mod'
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2

.golangci.yml

@@ -1,16 +1,11 @@
-issues:
-  max-issues-per-linter: 0
-  max-same-issues: 0
-
+version: "2"
 linters:
-  disable-all: true
+  default: none
   enable:
     - copyloopvar
     - durationcheck
     - errcheck
     - forcetypeassert
-    - gofmt
-    - gosimple
     - govet
     - ineffassign
     - makezero
@@ -22,7 +17,33 @@ linters:
     - unparam
     - unused
     - usetesting
-
-run:
-  # Prevent false positive timeouts in CI
-  timeout: 5m
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+  settings:
+    staticcheck:
+      checks:
+        - all
+        - '-QF1011' # could omit type *schema.Provider from declaration -- https://staticcheck.dev/docs/checks/#QF1011
+        - '-ST1003' # example: "const autoTFVarsJson should be autoTFVarsJSON" -- https://staticcheck.dev/docs/checks/#ST1003
+        - '-ST1005' # "error strings should not end with punctuation or newlines" -- https://staticcheck.dev/docs/checks/#ST1005
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - gofmt
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

internal/framework5provider/identity_resource_test.go

@@ -18,10 +18,8 @@ import (
 
 func TestIdentityResource(t *testing.T) {
 	resource.UnitTest(t, resource.TestCase{
-		// Latest alpha version that this JSON data is available in
-		// https://github.com/hashicorp/terraform/releases/tag/v1.12.0-alpha20250319
 		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
-			tfversion.SkipBelow(version.Must(version.NewVersion("1.12.0-alpha20250319"))),
+			tfversion.SkipBelow(version.Must(version.NewVersion("1.12.0-beta1"))),
 		},
 		ProtoV5ProviderFactories: map[string]func() (tfprotov5.ProviderServer, error){
 			"framework": providerserver.NewProtocol5WithError(New()),

internal/framework6provider/identity_resource_test.go

@@ -4,7 +4,6 @@
 package framework
 
 import (
-	"regexp"
 	"testing"
 
 	"github.com/hashicorp/go-version"
@@ -19,10 +18,8 @@ import (
 
 func TestIdentityResource(t *testing.T) {
 	resource.UnitTest(t, resource.TestCase{
-		// Latest alpha version that this JSON data is available in
-		// https://github.com/hashicorp/terraform/releases/tag/v1.12.0-alpha20250319
 		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
-			tfversion.SkipBelow(version.Must(version.NewVersion("1.12.0-alpha20250319"))),
+			tfversion.SkipBelow(version.Must(version.NewVersion("1.12.0-beta1"))),
 		},
 		ProtoV6ProviderFactories: map[string]func() (tfprotov6.ProviderServer, error){
 			"framework": providerserver.NewProtocol6WithError(New()),
@@ -38,11 +35,6 @@ func TestIdentityResource(t *testing.T) {
 						"name": knownvalue.StringExact("my name is john"),
 					}),
 				},
-				// TODO: This is definitely not the expected behavior, so this line should be removed once the next alpha of
-				// Terraform core is released with this bug fix: https://github.com/hashicorp/terraform/pull/36756
-				//
-				// (╯°□°)╯︵ ┻━┻ => ┬─┬ノ( º _ ºノ)
-				ExpectError: regexp.MustCompile(`!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!`),
 			},
 			{
 				Config: `resource "framework_identity" "test" {
@@ -59,11 +51,6 @@ func TestIdentityResource(t *testing.T) {
 						"name": knownvalue.StringExact("my name is john"), // doesn't get updated, since identity should not change.
 					}),
 				},
-				// TODO: This is definitely not the expected behavior, so this line should be removed once the next alpha of
-				// Terraform core is released with this bug fix: https://github.com/hashicorp/terraform/pull/36756
-				//
-				// (╯°□°)╯︵ ┻━┻ => ┬─┬ノ( º _ ºノ)
-				ExpectError: regexp.MustCompile(`!!!!!!!!!!!!!!!!!!!!!!!!!!! TERRAFORM CRASH !!!!!!!!!!!!!!!!!!!!!!!!!!!!`),
 			},
 		},
 	})