Switch to golangci lint v2, fix or suppress found warnings

.github/workflows/test.yml

@@ -11,47 +11,47 @@ on:
 jobs:
 
   lint:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@v6
         with:
-          go-version: 1.x # latest
-      - uses: actions/checkout@v4
-      - uses: golangci/golangci-lint-action@v6
+          go-version: stable
+      - uses: actions/checkout@v5
+      - uses: golangci/golangci-lint-action@v8
         with:
-          version: v1.61
+          version: v2.6
 
   commit:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # Only check commits on pull requests.
     if: github.event_name == 'pull_request'
     steps:
       - name: get pr commits
         id: 'get-pr-commits'
-        uses: tim-actions/get-pr-commits@v1.1.0
+        uses: tim-actions/get-pr-commits@v1.3.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: check subject line length
-        uses: tim-actions/[email protected].1
+        uses: tim-actions/[email protected].2
         with:
           commits: ${{ steps.get-pr-commits.outputs.commits }}
           pattern: '^.{0,72}(\n.*)*$'
           error: 'Subject too long (max 72)'
 
   test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.21.x, 1.22.x, 1.23.x]
+        go-version: [1.21.x, oldstable, stable]
         race: ["-race", ""]
 
     steps:
     - name: checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: install go ${{ matrix.go-version }}
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version: ${{ matrix.go-version }}
     - name: build

.golangci.yml

@@ -1,5 +1,15 @@
-# For documentation, see https://golangci-lint.run/usage/configuration/
+version: "2"
+
+formatters:
+  enable:
+    - gofmt
 
 linters:
   disable:
     - errcheck
+  settings:
+    staticcheck:
+      checks:
+        - all # Enable all checks, except...
+        - -ST1005 # https://staticcheck.dev/docs/checks/#ST1005 Incorrectly formatted error string.
+        - -ST1000 # https://staticcheck.dev/docs/checks/#ST1000 Incorrect or missing package comment.

cgroups/cgroups.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
@@ -89,10 +90,8 @@ func GetSubsystemPath(pid int, subsystem string) (string, error) {
 			continue
 		}
 		subelems := strings.Split(elem[1], ",")
-		for _, subelem := range subelems {
-			if subelem == subsystem {
-				return elem[2], nil
-			}
+		if slices.Contains(subelems, subsystem) {
+			return elem[2], nil
 		}
 	}
 

cmd/runtimetest/main.go

@@ -236,13 +236,13 @@ func (c *complianceTester) validateLinuxProcess(spec *rspec.Spec) error {
 
 	args := bytes.Split(bytes.Trim(cmdlineBytes, "\x00"), []byte("\x00"))
 	c.harness.Ok(len(args) == len(spec.Process.Args), "has expected number of process arguments")
-	_ = c.harness.YAML(map[string]interface{}{
+	_ = c.harness.YAML(map[string]any{
 		"expected": spec.Process.Args,
 		"actual":   args,
 	})
 	for i, a := range args {
 		c.harness.Ok(string(a) == spec.Process.Args[i], fmt.Sprintf("has expected process argument %d", i))
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"index":    i,
 			"expected": spec.Process.Args[i],
 			"actual":   string(a),
@@ -362,7 +362,7 @@ func (c *complianceTester) validateRlimits(spec *rspec.Spec) error {
 		if err != nil {
 			return err
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":     rfcError.Level.String(),
 			"reference": rfcError.Reference,
 			"type":      r.Type,
@@ -374,7 +374,7 @@ func (c *complianceTester) validateRlimits(spec *rspec.Spec) error {
 		if err != nil {
 			return err
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":     rfcError.Level.String(),
 			"reference": rfcError.Reference,
 			"type":      r.Type,
@@ -392,7 +392,7 @@ func (c *complianceTester) validateSysctls(spec *rspec.Spec) error {
 	}
 
 	for k, v := range spec.Linux.Sysctl {
-		keyPath := filepath.Join("/proc/sys", strings.Replace(k, ".", "/", -1))
+		keyPath := filepath.Join("/proc/sys", strings.ReplaceAll(k, ".", "/"))
 		vBytes, err := os.ReadFile(keyPath)
 		if err != nil {
 			return err
@@ -454,9 +454,10 @@ func testFileReadAccess(path string) (readable bool, err error) {
 	defer f.Close()
 	b := make([]byte, 1)
 	_, err = f.Read(b)
-	if err == nil {
+	switch err {
+	case nil:
 		return true, nil
-	} else if err == io.EOF {
+	case io.EOF:
 		// Our validation/ tests only use non-empty files for read-access
 		// tests. So if we get an EOF on the first read, the runtime did
 		// successfully block readability.
@@ -727,7 +728,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s
 		if err != nil {
 			return err
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":     rfcError.Level.String(),
 			"reference": rfcError.Reference,
 			"path":      device.Path,
@@ -738,7 +739,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s
 		if err != nil {
 			return err
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":     rfcError.Level.String(),
 			"reference": rfcError.Reference,
 			"path":      device.Path,
@@ -756,7 +757,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s
 		if err != nil {
 			return err
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":     rfcError.Level.String(),
 			"reference": rfcError.Reference,
 			"path":      device.Path,
@@ -777,7 +778,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s
 		if err != nil {
 			return err
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":     rfcError.Level.String(),
 			"reference": rfcError.Reference,
 			"path":      device.Path,
@@ -793,7 +794,7 @@ func (c *complianceTester) validateDevice(device *rspec.LinuxDevice, condition s
 		if err != nil {
 			return err
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":     rfcError.Level.String(),
 			"reference": rfcError.Reference,
 			"path":      device.Path,
@@ -838,7 +839,7 @@ func (c *complianceTester) validateDefaultSymlinks(spec *rspec.Spec) error {
 		if err != nil {
 			return err
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":     rfcError.Level.String(),
 			"reference": rfcError.Reference,
 			"path":      symlink,
@@ -991,7 +992,7 @@ func (c *complianceTester) validateOOMScoreAdj(spec *rspec.Spec) error {
 		if err != nil {
 			return err
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":     rfcError.Level.String(),
 			"reference": rfcError.Reference,
 			"expected":  expected,
@@ -1052,7 +1053,7 @@ func (c *complianceTester) validateIDMappings(mappings []rspec.LinuxIDMapping, p
 		return err
 	}
 	c.harness.Ok(len(idMaps) == len(mappings), fmt.Sprintf("%s has expected number of mappings", path))
-	_ = c.harness.YAML(map[string]interface{}{
+	_ = c.harness.YAML(map[string]any{
 		"expected": mappings,
 		"actual":   idMaps,
 	})
@@ -1185,13 +1186,13 @@ func (c *complianceTester) validatePosixMounts(spec *rspec.Spec) error {
 		} else {
 			rfcError, err = c.Ok(foundInOrder, specerror.MountsInOrder, spec.Version, fmt.Sprintf("mounts[%d] (%s) found in order", i, configMount.Destination))
 		}
-		_ = c.harness.YAML(map[string]interface{}{
+		_ = c.harness.YAML(map[string]any{
 			"level":       rfcError.Level.String(),
 			"reference":   rfcError.Reference,
 			"config":      configMount,
 			"indexConfig": i,
 			"indexSystem": configSys[i],
-			"earlier": map[string]interface{}{
+			"earlier": map[string]any{
 				"config":      spec.Mounts[highestMatchedConfig],
 				"indexConfig": highestMatchedConfig,
 				"indexSystem": configSys[highestMatchedConfig],
@@ -1310,10 +1311,11 @@ func run(context *cli.Context) error {
 	}
 
 	validations := defaultValidations
-	if platform == "linux" {
+	switch platform {
+	case "linux":
 		validations = append(validations, posixValidations...)
 		validations = append(validations, linuxValidations...)
-	} else if platform == "solaris" {
+	case "solaris":
 		validations = append(validations, posixValidations...)
 	}
 

generate/generate.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"slices"
 	"strings"
 
 	"github.com/moby/sys/capability"
@@ -88,7 +89,8 @@ func New(os string) (generator Generator, err error) {
 		}
 	}
 
-	if os == "linux" {
+	switch os {
+	case "linux":
 		config.Process.Capabilities = &rspec.LinuxCapabilities{
 			Bounding: []string{
 				"CAP_CHOWN",
@@ -237,7 +239,7 @@ func New(os string) (generator Generator, err error) {
 			},
 			Seccomp: seccomp.DefaultProfile(&config),
 		}
-	} else if os == "freebsd" {
+	case "freebsd":
 		config.Mounts = []rspec.Mount{
 			{
 				Destination: "/dev",
@@ -593,12 +595,10 @@ func (g *Generator) ClearProcessAdditionalGids() {
 }
 
 // AddProcessAdditionalGid adds an additional gid into g.Config.Process.AdditionalGids.
-func (g *Generator) AddProcessAdditionalGid(gid uint32) {
+func (g *Generator) AddProcessAdditionalGid(gid uint32) { //nolint:staticcheck // Ignore ST1003: method AddProcessAdditionalGid should be AddProcessAdditionalGID
 	g.initConfigProcess()
-	for _, group := range g.Config.Process.User.AdditionalGids {
-		if group == gid {
-			return
-		}
+	if slices.Contains(g.Config.Process.User.AdditionalGids, gid) {
+		return
 	}
 	g.Config.Process.User.AdditionalGids = append(g.Config.Process.User.AdditionalGids, gid)
 }
@@ -868,7 +868,7 @@ func (g *Generator) DropLinuxResourcesHugepageLimit(pageSize string) {
 	}
 }
 
-// AddLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified
+// SetLinuxResourcesUnified sets the g.Config.Linux.Resources.Unified.
 func (g *Generator) SetLinuxResourcesUnified(unified map[string]string) {
 	g.initConfigLinuxResourcesUnified()
 	for k, v := range unified {

generate/seccomp/seccomp_default.go

@@ -3,7 +3,6 @@ package seccomp
 import (
 	"runtime"
 
-	"github.com/opencontainers/runtime-spec/specs-go"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -31,7 +30,7 @@ func arches() []rspec.Arch {
 }
 
 // DefaultProfile defines the whitelist for the default seccomp profile.
-func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
+func DefaultProfile(rs *rspec.Spec) *rspec.LinuxSeccomp {
 	syscalls := []rspec.LinuxSyscall{
 		{
 			Names: []string{

generate/seccomp/seccomp_default_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package seccomp
 

generate/seccomp/seccomp_default_unsupported.go

@@ -1,5 +1,4 @@
 //go:build !linux
-// +build !linux
 
 package seccomp
 

validate/validate.go

@@ -11,6 +11,7 @@ import (
 	"reflect"
 	"regexp"
 	"runtime"
+	"slices"
 	"strings"
 	"unicode"
 	"unicode/utf8"
@@ -440,7 +441,7 @@ func (v *Validator) CheckCapabilities() (errs error) {
 		if effective && !permitted {
 			errs = multierror.Append(errs, fmt.Errorf("effective capability %q is not allowed, as it's not permitted", capability))
 		}
-		if ambient && !(permitted && inheritable) {
+		if ambient && !(permitted && inheritable) { //nolint:staticcheck // Ignore QF1001: could apply De Morgan's law.
 			errs = multierror.Append(errs, fmt.Errorf("ambient capability %q is not allowed, as it's not permitted and inheribate", capability))
 		}
 	}
@@ -718,21 +719,18 @@ func (v *Validator) rlimitValid(rlimit rspec.POSIXRlimit) (errs error) {
 		errs = multierror.Append(errs, fmt.Errorf("hard limit of rlimit %s should not be less than soft limit", rlimit.Type))
 	}
 
-	if v.platform == "linux" {
-		for _, val := range linuxRlimits {
-			if val == rlimit.Type {
-				return
-			}
+	switch v.platform {
+	case "linux":
+		if slices.Contains(linuxRlimits, rlimit.Type) {
+			return
 		}
 		errs = multierror.Append(errs, specerror.NewError(specerror.PosixProcRlimitsTypeValueError, fmt.Errorf("rlimit type %q may not be valid", rlimit.Type), v.spec.Version))
-	} else if v.platform == "solaris" {
-		for _, val := range posixRlimits {
-			if val == rlimit.Type {
-				return
-			}
+	case "solaris":
+		if slices.Contains(posixRlimits, rlimit.Type) {
+			return
 		}
 		errs = multierror.Append(errs, specerror.NewError(specerror.PosixProcRlimitsTypeValueError, fmt.Errorf("rlimit type %q may not be valid", rlimit.Type), v.spec.Version))
-	} else {
+	default:
 		logrus.Warnf("process.rlimits validation not yet implemented for platform %q", v.platform)
 	}
 
@@ -787,7 +785,7 @@ func checkMandatoryUnit(field reflect.Value, tagField reflect.StructField, paren
 	return
 }
 
-func checkMandatory(obj interface{}) (errs error) {
+func checkMandatory(obj any) (errs error) {
 	objT := reflect.TypeOf(obj)
 	objV := reflect.ValueOf(obj)
 	if isStructPtr(objT) {

validate/validate_linux.go

@@ -1,5 +1,4 @@
 //go:build linux
-// +build linux
 
 package validate