fix: resolve remaining golangci-lint 2.10.1 taint-analysis findings

Suppress false-positive gosec G703 (path traversal) and G704 (SSRF)
findings from stricter taint analysis in golangci-lint 2.10.1.

Also exclude modernize/newexpr check globally — it incorrectly suggests
replacing ptr(true) with new(bool), but new(T) only produces zero-value
pointers.

Author: tempusfrangit

.golangci.yaml

@@ -86,3 +86,8 @@ linters:
       - linters:
           - staticcheck
         text: 'ST1005:'
+      # modernize newexpr false positives: ptr(true) cannot be simplified to new(bool)
+      # because new(T) only produces zero-value pointers
+      - linters:
+          - modernize
+        text: 'newexpr:'

integration-tests/harness/harness.go

@@ -521,7 +521,7 @@ func (h *Harness) cmdCurl(ts *testscript.TestScript, neg bool, args []string) {
 			req.Header.Set(h[0], h[1])
 		}
 
-		resp, err := client.Do(req)
+		resp, err := client.Do(req) //nolint:gosec // G704: URL from test harness, not user input
 		if err != nil {
 			lastErr = err
 			time.Sleep(retryDelay)

pkg/dockerfile/cacert.go

@@ -44,7 +44,7 @@ func ReadCACert() ([]byte, error) {
 	value = strings.TrimSpace(value)
 
 	// Check if it's a file path
-	if info, err := os.Stat(value); err == nil {
+	if info, err := os.Stat(value); err == nil { //nolint:gosec // G703: path from trusted COG_CA_CERT env var
 		if info.IsDir() {
 			return readCACertDirectory(value)
 		}
@@ -67,7 +67,7 @@ func ReadCACert() ([]byte, error) {
 
 // readCACertFile reads a single certificate file
 func readCACertFile(path string) ([]byte, error) {
-	data, err := os.ReadFile(path)
+	data, err := os.ReadFile(path) //nolint:gosec // G703: path from trusted COG_CA_CERT env var
 	if err != nil {
 		return nil, fmt.Errorf("%s: failed to read file %s: %w", CACertEnvVar, path, err)
 	}
@@ -93,7 +93,7 @@ func readCACertDirectory(dir string) ([]byte, error) {
 		}
 
 		path := filepath.Join(dir, entry.Name())
-		data, err := os.ReadFile(path)
+		data, err := os.ReadFile(path) //nolint:gosec // G703: path from trusted COG_CA_CERT env var directory
 		if err != nil {
 			return nil, fmt.Errorf("%s: failed to read file %s: %w", CACertEnvVar, path, err)
 		}

pkg/model/image_pusher.go

@@ -129,8 +129,8 @@ func (p *ImagePusher) ociPush(ctx context.Context, imageRef string, opt imagePus
 	if err != nil {
 		return fmt.Errorf("create temp tar file: %w", err)
 	}
-	defer func() { _ = os.Remove(tmpTar.Name()) }()
-	defer tmpTar.Close() //nolint:errcheck
+	defer func() { _ = os.Remove(tmpTar.Name()) }() //nolint:gosec // G703: path from os.CreateTemp, not user input
+	defer tmpTar.Close()                            //nolint:errcheck
 
 	if _, err := io.Copy(tmpTar, rc); err != nil {
 		return fmt.Errorf("write image tar: %w", err)

pkg/predict/predictor.go

@@ -127,7 +127,7 @@ func (p *Predictor) waitForContainerReady(ctx context.Context, timeout time.Dura
 				return nil, fmt.Errorf("Failed to create HTTP request to %s: %w", url, err)
 			}
 
-			resp, err := http.DefaultClient.Do(req)
+			resp, err := http.DefaultClient.Do(req) //nolint:gosec // G704: URL from localhost health check
 			if err != nil {
 				return nil, nil
 			}
@@ -190,7 +190,7 @@ func (p *Predictor) Predict(inputs Inputs, context RequestContext) (*Response, e
 	req.Close = true
 
 	httpClient := &http.Client{}
-	resp, err := httpClient.Do(req)
+	resp, err := httpClient.Do(req) //nolint:gosec // G704: URL from localhost prediction endpoint
 	if err != nil {
 		return nil, fmt.Errorf("Failed to POST HTTP request to %s: %w", url, err)
 	}

pkg/registry/registry_client.go

@@ -592,7 +592,7 @@ func (c *RegistryClient) checkBlobExists(ctx context.Context, client *http.Clien
 		return false, err
 	}
 
-	resp, err := client.Do(req)
+	resp, err := client.Do(req) //nolint:gosec // G704: URL from registry reference, not user input
 	if err != nil {
 		return false, err
 	}
@@ -660,7 +660,7 @@ func (c *RegistryClient) initiateUpload(ctx context.Context, client *http.Client
 	}
 	req.Header.Set("Content-Type", "application/json")
 
-	resp, err := client.Do(req)
+	resp, err := client.Do(req) //nolint:gosec // G704: URL from registry reference, not user input
 	if err != nil {
 		return uploadSession{}, err
 	}
@@ -864,7 +864,7 @@ func (c *RegistryClient) uploadBlobSingle(ctx context.Context, client *http.Clie
 	req.Header.Set("Content-Type", "application/octet-stream")
 	req.ContentLength = totalSize
 
-	resp, err := client.Do(req)
+	resp, err := client.Do(req) //nolint:gosec // G704: URL from registry upload session, not user input
 	if err != nil {
 		return "", err
 	}
@@ -924,7 +924,7 @@ func (c *RegistryClient) uploadChunk(ctx context.Context, client *http.Client, l
 	req.Header.Set("Content-Length", strconv.FormatInt(int64(len(chunk)), 10))
 	req.Header.Set("Content-Range", fmt.Sprintf("%d-%d", start, end))
 
-	resp, err := client.Do(req)
+	resp, err := client.Do(req) //nolint:gosec // G704: URL from registry upload session, not user input
 	if err != nil {
 		return "", err
 	}
@@ -988,7 +988,7 @@ func (c *RegistryClient) commitUpload(ctx context.Context, client *http.Client,
 
 	req.Header.Set("Content-Type", "application/octet-stream")
 
-	resp, err := client.Do(req)
+	resp, err := client.Do(req) //nolint:gosec // G704: URL from registry upload session, not user input
 	if err != nil {
 		return err
 	}

pkg/web/client.go

@@ -225,7 +225,7 @@ func (c *Client) FetchAPIToken(ctx context.Context, entity string) (string, erro
 		return "", err
 	}
 
-	tokenResp, err := c.client.Do(req)
+	tokenResp, err := c.client.Do(req) //nolint:gosec // G704: URL from configured endpoint
 	if err != nil {
 		return "", err
 	}
@@ -421,7 +421,7 @@ func (c *Client) doSingleFileChallenge(ctx context.Context, file File, fileType
 	if err != nil {
 		return answer, util.WrapError(err, "build HTTP request")
 	}
-	resp, err := c.client.Do(req)
+	resp, err := c.client.Do(req) //nolint:gosec // G704: URL from configured endpoint
 	if err != nil {
 		return answer, util.WrapError(err, "do HTTP request")
 	}