shipwright-io · dependabot · Nov 21, 2025 · Nov 21, 2025
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
@@ -32,7 +32,7 @@ jobs:
         check-latest: true
         cache-dependency-path: go/src/github.com/shipwright-io/build
     - name: Run golangci-lint
-      uses: golangci/golangci-lint-action@v6
+      uses: golangci/golangci-lint-action@v9
       with:
         working-directory: go/src/github.com/shipwright-io/build
         args: --timeout=10m

diff --git a/.golangci.yaml b/.golangci.yaml
@@ -1,23 +1,31 @@
+version: "2"
+
 linters:
+  disable:
+    - errcheck
   enable:
-    - ineffassign
-    - revive
     - gosec
     - govet
+    - ineffassign
     - misspell
+    - revive
     - staticcheck
-  disable:
-    - errcheck
+    - unused
+
+  exclusions:
+    rules:
+      - path: test
+        linters:
+          - revive
 
-linters-settings:
-  gosec:
-    excludes:
-      - G101 # Look for hard coded credentials
-      - G305 # File traversal when extracting zip/tar archive
-      - G306 # Poor file permissions used when writing to a new file
+  settings:
+    gosec:
+      excludes:
+        - G101 # Look for hard coded credentials
+        - G305 # File traversal when extracting zip/tar archive
+        - G306 # Poor file permissions used when writing to a new file
 
-issues:
-  exclude-rules:
-    - path: test
-      linters:
-        - revive
+    revive:
+      rules:
+        - name: package-comments
+          disabled: true
diff --git a/cmd/bundle/main_test.go b/cmd/bundle/main_test.go
@@ -79,6 +79,7 @@ var _ = Describe("Bundle Loader", func() {
 	}
 
 	filecontent := func(path string) string {
+		// #nosec G304 ok in tests
 		data, err := os.ReadFile(path)
 		Expect(err).ToNot(HaveOccurred())
 		return string(data)

diff --git a/cmd/git/main.go b/cmd/git/main.go
@@ -252,6 +252,7 @@ func checkEnvironment(ctx context.Context) error {
 		if flagValues.verbose {
 			log.Printf("Debug: %s %s\n", path, check.versionArg)
 		}
+		// #nosec G204 in the default container configuration, it is impossible to inject other binaries, as such it is safe that we have no hard-coded path
 		out, err := exec.CommandContext(ctx, path, check.versionArg).CombinedOutput()
 		if err != nil {
 			log.Printf("Error: %s: %s\n", check.toolName, strings.TrimRight(string(out), "\n"))
@@ -474,13 +475,16 @@ func git(ctx context.Context, args ...string) (string, error) {
 		fmt.Sprintf("safe.directory=%s", flagValues.target),
 	}
 	fullArgs = append(fullArgs, args...)
+	// #nosec G204 arguments are well-defined by the code
 	cmd := exec.CommandContext(ctx, "git", fullArgs...)
 
 	// Print the command to be executed, but replace the URL with a safe version
 	log.Print(strings.ReplaceAll(cmd.String(), flagValues.url, displayURL))
 
 	// Make sure that the spawned process does not try to prompt for infos
-	os.Setenv("GIT_TERMINAL_PROMPT", "0")
+	if err := os.Setenv("GIT_TERMINAL_PROMPT", "0"); err != nil {
+		return "", err
+	}
 	cmd.Stdin = nil
 
 	out, err := cmd.CombinedOutput()

diff --git a/cmd/git/main_test.go b/cmd/git/main_test.go
@@ -79,6 +79,7 @@ var _ = Describe("Git Resource", func() {
 	}
 
 	var filecontent = func(path string) string {
+		// #nosec: G304 fine in tests
 		data, err := os.ReadFile(path)
 		Expect(err).ToNot(HaveOccurred())
 		return string(data)
@@ -509,6 +510,7 @@ var _ = Describe("Git Resource", func() {
 						lfsFile := filepath.Join(target, "assets", "shipwright-logo-lightbg-512.png")
 						Expect(lfsFile).To(BeAnExistingFile())
 
+						// #nosec: G304 fine in tests
 						data, err := os.ReadFile(lfsFile)
 						Expect(err).ToNot(HaveOccurred())
 						Expect(http.DetectContentType(data)).To(Equal("image/png"))
@@ -524,14 +526,14 @@ var _ = Describe("Git Resource", func() {
 				git_config_nosystem := os.Getenv("GIT_CONFIG_NOSYSTEM")
 
 				// unset all pre-existing git configurations to avoid credential helpers and authentication
-				os.Setenv("GIT_CONFIG_NOSYSTEM", "1")
-				os.Setenv("GIT_CONFIG", "/dev/null")
-				os.Setenv("GIT_CONFIG_GLOBAL", "/dev/null")
+				Expect(os.Setenv("GIT_CONFIG_NOSYSTEM", "1")).To(Succeed())
+				Expect(os.Setenv("GIT_CONFIG", "/dev/null")).To(Succeed())
+				Expect(os.Setenv("GIT_CONFIG_GLOBAL", "/dev/null")).To(Succeed())
 
 				DeferCleanup(func() {
-					os.Setenv("GIT_CONFIG_NOSYSTEM", git_config_nosystem)
-					os.Setenv("GIT_CONFIG", git_config)
-					os.Setenv("GIT_CONFIG_GLOBAL", git_global_config)
+					Expect(os.Setenv("GIT_CONFIG_NOSYSTEM", git_config_nosystem)).To(Succeed())
+					Expect(os.Setenv("GIT_CONFIG", git_config)).To(Succeed())
+					Expect(os.Setenv("GIT_CONFIG_GLOBAL", git_global_config)).To(Succeed())
 				})
 			})
 

diff --git a/cmd/image-processing/main_test.go b/cmd/image-processing/main_test.go
@@ -153,6 +153,7 @@ var _ = Describe("Image Processing Resource", Ordered, func() {
 	}
 
 	filecontent := func(path string) string {
+		// #nosec G304 ok in tests
 		data, err := os.ReadFile(path)
 		Expect(err).ToNot(HaveOccurred())
 		return string(data)

diff --git a/cmd/waiter/main_test.go b/cmd/waiter/main_test.go
@@ -31,6 +31,7 @@ var _ = BeforeSuite(func() {
 var _ = Describe("Waiter", func() {
 	// run creates a exec.Command instance using the arguments informed.
 	var run = func(args ...string) *gexec.Session {
+		// #nosec G204 necessary for the test
 		cmd := exec.Command(executable)
 		cmd.Args = append(cmd.Args, args...)
 		stdin := &bytes.Buffer{}

diff --git a/pkg/apis/build/v1beta1/build_conversion.go b/pkg/apis/build/v1beta1/build_conversion.go
@@ -32,11 +32,14 @@
 	var alphaBuild v1alpha1.Build

 	alphaBuild.TypeMeta = src.TypeMeta
 	alphaBuild.TypeMeta.APIVersion = alphaGroupVersion
 
 	alphaBuild.ObjectMeta = src.ObjectMeta
 
-	src.Spec.ConvertTo(&alphaBuild.Spec)
+	if err := src.Spec.ConvertTo(&alphaBuild.Spec); err != nil {
+		ctxlog.Error(ctx, err, "failed to convert object")
+		return err
+	}
 
 	alphaBuild.Status = v1alpha1.BuildStatus{
 		Registered: src.Status.Registered,
@@ -47,16 +50,17 @@
 	// convert annotation-controlled features
 	if src.Spec.Retention != nil && src.Spec.Retention.AtBuildDeletion != nil {
 		// We must create a new Map as otherwise the addition is not kept
 		alphaBuild.ObjectMeta.Annotations = map[string]string{}
 		for k, v := range src.Annotations {
 			alphaBuild.ObjectMeta.Annotations[k] = v
 		}
 		alphaBuild.ObjectMeta.Annotations[v1alpha1.AnnotationBuildRunDeletion] = strconv.FormatBool(*src.Spec.Retention.AtBuildDeletion)
 	}

 	mapito, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&alphaBuild)
 	if err != nil {
 		ctxlog.Error(ctx, err, "failed structuring the newObject")
+		return err
 	}
 	obj.Object = mapito
 
@@ -73,15 +77,19 @@
 	err := runtime.DefaultUnstructuredConverter.FromUnstructured(unstructured, &alphaBuild)
 	if err != nil {
 		ctxlog.Error(ctx, err, "failed unstructuring the convertedObject")
+		return err
 	}
 
 	ctxlog.Info(ctx, "converting Build from alpha to beta", "namespace", alphaBuild.Namespace, "name", alphaBuild.Name)

 	src.ObjectMeta = alphaBuild.ObjectMeta
 	src.TypeMeta = alphaBuild.TypeMeta
 	src.TypeMeta.APIVersion = betaGroupVersion
 
-	src.Spec.ConvertFrom(&alphaBuild.Spec)
+	if err := src.Spec.ConvertFrom(&alphaBuild.Spec); err != nil {
+		ctxlog.Error(ctx, err, "failed to convert object")
+		return err
+	}
 
 	// convert annotation-controlled features
 	if value, set := alphaBuild.Annotations[v1alpha1.AnnotationBuildRunDeletion]; set {
@@ -265,7 +273,7 @@
 	bs.ParamValues = nil
 	for _, p := range dest.ParamValues {
 		if p.Name == "dockerfile" && p.SingleValue != nil {
 			bs.Dockerfile = p.SingleValue.Value
 			continue
 		}


diff --git a/pkg/apis/build/v1beta1/buildrun_conversion.go b/pkg/apis/build/v1beta1/buildrun_conversion.go
@@ -187,13 +187,17 @@ func (src *BuildRun) ConvertTo(ctx context.Context, obj *unstructured.Unstructur
 
 	aux := &v1alpha1.BuildSpec{}
 	if src.Status.BuildSpec != nil {
-		src.Status.BuildSpec.ConvertTo(aux)
+		if err := src.Status.BuildSpec.ConvertTo(aux); err != nil {
+			ctxlog.Error(ctx, err, "failed to convert object")
+			return err
+		}
 		alphaBuildRun.Status.BuildSpec = aux
 	}
 
 	mapito, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&alphaBuildRun)
 	if err != nil {
 		ctxlog.Error(ctx, err, "failed structuring the newObject")
+		return err
 	}
 	obj.Object = mapito
 
@@ -210,6 +214,7 @@ func (src *BuildRun) ConvertFrom(ctx context.Context, obj *unstructured.Unstruct
 	err := runtime.DefaultUnstructuredConverter.FromUnstructured(unstructured, &alphaBuildRun)
 	if err != nil {
 		ctxlog.Error(ctx, err, "failed unstructuring the buildrun convertedObject")
+		return err
 	}
 
 	ctxlog.Info(ctx, "converting BuildRun from alpha to beta", "namespace", alphaBuildRun.Namespace, "name", alphaBuildRun.Name)
@@ -218,7 +223,10 @@ func (src *BuildRun) ConvertFrom(ctx context.Context, obj *unstructured.Unstruct
 	src.TypeMeta = alphaBuildRun.TypeMeta
 	src.TypeMeta.APIVersion = betaGroupVersion
 
-	src.Spec.ConvertFrom(&alphaBuildRun.Spec)
+	if err = src.Spec.ConvertFrom(ctx, &alphaBuildRun.Spec); err != nil {
+		ctxlog.Error(ctx, err, "failed to convert object")
+		return err
+	}
 
 	var sourceStatus *SourceResult
 	for _, s := range alphaBuildRun.Status.Sources {
@@ -282,19 +290,25 @@ func (src *BuildRun) ConvertFrom(ctx context.Context, obj *unstructured.Unstruct
 
 	buildBeta := Build{}
 	if alphaBuildRun.Status.BuildSpec != nil {
-		buildBeta.Spec.ConvertFrom(alphaBuildRun.Status.BuildSpec)
+		if err = buildBeta.Spec.ConvertFrom(alphaBuildRun.Status.BuildSpec); err != nil {
+			ctxlog.Error(ctx, err, "failed to convert object")
+			return err
+		}
 		src.Status.BuildSpec = &buildBeta.Spec
 	}
 
 	return nil
 }
 
-func (dest *BuildRunSpec) ConvertFrom(orig *v1alpha1.BuildRunSpec) error {
+func (dest *BuildRunSpec) ConvertFrom(ctx context.Context, orig *v1alpha1.BuildRunSpec) error {
 
 	// BuildRunSpec BuildSpec
 	if orig.BuildSpec != nil {
 		dest.Build.Spec = &BuildSpec{}
-		dest.Build.Spec.ConvertFrom(orig.BuildSpec)
+		if err := dest.Build.Spec.ConvertFrom(orig.BuildSpec); err != nil {
+			ctxlog.Error(ctx, err, "failed to convert object")
+			return err
+		}
 	}
 	if orig.BuildRef != nil {
 		dest.Build.Name = &orig.BuildRef.Name

diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go
@@ -98,6 +98,7 @@ func Pack(directory string) (io.ReadCloser, error) {
 	var split = func(path string) []string { return strings.Split(path, string(filepath.Separator)) }
 
 	var write = func(w io.Writer, path string) error {
+		// #nosec G304 names are safe, they come from the listing
 		file, err := os.Open(path)
 		if err != nil {
 			return err
@@ -127,6 +128,7 @@ func Pack(directory string) (io.ReadCloser, error) {
 	}
 
 	var patterns []gitignore.Pattern
+	// #nosec G304 names are safe
 	if file, err := os.Open(filepath.Join(directory, shpIgnoreFilename)); err == nil {
 		defer file.Close()
 
@@ -293,13 +295,14 @@ func Unpack(in io.Reader, targetPath string) (*UnpackDetails, error) {
 				return nil, err
 			}
 
+			// #nosec G304 names are safe, they come from the listing
 			file, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, fileMode(header))
 			if err != nil {
 				return nil, err
 			}
 
 			if _, err := io.Copy(file, tr); err != nil {
-				file.Close()
+				_ = file.Close()
 				return nil, err
 			}
 

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -285,7 +285,7 @@ func configWithEnvVariableOverrides(settings map[string]string, f func(config *C
 			backup[k] = nil
 		}
 
-		os.Setenv(k, v)
+		Expect(os.Setenv(k, v)).To(Succeed())
 	}
 
 	config := NewDefaultConfig()
@@ -298,9 +298,9 @@ func configWithEnvVariableOverrides(settings map[string]string, f func(config *C
 
 	for k, v := range backup {
 		if v != nil {
-			os.Setenv(k, *v)
+			Expect(os.Setenv(k, *v)).To(Succeed())
 		} else {
-			os.Unsetenv(k)
+			Expect(os.Unsetenv(k)).To(Succeed())
 		}
 	}
 }
diff --git a/pkg/image/options.go b/pkg/image/options.go
@@ -74,6 +74,7 @@ func GetOptions(ctx context.Context, imageName name.Reference, insecure bool, do
 
 	var dockerconfig *configfile.ConfigFile
 	if dockerConfigJSONPath != "" {
+		// #nosec G304 user provided by design
 		file, err := os.Open(dockerConfigJSONPath)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to open the config json: %w", err)

diff --git a/pkg/metrics/pprof.go b/pkg/metrics/pprof.go
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-// +build pprof_enabled
+//go:build pprof_enabled
 
 package metrics
 

diff --git a/pkg/reconciler/buildrun/buildrun_test.go b/pkg/reconciler/buildrun/buildrun_test.go
@@ -91,7 +91,7 @@ var _ = Describe("Reconcile BuildRun", func() {
 
 		// ensure resources are added to the Scheme
 		// via the manager and initialize the fake Manager
-		apis.AddToScheme(scheme.Scheme)
+		Expect(apis.AddToScheme(scheme.Scheme)).To(Succeed())
 		manager = &fakes.FakeManager{}
 		manager.GetSchemeReturns(scheme.Scheme)