From a11c5bdfe899b353864b916a17de54cba5f68164 Mon Sep 17 00:00:00 2001 From: TJ Moore Date: Thu, 12 Mar 2026 09:13:15 -0400 Subject: [PATCH 1/2] Backpatch: Address Go linter issues --- internal/collector/postgres_metrics.go | 2 +- internal/controller/standalone_pgadmin/users.go | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/internal/collector/postgres_metrics.go b/internal/collector/postgres_metrics.go index fe4202fb4b..7fc46cf943 100644 --- a/internal/collector/postgres_metrics.go +++ b/internal/collector/postgres_metrics.go @@ -256,7 +256,7 @@ func EnablePostgresMetrics(ctx context.Context, inCluster *v1beta1.PostgresClust // appendToJSONArray appends elements of a json.RawMessage containing an array // to another json.RawMessage containing an array. func appendToJSONArray(a1, a2 json.RawMessage) (json.RawMessage, error) { - var slc1 []json.RawMessage + var slc1 []json.RawMessage //nolint:prealloc // Populated by json.Unmarshal, not manual appends. if err := json.Unmarshal(a1, &slc1); err != nil { return nil, err } diff --git a/internal/controller/standalone_pgadmin/users.go b/internal/controller/standalone_pgadmin/users.go index f39a7395e6..ca21d182c4 100644 --- a/internal/controller/standalone_pgadmin/users.go +++ b/internal/controller/standalone_pgadmin/users.go @@ -35,7 +35,6 @@ type pgAdminUserForJson struct { IsAdmin bool `json:"isAdmin"` // The user's password - //nolint:gosec // G117: This is a JSON serialization struct, not a hardcoded credential. Password string `json:"password"` // The username for User in pgAdmin. @@ -332,6 +331,8 @@ cd $PGADMIN_DIR // to add a user, that user will not be in intentUsers. If errors occurred when attempting to // update a user, the user will be in intentUsers as it existed before. We now want to marshal the // intentUsers to json and write the users.json file to the secret. + + //nolint:gosec // G117: Password is intentionally stored in a Kubernetes Secret. intentUserSecret.Data["users.json"], _ = json.Marshal(intentUsers) err = errors.WithStack(r.setControllerReference(pgadmin, intentUserSecret)) From a46e9b3381980477d4ab90b6d8e67c42de326e93 Mon Sep 17 00:00:00 2001 From: TJ Moore Date: Thu, 12 Mar 2026 09:50:59 -0400 Subject: [PATCH 2/2] Additional linter fixes --- internal/bridge/client.go | 10 ++++------ internal/bridge/client_test.go | 3 +++ .../bridge/crunchybridgecluster/mock_bridge_api.go | 1 - internal/bridge/installation.go | 3 +-- .../v1beta1/crunchy_bridgecluster_types.go | 1 - 5 files changed, 8 insertions(+), 10 deletions(-) diff --git a/internal/bridge/client.go b/internal/bridge/client.go index f75a718669..f53a2fe4ed 100644 --- a/internal/bridge/client.go +++ b/internal/bridge/client.go @@ -155,10 +155,9 @@ type ClusterRoleApiResource struct { ClusterId string `json:"cluster_id"` Flavor string `json:"flavor"` Name string `json:"name"` - //nolint:gosec // G117: JSON serialization field for API response, not a hardcoded credential. - Password string `json:"password"` - Team string `json:"team_id"` - URI string `json:"uri"` + Password string `json:"password"` + Team string `json:"team_id"` + URI string `json:"uri"` } // ClusterRoleList holds a slice of ClusterRoleApiResource @@ -279,8 +278,7 @@ func (c *Client) doWithBackoff( if err == nil { request.Header = headers.Clone() - - //nolint:bodyclose,gosec // bodyclose: response returned to caller; G704: URL is from trusted Bridge API configuration. + //nolint:bodyclose // response returned to caller. response, err = c.Do(request) } diff --git a/internal/bridge/client_test.go b/internal/bridge/client_test.go index 4ddd9ca224..ceb49c6099 100644 --- a/internal/bridge/client_test.go +++ b/internal/bridge/client_test.go @@ -1229,6 +1229,7 @@ func TestGetClusterRole(t *testing.T) { } t.Run("WeSendCorrectData", func(t *testing.T) { + //nolint:gosec // G117: Password is part of the API resource struct, not a credential in test context. responsePayloadJson, err := json.Marshal(clusterRoleApiResource) assert.NilError(t, err) @@ -1251,6 +1252,7 @@ func TestGetClusterRole(t *testing.T) { }) t.Run("OkResponse", func(t *testing.T) { + //nolint:gosec // G117: Password is part of the API resource struct, not a credential in test context. responsePayloadJson, err := json.Marshal(clusterRoleApiResource) assert.NilError(t, err) @@ -1269,6 +1271,7 @@ func TestGetClusterRole(t *testing.T) { }) t.Run("ErrorResponse", func(t *testing.T) { + //nolint:gosec // G117: Password is part of the API resource struct, not a credential in test context. responsePayloadJson, err := json.Marshal(clusterRoleApiResource) assert.NilError(t, err) diff --git a/internal/bridge/crunchybridgecluster/mock_bridge_api.go b/internal/bridge/crunchybridgecluster/mock_bridge_api.go index f37cef4e2a..0387f5da2a 100644 --- a/internal/bridge/crunchybridgecluster/mock_bridge_api.go +++ b/internal/bridge/crunchybridgecluster/mock_bridge_api.go @@ -17,7 +17,6 @@ import ( ) type TestBridgeClient struct { - //nolint:gosec // G117: Test mock struct field, not a hardcoded credential. ApiKey string `json:"apiKey,omitempty"` TeamId string `json:"teamId,omitempty"` Clusters []*bridge.ClusterApiResource `json:"clusters,omitempty"` diff --git a/internal/bridge/installation.go b/internal/bridge/installation.go index 46e519b692..d1a417b746 100644 --- a/internal/bridge/installation.go +++ b/internal/bridge/installation.go @@ -39,8 +39,7 @@ var self = new(struct { type AuthObject struct { ID string `json:"id"` ExpiresAt time.Time `json:"expires_at"` - //nolint:gosec // G117: JSON serialization field for API response, not a hardcoded credential. - Secret string `json:"secret"` + Secret string `json:"secret"` } type Installation struct { diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/crunchy_bridgecluster_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/crunchy_bridgecluster_types.go index 3d6e169f3b..880c800a3b 100644 --- a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/crunchy_bridgecluster_types.go +++ b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/crunchy_bridgecluster_types.go @@ -77,7 +77,6 @@ type CrunchyBridgeClusterSpec struct { // The name of the secret containing the API key and team id // +kubebuilder:validation:Required - //nolint:gosec // G117: Field holds secret name reference, not actual secret data. Secret string `json:"secret"` // The amount of storage available to the cluster in gigabytes.