chore: add nolint annotations for gosec linter

andreynering · andreynering · commit 219bf3e5a5f2 · 2026-04-13T10:46:19.000-03:00
Add //nolint:gosec annotations for intentional code patterns
that are safe in context (path traversal in release tool,
uintptr conversion for terminals, weak rand in tests,
TLS skip verify for user-configured insecure mode).

Assisted-by: Kimi-K2.5 via Crush &lt;crush@charm.land&gt;
diff --git a/cmd/release/main.go b/cmd/release/main.go
@@ -117,7 +117,7 @@ func changelog(version *semver.Version) error {
 	changelog = changelogReleaseRegex.ReplaceAllString(changelog, fmt.Sprintf("## v%s - %s", version, date))
 
 	// Write the changelog to the source file
-	if err := os.WriteFile(changelogSource, []byte(changelog), 0o644); err != nil {
+	if err := os.WriteFile(changelogSource, []byte(changelog), 0o644); err != nil { //nolint:gosec
 		return err
 	}
 
@@ -129,7 +129,7 @@ func changelog(version *semver.Version) error {
 	changelogWithFrontmatter := fmt.Sprintf("---\n%s\n---\n\n%s", frontmatter, changelogWithVPre)
 
 	// Write the changelog to the target file
-	return os.WriteFile(changelogTarget, []byte(changelogWithFrontmatter), 0o644)
+	return os.WriteFile(changelogTarget, []byte(changelogWithFrontmatter), 0o644) //nolint:gosec
 }
 
 func setVersionFile(fileName string, version *semver.Version) error {
diff --git a/internal/term/term.go b/internal/term/term.go
@@ -7,5 +7,5 @@ import (
 )
 
 func IsTerminal() bool {
-	return term.IsTerminal(int(os.Stdin.Fd())) && term.IsTerminal(int(os.Stdout.Fd()))
+	return term.IsTerminal(int(os.Stdin.Fd())) && term.IsTerminal(int(os.Stdout.Fd())) //nolint:gosec
 }
diff --git a/task_test.go b/task_test.go
@@ -1022,7 +1022,7 @@ func TestIncludesRemote(t *testing.T) {
 
 					for k, taskCall := range taskCalls {
 						t.Run(taskCall.Task, func(t *testing.T) {
-							expectedContent := fmt.Sprint(rand.Int64())
+							expectedContent := fmt.Sprint(rand.Int64()) //nolint:gosec
 							t.Setenv("CONTENT", expectedContent)
 
 							outputFile := fmt.Sprintf("%d.%d.txt", i, k)
diff --git a/taskfile/node_http.go b/taskfile/node_http.go
@@ -38,7 +38,7 @@ func buildHTTPClient(insecure bool, caCert, cert, certKey string) (*http.Client,
 	}
 
 	tlsConfig := &tls.Config{
-		InsecureSkipVerify: insecure,
+		InsecureSkipVerify: insecure, //nolint:gosec
 	}
 
 	// Load custom CA certificate if provided
diff --git a/taskrc/reader.go b/taskrc/reader.go
@@ -65,7 +65,7 @@ func (r *Reader) Read(node *Node) (*ast.TaskRC, error) {
 	}
 
 	// Read the file
-	b, err := os.ReadFile(node.entrypoint)
+	b, err := os.ReadFile(node.entrypoint) //nolint:gosec
 	if err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ func changelog(version *semver.Version) error {`
`117`	`117`	`changelog = changelogReleaseRegex.ReplaceAllString(changelog, fmt.Sprintf("## v%s - %s", version, date))`
`118`	`118`
`119`	`119`	`// Write the changelog to the source file`
`120`		`- if err := os.WriteFile(changelogSource, []byte(changelog), 0o644); err != nil {`
	`120`	`+ if err := os.WriteFile(changelogSource, []byte(changelog), 0o644); err != nil { //nolint:gosec`
`121`	`121`	`return err`
`122`	`122`	`}`
`123`	`123`
`@@ -129,7 +129,7 @@ func changelog(version *semver.Version) error {`
`129`	`129`	`changelogWithFrontmatter := fmt.Sprintf("---\n%s\n---\n\n%s", frontmatter, changelogWithVPre)`
`130`	`130`
`131`	`131`	`// Write the changelog to the target file`
`132`		`- return os.WriteFile(changelogTarget, []byte(changelogWithFrontmatter), 0o644)`
	`132`	`+ return os.WriteFile(changelogTarget, []byte(changelogWithFrontmatter), 0o644) //nolint:gosec`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`func setVersionFile(fileName string, version *semver.Version) error {`
Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,5 @@ import (`
`7`	`7`	`)`
`8`	`8`
`9`	`9`	`func IsTerminal() bool {`
`10`		`- return term.IsTerminal(int(os.Stdin.Fd())) && term.IsTerminal(int(os.Stdout.Fd()))`
	`10`	`+ return term.IsTerminal(int(os.Stdin.Fd())) && term.IsTerminal(int(os.Stdout.Fd())) //nolint:gosec`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func buildHTTPClient(insecure bool, caCert, cert, certKey string) (*http.Client,`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`tlsConfig := &tls.Config{`
`41`		`- InsecureSkipVerify: insecure,`
	`41`	`+ InsecureSkipVerify: insecure, //nolint:gosec`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`// Load custom CA certificate if provided`
Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ func (r Reader) Read(node Node) (*ast.TaskRC, error) {`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`// Read the file`
`68`		`- b, err := os.ReadFile(node.entrypoint)`
	`68`	`+ b, err := os.ReadFile(node.entrypoint) //nolint:gosec`
`69`	`69`	`if err != nil {`
`70`	`70`	`return nil, err`
`71`	`71`	`}`