Bump Go to 1.26.1 and golangci-lint to 2.11.3

.github/workflows/ci.yaml

@@ -30,7 +30,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.25.4
+        go-version: v1.26.1
     - uses: actions/setup-node@v4
       with:
         node-version: '20'
@@ -45,7 +45,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.25.4
+        go-version: v1.26.1
     - uses: actions/setup-node@v4
       with:
         node-version: '20'
@@ -60,7 +60,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.25.4
+        go-version: v1.26.1
     - run: make test
 
   lint:
@@ -70,7 +70,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.25.4
+        go-version: v1.26.1
     - run: make lint
 
   verify:
@@ -80,5 +80,5 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.25.4
+        go-version: v1.26.1
     - run: make verify

.github/workflows/docs-gen-and-push.yaml

@@ -34,7 +34,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: v1.25.4
+          go-version: v1.26.1
           cache: true
 
       - uses: actions/setup-python@v5

.github/workflows/goreleaser.yaml

@@ -22,7 +22,7 @@ jobs:
         fetch-depth: 0
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.25.4
+        go-version: v1.26.1
     - name: Delete non-semver tags
       run: 'git tag -d $(git tag -l | grep -v "^v")'
     - name: Set LDFLAGS
@@ -51,4 +51,4 @@ jobs:
       if: ${{ always() }}
       with:
         name: binaries
-        path: dist/*.tar.gz
+        path: dist/*.tar.gz

.github/workflows/image.yaml

@@ -19,7 +19,7 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: v1.25.4
+        go-version: v1.26.1
         check-latest: true
 
     # We need this to remove local tags that are not semver so goreleaser doesn't get confused.
@@ -33,7 +33,7 @@ jobs:
     # If you notice signing errors, you may need to update the cosign version.
     - uses: sigstore/cosign-installer@v3.7.0
 
-    
+
     - name: Install Helm
       uses: azure/setup-helm@v3
       with:
@@ -43,7 +43,7 @@ jobs:
       run: echo LDFLAGS="$(make ldflags)" | tee -a >> $GITHUB_ENV
 
     # Login to GitHub Container Registry (used by both ko and Docker)
-    - name: Login to GitHub Container Registry  
+    - name: Login to GitHub Container Registry
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
@@ -134,7 +134,7 @@ jobs:
       run: |
         # Login to GitHub Container Registry for Helm
         echo "${{ github.token }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
-        
+
         # Set chart version - use tag name if available, otherwise use semver format
         if [[ "${{ github.ref_type }}" == "tag" ]]; then
           CHART_VERSION="${{ github.ref_name }}"
@@ -143,23 +143,23 @@ jobs:
         else
           CHART_VERSION="0.0.0-${{ github.sha }}"
         fi
-        
+
         # Package and push each chart in deploy/charts/
         for chart_dir in deploy/charts/*/; do
           if [ -f "${chart_dir}Chart.yaml" ]; then
             chart_name=$(basename "$chart_dir")
             echo "Processing chart: $chart_name"
-            
+
             # Update chart version and appVersion in Chart.yaml
             sed -i "s/^version:.*/version: ${CHART_VERSION}/" "${chart_dir}Chart.yaml"
             sed -i "s/^appVersion:.*/appVersion: ${CHART_VERSION}/" "${chart_dir}Chart.yaml"
-            
+
             # Package the chart
             helm package "$chart_dir" --version "${CHART_VERSION}"
-            
+
             # Push to GitHub Container Registry
             helm push "${chart_name}-${CHART_VERSION}.tgz" "oci://ghcr.io/${{ github.repository_owner }}/charts"
-            
+
             echo "Helm chart pushed to oci://ghcr.io/${{ github.repository_owner }}/charts/${chart_name}:${CHART_VERSION}"
           fi
         done

.golangci.yaml

@@ -67,6 +67,10 @@ linters:
       - linters:
           - goconst
         path: (.+)_test\.go
+      - linters:
+          - gosec
+        path: (.+)_test\.go
+        text: G101
       - linters:
           - staticcheck
         text: QF1008

.ko.yaml

@@ -1,5 +1,5 @@
 baseImageOverrides:
-  github.com/google/ko: golang:1.25.4
+  github.com/google/ko: golang:1.26.1
 
 builds:
 - id: konnector

Dockerfile

@@ -17,7 +17,7 @@ FROM node:20.18.0-alpine3.20 AS ui-build-env
 WORKDIR /app
 
 # Install build dependencies needed for native modules
-RUN apk add --no-cache python3 make g++ 
+RUN apk add --no-cache python3 make g++
 
 # Copy package files
 COPY ./web/package*.json ./
@@ -39,7 +39,7 @@ ENV VITE_BUILD_TARGET=docker
 RUN npm run build
 
 # Build Go binary with embedded UI assets
-FROM golang:1.25.4 AS go-build-env
+FROM golang:1.26.1 AS go-build-env
 WORKDIR /app
 
 # Accept build arguments for multi-arch support
@@ -75,4 +75,4 @@ COPY --from=ui-build-env /app/dist /www
 
 
 
-ENTRYPOINT ["/bin/backend"]
+ENTRYPOINT ["/bin/backend"]

Dockerfile.konnector

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.25.4 AS builder
+FROM golang:1.26.1 AS builder
 WORKDIR /app
 
 # Accept build arguments for multi-arch support
@@ -32,4 +32,4 @@ RUN apk --update add ca-certificates
 
 COPY --from=builder /app/bin/konnector /bin/konnector
 
-ENTRYPOINT ["/bin/konnector"]
+ENTRYPOINT ["/bin/konnector"]

Makefile

@@ -32,7 +32,7 @@ BOILERPLATE_VERSION := 201dcad9616c117927232ee0bc499ff38a27023e
 CODE_GENERATOR_VERSION := v2.4.0
 CONTROLLER_GEN_VERSION := v0.17.3
 DEX_VERSION := v2.43.1
-GOLANGCI_LINT_VERSION := 2.1.6
+GOLANGCI_LINT_VERSION := 2.11.3
 GORELEASER_VERSION := 2.13.0
 GOTESTSUM_VERSION := 1.8.1
 HELM_DOCS_VERSION := 1.14.2

backend/auth/handler.go

@@ -55,6 +55,8 @@ type AuthHandler struct {
 	tokenExpiry         time.Duration
 }
 
+const maxCallbackFormSize int64 = 1 << 20 // 1 MiB
+
 func NewAuthHandler(oidc OIDCProvider, jwtService *JWTService, cookieSigningKey, cookieEncryptionKey []byte, sessionStore session.Store, tokenExpiry time.Duration) *AuthHandler {
 	return &AuthHandler{
 		oidc:                oidc,
@@ -136,6 +138,7 @@ func (ah *AuthHandler) HandleAuthorize(w http.ResponseWriter, r *http.Request) {
 func (ah *AuthHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {
 	logger := klog.FromContext(r.Context()).WithValues("method", r.Method, "url", r.URL.String())
 
+	r.Body = http.MaxBytesReader(w, r.Body, maxCallbackFormSize)
 	if err := r.ParseForm(); err != nil {
 		logger.Error(err, "failed to parse form")
 		ah.respondWithError(w, "", "failed to parse form", http.StatusBadRequest)

backend/controllers/serviceexportrequest/serviceexportrequest_reconcile.go

@@ -118,7 +118,7 @@ func (r *reconciler) getExportedSchemas(ctx context.Context, cl client.Client) (
 		resources.ExportedCRDsLabel: "true",
 	}
 
-	listOpts := []client.ListOption{}
+	listOpts := make([]client.ListOption, 0, 1)
 	listOpts = append(listOpts, client.MatchingLabelsSelector{Selector: labelSelector.AsSelector()})
 
 	if err := cl.List(ctx, list, listOpts...); err != nil {

backend/oidc/oidc_test.go

@@ -179,12 +179,19 @@ func TestLoadTLSConfig_MultipleCerts(t *testing.T) {
 	}
 
 	// Write combined CA bundle
-	combinedCAFile := filepath.Join(tmpDir, "combined-ca.crt")
-	ca1Data = append(ca1Data, ca2Data...)
-	err = os.WriteFile(combinedCAFile, ca1Data, 0600)
+	combinedCA, err := os.CreateTemp(tmpDir, "combined-ca-*.crt")
 	if err != nil {
+		t.Fatalf("Failed to create combined CA file: %v", err)
+	}
+	combinedCAFile := combinedCA.Name()
+
+	ca1Data = append(ca1Data, ca2Data...)
+	if _, err = combinedCA.Write(ca1Data); err != nil {
 		t.Fatalf("Failed to write combined CA file: %v", err)
 	}
+	if err = combinedCA.Close(); err != nil {
+		t.Fatalf("Failed to close combined CA file: %v", err)
+	}
 
 	// Test LoadTLSConfig with multiple certs
 	config, err := LoadTLSConfig(combinedCAFile)

backend/options/serve.go

@@ -17,6 +17,7 @@ limitations under the License.
 package options
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"strconv"
@@ -58,7 +59,8 @@ func (options *Serve) Complete() error {
 			addr = net.JoinHostPort(options.ListenIP, strconv.Itoa(options.ListenPort))
 		}
 		// We only support TCP4 for now to avoid dual stack complications in embedded OIDC server tests.
-		options.Listener, err = net.Listen("tcp4", addr)
+		var lc net.ListenConfig
+		options.Listener, err = lc.Listen(context.Background(), "tcp4", addr)
 		if err != nil {
 			return err
 		}

cli/go.mod

@@ -1,6 +1,6 @@
 module github.com/kube-bind/kube-bind/cli
 
-go 1.24.0
+go 1.26.0
 
 replace (
 	github.com/kube-bind/kube-bind => ../

cli/pkg/kubectl/base/browser.go

@@ -17,38 +17,24 @@ limitations under the License.
 package base
 
 import (
+	"context"
 	"os/exec"
-	"strings"
+	"runtime"
 )
 
 // openBrowser opens the given URL in the default browser
 func OpenBrowser(url string) error {
 	var cmd *exec.Cmd
 
 	// Determine the command based on the operating system
-	switch {
-	case isWindows():
-		cmd = exec.Command("cmd", "/c", "start", url)
-	case isMacOS():
-		cmd = exec.Command("open", url)
+	switch runtime.GOOS {
+	case "windows":
+		cmd = exec.CommandContext(context.Background(), "cmd", "/c", "start", url)
+	case "darwin":
+		cmd = exec.CommandContext(context.Background(), "open", url)
 	default: // Linux and other Unix-like systems
-		cmd = exec.Command("xdg-open", url)
+		cmd = exec.CommandContext(context.Background(), "xdg-open", url)
 	}
 
 	return cmd.Run()
 }
-
-// isWindows checks if the current OS is Windows
-func isWindows() bool {
-	return strings.Contains(strings.ToLower(exec.Command("uname").String()), "windows")
-}
-
-// isMacOS checks if the current OS is macOS
-func isMacOS() bool {
-	cmd := exec.Command("uname")
-	output, err := cmd.Output()
-	if err != nil {
-		return false
-	}
-	return strings.TrimSpace(string(output)) == "Darwin"
-}

cli/pkg/kubectl/bind-apiservice/plugin/binder.go

@@ -145,7 +145,6 @@ func (b *Binder) BindFromFile(ctx context.Context) ([]*kubebindv1alpha2.APIServi
 	}
 
 	// Create bindings for all requests
-	var bindings []*kubebindv1alpha2.APIServiceBinding
 	result, err := b.createServiceExportRequest(ctx, remoteConfig, remoteNamespaceActual, request)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create service export request: %w", err)
@@ -160,9 +159,8 @@ func (b *Binder) BindFromFile(ctx context.Context) ([]*kubebindv1alpha2.APIServi
 	if err != nil {
 		return nil, fmt.Errorf("failed to create API service bindings: %w", err)
 	}
-	bindings = append(bindings, results...)
 
-	return bindings, nil
+	return results, nil
 }
 
 // BindFromResponse processes a BindingResourceResponse and creates all necessary bindings
@@ -237,7 +235,7 @@ func (b *Binder) BindFromResponse(ctx context.Context, response *kubebindv1alpha
 	}
 
 	// Create bindings for all requests
-	var bindings []*kubebindv1alpha2.APIServiceBinding
+	bindings := make([]*kubebindv1alpha2.APIServiceBinding, 0, len(apiRequests))
 	for _, request := range apiRequests {
 		result, err := b.createServiceExportRequest(ctx, remoteConfig, remoteNamespaceActual, request)
 		if err != nil {

cli/pkg/kubectl/bind-login/plugin/login.go

@@ -298,13 +298,13 @@ func (o *LoginOptions) buildAuthURL(provider *kubebindv1alpha2.BindingProvider,
 }
 
 func (o *LoginOptions) startCallbackServerWithRandomPort(tokenCh chan<- *TokenResponse, errCh chan<- error) (*http.Server, string, error) {
-	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	var lc net.ListenConfig
+	listener, err := lc.Listen(context.Background(), "tcp", "127.0.0.1:0")
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to find available port: %w", err)
 	}
 
 	port := listener.Addr().(*net.TCPAddr).Port
-	listener.Close()
 
 	callbackURL := fmt.Sprintf("http://127.0.0.1:%d/callback", port)
 
@@ -362,7 +362,7 @@ func (o *LoginOptions) startCallbackServerWithRandomPort(tokenCh chan<- *TokenRe
 	}
 
 	go func() {
-		if err := server.ListenAndServe(); err != http.ErrServerClosed {
+		if err := server.Serve(listener); err != http.ErrServerClosed {
 			select {
 			case errCh <- err:
 			default: