fix(ci): suppress gosec false positives and handle cleanup errors in lock acquisition paths

piotr-roslaniec · piotr-roslaniec · commit 31ce8225d1ad · 2026-04-10T13:10:04.000Z
diff --git a/pkg/covenantsigner/server.go b/pkg/covenantsigner/server.go
@@ -148,6 +148,9 @@ func Initialize(
 		// operations observe shutdown and terminate promptly.
 		cancelService()
 
+		// #nosec G118 -- context.Background is required here because ctx is
+		// already cancelled at this point; using it would make Shutdown return
+		// immediately with context.Canceled before the drain completes.
 		shutdownCtx, cancelShutdown := context.WithTimeout(
 			context.Background(),
 			5*time.Second,
diff --git a/pkg/covenantsigner/service.go b/pkg/covenantsigner/service.go
@@ -103,7 +103,9 @@ func NewService(
 	// Release the file lock if any subsequent initialization step fails.
 	defer func() {
 		if retErr != nil {
-			service.store.Close()
+			if closeErr := service.store.Close(); closeErr != nil {
+				logger.Warnf("failed to close store after init failure: [%v]", closeErr)
+			}
 		}
 	}()
 
diff --git a/pkg/covenantsigner/store.go b/pkg/covenantsigner/store.go
@@ -48,7 +48,9 @@ func NewStore(handle persistence.BasicHandle, dataDir string) (*Store, error) {
 
 	if err := store.load(); err != nil {
 		// Release the lock if loading fails after successful acquisition.
-		store.Close()
+		if closeErr := store.Close(); closeErr != nil {
+			logger.Warnf("failed to release store lock after load failure: [%v]", closeErr)
+		}
 		return nil, err
 	}
 
@@ -75,6 +77,8 @@ func acquireFileLock(dataDir string) (*os.File, error) {
 		)
 	}
 
+	// #nosec G304 -- lockPath is derived from operator-configured dataDir, not
+	// from untrusted user input. The operator controls the data directory.
 	lockFile, err := os.OpenFile(lockPath, os.O_CREATE|os.O_RDWR, 0600)
 	if err != nil {
 		return nil, fmt.Errorf(
@@ -88,7 +92,9 @@ func acquireFileLock(dataDir string) (*os.File, error) {
 		int(lockFile.Fd()),
 		syscall.LOCK_EX|syscall.LOCK_NB,
 	); err != nil {
-		lockFile.Close()
+		if closeErr := lockFile.Close(); closeErr != nil {
+			logger.Warnf("failed to close lock file after failed flock: [%v]", closeErr)
+		}
 		return nil, fmt.Errorf(
 			"cannot acquire exclusive lock on [%s]: "+
 				"another process may already own the store: %w",
