Bump golangci/golangci-lint-action from 6.5.2 to 7.0.0 (#1983)

* Bump golangci/golangci-lint-action from 6.5.2 to 7.0.0

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.5.2 to 7.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@55c2c14...1481404)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* lint fixes and bump version in CI

Signed-off-by: Bob Callaway <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Bob Callaway <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Bob Callaway <[email protected]>

Author: dependabot[bot]

.github/workflows/verify.yml

@@ -70,9 +70,9 @@ jobs:
           check-latest: true
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd # v7.0.0
         with:
-          version: v1.64
+          version: v2.0
 
   oidc-config:
     name: oidc-config

.golangci.yml

@@ -13,39 +13,58 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+version: "2"
+run:
+  issues-exit-code: 1
 linters:
   enable:
-    - unused
     - errcheck
-    - gofmt
-    - goimports
-    - gosec
     - gocritic
+    - gosec
     - misspell
     - revive
-linters-settings:
-  gosec:
-    excludes:
-      - G115  # integer overflow conversion int -> uint32
-      - G602  # slice index out of range
+    - unused
+  settings:
+    gosec:
+      excludes:
+        - G115  # integer overflow conversion int -> uint32
+        - G602  # slice index out of range
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - errcheck
+          - gosec
+        path: _test\.go
+      - linters:
+          - staticcheck
+        # the following section is due to the legacy API being deprecated
+        path: pkg/server/legacy_server.go
+        text: SA1019
+      - linters:
+          - staticcheck
+        path: pkg/ca/tinkca/signer.go
+        text: SA1019
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  exclude-rules:
-    - path: _test\.go
-      linters:
-        - errcheck
-        - gosec
-    # the following section is due to the legacy API being deprecated
-    - path: pkg/server/legacy_server.go
-      linters:
-        - staticcheck
-      text: SA1019
-    - path: pkg/ca/tinkca/signer.go
-      linters:
-        - staticcheck
-      text: SA1019
   max-issues-per-linter: 0
   max-same-issues: 0
   uniq-by-line: false
-run:
-  issues-exit-code: 1
-  timeout: 10m
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

cmd/app/grpc.go

@@ -222,7 +222,7 @@ func (g *grpcServer) startTCPListener(wg *sync.WaitGroup) {
 		<-sigint
 
 		// received an interrupt signal, shut down
-		g.Server.GracefulStop()
+		g.GracefulStop()
 		close(idleConnsClosed)
 		log.Logger.Info("stopped grpc server")
 	}()
@@ -232,7 +232,7 @@ func (g *grpcServer) startTCPListener(wg *sync.WaitGroup) {
 		if g.tlsCertWatcher != nil {
 			defer g.tlsCertWatcher.Close()
 		}
-		if err := g.Server.Serve(lis); err != nil {
+		if err := g.Serve(lis); err != nil {
 			log.Logger.Fatalf("error shutting down grpcServer: %w", err)
 		}
 		<-idleConnsClosed
@@ -263,7 +263,7 @@ func (g *grpcServer) startUnixListener() {
 
 		log.Logger.Infof("listening on grpc at %s", unixAddr.String())
 
-		log.Logger.Fatal(g.Server.Serve(lis))
+		log.Logger.Fatal(g.Serve(lis))
 	}()
 }
 

examples/request-certificate/main.go

@@ -37,7 +37,7 @@ import (
 )
 
 var (
-	fulcioUrl    = "https://fulcio.sigstore.dev"
+	fulcioURL    = "https://fulcio.sigstore.dev"
 	oidcIssuer   = "https://oauth2.sigstore.dev/auth"
 	oidcClientID = "sigstore"
 )
@@ -87,11 +87,13 @@ func NewClient(fulcioURL string) (fulciopb.CAClient, error) {
 	dialOpt := grpc.WithTransportCredentials(insecure.NewCredentials())
 	hostWithPort := fmt.Sprintf("%s:80", fulcioServer.Host)
 	if fulcioServer.Scheme == "https" {
-		dialOpt = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+		dialOpt = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}))
 		hostWithPort = fmt.Sprintf("%s:443", fulcioServer.Host)
 	}
 
-	conn, err := grpc.Dial(hostWithPort, dialOpt)
+	conn, err := grpc.NewClient(hostWithPort, dialOpt)
 	if err != nil {
 		return nil, err
 	}
@@ -104,7 +106,7 @@ func main() {
 		log.Fatal(err)
 	}
 
-	fClient, err := NewClient(fulcioUrl)
+	fClient, err := NewClient(fulcioURL)
 	if err != nil {
 		log.Fatal(err)
 	}

pkg/ca/tinkca/signer.go

@@ -68,9 +68,9 @@ func KeyHandleToSigner(kh *keyset.Handle) (crypto.Signer, error) {
 		if c == nil {
 			return nil, errors.New("tink ecdsa signer: invalid curve")
 		}
-		p.PublicKey.Curve = c
+		p.Curve = c
 		p.D = new(big.Int).SetBytes(privKey.GetKeyValue())
-		p.PublicKey.X, p.PublicKey.Y = c.ScalarBaseMult(privKey.GetKeyValue())
+		p.X, p.Y = c.ScalarBaseMult(privKey.GetKeyValue())
 		return p, nil
 	case ed25519SignerTypeURL:
 		// https://github.com/tink-crypto/tink-go/blob/0aadc94a816408c4bdf95885b3c9860ecfd55fc0/signature/ed25519/signer_key_manager.go#L47

pkg/server/grpc_server.go

@@ -87,7 +87,7 @@ func (g *grpcaCAServer) CreateSigningCertificate(ctx context.Context, request *f
 	}
 
 	// Authenticate OIDC ID token by checking signature
-	principal, err := g.IssuerPool.Authenticate(ctx, token)
+	principal, err := g.Authenticate(ctx, token)
 	if err != nil {
 		return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, invalidIdentityToken)
 	}