
chore(lint): enable concurrent execution for the linter and enable formatters (#5752)

Co-authored-by: Jakob Möller <contact@jakob-moeller.com>
Gergely Bräutigam 5 months ago
parent
commit
15aeab338c
100 changed files with 657 additions and 332 deletions
  1. 4 31
      .github/workflows/ci.yml
  2. 1 2
      .github/workflows/publish.yml
  3. 0 1
      .github/workflows/release.yml
  4. 0 1
      .github/workflows/release_esoctl.yml
  5. 8 0
      .golangci.yaml
  6. 25 31
      Makefile
  7. 1 1
      apis/externalsecrets/v1/fakes/pushremoteref.go
  8. 5 5
      apis/externalsecrets/v1/secretstore_barbican_types.go
  9. 5 1
      apis/externalsecrets/v1/secretstore_validator_test.go
  10. 5 1
      apis/externalsecrets/v1beta1/secretstore_validator_test.go
  11. 2 1
      apis/generators/v1alpha1/types_mfa.go
  12. 2 1
      cmd/controller/certcontroller.go
  13. 4 2
      cmd/controller/root.go
  14. 16 3
      generators/v1/acr/acr.go
  15. 0 1
      generators/v1/cloudsmith/cloudsmith.go
  16. 1 4
      generators/v1/ecr/resolver.go
  17. 0 1
      generators/v1/fake/fake.go
  18. 1 2
      generators/v1/gcr/gcr.go
  19. 0 1
      generators/v1/github/github.go
  20. 0 1
      generators/v1/grafana/grafana.go
  21. 0 1
      generators/v1/mfa/mfa.go
  22. 0 1
      generators/v1/quay/quay.go
  23. 0 1
      generators/v1/sts/sts.go
  24. 0 1
      generators/v1/uuid/uuid.go
  25. 9 2
      generators/v1/vault/vault.go
  26. 1 1
      generators/v1/vault/vault_test.go
  27. 1 0
      hack/api-docs/Makefile
  28. 1 0
      main.go
  29. 7 1
      pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go
  30. 2 1
      pkg/controllers/crds/crds_controller.go
  31. 8 1
      pkg/controllers/externalsecret/externalsecret_controller.go
  32. 23 4
      pkg/controllers/externalsecret/externalsecret_controller_secret.go
  33. 56 13
      pkg/controllers/externalsecret/externalsecret_controller_test.go
  34. 16 3
      pkg/controllers/pushsecret/pushsecret_controller.go
  35. 1 0
      pkg/controllers/secretstore/common_test.go
  36. 1 1
      pkg/controllers/webhookconfig/webhookconfig.go
  37. 0 1
      pkg/register/generators.go
  38. 5 1
      providers/v1/akeyless/akeyless_test.go
  39. 1 1
      providers/v1/alibaba/kms_test.go
  40. 20 4
      providers/v1/aws/auth/auth.go
  41. 32 23
      providers/v1/aws/auth/auth_test.go
  42. 1 1
      providers/v1/aws/parameterstore/parameterstore.go
  43. 5 3
      providers/v1/aws/parameterstore/parameterstore_test.go
  44. 1 1
      providers/v1/aws/secretsmanager/secretsmanager.go
  45. 59 55
      providers/v1/aws/secretsmanager/secretsmanager_test.go
  46. 6 2
      providers/v1/aws/util/errors_test.go
  47. 1 0
      providers/v1/aws/util/provider.go
  48. 5 1
      providers/v1/azure/keyvault/fake/fake.go
  49. 3 2
      providers/v1/azure/keyvault/keyvault_dual_sdk_test.go
  50. 6 2
      providers/v1/azure/keyvault/keyvault_new_sdk.go
  51. 1 1
      providers/v1/azure/keyvault/keyvault_test.go
  52. 7 8
      providers/v1/barbican/client.go
  53. 1 1
      providers/v1/barbican/client_test.go
  54. 1 1
      providers/v1/barbican/fake/mock.go
  55. 0 1
      providers/v1/barbican/provider.go
  56. 1 2
      providers/v1/beyondtrust/provider.go
  57. 3 5
      providers/v1/beyondtrust/provider_test.go
  58. 1 1
      providers/v1/chef/chef.go
  59. 1 1
      providers/v1/chef/chef_test.go
  60. 1 1
      providers/v1/cloudru/secretmanager/client.go
  61. 1 1
      providers/v1/cloudru/secretmanager/resolver.go
  62. 1 1
      providers/v1/conjur/client.go
  63. 8 1
      providers/v1/conjur/provider.go
  64. 1 1
      providers/v1/conjur/validate.go
  65. 2 2
      providers/v1/doppler/client.go
  66. 1 1
      providers/v1/doppler/provider.go
  67. 7 1
      providers/v1/gcp/secretmanager/workload_identity_federation.go
  68. 8 4
      providers/v1/gcp/secretmanager/workload_identity_federation_test.go
  69. 4 1
      providers/v1/gitlab/gitlab_test.go
  70. 4 1
      providers/v1/ibm/fake/fake.go
  71. 9 2
      providers/v1/infisical/client.go
  72. 82 12
      providers/v1/infisical/provider.go
  73. 27 18
      providers/v1/keepersecurity/client_test.go
  74. 6 4
      providers/v1/kubernetes/client_test.go
  75. 5 1
      providers/v1/kubernetes/metadata.go
  76. 3 2
      providers/v1/ngrok/client_test.go
  77. 3 3
      providers/v1/ngrok/provider.go
  78. 3 2
      providers/v1/ngrok/provider_test.go
  79. 1 1
      providers/v1/onboardbase/client.go
  80. 1 1
      providers/v1/onboardbase/provider.go
  81. 1 1
      providers/v1/onepassword/onepassword_test.go
  82. 19 3
      providers/v1/oracle/oracle.go
  83. 1 0
      providers/v1/previder/provider.go
  84. 7 1
      providers/v1/senhasegura/auth/iso.go
  85. 2 2
      providers/v1/vault/auth.go
  86. 3 2
      providers/v1/vault/auth_gcp_test.go
  87. 16 2
      providers/v1/vault/auth_iam.go
  88. 1 1
      providers/v1/vault/client.go
  89. 1 1
      providers/v1/vault/client_get_all_secrets_test.go
  90. 1 1
      providers/v1/vault/client_get_test.go
  91. 1 1
      providers/v1/vault/client_push_test.go
  92. 1 1
      providers/v1/vault/fake/vault.go
  93. 9 1
      providers/v1/vault/iamauth/iamauth.go
  94. 28 4
      providers/v1/vault/provider.go
  95. 2 2
      providers/v1/vault/provider_test.go
  96. 1 1
      providers/v1/volcengine/provider.go
  97. 15 4
      providers/v1/yandex/certificatemanager/certificatemanagersecretgetter.go
  98. 1 1
      providers/v1/yandex/certificatemanager/client/fakeclient.go
  99. 1 1
      providers/v1/yandex/certificatemanager/client/grpcclient.go
  100. 1 1
      providers/v1/yandex/common/provider.go

+ 4 - 31
.github/workflows/ci.yml

@@ -35,34 +35,6 @@ jobs:
           do_not_skip: '["workflow_dispatch", "schedule", "push"]'
           concurrent_skipping: false
 
-  lint:
-    permissions:
-      contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
-    runs-on: ubuntu-latest
-    needs: detect-noop
-    if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
-
-    steps:
-      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
-        with:
-          egress-policy: audit
-      - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-
-      - name: Setup Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
-        id: setup-go
-        with:
-          go-version-file: "go.mod"
-
-      - name: Download Go modules
-        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
-        run: go mod download
-
-      - name: Run lint
-        run: make lint
-
   license-check:
     permissions:
       contents: read  # for actions/checkout to fetch code
@@ -99,7 +71,6 @@ jobs:
           go-version-file: "go.mod"
 
       - name: Download Go modules
-        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
         run: go mod download
 
       - name: Configure Git
@@ -108,8 +79,11 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Check Diff
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          make check-diff
+          # make check-diff will also execute linting so there is no need for a separate lint action
+          make check-diff LINT_JOBS=2
 
   unit-tests:
     runs-on: ubuntu-latest
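Review bot: `GITHUB_TOKEN` is now in the environment of the entire `make check-diff` run in the Check Diff step, and the added comment says that run also executes linting, so every tool the target starts (code generators, golangci-lint, anything it downloads) can read the token. The `permissions:` block of this job is outside the hunk; it is worth confirming it is limited to `contents: read`, as the neighbouring license-check job is, so the token stays read-only. The same commit adds `GITHUB_TOKEN ?= invalid` to hack/api-docs/Makefile, which suggests only the docs build consumes it; if so, say that next to the `env:` entry, e.g. `# consumed by <target name>; job token is read-only`, so later edits do not widen its use unnoticed.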
@@ -133,7 +107,6 @@ jobs:
           go-version-file: "go.mod"
 
       - name: Download Go modules
-        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
         run: go mod download
 
       - name: Cache envtest binaries

+ 1 - 2
.github/workflows/publish.yml

@@ -80,7 +80,6 @@ jobs:
           go-version-file: "go.mod"
 
       - name: Download Go modules
-        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
         run: go mod download
 
       - name: Fetch History
@@ -139,7 +138,7 @@ jobs:
       # consistently
       - name: Cleanup unused cache
         shell: bash
-        run: | 
+        run: |
           docker system prune --force
           go clean -cache
           go clean -modcache

+ 0 - 1
.github/workflows/release.yml

@@ -160,7 +160,6 @@ jobs:
           go-version-file: "go.mod"
 
       - name: Download Go modules
-        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
         run: go mod download
 
       - name: Login to Docker

+ 0 - 1
.github/workflows/release_esoctl.yml

@@ -60,7 +60,6 @@ jobs:
           go-version-file: "go.mod"
 
       - name: Download Go modules
-        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
         run: go mod download
 
       - name: Install Syft

+ 8 - 0
.golangci.yaml

@@ -125,7 +125,15 @@ issues:
   max-same-issues: 0
 
 formatters:
+  enable:
+    - gci
+    - gofmt
+    - goimports
+    - golines
   settings:
+    goimports:
+      local-prefixes:
+        - github.com/external-secrets/external-secrets
     golines:
       # Target maximum line length.
       # Default: 100

+ 25 - 31
Makefile

@@ -146,47 +146,40 @@ build-%: generate ## Build binary for the specified arch
 		go build -tags $(PROVIDER) -o '$(OUTPUT_DIR)/external-secrets-linux-$*' main.go
 	@$(OK) go build $*
 
-lint: golangci-lint ## Run golangci-lint (set LINT_TARGET to run on specific module)
+lint: golangci-lint ## Run golangci-lint (set LINT_TARGET to run on specific module, LINT_JOBS for parallel jobs)
 	@if [ -n "$(LINT_TARGET)" ]; then \
 		$(INFO) Running golangci-lint on $(LINT_TARGET); \
 		(cd $(LINT_TARGET) && $(GOLANGCI_LINT) run ./...) || exit 1; \
 		$(OK) Finished linting $(LINT_TARGET); \
 	else \
-		$(INFO) Running golangci-lint on all modules; \
-		FAILED=0; \
-		MODULES=$$(find . -name go.mod -not -path "*/vendor/*" -not -path "*/e2e/*" -not -path "*/node_modules/*" -exec dirname {} \;); \
-		for module in $$MODULES; do \
+		$(INFO) Running golangci-lint on all modules in parallel; \
+		JOBS=$${LINT_JOBS:-20}; \
+		TMPDIR=$$(mktemp -d); \
+		GOLANGCI=$(GOLANGCI_LINT); \
+		trap "rm -rf $$TMPDIR" EXIT; \
+		export TMPDIR GOLANGCI; \
+		find . -name go.mod -not -path "*/vendor/*" -not -path "*/e2e/*" -not -path "*/node_modules/*" -exec dirname {} \; | \
+		xargs -n 1 -P $$JOBS sh -c ' \
+			module="$$0"; \
+			name=$$(echo "$$module" | sed "s/[\/\.]/_/g"); \
 			echo "Linting $$module"; \
-			(cd $$module && $(GOLANGCI_LINT) run ./...) || FAILED=$$((FAILED + 1)); \
-		done; \
+			if (cd "$$module" && $$GOLANGCI run ./... 2>&1); then \
+				echo "✓ $$module" > "$$TMPDIR/$$name.success"; \
+			else \
+				echo "✗ $$module" > "$$TMPDIR/$$name.failed"; \
+				exit 1; \
+			fi \
+		'; \
+		FAILED=$$(find $$TMPDIR -name "*.failed" 2>/dev/null | wc -l | tr -d " "); \
+		SUCCESS=$$(find $$TMPDIR -name "*.success" 2>/dev/null | wc -l | tr -d " "); \
+		echo "Results: $$SUCCESS passed, $$FAILED failed"; \
 		if [ $$FAILED -ne 0 ]; then \
+			echo "Failed modules:"; \
+			cat $$TMPDIR/*.failed 2>/dev/null || true; \
 			$(ERR) Linting failed in $$FAILED module\(s\); \
 			exit 1; \
 		fi; \
-		$(OK) Finished linting; \
-	fi
-
-fmt: golangci-lint ## Ensure consistent code style (set LINT_TARGET to run on specific module)
-	@go mod tidy
-	@cd e2e/ && go mod tidy
-	@go fmt ./...
-	@if [ -n "$(LINT_TARGET)" ]; then \
-		$(INFO) Running golangci-lint --fix on $(LINT_TARGET); \
-		(cd $(LINT_TARGET) && $(GOLANGCI_LINT) run --fix ./...); \
-		$(OK) Finished fixing $(LINT_TARGET); \
-	else \
-		$(INFO) Running golangci-lint --fix on all modules; \
-		FAILED=0; \
-		MODULES=$$(find . -name go.mod -not -path "*/vendor/*" -not -path "*/e2e/*" -not -path "*/node_modules/*" -exec dirname {} \;); \
-		for module in $$MODULES; do \
-			echo "Fixing $$module"; \
-			(cd $$module && $(GOLANGCI_LINT) run --fix ./...) || FAILED=$$((FAILED + 1)); \
-		done; \
-		if [ $$FAILED -ne 0 ]; then \
-			$(ERR) Fixing failed in $$FAILED module\(s\); \
-			exit 1; \
-		fi; \
-		$(OK) Ensured consistent code style; \
+		$(OK) Finished linting all modules; \
 	fi
 
 generate: ## Generate code and crds
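Review bot: Exporting `TMPDIR` in the parallel branch of `lint` repoints the temp directory of every child process, so golangci-lint and the Go toolchain put their scratch files in the same directory as the `.success`/`.failed` markers, and the recursive `find $$TMPDIR -name "*.failed"` counts whatever lands there. A dedicated variable avoids that and also stops the recipe when `mktemp` fails instead of writing markers under `/`: `RESULTS=$$(mktemp -d) || exit 1;`, `trap 'rm -rf "$$RESULTS"' EXIT;`, `export RESULTS GOLANGCI;`. Separately, `find … -exec dirname {} \; | xargs -n 1` splits module paths on whitespace, and with the default of 20 jobs the `2>&1` output of concurrent linters interleaves. Whether golangci-lint is configured to allow parallel instances (`run.allow-parallel-runners`) is not visible in this diff and should be confirmed.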
@@ -293,6 +286,7 @@ helm.update.appversion:
 
 # ====================================================================================
 # Documentation
+
 .PHONY: docs
 docs: generate ## Generate docs
 	$(MAKE) -C ./hack/api-docs build

+ 1 - 1
apis/externalsecrets/v1/fakes/pushremoteref.go

@@ -20,7 +20,7 @@ package fakes
 import (
 	"sync"
 
-	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	v1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
 // PushRemoteRef is a fake implementation of the PushRemoteRef interface for testing.

+ 5 - 5
apis/externalsecrets/v1/secretstore_barbican_types.go

@@ -35,11 +35,11 @@ type BarbicanProviderPasswordRef struct {
 
 // BarbicanProvider setup a store to sync secrets with barbican.
 type BarbicanProvider struct {
-	AuthURL    string              `json:"authURL,omitempty"`
-	TenantName string              `json:"tenantName,omitempty"`
-	DomainName string              `json:"domainName,omitempty"`
-	Region     string              `json:"region,omitempty"`
-	Auth       BarbicanAuth        `json:"auth"`
+	AuthURL    string       `json:"authURL,omitempty"`
+	TenantName string       `json:"tenantName,omitempty"`
+	DomainName string       `json:"domainName,omitempty"`
+	Region     string       `json:"region,omitempty"`
+	Auth       BarbicanAuth `json:"auth"`
 }
 
 // BarbicanAuth contains the authentication information for Barbican.

+ 5 - 1
apis/externalsecrets/v1/secretstore_validator_test.go

@@ -118,7 +118,11 @@ func TestValidateSecretStore(t *testing.T) {
 				}, MaintenanceStatusMaintained)
 			},
 			assertErr: func(t *testing.T, err error) {
-				assert.EqualError(t, err, "failed to compile 0th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\1`\nfailed to compile 1th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\2`")
+				assert.EqualError(
+					t,
+					err,
+					"failed to compile 0th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\1`\nfailed to compile 1th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\2`",
+				)
 			},
 		},
 		{

+ 5 - 1
apis/externalsecrets/v1beta1/secretstore_validator_test.go

@@ -106,7 +106,11 @@ func TestValidateSecretStore(t *testing.T) {
 				})
 			},
 			assertErr: func(t *testing.T, err error) {
-				assert.EqualError(t, err, "failed to compile 0th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\1`\nfailed to compile 1th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\2`")
+				assert.EqualError(
+					t,
+					err,
+					"failed to compile 0th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\1`\nfailed to compile 1th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\2`",
+				)
 			},
 		},
 		{

+ 2 - 1
apis/generators/v1alpha1/types_mfa.go

@@ -17,8 +17,9 @@ limitations under the License.
 package v1alpha1
 
 import (
-	smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
 // MFASpec controls the behavior of the mfa generator.

+ 2 - 1
cmd/controller/certcontroller.go

@@ -193,7 +193,8 @@ func init() {
 	certcontrollerCmd.Flags().StringVar(&serviceNamespace, "service-namespace", "default", "Webhook service namespace")
 	certcontrollerCmd.Flags().StringVar(&secretName, "secret-name", "external-secrets-webhook", "Secret to store certs for webhook")
 	certcontrollerCmd.Flags().StringVar(&secretNamespace, "secret-namespace", "default", "namespace of the secret to store certs")
-	certcontrollerCmd.Flags().StringSliceVar(&crdNames, "crd-names", []string{"externalsecrets.external-secrets.io", "clustersecretstores.external-secrets.io", "secretstores.external-secrets.io"}, "CRD names reconciled by the controller")
+	certcontrollerCmd.Flags().
+		StringSliceVar(&crdNames, "crd-names", []string{"externalsecrets.external-secrets.io", "clustersecretstores.external-secrets.io", "secretstores.external-secrets.io"}, "CRD names reconciled by the controller")
 	certcontrollerCmd.Flags().BoolVar(&enablePartialCache, "enable-partial-cache", false,
 		"Enable caching of only the relevant CRDs and Webhook configurations in the Informer to improve memory efficiency")
 	certcontrollerCmd.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false,

+ 4 - 2
cmd/controller/root.go

@@ -356,7 +356,8 @@ func init() {
 	rootCmd.Flags().StringVar(&liveAddr, "live-addr", ":8082", "The address the live endpoint binds to.")
 	rootCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
 	rootCmd.Flags().StringVar(&zapTimeEncoding, "zap-time-encoding", "epoch", "Zap time encoding (one of 'epoch', 'millis', 'nano', 'iso8601', 'rfc3339' or 'rfc3339nano')")
-	rootCmd.Flags().StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
+	rootCmd.Flags().
+		StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
 	rootCmd.Flags().BoolVar(&enableClusterStoreReconciler, "enable-cluster-store-reconciler", true, "Enable cluster store reconciler.")
 	rootCmd.Flags().BoolVar(&enableSecretStoreReconciler, "enable-secret-store-reconciler", true, "Enable secret store reconciler.")
 	rootCmd.Flags().BoolVar(&enableClusterExternalSecretReconciler, "enable-cluster-external-secret-reconciler", true, "Enable cluster external secret reconciler.")
@@ -371,7 +372,8 @@ func init() {
 	rootCmd.Flags().BoolVar(&enableExtendedMetricLabels, "enable-extended-metric-labels", false, "Enable recommended kubernetes annotations as labels in metrics.")
 	rootCmd.Flags().BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics server")
-	rootCmd.Flags().BoolVar(&allowGenericTargets, "unsafe-allow-generic-targets", false, "Enable support for creating generic resources (ConfigMaps, Custom Resources). WARNING: Using generic resources, please sure all policies are correctly configured.")
+	rootCmd.Flags().
+		BoolVar(&allowGenericTargets, "unsafe-allow-generic-targets", false, "Enable support for creating generic resources (ConfigMaps, Custom Resources). WARNING: Using generic resources, please sure all policies are correctly configured.")
 	fs := feature.Features()
 	for _, f := range fs {
 		rootCmd.Flags().AddFlagSet(f.Flags)
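Review bot: The help text of `unsafe-allow-generic-targets`, re-wrapped in this hunk, is the only warning an operator sees for this flag and it is incomplete: "please sure all policies are correctly configured" is missing a verb and does not say which policies are meant. Something like `WARNING: when using generic resources, make sure the policies that restrict which resources the controller may create are correctly configured.` would read better, with the exact wording to be confirmed by the maintainers. The wrap itself still leaves the line far over the golines limit; breaking after a comma, as the neighbouring `enable-http2` call does, would keep the flag name on the same line as `BoolVar`. `init()` starts and ends outside the hunk.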

+ 16 - 3
generators/v1/acr/acr.go

@@ -242,7 +242,14 @@ func fetchACRRefreshToken(aadAccessToken, tenantID, registryURL string) (string,
 	return refreshToken, nil
 }
 
-func accessTokenForWorkloadIdentity(ctx context.Context, crClient client.Client, kubeClient kcorev1.CoreV1Interface, envType esv1.AzureEnvironmentType, serviceAccountRef *smmeta.ServiceAccountSelector, namespace string) (string, error) {
+func accessTokenForWorkloadIdentity(
+	ctx context.Context,
+	crClient client.Client,
+	kubeClient kcorev1.CoreV1Interface,
+	envType esv1.AzureEnvironmentType,
+	serviceAccountRef *smmeta.ServiceAccountSelector,
+	namespace string,
+) (string, error) {
 	aadEndpoint := keyvault.AadEndpointForType(envType)
 	scope := keyvault.ServiceManagementEndpointForType(envType)
 	// if no serviceAccountRef was provided
@@ -323,7 +330,14 @@ func accessTokenForManagedIdentity(ctx context.Context, envType esv1.AzureEnviro
 	return accessToken.Token, nil
 }
 
-func (g *Generator) accessTokenForServicePrincipal(ctx context.Context, crClient client.Client, namespace string, envType esv1.AzureEnvironmentType, tenantID string, idRef, secretRef smmeta.SecretKeySelector) (string, error) {
+func (g *Generator) accessTokenForServicePrincipal(
+	ctx context.Context,
+	crClient client.Client,
+	namespace string,
+	envType esv1.AzureEnvironmentType,
+	tenantID string,
+	idRef, secretRef smmeta.SecretKeySelector,
+) (string, error) {
 	cid, err := secretKeyRef(ctx, crClient, namespace, idRef)
 	if err != nil {
 		return "", err
@@ -397,7 +411,6 @@ func parseSpec(data []byte) (*genv1alpha1.ACRAccessToken, error) {
 	return &spec, err
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Generator{}

+ 0 - 1
generators/v1/cloudsmith/cloudsmith.go

@@ -193,7 +193,6 @@ func parseSpec(specData []byte) (*genv1alpha1.CloudsmithAccessToken, error) {
 	return &spec, err
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Generator{}

+ 1 - 4
generators/v1/ecr/resolver.go

@@ -17,6 +17,7 @@ limitations under the License.
 package ecr
 
 import (
+	"context"
 	"fmt"
 	"net/url"
 	"os"
@@ -26,10 +27,6 @@ import (
 	smithyendpoints "github.com/aws/smithy-go/endpoints"
 )
 
-import (
-	"context"
-)
-
 const (
 	// ECREndpointEnv is the environment variable name for specifying a custom ECR endpoint.
 	ECREndpointEnv = "AWS_ECR_ENDPOINT"

+ 0 - 1
generators/v1/fake/fake.go

@@ -61,7 +61,6 @@ func parseSpec(data []byte) (*genv1alpha1.Fake, error) {
 	return &spec, err
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Generator{}

+ 1 - 2
generators/v1/gcr/gcr.go

@@ -30,8 +30,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
-	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/providers/v1/gcp/secretmanager"
+	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
 )
 
 // Generator implements GCR token generation functionality.
@@ -103,7 +103,6 @@ func parseSpec(data []byte) (*genv1alpha1.GCRAccessToken, error) {
 	return &spec, err
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Generator{}

+ 0 - 1
generators/v1/github/github.go

@@ -215,7 +215,6 @@ func parseSpec(data []byte) (*genv1alpha1.GithubAccessToken, error) {
 	return &spec, err
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Generator{}

+ 0 - 1
generators/v1/grafana/grafana.go

@@ -211,7 +211,6 @@ func parseStatus(data []byte) (*genv1alpha1.GrafanaServiceAccountTokenState, err
 	return &state, err
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Grafana{}

+ 0 - 1
generators/v1/mfa/mfa.go

@@ -94,7 +94,6 @@ func parseSpec(data []byte) (*genv1alpha1.MFA, error) {
 	return &spec, err
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Generator{}

+ 0 - 1
generators/v1/quay/quay.go

@@ -158,7 +158,6 @@ func parseSpec(data []byte) (*genv1alpha1.QuayAccessToken, error) {
 	return &spec, err
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Generator{}

+ 0 - 1
generators/v1/sts/sts.go

@@ -126,7 +126,6 @@ func parseSpec(data []byte) (*genv1alpha1.STSSessionToken, error) {
 	return &spec, err
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Generator{}

+ 0 - 1
generators/v1/uuid/uuid.go

@@ -61,7 +61,6 @@ func generateUUID() (string, error) {
 	return uuid.String(), nil
 }
 
-
 // NewGenerator creates a new Generator instance.
 func NewGenerator() genv1alpha1.Generator {
 	return &Generator{}

+ 9 - 2
generators/v1/vault/vault.go

@@ -33,7 +33,7 @@ import (
 
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 	provider "github.com/external-secrets/external-secrets/providers/v1/vault"
-	"github.com/external-secrets/external-secrets/providers/v1/vault/util"
+	vaultutil "github.com/external-secrets/external-secrets/providers/v1/vault/util"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 )
 
@@ -71,7 +71,14 @@ func (g *Generator) Cleanup(_ context.Context, _ *apiextensions.JSON, _ genv1alp
 	return nil
 }
 
-func (g *Generator) generate(ctx context.Context, c *provider.Provider, jsonSpec *apiextensions.JSON, kube client.Client, corev1 typedcorev1.CoreV1Interface, namespace string) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
+func (g *Generator) generate(
+	ctx context.Context,
+	c *provider.Provider,
+	jsonSpec *apiextensions.JSON,
+	kube client.Client,
+	corev1 typedcorev1.CoreV1Interface,
+	namespace string,
+) (map[string][]byte, genv1alpha1.GeneratorProviderState, error) {
 	if jsonSpec == nil {
 		return nil, nil, errors.New(errNoSpec)
 	}

+ 1 - 1
generators/v1/vault/vault_test.go

@@ -32,7 +32,7 @@ import (
 
 	provider "github.com/external-secrets/external-secrets/providers/v1/vault"
 	"github.com/external-secrets/external-secrets/providers/v1/vault/fake"
-	"github.com/external-secrets/external-secrets/providers/v1/vault/util"
+	vaultutil "github.com/external-secrets/external-secrets/providers/v1/vault/util"
 	utilfake "github.com/external-secrets/external-secrets/runtime/util/fake"
 )
 

+ 1 - 0
hack/api-docs/Makefile

@@ -22,6 +22,7 @@ MAJOR_VERSION ?= $(shell echo $(VERSION_NO_V) | cut -d'.' -f1)
 MINOR_VERSION ?= $(shell echo $(VERSION_NO_V) | cut -d'.' -f2)
 VERSION_TO_CHECK ?= $(shell echo $(MAJOR_VERSION).$(MINOR_VERSION))
 DOCS_ALIAS ?= unstable
+GITHUB_TOKEN ?= invalid
 SERVE_BIND_ADDRESS ?= 127.0.0.1
 SHELL := /usr/bin/env bash
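Review bot: `GITHUB_TOKEN ?= invalid` makes a missing token indistinguishable from a configured one, because whatever consumes the variable (its use is outside this hunk) receives the literal string `invalid`. That is likely to surface as an authentication error rather than a clear "token not set" message. If the placeholder is intentional, a comment above the default would record that, e.g. `# Placeholder so local builds work without a token; CI passes the real one via the environment.` If the consumer can run unauthenticated, an empty default would avoid sending a bogus credential.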
 

+ 1 - 0
main.go

@@ -19,6 +19,7 @@ package main
 
 import (
 	"github.com/external-secrets/external-secrets/cmd/controller"
+
 	_ "github.com/external-secrets/external-secrets/pkg/register" // Register all providers and generators
 )
 

+ 7 - 1
pkg/controllers/clusterexternalsecret/clusterexternalsecret_controller.go

@@ -371,7 +371,13 @@ func (r *Reconciler) updateNamespaceRemoveFinalizer(ctx context.Context, log log
 	return nil
 }
 
-func (r *Reconciler) createOrUpdateExternalSecret(ctx context.Context, clusterExternalSecret *esv1.ClusterExternalSecret, namespace v1.Namespace, esName string, esMetadata esv1.ExternalSecretMetadata) error {
+func (r *Reconciler) createOrUpdateExternalSecret(
+	ctx context.Context,
+	clusterExternalSecret *esv1.ClusterExternalSecret,
+	namespace v1.Namespace,
+	esName string,
+	esMetadata esv1.ExternalSecretMetadata,
+) error {
 	// Add namespace finalizer first to prevent deletion race conditions
 	if err := r.ensureNamespaceFinalizer(ctx, &namespace, clusterExternalSecret.Name); err != nil {
 		return err

+ 2 - 1
pkg/controllers/crds/crds_controller.go

@@ -36,7 +36,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -47,6 +46,8 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
+
+	"github.com/external-secrets/external-secrets/runtime/esutils"
 )
 
 const (

+ 8 - 1
pkg/controllers/externalsecret/externalsecret_controller.go

@@ -608,7 +608,14 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ct
 }
 
 // reconcileGenericTarget handles reconciliation for generic targets (ConfigMaps, Custom Resources).
-func (r *Reconciler) reconcileGenericTarget(ctx context.Context, externalSecret *esv1.ExternalSecret, log logr.Logger, start time.Time, resourceLabels map[string]string, syncCallsError *prometheus.CounterVec) (ctrl.Result, error) {
+func (r *Reconciler) reconcileGenericTarget(
+	ctx context.Context,
+	externalSecret *esv1.ExternalSecret,
+	log logr.Logger,
+	start time.Time,
+	resourceLabels map[string]string,
+	syncCallsError *prometheus.CounterVec,
+) (ctrl.Result, error) {
 	// retrieve the provider secret data
 	dataMap, err := r.GetProviderSecretData(ctx, externalSecret)
 	if err != nil {

+ 23 - 4
pkg/controllers/externalsecret/externalsecret_controller_secret.go

@@ -35,7 +35,6 @@ import (
 
 	// Loading registered generators.
 	_ "github.com/external-secrets/external-secrets/pkg/register"
-	_ "github.com/external-secrets/external-secrets/pkg/register"
 )
 
 // GetProviderSecretData returns the provider's secret data with the provided ExternalSecret.
@@ -153,7 +152,13 @@ func toStoreGenSourceRef(ref *esv1.StoreSourceRef) *esv1.StoreGeneratorSourceRef
 	}
 }
 
-func (r *Reconciler) handleGenerateSecrets(ctx context.Context, namespace string, remoteRef esv1.ExternalSecretDataFromRemoteRef, i int, generatorState *statemanager.Manager) (map[string][]byte, error) {
+func (r *Reconciler) handleGenerateSecrets(
+	ctx context.Context,
+	namespace string,
+	remoteRef esv1.ExternalSecretDataFromRemoteRef,
+	i int,
+	generatorState *statemanager.Manager,
+) (map[string][]byte, error) {
 	impl, generatorResource, err := resolvers.GeneratorRef(ctx, r.Client, r.Scheme, namespace, remoteRef.SourceRef.GeneratorRef)
 	if err != nil {
 		return nil, err
@@ -199,7 +204,14 @@ func generatorStateKey(i int) string {
 	return strconv.Itoa(i)
 }
 
-func (r *Reconciler) handleExtractSecrets(ctx context.Context, externalSecret *esv1.ExternalSecret, remoteRef esv1.ExternalSecretDataFromRemoteRef, cmgr *secretstore.Manager, genState *statemanager.Manager, i int) (map[string][]byte, error) {
+func (r *Reconciler) handleExtractSecrets(
+	ctx context.Context,
+	externalSecret *esv1.ExternalSecret,
+	remoteRef esv1.ExternalSecretDataFromRemoteRef,
+	cmgr *secretstore.Manager,
+	genState *statemanager.Manager,
+	i int,
+) (map[string][]byte, error) {
 	client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, remoteRef.SourceRef)
 	if err != nil {
 		return nil, err
@@ -240,7 +252,14 @@ func (r *Reconciler) handleExtractSecrets(ctx context.Context, externalSecret *e
 	return secretMap, nil
 }
 
-func (r *Reconciler) handleFindAllSecrets(ctx context.Context, externalSecret *esv1.ExternalSecret, remoteRef esv1.ExternalSecretDataFromRemoteRef, cmgr *secretstore.Manager, genState *statemanager.Manager, i int) (map[string][]byte, error) {
+func (r *Reconciler) handleFindAllSecrets(
+	ctx context.Context,
+	externalSecret *esv1.ExternalSecret,
+	remoteRef esv1.ExternalSecretDataFromRemoteRef,
+	cmgr *secretstore.Manager,
+	genState *statemanager.Manager,
+	i int,
+) (map[string][]byte, error) {
 	client, err := cmgr.Get(ctx, externalSecret.Spec.SecretStoreRef, externalSecret.Namespace, remoteRef.SourceRef)
 	if err != nil {
 		return nil, err

+ 56 - 13
pkg/controllers/externalsecret/externalsecret_controller_test.go

@@ -43,7 +43,7 @@ import (
 	ctest "github.com/external-secrets/external-secrets/pkg/controllers/commontest"
 	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret/esmetrics"
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
-	"github.com/external-secrets/external-secrets/pkg/controllers/util"
+	ctrlutil "github.com/external-secrets/external-secrets/pkg/controllers/util"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/runtime/testing/fake"
 
@@ -513,7 +513,13 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 			oldCharactersAroundMismatchToInclude := format.CharactersAroundMismatchToInclude
 			format.CharactersAroundMismatchToInclude = 10
 			Expect(ctest.FirstManagedFieldForManager(secret.ObjectMeta, ExternalSecretFQDN)).To(
-				Equal(fmt.Sprintf(`{"f:data":{"f:targetProperty":{}},"f:metadata":{"f:annotations":{"f:es-annotation-key":{},"f:%s":{}},"f:labels":{"f:es-label-key":{},"f:%s":{}}}}`, esv1.AnnotationDataHash, esv1.LabelManaged)),
+				Equal(
+					fmt.Sprintf(
+						`{"f:data":{"f:targetProperty":{}},"f:metadata":{"f:annotations":{"f:es-annotation-key":{},"f:%s":{}},"f:labels":{"f:es-label-key":{},"f:%s":{}}}}`,
+						esv1.AnnotationDataHash,
+						esv1.LabelManaged,
+					),
+				),
 			)
 			Expect(ctest.FirstManagedFieldForManager(secret.ObjectMeta, FakeManager)).To(
 				Equal(`{"f:data":{".":{},"f:pre-existing-key":{}},"f:metadata":{"f:annotations":{".":{},"f:existing-annotation-key":{}},"f:labels":{".":{},"f:existing-label-key":{}}},"f:type":{}}`),
@@ -1933,12 +1939,16 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		tc.checkExternalSecret = func(_ *esv1.ExternalSecret) {
 			// Condition True and False should be 0, since the Condition was not created
 			Eventually(func() float64 {
-				Expect(testExternalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
+				Expect(
+					testExternalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric),
+				).To(Succeed())
 				return metric.GetGauge().GetValue()
 			}, timeout, interval).Should(Equal(0.0))
 
 			Eventually(func() float64 {
-				Expect(testExternalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1.ExternalSecretReady), string(v1.ConditionFalse)).Write(&metric)).To(Succeed())
+				Expect(
+					testExternalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1.ExternalSecretReady), string(v1.ConditionFalse)).Write(&metric),
+				).To(Succeed())
 				return metric.GetGauge().GetValue()
 			}, timeout, interval).Should(Equal(0.0))
 
@@ -2317,7 +2327,8 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		}
 	}
 
-	DescribeTable("When reconciling an ExternalSecret",
+	DescribeTable(
+		"When reconciling an ExternalSecret",
 		func(tweaks ...testTweaks) {
 			tc := makeDefaultTestcase()
 			for _, tweak := range tweaks {
@@ -2412,17 +2423,49 @@ var _ = Describe("ExternalSecret controller", Serial, func() {
 		Entry("should update the status properly even if the deletionPolicy is Retain and the data is empty", deletionPolicyRetainEmptyData),
 		Entry("should not delete pre-existing secret with deletionPolicy=Merge", deletionPolicyMerge),
 		Entry("secret is created when there are no conditions for the cluster secret store", useClusterSecretStore, noConditionsSecretCreated),
-		Entry("secret is not created when the condition for the cluster secret store states a different namespace single string condition", useClusterSecretStore, noSecretCreatedWhenNamespaceDoesntMatchStringCondition),
-		Entry("secret is not created when the condition for the cluster secret store states a different namespace single string condition with multiple names", useClusterSecretStore, noSecretCreatedWhenNamespaceDoesntMatchStringConditionWithMultipleNames),
-		Entry("secret is not created when the condition for the cluster secret store states a different namespace multiple string conditions", useClusterSecretStore, noSecretCreatedWhenNamespaceDoesntMatchMultipleStringCondition),
-		Entry("secret is created when the condition for the cluster secret store has only one matching namespace by string condition", useClusterSecretStore, secretCreatedWhenNamespaceMatchesSingleStringCondition),
-		Entry("secret is created when the condition for the cluster secret store has one matching namespace of multiple namespaces by string condition", useClusterSecretStore, secretCreatedWhenNamespaceMatchesMultipleStringConditions),
-		Entry("secret is not created when the condition for the cluster secret store states a non-matching label condition", useClusterSecretStore, noSecretCreatedWhenNamespaceDoesntMatchLabelCondition),
+		Entry(
+			"secret is not created when the condition for the cluster secret store states a different namespace single string condition",
+			useClusterSecretStore,
+			noSecretCreatedWhenNamespaceDoesntMatchStringCondition,
+		),
+		Entry(
+			"secret is not created when the condition for the cluster secret store states a different namespace single string condition with multiple names",
+			useClusterSecretStore,
+			noSecretCreatedWhenNamespaceDoesntMatchStringConditionWithMultipleNames,
+		),
+		Entry(
+			"secret is not created when the condition for the cluster secret store states a different namespace multiple string conditions",
+			useClusterSecretStore,
+			noSecretCreatedWhenNamespaceDoesntMatchMultipleStringCondition,
+		),
+		Entry(
+			"secret is created when the condition for the cluster secret store has only one matching namespace by string condition",
+			useClusterSecretStore,
+			secretCreatedWhenNamespaceMatchesSingleStringCondition,
+		),
+		Entry(
+			"secret is created when the condition for the cluster secret store has one matching namespace of multiple namespaces by string condition",
+			useClusterSecretStore,
+			secretCreatedWhenNamespaceMatchesMultipleStringConditions,
+		),
+		Entry(
+			"secret is not created when the condition for the cluster secret store states a non-matching label condition",
+			useClusterSecretStore,
+			noSecretCreatedWhenNamespaceDoesntMatchLabelCondition,
+		),
 		Entry("secret is created when the condition for the cluster secret store states a single matching label condition", useClusterSecretStore, secretCreatedWhenNamespaceMatchOnlyLabelCondition),
-		Entry("secret is not created when the condition for the cluster secret store states a partially-matching label condition", useClusterSecretStore, noSecretCreatedWhenNamespacePartiallyMatchLabelCondition),
+		Entry(
+			"secret is not created when the condition for the cluster secret store states a partially-matching label condition",
+			useClusterSecretStore,
+			noSecretCreatedWhenNamespacePartiallyMatchLabelCondition,
+		),
 		Entry("secret is created when one of the label conditions for the cluster secret store matches", useClusterSecretStore, secretCreatedWhenNamespaceMatchOneLabelCondition),
 		Entry("secret is created when the namespaces matches multiple cluster secret store conditions", useClusterSecretStore, secretCreatedWhenNamespaceMatchMultipleConditions),
-		Entry("secret is not created when the namespaces doesn't match any of multiple cluster secret store conditions", useClusterSecretStore, noSecretCreatedWhenNamespaceMatchMultipleNonMatchingConditions),
+		Entry(
+			"secret is not created when the namespaces doesn't match any of multiple cluster secret store conditions",
+			useClusterSecretStore,
+			noSecretCreatedWhenNamespaceMatchMultipleNonMatchingConditions,
+		),
 	)
 })
 

+ 16 - 3
pkg/controllers/pushsecret/pushsecret_controller.go

@@ -44,7 +44,7 @@ import (
 	ctrlmetrics "github.com/external-secrets/external-secrets/pkg/controllers/metrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/pushsecret/psmetrics"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
-	"github.com/external-secrets/external-secrets/pkg/controllers/util"
+	ctrlutil "github.com/external-secrets/external-secrets/pkg/controllers/util"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/runtime/statemanager"
@@ -391,7 +391,13 @@ func (r *Reconciler) DeleteSecretFromStore(ctx context.Context, client esv1.Secr
 // PushSecretToProviders pushes the secret data to the specified secret stores.
 // It iterates over each store and handles the push operation according to the
 // defined update policies and conversion strategies.
-func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores map[esapi.PushSecretStoreRef]esv1.GenericStore, ps esapi.PushSecret, secret *v1.Secret, mgr *secretstore.Manager) (esapi.SyncedPushSecretsMap, error) {
+func (r *Reconciler) PushSecretToProviders(
+	ctx context.Context,
+	stores map[esapi.PushSecretStoreRef]esv1.GenericStore,
+	ps esapi.PushSecret,
+	secret *v1.Secret,
+	mgr *secretstore.Manager,
+) (esapi.SyncedPushSecretsMap, error) {
 	out := make(esapi.SyncedPushSecretsMap)
 	for ref, store := range stores {
 		out, err := r.handlePushSecretDataForStore(ctx, ps, secret, out, mgr, store.GetName(), ref.Kind)
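Review bot: The `out, err :=` inside the `for` loop declares a new `out` that shadows the map created two lines above, so the outer variable that is eventually returned is never reassigned from the helper's result. This works only as long as `handlePushSecretDataForStore` mutates and returns the same map it was given (its `out[storeKey] = make(...)` in the next hunk suggests it does), and that is easy to break in a later edit. Declaring `var err error` before the loop and writing `out, err = r.handlePushSecretDataForStore(...)` would make the data flow explicit; if the helper can return a nil map on error, keep the outer map and use a differently named local instead. The loop body continues outside this hunk, so the error path is not visible here.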
@@ -402,7 +408,14 @@ func (r *Reconciler) PushSecretToProviders(ctx context.Context, stores map[esapi
 	return out, nil
 }
 
-func (r *Reconciler) handlePushSecretDataForStore(ctx context.Context, ps esapi.PushSecret, secret *v1.Secret, out esapi.SyncedPushSecretsMap, mgr *secretstore.Manager, storeName, refKind string) (esapi.SyncedPushSecretsMap, error) {
+func (r *Reconciler) handlePushSecretDataForStore(
+	ctx context.Context,
+	ps esapi.PushSecret,
+	secret *v1.Secret,
+	out esapi.SyncedPushSecretsMap,
+	mgr *secretstore.Manager,
+	storeName, refKind string,
+) (esapi.SyncedPushSecretsMap, error) {
 	storeKey := fmt.Sprintf("%v/%v", refKind, storeName)
 	out[storeKey] = make(map[string]esapi.PushSecretData)
 	storeRef := esv1.SecretStoreRef{

+ 1 - 0
pkg/controllers/secretstore/common_test.go

@@ -27,6 +27,7 @@ import (
 
 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 )

+ 1 - 1
pkg/controllers/webhookconfig/webhookconfig.go

@@ -26,7 +26,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/go-logr/logr"
 	admissionregistration "k8s.io/api/admissionregistration/v1"
 	v1 "k8s.io/api/core/v1"
@@ -40,6 +39,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 
 	"github.com/external-secrets/external-secrets/runtime/constants"
+	"github.com/external-secrets/external-secrets/runtime/esutils"
 )
 
 // Reconciler reconciles a ValidatingWebhookConfiguration object

+ 0 - 1
pkg/register/generators.go

@@ -18,7 +18,6 @@ package register
 
 import (
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
-
 	acr "github.com/external-secrets/external-secrets/generators/v1/acr"
 	cloudsmith "github.com/external-secrets/external-secrets/generators/v1/cloudsmith"
 	ecr "github.com/external-secrets/external-secrets/generators/v1/ecr"

+ 5 - 1
providers/v1/akeyless/akeyless_test.go

@@ -312,7 +312,11 @@ func TestSecretExists(t *testing.T) {
 		failGetTestCase(),
 		makeValidAkeylessTestCase("success without property").SetExpectVal(true).SetExpectInput(&testingfake.PushSecretData{Property: ""}).
 			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return "my secret", nil })),
-		makeValidAkeylessTestCase("fail unmarshal").SetExpectVal(false).SetExpectErr("invalid character 'd' looking for beginning of value").SetExpectInput(&testingfake.PushSecretData{Property: "prop"}).
+		makeValidAkeylessTestCase(
+			"fail unmarshal",
+		).SetExpectVal(false).
+			SetExpectErr("invalid character 'd' looking for beginning of value").
+			SetExpectInput(&testingfake.PushSecretData{Property: "prop"}).
 			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return "daenerys", nil })),
 		makeValidAkeylessTestCase("no property").SetExpectVal(false).SetExpectInput(&testingfake.PushSecretData{Property: "prop"}).
 			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return `{"propa": "a"}`, nil })),

+ 1 - 1
providers/v1/alibaba/kms_test.go

@@ -27,8 +27,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils"
 	fakesm "github.com/external-secrets/external-secrets/providers/v1/alibaba/fake"
+	"github.com/external-secrets/external-secrets/runtime/esutils"
 )
 
 const (

+ 20 - 4
providers/v1/aws/auth/auth.go

@@ -35,12 +35,12 @@ import (
 	"k8s.io/client-go/kubernetes"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	awsutil "github.com/external-secrets/external-secrets/providers/v1/aws/util"
 	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/runtime/feature"
-	"github.com/external-secrets/external-secrets/providers/v1/aws/util"
-	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 )
 
 // Config contains configuration to create a new AWS provider.
@@ -176,7 +176,15 @@ func constructCredsProvider(ctx context.Context, prov *esv1.AWSProvider, isClust
 // * service-account token authentication via AssumeRoleWithWebIdentity
 // * static credentials from a Kind=Secret, optionally with doing a AssumeRole.
 // * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
-func NewGeneratorSession(ctx context.Context, auth esv1.AWSAuth, role, region string, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*aws.Config, error) {
+func NewGeneratorSession(
+	ctx context.Context,
+	auth esv1.AWSAuth,
+	role, region string,
+	kube client.Client,
+	namespace string,
+	assumeRoler STSProvider,
+	jwtProvider jwtProviderFactory,
+) (*aws.Config, error) {
 	var (
 		credsProvider aws.CredentialsProvider
 		err           error
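Review bot: The last bullet of the doc comment links to the AWS SDK for Java v1 credentials page, while this function returns an `*aws.Config` and builds an `aws.CredentialsProvider`, which appears to be the Go SDK v2. The default-chain order described there is not guaranteed to match what this code resolves. Pointing the bullet at the Go SDK v2 credential-resolution documentation would keep readers from reasoning about ambient credentials from the wrong reference. Separately, `role, region string` are adjacent same-typed parameters, so a short line in the doc comment such as `// role is the IAM role ARN to assume (may be empty); region is the AWS region.` would help call sites that pass both as bare string literals; confirm the "may be empty" part against the body, which is outside this hunk.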
@@ -250,7 +258,15 @@ func credsFromSecretRef(ctx context.Context, auth esv1.AWSAuth, storeKind string
 // in the ServiceAccount annotation.
 // If the ClusterSecretStore does not define a namespace it will use the namespace from the ExternalSecret (referentAuth).
 // If the ClusterSecretStore defines the namespace it will take precedence.
-func credsFromServiceAccount(ctx context.Context, auth esv1.AWSAuth, region string, isClusterKind bool, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (aws.CredentialsProvider, error) {
+func credsFromServiceAccount(
+	ctx context.Context,
+	auth esv1.AWSAuth,
+	region string,
+	isClusterKind bool,
+	kube client.Client,
+	namespace string,
+	jwtProvider jwtProviderFactory,
+) (aws.CredentialsProvider, error) {
 	name := auth.JWTAuth.ServiceAccountRef.Name
 	if isClusterKind && auth.JWTAuth.ServiceAccountRef.Namespace != nil {
 		namespace = *auth.JWTAuth.ServiceAccountRef.Namespace
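Review bot: `auth.JWTAuth.ServiceAccountRef.Name` is dereferenced on the first line of the body with no nil guard visible in this hunk; if `JWTAuth` or `ServiceAccountRef` are pointer fields (the `Namespace != nil` check suggests optional pointers are used in this struct), a store without them would panic here unless every caller checks first. A guard such as `if auth.JWTAuth == nil || auth.JWTAuth.ServiceAccountRef == nil { /* return an error */ }` would make the function safe on its own. The `isClusterKind &&` condition is also what stops a namespaced SecretStore from selecting a ServiceAccount in another namespace, so it deserves a comment at the `if`, for example `// only ClusterSecretStore may override the namespace; a namespaced store is pinned to its own`. The rest of the function lies outside this hunk.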

+ 32 - 23
providers/v1/aws/auth/auth_test.go

@@ -771,29 +771,38 @@ func TestNewGeneratorSession_AssumeRoleWithDefaultCredentials(t *testing.T) {
 	t.Setenv("AWS_SECRET_ACCESS_KEY", "BASE_SECRET_KEY")
 
 	stsProviderCalled := false
-	cfg, err := NewGeneratorSession(context.Background(), esv1.AWSAuth{}, "arn:aws:iam::123456789012:role/assumed-role", "us-east-1", clientfake.NewClientBuilder().Build(), "test-ns", func(cfg *aws.Config) STSprovider {
-		stsProviderCalled = true
-		creds, err := cfg.Credentials.Retrieve(context.Background())
-		assert.NoError(t, err)
-		assert.Equal(t, "BASE_ACCESS_KEY", creds.AccessKeyID)
-		return &fakesess.AssumeRoler{
-			AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
-				assert.Equal(t, "arn:aws:iam::123456789012:role/assumed-role", *input.RoleArn)
-				return &sts.AssumeRoleOutput{
-					AssumedRoleUser: &ststypes.AssumedRoleUser{
-						Arn:           aws.String("arn:aws:sts::123456789012:assumed-role/assumed-role/session"),
-						AssumedRoleId: aws.String("AROA123456"),
-					},
-					Credentials: &ststypes.Credentials{
-						AccessKeyId:     aws.String("ASSUMED_ACCESS_KEY"),
-						SecretAccessKey: aws.String("ASSUMED_SECRET_KEY"),
-						SessionToken:    aws.String("ASSUMED_SESSION_TOKEN"),
-						Expiration:      aws.Time(time.Now().Add(time.Hour)),
-					},
-				}, nil
-			},
-		}
-	}, DefaultJWTProvider)
+	cfg, err := NewGeneratorSession(
+		context.Background(),
+		esv1.AWSAuth{},
+		"arn:aws:iam::123456789012:role/assumed-role",
+		"us-east-1",
+		clientfake.NewClientBuilder().Build(),
+		"test-ns",
+		func(cfg *aws.Config) STSprovider {
+			stsProviderCalled = true
+			creds, err := cfg.Credentials.Retrieve(context.Background())
+			assert.NoError(t, err)
+			assert.Equal(t, "BASE_ACCESS_KEY", creds.AccessKeyID)
+			return &fakesess.AssumeRoler{
+				AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
+					assert.Equal(t, "arn:aws:iam::123456789012:role/assumed-role", *input.RoleArn)
+					return &sts.AssumeRoleOutput{
+						AssumedRoleUser: &ststypes.AssumedRoleUser{
+							Arn:           aws.String("arn:aws:sts::123456789012:assumed-role/assumed-role/session"),
+							AssumedRoleId: aws.String("AROA123456"),
+						},
+						Credentials: &ststypes.Credentials{
+							AccessKeyId:     aws.String("ASSUMED_ACCESS_KEY"),
+							SecretAccessKey: aws.String("ASSUMED_SECRET_KEY"),
+							SessionToken:    aws.String("ASSUMED_SESSION_TOKEN"),
+							Expiration:      aws.Time(time.Now().Add(time.Hour)),
+						},
+					}, nil
+				},
+			}
+		},
+		DefaultJWTProvider,
+	)
 
 	assert.NoError(t, err)
 	assert.NotNil(t, cfg)

+ 1 - 1
providers/v1/aws/parameterstore/parameterstore.go

@@ -35,12 +35,12 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	awsutil "github.com/external-secrets/external-secrets/providers/v1/aws/util"
 	"github.com/external-secrets/external-secrets/runtime/constants"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
 	"github.com/external-secrets/external-secrets/runtime/find"
 	"github.com/external-secrets/external-secrets/runtime/metrics"
-	"github.com/external-secrets/external-secrets/providers/v1/aws/util"
 )
 
 // Tier defines policy details for PushSecret.

+ 5 - 3
providers/v1/aws/parameterstore/parameterstore_test.go

@@ -25,7 +25,6 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
 	ssmtypes "github.com/aws/aws-sdk-go-v2/service/ssm/types"
-	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -36,7 +35,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	fakeps "github.com/external-secrets/external-secrets/providers/v1/aws/parameterstore/fake"
-	"github.com/external-secrets/external-secrets/providers/v1/aws/util"
+	awsutil "github.com/external-secrets/external-secrets/providers/v1/aws/util"
+	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
 	"github.com/external-secrets/external-secrets/runtime/testing/fake"
 )
 
@@ -514,7 +514,9 @@ func TestPushSecret(t *testing.T) {
 				},
 			},
 			want: want{
-				err: errors.New(`failed to parse metadata: failed to parse kubernetes.external-secrets.io/v1alpha1 PushSecretMetadata: error unmarshaling JSON: while decoding JSON: json: unknown field "fakeMetadataKey"`),
+				err: errors.New(
+					`failed to parse metadata: failed to parse kubernetes.external-secrets.io/v1alpha1 PushSecretMetadata: error unmarshaling JSON: while decoding JSON: json: unknown field "fakeMetadataKey"`,
+				),
 			},
 		},
 		"GetRemoteSecretWithoutDecryption": {

+ 1 - 1
providers/v1/aws/secretsmanager/secretsmanager.go

@@ -30,7 +30,6 @@ import (
 	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	"github.com/aws/smithy-go"
-	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
 	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
@@ -44,6 +43,7 @@ import (
 	awsutil "github.com/external-secrets/external-secrets/providers/v1/aws/util"
 	"github.com/external-secrets/external-secrets/runtime/constants"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
+	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
 	"github.com/external-secrets/external-secrets/runtime/find"
 	"github.com/external-secrets/external-secrets/runtime/metrics"
 )

+ 59 - 55
providers/v1/aws/secretsmanager/secretsmanager_test.go

@@ -30,7 +30,6 @@ import (
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
-	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -44,6 +43,7 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	fakesm "github.com/external-secrets/external-secrets/providers/v1/aws/secretsmanager/fake"
 	awsutil "github.com/external-secrets/external-secrets/providers/v1/aws/util"
+	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
 	"github.com/external-secrets/external-secrets/runtime/testing/fake"
 )
 
@@ -1547,7 +1547,7 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 		secretValue           string
 		batchGetSecretValueFn func(context.Context, *awssm.BatchGetSecretValueInput, ...func(*awssm.Options)) (*awssm.BatchGetSecretValueOutput, error)
 		listSecretsFn         func(context.Context, *awssm.ListSecretsInput, ...func(*awssm.Options)) (*awssm.ListSecretsOutput, error)
-		getSecretValueFn     func(context.Context, *awssm.GetSecretValueInput, ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error)
+		getSecretValueFn      func(context.Context, *awssm.GetSecretValueInput, ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error)
 		expectedData          map[string][]byte
 		expectedError         string
 	}{
@@ -1694,63 +1694,67 @@ func TestSecretsManagerGetAllSecrets(t *testing.T) {
 				Tags: secretTags,
 			},
 			listSecretsFn: func(_ context.Context, input *awssm.ListSecretsInput, _ ...func(*awssm.Options)) (*awssm.ListSecretsOutput, error) {
-			    allSecrets := []types.SecretListEntry{
-			        {
-			            Name: ptr.To(secretName),
-			            Tags: []types.Tag{
-			                { Key: ptr.To("foo"), Value: ptr.To("bar") },
-			            },
-			        },
-			        {
-			            Name: ptr.To(fmt.Sprintf("%ssomeothertext", secretName)),
-			        },
-			        {
-			            Name: ptr.To("unmatched-secret"),
-			            Tags: []types.Tag{
-			                { Key: ptr.To("foo"), Value: ptr.To("bar") },
-			            },
-			        },
-			    }
+				allSecrets := []types.SecretListEntry{
+					{
+						Name: ptr.To(secretName),
+						Tags: []types.Tag{
+							{Key: ptr.To("foo"), Value: ptr.To("bar")},
+						},
+					},
+					{
+						Name: ptr.To(fmt.Sprintf("%ssomeothertext", secretName)),
+					},
+					{
+						Name: ptr.To("unmatched-secret"),
+						Tags: []types.Tag{
+							{Key: ptr.To("foo"), Value: ptr.To("bar")},
+						},
+					},
+				}
 
 				filtered := make([]types.SecretListEntry, 0, len(allSecrets))
 				for _, secret := range allSecrets {
-    			    exclude := false
-
-    			    tagMap := map[string]string{}
-    			    for _, t := range secret.Tags {
-    			        if t.Key != nil && t.Value != nil {
-    			            tagMap[*t.Key] = *t.Value
-    			        }
-    			    }
-
-    			    for _, f := range input.Filters {
-    			        switch f.Key {
-    			        case types.FilterNameStringTypeName:
-    			            if secret.Name != nil {
-    			                for _, v := range f.Values {
-    			                    if strings.Contains(*secret.Name, v) {
-    			                        exclude = true
-    			                        break
-    			                    }
-    			                }
-    			            }
-    			        case types.FilterNameStringTypeTagKey:
-    			            for _, v := range f.Values {
-    			                if tagMap[v] == "" {
-    			                    exclude = true
-    			                    break
-    			                }
-    			            }
-						case types.FilterNameStringTypeDescription, types.FilterNameStringTypeTagValue, types.FilterNameStringTypePrimaryRegion, types.FilterNameStringTypeOwningService, types.FilterNameStringTypeAll:
+					exclude := false
+
+					tagMap := map[string]string{}
+					for _, t := range secret.Tags {
+						if t.Key != nil && t.Value != nil {
+							tagMap[*t.Key] = *t.Value
+						}
+					}
+
+					for _, f := range input.Filters {
+						switch f.Key {
+						case types.FilterNameStringTypeName:
+							if secret.Name != nil {
+								for _, v := range f.Values {
+									if strings.Contains(*secret.Name, v) {
+										exclude = true
+										break
+									}
+								}
+							}
+						case types.FilterNameStringTypeTagKey:
+							for _, v := range f.Values {
+								if tagMap[v] == "" {
+									exclude = true
+									break
+								}
+							}
+						case types.FilterNameStringTypeDescription,
+							types.FilterNameStringTypeTagValue,
+							types.FilterNameStringTypePrimaryRegion,
+							types.FilterNameStringTypeOwningService,
+							types.FilterNameStringTypeAll:
 							continue
-    			        }
-    			    }
-
-    			    if !exclude {
-    			        filtered = append(filtered, secret)
-    			    }
-    			}
-			    return &awssm.ListSecretsOutput{SecretList: filtered}, nil
+						}
+					}
+
+					if !exclude {
+						filtered = append(filtered, secret)
+					}
+				}
+				return &awssm.ListSecretsOutput{SecretList: filtered}, nil
 			},
 			getSecretValueFn: func(_ context.Context, input *awssm.GetSecretValueInput, _ ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error) {
 				if *input.SecretId == secretName {
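Review bot: In the mock `listSecretsFn`, the `types.FilterNameStringTypeName` branch sets `exclude = true` when the secret name contains a filter value, while the `types.FilterNameStringTypeTagKey` branch excludes when the tag is missing, so the two filters have opposite polarity and a name filter drops exactly the secrets it names. If the mock is meant to model the service's name filter (a prefix match, as far as I know), the condition would be `if !strings.HasPrefix(*secret.Name, v) { exclude = true }`; if the inversion is deliberate for this case, a comment saying so is needed. As written, a test that sends a name filter could pass while the provider returns secrets outside the requested scope. The enclosing test table starts and ends outside this hunk, so which filters this case actually sends is not visible here.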

+ 6 - 2
providers/v1/aws/util/errors_test.go

@@ -29,11 +29,15 @@ func TestSanitize(t *testing.T) {
 		expected string
 	}{
 		{
-			err:      errors.New("some AccessDeniedException: User: arn:aws:sts::123123123123:assumed-role/foobar is not authorized to perform: secretsmanager:GetSecretValue on resource: example\n\tstatus code: 400, request id: df34-75f-0c5f-4b4c-a71a-f93d581d177c"),
+			err: errors.New(
+				"some AccessDeniedException: User: arn:aws:sts::123123123123:assumed-role/foobar is not authorized to perform: secretsmanager:GetSecretValue on resource: example\n\tstatus code: 400, request id: df34-75f-0c5f-4b4c-a71a-f93d581d177c",
+			),
 			expected: "some AccessDeniedException: User: arn:aws:sts::123123123123:assumed-role/foobar is not authorized to perform: secretsmanager:GetSecretValue on resource: example\n\tstatus code: 400, ",
 		},
 		{
-			err:      errors.New("IncompleteSignature: 'something' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential=You,Can Get\"Almost{Anything}Here', SignedHeaders=content-length;content-type;host;x-amz-date, Signature=42ee80d90508ee472701f8fb7014f10c0ac16b6d6ac59379f0612ca2d35d7464'"),
+			err: errors.New(
+				"IncompleteSignature: 'something' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256 Credential=You,Can Get\"Almost{Anything}Here', SignedHeaders=content-length;content-type;host;x-amz-date, Signature=42ee80d90508ee472701f8fb7014f10c0ac16b6d6ac59379f0612ca2d35d7464'",
+			),
 			expected: "IncompleteSignature: 'something' not a valid key=value pair (missing equal-sign) in Authorization header: 'AWS4-HMAC-SHA256",
 		},
 		{
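Review bot: Neither table case says which fragment the sanitizer is required to strip, so the security property under test has to be worked out by diffing two long strings. The first case keeps the STS ARN and drops only the request id, and the second truncates before `Credential=` and `Signature=`. A short comment above each case would make that explicit, for example `// request id must be removed; principal ARN is kept` and `// everything after the auth scheme, including Credential= and Signature=, must be removed`. If the table struct can take it, a `name` field used with `t.Run` would also make a failure point at the right case; the struct definition and the loop are outside this hunk.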

+ 1 - 0
providers/v1/aws/util/provider.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 
 	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
+
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 

+ 5 - 1
providers/v1/azure/keyvault/fake/fake.go

@@ -55,7 +55,11 @@ func (mc *AzureMockClient) SetSecret(ctx context.Context, vaultBaseURL, secretNa
 	return mc.setSecret(ctx, vaultBaseURL, secretName, parameters)
 }
 
-func (mc *AzureMockClient) ImportCertificate(ctx context.Context, vaultBaseURL, certificateName string, parameters keyvault.CertificateImportParameters) (result keyvault.CertificateBundle, err error) {
+func (mc *AzureMockClient) ImportCertificate(
+	ctx context.Context,
+	vaultBaseURL, certificateName string,
+	parameters keyvault.CertificateImportParameters,
+) (result keyvault.CertificateBundle, err error) {
 	return mc.importCertificate(ctx, vaultBaseURL, certificateName, parameters)
 }
 

+ 3 - 2
providers/v1/azure/keyvault/keyvault_dual_sdk_test.go

@@ -20,12 +20,13 @@ import (
 	"context"
 	"testing"
 
-	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
 // TestFeatureFlagRouting tests that the UseAzureSDK feature flag correctly routes to the appropriate implementation.

+ 6 - 2
providers/v1/azure/keyvault/keyvault_new_sdk.go

@@ -339,7 +339,9 @@ func getCloudConfiguration(provider *esv1.AzureKVProvider) (cloud.Configuration,
 		var baseConfig cloud.Configuration
 		switch provider.EnvironmentType {
 		case esv1.AzureEnvironmentGermanCloud:
-			return cloud.Configuration{}, errors.New("Azure Germany (Microsoft Cloud Deutschland) was discontinued on October 29, 2021. Please use AzureStackCloud with custom configuration or migrate to public cloud regions")
+			return cloud.Configuration{}, errors.New(
+				"Azure Germany (Microsoft Cloud Deutschland) was discontinued on October 29, 2021. Please use AzureStackCloud with custom configuration or migrate to public cloud regions",
+			)
 		case esv1.AzureEnvironmentPublicCloud:
 			baseConfig = cloud.AzurePublic
 		case esv1.AzureEnvironmentUSGovernmentCloud:
@@ -366,7 +368,9 @@ func getCloudConfiguration(provider *esv1.AzureKVProvider) (cloud.Configuration,
 	case esv1.AzureEnvironmentChinaCloud:
 		return cloud.AzureChina, nil
 	case esv1.AzureEnvironmentGermanCloud:
-		return cloud.Configuration{}, errors.New("Azure Germany (Microsoft Cloud Deutschland) was discontinued on October 29, 2021. Please use AzureStackCloud with custom configuration or migrate to public cloud regions")
+		return cloud.Configuration{}, errors.New(
+			"Azure Germany (Microsoft Cloud Deutschland) was discontinued on October 29, 2021. Please use AzureStackCloud with custom configuration or migrate to public cloud regions",
+		)
 	case esv1.AzureEnvironmentAzureStackCloud:
 		return cloud.Configuration{}, errors.New("CustomCloudConfig is required when EnvironmentType is AzureStackCloud")
 	default:
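Review bot: The Azure Germany discontinuation message now appears as two identical multi-line `errors.New(...)` literals, one in each `switch` of `getCloudConfiguration`, so the two copies can drift apart and callers cannot match on the error. Hoisting it to a single package-level value, `var errAzureGermanyDiscontinued = errors.New("Azure Germany (Microsoft Cloud Deutschland) was discontinued on October 29, 2021. ...")`, and returning `cloud.Configuration{}, errAzureGermanyDiscontinued` at both sites would remove the duplication and the wrapped lines. The function begins and ends outside this hunk.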

File diff suppressed because it is too large
+ 1 - 1
providers/v1/azure/keyvault/keyvault_test.go


+ 7 - 8
providers/v1/barbican/client.go

@@ -26,20 +26,19 @@ import (
 
 	"github.com/gophercloud/gophercloud/v2"
 	"github.com/gophercloud/gophercloud/v2/openstack/keymanager/v1/secrets"
-
 	corev1 "k8s.io/api/core/v1"
 
 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
 const (
-	errClientGeneric      = "barbican client: %w"
-	errClientMissingField = "barbican client: missing field %w"
-	errClientListAllSecrets = "barbican client: failed to list all secrets: %w"
-	errClientExtractSecrets = "barbican client: failed to extract secrets: %w"
-	errClientGetSecretPayload = "barbican client: failed to get secret payload: %w"
+	errClientGeneric                  = "barbican client: %w"
+	errClientMissingField             = "barbican client: missing field %w"
+	errClientListAllSecrets           = "barbican client: failed to list all secrets: %w"
+	errClientExtractSecrets           = "barbican client: failed to extract secrets: %w"
+	errClientGetSecretPayload         = "barbican client: failed to get secret payload: %w"
 	errClientGetSecretPayloadProperty = "barbican client: failed to get secret payload property: %w"
-	errClientJSONUnmarshal = "barbican client: failed to unmarshal json: %w"
+	errClientJSONUnmarshal            = "barbican client: failed to unmarshal json: %w"
 )
 
 var _ esapi.SecretsClient = &Client{}
@@ -180,5 +179,5 @@ func extractUUIDFromRef(secretRef string) string {
 		return secretRef[lastSlash+1:] // <- will not result in overflow even if it's the last `/`
 	}
 
-  return ""
+	return ""
 }

+ 1 - 1
providers/v1/barbican/client_test.go

@@ -202,7 +202,7 @@ func TestGetAllSecretsValidation(t *testing.T) {
 				assert.Error(t, err)
 				assert.Contains(t, err.Error(), tc.errorMessage)
 			} else if err != nil {
-					assert.Contains(t, err.Error(), "barbican client")
+				assert.Contains(t, err.Error(), "barbican client")
 			}
 		})
 	}

+ 1 - 1
providers/v1/barbican/fake/mock.go

@@ -89,7 +89,7 @@ func (m *MockKeyManagerClient) ListSecrets(_ context.Context, _ *gophercloud.Ser
 		return nil, fmt.Errorf("%s", m.errorMessage)
 	}
 
-	var result =  make([]secrets.Secret, 10)
+	var result = make([]secrets.Secret, 10)
 	for _, secret := range m.secretsInfo {
 		// Apply name filter if provided
 		if opts != nil {
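Review bot: `make([]secrets.Secret, 10)` on the reformatted line creates a slice that already holds ten zero-valued secrets, not an empty slice with room for ten. If the loop that follows appends matching entries (the rest of ListSecrets is outside this hunk, so this is inferred), every mocked listing would start with ten empty secrets, and count or ID assertions in the provider tests would pass or fail for the wrong reason. If the 10 was meant as a capacity hint, `result := make([]secrets.Secret, 0, len(m.secretsInfo))` says so directly.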

+ 0 - 1
providers/v1/barbican/provider.go

@@ -23,7 +23,6 @@ import (
 
 	"github.com/gophercloud/gophercloud/v2"
 	"github.com/gophercloud/gophercloud/v2/openstack"
-
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 

+ 1 - 2
providers/v1/beyondtrust/provider.go

@@ -28,13 +28,12 @@ import (
 
 	auth "github.com/BeyondTrust/go-client-library-passwordsafe/api/authentication"
 	"github.com/BeyondTrust/go-client-library-passwordsafe/api/entities"
-	v1 "k8s.io/api/core/v1"
-
 	"github.com/BeyondTrust/go-client-library-passwordsafe/api/logging"
 	managedaccount "github.com/BeyondTrust/go-client-library-passwordsafe/api/managed_account"
 	"github.com/BeyondTrust/go-client-library-passwordsafe/api/secrets"
 	"github.com/BeyondTrust/go-client-library-passwordsafe/api/utils"
 	"github.com/cenkalti/backoff/v4"
+	v1 "k8s.io/api/core/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

+ 3 - 5
providers/v1/beyondtrust/provider_test.go

@@ -27,11 +27,11 @@ import (
 	"github.com/BeyondTrust/go-client-library-passwordsafe/api/logging"
 	"github.com/BeyondTrust/go-client-library-passwordsafe/api/utils"
 	"github.com/cenkalti/backoff/v4"
-	"go.uber.org/zap"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
 	v1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@@ -40,10 +40,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
 const (

+ 1 - 1
providers/v1/chef/chef.go

@@ -26,7 +26,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/external-secrets/external-secrets/runtime/metrics"
 	"github.com/go-chef/chef"
 	"github.com/go-logr/logr"
 	"github.com/tidwall/gjson"
@@ -38,6 +37,7 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
+	"github.com/external-secrets/external-secrets/runtime/metrics"
 )
 
 const (

+ 1 - 1
providers/v1/chef/chef_test.go

@@ -31,8 +31,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils"
 	fake "github.com/external-secrets/external-secrets/providers/v1/chef/fake"
+	"github.com/external-secrets/external-secrets/runtime/esutils"
 )
 
 const (

+ 1 - 1
providers/v1/cloudru/secretmanager/client.go

@@ -31,8 +31,8 @@ import (
 	corev1 "k8s.io/api/core/v1"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/providers/v1/cloudru/secretmanager/adapter"
+	"github.com/external-secrets/external-secrets/runtime/esutils"
 )
 
 var (

+ 1 - 1
providers/v1/cloudru/secretmanager/resolver.go

@@ -23,8 +23,8 @@ import (
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/providers/v1/cloudru/secretmanager/adapter"
+	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
 )
 
 // KubeCredentialsResolver resolves the credentials from the Kubernetes secret.

+ 1 - 1
providers/v1/conjur/client.go

@@ -28,9 +28,9 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	conjurutil "github.com/external-secrets/external-secrets/providers/v1/conjur/util"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
-	"github.com/external-secrets/external-secrets/providers/v1/conjur/util"
 )
 
 var (

+ 8 - 1
providers/v1/conjur/provider.go

@@ -58,7 +58,14 @@ func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 }
 
 // newConjurProvider creates and returns a new Conjur client with the specified configuration.
-func newConjurProvider(_ context.Context, store esv1.GenericStore, kube client.Client, namespace string, corev1 typedcorev1.CoreV1Interface, clientAPI SecretsClientFactory) (esv1.SecretsClient, error) {
+func newConjurProvider(
+	_ context.Context,
+	store esv1.GenericStore,
+	kube client.Client,
+	namespace string,
+	corev1 typedcorev1.CoreV1Interface,
+	clientAPI SecretsClientFactory,
+) (esv1.SecretsClient, error) {
 	return &Client{
 		StoreKind: store.GetObjectKind().GroupVersionKind().Kind,
 		store:     store,

+ 1 - 1
providers/v1/conjur/validate.go

@@ -24,8 +24,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	conjurutil "github.com/external-secrets/external-secrets/providers/v1/conjur/util"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
-	"github.com/external-secrets/external-secrets/providers/v1/conjur/util"
 )
 
 // ValidateStore validates the store.

+ 2 - 2
providers/v1/doppler/client.go

@@ -26,15 +26,15 @@ import (
 	"strings"
 	"time"
 
-	"github.com/external-secrets/external-secrets/runtime/find"
 	corev1 "k8s.io/api/core/v1"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	dclient "github.com/external-secrets/external-secrets/providers/v1/doppler/client"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
-	dclient "github.com/external-secrets/external-secrets/providers/v1/doppler/client"
+	"github.com/external-secrets/external-secrets/runtime/find"
 )
 
 const (

+ 1 - 1
providers/v1/doppler/provider.go

@@ -30,10 +30,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	dclient "github.com/external-secrets/external-secrets/providers/v1/doppler/client"
 	"github.com/external-secrets/external-secrets/runtime/cache"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/runtime/feature"
-	dclient "github.com/external-secrets/external-secrets/providers/v1/doppler/client"
 )
 
 const (

+ 7 - 1
providers/v1/gcp/secretmanager/workload_identity_federation.go

@@ -405,7 +405,13 @@ func validateCredConfigAWSCredentialSource(credSource *externalaccount.Credentia
 
 func (r *k8sSATokenReader) SubjectToken(ctx context.Context, options externalaccount.SupplierOptions) (string, error) {
 	if options.Audience != r.audience || options.SubjectTokenType != r.subjectTokenType {
-		return "", fmt.Errorf("invalid subject token request, audience is %s(expected %s) and subject_token_type is %s(expected %s)", options.Audience, r.audience, options.SubjectTokenType, r.subjectTokenType)
+		return "", fmt.Errorf(
+			"invalid subject token request, audience is %s(expected %s) and subject_token_type is %s(expected %s)",
+			options.Audience,
+			r.audience,
+			options.SubjectTokenType,
+			r.subjectTokenType,
+		)
 	}
 
 	resp, err := r.saTokenGenerator.Generate(ctx, r.saAudience, r.serviceAccount.Name, r.serviceAccount.Namespace)
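Review bot: The mismatch error in SubjectToken interpolates `options.Audience` and `options.SubjectTokenType` with `%s`, so an empty or whitespace-padded value from the caller is indistinguishable from a missing one when this message is read in a log. Using `%q` for the two received values, as in `"invalid subject token request, audience is %q (expected %q) and subject_token_type is %q (expected %q)"`, makes a rejected request unambiguous. The exact-string assertions in TestK8sSATokenReader would need the same change. The function body continues past the end of the hunk.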

+ 8 - 4
providers/v1/gcp/secretmanager/workload_identity_federation_test.go

@@ -747,9 +747,11 @@ func TestK8sSATokenReader(t *testing.T) {
 		SubjectTokenType: workloadIdentitySubjectTokenType,
 	})
 	assert.Error(t, err)
-	assert.Equal(t,
+	assert.Equal(
+		t,
 		`invalid subject token request, audience is invalid-audience(expected //iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/test-pool/providers/test-provider) and subject_token_type is urn:ietf:params:oauth:token-type:jwt(expected urn:ietf:params:oauth:token-type:jwt)`,
-		err.Error())
+		err.Error(),
+	)
 
 	// Test invalid subject token type
 	_, err = r.SubjectToken(ctx, externalaccount.SupplierOptions{
@@ -757,9 +759,11 @@ func TestK8sSATokenReader(t *testing.T) {
 		SubjectTokenType: "invalid-type",
 	})
 	assert.Error(t, err)
-	assert.Equal(t,
+	assert.Equal(
+		t,
 		`invalid subject token request, audience is //iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/test-pool/providers/test-provider(expected //iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/test-pool/providers/test-provider) and subject_token_type is invalid-type(expected urn:ietf:params:oauth:token-type:jwt)`,
-		err.Error())
+		err.Error(),
+	)
 }
 
 func TestAWSSecurityCredentialsReader(t *testing.T) {

+ 4 - 1
providers/v1/gitlab/gitlab_test.go

@@ -257,7 +257,10 @@ func makeValidSecretManagerGetAllTestCaseCustom(tweaks ...func(smtc *secretManag
 func prepareMockProjectVarClient(smtc *secretManagerTestCase) {
 	responses := make([]fakegitlab.APIResponse[[]*gitlab.ProjectVariable], 0)
 	if smtc.projectAPIOutput != nil {
-		responses = append(responses, fakegitlab.APIResponse[[]*gitlab.ProjectVariable]{Output: []*gitlab.ProjectVariable{smtc.projectAPIOutput}, Response: smtc.projectAPIResponse, Error: smtc.apiErr})
+		responses = append(
+			responses,
+			fakegitlab.APIResponse[[]*gitlab.ProjectVariable]{Output: []*gitlab.ProjectVariable{smtc.projectAPIOutput}, Response: smtc.projectAPIResponse, Error: smtc.apiErr},
+		)
 	}
 	for _, response := range smtc.projectAPIOutputs {
 		responses = append(responses, *response)

+ 4 - 1
providers/v1/ibm/fake/fake.go

@@ -44,7 +44,10 @@ func (mc *IBMMockClient) GetSecretWithContext(ctx context.Context, getSecretOpti
 	return mc.getSecretWithContext(ctx, getSecretOptions)
 }
 
-func (mc *IBMMockClient) GetSecretByNameTypeWithContext(ctx context.Context, getSecretByNameTypeOptions *sm.GetSecretByNameTypeOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error) {
+func (mc *IBMMockClient) GetSecretByNameTypeWithContext(
+	ctx context.Context,
+	getSecretByNameTypeOptions *sm.GetSecretByNameTypeOptions,
+) (result sm.SecretIntf, response *core.DetailedResponse, err error) {
 	return mc.getSecretByNameTypeWithContext(ctx, getSecretByNameTypeOptions)
 }
 

+ 9 - 2
providers/v1/infisical/client.go

@@ -29,9 +29,9 @@ import (
 	corev1 "k8s.io/api/core/v1"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/providers/v1/infisical/constants"
 	"github.com/external-secrets/external-secrets/runtime/find"
 	"github.com/external-secrets/external-secrets/runtime/metrics"
-	"github.com/external-secrets/external-secrets/providers/v1/infisical/constants"
 )
 
 var (
@@ -197,7 +197,14 @@ func (p *Provider) Validate() (esv1.ValidationResult, error) {
 	metrics.ObserveAPICall(constants.ProviderName, getSecretsV3, err)
 
 	if err != nil {
-		return esv1.ValidationResultError, fmt.Errorf("cannot read secrets with provided project scope project:%s environment:%s secret-path:%s recursive:%t, %w", p.apiScope.ProjectSlug, p.apiScope.EnvironmentSlug, p.apiScope.SecretPath, p.apiScope.Recursive, err)
+		return esv1.ValidationResultError, fmt.Errorf(
+			"cannot read secrets with provided project scope project:%s environment:%s secret-path:%s recursive:%t, %w",
+			p.apiScope.ProjectSlug,
+			p.apiScope.EnvironmentSlug,
+			p.apiScope.SecretPath,
+			p.apiScope.Recursive,
+			err,
+		)
 	}
 
 	return esv1.ValidationResultReady, nil

+ 82 - 12
providers/v1/infisical/provider.go

@@ -21,16 +21,16 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/external-secrets/external-secrets/runtime/metrics"
-	"github.com/external-secrets/external-secrets/providers/v1/infisical/constants"
 	infisicalSdk "github.com/infisical/go-sdk"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"github.com/external-secrets/external-secrets/providers/v1/infisical/constants"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
+	"github.com/external-secrets/external-secrets/runtime/metrics"
 )
 
 const (
@@ -75,7 +75,14 @@ func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
-func performUniversalAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performUniversalAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	universalAuthCredentials := infisicalSpec.Auth.UniversalAuthCredentials
 	clientID, err := GetStoreSecretData(ctx, store, kube, namespace, universalAuthCredentials.ClientID)
 	if err != nil {
@@ -97,7 +104,14 @@ func performUniversalAuthLogin(ctx context.Context, store esv1.GenericStore, inf
 	return nil
 }
 
-func performAzureAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performAzureAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	azureAuthCredentials := infisicalSpec.Auth.AzureAuthCredentials
 	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, azureAuthCredentials.IdentityID)
 	if err != nil {
@@ -123,7 +137,14 @@ func performAzureAuthLogin(ctx context.Context, store esv1.GenericStore, infisic
 	return nil
 }
 
-func performGcpIDTokenAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performGcpIDTokenAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	gcpIDTokenAuthCredentials := infisicalSpec.Auth.GcpIDTokenAuthCredentials
 	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, gcpIDTokenAuthCredentials.IdentityID)
 	if err != nil {
@@ -140,7 +161,14 @@ func performGcpIDTokenAuthLogin(ctx context.Context, store esv1.GenericStore, in
 	return nil
 }
 
-func performGcpIamAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performGcpIamAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	gcpIamAuthCredentials := infisicalSpec.Auth.GcpIamAuthCredentials
 	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, gcpIamAuthCredentials.IdentityID)
 	if err != nil {
@@ -162,7 +190,14 @@ func performGcpIamAuthLogin(ctx context.Context, store esv1.GenericStore, infisi
 	return nil
 }
 
-func performJwtAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performJwtAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	jwtAuthCredentials := infisicalSpec.Auth.JwtAuthCredentials
 	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, jwtAuthCredentials.IdentityID)
 	if err != nil {
@@ -184,7 +219,14 @@ func performJwtAuthLogin(ctx context.Context, store esv1.GenericStore, infisical
 	return nil
 }
 
-func performLdapAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performLdapAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	ldapAuthCredentials := infisicalSpec.Auth.LdapAuthCredentials
 	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, ldapAuthCredentials.IdentityID)
 	if err != nil {
@@ -211,7 +253,14 @@ func performLdapAuthLogin(ctx context.Context, store esv1.GenericStore, infisica
 	return nil
 }
 
-func performOciAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performOciAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	ociAuthCredentials := infisicalSpec.Auth.OciAuthCredentials
 	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, ociAuthCredentials.IdentityID)
 	if err != nil {
@@ -270,7 +319,14 @@ func performOciAuthLogin(ctx context.Context, store esv1.GenericStore, infisical
 	return nil
 }
 
-func performKubernetesAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performKubernetesAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	kubernetesAuthCredentials := infisicalSpec.Auth.KubernetesAuthCredentials
 	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, kubernetesAuthCredentials.IdentityID)
 	if err != nil {
@@ -296,7 +352,14 @@ func performKubernetesAuthLogin(ctx context.Context, store esv1.GenericStore, in
 	return nil
 }
 
-func performAwsAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performAwsAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	awsAuthCredentials := infisicalSpec.Auth.AwsAuthCredentials
 	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, awsAuthCredentials.IdentityID)
 	if err != nil {
@@ -313,7 +376,14 @@ func performAwsAuthLogin(ctx context.Context, store esv1.GenericStore, infisical
 	return nil
 }
 
-func performTokenAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+func performTokenAuthLogin(
+	ctx context.Context,
+	store esv1.GenericStore,
+	infisicalSpec *esv1.InfisicalProvider,
+	sdkClient infisicalSdk.InfisicalClientInterface,
+	kube kclient.Client,
+	namespace string,
+) error {
 	tokenAuthCredentials := infisicalSpec.Auth.TokenAuthCredentials
 	accessToken, err := GetStoreSecretData(ctx, store, kube, namespace, tokenAuthCredentials.AccessToken)
 	if err != nil {
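Review bot: None of the ten perform*AuthLogin helpers touched in this file has a doc comment. The reformatted signatures show that each receives the same `store`, `kube` and `namespace` arguments, which the visible bodies pass to `GetStoreSecretData` to resolve credentials. A one-line comment per helper would help, for example `// performTokenAuthLogin reads the access token referenced by TokenAuthCredentials and uses it to authenticate sdkClient.` (the second half is inferred from the name, since the bodies continue outside the hunks). What `namespace` refers to for a cluster-scoped store cannot be determined from these hunks, so it should be stated once where the helpers are dispatched.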

+ 27 - 18
providers/v1/keepersecurity/client_test.go

@@ -33,23 +33,23 @@ import (
 )
 
 const (
-	folderID            = "a8ekf031k"
-	validExistingRecord = "record0/login"
-	invalidRecord       = "record5/login"
-	outputRecord0       = "{\"title\":\"record0\",\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"value\":[\"foo\"]},{\"type\":\"password\",\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host0\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}],\"files\":null}"
-	outputRecord1       = "{\"title\":\"record1\",\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"value\":[\"foo\"]},{\"type\":\"password\",\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host1\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}],\"files\":null}"
-	outputRecord2       = "{\"title\":\"record2\",\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"value\":[\"foo\"]},{\"type\":\"password\",\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host2\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}],\"files\":null}"
+	folderID               = "a8ekf031k"
+	validExistingRecord    = "record0/login"
+	invalidRecord          = "record5/login"
+	outputRecord0          = "{\"title\":\"record0\",\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"value\":[\"foo\"]},{\"type\":\"password\",\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host0\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}],\"files\":null}"
+	outputRecord1          = "{\"title\":\"record1\",\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"value\":[\"foo\"]},{\"type\":\"password\",\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host1\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}],\"files\":null}"
+	outputRecord2          = "{\"title\":\"record2\",\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"value\":[\"foo\"]},{\"type\":\"password\",\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host2\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}],\"files\":null}"
 	outputRecordWithLabels = "{\"title\":\"recordWithLabels\",\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"label\":\"username\",\"value\":[\"foo\"]},{\"type\":\"password\",\"label\":\"pass\",\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host0\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}],\"files\":null}"
-	record0                 = "record0"
-	record1                 = "record1"
-	record2                 = "record2"
-	recordWithLabels        = "recordWithLabels"
-	LoginKey                = "login"
-	PasswordKey             = "password"
-	HostKeyFormat           = "host%d"
-	RecordNameFormat        = "record%d"
-	UsernameLabel = "username"
-	PassLabel     = "pass"
+	record0                = "record0"
+	record1                = "record1"
+	record2                = "record2"
+	recordWithLabels       = "recordWithLabels"
+	LoginKey               = "login"
+	PasswordKey            = "password"
+	HostKeyFormat          = "host%d"
+	RecordNameFormat       = "record%d"
+	UsernameLabel          = "username"
+	PassLabel              = "pass"
 )
 
 func TestClientDeleteSecret(t *testing.T) {
@@ -809,7 +809,11 @@ func generateRecords() []*ksm.Record {
 				},
 			}
 		}
-		sec := fmt.Sprintf("{\"title\":\"record%d\",\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"value\":[\"foo\"]},{\"type\":\"password\",\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host%d\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}]}", i, i)
+		sec := fmt.Sprintf(
+			"{\"title\":\"record%d\",\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"value\":[\"foo\"]},{\"type\":\"password\",\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host%d\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}]}",
+			i,
+			i,
+		)
 		record.SetTitle(fmt.Sprintf(RecordNameFormat, i))
 		record.SetStandardFieldValue(LoginKey, "foo")
 		record.SetStandardFieldValue(PasswordKey, "bar")
@@ -829,7 +833,12 @@ func generateRecordWithLabels() *ksm.Record {
 		},
 	}
 	// Fields with labels - using label as key
-	sec := fmt.Sprintf("{\"title\":%q,\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"label\":%q,\"value\":[\"foo\"]},{\"type\":\"password\",\"label\":%q,\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host0\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}]}", recordWithLabels, UsernameLabel, PassLabel)
+	sec := fmt.Sprintf(
+		"{\"title\":%q,\"type\":\"login\",\"fields\":[{\"type\":\"login\",\"label\":%q,\"value\":[\"foo\"]},{\"type\":\"password\",\"label\":%q,\"value\":[\"bar\"]}],\"custom\":[{\"type\":\"host\",\"label\":\"host0\",\"value\":[{\"hostName\":\"mysql\",\"port\":\"3306\"}]}]}",
+		recordWithLabels,
+		UsernameLabel,
+		PassLabel,
+	)
 	record.SetTitle(recordWithLabels)
 	record.SetStandardFieldValue(LoginKey, "foo")
 	record.SetStandardFieldValue(PasswordKey, "bar")

+ 6 - 4
providers/v1/kubernetes/client_test.go

@@ -589,21 +589,21 @@ func TestDeleteSecret(t *testing.T) {
 			ref: v1alpha1.PushSecretRemoteRef{
 				RemoteKey: "mysec",
 			},
-			wantErr: false,
+			wantErr:       false,
 			wantSecretMap: map[string]*v1.Secret{},
 		},
 		{
 			name: "delete whole secret if no property specified and empty properties",
 			fields: fields{
 				Client: &fakeClient{
-					t: t,
+					t:         t,
 					secretMap: map[string]*v1.Secret{},
 				},
 			},
 			ref: v1alpha1.PushSecretRemoteRef{
 				RemoteKey: "mysec",
 			},
-			wantErr: false,
+			wantErr:       false,
 			wantSecretMap: map[string]*v1.Secret{},
 		},
 		{
@@ -1181,7 +1181,9 @@ func TestPushSecret(t *testing.T) {
 				RemoteKey: "mysec",
 				Property:  "secret",
 				Metadata: &apiextensionsv1.JSON{
-					Raw: []byte(`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1", "kind": "PushSecretMetadata", spec: { "sourceMergePolicy": "Replace", "annotations": {"another-field": "from-remote-ref"}, "labels": {"other-label": "from-remote-ref"}}}`),
+					Raw: []byte(
+						`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1", "kind": "PushSecretMetadata", spec: { "sourceMergePolicy": "Replace", "annotations": {"another-field": "from-remote-ref"}, "labels": {"other-label": "from-remote-ref"}}}`,
+					),
 				},
 			},
 			wantErr: false,
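Review bot: The `Raw` metadata literal rewrapped in the TestPushSecret hunk is not strict JSON, because the `spec` key is unquoted (`spec: { "sourceMergePolicy": ...`). With `wantErr: false`, this case can only pass if the metadata decoder is lenient; a YAML-based parser would accept it, but that code is not visible here. The fixture therefore does not show that a payload valid for `apiextensionsv1.JSON` takes the same path. Quoting the key as `"spec": {` keeps the test input well-formed. The test table continues outside the hunk.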

+ 5 - 1
providers/v1/kubernetes/metadata.go

@@ -89,7 +89,11 @@ func mergeSourceMetadata(localSecret *v1.Secret, pushMeta *metadata.PushSecretMe
 // Takes the remote secret metadata and merges it with the source metadata.
 // The source metadata may replace the existing labels/annotations
 // or merge into it depending on policy.
-func mergeTargetMetadata(remoteSecret *v1.Secret, pushMeta *metadata.PushSecretMetadata[PushSecretMetadataSpec], sourceLabels, sourceAnnotations map[string]string) (map[string]string, map[string]string, error) {
+func mergeTargetMetadata(
+	remoteSecret *v1.Secret,
+	pushMeta *metadata.PushSecretMetadata[PushSecretMetadataSpec],
+	sourceLabels, sourceAnnotations map[string]string,
+) (map[string]string, map[string]string, error) {
 	labels := remoteSecret.ObjectMeta.Labels
 	annotations := remoteSecret.ObjectMeta.Annotations
 	if labels == nil {

+ 3 - 2
providers/v1/ngrok/client_test.go

@@ -21,8 +21,6 @@ import (
 	"errors"
 
 	"github.com/ngrok/ngrok-api-go/v7"
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -30,6 +28,9 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/providers/v1/ngrok/fake"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 )
 
 type pushSecretRemoteRef struct {

+ 3 - 3
providers/v1/ngrok/provider.go

@@ -22,14 +22,14 @@ import (
 	"fmt"
 	"net/url"
 
+	"github.com/ngrok/ngrok-api-go/v7"
+	"github.com/ngrok/ngrok-api-go/v7/secrets"
+	"github.com/ngrok/ngrok-api-go/v7/vaults"
 	kubeClient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
-	"github.com/ngrok/ngrok-api-go/v7"
-	"github.com/ngrok/ngrok-api-go/v7/secrets"
-	"github.com/ngrok/ngrok-api-go/v7/vaults"
 )
 
 var (

+ 3 - 2
providers/v1/ngrok/provider_test.go

@@ -21,8 +21,6 @@ import (
 	"testing"
 
 	"github.com/ngrok/ngrok-api-go/v7"
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/ptr"
@@ -33,6 +31,9 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/providers/v1/ngrok/fake"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
 )
 
 func newTestClusterSecretStore(provider *esv1.SecretStoreProvider) esv1.GenericStore {

+ 1 - 1
providers/v1/onboardbase/client.go

@@ -32,9 +32,9 @@ import (
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	obclient "github.com/external-secrets/external-secrets/providers/v1/onboardbase/client"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/runtime/find"
-	obclient "github.com/external-secrets/external-secrets/providers/v1/onboardbase/client"
 )
 
 const (

+ 1 - 1
providers/v1/onboardbase/provider.go

@@ -25,8 +25,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils"
 	oClient "github.com/external-secrets/external-secrets/providers/v1/onboardbase/client"
+	"github.com/external-secrets/external-secrets/runtime/esutils"
 )
 
 const (

+ 1 - 1
providers/v1/onepassword/onepassword_test.go

@@ -32,8 +32,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
 	"github.com/external-secrets/external-secrets/providers/v1/onepassword/fake"
+	"github.com/external-secrets/external-secrets/runtime/esutils/metadata"
 )
 
 const (

+ 19 - 3
providers/v1/oracle/oracle.go

@@ -587,7 +587,11 @@ func (vms *VaultManagementService) ValidateStore(store esv1.GenericStore) (admis
 	return nil, nil
 }
 
-func (vms *VaultManagementService) getWorkloadIdentityProvider(store esv1.GenericStore, serviceAcccountRef *esmeta.ServiceAccountSelector, region, namespace string) (configurationProvider common.ConfigurationProvider, err error) {
+func (vms *VaultManagementService) getWorkloadIdentityProvider(
+	store esv1.GenericStore,
+	serviceAcccountRef *esmeta.ServiceAccountSelector,
+	region, namespace string,
+) (configurationProvider common.ConfigurationProvider, err error) {
 	defer func() {
 		if uerr := os.Unsetenv(auth.ResourcePrincipalVersionEnvVar); uerr != nil {
 			err = errors.Join(err, fmt.Errorf(errSettingOCIEnvVariables, auth.ResourcePrincipalRegionEnvVar, uerr))
@@ -641,7 +645,13 @@ func (vms *VaultManagementService) getWorkloadIdentityProvider(store esv1.Generi
 	return vms.authConfigurationsCache[store.GetResourceVersion()], nil
 }
 
-func (vms *VaultManagementService) constructProvider(ctx context.Context, store esv1.GenericStore, oracleSpec *esv1.OracleProvider, kube kclient.Client, namespace string) (common.ConfigurationProvider, error) {
+func (vms *VaultManagementService) constructProvider(
+	ctx context.Context,
+	store esv1.GenericStore,
+	oracleSpec *esv1.OracleProvider,
+	kube kclient.Client,
+	namespace string,
+) (common.ConfigurationProvider, error) {
 	var (
 		configurationProvider common.ConfigurationProvider
 		err                   error
@@ -696,7 +706,13 @@ func sanitizeOCISDKErr(err error) error {
 	// If we have a ServiceError from the OCI SDK, strip only the message from the verbose error
 
 	if serviceError, ok := err.(common.ServiceErrorRichInfo); ok {
-		return fmt.Errorf("%s service failed to %s, HTTP status code %d: %s", serviceError.GetTargetService(), serviceError.GetOperationName(), serviceError.GetHTTPStatusCode(), serviceError.GetMessage())
+		return fmt.Errorf(
+			"%s service failed to %s, HTTP status code %d: %s",
+			serviceError.GetTargetService(),
+			serviceError.GetOperationName(),
+			serviceError.GetHTTPStatusCode(),
+			serviceError.GetMessage(),
+		)
 	}
 	return err
 }
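Review bot: The deferred cleanup at the top of `getWorkloadIdentityProvider` unsets `auth.ResourcePrincipalVersionEnvVar`, but on failure it formats the error with `auth.ResourcePrincipalRegionEnvVar`, so the message names the wrong variable. The reflow of the signature leaves this untouched; the line should read `err = errors.Join(err, fmt.Errorf(errSettingOCIEnvVariables, auth.ResourcePrincipalVersionEnvVar, uerr))`. The function body continues outside the hunk, so the other deferred unset calls are worth checking for the same mismatch. Separately, in the last hunk `sanitizeOCISDKErr` matches with a direct type assertion, `err.(common.ServiceErrorRichInfo)`, so a service error that was wrapped before reaching it would fall through to `return err` with the verbose text intact. If any caller wraps, `var serviceError common.ServiceErrorRichInfo; if errors.As(err, &serviceError) {` would cover that case.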

+ 1 - 0
providers/v1/previder/provider.go

@@ -21,6 +21,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+
 	previderclient "github.com/previder/vault-cli/pkg"
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"

+ 7 - 1
providers/v1/senhasegura/auth/iso.go

@@ -80,7 +80,13 @@ func Authenticate(ctx context.Context, store esv1.GenericStore, provider *esv1.S
 /*
 IsoSessionFromSecretRef initialize an ISO OAuth2 flow with .spec.provider.senhasegura.auth.isoSecretRef parameters.
 */
-func (s *SenhaseguraIsoSession) IsoSessionFromSecretRef(ctx context.Context, provider *esv1.SenhaseguraProvider, store esv1.GenericStore, kube client.Client, namespace string) (*SenhaseguraIsoSession, error) {
+func (s *SenhaseguraIsoSession) IsoSessionFromSecretRef(
+	ctx context.Context,
+	provider *esv1.SenhaseguraProvider,
+	store esv1.GenericStore,
+	kube client.Client,
+	namespace string,
+) (*SenhaseguraIsoSession, error) {
 	secret, err := resolvers.SecretKeyRef(
 		ctx,
 		kube,

+ 2 - 2
providers/v1/vault/auth.go

@@ -29,10 +29,10 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+	vaultiamauth "github.com/external-secrets/external-secrets/providers/v1/vault/iamauth"
+	vaultutil "github.com/external-secrets/external-secrets/providers/v1/vault/util"
 	"github.com/external-secrets/external-secrets/runtime/constants"
 	"github.com/external-secrets/external-secrets/runtime/metrics"
-	vaultiamauth "github.com/external-secrets/external-secrets/providers/v1/vault/iamauth"
-	"github.com/external-secrets/external-secrets/providers/v1/vault/util"
 )
 
 const (

+ 3 - 2
providers/v1/vault/auth_gcp_test.go

@@ -21,12 +21,13 @@ import (
 	"os"
 	"testing"
 
-	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
 func TestSetEnvVar(t *testing.T) {

+ 16 - 2
providers/v1/vault/auth_iam.go

@@ -60,7 +60,15 @@ func setIamAuthToken(ctx context.Context, v *client, jwtProvider vaultutil.JwtPr
 	return false, nil
 }
 
-func (c *client) requestTokenWithIamAuth(ctx context.Context, iamAuth *esv1.VaultIamAuth, isClusterKind bool, k kclient.Client, n string, jwtProvider vaultutil.JwtProviderFactory, assumeRoler vaultiamauth.STSProvider) error {
+func (c *client) requestTokenWithIamAuth(
+	ctx context.Context,
+	iamAuth *esv1.VaultIamAuth,
+	isClusterKind bool,
+	k kclient.Client,
+	n string,
+	jwtProvider vaultutil.JwtProviderFactory,
+	assumeRoler vaultiamauth.STSProvider,
+) error {
 	jwtAuth := iamAuth.JWTAuth
 	secretRefAuth := iamAuth.SecretRef
 	regionAWS := c.getRegionOrDefault(iamAuth.Region)
@@ -126,7 +134,13 @@ func (c *client) requestTokenWithIamAuth(ctx context.Context, iamAuth *esv1.Vaul
 	var awsAuthClient *authaws.AWSAuth
 
 	if iamAuth.VaultAWSIAMServerID != "" {
-		awsAuthClient, err = authaws.NewAWSAuth(authaws.WithRegion(regionAWS), authaws.WithIAMAuth(), authaws.WithRole(iamAuth.Role), authaws.WithMountPath(awsAuthMountPath), authaws.WithIAMServerIDHeader(iamAuth.VaultAWSIAMServerID))
+		awsAuthClient, err = authaws.NewAWSAuth(
+			authaws.WithRegion(regionAWS),
+			authaws.WithIAMAuth(),
+			authaws.WithRole(iamAuth.Role),
+			authaws.WithMountPath(awsAuthMountPath),
+			authaws.WithIAMServerIDHeader(iamAuth.VaultAWSIAMServerID),
+		)
 		if err != nil {
 			return err
 		}
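Review bot: In the reflowed signature of `requestTokenWithIamAuth`, `k kclient.Client` and `n string` are the only parameters whose names do not say what they carry, and with one parameter per line that now stands out. Other signatures reformatted in this same commit (`CredsFromServiceAccount`, `prepareConfig`) call the same things `kube` and `namespace`. I would rename them to `kube kclient.Client,` and `namespace string,` so it is obvious at the call site which namespace the credentials are resolved against. The body runs past the end of both hunks, so the uses further down need the same rename.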

+ 1 - 1
providers/v1/vault/client.go

@@ -31,7 +31,7 @@ import (
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/providers/v1/vault/util"
+	vaultutil "github.com/external-secrets/external-secrets/providers/v1/vault/util"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
 	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
 )

+ 1 - 1
providers/v1/vault/client_get_all_secrets_test.go

@@ -27,7 +27,7 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/providers/v1/vault/fake"
-	"github.com/external-secrets/external-secrets/providers/v1/vault/util"
+	vaultutil "github.com/external-secrets/external-secrets/providers/v1/vault/util"
 )
 
 func TestGetAllSecrets(t *testing.T) {

+ 1 - 1
providers/v1/vault/client_get_test.go

@@ -30,7 +30,7 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/providers/v1/vault/fake"
-	"github.com/external-secrets/external-secrets/providers/v1/vault/util"
+	vaultutil "github.com/external-secrets/external-secrets/providers/v1/vault/util"
 	testingfake "github.com/external-secrets/external-secrets/runtime/testing/fake"
 )
 

+ 1 - 1
providers/v1/vault/client_push_test.go

@@ -27,7 +27,7 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/providers/v1/vault/fake"
-	"github.com/external-secrets/external-secrets/providers/v1/vault/util"
+	vaultutil "github.com/external-secrets/external-secrets/providers/v1/vault/util"
 	testingfake "github.com/external-secrets/external-secrets/runtime/testing/fake"
 )
 

+ 1 - 1
providers/v1/vault/fake/vault.go

@@ -26,7 +26,7 @@ import (
 
 	vault "github.com/hashicorp/vault/api"
 
-	"github.com/external-secrets/external-secrets/providers/v1/vault/util"
+	vaultutil "github.com/external-secrets/external-secrets/providers/v1/vault/util"
 )
 
 // LoginFn is a function type that represents logging in to Vault using a specific authentication method.

+ 9 - 1
providers/v1/vault/iamauth/iamauth.go

@@ -161,7 +161,15 @@ func (p *authTokenFetcher) GetIdentityToken() ([]byte, error) {
 // in the ServiceAccount annotation.
 // If the ClusterSecretStore does not define a namespace it will use the namespace from the ExternalSecret (referentAuth).
 // If the ClusterSecretStore defines the namespace it will take precedence.
-func CredsFromServiceAccount(ctx context.Context, auth esv1.VaultIamAuth, region string, isClusterKind bool, kube kclient.Client, namespace string, jwtProvider vaultutil.JwtProviderFactory) (aws.CredentialsProvider, error) {
+func CredsFromServiceAccount(
+	ctx context.Context,
+	auth esv1.VaultIamAuth,
+	region string,
+	isClusterKind bool,
+	kube kclient.Client,
+	namespace string,
+	jwtProvider vaultutil.JwtProviderFactory,
+) (aws.CredentialsProvider, error) {
 	name := auth.JWTAuth.ServiceAccountRef.Name
 	if isClusterKind && auth.JWTAuth.ServiceAccountRef.Namespace != nil {
 		namespace = *auth.JWTAuth.ServiceAccountRef.Namespace
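Review bot: `CredsFromServiceAccount` reads `auth.JWTAuth.ServiceAccountRef.Name` on its first line with no nil guard. It is an exported function, so it cannot assume every caller has validated the struct. If `JWTAuth` and `ServiceAccountRef` are optional pointer fields (their declarations are not in this hunk), a store whose jwt block omits the service account reference would panic the reconcile instead of returning an error. A guard before the first dereference, for example `if auth.JWTAuth == nil || auth.JWTAuth.ServiceAccountRef == nil { return nil, errors.New("jwt auth requires serviceAccountRef") }` (using whichever error helper the file already imports), turns that into an ordinary validation failure. The function body continues past the end of the hunk.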

+ 28 - 4
providers/v1/vault/provider.go

@@ -104,7 +104,14 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 }
 
 // NewGeneratorClient creates a new Vault client for the generator controller.
-func (p *Provider) NewGeneratorClient(ctx context.Context, kube kclient.Client, corev1 typedcorev1.CoreV1Interface, vaultSpec *esv1.VaultProvider, namespace string, retrySettings *esv1.SecretStoreRetrySettings) (vaultutil.Client, error) {
+func (p *Provider) NewGeneratorClient(
+	ctx context.Context,
+	kube kclient.Client,
+	corev1 typedcorev1.CoreV1Interface,
+	vaultSpec *esv1.VaultProvider,
+	namespace string,
+	retrySettings *esv1.SecretStoreRetrySettings,
+) (vaultutil.Client, error) {
 	vStore, cfg, err := p.prepareConfig(ctx, kube, corev1, vaultSpec, retrySettings, namespace, resolvers.EmptyStoreKind)
 	if err != nil {
 		return nil, err
@@ -182,7 +189,14 @@ func (p *Provider) initClient(ctx context.Context, c *client, client vaultutil.C
 	return c, nil
 }
 
-func (p *Provider) prepareConfig(ctx context.Context, kube kclient.Client, corev1 typedcorev1.CoreV1Interface, vaultSpec *esv1.VaultProvider, retrySettings *esv1.SecretStoreRetrySettings, namespace, storeKind string) (*client, *vault.Config, error) {
+func (p *Provider) prepareConfig(
+	ctx context.Context,
+	kube kclient.Client,
+	corev1 typedcorev1.CoreV1Interface,
+	vaultSpec *esv1.VaultProvider,
+	retrySettings *esv1.SecretStoreRetrySettings,
+	namespace, storeKind string,
+) (*client, *vault.Config, error) {
 	c := &client{
 		kube:      kube,
 		corev1:    corev1,
@@ -311,9 +325,19 @@ func initCache(size int) {
 func init() {
 	var vaultTokenCacheSize int
 	fs := pflag.NewFlagSet("vault", pflag.ExitOnError)
-	fs.BoolVar(&enableCache, "experimental-enable-vault-token-cache", false, "Enable experimental Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.")
+	fs.BoolVar(
+		&enableCache,
+		"experimental-enable-vault-token-cache",
+		false,
+		"Enable experimental Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.",
+	)
 	// max. 265k vault leases with 30bytes each ~= 7MB
-	fs.IntVar(&vaultTokenCacheSize, "experimental-vault-token-cache-size", defaultCacheSize, "Maximum size of Vault token cache. When more tokens than Only used if --experimental-enable-vault-token-cache is set.")
+	fs.IntVar(
+		&vaultTokenCacheSize,
+		"experimental-vault-token-cache-size",
+		defaultCacheSize,
+		"Maximum size of Vault token cache. When more tokens than Only used if --experimental-enable-vault-token-cache is set.",
+	)
 	feature.Register(feature.Feature{
 		Flags:      fs,
 		Initialize: func() { initCache(vaultTokenCacheSize) },
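Review bot: The help text for `experimental-vault-token-cache-size` in `init()` contains a broken sentence, "When more tokens than Only used if ...". The wrapped `fs.IntVar(` call carries it over unchanged into the new lines. Operators read this string from `--help` when deciding whether to enable token reuse, so it should at least be well-formed: `"Maximum size of Vault token cache. Only used if --experimental-enable-vault-token-cache is set.",`. If the dropped clause was meant to say what happens once the cache is full, that should be restored by someone who knows the eviction behaviour, since it is not visible in this hunk.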

+ 2 - 2
providers/v1/vault/provider_test.go

@@ -32,9 +32,9 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	utilfake "github.com/external-secrets/external-secrets/runtime/util/fake"
 	"github.com/external-secrets/external-secrets/providers/v1/vault/fake"
-	"github.com/external-secrets/external-secrets/providers/v1/vault/util"
+	vaultutil "github.com/external-secrets/external-secrets/providers/v1/vault/util"
+	utilfake "github.com/external-secrets/external-secrets/runtime/util/fake"
 )
 
 const (

+ 1 - 1
providers/v1/volcengine/provider.go

@@ -21,12 +21,12 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/volcengine/volcengine-go-sdk/service/kms"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/runtime/esutils"
-	"github.com/volcengine/volcengine-go-sdk/service/kms"
 )
 
 var _ esv1.Provider = &Provider{}

+ 15 - 4
providers/v1/yandex/certificatemanager/certificatemanagersecretgetter.go

@@ -21,9 +21,10 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/external-secrets/external-secrets/providers/v1/yandex/certificatemanager/client"
-	"github.com/external-secrets/external-secrets/providers/v1/yandex/common"
 	api "github.com/yandex-cloud/go-genproto/yandex/cloud/certificatemanager/v1"
+
+	"github.com/external-secrets/external-secrets/providers/v1/yandex/certificatemanager/client"
+	ydxcommon "github.com/external-secrets/external-secrets/providers/v1/yandex/common"
 )
 
 const (
@@ -63,7 +64,12 @@ func (g *certificateManagerSecretGetter) GetSecret(ctx context.Context, iamToken
 	}
 }
 
-func (g *certificateManagerSecretGetter) GetSecretMap(ctx context.Context, iamToken, resourceID string, resourceKeyType ydxcommon.ResourceKeyType, folderID, versionID string) (map[string][]byte, error) {
+func (g *certificateManagerSecretGetter) GetSecretMap(
+	ctx context.Context,
+	iamToken, resourceID string,
+	resourceKeyType ydxcommon.ResourceKeyType,
+	folderID, versionID string,
+) (map[string][]byte, error) {
 	response, err := g.fetchCertificateContentResponse(ctx, iamToken, resourceID, resourceKeyType, folderID, versionID)
 	if err != nil {
 		return nil, fmt.Errorf("unable to request certificate content to get secret map: %w", err)
@@ -77,7 +83,12 @@ func (g *certificateManagerSecretGetter) GetSecretMap(ctx context.Context, iamTo
 	}, nil
 }
 
-func (g *certificateManagerSecretGetter) fetchCertificateContentResponse(ctx context.Context, iamToken, resourceID string, resourceKeyType ydxcommon.ResourceKeyType, folderID, versionID string) (*api.GetCertificateContentResponse, error) {
+func (g *certificateManagerSecretGetter) fetchCertificateContentResponse(
+	ctx context.Context,
+	iamToken, resourceID string,
+	resourceKeyType ydxcommon.ResourceKeyType,
+	folderID, versionID string,
+) (*api.GetCertificateContentResponse, error) {
 	switch resourceKeyType {
 	case ydxcommon.ResourceKeyTypeID:
 		return g.certificateManagerClient.GetCertificateContent(ctx, iamToken, resourceID, versionID)

+ 1 - 1
providers/v1/yandex/certificatemanager/client/fakeclient.go

@@ -28,7 +28,7 @@ import (
 	api "github.com/yandex-cloud/go-genproto/yandex/cloud/certificatemanager/v1"
 	"github.com/yandex-cloud/go-sdk/iamkey"
 
-	"github.com/external-secrets/external-secrets/providers/v1/yandex/common"
+	ydxcommon "github.com/external-secrets/external-secrets/providers/v1/yandex/common"
 	"github.com/external-secrets/external-secrets/providers/v1/yandex/common/clock"
 )
 

+ 1 - 1
providers/v1/yandex/certificatemanager/client/grpcclient.go

@@ -23,7 +23,7 @@ import (
 	"github.com/yandex-cloud/go-sdk/iamkey"
 	"google.golang.org/grpc"
 
-	"github.com/external-secrets/external-secrets/providers/v1/yandex/common"
+	ydxcommon "github.com/external-secrets/external-secrets/providers/v1/yandex/common"
 )
 
 // Real/gRPC implementation of CertificateManagerClient.

+ 1 - 1
providers/v1/yandex/common/provider.go

@@ -33,8 +33,8 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
 	"github.com/external-secrets/external-secrets/providers/v1/yandex/common/clock"
+	"github.com/external-secrets/external-secrets/runtime/esutils/resolvers"
 )
 
 const maxSecretsClientLifetime = 5 * time.Minute // supposed SecretsClient lifetime is quite short
