
chore(deps): bump golangci/golangci-lint-action from 6.5.2 to 8.0.0 (#4734)

* chore(deps): bump golangci/golangci-lint-action from 6.5.2 to 8.0.0

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.5.2 to 8.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/55c2c1448f86e01eaae002a5a3a9624417608d84...4afd733a84b1f43292c63897423277bb7f4313a9)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: update the linter and fix some of the linter issues

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
dependabot[bot] 11 months ago
parent
commit
84fd748a0d
34 changed files with 228 additions and 145 deletions
  1. 2 2
      .github/workflows/ci.yml
  2. 89 85
      .golangci.yaml
  3. 2 2
      Makefile
  4. 6 5
      cmd/esoctl/template.go
  5. 3 1
      e2e/framework/addon/eso_argocd_application.go
  6. 3 1
      e2e/framework/addon/eso_flux_helm.go
  7. 6 2
      e2e/framework/addon/vault.go
  8. 3 1
      e2e/framework/util/util.go
  9. 3 1
      e2e/suites/provider/cases/akeyless/provider.go
  10. 3 1
      pkg/common/webhook/webhook.go
  11. 6 4
      pkg/controllers/crds/crds_controller_test.go
  12. 3 1
      pkg/controllers/externalsecret/externalsecret_controller_secret.go
  13. 3 1
      pkg/controllers/pushsecret/pushsecret_controller.go
  14. 1 1
      pkg/controllers/secretstore/client_manager.go
  15. 3 1
      pkg/controllers/secretstore/common.go
  16. 8 3
      pkg/generator/acr/acr.go
  17. 3 1
      pkg/generator/github/github.go
  18. 3 1
      pkg/generator/quay/quay.go
  19. 33 11
      pkg/provider/akeyless/akeyless_api.go
  20. 3 1
      pkg/provider/akeyless/utils.go
  21. 3 1
      pkg/provider/alibaba/client.go
  22. 2 1
      pkg/provider/azure/keyvault/keyvault.go
  23. 3 1
      pkg/provider/bitwarden/bitwarden_sdk.go
  24. 3 1
      pkg/provider/cloudru/secretmanager/endpoints.go
  25. 3 1
      pkg/provider/doppler/client/client.go
  26. 3 1
      pkg/provider/gcp/secretmanager/auth.go
  27. 3 1
      pkg/provider/gcp/secretmanager/workload_identity.go
  28. 3 1
      pkg/provider/infisical/api/api.go
  29. 3 1
      pkg/provider/onboardbase/client/client.go
  30. 2 3
      pkg/provider/passworddepot/passworddepot_api.go
  31. 3 1
      pkg/provider/senhasegura/auth/iso.go
  32. 3 1
      pkg/provider/senhasegura/dsm/dsm.go
  33. 5 4
      pkg/provider/vault/auth_iam.go
  34. 3 1
      pkg/utils/utils.go

+ 2 - 2
.github/workflows/ci.yml

@@ -9,7 +9,7 @@ on:
 
 env:
   # Common versions
-  GOLANGCI_VERSION: 'v1.64.6'
+  GOLANGCI_VERSION: 'v2.1.6'
   KUBERNETES_VERSION: '1.31.x'
 
   # Sonar
@@ -65,7 +65,7 @@ jobs:
         run: go mod download
 
       - name: Lint
-        uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: ${{ env.GOLANGCI_VERSION }}
           skip-pkg-cache: true

+ 89 - 85
.golangci.yaml

@@ -1,54 +1,11 @@
+version: "2"
+
 run:
   timeout: 10m
-
-linters-settings:
-  gci:
-    sections:
-      - "standard"
-      - "default"
-      - "prefix(github.com/external-secrets/external-secrets)"
-      - "blank"
-      - "dot"
-  goconst:
-    min-len: 3
-    min-occurrences: 3
-  gocritic:
-    enabled-tags:
-      - diagnostic
-      - experimental
-      - opinionated
-      - performance
-      - style
-    disabled-checks:
-      - dupImport
-      - ifElseChain
-      - octalLiteral
-      - whyNoLint
-      - wrapperFunc
-      - importShadow
-      - unnamedResult
-      - unnecessaryBlock
-    settings:
-      rangeValCopy:
-        sizeThreshold: 512
-      hugeParam:
-        sizeThreshold: 512
-  gocyclo:
-    min-complexity: 16
-  goheader:
-    template-path: ./hack/boilerplate.go.txt
-  dupl:
-    threshold: 200
-  govet:
-    disable:
-      - shadow
-  lll:
-    line-length: 300
-  misspell:
-    locale: US
+  allow-parallel-runners: true
 
 linters:
-  disable-all: true
+  default: none
   enable:
     - asciicheck
     - bodyclose
@@ -58,65 +15,112 @@ linters:
     - errorlint
     - exhaustive
     - copyloopvar
-    - gci
     - goheader
     - goconst
     - gocritic
     - godot
-    - gofmt
     - goprintffuncname
     - gosec
-    - gosimple
     - govet
     - ineffassign
-    - lll
     - misspell
     - nakedret
     - nolintlint
     - prealloc
-    - staticcheck
-    - stylecheck
-    - typecheck
+    - lll
     - unconvert
     - unparam
     - unused
     - whitespace
+  settings:
+    goconst:
+      min-len: 3
+      min-occurrences: 3
+    gocritic:
+      enabled-tags:
+        - diagnostic
+        - experimental
+        - opinionated
+        - performance
+        - style
+      disabled-checks:
+        - dupImport
+        - ifElseChain
+        - octalLiteral
+        - whyNoLint
+        - wrapperFunc
+        - importShadow
+        - unnamedResult
+        - unnecessaryBlock
+      settings:
+        rangeValCopy:
+          sizeThreshold: 512
+        hugeParam:
+          sizeThreshold: 512
+    gocyclo:
+      min-complexity: 16
+    goheader:
+      template-path: ./hack/boilerplate.go.txt
+    dupl:
+      threshold: 200
+    govet:
+      disable:
+        - shadow
+    lll:
+      line-length: 300
+#    staticcheck:
+#      checks:
+#        - QF1008
+    misspell:
+      locale: US
+  exclusions:
+    rules:
+      # Exclude some linters from running on tests files.
+      - path: _test(ing)?\.go
+        linters:
+          - gocyclo
+          - errcheck
+          - dupl
+          - gosec
+          - unparam
+          - lll
 
-issues:
-  # Excluding configuration per-path and per-linter
-  exclude-rules:
-    # Exclude some linters from running on tests files.
-    - path: _test(ing)?\.go
-      linters:
-        - gocyclo
-        - errcheck
-        - dupl
-        - gosec
-        - unparam
-        - lll
+      # Ease some gocritic warnings on test files.
+      - path: _test\.go
+        text: "(unnamedResult|exitAfterDefer)"
+        linters:
+          - gocritic
 
-    # Ease some gocritic warnings on test files.
-    - path: _test\.go
-      text: "(unnamedResult|exitAfterDefer)"
-      linters:
-        - gocritic
-
-    # This is a "potential hardcoded credentials" warning. It's triggered by
-    # any variable with 'secret' in the same, and thus hits a lot of false
-    # positives in Kubernetes land where a Secret is an object type.
-    - text: "G101:"
-      linters:
-        - gosec
-
-    # The header check doesn't correctly parse the header as a code comment and is
-    # triggered by the perceived diff. The header check still correctly detects missing
-    # license headers and is useful for some cases.
-    - text: "Actual:"
-      linters:
-        - goheader
+      # This is a "potential hardcoded credentials" warning. It's triggered by
+      # any variable with 'secret' in the same, and thus hits a lot of false
+      # positives in Kubernetes land where a Secret is an object type.
+      - text: "G101:"
+        linters:
+          - gosec
 
+      # The header check doesn't correctly parse the header as a code comment and is
+      # triggered by the perceived diff. The header check still correctly detects missing
+      # license headers and is useful for some cases.
+      - text: "Actual:"
+        linters:
+          - goheader
+issues:
   # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
   max-issues-per-linter: 0
 
   # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
   max-same-issues: 0
+
+formatters:
+  settings:
+    golines:
+      # Target maximum line length.
+      # Default: 100
+      max-len: 200
+    gci:
+      sections:
+        - "standard"
+        - "default"
+        - "prefix(github.com/external-secrets/external-secrets)"
+        - "blank"
+        - "dot"
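Review bot: The new `linters.enable` list drops `staticcheck`, `gosimple` and `stylecheck` and adds nothing back, so with `default: none` the staticcheck family appears to be switched off entirely (its `staticcheck:` settings block is also left commented out). In golangci-lint v2 those three are merged under the single name `staticcheck`, so I would add `- staticcheck` to the enable list and silence individual checks through explicit exclusions. The new `formatters:` section likewise carries only `settings:`; `gci` and `gofmt` were removed from the linters list and, as far as I can tell, will not run unless they are listed under `formatters.enable`, and `golines` is configured but never enabled.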

+ 2 - 2
Makefile

@@ -353,7 +353,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint
 
 ## Tool Versions
-GOLANGCI_VERSION := 1.64.6
+GOLANGCI_VERSION := 2.1.6
 KUBERNETES_VERSION := 1.30.x
 TILT_VERSION := 0.33.21
 CTY_VERSION := 1.1.3
@@ -367,7 +367,7 @@ $(ENVTEST): $(LOCALBIN)
 .PHONY: $(GOLANGCI_LINT)
 golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
 $(GOLANGCI_LINT): $(LOCALBIN)
-	test -s $(LOCALBIN)/golangci-lint && $(LOCALBIN)/golangci-lint version --format short | grep -q $(GOLANGCI_VERSION) || \
+	test -s $(LOCALBIN)/golangci-lint && $(LOCALBIN)/golangci-lint version | grep -q $(GOLANGCI_VERSION) || \
 	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(LOCALBIN) v$(GOLANGCI_VERSION)
 
 .PHONY: tilt
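Review bot: The `$(GOLANGCI_LINT)` recipe still pipes `install.sh` from the mutable `master` branch straight into `sh`, while the workflow in this same commit pins the lint action to a full commit SHA; the local install path deserves the same pinning, for example fetching the script from the `v$(GOLANGCI_VERSION)` tag or a fixed commit. The rewritten check `grep -q $(GOLANGCI_VERSION)` is also looser than the old `--format short` comparison, because the dots act as regex wildcards and the pattern can match anywhere in the full version banner. A fixed-string match such as `grep -qF "$(GOLANGCI_VERSION)"` avoids the wildcard problem; I have not confirmed the exact v2 banner format, so tighten the pattern against what `golangci-lint version` actually prints.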

+ 6 - 5
cmd/esoctl/template.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -75,7 +76,7 @@ func templateRun(_ *cobra.Command, _ []string) error {
 
 	ctx := context.Background()
 	obj := &unstructured.Unstructured{}
-	content, err := os.ReadFile(templateFile)
+	content, err := os.ReadFile(filepath.Clean(templateFile))
 	if err != nil {
 		return fmt.Errorf("could not read template file: %w", err)
 	}
@@ -90,7 +91,7 @@ func templateRun(_ *cobra.Command, _ []string) error {
 	}
 
 	data := map[string][]byte{}
-	sourceDataContent, err := os.ReadFile(secretDataFile)
+	sourceDataContent, err := os.ReadFile(filepath.Clean(secretDataFile))
 	if err != nil {
 		return fmt.Errorf("could not read source secret file: %w", err)
 	}
@@ -121,7 +122,7 @@ func templateRun(_ *cobra.Command, _ []string) error {
 
 	out := os.Stdout
 	if outputFile != "" {
-		f, err := os.Create(outputFile)
+		f, err := os.Create(filepath.Clean(outputFile))
 		if err != nil {
 			return fmt.Errorf("could not create output file: %w", err)
 		}
@@ -201,7 +202,7 @@ func executeTemplate(p *templating.Parser, ctx context.Context, tmpl *esv1.Exter
 func setupFromConfigAndFromSecret(p *templating.Parser) error {
 	if templateFromConfigMapFile != "" {
 		var configMap corev1.ConfigMap
-		configMapContent, err := os.ReadFile(templateFromConfigMapFile)
+		configMapContent, err := os.ReadFile(filepath.Clean(templateFromConfigMapFile))
 		if err != nil {
 			return err
 		}
@@ -215,7 +216,7 @@ func setupFromConfigAndFromSecret(p *templating.Parser) error {
 
 	if templateFromSecretFile != "" {
 		var secret corev1.Secret
-		secretContent, err := os.ReadFile(templateFromSecretFile)
+		secretContent, err := os.ReadFile(filepath.Clean(templateFromSecretFile))
 		if err != nil {
 			return err
 		}
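Review bot: Wrapping `templateFile`, `secretDataFile`, `outputFile`, `templateFromConfigMapFile` and `templateFromSecretFile` in `filepath.Clean` only normalises the path string; it does not confine the path to any directory, so it presumably quiets the linter's file-path finding without changing what can be read or written. For a CLI whose operator supplies the paths that is likely the intended trust model, but it should be stated, e.g. `// Path comes from a CLI flag and is trusted; Clean only normalises it.` above each call. The same wrapper is applied to token-file paths in pkg/generator/acr/acr.go, pkg/provider/azure/keyvault/keyvault.go and pkg/provider/vault/auth_iam.go, where the comment should name the environment variable as the trust source. Both functions in this file continue outside the hunks.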

+ 3 - 1
e2e/framework/addon/eso_argocd_application.go

@@ -150,7 +150,9 @@ func (c *ArgoCDApplication) Install() error {
 		if err != nil {
 			return false, nil
 		}
-		defer res.Body.Close()
+		defer func() {
+			_ = res.Body.Close()
+		}()
 		ginkgo.GinkgoWriter.Printf("webhook res: %d", res.StatusCode)
 		return res.StatusCode == http.StatusOK, nil
 	})

+ 3 - 1
e2e/framework/addon/eso_flux_helm.go

@@ -137,7 +137,9 @@ func (c *FluxHelmRelease) Install() error {
 		if err != nil {
 			return false, nil
 		}
-		defer res.Body.Close()
+		defer func() {
+			_ = res.Body.Close()
+		}()
 		ginkgo.GinkgoWriter.Printf("webhook res: %d", res.StatusCode)
 		return res.StatusCode == http.StatusOK, nil
 	})

+ 6 - 2
e2e/framework/addon/vault.go

@@ -275,7 +275,9 @@ func (l *Vault) configureVault() error {
 	if err != nil {
 		return err
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	sec, err := vault.ParseSecret(res.Body)
 	if err != nil {
 		return err
@@ -289,7 +291,9 @@ func (l *Vault) configureVault() error {
 	if err != nil {
 		return err
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	sec, err = vault.ParseSecret(res.Body)
 	if err != nil {
 		return err
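Review bot: Both new deferred closures in configureVault capture the variable `res` rather than the body that existed when the defer was registered, so if `res` is reassigned between the two hunks (the second `sec, err = ...` suggests the variables are reused, but the assignment is outside the hunk) both closures close the second response body and the first is never closed. The old `defer res.Body.Close()` evaluated `res.Body` at defer time and did not have this problem. Bind the body explicitly, e.g. `body := res.Body` followed by `defer func() { _ = body.Close() }()`, using a distinct local for each response.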

+ 3 - 1
e2e/framework/util/util.go

@@ -244,7 +244,9 @@ func WaitForURL(url string) error {
 		if err != nil {
 			return false, nil
 		}
-		defer res.Body.Close()
+		defer func() {
+			_ = res.Body.Close()
+		}()
 		if res.StatusCode == http.StatusOK {
 			return true, nil
 		}

+ 3 - 1
e2e/suites/provider/cases/akeyless/provider.go

@@ -221,7 +221,9 @@ func readK8SServiceAccountJWT() (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer data.Close()
+	defer func() {
+		_ = data.Close()
+	}()
 
 	contentBytes, err := io.ReadAll(data)
 	if err != nil {

+ 3 - 1
pkg/common/webhook/webhook.go

@@ -276,7 +276,9 @@ func (w *Webhook) executeRequest(ctx context.Context, provider *Spec, data []byt
 	if err != nil {
 		return nil, fmt.Errorf("failed to call endpoint: %w", err)
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 	if resp.StatusCode == 404 {
 		return nil, esv1.NoSecretError{}
 	}

+ 6 - 4
pkg/controllers/crds/crds_controller_test.go

@@ -340,14 +340,16 @@ func TestCheckCertChain(t *testing.T) {
 	if err != nil {
 		t.Errorf(failedCreateServerCerts, err)
 	}
-	os.WriteFile(cacrt, caArtifacts.CertPEM, 0644)
-	os.WriteFile(tlscrt, certPEM, 0644)
+	_ = os.WriteFile(cacrt, caArtifacts.CertPEM, 0644)
+	_ = os.WriteFile(tlscrt, certPEM, 0644)
 	f, _ := os.OpenFile(tlscrt, os.O_APPEND|os.O_WRONLY, 0644)
-	defer f.Close()
+	defer func() {
+		_ = f.Close()
+	}()
 	if _, err = f.Write(chainArtifacts.CertPEM); err != nil {
 		t.Errorf(failedCreateCaChain, err)
 	}
-	os.WriteFile(tlskey, keyPEM, 0644)
+	_ = os.WriteFile(tlskey, keyPEM, 0644)
 	cert := CertInfo{
 		CertDir:  "/tmp",
 		CertName: "tls",
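Review bot: Assigning the `os.WriteFile` results to `_` satisfies errcheck but leaves the test blind to a failed fixture write, and `f, _ := os.OpenFile(...)` still discards its error, so a failed open only surfaces later as an opaque failure from `f.Write`. In a test these are better as hard failures, e.g. `if err := os.WriteFile(cacrt, caArtifacts.CertPEM, 0644); err != nil { t.Fatal(err) }`, with the same treatment for the open. The key file is also written with mode 0644 under what looks like a fixed `/tmp` directory (`CertDir: "/tmp"`); `t.TempDir()` and 0600 for `tlskey` would keep the fixture private to the test run. TestCheckCertChain continues outside the hunk.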

+ 3 - 1
pkg/controllers/externalsecret/externalsecret_controller_secret.go

@@ -43,7 +43,9 @@ func (r *Reconciler) getProviderSecretData(ctx context.Context, externalSecret *
 	// that are created during the fetching process and closes clients
 	// if needed.
 	mgr := secretstore.NewManager(r.Client, r.ControllerClass, r.EnableFloodGate)
-	defer mgr.Close(ctx)
+	defer func() {
+		_ = mgr.Close(ctx)
+	}()
 
 	// statemanager takes care of managing the state of the generators.
 	// Since ExternalSecrets can have multiple generators, we need to keep track of the state of each generator

+ 3 - 1
pkg/controllers/pushsecret/pushsecret_controller.go

@@ -91,7 +91,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	var ps esapi.PushSecret
 	mgr := secretstore.NewManager(r.Client, r.ControllerClass, false)
-	defer mgr.Close(ctx)
+	defer func() {
+		_ = mgr.Close(ctx)
+	}()
 
 	if err := r.Get(ctx, req.NamespacedName, &ps); err != nil {
 		if apierrors.IsNotFound(err) {

+ 1 - 1
pkg/controllers/secretstore/client_manager.go

@@ -160,7 +160,7 @@ func (m *Manager) getStoredClient(ctx context.Context, storeProvider esv1.Provid
 		"store", storeName)
 	// if we have a client, but it points to a different store
 	// we must clean it up
-	val.client.Close(ctx)
+	_ = val.client.Close(ctx)
 	delete(m.clientMap, idx)
 	return nil
 }

+ 3 - 1
pkg/controllers/secretstore/common.go

@@ -112,7 +112,9 @@ func reconcile(ctx context.Context, req ctrl.Request, ss esapi.GenericStore, cl
 func validateStore(ctx context.Context, namespace, controllerClass string, store esapi.GenericStore,
 	client client.Client, gaugeVecGetter metrics.GaugeVevGetter, recorder record.EventRecorder) error {
 	mgr := NewManager(client, controllerClass, false)
-	defer mgr.Close(ctx)
+	defer func() {
+		_ = mgr.Close(ctx)
+	}()
 	cl, err := mgr.GetFromStore(ctx, store, namespace)
 	if err != nil {
 		cond := NewSecretStoreCondition(esapi.SecretStoreReady, v1.ConditionFalse, esapi.ReasonInvalidProviderConfig, errUnableCreateClient)

+ 8 - 3
pkg/generator/acr/acr.go

@@ -22,6 +22,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
@@ -176,7 +177,9 @@ func fetchACRAccessToken(acrRefreshToken, _, registryURL, scope string) (string,
 	if err != nil {
 		return "", err
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	if res.StatusCode != http.StatusOK {
 		return "", fmt.Errorf("could not generate access token, unexpected status code: %d", res.StatusCode)
 	}
@@ -211,7 +214,9 @@ func fetchACRRefreshToken(aadAccessToken, tenantID, registryURL string) (string,
 	if err != nil {
 		return "", err
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	if res.StatusCode != http.StatusOK {
 		return "", fmt.Errorf("count not generate refresh token, unexpected status code %d, expected %d", res.StatusCode, http.StatusOK)
 	}
@@ -244,7 +249,7 @@ func accessTokenForWorkloadIdentity(ctx context.Context, crClient client.Client,
 		if clientID == "" || tenantID == "" || tokenFilePath == "" {
 			return "", errors.New("missing environment variables")
 		}
-		token, err := os.ReadFile(tokenFilePath)
+		token, err := os.ReadFile(filepath.Clean(tokenFilePath))
 		if err != nil {
 			return "", fmt.Errorf("unable to read token file %s: %w", tokenFilePath, err)
 		}

+ 3 - 1
pkg/generator/github/github.go

@@ -119,7 +119,9 @@ func (g *Generator) generate(
 	if err != nil {
 		return nil, nil, fmt.Errorf("error performing request: %w", err)
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	// git access token
 	var gat map[string]any

+ 3 - 1
pkg/generator/quay/quay.go

@@ -154,7 +154,9 @@ func getQuayRobotToken(ctx context.Context, fedToken, robotAccount, url string,
 	if err != nil {
 		return "", err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	if resp.StatusCode != 200 {
 		return "", fmt.Errorf("request failed do to unexpected status: %s", resp.Status)

+ 33 - 11
pkg/provider/akeyless/akeyless_api.go

@@ -85,7 +85,9 @@ func (a *akeylessBase) GetToken(ctx context.Context, accessID, accType, accTypeP
 	if err != nil {
 		return "", fmt.Errorf("authentication failed: %w", err)
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	token := authOut.GetToken()
 	return token, nil
 }
@@ -145,7 +147,9 @@ func (a *akeylessBase) DescribeItem(ctx context.Context, itemName string) (*akey
 	if err != nil {
 		return nil, fmt.Errorf("can't describe item: %w", err)
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 
 	return &gsvOut, nil
 }
@@ -166,7 +170,9 @@ func (a *akeylessBase) GetCertificate(ctx context.Context, certificateName strin
 	if err != nil {
 		return "", fmt.Errorf("can't get certificate value: %w", err)
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 
 	out, err := json.Marshal(gcvOut)
 	if err != nil {
@@ -192,7 +198,9 @@ func (a *akeylessBase) GetRotatedSecrets(ctx context.Context, secretName string,
 	if err != nil {
 		return "", fmt.Errorf("can't get rotated secret value: %w", err)
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	valI, ok := gsvOut["value"]
 	var out []byte
 	if ok {
@@ -231,7 +239,9 @@ func (a *akeylessBase) GetDynamicSecrets(ctx context.Context, secretName string)
 	if err != nil {
 		return "", fmt.Errorf("can't get dynamic secret value: %w", err)
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	out, err := json.Marshal(gsvOut)
 	if err != nil {
 		return "", fmt.Errorf("can't marshal dynamic secret value: %w", err)
@@ -255,7 +265,9 @@ func (a *akeylessBase) GetStaticSecret(ctx context.Context, secretName string, v
 	if err != nil {
 		return "", fmt.Errorf("can't get secret value: %w", err)
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	val, ok := gsvOut[secretName]
 	if !ok {
 		return "", fmt.Errorf("can't get secret: %v", secretName)
@@ -303,7 +315,9 @@ func (a *akeylessBase) ListSecrets(ctx context.Context, path, tag string) ([]str
 	if err != nil {
 		return nil, fmt.Errorf("error on get secrets list: %w", err)
 	}
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	if lipOut.Items == nil {
 		return nil, nil
 	}
@@ -327,7 +341,9 @@ func (a *akeylessBase) CreateSecret(ctx context.Context, remoteKey, data string)
 		return err
 	}
 	_, res, err := a.RestAPI.CreateSecret(ctx).Body(body).Execute()
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	metrics.ObserveAPICall(constants.ProviderAKEYLESSSM, constants.CallAKEYLESSSMCreateSecret, err)
 	return err
 }
@@ -341,7 +357,9 @@ func (a *akeylessBase) UpdateSecret(ctx context.Context, remoteKey, data string)
 		return err
 	}
 	_, res, err := a.RestAPI.UpdateSecretVal(ctx).Body(body).Execute()
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	metrics.ObserveAPICall(constants.ProviderAKEYLESSSM, constants.CallAKEYLESSSMUpdateSecretVal, err)
 	return err
 }
@@ -354,7 +372,9 @@ func (a *akeylessBase) DeleteSecret(ctx context.Context, remoteKey string) error
 		return err
 	}
 	_, res, err := a.RestAPI.DeleteItem(ctx).Body(body).Execute()
-	defer res.Body.Close()
+	defer func() {
+		_ = res.Body.Close()
+	}()
 	metrics.ObserveAPICall(constants.ProviderAKEYLESSSM, constants.CallAKEYLESSSMDeleteItem, err)
 	return err
 }
@@ -455,7 +475,9 @@ func readK8SServiceAccountJWT() (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer data.Close()
+	defer func() {
+		_ = data.Close()
+	}()
 
 	contentBytes, err := io.ReadAll(data)
 	if err != nil {
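Review bot: In the CreateSecret, UpdateSecret and DeleteSecret hunks the deferred closure dereferences `res.Body` before `err` from `Execute()` has been checked, so a call that fails without returning a response would hit a nil pointer when the function returns. Guard the close with `if res != nil && res.Body != nil { _ = res.Body.Close() }`, or return on `err` before registering the defer, which is the ordering the other methods in this file already use. Whether the generated client can return a nil response together with an error is not visible here, so treat the guard as defensive.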

+ 3 - 1
pkg/provider/akeyless/utils.go

@@ -104,7 +104,9 @@ func sendReq(url string) string {
 	if err != nil {
 		return ""
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	body, _ := io.ReadAll(resp.Body)
 	return string(body)

+ 3 - 1
pkg/provider/alibaba/client.go

@@ -147,7 +147,9 @@ func (s *secretsManagerClient) doAPICall(ctx context.Context,
 	if err != nil {
 		return nil, fmt.Errorf("error invoking http request: %w", err)
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	return s.parseResponse(resp)
 }

+ 2 - 1
pkg/provider/azure/keyvault/keyvault.go

@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
@@ -888,7 +889,7 @@ func (a *Azure) authorizerForWorkloadIdentity(ctx context.Context, tokenProvider
 		if clientID == "" || tenantID == "" || tokenFilePath == "" {
 			return nil, errors.New(errMissingWorkloadEnvVars)
 		}
-		token, err := os.ReadFile(tokenFilePath)
+		token, err := os.ReadFile(filepath.Clean(tokenFilePath))
 		if err != nil {
 			return nil, fmt.Errorf(errReadTokenFile, tokenFilePath, err)
 		}

+ 3 - 1
pkg/provider/bitwarden/bitwarden_sdk.go

@@ -244,7 +244,9 @@ func (s *SdkClient) performHTTPRequestOperation(ctx context.Context, params para
 	if err != nil {
 		return fmt.Errorf("failed to do request: %w", err)
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	if resp.StatusCode != http.StatusOK {
 		content, _ := io.ReadAll(resp.Body)

+ 3 - 1
pkg/provider/cloudru/secretmanager/endpoints.go

@@ -46,7 +46,9 @@ func GetEndpoints(url string) (*EndpointsResponse, error) {
 	if err != nil {
 		return nil, fmt.Errorf("get cloud.ru endpoints: %w", err)
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("get cloud.ru endpoints: unexpected status code %d", resp.StatusCode)

+ 3 - 1
pkg/provider/doppler/client/client.go

@@ -310,7 +310,9 @@ func (c *DopplerClient) performRequest(path, method string, headers headers, par
 	if err != nil {
 		return nil, &APIError{Err: err, Message: "unable to load response"}
 	}
-	defer r.Body.Close()
+	defer func() {
+		_ = r.Body.Close()
+	}()
 
 	bodyResponse, err := io.ReadAll(r.Body)
 	if err != nil {

+ 3 - 1
pkg/provider/gcp/secretmanager/auth.go

@@ -36,7 +36,9 @@ func NewTokenSource(ctx context.Context, auth esv1.GCPSMAuth, projectID, storeKi
 	if err != nil {
 		return nil, errors.New("unable to initialize workload identity")
 	}
-	defer wi.Close()
+	defer func() {
+		_ = wi.Close()
+	}()
 	isClusterKind := storeKind == esv1.ClusterSecretStoreKind
 	ts, err = wi.TokenSource(ctx, auth, isClusterKind, kube, namespace)
 	if ts != nil || err != nil {

+ 3 - 1
pkg/provider/gcp/secretmanager/workload_identity.go

@@ -302,7 +302,9 @@ func (g *gcpIDBindTokenGenerator) Generate(ctx context.Context, client *http.Cli
 		return nil, fmt.Errorf("could not get idbindtoken token, status: %v", resp.StatusCode)
 	}
 
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 	respBody, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
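Review bot: The deferred close is registered only after the early `return nil, fmt.Errorf("could not get idbindtoken token, status: %v", resp.StatusCode)`, so on that path the response body is never closed and the underlying connection cannot be reused. Move `defer func() { _ = resp.Body.Close() }()` to directly after the request's error check, above the status test. The condition guarding that return is outside the hunk, so confirm it is the status check it appears to be.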

+ 3 - 1
pkg/provider/infisical/api/api.go

@@ -208,7 +208,9 @@ func (a *InfisicalClient) do(endpoint, method string, params map[string]string,
 	if err != nil {
 		return err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	if err := checkError(resp); err != nil {
 		return err

+ 3 - 1
pkg/provider/onboardbase/client/client.go

@@ -388,7 +388,9 @@ func (c *OnboardbaseClient) performRequest(config *performRequestConfig) (*apiRe
 	if err != nil {
 		return nil, &APIError{Err: err, Message: "unable to load response"}
 	}
-	defer r.Body.Close()
+	defer func() {
+		_ = r.Body.Close()
+	}()
 
 	bodyResponse, err := io.ReadAll(r.Body)
 	if err != nil {

+ 2 - 3
pkg/provider/passworddepot/passworddepot_api.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package passworddepot
 
 import (
@@ -229,9 +230,7 @@ func (api *API) ListSecrets(dbFingerprint, folder string) (DatabaseEntries, erro
 func ReadAndUnmarshal(resp *http.Response, target any) error {
 	var buf bytes.Buffer
 	defer func() {
-		if resp.Body != nil {
-			resp.Body.Close()
-		}
+		_ = resp.Body.Close()
 	}()
 	if resp.StatusCode < 200 || resp.StatusCode > 299 {
 		return fmt.Errorf("failed to authenticate with the given credentials: %d %s", resp.StatusCode, buf.String())
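Review bot: The second hunk removes the `if resp.Body != nil` guard, so ReadAndUnmarshal now dereferences `resp.Body` unconditionally in its deferred close; the function is exported and takes a caller-built `*http.Response`, and a response constructed by hand with no body (a test double, for instance) would now panic at return. Keeping the guard costs one line: `if resp.Body != nil { _ = resp.Body.Close() }`. Separately, in the visible lines `buf` is still empty when it is formatted into the status-code error, so that message never carries the response body; the function continues outside the hunk, so confirm against the full body.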

+ 3 - 1
pkg/provider/senhasegura/auth/iso.go

@@ -132,7 +132,9 @@ func (s *SenhaseguraIsoSession) GetIsoToken(clientID, clientSecret, systemURL st
 	if err != nil {
 		return "", errCannotDoRequest
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	if resp.StatusCode != 200 {
 		return "", errInvalidHTTPCode

+ 3 - 1
pkg/provider/senhasegura/dsm/dsm.go

@@ -199,7 +199,9 @@ func (dsm *DSM) FetchSecrets() (respObj IsoDappResponse, err error) {
 	if err != nil {
 		return respObj, errCannotDoRequest
 	}
-	defer resp.Body.Close()
+	defer func() {
+		_ = resp.Body.Close()
+	}()
 
 	if resp.StatusCode != 200 {
 		return respObj, errInvalidHTTPCode

+ 5 - 4
pkg/provider/vault/auth_iam.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
@@ -97,7 +98,7 @@ func (c *client) requestTokenWithIamAuth(ctx context.Context, iamAuth *esv1.Vaul
 		}
 
 		// everything looks good so far, let's fetch the jwt token from AWS_WEB_IDENTITY_TOKEN_FILE
-		jwtByte, err := os.ReadFile(tokenFile)
+		jwtByte, err := os.ReadFile(filepath.Clean(tokenFile))
 		if err != nil {
 			return fmt.Errorf(errIrsaTokenFileNotReadable, tokenFile, err)
 		}
@@ -157,9 +158,9 @@ func (c *client) requestTokenWithIamAuth(ctx context.Context, iamAuth *esv1.Vaul
 		return err
 	}
 	// Set environment variables. These would be fetched by Login
-	os.Setenv("AWS_ACCESS_KEY_ID", getCreds.AccessKeyID)
-	os.Setenv("AWS_SECRET_ACCESS_KEY", getCreds.SecretAccessKey)
-	os.Setenv("AWS_SESSION_TOKEN", getCreds.SessionToken)
+	_ = os.Setenv("AWS_ACCESS_KEY_ID", getCreds.AccessKeyID)
+	_ = os.Setenv("AWS_SECRET_ACCESS_KEY", getCreds.SecretAccessKey)
+	_ = os.Setenv("AWS_SESSION_TOKEN", getCreds.SessionToken)
 
 	var awsAuthClient *authaws.AWSAuth
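Review bot: Discarding the `os.Setenv` results means a failed write leaves whatever `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` were already in the process environment, and the login that reads them would then run with stale credentials without any error surfacing; return the error instead, e.g. `if err := os.Setenv("AWS_ACCESS_KEY_ID", getCreds.AccessKeyID); err != nil { return err }`. These variables are also process-wide, so if requestTokenWithIamAuth can run concurrently for stores with different credentials (not visible in this hunk) the calls can overwrite each other, and the secret values stay readable in the environment afterwards. Passing the credentials to the auth client directly, if its API allows, would avoid both problems. The function continues outside the hunk.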
 

+ 3 - 1
pkg/utils/utils.go

@@ -450,7 +450,9 @@ func NetworkValidate(endpoint string, timeout time.Duration) error {
 	if err != nil {
 		return fmt.Errorf("error accessing external store: %w", err)
 	}
-	defer conn.Close()
+	defer func() {
+		_ = conn.Close()
+	}()
 	return nil
 }