
chore(lint): fix revive lint errors `(pkg/providers)` (#5362)

* chore(lint): fix revive lint errors in providers package

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* feat: add support for decryption scheme from properties in senhasegura Devops Secrets Management (DSM) provider (#3895)

* Initial Commit

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* Building an RSA-Based Sensitive Data Decryption Feature with Advanced Templating v2

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* test: building an rsa-based sensitive data decryption feature with advanced templating v2

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* docs: building an rsa-based sensitive data decryption feature with advanced templating v2

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* reviewable: building an rsa-based sensitive data decryption feature with advanced templating v2

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* docs: building an rsa-based sensitive data decryption feature with advanced templating v2

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* docs: building an rsa-based sensitive data decryption feature with advanced templating v2

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* chore(license): building an rsa-based sensitive data decryption feature with advanced templating v2

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* test: building an rsa-based sensitive data decryption feature with advanced templating v2

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* test: remove bin data test on building an rsa-based sensitive data decryption feature

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* test: add encrypted data test on building an rsa-based sensitive data decryption feature

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

* test: add encrypted data test on building an rsa-based sensitive data decryption feature

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>

---------

Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>
Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* chore(lint): fix dot error

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

---------

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>
Signed-off-by: Felipe Oliveira dos Santos <felipeoliveira.s.br@gmail.com>
Signed-off-by: Gergely Brautigam <skarlso777@gmail.com>
Co-authored-by: Felipe Oliveira <felipeoliveira.s.br@gmail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Ogundele Olumide 8 months ago
parent
commit
91b390ef82
100 changed files with 938 additions and 428 deletions
  1. 19 9
      pkg/provider/akeyless/akeyless.go
  2. 21 12
      pkg/provider/akeyless/akeyless_api.go
  3. 26 26
      pkg/provider/akeyless/akeyless_test.go
  4. 19 1
      pkg/provider/akeyless/fake/fake.go
  5. 3 4
      pkg/provider/alibaba/client.go
  6. 6 1
      pkg/provider/alibaba/fake/fake.go
  7. 10 3
      pkg/provider/alibaba/kms.go
  8. 8 0
      pkg/provider/aws/auth/auth.go
  9. 19 19
      pkg/provider/aws/auth/auth_test.go
  10. 7 2
      pkg/provider/aws/auth/fake/assumeroler.go
  11. 1 0
      pkg/provider/aws/auth/resolver.go
  12. 33 3
      pkg/provider/aws/parameterstore/fake/fake.go
  13. 12 3
      pkg/provider/aws/parameterstore/parameterstore.go
  14. 4 1
      pkg/provider/aws/provider.go
  15. 6 2
      pkg/provider/aws/secretsmanager/fake/fake.go
  16. 2 0
      pkg/provider/aws/secretsmanager/resolver.go
  17. 11 4
      pkg/provider/aws/secretsmanager/secretsmanager.go
  18. 1 0
      pkg/provider/aws/util/errors.go
  19. 4 1
      pkg/provider/aws/util/provider.go
  20. 55 29
      pkg/provider/azure/keyvault/keyvault.go
  21. 4 1
      pkg/provider/azure/keyvault/keyvault_certificate.go
  22. 13 11
      pkg/provider/beyondtrust/provider.go
  23. 18 2
      pkg/provider/bitwarden/bitwarden_sdk.go
  24. 2 2
      pkg/provider/bitwarden/bitwarden_sdk_test.go
  25. 4 2
      pkg/provider/bitwarden/client.go
  26. 3 3
      pkg/provider/bitwarden/client_test.go
  27. 16 5
      pkg/provider/bitwarden/fake_client.go
  28. 1 0
      pkg/provider/bitwarden/provider.go
  29. 19 6
      pkg/provider/chef/chef.go
  30. 4 0
      pkg/provider/cloudru/secretmanager/adapter/csm_client.go
  31. 9 4
      pkg/provider/cloudru/secretmanager/client.go
  32. 7 8
      pkg/provider/conjur/auth_jwt.go
  33. 11 5
      pkg/provider/conjur/client.go
  34. 1 0
      pkg/provider/conjur/conjur_api.go
  35. 7 2
      pkg/provider/conjur/provider.go
  36. 2 0
      pkg/provider/conjur/util/provider.go
  37. 3 0
      pkg/provider/delinea/client.go
  38. 3 0
      pkg/provider/delinea/provider.go
  39. 21 6
      pkg/provider/device42/device42.go
  40. 14 4
      pkg/provider/device42/device42_api.go
  41. 22 12
      pkg/provider/doppler/client.go
  42. 16 0
      pkg/provider/doppler/client/client.go
  43. 5 2
      pkg/provider/doppler/provider.go
  44. 1 0
      pkg/provider/fortanix/fortanix.go
  45. 6 0
      pkg/provider/fortanix/provider.go
  46. 8 0
      pkg/provider/gcp/secretmanager/auth.go
  47. 9 1
      pkg/provider/gcp/secretmanager/client.go
  48. 5 3
      pkg/provider/gcp/secretmanager/provider.go
  49. 5 1
      pkg/provider/gcp/secretmanager/push_secret.go
  50. 3 2
      pkg/provider/gcp/secretmanager/workload_identity.go
  51. 7 5
      pkg/provider/gcp/secretmanager/workload_identity_federation.go
  52. 4 4
      pkg/provider/gcp/secretmanager/workload_identity_federation_test.go
  53. 4 13
      pkg/provider/github/auth.go
  54. 16 3
      pkg/provider/github/client.go
  55. 0 13
      pkg/provider/github/env_secrets.go
  56. 0 13
      pkg/provider/github/org_secrets.go
  57. 8 18
      pkg/provider/github/provider.go
  58. 0 13
      pkg/provider/github/repo_secrets.go
  59. 13 7
      pkg/provider/gitlab/gitlab.go
  60. 5 3
      pkg/provider/gitlab/gitlab_test.go
  61. 5 2
      pkg/provider/gitlab/provider.go
  62. 3 0
      pkg/provider/ibm/provider.go
  63. 2 1
      pkg/provider/infisical/api/api_fake.go
  64. 10 0
      pkg/provider/infisical/api/api_models.go
  65. 12 7
      pkg/provider/infisical/client.go
  66. 6 1
      pkg/provider/infisical/constants/constants.go
  67. 23 14
      pkg/provider/infisical/provider.go
  68. 1 1
      pkg/provider/infisical/provider_test.go
  69. 46 15
      pkg/provider/keepersecurity/client.go
  70. 5 2
      pkg/provider/keepersecurity/provider.go
  71. 2 0
      pkg/provider/kubernetes/auth.go
  72. 10 0
      pkg/provider/kubernetes/client.go
  73. 5 0
      pkg/provider/kubernetes/metadata.go
  74. 8 2
      pkg/provider/kubernetes/provider.go
  75. 2 0
      pkg/provider/kubernetes/validate.go
  76. 17 7
      pkg/provider/onboardbase/client.go
  77. 29 3
      pkg/provider/onboardbase/client/client.go
  78. 3 0
      pkg/provider/onboardbase/provider.go
  79. 5 0
      pkg/provider/onepassword/onepassword.go
  80. 10 6
      pkg/provider/onepasswordsdk/client.go
  81. 6 0
      pkg/provider/onepasswordsdk/provider.go
  82. 18 0
      pkg/provider/oracle/oracle.go
  83. 17 0
      pkg/provider/passbolt/passbolt.go
  84. 18 2
      pkg/provider/passworddepot/passworddepot.go
  85. 15 3
      pkg/provider/passworddepot/passworddepot_api.go
  86. 20 6
      pkg/provider/previder/provider.go
  87. 4 0
      pkg/provider/pulumi/provider.go
  88. 2 0
      pkg/provider/pulumi/pulumi.go
  89. 2 2
      pkg/provider/register/register.go
  90. 1 0
      pkg/provider/scaleway/cache.go
  91. 5 0
      pkg/provider/scaleway/provider.go
  92. 3 0
      pkg/provider/secretserver/provider.go
  93. 2 0
      pkg/provider/senhasegura/auth/iso.go
  94. 23 32
      pkg/provider/senhasegura/dsm/dsm.go
  95. 3 4
      pkg/provider/senhasegura/provider.go
  96. 6 1
      pkg/provider/util/locks/secret_locks.go
  97. 12 12
      pkg/provider/vault/auth_kubernetes.go
  98. 2 2
      pkg/provider/vault/auth_test.go
  99. 8 8
      pkg/provider/vault/client_get_all_secrets_test.go
  100. 1 1
      pkg/provider/vault/client_get_test.go

+ 19 - 9
pkg/provider/akeyless/akeyless.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package akeyless provides integration with Akeyless Vault for secrets management.
 package akeyless
 
 import (
@@ -45,12 +46,13 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
-type AkeylessCtx string
+// Ctx is a type used for context keys in Akeyless provider implementations.
+type Ctx string
 
 const (
-	defaultAPIUrl                   = "https://api.akeyless.io"
-	extSecretManagedTag             = "k8s-external-secrets"
-	aKeylessToken       AkeylessCtx = "AKEYLESS_TOKEN"
+	defaultAPIUrl           = "https://api.akeyless.io"
+	extSecretManagedTag     = "k8s-external-secrets"
+	aKeylessToken       Ctx = "AKEYLESS_TOKEN"
 )
 
 // https://github.com/external-secrets/external-secrets/issues/644
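Review bot: `Ctx` remains an exported string type even though it is the type of the context key `aKeylessToken`, so any other package can construct `akeyless.Ctx("AKEYLESS_TOKEN")` and read or shadow the token that `contextWithToken` stores under that key. The usual Go pattern is an unexported key type, for example `type ctxKey struct{}` with `var aKeylessToken = ctxKey{}`, which keeps the value reachable only from inside this package. The rename from `AkeylessCtx` already breaks external references, so unexporting the type in the same change should cost nothing extra, assuming no other package needs it.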
@@ -72,11 +74,13 @@ type akeylessBase struct {
 	RestAPI          *akeyless.V2ApiService
 }
 
+// Akeyless represents a client for the Akeyless Vault service.
 type Akeyless struct {
 	Client akeylessVaultInterface
 	url    string
 }
 
+// Item represents an item in the Akeyless Vault.
 type Item struct {
 	ItemName    string `json:"item_name"`
 	ItemType    string `json:"item_type"`
@@ -121,6 +125,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return newClient(ctx, store, kube, clientset.CoreV1(), namespace)
 }
 
+// ValidateStore validates the configuration of the Akeyless provider in the store.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	akeylessSpec := storeSpec.Provider.Akeyless
@@ -128,12 +133,12 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	akeylessGWApiURL := akeylessSpec.AkeylessGWApiURL
 
 	if akeylessGWApiURL != nil && *akeylessGWApiURL != "" {
-		url, err := url.Parse(*akeylessGWApiURL)
+		parsedURL, err := url.Parse(*akeylessGWApiURL)
 		if err != nil {
 			return nil, errors.New(errInvalidAkeylessURL)
 		}
 
-		if url.Host == "" {
+		if parsedURL.Host == "" {
 			return nil, errors.New(errInvalidAkeylessURL)
 		}
 	}
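Review bot: The gateway URL check in this hunk still accepts any scheme, because it only rejects a parse failure or an empty `parsedURL.Host`. This is the endpoint the provider later authenticates against, so a plain `http://` value would presumably pass validation and carry credentials unencrypted. Consider also requiring `parsedURL.Scheme == "https"`, or at least returning an entry in `admission.Warnings` for `http`. The parse error is also discarded in favour of the fixed `errInvalidAkeylessURL` text; wrapping it would tell the user what was malformed. ValidateStore continues outside the hunk.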
@@ -241,23 +246,25 @@ func (a *Akeyless) contextWithToken(ctx context.Context) (context.Context, error
 	return context.WithValue(ctx, aKeylessToken, token), nil
 }
 
+// Close closes the Akeyless client connection.
 func (a *Akeyless) Close(_ context.Context) error {
 	return nil
 }
 
+// Validate validates the Akeyless connection by testing network connectivity.
 func (a *Akeyless) Validate() (esv1.ValidationResult, error) {
 	timeout := 15 * time.Second
-	url := a.url
+	serviceURL := a.url
 
-	if err := utils.NetworkValidate(url, timeout); err != nil {
+	if err := utils.NetworkValidate(serviceURL, timeout); err != nil {
 		return esv1.ValidationResultError, err
 	}
 
 	return esv1.ValidationResultReady, nil
 }
 
+// GetSecret retrieves a secret with the secret name defined in ref.Name.
 // Implements store.Client.GetSecret Interface.
-// Retrieves a secret with the secret name defined in ref.Name.
 func (a *Akeyless) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(a.Client) {
 		return nil, errors.New(errUninitalizedAkeylessProvider)
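Review bot: The new comment on `Close` says it closes the client connection, but the body is just `return nil` and releases nothing. A comment such as `// Close is a no-op and always returns nil.` would match the code. Likewise `Validate` only calls `utils.NetworkValidate(serviceURL, timeout)` with a 15-second timeout, so it is presumably a reachability probe; the comment could say so with `// Validate reports whether a.url is reachable within 15s; it does not check credentials.` The body of `GetSecret` runs past the end of the hunk.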
@@ -413,6 +420,7 @@ func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretData
 	return secretData, nil
 }
 
+// SecretExists checks if a secret exists in Akeyless Vault at the specified remote reference.
 func (a *Akeyless) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 	if utils.IsNil(a.Client) {
 		return false, errors.New(errUninitalizedAkeylessProvider)
@@ -444,6 +452,7 @@ func initMapIfNotExist(psd esv1.PushSecretData, secretMapSize int) map[string]an
 	return make(map[string]any, mapSize)
 }
 
+// PushSecret pushes a Kubernetes secret to Akeyless Vault using the provided data.
 func (a *Akeyless) PushSecret(ctx context.Context, secret *corev1.Secret, psd esv1.PushSecretData) error {
 	if utils.IsNil(a.Client) {
 		return errors.New(errUninitalizedAkeylessProvider)
@@ -487,6 +496,7 @@ func (a *Akeyless) PushSecret(ctx context.Context, secret *corev1.Secret, psd es
 	return a.Client.UpdateSecret(ctx, psd.GetRemoteKey(), string(dataByte))
 }
 
+// DeleteSecret deletes a secret from Akeyless Vault at the specified remote reference.
 func (a *Akeyless) DeleteSecret(ctx context.Context, psr esv1.PushSecretRemoteRef) error {
 	if utils.IsNil(a.Client) {
 		return errors.New(errUninitalizedAkeylessProvider)

+ 21 - 12
pkg/provider/akeyless/akeyless_api.go

@@ -43,18 +43,25 @@ import (
 )
 
 var (
-	apiErr            akeyless.GenericOpenAPIError
-	ErrItemNotExists  = errors.New("item does not exist")
+	apiErr akeyless.GenericOpenAPIError
+	// ErrItemNotExists is returned when a requested item doesn't exist in Akeyless vault.
+	ErrItemNotExists = errors.New("item does not exist")
+	// ErrTokenNotExists is returned when the authentication token is not available.
 	ErrTokenNotExists = errors.New("token does not exist")
 )
 
+// DefServiceAccountFile is the default path to the Kubernetes service account token.
 const DefServiceAccountFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 
+// Tokener is the interface for types that can have tokens set on them.
 type Tokener interface {
 	SetToken(v string)
 	SetUidToken(v string)
 }
 
+// GetToken retrieves an authentication token from Akeyless Gateway.
+// It supports various authentication methods including API key, access key,
+// Kubernetes service account token, and cloud provider-specific methods.
 func (a *akeylessBase) GetToken(ctx context.Context, accessID, accType, accTypeParam string, k8sAuth *esv1.AkeylessKubernetesAuth) (string, error) {
 	authBody := akeyless.NewAuthWithDefaults()
 	authBody.AccessId = akeyless.PtrString(accessID)
@@ -94,6 +101,7 @@ func (a *akeylessBase) GetToken(ctx context.Context, accessID, accType, accTypeP
 	return token, nil
 }
 
+// GetSecretByType retrieves a secret from Akeyless based on its type.
 func (a *akeylessBase) GetSecretByType(ctx context.Context, secretName string, version int32) (string, error) {
 	item, err := a.DescribeItem(ctx, secretName)
 	if err != nil {
@@ -117,7 +125,8 @@ func (a *akeylessBase) GetSecretByType(ctx context.Context, secretName string, v
 	}
 }
 
-func SetBodyToken(t Tokener, ctx context.Context) error {
+// SetBodyToken sets the appropriate token in the request body based on the context.
+func SetBodyToken(ctx context.Context, t Tokener) error {
 	token, ok := ctx.Value(aKeylessToken).(string)
 	if !ok {
 		return ErrTokenNotExists
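Review bot: Swapping the parameters of the exported `SetBodyToken` breaks any caller outside this package at compile time. Every call site updated in this commit is a method on `akeylessBase`, so if nothing else uses the function it could be unexported in the same change. The added comment could also state the failure mode visible here: `// It returns ErrTokenNotExists when ctx holds no string value under aKeylessToken.` The function body continues past the hunk.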
@@ -134,7 +143,7 @@ func (a *akeylessBase) DescribeItem(ctx context.Context, itemName string) (*akey
 	body := akeyless.DescribeItem{
 		Name: itemName,
 	}
-	if err := SetBodyToken(&body, ctx); err != nil {
+	if err := SetBodyToken(ctx, &body); err != nil {
 		return nil, err
 	}
 	gsvOut, res, err := a.RestAPI.DescribeItem(ctx).Body(body).Execute()
@@ -161,7 +170,7 @@ func (a *akeylessBase) GetCertificate(ctx context.Context, certificateName strin
 		Name:    certificateName,
 		Version: &version,
 	}
-	if err := SetBodyToken(&body, ctx); err != nil {
+	if err := SetBodyToken(ctx, &body); err != nil {
 		return "", err
 	}
 	gcvOut, res, err := a.RestAPI.GetCertificateValue(ctx).Body(body).Execute()
@@ -189,7 +198,7 @@ func (a *akeylessBase) GetRotatedSecrets(ctx context.Context, secretName string,
 		Names:   secretName,
 		Version: &version,
 	}
-	if err := SetBodyToken(&body, ctx); err != nil {
+	if err := SetBodyToken(ctx, &body); err != nil {
 		return "", err
 	}
 	gsvOut, res, err := a.RestAPI.GetRotatedSecretValue(ctx).Body(body).Execute()
@@ -230,7 +239,7 @@ func (a *akeylessBase) GetDynamicSecrets(ctx context.Context, secretName string)
 	body := akeyless.GetDynamicSecretValue{
 		Name: secretName,
 	}
-	if err := SetBodyToken(&body, ctx); err != nil {
+	if err := SetBodyToken(ctx, &body); err != nil {
 		return "", err
 	}
 	gsvOut, res, err := a.RestAPI.GetDynamicSecretValue(ctx).Body(body).Execute()
@@ -256,7 +265,7 @@ func (a *akeylessBase) GetStaticSecret(ctx context.Context, secretName string, v
 		Names:   []string{secretName},
 		Version: &version,
 	}
-	if err := SetBodyToken(&body, ctx); err != nil {
+	if err := SetBodyToken(ctx, &body); err != nil {
 		return "", err
 	}
 	gsvOut, res, err := a.RestAPI.GetSecretValue(ctx).Body(body).Execute()
@@ -310,7 +319,7 @@ func (a *akeylessBase) ListSecrets(ctx context.Context, path, tag string) ([]str
 		MinimalView: &MinimalView,
 		Tag:         &tag,
 	}
-	if err := SetBodyToken(&body, ctx); err != nil {
+	if err := SetBodyToken(ctx, &body); err != nil {
 		return nil, err
 	}
 	lipOut, res, err := a.RestAPI.ListItems(ctx).Body(body).Execute()
@@ -343,7 +352,7 @@ func (a *akeylessBase) CreateSecret(ctx context.Context, remoteKey, data string)
 		Value: data,
 		Tags:  &[]string{extSecretManagedTag},
 	}
-	if err := SetBodyToken(&body, ctx); err != nil {
+	if err := SetBodyToken(ctx, &body); err != nil {
 		return err
 	}
 	_, res, err := a.RestAPI.CreateSecret(ctx).Body(body).Execute()
@@ -359,7 +368,7 @@ func (a *akeylessBase) UpdateSecret(ctx context.Context, remoteKey, data string)
 		Name:  remoteKey,
 		Value: data,
 	}
-	if err := SetBodyToken(&body, ctx); err != nil {
+	if err := SetBodyToken(ctx, &body); err != nil {
 		return err
 	}
 	_, res, err := a.RestAPI.UpdateSecretVal(ctx).Body(body).Execute()
@@ -374,7 +383,7 @@ func (a *akeylessBase) DeleteSecret(ctx context.Context, remoteKey string) error
 	body := akeyless.DeleteItem{
 		Name: remoteKey,
 	}
-	if err := SetBodyToken(&body, ctx); err != nil {
+	if err := SetBodyToken(ctx, &body); err != nil {
 		return err
 	}
 	_, res, err := a.RestAPI.DeleteItem(ctx).Body(body).Execute()

+ 26 - 26
pkg/provider/akeyless/akeyless_test.go

@@ -92,7 +92,7 @@ func nilProviderTestCase() *akeylessTestCase {
 }
 func failGetTestCase() *akeylessTestCase {
 	return makeValidAkeylessTestCase("fail GetSecret").SetExpectVal(false).SetExpectErr("fail get").
-		SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return "", errors.New("fail get") }))
+		SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return "", errors.New("fail get") }))
 }
 
 func makeValidRef() *esv1.ExternalSecretDataRemoteRef {
@@ -308,16 +308,16 @@ func TestSecretExists(t *testing.T) {
 	testCases := []*akeylessTestCase{
 		nilProviderTestCase().SetExpectVal(false),
 		makeValidAkeylessTestCase("no secret").SetExpectVal(false).
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return "", ErrItemNotExists })),
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return "", ErrItemNotExists })),
 		failGetTestCase(),
 		makeValidAkeylessTestCase("success without property").SetExpectVal(true).SetExpectInput(&testingfake.PushSecretData{Property: ""}).
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return "my secret", nil })),
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return "my secret", nil })),
 		makeValidAkeylessTestCase("fail unmarshal").SetExpectVal(false).SetExpectErr("invalid character 'd' looking for beginning of value").SetExpectInput(&testingfake.PushSecretData{Property: "prop"}).
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return "daenerys", nil })),
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return "daenerys", nil })),
 		makeValidAkeylessTestCase("no property").SetExpectVal(false).SetExpectInput(&testingfake.PushSecretData{Property: "prop"}).
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return `{"propa": "a"}`, nil })),
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return `{"propa": "a"}`, nil })),
 		makeValidAkeylessTestCase("success with property").SetExpectVal(true).SetExpectInput(&testingfake.PushSecretData{Property: "prop"}).
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return `{"prop": "a"}`, nil })),
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return `{"prop": "a"}`, nil })),
 	}
 
 	sm := Akeyless{}
@@ -340,29 +340,29 @@ func TestPushSecret(t *testing.T) {
 		nilProviderTestCase(),
 		failGetTestCase(),
 		makeValidAkeylessTestCase("fail unmarshal").SetExpectErr("invalid character 'm' looking for beginning of value").
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return "morgoth", nil })),
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return "morgoth", nil })),
 		makeValidAkeylessTestCase("create new secret").SetExpectInput(&corev1.Secret{Data: map[string][]byte{"test": []byte("test")}}).
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return "", ErrItemNotExists }).
-				SetCreateSecretFn(func(ctx context.Context, remoteKey string, data string) error {
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return "", ErrItemNotExists }).
+				SetCreateSecretFn(func(_ context.Context, _ string, data string) error {
 					if data != `{"test":"test"}` {
 						return errors.New("secret is not good")
 					}
 					return nil
 				})),
 		makeValidAkeylessTestCase("update secret").SetExpectInput(&corev1.Secret{Data: map[string][]byte{"test2": []byte("test2")}}).
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return `{"test2":"untest"}`, nil }).
-				SetUpdateSecretFn(func(ctx context.Context, remoteKey string, data string) error {
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return `{"test2":"untest"}`, nil }).
+				SetUpdateSecretFn(func(_ context.Context, _ string, data string) error {
 					if data != `{"test2":"test2"}` {
 						return errors.New("secret is not good")
 					}
 					return nil
 				})),
 		makeValidAkeylessTestCase("shouldnt update").SetExpectInput(&corev1.Secret{Data: map[string][]byte{"test": []byte("test")}}).
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return `{"test":"test"}`, nil })),
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return `{"test":"test"}`, nil })),
 		makeValidAkeylessTestCase("merge secret maps").SetExpectInput(&corev1.Secret{Data: map[string][]byte{"test": []byte("test")}}).
 			SetExpectInput2(&testingfake.PushSecretData{Property: "test", SecretKey: "test"}).
-			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(secretName string, version int32) (string, error) { return `{"test2":"test2"}`, nil }).
-				SetUpdateSecretFn(func(ctx context.Context, remoteKey string, data string) error {
+			SetMockClient(fakeakeyless.New().SetGetSecretFn(func(_ string, _ int32) (string, error) { return `{"test2":"test2"}`, nil }).
+				SetUpdateSecretFn(func(_ context.Context, _ string, data string) error {
 					expected := `{"test":"test","test2":"test2"}`
 					if data != expected {
 						return fmt.Errorf("secret %s expected %s", data, expected)
@@ -392,31 +392,31 @@ func TestDeleteSecret(t *testing.T) {
 	testCases := []*akeylessTestCase{
 		nilProviderTestCase(),
 		makeValidAkeylessTestCase("fail describe").SetExpectErr("err desc").
-			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(ctx context.Context, itemName string) (*akeyless.Item, error) { return nil, errors.New("err desc") })),
+			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(_ context.Context, _ string) (*akeyless.Item, error) { return nil, errors.New("err desc") })),
 		makeValidAkeylessTestCase("no such item").
-			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(ctx context.Context, itemName string) (*akeyless.Item, error) { return nil, nil })),
+			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(_ context.Context, _ string) (*akeyless.Item, error) { return nil, nil })),
 		makeValidAkeylessTestCase("tags nil").
-			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(ctx context.Context, itemName string) (*akeyless.Item, error) { return &akeyless.Item{}, nil })),
+			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(_ context.Context, _ string) (*akeyless.Item, error) { return &akeyless.Item{}, nil })),
 		makeValidAkeylessTestCase("no external secret managed tags").
-			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(ctx context.Context, itemName string) (*akeyless.Item, error) {
+			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(_ context.Context, _ string) (*akeyless.Item, error) {
 				return &akeyless.Item{ItemTags: &[]string{"some-random-tag"}}, nil
 			})),
 		makeValidAkeylessTestCase("delete whole secret").SetExpectInput(&testingfake.PushSecretData{RemoteKey: "42"}).
-			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(ctx context.Context, itemName string) (*akeyless.Item, error) {
+			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(_ context.Context, _ string) (*akeyless.Item, error) {
 				return &akeyless.Item{ItemTags: &[]string{extSecretManagedTag}}, nil
-			}).SetDeleteSecretFn(func(ctx context.Context, remoteKey string) error {
+			}).SetDeleteSecretFn(func(_ context.Context, remoteKey string) error {
 				if remoteKey != "42" {
 					return fmt.Errorf("remote key %s expected %s", remoteKey, "42")
 				}
 				return nil
 			})),
 		makeValidAkeylessTestCase("delete property of secret").SetExpectInput(&testingfake.PushSecretData{Property: "Foo"}).
-			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(ctx context.Context, itemName string) (*akeyless.Item, error) {
+			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(_ context.Context, _ string) (*akeyless.Item, error) {
 				return &akeyless.Item{ItemTags: &[]string{extSecretManagedTag}}, nil
-			}).SetGetSecretFn(func(secretName string, version int32) (string, error) {
+			}).SetGetSecretFn(func(_ string, _ int32) (string, error) {
 				return `{"Dio": "Brando", "Foo": "Fighters"}`, nil
 			}).
-				SetUpdateSecretFn(func(ctx context.Context, remoteKey string, data string) error {
+				SetUpdateSecretFn(func(_ context.Context, _ string, data string) error {
 					expected := `{"Dio":"Brando"}`
 					if data != expected {
 						return fmt.Errorf("secret %s expected %s", data, expected)
@@ -424,12 +424,12 @@ func TestDeleteSecret(t *testing.T) {
 					return nil
 				})),
 		makeValidAkeylessTestCase("delete secret if one property left").SetExpectInput(&testingfake.PushSecretData{RemoteKey: "Rings", Property: "Annatar"}).
-			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(ctx context.Context, itemName string) (*akeyless.Item, error) {
+			SetMockClient(fakeakeyless.New().SetDescribeItemFn(func(_ context.Context, _ string) (*akeyless.Item, error) {
 				return &akeyless.Item{ItemTags: &[]string{extSecretManagedTag}}, nil
-			}).SetGetSecretFn(func(secretName string, version int32) (string, error) {
+			}).SetGetSecretFn(func(_ string, _ int32) (string, error) {
 				return `{"Annatar": "The Lord of Gifts"}`, nil
 			}).
-				SetDeleteSecretFn(func(ctx context.Context, remoteKey string) error {
+				SetDeleteSecretFn(func(_ context.Context, remoteKey string) error {
 					if remoteKey != "Rings" {
 						return fmt.Errorf("remote key %s expected %s", remoteKey, "Annatar")
 					}
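Review bot: In the "delete secret if one property left" case the `SetDeleteSecretFn` stub checks `remoteKey != "Rings"`, but its error message reports the expected value as "Annatar", which is the property rather than the remote key. A failing run would print a misleading expectation; `return fmt.Errorf("remote key %s expected %s", remoteKey, "Rings")` matches the check. That line is unchanged context, but this hunk already edits the closure's signature, so it is a convenient place to fix it.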

+ 19 - 1
pkg/provider/akeyless/fake/fake.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package fake provides mock implementations for Akeyless provider testing.
 package fake
 
 import (
@@ -22,6 +23,7 @@ import (
 	akeyless "github.com/akeylesslabs/akeyless-go/v4"
 )
 
+// AkeylessMockClient implements a mock client for Akeyless API operations.
 type AkeylessMockClient struct {
 	getSecret    func(secretName string, version int32) (string, error)
 	createSecret func(ctx context.Context, remoteKey, data string) error
@@ -30,77 +32,93 @@ type AkeylessMockClient struct {
 	describeItem func(ctx context.Context, itemName string) (*akeyless.Item, error)
 }
 
+// New creates and returns a new AkeylessMockClient.
 func New() *AkeylessMockClient {
 	return &AkeylessMockClient{}
 }
 
+// SetGetSecretFn sets the function to be called when GetSecret is invoked.
 func (mc *AkeylessMockClient) SetGetSecretFn(f func(secretName string, version int32) (string, error)) *AkeylessMockClient {
 	mc.getSecret = f
 	return mc
 }
 
+// SetCreateSecretFn sets the function to be called when CreateSecret is invoked.
 func (mc *AkeylessMockClient) SetCreateSecretFn(f func(ctx context.Context, remoteKey, data string) error) *AkeylessMockClient {
 	mc.createSecret = f
 	return mc
 }
 
+// SetUpdateSecretFn sets the function to be called when UpdateSecret is invoked.
 func (mc *AkeylessMockClient) SetUpdateSecretFn(f func(ctx context.Context, remoteKey, data string) error) *AkeylessMockClient {
 	mc.updateSecret = f
 	return mc
 }
 
+// SetDeleteSecretFn sets the function to be called when DeleteSecret is invoked.
 func (mc *AkeylessMockClient) SetDeleteSecretFn(f func(ctx context.Context, remoteKey string) error) *AkeylessMockClient {
 	mc.deleteSecret = f
 	return mc
 }
 
+// SetDescribeItemFn sets the function to be called when DescribeItem is invoked.
 func (mc *AkeylessMockClient) SetDescribeItemFn(f func(ctx context.Context, itemName string) (*akeyless.Item, error)) *AkeylessMockClient {
 	mc.describeItem = f
 	return mc
 }
 
+// CreateSecret creates a new secret in the mock Akeyless client.
 func (mc *AkeylessMockClient) CreateSecret(ctx context.Context, remoteKey, data string) error {
 	return mc.createSecret(ctx, remoteKey, data)
 }
 
+// DeleteSecret deletes a secret from the mock Akeyless client.
 func (mc *AkeylessMockClient) DeleteSecret(ctx context.Context, remoteKey string) error {
 	return mc.deleteSecret(ctx, remoteKey)
 }
 
+// DescribeItem retrieves an item description from the mock Akeyless client.
 func (mc *AkeylessMockClient) DescribeItem(ctx context.Context, itemName string) (*akeyless.Item, error) {
 	return mc.describeItem(ctx, itemName)
 }
 
+// UpdateSecret updates an existing secret in the mock Akeyless client.
 func (mc *AkeylessMockClient) UpdateSecret(ctx context.Context, remoteKey, data string) error {
 	return mc.updateSecret(ctx, remoteKey, data)
 }
 
+// TokenFromSecretRef returns a new token for the mock Akeyless client.
 func (mc *AkeylessMockClient) TokenFromSecretRef(_ context.Context) (string, error) {
 	return "newToken", nil
 }
 
+// GetSecretByType retrieves a secret by its type from the mock Akeyless client.
 func (mc *AkeylessMockClient) GetSecretByType(_ context.Context, secretName string, version int32) (string, error) {
 	return mc.getSecret(secretName, version)
 }
 
+// ListSecrets lists secrets from the mock Akeyless client.
 func (mc *AkeylessMockClient) ListSecrets(_ context.Context, _, _ string) ([]string, error) {
 	return nil, nil
 }
 
+// WithValue sets the behavior of the mock client based on input and output values.
 func (mc *AkeylessMockClient) WithValue(_ *Input, out *Output) {
 	if mc != nil {
-		mc.getSecret = func(secretName string, version int32) (string, error) {
+		mc.getSecret = func(_ string, _ int32) (string, error) {
 			return out.Value, out.Err
 		}
 	}
 }
 
+// Input represents the input parameters for the mock client functions.
 type Input struct {
 	SecretName string
 	Token      string
 	Version    int32
 }
 
+// Output represents the output values for the mock client functions.
 type Output struct {
 	Value string
 	Err   error
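Review bot: The new comments on `CreateSecret`, `DeleteSecret`, `DescribeItem`, `UpdateSecret` and `GetSecretByType` describe real operations, but each method only forwards to a function field that stays nil until the matching setter is called. An unconfigured mock therefore panics on a nil function call. Saying so helps test authors more, e.g. `// CreateSecret calls the function installed with SetCreateSecretFn; it panics if none was set.` Similarly, `TokenFromSecretRef` always returns the fixed string "newToken", `ListSecrets` always returns `nil, nil`, and `WithValue` ignores its `*Input` argument; the comments could state these directly.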

+ 3 - 4
pkg/provider/alibaba/client.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package alibaba provides an implementation to interact with the Alibaba Cloud KMS and Secrets Manager.
 package alibaba
 
 import (
@@ -40,6 +41,7 @@ const (
 	kmsAPIVersion = "2016-01-20"
 )
 
+// SecretsManagerClient defines the interface for interacting with the Alibaba Cloud Secrets Manager service.
 type SecretsManagerClient interface {
 	GetSecretValue(
 		ctx context.Context,
@@ -72,10 +74,7 @@ func newClient(config *openapi.Config, options *util.RuntimeOptions) (*secretsMa
 		return nil, errors.New("error KMS endpoint is missing")
 	}
 
-	const (
-		connectTimeoutSec   = 30
-		readWriteTimeoutSec = 60
-	)
+	const readWriteTimeoutSec = 60
 
 	retryClient := retryablehttp.NewClient()
 	retryClient.CheckRetry = retryablehttp.ErrorPropagatedRetryPolicy
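Review bot: In newClient, `connectTimeoutSec` is deleted with no other change to the file, which suggests the 30-second connect timeout was declared but never applied to the HTTP client. If that is so, only `readWriteTimeoutSec` bounds a call to the KMS endpoint, and an endpoint that accepts no connections could hold a reconcile for longer than intended. Either wire a dial timeout into the transport that `retryClient` wraps, or record the decision next to the remaining constant, e.g. `// no separate connect timeout is configured; readWriteTimeoutSec is the only bound`. newClient's body continues outside the hunk, so confirm against the full function.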

+ 6 - 1
pkg/provider/alibaba/fake/fake.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package fake provides mock implementations for Alibaba provider testing.
 package fake
 
 import (
@@ -22,22 +23,26 @@ import (
 	kmssdk "github.com/alibabacloud-go/kms-20160120/v3/client"
 )
 
+// AlibabaMockClient implements a mock client for Alibaba KMS service.
 type AlibabaMockClient struct {
 	getSecretValue func(request *kmssdk.GetSecretValueRequest) (response *kmssdk.GetSecretValueResponseBody, err error)
 }
 
+// GetSecretValue retrieves a secret value from the mock Alibaba client.
 func (mc *AlibabaMockClient) GetSecretValue(context.Context, *kmssdk.GetSecretValueRequest) (result *kmssdk.GetSecretValueResponseBody, err error) {
 	return mc.getSecretValue(&kmssdk.GetSecretValueRequest{})
 }
 
+// WithValue sets the behavior of the mock client based on input and output values.
 func (mc *AlibabaMockClient) WithValue(_ *kmssdk.GetSecretValueRequest, val *kmssdk.GetSecretValueResponseBody, err error) {
 	if mc != nil {
-		mc.getSecretValue = func(paramIn *kmssdk.GetSecretValueRequest) (*kmssdk.GetSecretValueResponseBody, error) {
+		mc.getSecretValue = func(_ *kmssdk.GetSecretValueRequest) (*kmssdk.GetSecretValueResponseBody, error) {
 			return val, err
 		}
 	}
 }
 
+// Endpoint returns the endpoint URL of the mock Alibaba client.
 func (mc *AlibabaMockClient) Endpoint() string {
 	return ""
 }
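Review bot: The new comment on WithValue says the mock behaves "based on input and output values", but the request parameter is discarded (`_`) and GetSecretValue passes a fresh empty `&kmssdk.GetSecretValueRequest{}` to the stub. A test using this mock therefore cannot notice the provider asking for the wrong secret name or version. I would word it as `// WithValue makes GetSecretValue return val and err for every call; the request argument is ignored.` It is also worth noting on AlibabaMockClient that `getSecretValue` is nil until WithValue is called, so GetSecretValue panics on an unconfigured mock.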

+ 10 - 3
pkg/provider/alibaba/kms.go

@@ -49,29 +49,34 @@ const (
 var _ esv1.SecretsClient = &KeyManagementService{}
 var _ esv1.Provider = &KeyManagementService{}
 
+// KeyManagementService implements the Alibaba KMS provider for External Secrets.
 type KeyManagementService struct {
 	Client SMInterface
 	Config *openapi.Config
 }
 
+// SMInterface defines the interface for interacting with the Alibaba Secrets Manager.
 type SMInterface interface {
 	GetSecretValue(ctx context.Context, request *kmssdk.GetSecretValueRequest) (*kmssdk.GetSecretValueResponseBody, error)
 	Endpoint() string
 }
 
+// PushSecret implements the SecretsClient PushSecret interface for Alibaba Cloud KMS.
 func (kms *KeyManagementService) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
 	return errors.New(errNotImplemented)
 }
 
+// DeleteSecret implements the SecretsClient DeleteSecret interface for Alibaba Cloud KMS.
 func (kms *KeyManagementService) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
 	return errors.New(errNotImplemented)
 }
 
+// SecretExists implements the SecretsClient SecretExists interface for Alibaba Cloud KMS.
 func (kms *KeyManagementService) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New(errNotImplemented)
 }
 
-// Empty GetAllSecrets.
+// GetAllSecrets returns all secrets from the provider.
 func (kms *KeyManagementService) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, errors.New(errNotImplemented)
@@ -246,15 +251,16 @@ func newAccessKeyAuth(ctx context.Context, kube kclient.Client, store esv1.Gener
 	return credential.NewCredential(credentialConfig)
 }
 
+// Close cleans up resources when the provider is done being used.
 func (kms *KeyManagementService) Close(_ context.Context) error {
 	return nil
 }
 
+// Validate checks if the provider is properly configured and ready to use.
 func (kms *KeyManagementService) Validate() (esv1.ValidationResult, error) {
 	err := retry.Do(
 		func() error {
-			_, err := kms.Config.Credential.GetCredential()
-			if err != nil {
+			if _, err := kms.Config.Credential.GetCredential(); err != nil {
 				return err
 			}
 
@@ -269,6 +275,7 @@ func (kms *KeyManagementService) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// ValidateStore validates the configuration of the store.
 func (kms *KeyManagementService) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	alibabaSpec := storeSpec.Provider.Alibaba
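Review bot: The replacement comment `// GetAllSecrets returns all secrets from the provider.` describes behaviour the method does not have, because the body shown returns `nil, errors.New(errNotImplemented)`. The old "Empty GetAllSecrets." was terse but accurate. I would write `// GetAllSecrets is not implemented for Alibaba Cloud KMS and always returns an error.` The same applies to the new comments on PushSecret, DeleteSecret and SecretExists, which say "implements ..." while each returns errNotImplemented; a reader deciding whether this store can be used for PushSecret should learn that from the doc comment.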

+ 8 - 0
pkg/provider/aws/auth/auth.go

@@ -14,6 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package auth provides authentication functionality for the AWS provider, handling
+// various authentication methods including static credentials, IAM roles,
+// and web identity tokens.
 package auth
 
 import (
@@ -325,6 +328,8 @@ func DefaultJWTProvider(name, namespace, roleArn string, aud []string, region st
 		}), nil
 }
 
+// STSprovider defines the interface for interacting with AWS STS API operations.
+// This allows for mocking STS operations during testing.
 type STSprovider interface {
 	AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
 	AssumeRoleWithSAML(ctx context.Context, params *sts.AssumeRoleWithSAMLInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithSAMLOutput, error)
@@ -333,8 +338,11 @@ type STSprovider interface {
 	DecodeAuthorizationMessage(ctx context.Context, params *sts.DecodeAuthorizationMessageInput, optFns ...func(*sts.Options)) (*sts.DecodeAuthorizationMessageOutput, error)
 }
 
+// STSProvider is a function type that returns an STSprovider implementation.
+// Used to inject custom or mock STS clients.
 type STSProvider func(*aws.Config) STSprovider
 
+// DefaultSTSProvider creates and returns a new STS client from the provided AWS config.
 func DefaultSTSProvider(cfg *aws.Config) STSprovider {
 	stsClient := sts.NewFromConfig(*cfg, func(o *sts.Options) {
 		o.EndpointResolverV2 = customEndpointResolver{}
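Review bot: The comment added to DefaultSTSProvider says the client is created "from the provided AWS config" but leaves out that it installs `customEndpointResolver{}` as `EndpointResolverV2`. STS is where role credentials are issued, so a reader should see in the doc comment that the endpoint may not be the AWS default (presumably it is driven by `AWS_STS_ENDPOINT`, declared in resolver.go; confirm there). Suggested wording: `// DefaultSTSProvider returns an STS client built from cfg whose endpoint is resolved by customEndpointResolver.` Separately, `STSprovider` and `STSProvider` now both carry doc comments and differ only in the case of one letter, which is easy to misread; a note on each pointing at the other would help. The body of DefaultSTSProvider continues outside the hunk.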

+ 19 - 19
pkg/provider/aws/auth/auth_test.go

@@ -102,7 +102,7 @@ func TestNewSession(t *testing.T) {
 		},
 		{
 			name: "configure aws using environment variables + assume role",
-			stsProvider: func(cfg *aws.Config) STSprovider {
+			stsProvider: func(_ *aws.Config) STSprovider {
 				return &fakesess.AssumeRoler{
 					AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
 						assert.Equal(t, *input.RoleArn, "foo-bar-baz")
@@ -377,7 +377,7 @@ func TestNewSession(t *testing.T) {
 					},
 				},
 			},
-			jwtProvider: func(name, namespace, roleArn string, aud []string, region string) (aws.CredentialsProvider, error) {
+			jwtProvider: func(name, namespace, roleArn string, _ []string, _ string) (aws.CredentialsProvider, error) {
 				assert.Equal(t, myServiceAccountKey, name)
 				assert.Equal(t, otherNsName, namespace)
 				assert.Equal(t, "my-sa-role", roleArn)
@@ -418,7 +418,7 @@ func TestNewSession(t *testing.T) {
 		},
 		{
 			name: "configure aws using environment variables + assume role + check external id",
-			stsProvider: func(cfg *aws.Config) STSprovider {
+			stsProvider: func(_ *aws.Config) STSprovider {
 				return &fakesess.AssumeRoler{
 					AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
 						assert.Equal(t, *input.ExternalId, "12345678")
@@ -577,22 +577,22 @@ func TestSMAssumeRole(t *testing.T) {
 						SessionToken:    aws.String("99992"),
 					},
 				}, nil
-			} else {
-				// make sure the correct role is passed in
-				assert.Equal(t, *input.RoleArn, "my-awesome-role")
-				return &sts.AssumeRoleOutput{
-					AssumedRoleUser: &ststypes.AssumedRoleUser{
-						Arn:           aws.String("1123132"),
-						AssumedRoleId: aws.String("xxxxx"),
-					},
-					Credentials: &ststypes.Credentials{
-						AccessKeyId:     aws.String("3333"),
-						SecretAccessKey: aws.String("4444"),
-						Expiration:      aws.Time(time.Now().Add(time.Hour)),
-						SessionToken:    aws.String("6666"),
-					},
-				}, nil
 			}
+
+			// make sure the correct role is passed in
+			assert.Equal(t, *input.RoleArn, "my-awesome-role")
+			return &sts.AssumeRoleOutput{
+				AssumedRoleUser: &ststypes.AssumedRoleUser{
+					Arn:           aws.String("1123132"),
+					AssumedRoleId: aws.String("xxxxx"),
+				},
+				Credentials: &ststypes.Credentials{
+					AccessKeyId:     aws.String("3333"),
+					SecretAccessKey: aws.String("4444"),
+					Expiration:      aws.Time(time.Now().Add(time.Hour)),
+					SessionToken:    aws.String("6666"),
+				},
+			}, nil
 		},
 	}
 	t.Setenv("AWS_SECRET_ACCESS_KEY", "1111")
@@ -686,7 +686,7 @@ func TestNewGeneratorSession_CredentialProviderPriority(t *testing.T) {
 			AccessKeyID:     esmeta.SecretKeySelector{Name: "aws-creds", Key: "access-key"},
 			SecretAccessKey: esmeta.SecretKeySelector{Name: "aws-creds", Key: "secret-key"},
 		},
-	}, "", "us-east-1", k8sClient, "test-ns", DefaultSTSProvider, func(name, namespace, roleArn string, aud []string, region string) (aws.CredentialsProvider, error) {
+	}, "", "us-east-1", k8sClient, "test-ns", DefaultSTSProvider, func(name, namespace, roleArn string, _ []string, _ string) (aws.CredentialsProvider, error) {
 		jwtProviderCalled = true
 		assert.Equal(t, "test-sa", name)
 		assert.Equal(t, "test-ns", namespace)

+ 7 - 2
pkg/provider/aws/auth/fake/assumeroler.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package fake implements mocks for AWS auth service clients.
 package fake
 
 import (
@@ -31,19 +32,23 @@ type stsAPI interface {
 	DecodeAuthorizationMessage(ctx context.Context, params *sts.DecodeAuthorizationMessageInput, optFns ...func(*sts.Options)) (*sts.DecodeAuthorizationMessageOutput, error)
 }
 
+// AssumeRoler is a mock implementation of the AWS STS AssumeRole API.
 type AssumeRoler struct {
 	stsAPI
 	AssumeRoleFunc func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
 }
 
-func (f *AssumeRoler) AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error) {
+// AssumeRole mocks the AWS STS AssumeRole API.
+func (f *AssumeRoler) AssumeRole(_ context.Context, params *sts.AssumeRoleInput, _ ...func(*sts.Options)) (*sts.AssumeRoleOutput, error) {
 	return f.AssumeRoleFunc(params)
 }
 
+// CredentialsProvider is a mock implementation of the AWS credentials provider.
 type CredentialsProvider struct {
 	RetrieveFunc func() (aws.Credentials, error)
 }
 
-func (t CredentialsProvider) Retrieve(ctx context.Context) (aws.Credentials, error) {
+// Retrieve mocks the AWS credentials provider Retrieve method.
+func (t CredentialsProvider) Retrieve(_ context.Context) (aws.Credentials, error) {
 	return t.RetrieveFunc()
 }
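Review bot: The AssumeRoler comment calls it "a mock implementation of the AWS STS AssumeRole API" without saying what happens to the rest of the embedded `stsAPI` interface. The struct only overrides AssumeRole; the embedded interface is nil unless a test assigns it, so any other STS method called on the mock panics with a nil dereference, as does AssumeRole when `AssumeRoleFunc` is unset. I would state that in the comment: `// AssumeRoler mocks only AssumeRole via AssumeRoleFunc; the embedded stsAPI is nil unless set, so other STS methods panic.`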

+ 1 - 0
pkg/provider/aws/auth/resolver.go

@@ -27,6 +27,7 @@ import (
 )
 
 const (
+	// STSEndpointEnv is the environment variable name for the AWS STS endpoint URL.
 	STSEndpointEnv = "AWS_STS_ENDPOINT"
 )
 

+ 33 - 3
pkg/provider/aws/parameterstore/fake/fake.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package fake implements mocks for AWS Parameter Store service clients.
 package fake
 
 import (
@@ -39,21 +40,36 @@ type Client struct {
 	AddTagsToResourceFn      AddTagsToResourceFn
 }
 
+// GetParameterFn defines a function type for mocking GetParameter API.
 type GetParameterFn func(context.Context, *ssm.GetParameterInput, ...func(*ssm.Options)) (*ssm.GetParameterOutput, error)
+
+// GetParametersByPathFn defines a function type for mocking GetParametersByPath API.
 type GetParametersByPathFn func(context.Context, *ssm.GetParametersByPathInput, ...func(*ssm.Options)) (*ssm.GetParametersByPathOutput, error)
+
+// PutParameterFn defines a function type for mocking PutParameter API.
 type PutParameterFn func(context.Context, *ssm.PutParameterInput, ...func(*ssm.Options)) (*ssm.PutParameterOutput, error)
+
+// DescribeParametersFn defines a function type for mocking DescribeParameters API.
 type DescribeParametersFn func(context.Context, *ssm.DescribeParametersInput, ...func(*ssm.Options)) (*ssm.DescribeParametersOutput, error)
+
+// ListTagsForResourceFn defines a function type for mocking ListTagsForResource API.
 type ListTagsForResourceFn func(context.Context, *ssm.ListTagsForResourceInput, ...func(*ssm.Options)) (*ssm.ListTagsForResourceOutput, error)
+
+// DeleteParameterFn defines a function type for mocking DeleteParameter API.
 type DeleteParameterFn func(ctx context.Context, input *ssm.DeleteParameterInput, opts ...func(*ssm.Options)) (*ssm.DeleteParameterOutput, error)
 
+// RemoveTagsFromResourceFn defines a function type for mocking RemoveTagsFromResource API.
 type RemoveTagsFromResourceFn func(ctx context.Context, params *ssm.RemoveTagsFromResourceInput, optFns ...func(*ssm.Options)) (*ssm.RemoveTagsFromResourceOutput, error)
 
+// AddTagsToResourceFn defines a function type for mocking AddTagsToResource API.
 type AddTagsToResourceFn func(ctx context.Context, params *ssm.AddTagsToResourceInput, optFns ...func(*ssm.Options)) (*ssm.AddTagsToResourceOutput, error)
 
+// ListTagsForResource executes the mocked ListTagsForResourceFn.
 func (sm *Client) ListTagsForResource(ctx context.Context, input *ssm.ListTagsForResourceInput, options ...func(*ssm.Options)) (*ssm.ListTagsForResourceOutput, error) {
 	return sm.ListTagsForResourceFn(ctx, input, options...)
 }
 
+// NewListTagsForResourceFn creates a new mock function for ListTagsForResource.
 func NewListTagsForResourceFn(output *ssm.ListTagsForResourceOutput, err error, aFunc ...func(input *ssm.ListTagsForResourceInput)) ListTagsForResourceFn {
 	return func(_ context.Context, params *ssm.ListTagsForResourceInput, _ ...func(*ssm.Options)) (*ssm.ListTagsForResourceOutput, error) {
 		if len(aFunc) > 0 {
@@ -65,46 +81,55 @@ func NewListTagsForResourceFn(output *ssm.ListTagsForResourceOutput, err error,
 	}
 }
 
+// DeleteParameter executes the mocked DeleteParameterFn.
 func (sm *Client) DeleteParameter(ctx context.Context, input *ssm.DeleteParameterInput, opts ...func(*ssm.Options)) (*ssm.DeleteParameterOutput, error) {
 	return sm.DeleteParameterFn(ctx, input, opts...)
 }
 
+// NewDeleteParameterFn creates a new mock function for DeleteParameter.
 func NewDeleteParameterFn(output *ssm.DeleteParameterOutput, err error) DeleteParameterFn {
 	return func(context.Context, *ssm.DeleteParameterInput, ...func(*ssm.Options)) (*ssm.DeleteParameterOutput, error) {
 		return output, err
 	}
 }
 
+// GetParameter executes the mocked GetParameterFn.
 func (sm *Client) GetParameter(ctx context.Context, input *ssm.GetParameterInput, options ...func(*ssm.Options)) (*ssm.GetParameterOutput, error) {
 	return sm.GetParameterFn(ctx, input, options...)
 }
 
+// GetParametersByPath executes the mocked GetParametersByPathFn.
 func (sm *Client) GetParametersByPath(ctx context.Context, input *ssm.GetParametersByPathInput, options ...func(*ssm.Options)) (*ssm.GetParametersByPathOutput, error) {
 	return sm.GetParametersByPathFn(ctx, input, options...)
 }
 
+// NewGetParameterFn creates a new mock function for GetParameter.
 func NewGetParameterFn(output *ssm.GetParameterOutput, err error) GetParameterFn {
 	return func(context.Context, *ssm.GetParameterInput, ...func(*ssm.Options)) (*ssm.GetParameterOutput, error) {
 		return output, err
 	}
 }
 
+// DescribeParameters executes the mocked DescribeParametersFn.
 func (sm *Client) DescribeParameters(ctx context.Context, input *ssm.DescribeParametersInput, options ...func(*ssm.Options)) (*ssm.DescribeParametersOutput, error) {
 	return sm.DescribeParametersFn(ctx, input, options...)
 }
 
+// NewDescribeParametersFn creates a new mock function for DescribeParameters.
 func NewDescribeParametersFn(output *ssm.DescribeParametersOutput, err error) DescribeParametersFn {
 	return func(context.Context, *ssm.DescribeParametersInput, ...func(*ssm.Options)) (*ssm.DescribeParametersOutput, error) {
 		return output, err
 	}
 }
 
+// PutParameter executes the mocked PutParameterFn and tracks call metadata.
 func (sm *Client) PutParameter(ctx context.Context, input *ssm.PutParameterInput, options ...func(*ssm.Options)) (*ssm.PutParameterOutput, error) {
 	sm.PutParameterCalledN++
 	sm.PutParameterFnCalledWith = append(sm.PutParameterFnCalledWith, []*ssm.PutParameterInput{input})
 	return sm.PutParameterFn(ctx, input, options...)
 }
 
+// NewPutParameterFn creates a new mock function for PutParameter.
 func NewPutParameterFn(output *ssm.PutParameterOutput, err error, aFunc ...func(input *ssm.PutParameterInput)) PutParameterFn {
 	return func(_ context.Context, params *ssm.PutParameterInput, _ ...func(*ssm.Options)) (*ssm.PutParameterOutput, error) {
 		if len(aFunc) > 0 {
@@ -116,8 +141,9 @@ func NewPutParameterFn(output *ssm.PutParameterOutput, err error, aFunc ...func(
 	}
 }
 
+// WithValue configures the GetParameterFn with specific input and output.
 func (sm *Client) WithValue(in *ssm.GetParameterInput, val *ssm.GetParameterOutput, err error) {
-	sm.GetParameterFn = func(ctx context.Context, paramIn *ssm.GetParameterInput, options ...func(*ssm.Options)) (*ssm.GetParameterOutput, error) {
+	sm.GetParameterFn = func(_ context.Context, paramIn *ssm.GetParameterInput, _ ...func(*ssm.Options)) (*ssm.GetParameterOutput, error) {
 		if !cmp.Equal(paramIn, in, cmpopts.IgnoreUnexported(ssm.GetParameterInput{})) {
 			return nil, errors.New("unexpected test argument")
 		}
@@ -125,12 +151,14 @@ func (sm *Client) WithValue(in *ssm.GetParameterInput, val *ssm.GetParameterOutp
 	}
 }
 
+// RemoveTagsFromResource executes the mocked RemoveTagsFromResourceFn.
 func (sm *Client) RemoveTagsFromResource(ctx context.Context, params *ssm.RemoveTagsFromResourceInput, optFns ...func(*ssm.Options)) (*ssm.RemoveTagsFromResourceOutput, error) {
 	return sm.RemoveTagsFromResourceFn(ctx, params, optFns...)
 }
 
+// NewRemoveTagsFromResourceFn creates a new mock function for RemoveTagsFromResource.
 func NewRemoveTagsFromResourceFn(output *ssm.RemoveTagsFromResourceOutput, err error, aFunc ...func(input *ssm.RemoveTagsFromResourceInput)) RemoveTagsFromResourceFn {
-	return func(ctx context.Context, params *ssm.RemoveTagsFromResourceInput, optFns ...func(*ssm.Options)) (*ssm.RemoveTagsFromResourceOutput, error) {
+	return func(_ context.Context, params *ssm.RemoveTagsFromResourceInput, _ ...func(*ssm.Options)) (*ssm.RemoveTagsFromResourceOutput, error) {
 		if len(aFunc) > 0 {
 			for _, f := range aFunc {
 				f(params)
@@ -140,12 +168,14 @@ func NewRemoveTagsFromResourceFn(output *ssm.RemoveTagsFromResourceOutput, err e
 	}
 }
 
+// AddTagsToResource executes the mocked AddTagsToResourceFn.
 func (sm *Client) AddTagsToResource(ctx context.Context, params *ssm.AddTagsToResourceInput, optFns ...func(*ssm.Options)) (*ssm.AddTagsToResourceOutput, error) {
 	return sm.AddTagsToResourceFn(ctx, params, optFns...)
 }
 
+// NewAddTagsToResourceFn creates a new mock function for AddTagsToResource.
 func NewAddTagsToResourceFn(output *ssm.AddTagsToResourceOutput, err error, aFunc ...func(input *ssm.AddTagsToResourceInput)) AddTagsToResourceFn {
-	return func(ctx context.Context, params *ssm.AddTagsToResourceInput, optFns ...func(*ssm.Options)) (*ssm.AddTagsToResourceOutput, error) {
+	return func(_ context.Context, params *ssm.AddTagsToResourceInput, _ ...func(*ssm.Options)) (*ssm.AddTagsToResourceOutput, error) {
 		if len(aFunc) > 0 {
 			for _, f := range aFunc {
 				f(params)

+ 12 - 3
pkg/provider/aws/parameterstore/parameterstore.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package parameterstore implements the AWS SSM Parameter Store provider for external-secrets
 package parameterstore
 
 import (
@@ -125,6 +126,8 @@ func (pm *ParameterStore) getTagsByName(ctx context.Context, ref *ssm.GetParamet
 	return tags, nil
 }
 
+// DeleteSecret deletes a secret from AWS Parameter Store.
+// It will only delete secrets that are managed by external-secrets (have the managed-by tag).
 func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
 	secretName := pm.prefix + remoteRef.GetRemoteKey()
 	secretValue := ssm.GetParameterInput{
@@ -161,6 +164,7 @@ func (pm *ParameterStore) DeleteSecret(ctx context.Context, remoteRef esv1.PushS
 	return nil
 }
 
+// SecretExists checks if a secret exists in AWS Parameter Store.
 func (pm *ParameterStore) SecretExists(ctx context.Context, pushSecretRef esv1.PushSecretRemoteRef) (bool, error) {
 	secretName := pm.prefix + pushSecretRef.GetRemoteKey()
 
@@ -168,12 +172,10 @@ func (pm *ParameterStore) SecretExists(ctx context.Context, pushSecretRef esv1.P
 		Name: &secretName,
 	}
 
-	_, err := pm.client.GetParameter(ctx, &secretValue)
-
 	var resourceNotFoundErr *ssmTypes.ResourceNotFoundException
 	var parameterNotFoundErr *ssmTypes.ParameterNotFound
 
-	if err != nil {
+	if _, err := pm.client.GetParameter(ctx, &secretValue); err != nil {
 		if errors.As(err, &resourceNotFoundErr) {
 			return false, nil
 		}
@@ -186,6 +188,11 @@ func (pm *ParameterStore) SecretExists(ctx context.Context, pushSecretRef esv1.P
 	return true, nil
 }
 
+// PushSecret uploads a secret to AWS Parameter Store.
+// It can create a new secret or update an existing one.
+// The secret is identified by the remote key, which is the name of the parameter in Parameter Store.
+// The value of the secret is taken from the secret data, and can be either the entire secret or a specific key within the secret.
+// Tags are applied to the secret for management and identification.
 func (pm *ParameterStore) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1.PushSecretData) error {
 	var (
 		value []byte
@@ -619,10 +626,12 @@ func (pm *ParameterStore) parameterNameWithVersion(ref esv1.ExternalSecretDataRe
 	return &name
 }
 
+// Close cleans up resources held by the ParameterStore provider.
 func (pm *ParameterStore) Close(_ context.Context) error {
 	return nil
 }
 
+// Validate checks if the provider is configured correctly.
 func (pm *ParameterStore) Validate() (esv1.ValidationResult, error) {
 	// skip validation stack because it depends on the namespace
 	// of the ExternalSecret
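Review bot: The package comment added here, `// Package parameterstore implements the AWS SSM Parameter Store provider for external-secrets`, has no closing period, while the other package comments in this commit (alibaba, fake, auth, aws, keyvault) are full sentences ending in one. The same omission appears in the new package comments in secretsmanager/resolver.go and aws/util/errors.go. Adding the period to all three keeps the doc comments uniform and avoids a follow-up lint round if a comment-punctuation check is enabled later.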

+ 4 - 1
pkg/provider/aws/provider.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package aws implements AWS provider interfaces for External Secrets Operator,
+// supporting SecretManager and ParameterStore services.
 package aws
 
 import (
@@ -61,6 +63,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return newClient(ctx, store, kube, namespace, awsauth.DefaultSTSProvider)
 }
 
+// ValidateStore validates the configuration of the AWS SecretStore.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	prov, err := util.GetAWSProvider(store)
 	if err != nil {
@@ -222,7 +225,7 @@ type fixedDelayer struct {
 	delay time.Duration
 }
 
-func (f fixedDelayer) BackoffDelay(attempt int, err error) (time.Duration, error) {
+func (f fixedDelayer) BackoffDelay(int, error) (time.Duration, error) {
 	return f.delay, nil
 }
 

+ 6 - 2
pkg/provider/aws/secretsmanager/fake/fake.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package fake provides mock implementations of AWS Secrets Manager interfaces for testing.
+// It allows simulating AWS API responses without making actual API calls.
 package fake
 
 import (
@@ -77,8 +79,9 @@ func (sm *Client) DeleteSecret(ctx context.Context, input *awssm.DeleteSecretInp
 	return sm.DeleteSecretFn(ctx, input, opts...)
 }
 
+// NewDeleteSecretFn returns a DeleteSecretFn that simulates AWS DeleteSecret API behavior.
 func NewDeleteSecretFn(output *awssm.DeleteSecretOutput, err error) DeleteSecretFn {
-	return func(ctx context.Context, input *awssm.DeleteSecretInput, opts ...func(*awssm.Options)) (*awssm.DeleteSecretOutput, error) {
+	return func(_ context.Context, input *awssm.DeleteSecretInput, opts ...func(*awssm.Options)) (*awssm.DeleteSecretOutput, error) {
 		if input.ForceDeleteWithoutRecovery != nil && *input.ForceDeleteWithoutRecovery {
 			output.DeletionDate = ptr.To(time.Now())
 		}
@@ -86,8 +89,9 @@ func NewDeleteSecretFn(output *awssm.DeleteSecretOutput, err error) DeleteSecret
 	}
 }
 
+// NewGetSecretValueFn returns a GetSecretValueFn that returns the provided output and error.
 func NewGetSecretValueFn(output *awssm.GetSecretValueOutput, err error) GetSecretValueFn {
-	return func(ctx context.Context, input *awssm.GetSecretValueInput, options ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error) {
+	return func(_ context.Context, input *awssm.GetSecretValueInput, options ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error) {
 		return output, err
 	}
 }
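Review bot: The unused-parameter cleanup in this file is only partial: NewGetSecretValueFn still names `input` and `options` although the closure returns `output, err` without touching them, and NewDeleteSecretFn still names `opts`, which it never reads. For consistency with the other fakes in this commit these should be blanked, e.g. `return func(_ context.Context, _ *awssm.GetSecretValueInput, _ ...func(*awssm.Options)) (*awssm.GetSecretValueOutput, error) {`. The NewDeleteSecretFn comment could also mention that it writes `DeletionDate` into the caller's `output` when `ForceDeleteWithoutRecovery` is set, which dereferences `output` and so panics if a test passes nil together with an error.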

+ 2 - 0
pkg/provider/aws/secretsmanager/resolver.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package secretsmanager implements AWS Secrets Manager provider for External Secrets Operator
 package secretsmanager
 
 import (
@@ -27,6 +28,7 @@ import (
 )
 
 const (
+	// SecretsManagerEndpointEnv is the environment variable name for custom AWS Secrets Manager endpoint.
 	SecretsManagerEndpointEnv = "AWS_SECRETSMANAGER_ENDPOINT"
 )
 

+ 11 - 4
pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -29,6 +29,7 @@ import (
 	awssm "github.com/aws/aws-sdk-go-v2/service/secretsmanager"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
 	"github.com/aws/smithy-go"
+	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
 	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	"github.com/tidwall/sjson"
@@ -43,9 +44,9 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/metrics"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 	"github.com/external-secrets/external-secrets/pkg/utils"
-	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
 )
 
+// PushSecretMetadataSpec contains metadata information for pushing secrets to AWS Secret Manager.
 type PushSecretMetadataSpec struct {
 	Tags             map[string]string `json:"tags,omitempty"`
 	Description      string            `json:"description,omitempty"`
@@ -141,6 +142,7 @@ func (sm *SecretsManager) fetch(ctx context.Context, ref esv1.ExternalSecretData
 	return secretOut, nil
 }
 
+// DeleteSecret deletes a secret from AWS Secrets Manager.
 func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
 	secretName := sm.prefix + remoteRef.GetRemoteKey()
 	secretValue := awssm.GetSecretValueInput{
@@ -187,6 +189,7 @@ func (sm *SecretsManager) DeleteSecret(ctx context.Context, remoteRef esv1.PushS
 	return err
 }
 
+// SecretExists checks if a secret exists in AWS Secrets Manager.
 func (sm *SecretsManager) SecretExists(ctx context.Context, pushSecretRef esv1.PushSecretRemoteRef) (bool, error) {
 	secretName := sm.prefix + pushSecretRef.GetRemoteKey()
 	secretValue := awssm.GetSecretValueInput{
@@ -210,6 +213,7 @@ func (sm *SecretsManager) handleSecretError(err error) (bool, error) {
 	return false, err
 }
 
+// PushSecret pushes a secret to AWS Secrets Manager.
 func (sm *SecretsManager) PushSecret(ctx context.Context, secret *corev1.Secret, psd esv1.PushSecretData) error {
 	value, err := utils.ExtractSecretData(psd, secret)
 	if err != nil {
@@ -479,10 +483,12 @@ func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1.ExternalSec
 	return secretData, nil
 }
 
+// Close closes the provider client connection.
 func (sm *SecretsManager) Close(_ context.Context) error {
 	return nil
 }
 
+// Validate validates the provider configuration.
 func (sm *SecretsManager) Validate() (esv1.ValidationResult, error) {
 	// skip validation stack because it depends on the namespace
 	// of the ExternalSecret
@@ -497,6 +503,7 @@ func (sm *SecretsManager) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// Capabilities returns the provider's esv1.SecretStoreCapabilities.
 func (sm *SecretsManager) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadWrite
 }
@@ -575,7 +582,7 @@ func (sm *SecretsManager) putSecretValueWithContext(ctx context.Context, secretA
 	return sm.patchTags(ctx, psd.GetMetadata(), &secretArn, currentTags)
 }
 
-func (sm *SecretsManager) patchTags(ctx context.Context, metadata *apiextensionsv1.JSON, secretId *string, tags map[string]string) error {
+func (sm *SecretsManager) patchTags(ctx context.Context, metadata *apiextensionsv1.JSON, secretID *string, tags map[string]string) error {
 	meta, err := sm.constructMetadataWithDefaults(metadata)
 	if err != nil {
 		return err
@@ -584,7 +591,7 @@ func (sm *SecretsManager) patchTags(ctx context.Context, metadata *apiextensions
 	tagKeysToRemove := util.FindTagKeysToRemove(tags, meta.Spec.Tags)
 	if len(tagKeysToRemove) > 0 {
 		_, err = sm.client.UntagResource(ctx, &awssm.UntagResourceInput{
-			SecretId: secretId,
+			SecretId: secretID,
 			TagKeys:  tagKeysToRemove,
 		})
 		metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMUntagResource, err)
@@ -596,7 +603,7 @@ func (sm *SecretsManager) patchTags(ctx context.Context, metadata *apiextensions
 	tagsToUpdate, isModified := computeTagsToUpdate(tags, meta.Spec.Tags)
 	if isModified {
 		_, err = sm.client.TagResource(ctx, &awssm.TagResourceInput{
-			SecretId: secretId,
+			SecretId: secretID,
 			Tags:     tagsToUpdate,
 		})
 		metrics.ObserveAPICall(constants.ProviderAWSSM, constants.CallAWSSMTagResource, err)
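Review bot: The import hunk moves `github.com/external-secrets/external-secrets/pkg/utils/metadata` out of the project-local group and into the third-party group between `smithy-go` and `google/uuid`. The other external-secrets imports (`pkg/metrics`, `pkg/provider/aws/util`, `pkg/utils`) stay in their own trailing group, so the file now has one local package sorted among external dependencies. I would keep `"github.com/external-secrets/external-secrets/pkg/utils/metadata"` directly after `"github.com/external-secrets/external-secrets/pkg/utils"` as before; a local-prefix import formatter would otherwise move it back. This looks unrelated to the revive fixes and may be an accidental editor reorder.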

+ 1 - 0
pkg/provider/aws/util/errors.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package util provides utility functions for AWS providers in External Secrets Operator
 package util
 
 import (

+ 4 - 1
pkg/provider/aws/util/provider.go

@@ -52,6 +52,7 @@ func GetAWSProvider(store esv1.GenericStore) (*esv1.AWSProvider, error) {
 	return prov, nil
 }
 
+// IsReferentSpec checks if the AWS authentication configuration refers to resources in a different namespace.
 func IsReferentSpec(prov esv1.AWSAuth) bool {
 	if prov.JWTAuth != nil && prov.JWTAuth.ServiceAccountRef != nil && prov.JWTAuth.ServiceAccountRef.Namespace == nil {
 		return true
@@ -66,6 +67,7 @@ func IsReferentSpec(prov esv1.AWSAuth) bool {
 	return false
 }
 
+// SecretTagsToJSONString converts AWS Secrets Manager tags to a JSON string.
 func SecretTagsToJSONString(tags []awssm.Tag) (string, error) {
 	tagMap := make(map[string]string, len(tags))
 	for _, tag := range tags {
@@ -80,6 +82,7 @@ func SecretTagsToJSONString(tags []awssm.Tag) (string, error) {
 	return string(byteArr), nil
 }
 
+// ParameterTagsToJSONString converts parameter tags map to a JSON string.
 func ParameterTagsToJSONString(tags map[string]string) (string, error) {
 	byteArr, err := json.Marshal(tags)
 	if err != nil {
@@ -94,7 +97,7 @@ func ParameterTagsToJSONString(tags map[string]string) (string, error) {
 // synchronize the tags with the desired state.
 func FindTagKeysToRemove(tags, metaTags map[string]string) []string {
 	var diff []string
-	for key, _ := range tags {
+	for key := range tags {
 		if _, ok := metaTags[key]; !ok {
 			diff = append(diff, key)
 		}
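Review bot: The doc comment added on IsReferentSpec says it detects references to "a different namespace", but the visible condition returns true when `prov.JWTAuth.ServiceAccountRef.Namespace == nil`, i.e. when the namespace is left unset. That distinction matters when reviewing ClusterSecretStore auth, because an unset namespace is presumably filled in from the referencing resource rather than pinned by the store. A wording that matches the code: `// IsReferentSpec reports whether prov contains a credential reference whose namespace is unset.` The rest of the function body lies outside the hunk, so the remaining branches should be checked against the same wording.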

+ 55 - 29
pkg/provider/azure/keyvault/keyvault.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package keyvault implements a provider for Azure Key Vault secrets, allowing
+// External Secrets to read from and write to Azure Key Vault.
 package keyvault
 
 import (
@@ -66,14 +68,21 @@ import (
 )
 
 const (
-	defaultObjType       = "secret"
-	objectTypeCert       = "cert"
-	objectTypeKey        = "key"
+	defaultObjType = "secret"
+	objectTypeCert = "cert"
+	objectTypeKey  = "key"
+
+	// AzureDefaultAudience is the default audience used for Azure AD token exchange.
 	AzureDefaultAudience = "api://AzureADTokenExchange"
-	AnnotationClientID   = "azure.workload.identity/client-id"
-	AnnotationTenantID   = "azure.workload.identity/tenant-id"
-	managerLabel         = "external-secrets"
-	managedBy            = "managed-by"
+
+	// AnnotationClientID is the annotation key for Azure Workload Identity client ID.
+	AnnotationClientID = "azure.workload.identity/client-id"
+
+	// AnnotationTenantID is the annotation key for Azure Workload Identity tenant ID.
+	AnnotationTenantID = "azure.workload.identity/tenant-id"
+
+	managerLabel = "external-secrets"
+	managedBy    = "managed-by"
 
 	errUnexpectedStoreSpec      = "unexpected store spec"
 	errMissingAuthType          = "cannot initialize Azure Client: no valid authType was specified"
@@ -107,7 +116,7 @@ const (
 var _ esv1.SecretsClient = &Azure{}
 var _ esv1.Provider = &Azure{}
 
-// interface to keyvault.BaseClient.
+// SecretClient is an interface to keyvault.BaseClient.
 type SecretClient interface {
 	GetKey(ctx context.Context, vaultBaseURL string, keyName string, keyVersion string) (result keyvault.KeyBundle, err error)
 	GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (result keyvault.SecretBundle, err error)
@@ -121,6 +130,7 @@ type SecretClient interface {
 	DeleteSecret(ctx context.Context, vaultBaseURL string, secretName string) (result keyvault.DeletedSecretBundle, err error)
 }
 
+// Azure implements the External Secrets provider for Azure Key Vault.
 type Azure struct {
 	crClient   client.Client
 	kubeClient kcorev1.CoreV1Interface
@@ -137,6 +147,8 @@ type Azure struct {
 	certsClient   *azcertificates.Client
 }
 
+// PushSecretMetadataSpec defines metadata for pushing secrets to Azure Key Vault,
+// including expiration date and tags.
 type PushSecretMetadataSpec struct {
 	ExpirationDate string            `json:"expirationDate,omitempty"`
 	Tags           map[string]string `json:"tags,omitempty"`
@@ -289,6 +301,7 @@ func getProvider(store esv1.GenericStore) (*esv1.AzureKVProvider, error) {
 	return spc.Provider.AzureKV, nil
 }
 
+// ValidateStore validates the Azure Key Vault provider configuration.
 func (a *Azure) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	if store == nil {
 		return nil, errors.New(errInvalidStore)
@@ -414,6 +427,7 @@ func (a *Azure) deleteKeyVaultCertificate(ctx context.Context, certName string)
 	return nil
 }
 
+// DeleteSecret deletes a secret from Azure Key Vault.
 func (a *Azure) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
 	objectType, secretName := getObjType(esv1.ExternalSecretDataRemoteRef{Key: remoteRef.GetRemoteKey()})
 	switch objectType {
@@ -437,6 +451,7 @@ func (a *Azure) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemot
 	}
 }
 
+// SecretExists checks if a secret exists in Azure Key Vault.
 func (a *Azure) SecretExists(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) (bool, error) {
 	if a.useNewSDK() {
 		return a.secretExistsWithNewSDK(ctx, remoteRef)
@@ -758,7 +773,7 @@ func (a *Azure) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1
 	}
 }
 
-// Implements store.Client.GetAllSecrets Interface.
+// GetAllSecrets implements store.Client.GetAllSecrets Interface.
 // Retrieves a map[string][]byte with the secret names as key and the secret itself as the calue.
 func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
 	if a.useNewSDK() {
@@ -912,8 +927,9 @@ func (a *Azure) getSecretTagsWithLegacySDK(ctx context.Context, ref esv1.Externa
 	return secretTagsData, nil
 }
 
-// Implements store.Client.GetSecretMap Interface.
-// New version of GetSecretMap.
+// GetSecretMap returns a map of secret values from Azure KeyVault by fetching the secret with
+// the given name and parsing it as a JSON object. If MetadataPolicy is set to Fetch, it will
+// return the secret tags instead.
 func (a *Azure) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	objectType, secretName := getObjType(ref)
 
@@ -1087,10 +1103,12 @@ func (a *Azure) authorizerForWorkloadIdentity(ctx context.Context, tokenProvider
 	if len(a.provider.ServiceAccountRef.Audiences) > 0 {
 		audiences = append(audiences, a.provider.ServiceAccountRef.Audiences...)
 	}
+
 	token, err := FetchSAToken(ctx, ns, a.provider.ServiceAccountRef.Name, audiences, a.kubeClient)
 	if err != nil {
 		return nil, err
 	}
+
 	tp, err := tokenProvider(ctx, token, clientID, tenantID, aadEndpoint, kvResource)
 	if err != nil {
 		return nil, err
@@ -1098,6 +1116,9 @@ func (a *Azure) authorizerForWorkloadIdentity(ctx context.Context, tokenProvider
 	return autorest.NewBearerAuthorizer(tp), nil
 }
 
+// FetchSAToken retrieves a service account token from Kubernetes with the specified audiences.
+// It takes the service account namespace, name, audience list, and Kubernetes client interface.
+// Returns the token string or an error if the token creation fails.
 func FetchSAToken(ctx context.Context, ns, name string, audiences []string, kubeClient kcorev1.CoreV1Interface) (string, error) {
 	token, err := kubeClient.ServiceAccounts(ns).CreateToken(ctx, name, &authv1.TokenRequest{
 		Spec: authv1.TokenRequestSpec{
@@ -1117,11 +1138,12 @@ type tokenProvider struct {
 
 type tokenProviderFunc func(ctx context.Context, token, clientID, tenantID, aadEndpoint, kvResource string) (adal.OAuthTokenProvider, error)
 
+// NewTokenProvider creates a new Azure OAuth token provider for authentication.
 func NewTokenProvider(ctx context.Context, token, clientID, tenantID, aadEndpoint, kvResource string) (adal.OAuthTokenProvider, error) {
-	// exchange token with Azure AccessToken
-	cred := confidential.NewCredFromAssertionCallback(func(ctx context.Context, aro confidential.AssertionRequestOptions) (string, error) {
+	cred := confidential.NewCredFromAssertionCallback(func(_ context.Context, _ confidential.AssertionRequestOptions) (string, error) {
 		return token, nil
 	})
+
 	cClient, err := confidential.New(fmt.Sprintf("%s%s", aadEndpoint, tenantID), clientID, cred)
 	if err != nil {
 		return nil, err
@@ -1202,25 +1224,25 @@ func (a *Azure) getAuthorizerFromCredentials(ctx context.Context) (autorest.Auth
 			*a.provider.TenantID,
 			a.provider.EnvironmentType,
 		)
-	} else {
-		clientCertificate, err := resolvers.SecretKeyRef(
-			ctx,
-			a.crClient,
-			a.store.GetKind(),
-			a.namespace, a.provider.AuthSecretRef.ClientCertificate,
-		)
+	}
 
-		if err != nil {
-			return nil, err
-		}
+	clientCertificate, err := resolvers.SecretKeyRef(
+		ctx,
+		a.crClient,
+		a.store.GetKind(),
+		a.namespace, a.provider.AuthSecretRef.ClientCertificate,
+	)
 
-		return getAuthorizerForClientCertificate(
-			clientID,
-			[]byte(clientCertificate),
-			*a.provider.TenantID,
-			a.provider.EnvironmentType,
-		)
+	if err != nil {
+		return nil, err
 	}
+
+	return getAuthorizerForClientCertificate(
+		clientID,
+		[]byte(clientCertificate),
+		*a.provider.TenantID,
+		a.provider.EnvironmentType,
+	)
 }
 
 func getAuthorizerForClientSecret(clientID, clientSecret, tenantID string, environmentType esv1.AzureEnvironmentType) (autorest.Authorizer, error) {
@@ -1237,10 +1259,12 @@ func getAuthorizerForClientCertificate(clientID string, certificateBytes []byte,
 	return clientCertificateConfig.Authorizer()
 }
 
+// Close closes the Azure Key Vault provider.
 func (a *Azure) Close(_ context.Context) error {
 	return nil
 }
 
+// Validate validates the Azure Key Vault provider configuration.
 func (a *Azure) Validate() (esv1.ValidationResult, error) {
 	if a.store.GetKind() == esv1.ClusterSecretStoreKind && isReferentSpec(a.provider) {
 		return esv1.ValidationResultUnknown, nil
@@ -1263,6 +1287,7 @@ func isReferentSpec(prov *esv1.AzureKVProvider) bool {
 	return false
 }
 
+// AadEndpointForType returns the Azure Active Directory endpoint for the specified Azure environment type.
 func AadEndpointForType(t esv1.AzureEnvironmentType) string {
 	switch t {
 	case esv1.AzureEnvironmentPublicCloud:
@@ -1282,6 +1307,7 @@ func AadEndpointForType(t esv1.AzureEnvironmentType) string {
 	}
 }
 
+// ServiceManagementEndpointForType returns the service management endpoint for the specified Azure environment type.
 func ServiceManagementEndpointForType(t esv1.AzureEnvironmentType) string {
 	switch t {
 	case esv1.AzureEnvironmentPublicCloud:
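Review bot: In the NewTokenProvider hunk the removed inline comment (`// exchange token with Azure AccessToken`) was the only statement of what the callback is for, and the new doc comment does not replace it. The callback returns `token` unchanged as the client assertion, so the doc comment should say so, e.g. `// NewTokenProvider returns a token provider that presents token as the client assertion and exchanges it for an Azure access token.` It is also worth one sentence noting that `tenantID` is appended to `aadEndpoint` as-is to form the authority, so callers are expected to pass validated values. The function body continues outside the hunk.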

+ 4 - 1
pkg/provider/azure/keyvault/keyvault_certificate.go

@@ -13,6 +13,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
+// Package keyvault provides functionality to authenticate to Azure Key Vault using in-memory certificates.
 package keyvault
 
 import (
@@ -37,6 +39,7 @@ type ClientInMemoryCertificateConfig struct {
 	Resource    string
 }
 
+// NewClientInMemoryCertificateConfig creates a new ClientInMemoryCertificateConfig.
 func NewClientInMemoryCertificateConfig(clientID string, certificate []byte, tenantID string) ClientInMemoryCertificateConfig {
 	return ClientInMemoryCertificateConfig{
 		ClientID:    clientID,
@@ -113,7 +116,7 @@ func parsePrivateKey(der []byte) (*rsa.PrivateKey, error) {
 	return nil, errors.New("failed to parse private key")
 }
 
-// Implementation of the AuthorizerConfig interface.
+// Authorizer creates an autorest.Authorizer from the ServicePrincipalToken.
 func (ccc ClientInMemoryCertificateConfig) Authorizer() (autorest.Authorizer, error) {
 	spToken, err := ccc.ServicePrincipalToken()
 	if err != nil {
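Review bot: The package comment added at the top of this file gives package keyvault a second, different package comment, since keyvault.go in the same commit also adds one. Go tooling joins the package comments of all files, so the convention is to keep a single one. The in-memory certificate description fits better as a doc comment on `ClientInMemoryCertificateConfig`. Separately, the new Authorizer comment drops the fact that the method exists to satisfy the AuthorizerConfig interface; `// Authorizer implements the AuthorizerConfig interface by building an autorest.Authorizer from the service principal token.` keeps both facts.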

+ 13 - 11
pkg/provider/beyondtrust/provider.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package beyondtrust provides a Password Safe secrets provider for External Secrets Operator.
 package beyondtrust
 
 import (
@@ -26,7 +27,7 @@ import (
 
 	auth "github.com/BeyondTrust/go-client-library-passwordsafe/api/authentication"
 	"github.com/BeyondTrust/go-client-library-passwordsafe/api/logging"
-	managed_account "github.com/BeyondTrust/go-client-library-passwordsafe/api/managed_account"
+	managedaccount "github.com/BeyondTrust/go-client-library-passwordsafe/api/managed_account"
 	"github.com/BeyondTrust/go-client-library-passwordsafe/api/secrets"
 	"github.com/BeyondTrust/go-client-library-passwordsafe/api/utils"
 	"github.com/cenkalti/backoff/v4"
@@ -36,8 +37,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	esoClient "github.com/external-secrets/external-secrets/pkg/utils"
-	resolvers "github.com/external-secrets/external-secrets/pkg/utils/resolvers"
+	esutils "github.com/external-secrets/external-secrets/pkg/utils"
+	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
 const (
@@ -55,8 +56,9 @@ var (
 	errSecretRefAndValueConflict = errors.New("cannot specify both secret reference and value")
 	errMissingSecretName         = errors.New("must specify a secret name")
 	errMissingSecretKey          = errors.New("must specify a secret key")
-	ESOLogger                    = ctrl.Log.WithName("provider").WithName("beyondtrust")
-	maxFileSecretSizeBytes       = 5000000
+	// ESOLogger is the logger instance for the Beyondtrust provider.
+	ESOLogger              = ctrl.Log.WithName("provider").WithName("beyondtrust")
+	maxFileSecretSizeBytes = 5000000
 )
 
 // Provider is a Password Safe secrets provider implementing NewClient and ValidateStore for the esv1.Provider interface.
@@ -68,6 +70,7 @@ type Provider struct {
 	separator     string
 }
 
+// AuthenticatorInput is used to pass parameters to the getAuthenticator function.
 type AuthenticatorInput struct {
 	Config                     *esv1.BeyondtrustProvider
 	HTTPClientObj              utils.HttpClientObj
@@ -111,7 +114,7 @@ func (p *Provider) Validate() (esv1.ValidationResult, error) {
 	timeout := 15 * time.Second
 	clientURL := p.apiURL
 
-	if err := esoClient.NetworkValidate(clientURL, timeout); err != nil {
+	if err := esutils.NetworkValidate(clientURL, timeout); err != nil {
 		ESOLogger.Error(err, "Network Validate", "clientURL:", clientURL)
 		return esv1.ValidationResultError, err
 	}
@@ -119,6 +122,8 @@ func (p *Provider) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// SecretExists checks if a secret exists in the provider.
+// Currently not implemented for this provider.
 func (*Provider) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New(errNotImplemented)
 }
@@ -139,10 +144,6 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 		return nil, fmt.Errorf("error loading certificate: %w", err)
 	}
 
-	if err != nil {
-		return nil, fmt.Errorf("error loading secrets: %w", err)
-	}
-
 	clientTimeOutInSeconds, separator, retryMaxElapsedTimeMinutes := getConfigValues(config)
 
 	backoffDefinition := getBackoffDefinition(retryMaxElapsedTimeMinutes)
@@ -309,6 +310,7 @@ func validateSecretRef(ref *esv1.BeyondTrustProviderSecretRef) error {
 	return nil
 }
 
+// GetAllSecrets retrieves all secrets from Beyondtrust.
 func (p *Provider) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (map[string][]byte, error) {
 	return nil, errors.New("GetAllSecrets not implemented")
 }
@@ -333,7 +335,7 @@ func (p *Provider) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemot
 
 	managedFetch := func() (string, error) {
 		ESOLogger.Info("retrieve managed account value", "retrievalPath:", retrievalPath)
-		manageAccountObj, _ := managed_account.NewManagedAccountObj(p.authenticate, &p.log)
+		manageAccountObj, _ := managedaccount.NewManagedAccountObj(p.authenticate, &p.log)
 		return manageAccountObj.GetSecret(retrievalPath, p.separator)
 	}
 	unmanagedFetch := func() (string, error) {
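Review bot: In the managedFetch closure the error from `managedaccount.NewManagedAccountObj` is still discarded with `_`, and the next line calls `GetSecret` on the result unconditionally. The commit only renames the import on that line, but a lint pass is a natural place to handle it: `manageAccountObj, err := managedaccount.NewManagedAccountObj(p.authenticate, &p.log)` followed by `if err != nil { return "", err }`. If the constructor can fail, the failure currently surfaces later in the credential-retrieval path instead of being reported with its real cause. The enclosing GetSecret method starts and ends outside the hunk.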

+ 18 - 2
pkg/provider/bitwarden/bitwarden_sdk.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package bitwarden implements a secret manager provider for Bitwarden.
 package bitwarden
 
 import (
@@ -39,6 +40,7 @@ const (
 	restAPIURL = "/rest/api/1/secret"
 )
 
+// SecretResponse represents a response from the Bitwarden API containing secret details.
 type SecretResponse struct {
 	CreationDate   string  `json:"creationDate"`
 	ID             string  `json:"id"`
@@ -48,37 +50,45 @@ type SecretResponse struct {
 	ProjectID      *string `json:"projectId,omitempty"`
 	RevisionDate   string  `json:"revisionDate"`
 	Value          string  `json:"value"`
+	// fix ProjectIDS -> ProjectIDs
+	ProjectIDs []string `json:"projectIds,omitempty"`
 }
 
+// SecretsDeleteResponse represents the response when deleting multiple secrets.
 type SecretsDeleteResponse struct {
 	Data []SecretDeleteResponse `json:"data"`
 }
 
+// SecretDeleteResponse represents the response for a single secret deletion.
 type SecretDeleteResponse struct {
 	Error *string `json:"error,omitempty"`
 	ID    string  `json:"id"`
 }
 
+// SecretIdentifiersResponse represents the response when listing secret identifiers.
 type SecretIdentifiersResponse struct {
 	Data []SecretIdentifierResponse `json:"data"`
 }
 
+// SecretIdentifierResponse represents a single secret identifier in a list response.
 type SecretIdentifierResponse struct {
 	ID             string `json:"id"`
 	Key            string `json:"key"`
 	OrganizationID string `json:"organizationId"`
 }
 
+// SecretCreateRequest represents the request to create a new secret.
 type SecretCreateRequest struct {
 	Key  string `json:"key"`
 	Note string `json:"note"`
 	// Organization where the secret will be created
 	OrganizationID string `json:"organizationId"`
 	// IDs of the projects that this secret will belong to
-	ProjectIDS []string `json:"projectIds,omitempty"`
+	ProjectIDs []string `json:"projectIds,omitempty"` // Changed from ProjectIDS
 	Value      string   `json:"value"`
 }
 
+// SecretPutRequest represents the request to update an existing secret.
 type SecretPutRequest struct {
 	ID   string `json:"id"`
 	Key  string `json:"key"`
@@ -86,7 +96,7 @@ type SecretPutRequest struct {
 	// Organization where the secret will be created
 	OrganizationID string `json:"organizationId"`
 	// IDs of the projects that this secret will belong to
-	ProjectIDS []string `json:"projectIds,omitempty"`
+	ProjectIDs []string `json:"projectIds,omitempty"` // Changed from ProjectIDS
 	Value      string   `json:"value"`
 }
 
@@ -109,6 +119,7 @@ type SdkClient struct {
 	client *http.Client
 }
 
+// NewSdkClient creates a new Bitwarden SDK client instance.
 func NewSdkClient(ctx context.Context, c client.Client, storeKind, namespace string, provider *esv1.BitwardenSecretsManagerProvider, token string) (*SdkClient, error) {
 	httpsClient, err := newHTTPSClient(ctx, c, storeKind, namespace, provider)
 	if err != nil {
@@ -124,6 +135,7 @@ func NewSdkClient(ctx context.Context, c client.Client, storeKind, namespace str
 	}, nil
 }
 
+// GetSecret retrieves a secret from Bitwarden by its ID.
 func (s *SdkClient) GetSecret(ctx context.Context, id string) (*SecretResponse, error) {
 	body := struct {
 		ID string `json:"id"`
@@ -144,6 +156,7 @@ func (s *SdkClient) GetSecret(ctx context.Context, id string) (*SecretResponse,
 	return secretResp, nil
 }
 
+// DeleteSecret deletes secrets from Bitwarden by their IDs.
 func (s *SdkClient) DeleteSecret(ctx context.Context, ids []string) (*SecretsDeleteResponse, error) {
 	body := struct {
 		IDs []string `json:"ids"`
@@ -164,6 +177,7 @@ func (s *SdkClient) DeleteSecret(ctx context.Context, ids []string) (*SecretsDel
 	return secretResp, nil
 }
 
+// CreateSecret creates a new secret in Bitwarden.
 func (s *SdkClient) CreateSecret(ctx context.Context, createReq SecretCreateRequest) (*SecretResponse, error) {
 	secretResp := &SecretResponse{}
 	if err := s.performHTTPRequestOperation(ctx, params{
@@ -178,6 +192,7 @@ func (s *SdkClient) CreateSecret(ctx context.Context, createReq SecretCreateRequ
 	return secretResp, nil
 }
 
+// UpdateSecret updates an existing secret in Bitwarden.
 func (s *SdkClient) UpdateSecret(ctx context.Context, putReq SecretPutRequest) (*SecretResponse, error) {
 	secretResp := &SecretResponse{}
 	if err := s.performHTTPRequestOperation(ctx, params{
@@ -192,6 +207,7 @@ func (s *SdkClient) UpdateSecret(ctx context.Context, putReq SecretPutRequest) (
 	return secretResp, nil
 }
 
+// ListSecrets retrieves all secrets from a Bitwarden organization.
 func (s *SdkClient) ListSecrets(ctx context.Context, organizationID string) (*SecretIdentifiersResponse, error) {
 	body := struct {
 		ID string `json:"organizationID"`
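Review bot: The SecretResponse hunk adds a new exported field `ProjectIDs` next to the existing `ProjectID *string`, under a comment that reads like a rename (`// fix ProjectIDS -> ProjectIDs`). No ProjectIDS field is visible in that struct, although its first lines fall outside the hunk, so this looks like a change to what is decoded from the API response inside a commit described as lint-only; it should be dropped or split out with a test. The trailing `// Changed from ProjectIDS` comments on SecretCreateRequest and SecretPutRequest record history that belongs in the commit message, and the existing `// IDs of the projects that this secret will belong to` line already documents the field. Renaming an exported field is also source-breaking for anyone importing these request types, which deserves a release note.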

+ 2 - 2
pkg/provider/bitwarden/bitwarden_sdk_test.go

@@ -90,7 +90,7 @@ func TestSdkClientCreateSecret(t *testing.T) {
 					Key:            "key",
 					Note:           "note",
 					OrganizationID: "orgID",
-					ProjectIDS:     []string{projectID},
+					ProjectIDs:     []string{projectID},
 					Value:          "value",
 				},
 			},
@@ -138,7 +138,7 @@ func TestSdkClientCreateSecret(t *testing.T) {
 					Key:            "key",
 					Note:           "note",
 					OrganizationID: "orgID",
-					ProjectIDS:     []string{projectID},
+					ProjectIDs:     []string{projectID},
 					Value:          "value",
 				},
 			},

+ 4 - 2
pkg/provider/bitwarden/client.go

@@ -100,7 +100,7 @@ func (p *Provider) PushSecret(ctx context.Context, secret *corev1.Secret, data e
 				Key:            data.GetRemoteKey(),
 				Note:           note,
 				OrganizationID: spec.Provider.BitwardenSecretsManager.OrganizationID,
-				ProjectIDS:     []string{spec.Provider.BitwardenSecretsManager.ProjectID},
+				ProjectIDs:     []string{spec.Provider.BitwardenSecretsManager.ProjectID},
 				Value:          string(value),
 			})
 
@@ -113,7 +113,7 @@ func (p *Provider) PushSecret(ctx context.Context, secret *corev1.Secret, data e
 		Key:            data.GetRemoteKey(),
 		Note:           note,
 		OrganizationID: spec.Provider.BitwardenSecretsManager.OrganizationID,
-		ProjectIDS:     []string{spec.Provider.BitwardenSecretsManager.ProjectID},
+		ProjectIDs:     []string{spec.Provider.BitwardenSecretsManager.ProjectID},
 		Value:          string(value),
 	})
 
@@ -163,6 +163,7 @@ func (p *Provider) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRem
 	return []byte(secret.Value), nil
 }
 
+// DeleteSecret deletes a secret from Bitwarden.
 func (p *Provider) DeleteSecret(ctx context.Context, ref esv1.PushSecretRemoteRef) error {
 	if strfmt.IsUUID(ref.GetRemoteKey()) {
 		return p.deleteSecret(ctx, ref.GetRemoteKey())
@@ -204,6 +205,7 @@ func (p *Provider) deleteSecret(ctx context.Context, id string) error {
 	return nil
 }
 
+// SecretExists checks if a secret exists in Bitwarden.
 func (p *Provider) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 	if strfmt.IsUUID(ref.GetRemoteKey()) {
 		_, err := p.bitwardenSdkClient.GetSecret(ctx, ref.GetRemoteKey())
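Review bot: The new comments on DeleteSecret and SecretExists say only that they delete or check "a secret", while both bodies first branch on `strfmt.IsUUID(ref.GetRemoteKey())`. How a remote key is resolved to a secret is what a caller most needs to know before a delete, so the comment should state it, e.g. `// DeleteSecret deletes the secret identified by the remote key; a key that is a UUID is used directly as the secret ID.` The non-UUID path lies outside both hunks, so that half of the description has to be written from the full function.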

+ 3 - 3
pkg/provider/bitwarden/client_test.go

@@ -482,7 +482,7 @@ func TestProviderPushSecret(t *testing.T) {
 						Key:            testKey,
 						Note:           "",
 						OrganizationID: "orgid",
-						ProjectIDS:     []string{projectID},
+						ProjectIDs:     []string{projectID},
 						Value:          "value",
 					})
 				},
@@ -546,7 +546,7 @@ func TestProviderPushSecret(t *testing.T) {
 						Key:            testKey,
 						Note:           "",
 						OrganizationID: "orgid",
-						ProjectIDS:     []string{projectID},
+						ProjectIDs:     []string{projectID},
 						Value:          `{"key":"value"}`,
 					}, cargs)
 				},
@@ -612,7 +612,7 @@ func TestProviderPushSecret(t *testing.T) {
 						Key:            testKey,
 						Note:           "",
 						OrganizationID: "orgid",
-						ProjectIDS:     []string{projectID},
+						ProjectIDs:     []string{projectID},
 						Value:          "new-value",
 					})
 				},

+ 16 - 5
pkg/provider/bitwarden/fake_client.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 )
 
+// FakeClient is a mock implementation of the Bitwarden client interface.
 type FakeClient struct {
 	getSecretCallArguments []string
 	getSecretReturnsOnCall map[int]*SecretResponse
@@ -43,6 +44,7 @@ type FakeClient struct {
 	listSecretsCalledN       int
 }
 
+// GetSecretReturnsOnCallN sets up the mock to return a specific response for GetSecret on the Nth call.
 func (c *FakeClient) GetSecretReturnsOnCallN(call int, ret *SecretResponse) {
 	if c.getSecretReturnsOnCall == nil {
 		c.getSecretReturnsOnCall = make(map[int]*SecretResponse)
@@ -51,7 +53,8 @@ func (c *FakeClient) GetSecretReturnsOnCallN(call int, ret *SecretResponse) {
 	c.getSecretReturnsOnCall[call] = ret
 }
 
-func (c *FakeClient) GetSecret(ctx context.Context, id string) (*SecretResponse, error) {
+// GetSecret retrieves a secret from the mock client.
+func (c *FakeClient) GetSecret(_ context.Context, id string) (*SecretResponse, error) {
 	ret, ok := c.getSecretReturnsOnCall[c.getSecretCalledN]
 	if !ok {
 		return nil, fmt.Errorf("get secret no canned responses set for call %d", c.getSecretCalledN)
@@ -62,6 +65,7 @@ func (c *FakeClient) GetSecret(ctx context.Context, id string) (*SecretResponse,
 	return ret, nil
 }
 
+// DeleteSecretReturnsOnCallN sets up the mock to return a specific response for DeleteSecret on the Nth call.
 func (c *FakeClient) DeleteSecretReturnsOnCallN(call int, ret *SecretsDeleteResponse) {
 	if c.deleteSecretReturnsOnCall == nil {
 		c.deleteSecretReturnsOnCall = make(map[int]*SecretsDeleteResponse)
@@ -70,7 +74,8 @@ func (c *FakeClient) DeleteSecretReturnsOnCallN(call int, ret *SecretsDeleteResp
 	c.deleteSecretReturnsOnCall[call] = ret
 }
 
-func (c *FakeClient) DeleteSecret(ctx context.Context, ids []string) (*SecretsDeleteResponse, error) {
+// DeleteSecret deletes secrets from the mock client.
+func (c *FakeClient) DeleteSecret(_ context.Context, ids []string) (*SecretsDeleteResponse, error) {
 	ret, ok := c.deleteSecretReturnsOnCall[c.deleteSecretCalledN]
 	if !ok {
 		return nil, fmt.Errorf("delete secret no canned responses set for call %d", c.deleteSecretCalledN)
@@ -81,6 +86,7 @@ func (c *FakeClient) DeleteSecret(ctx context.Context, ids []string) (*SecretsDe
 	return ret, nil
 }
 
+// CreateSecretReturnsOnCallN sets up the mock to return a specific response for CreateSecret on the Nth call.
 func (c *FakeClient) CreateSecretReturnsOnCallN(call int, ret *SecretResponse) {
 	if c.createSecretReturnsOnCall == nil {
 		c.createSecretReturnsOnCall = make(map[int]*SecretResponse)
@@ -89,7 +95,8 @@ func (c *FakeClient) CreateSecretReturnsOnCallN(call int, ret *SecretResponse) {
 	c.createSecretReturnsOnCall[call] = ret
 }
 
-func (c *FakeClient) CreateSecret(ctx context.Context, secret SecretCreateRequest) (*SecretResponse, error) {
+// CreateSecret creates a new secret in the mock client.
+func (c *FakeClient) CreateSecret(_ context.Context, secret SecretCreateRequest) (*SecretResponse, error) {
 	ret, ok := c.createSecretReturnsOnCall[c.createSecretCalledN]
 	if !ok {
 		return nil, fmt.Errorf("create secret no canned responses set for call %d", c.createSecretCalledN)
@@ -100,6 +107,7 @@ func (c *FakeClient) CreateSecret(ctx context.Context, secret SecretCreateReques
 	return ret, nil
 }
 
+// UpdateSecretReturnsOnCallN sets up the mock to return a specific response for UpdateSecret on the Nth call.
 func (c *FakeClient) UpdateSecretReturnsOnCallN(call int, ret *SecretResponse) {
 	if c.updateSecretReturnsOnCall == nil {
 		c.updateSecretReturnsOnCall = make(map[int]*SecretResponse)
@@ -108,7 +116,8 @@ func (c *FakeClient) UpdateSecretReturnsOnCallN(call int, ret *SecretResponse) {
 	c.updateSecretReturnsOnCall[call] = ret
 }
 
-func (c *FakeClient) UpdateSecret(ctx context.Context, secret SecretPutRequest) (*SecretResponse, error) {
+// UpdateSecret updates an existing secret in the mock client.
+func (c *FakeClient) UpdateSecret(_ context.Context, secret SecretPutRequest) (*SecretResponse, error) {
 	ret, ok := c.updateSecretReturnsOnCall[c.updateSecretCalledN]
 	if !ok {
 		return nil, fmt.Errorf("secret update no canned responses set for call %d", c.updateSecretCalledN)
@@ -119,6 +128,7 @@ func (c *FakeClient) UpdateSecret(ctx context.Context, secret SecretPutRequest)
 	return ret, nil
 }
 
+// ListSecretReturnsOnCallN sets up the mock to return a specific response for ListSecrets on the Nth call.
 func (c *FakeClient) ListSecretReturnsOnCallN(call int, ret *SecretIdentifiersResponse) {
 	if c.listSecretsReturnsOnCall == nil {
 		c.listSecretsReturnsOnCall = make(map[int]*SecretIdentifiersResponse)
@@ -127,7 +137,8 @@ func (c *FakeClient) ListSecretReturnsOnCallN(call int, ret *SecretIdentifiersRe
 	c.listSecretsReturnsOnCall[call] = ret
 }
 
-func (c *FakeClient) ListSecrets(ctx context.Context, organizationID string) (*SecretIdentifiersResponse, error) {
+// ListSecrets lists secrets from the mock client.
+func (c *FakeClient) ListSecrets(_ context.Context, organizationID string) (*SecretIdentifiersResponse, error) {
 	ret, ok := c.listSecretsReturnsOnCall[c.listSecretsCalledN]
 	if !ok {
 		return nil, fmt.Errorf("secret list no canned responses set for call %d", c.listSecretsCalledN)

+ 1 - 0
pkg/provider/bitwarden/provider.go

@@ -33,6 +33,7 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
+// Provider implements the External Secrets provider interface for Bitwarden Secrets Manager.
 type Provider struct {
 	kube               client.Client
 	namespace          string

+ 19 - 6
pkg/provider/chef/chef.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package chef implements a provider for Chef Infra Server secret management.
 package chef
 
 import (
@@ -25,6 +26,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/external-secrets/external-secrets/pkg/metrics"
 	"github.com/go-chef/chef"
 	"github.com/go-logr/logr"
 	"github.com/tidwall/gjson"
@@ -35,7 +37,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/metrics"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
@@ -65,23 +66,33 @@ const (
 	errInvalidDataform                       = "invalid key format in dataForm section. Expected only 'databagName'"
 	errNotImplemented                        = "not implemented"
 
-	ProviderChef             = "Chef"
-	CallChefGetDataBagItem   = "GetDataBagItem"
+	// ProviderChef is the name of the Chef Infra Server provider.
+	ProviderChef = "Chef"
+
+	// CallChefGetDataBagItem is the metric name for getting a data bag item.
+	CallChefGetDataBagItem = "GetDataBagItem"
+
+	// CallChefListDataBagItems is the metric name for listing data bag items from a data bag.
 	CallChefListDataBagItems = "ListDataBagItems"
-	CallChefGetUser          = "GetUser"
+
+	// CallChefGetUser is the metric name for getting user information.
+	CallChefGetUser = "GetUser"
 )
 
 var contextTimeout = time.Second * 25
 
+// DatabagFetcher defines the interface for fetching data bags from Chef Infra Server.
 type DatabagFetcher interface {
 	GetItem(databagName string, databagItem string) (item chef.DataBagItem, err error)
 	ListItems(name string) (data *chef.DataBagListResult, err error)
 }
 
+// UserInterface defines the interface for interacting with Chef Infra Server users.
 type UserInterface interface {
 	Get(name string) (user chef.User, err error)
 }
 
+// Providerchef implements the Provider interface for Chef Infra Server.
 type Providerchef struct {
 	clientName     string
 	databagService DatabagFetcher
@@ -98,6 +109,7 @@ func init() {
 	}, esv1.MaintenanceStatusMaintained)
 }
 
+// NewClient creates a new Chef Infra Server client.
 func (providerchef *Providerchef) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	chefProvider, err := getChefProvider(store)
 	if err != nil {
@@ -332,16 +344,17 @@ func getChefProvider(store esv1.GenericStore) (*esv1.ChefProvider, error) {
 	return chefProvider, nil
 }
 
-// Not Implemented DeleteSecret.
+// DeleteSecret implements the delete operation for Chef Infra Server secrets. Currently not implemented.
 func (providerchef *Providerchef) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
 	return errors.New(errNotImplemented)
 }
 
-// Not Implemented PushSecret.
+// PushSecret implements the push operation for Chef Infra Server secrets. Currently not implemented.
 func (providerchef *Providerchef) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
 	return errors.New(errNotImplemented)
 }
 
+// SecretExists checks if a secret exists in Chef Infra Server.
 func (providerchef *Providerchef) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New(errNotImplemented)
 }
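Review bot: The comment added on SecretExists says it "checks if a secret exists in Chef Infra Server", but the body returns `false, errors.New(errNotImplemented)`. The DeleteSecret and PushSecret comments in the same hunk end with "Currently not implemented", and SecretExists should match, e.g. `// SecretExists is not implemented for Chef Infra Server and always returns an error.` In the import hunk, `pkg/metrics` was moved out of the project-local group into the third-party group while `pkg/utils` stays in the local one; keeping all external-secrets imports together keeps the grouping consistent.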

+ 4 - 0
pkg/provider/cloudru/secretmanager/adapter/csm_client.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package adapter provides the adapter implementation for CloudRU Secret Manager.
 package adapter
 
 import (
@@ -83,6 +84,7 @@ func NewAPIClient(cr CredentialsResolver, iamClient iamAuthV1.AuthServiceClient,
 	}
 }
 
+// ListSecrets retrieves a list of secrets from CloudRU Secret Manager.
 func (c *APIClient) ListSecrets(ctx context.Context, req *ListSecretsRequest) ([]*smsV2.Secret, error) {
 	searchReq := &smsV2.SearchSecretRequest{
 		ProjectId: req.ProjectID,
@@ -110,6 +112,7 @@ func (c *APIClient) ListSecrets(ctx context.Context, req *ListSecretsRequest) ([
 	return resp.Secrets, nil
 }
 
+// AccessSecretVersionByPath retrieves a secret version by its path from CloudRU Secret Manager.
 func (c *APIClient) AccessSecretVersionByPath(ctx context.Context, projectID, path string, version *int32) ([]byte, error) {
 	var err error
 	ctx, err = c.authCtx(ctx)
@@ -135,6 +138,7 @@ func (c *APIClient) AccessSecretVersionByPath(ctx context.Context, projectID, pa
 	return secret.GetPayload().GetValue(), nil
 }
 
+// AccessSecretVersion retrieves a specific version of a secret from CloudRU Secret Manager.
 func (c *APIClient) AccessSecretVersion(ctx context.Context, id, version string) ([]byte, error) {
 	var err error
 	ctx, err = c.authCtx(ctx)
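Review bot: The SDK import alias is still spelled `smsV2` in the `ListSecrets` signature in this file (`[]*smsV2.Secret`), and `iamAuthV1` appears in the `NewAPIClient` signature, while the same commit renames the alias to `smsv2` in pkg/provider/cloudru/secretmanager/client.go. If that rename was made to satisfy the import-alias naming rule, this file presumably needs the same change so both packages refer to the SDK under one name. The import block and the function bodies lie outside the hunks shown, so the alias declaration itself cannot be checked from here.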

+ 9 - 4
pkg/provider/cloudru/secretmanager/client.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package secretmanager implements the External Secrets provider for CloudRu Secret Manager.
 package secretmanager
 
 import (
@@ -24,7 +25,7 @@ import (
 	"strconv"
 	"strings"
 
-	smsV2 "github.com/cloudru-tech/secret-manager-sdk/api/v2"
+	smsv2 "github.com/cloudru-tech/secret-manager-sdk/api/v2"
 	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 	corev1 "k8s.io/api/core/v1"
@@ -42,14 +43,14 @@ var (
 // SecretProvider is an API client for the Cloud.ru Secret Manager.
 type SecretProvider interface {
 	// ListSecrets lists secrets by the given request.
-	ListSecrets(ctx context.Context, req *adapter.ListSecretsRequest) ([]*smsV2.Secret, error)
+	ListSecrets(ctx context.Context, req *adapter.ListSecretsRequest) ([]*smsv2.Secret, error)
 	// AccessSecretVersionByPath gets the secret by the given path.
 	AccessSecretVersionByPath(ctx context.Context, projectID, path string, version *int32) ([]byte, error)
 	// AccessSecretVersion gets the secret by the given request.
 	AccessSecretVersion(ctx context.Context, id, version string) ([]byte, error)
 }
 
-// Client is a client for the Cloud.ru Secret Manager.
+// Client is a provider for CloudRu Secret Manager.
 type Client struct {
 	apiClient SecretProvider
 
@@ -86,6 +87,7 @@ func (c *Client) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemot
 	return []byte(result.Str), nil
 }
 
+// GetSecretMap retrieves a secret from CloudRu SecretManager and returns it as a map of key/value pairs.
 func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	secret, err := c.accessSecret(ctx, ref.Key, ref.Version)
 	if err != nil {
@@ -161,14 +163,17 @@ func (c *Client) accessSecret(ctx context.Context, key, version string) ([]byte,
 	return c.apiClient.AccessSecretVersion(ctx, key, version)
 }
 
+// PushSecret pushes a secret to CloudRu Secret Manager.
 func (c *Client) PushSecret(context.Context, *corev1.Secret, esv1.PushSecretData) error {
 	return fmt.Errorf("push secret is not supported")
 }
 
+// DeleteSecret deletes a secret from CloudRu Secret Manager.
 func (c *Client) DeleteSecret(context.Context, esv1.PushSecretRemoteRef) error {
-	return fmt.Errorf("delete secret is not supported")
+	return fmt.Errorf("not implemented")
 }
 
+// SecretExists checks if a secret exists in CloudRu Secret Manager.
 func (c *Client) SecretExists(context.Context, esv1.PushSecretRemoteRef) (bool, error) {
 	return false, fmt.Errorf("secret exists is not supported")
 }
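Review bot: The message returned by `DeleteSecret` changes from "delete secret is not supported" to "not implemented", which is a behaviour change inside a lint-only commit and leaves it out of step with `PushSecret` ("push secret is not supported") and `SecretExists` ("secret exists is not supported"). I would keep the original wording; since none of the three formats anything, `errors.New("delete secret is not supported")` is enough, provided `errors` is imported (the import block is only partly visible). The new doc comments also describe operations that never happen: `// PushSecret pushes a secret to CloudRu Secret Manager.` would be more accurate as `// PushSecret is not supported by the CloudRu provider and always returns an error.`, and likewise for `DeleteSecret` and `SecretExists`.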

+ 7 - 8
pkg/provider/conjur/auth_jwt.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package conjur implements a provider for Conjur.
 package conjur
 
 import (
@@ -29,9 +30,11 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
+// JwtLifespan is the duration in seconds for which the JWT token is valid (10 minutes).
 const JwtLifespan = 600 // 10 minutes
 
-// getJWTToken retrieves a JWT token either using the TokenRequest API for a specified service account, or from a jwt stored in a k8s secret.
+// getJWTToken retrieves a JWT token either using the TokenRequest API for a specified service account,
+// or from a JWT stored in a k8s secret.
 func (c *Client) getJWTToken(ctx context.Context, conjurJWTConfig *esv1.ConjurJWT) (string, error) {
 	if conjurJWTConfig.ServiceAccountRef != nil {
 		// Should work for Kubernetes >=v1.22: fetch token via TokenRequest API
@@ -46,14 +49,10 @@ func (c *Client) getJWTToken(ctx context.Context, conjurJWTConfig *esv1.ConjurJW
 			tokenRef = conjurJWTConfig.SecretRef.DeepCopy()
 			tokenRef.Key = "token"
 		}
-		jwtToken, err := resolvers.SecretKeyRef(
-			ctx,
-			c.kube,
-			c.StoreKind,
-			c.namespace,
-			tokenRef)
+
+		jwtToken, err := resolvers.SecretKeyRef(ctx, c.kube, c.StoreKind, c.namespace, tokenRef)
 		if err != nil {
-			return "", err
+			return "", fmt.Errorf("could not get JWT token from secret: %w", err)
 		}
 		return jwtToken, nil
 	}

+ 11 - 5
pkg/provider/conjur/client.go

@@ -52,6 +52,9 @@ type Client struct {
 	client    SecretsClient
 }
 
+// GetConjurClient returns an authenticated Conjur client.
+// If a client is already initialized, it returns the existing client.
+// Otherwise, it creates a new client based on the authentication method specified.
 func (c *Client) GetConjurClient(ctx context.Context) (SecretsClient, error) {
 	// if the client is initialized already, return it
 	if c.client != nil {
@@ -85,12 +88,12 @@ func (c *Client) GetConjurClient(ctx context.Context) (SecretsClient, error) {
 
 	if prov.Auth.APIKey != nil {
 		return c.conjurClientFromAPIKey(ctx, config, prov)
-	} else if prov.Auth.Jwt != nil {
+	}
+	if prov.Auth.Jwt != nil {
 		return c.conjurClientFromJWT(ctx, config, prov)
-	} else {
-		// Should not happen because validate func should catch this
-		return nil, errors.New("no authentication method provided")
 	}
+	// Should not happen because validate func should catch this
+	return nil, errors.New("no authentication method provided")
 }
 
 // PushSecret will write a single secret into the provider.
@@ -99,16 +102,18 @@ func (c *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecr
 	return nil
 }
 
+// DeleteSecret removes a secret from the provider.
 func (c *Client) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
 	// NOT IMPLEMENTED
 	return nil
 }
 
+// SecretExists checks if a secret exists in the provider.
 func (c *Client) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New("not implemented")
 }
 
-// Validate validates the provider.
+// Validate validates the provider configuration.
 func (c *Client) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
@@ -118,6 +123,7 @@ func (c *Client) Close(_ context.Context) error {
 	return nil
 }
 
+// conjurClientFromAPIKey creates a new Conjur client using API key authentication.
 func (c *Client) conjurClientFromAPIKey(ctx context.Context, config conjurapi.Config, prov *esv1.ConjurProvider) (SecretsClient, error) {
 	config.Account = prov.Auth.APIKey.Account
 	conjUser, secErr := resolvers.SecretKeyRef(
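Review bot: The new comment `// DeleteSecret removes a secret from the provider.` documents behaviour the method does not have: its body is `// NOT IMPLEMENTED` followed by `return nil`, so the caller is told the deletion succeeded when nothing was removed. The `PushSecret` hunk above also ends on `return nil`, while `SecretExists` returns `errors.New("not implemented")`. For a secrets provider a silent success on delete is the riskier default, because a secret that someone believes was removed stays in Conjur. I would return `errors.New("not implemented")` from both and word the comment as `// DeleteSecret is not implemented for Conjur and always returns an error.`. If the no-op is deliberate because the provider is read-only, the comment should say that instead.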

+ 1 - 0
pkg/provider/conjur/conjur_api.go

@@ -37,6 +37,7 @@ type SecretsClientFactory interface {
 // ClientAPIImpl is an implementation of the ClientAPI interface.
 type ClientAPIImpl struct{}
 
+// NewClientFromKey creates a new Conjur client using API key authentication.
 func (c *ClientAPIImpl) NewClientFromKey(config conjurapi.Config, loginPair authn.LoginPair) (SecretsClient, error) {
 	return conjurapi.NewClientFromKey(config, loginPair)
 }

+ 7 - 2
pkg/provider/conjur/provider.go

@@ -28,11 +28,14 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
+// Provider implements the External Secrets provider interface for Conjur.
+// It facilitates creation of Conjur clients and manages their lifecycle.
 type Provider struct {
 	NewConjurProvider func(context context.Context, store esv1.GenericStore, kube client.Client, namespace string, corev1 typedcorev1.CoreV1Interface, clientApi SecretsClientFactory) (esv1.SecretsClient, error)
 }
 
-// NewClient creates a new Conjur client.
+// NewClient creates a new Conjur client using the provided store configuration.
+// It sets up necessary Kubernetes clients and creates a new Conjur provider instance.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
 	// controller-runtime/client does not support TokenRequest or other subresource APIs
 	// so we need to construct our own client and use it to create a TokenRequest
@@ -48,11 +51,13 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return p.NewConjurProvider(ctx, store, kube, namespace, clientset.CoreV1(), &ClientAPIImpl{})
 }
 
-// Capabilities returns the provider Capabilities (Read, Write, ReadWrite).
+// Capabilities returns the provider's supported capabilities.
+// Conjur provider supports read-only access to secrets.
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
+// newConjurProvider creates and returns a new Conjur client with the specified configuration.
 func newConjurProvider(_ context.Context, store esv1.GenericStore, kube client.Client, namespace string, corev1 typedcorev1.CoreV1Interface, clientAPI SecretsClientFactory) (esv1.SecretsClient, error) {
 	return &Client{
 		StoreKind: store.GetObjectKind().GroupVersionKind().Kind,

+ 2 - 0
pkg/provider/conjur/util/provider.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package util provides utility functions for working with Conjur providers.
+// It contains helper functions for validating and extracting Conjur provider configurations.
 package util
 
 import (

+ 3 - 0
pkg/provider/delinea/client.go

@@ -14,6 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package delinea implements a provider for Delinea DevOps Secrets Vault.
+// It provides functionality to interact with secrets stored in Delinea DSV,
+// supporting operations like fetching secrets and managing secret lifecycles.
 package delinea
 
 import (

+ 3 - 0
pkg/provider/delinea/provider.go

@@ -42,6 +42,7 @@ var (
 	errClusterStoreRequiresNamespace = errors.New("when using a ClusterSecretStore, namespaces must be explicitly set")
 )
 
+// Provider implements the External Secrets provider for Delinea Secret Server.
 type Provider struct{}
 
 var _ esv1.Provider = &Provider{}
@@ -51,6 +52,7 @@ func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
+// NewClient creates a new Delinea Secret Server client.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kubeClient.Client, namespace string) (esv1.SecretsClient, error) {
 	cfg, err := getConfig(store)
 	if err != nil {
@@ -181,6 +183,7 @@ func getConfig(store esv1.GenericStore) (*esv1.DelineaProvider, error) {
 	return cfg, nil
 }
 
+// ValidateStore validates the Delinea SecretStore configuration.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	_, err := getConfig(store)
 	return nil, err
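Review bot: The new comments on `Provider`, `NewClient` and `ValidateStore` name the product as "Delinea Secret Server", but the package comment added to pkg/provider/delinea/client.go in this same commit describes the package as a provider for "Delinea DevOps Secrets Vault" (DSV). Those read as two different services, and an operator picking a store type from the generated docs could end up configuring credentials for the wrong one. Assuming the package comment is the accurate one, the lines would become `// Provider implements the External Secrets provider for Delinea DevOps Secrets Vault.`, `// NewClient creates a new Delinea DevOps Secrets Vault client.` and `// ValidateStore validates the Delinea DevOps Secrets Vault SecretStore configuration.`.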

+ 21 - 6
pkg/provider/device42/device42.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package device42 implements a provider for Device42 password management.
 package device42
 
 import (
@@ -40,19 +41,22 @@ const (
 	errMissingSAK                             = "missing credentials while setting auth"
 )
 
+// Client defines the interface for interacting with Device42 passwords.
 type Client interface {
 	GetSecret(secretID string) (D42Password, error)
 }
 
-// Device42 Provider struct with reference to a Device42 client.
+// Device42 implements the Provider interface for Device42.
 type Device42 struct {
 	client Client
 }
 
+// ValidateStore validates the Device42 provider configuration.
 func (p *Device42) ValidateStore(esv1.GenericStore) (admission.Warnings, error) {
 	return nil, nil
 }
 
+// Capabilities returns the provider's supported capabilities (ReadOnly).
 func (p *Device42) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
@@ -64,8 +68,15 @@ type device42Client struct {
 	namespace string
 	storeKind string
 }
+
+// Provider implements the external-secrets provider for Device42.
 type Provider struct{}
 
+// NewDevice42Provider returns a reference to a new instance of a 'Device42' struct.
+func NewDevice42Provider() *Device42 {
+	return &Device42{}
+}
+
 func (c *device42Client) getAuth(ctx context.Context) (string, string, error) {
 	credentialsSecret := &corev1.Secret{}
 	credentialsSecretName := c.store.Auth.SecretRef.Credentials.Name
@@ -98,11 +109,7 @@ func (c *device42Client) getAuth(ctx context.Context) (string, string, error) {
 	return string(username), string(password), nil
 }
 
-// NewDevice42Provider returns a reference to a new instance of a 'Device42' struct.
-func NewDevice42Provider() *Device42 {
-	return &Device42{}
-}
-
+// NewClient creates a new Device42 client.
 func (p *Device42) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Device42 == nil {
@@ -127,10 +134,12 @@ func (p *Device42) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return p, nil
 }
 
+// SecretExists checks if a secret exists in Device42.
 func (p *Device42) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New(errNotImplemented)
 }
 
+// Validate validates the Device42 provider configuration.
 func (p *Device42) Validate() (esv1.ValidationResult, error) {
 	timeout := 15 * time.Second
 	url := fmt.Sprintf("https://%s:%s", p.client.(*API).baseURL, p.client.(*API).hostPort)
@@ -141,18 +150,22 @@ func (p *Device42) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// PushSecret creates or updates a secret in Device42.
 func (p *Device42) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
 	return errors.New(errNotImplemented)
 }
 
+// GetAllSecrets retrieves multiple secrets from Device42.
 func (p *Device42) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (map[string][]byte, error) {
 	return nil, errors.New(errNotImplemented)
 }
 
+// DeleteSecret removes a secret from Device42.
 func (p *Device42) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
 	return errors.New(errNotImplemented)
 }
 
+// GetSecret retrieves a secret from Device42.
 func (p *Device42) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(p.client) {
 		return nil, errors.New(errUninitializedProvider)
@@ -165,6 +178,7 @@ func (p *Device42) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemot
 	return []byte(data.Password), nil
 }
 
+// GetSecretMap retrieves a secret from Device42 and returns it as a map.
 func (p *Device42) GetSecretMap(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	data, err := p.client.GetSecret(ref.Key)
 	if err != nil {
@@ -174,6 +188,7 @@ func (p *Device42) GetSecretMap(_ context.Context, ref esv1.ExternalSecretDataRe
 	return data.ToMap(), nil
 }
 
+// Close implements cleanup operations for the Device42 client.
 func (p *Device42) Close(_ context.Context) error {
 	return nil
 }
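Review bot: `Validate` uses the unchecked assertion `p.client.(*API)` twice when building `url`, which panics if `client` is nil or is any other implementation of the `Client` interface declared in this file. `GetSecret` guards with `utils.IsNil(p.client)`, but `Validate` has no equivalent check in the lines shown. I would assert once with `api, ok := p.client.(*API)`, return `esv1.ValidationResultError, errors.New(errUninitializedProvider)` when `!ok`, and build the URL from `api.baseURL` and `api.hostPort`; the rest of `Validate` lies outside the hunk. Separately, the comments added to `PushSecret`, `DeleteSecret`, `GetAllSecrets` and `SecretExists` describe real operations ("creates or updates", "removes") although each body only returns `errNotImplemented`, and they should say so.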

+ 14 - 4
pkg/provider/device42/device42_api.go

@@ -31,14 +31,17 @@ import (
 )
 
 const (
+	// DoRequestError is the error format string for HTTP request failures.
 	DoRequestError         = "error: do request: %w"
 	errJSONSecretUnmarshal = "unable to unmarshal secret from JSON: %w"
 )
 
+// HTTPClient is the interface for making HTTP requests.
 type HTTPClient interface {
 	Do(*http.Request) (*http.Response, error)
 }
 
+// API implements the Device42 REST API client.
 type API struct {
 	client   HTTPClient
 	baseURL  string
@@ -47,27 +50,30 @@ type API struct {
 	username string
 }
 
+// D42PasswordResponse represents the response from Device42 passwords API.
 type D42PasswordResponse struct {
 	Passwords []D42Password
 }
 
+// D42Password represents a password entry in Device42.
 type D42Password struct {
 	Password string `json:"password"`
 	ID       int    `json:"id"`
 }
 
+// NewAPI creates a new Device42 API client.
 func NewAPI(baseURL, username, password, hostPort string) *API {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
+	}
 	api := &API{
 		baseURL:  baseURL,
 		hostPort: hostPort,
 		username: username,
 		password: password,
-	}
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
+		client:   &http.Client{Transport: tr},
 	}
 
-	api.client = &http.Client{Transport: tr}
 	return api
 }
 
@@ -76,6 +82,7 @@ func (api *API) doAuthenticatedRequest(r *http.Request) (*http.Response, error)
 	return api.client.Do(r)
 }
 
+// ReadAndUnmarshal reads an HTTP response body and unmarshals it into the target structure.
 func ReadAndUnmarshal(resp *http.Response, target any) error {
 	var buf bytes.Buffer
 	defer func() {
@@ -94,6 +101,7 @@ func ReadAndUnmarshal(resp *http.Response, target any) error {
 	return json.Unmarshal(buf.Bytes(), target)
 }
 
+// GetSecret retrieves a password from Device42.
 func (api *API) GetSecret(secretID string) (D42Password, error) {
 	// https://api.device42.com/#!/Passwords/getPassword
 	endpointURL := fmt.Sprintf("https://%s:%s/api/1.0/passwords/?id=%s&plain_text=yes", api.baseURL, api.hostPort, secretID)
@@ -121,10 +129,12 @@ func (api *API) GetSecret(secretID string) (D42Password, error) {
 	return d42PasswordResponse.Passwords[0], err
 }
 
+// GetSecretMap returns a map of secret values from Device42.
 func (api *API) GetSecretMap(_ context.Context, _ esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	return nil, errors.New(errNotImplemented)
 }
 
+// ToMap converts a D42Password to a map of secret values.
 func (s D42Password) ToMap() map[string][]byte {
 	m := make(map[string][]byte)
 	m["password"] = []byte(s.Password)
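Review bot: `GetSecret` interpolates `secretID` into the query string with `%s` and no escaping, so reserved URL characters in the key change the request sent with the store's credentials instead of simply failing to match an id. The value arrives from `ref.Key` in device42.go, which is taken from the ExternalSecret, so it should be handled as untrusted. Either pass `url.QueryEscape(secretID)` to the `Sprintf` call (this needs `net/url`, which the hunks do not show as imported) or reject non-numeric ids with `strconv.Atoi`, if ids are always integers as the `ID int` field suggests. In `NewAPI`, the rewritten literal still builds `&http.Client{Transport: tr}` with no `Timeout`, so an unresponsive server can block the caller unless a deadline is set elsewhere; `client: &http.Client{Transport: tr, Timeout: 15 * time.Second}` would match the timeout used in `Validate`. The bodies of `GetSecret` and `ToMap` continue outside the hunks.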

+ 22 - 12
pkg/provider/doppler/client.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package doppler implements a provider for Doppler secrets management.
 package doppler
 
 import (
@@ -25,12 +26,12 @@ import (
 	"strings"
 	"time"
 
+	"github.com/external-secrets/external-secrets/pkg/find"
 	corev1 "k8s.io/api/core/v1"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	"github.com/external-secrets/external-secrets/pkg/find"
-	dClient "github.com/external-secrets/external-secrets/pkg/provider/doppler/client"
+	dclient "github.com/external-secrets/external-secrets/pkg/provider/doppler/client"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
@@ -48,6 +49,7 @@ const (
 	errInvalidClusterStoreMissingDopplerTokenNamespace = "missing auth.secretRef.dopplerToken.namespace"
 )
 
+// Client implements the SecretsClient interface for Doppler.
 type Client struct {
 	doppler         SecretsClientInterface
 	dopplerToken    string
@@ -66,9 +68,9 @@ type Client struct {
 type SecretsClientInterface interface {
 	BaseURL() *url.URL
 	Authenticate() error
-	GetSecret(request dClient.SecretRequest) (*dClient.SecretResponse, error)
-	GetSecrets(request dClient.SecretsRequest) (*dClient.SecretsResponse, error)
-	UpdateSecrets(request dClient.UpdateSecretsRequest) error
+	GetSecret(request dclient.SecretRequest) (*dclient.SecretResponse, error)
+	GetSecrets(request dclient.SecretsRequest) (*dclient.SecretsResponse, error)
+	UpdateSecrets(request dclient.UpdateSecretsRequest) error
 }
 
 func (c *Client) setAuth(ctx context.Context) error {
@@ -85,6 +87,7 @@ func (c *Client) setAuth(ctx context.Context) error {
 	return nil
 }
 
+// Validate validates the Doppler client configuration.
 func (c *Client) Validate() (esv1.ValidationResult, error) {
 	timeout := 15 * time.Second
 	clientURL := c.doppler.BaseURL().String()
@@ -100,9 +103,10 @@ func (c *Client) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// DeleteSecret removes a secret from Doppler.
 func (c *Client) DeleteSecret(_ context.Context, ref esv1.PushSecretRemoteRef) error {
-	request := dClient.UpdateSecretsRequest{
-		ChangeRequests: []dClient.Change{
+	request := dclient.UpdateSecretsRequest{
+		ChangeRequests: []dclient.Change{
 			{
 				Name:         ref.GetRemoteKey(),
 				OriginalName: ref.GetRemoteKey(),
@@ -121,15 +125,17 @@ func (c *Client) DeleteSecret(_ context.Context, ref esv1.PushSecretRemoteRef) e
 	return nil
 }
 
+// SecretExists checks if a secret exists in Doppler.
 func (c *Client) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New("not implemented")
 }
 
+// PushSecret creates or updates a secret in Doppler.
 func (c *Client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1.PushSecretData) error {
 	value := secret.Data[data.GetSecretKey()]
 
-	request := dClient.UpdateSecretsRequest{
-		Secrets: dClient.Secrets{
+	request := dclient.UpdateSecretsRequest{
+		Secrets: dclient.Secrets{
 			data.GetRemoteKey(): string(value),
 		},
 		Project: c.project,
@@ -144,8 +150,9 @@ func (c *Client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1.
 	return nil
 }
 
+// GetSecret retrieves a secret from Doppler.
 func (c *Client) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	request := dClient.SecretRequest{
+	request := dclient.SecretRequest{
 		Name:    ref.Key,
 		Project: c.project,
 		Config:  c.config,
@@ -159,6 +166,7 @@ func (c *Client) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteR
 	return []byte(secret.Value), nil
 }
 
+// GetSecretMap retrieves a secret from Doppler and returns it as a map.
 func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	data, err := c.GetSecret(ctx, ref)
 	if err != nil {
@@ -184,6 +192,7 @@ func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRe
 	return secretData, nil
 }
 
+// GetAllSecrets retrieves all secrets from Doppler that match the given criteria.
 func (c *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
 	secrets, err := c.getSecrets(ctx)
 	selected := map[string][]byte{}
@@ -215,12 +224,13 @@ func (c *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind)
 	return selected, nil
 }
 
+// Close implements cleanup operations for the Doppler client.
 func (c *Client) Close(_ context.Context) error {
 	return nil
 }
 
 func (c *Client) getSecrets(_ context.Context) (map[string][]byte, error) {
-	request := dClient.SecretsRequest{
+	request := dclient.SecretsRequest{
 		Project:         c.project,
 		Config:          c.config,
 		NameTransformer: c.nameTransformer,
@@ -241,7 +251,7 @@ func (c *Client) getSecrets(_ context.Context) (map[string][]byte, error) {
 	return externalSecretsFormat(response.Secrets), nil
 }
 
-func externalSecretsFormat(secrets dClient.Secrets) map[string][]byte {
+func externalSecretsFormat(secrets dclient.Secrets) map[string][]byte {
 	converted := make(map[string][]byte, len(secrets))
 	for key, value := range secrets {
 		converted[key] = []byte(value)
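Review bot: `PushSecret` reads `value := secret.Data[data.GetSecretKey()]` without checking that the key exists, so a missing or empty secret key yields a nil slice and the request sets `data.GetRemoteKey()` to the empty string, overwriting whatever Doppler held. I would use `value, ok := secret.Data[data.GetSecretKey()]` and return an error when `!ok`, for example `return fmt.Errorf("key %q not found in secret %s", data.GetSecretKey(), secret.Name)`. The rest of `PushSecret` is outside the hunk, so a later check cannot be ruled out from here. As a smaller style point, the import hunk moves `pkg/find` up into the third-party group, away from the other `github.com/external-secrets/...` imports, which looks accidental.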

+ 16 - 0
pkg/provider/doppler/client/client.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package client provides the client implementation for interacting with Doppler's API.
 package client
 
 import (
@@ -28,6 +29,7 @@ import (
 	"time"
 )
 
+// DopplerClient represents a client for interacting with Doppler's API.
 type DopplerClient struct {
 	baseURL      *url.URL
 	DopplerToken string
@@ -41,8 +43,10 @@ type headers map[string]string
 
 type httpRequestBody []byte
 
+// Secrets represents a map of secret names to their values.
 type Secrets map[string]string
 
+// Change represents a request to modify a secret in Doppler.
 type Change struct {
 	Name         string  `json:"name"`
 	OriginalName string  `json:"originalName"`
@@ -50,6 +54,7 @@ type Change struct {
 	ShouldDelete bool    `json:"shouldDelete,omitempty"`
 }
 
+// APIError represents an error returned by the Doppler API.
 type APIError struct {
 	Err     error
 	Message string
@@ -66,12 +71,14 @@ type apiErrorResponse struct {
 	Success  bool
 }
 
+// SecretRequest represents a request to retrieve a single secret.
 type SecretRequest struct {
 	Name    string
 	Project string
 	Config  string
 }
 
+// SecretsRequest represents a request to retrieve multiple secrets.
 type SecretsRequest struct {
 	Project         string
 	Config          string
@@ -80,6 +87,7 @@ type SecretsRequest struct {
 	ETag            string // Specifying an ETag implies that the caller has implemented response caching
 }
 
+// UpdateSecretsRequest represents a request to update secrets in Doppler.
 type UpdateSecretsRequest struct {
 	Secrets        Secrets  `json:"secrets,omitempty"`
 	ChangeRequests []Change `json:"change_requests,omitempty"`
@@ -97,11 +105,13 @@ type secretResponseBody struct {
 	Success  bool      `json:"success"`
 }
 
+// SecretResponse represents the response from retrieving a secret.
 type SecretResponse struct {
 	Name  string
 	Value string
 }
 
+// SecretsResponse represents the response from retrieving multiple secrets.
 type SecretsResponse struct {
 	Secrets  Secrets
 	Body     []byte
@@ -109,6 +119,7 @@ type SecretsResponse struct {
 	ETag     string
 }
 
+// NewDopplerClient creates a new Doppler API client.
 func NewDopplerClient(dopplerToken string) (*DopplerClient, error) {
 	client := &DopplerClient{
 		DopplerToken: dopplerToken,
@@ -123,11 +134,13 @@ func NewDopplerClient(dopplerToken string) (*DopplerClient, error) {
 	return client, nil
 }
 
+// BaseURL returns the base URL of the Doppler API.
 func (c *DopplerClient) BaseURL() *url.URL {
 	u := *c.baseURL
 	return &u
 }
 
+// SetBaseURL sets the base URL for the Doppler API.
 func (c *DopplerClient) SetBaseURL(urlStr string) error {
 	baseURL, err := url.Parse(strings.TrimSuffix(urlStr, "/"))
 
@@ -143,6 +156,7 @@ func (c *DopplerClient) SetBaseURL(urlStr string) error {
 	return nil
 }
 
+// Authenticate validates the authentication credentials.
 func (c *DopplerClient) Authenticate() error {
 	//  Choose projects as a lightweight endpoint for testing authentication
 	if _, err := c.performRequest("/v3/projects", "GET", headers{}, queryParams{}, httpRequestBody{}); err != nil {
@@ -152,6 +166,7 @@ func (c *DopplerClient) Authenticate() error {
 	return nil
 }
 
+// GetSecret retrieves a secret from Doppler.
 func (c *DopplerClient) GetSecret(request SecretRequest) (*SecretResponse, error) {
 	params := request.buildQueryParams(request.Name)
 	response, err := c.performRequest("/v3/configs/config/secret", "GET", headers{}, params, httpRequestBody{})
@@ -205,6 +220,7 @@ func (c *DopplerClient) GetSecrets(request SecretsRequest) (*SecretsResponse, er
 	return &SecretsResponse{Modified: true, Secrets: secrets, Body: response.Body, ETag: eTag}, nil
 }
 
+// UpdateSecrets updates secrets in Doppler.
 func (c *DopplerClient) UpdateSecrets(request UpdateSecretsRequest) error {
 	body, jsonErr := json.Marshal(request)
 	if jsonErr != nil {

+ 5 - 2
pkg/provider/doppler/provider.go

@@ -27,7 +27,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-	dClient "github.com/external-secrets/external-secrets/pkg/provider/doppler/client"
+	dclient "github.com/external-secrets/external-secrets/pkg/provider/doppler/client"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
@@ -50,10 +50,12 @@ func init() {
 	}, esv1.MaintenanceStatusMaintained)
 }
 
+// Capabilities returns the provider's supported capabilities.
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
+// NewClient creates a new Doppler client.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 
@@ -79,7 +81,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 		return nil, err
 	}
 
-	doppler, err := dClient.NewDopplerClient(client.dopplerToken)
+	doppler, err := dclient.NewDopplerClient(client.dopplerToken)
 	if err != nil {
 		return nil, fmt.Errorf(errNewClient, err)
 	}
@@ -106,6 +108,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return client, nil
 }
 
+// ValidateStore validates the Doppler provider configuration.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	dopplerStoreSpec := storeSpec.Provider.Doppler
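Review bot: The new comment on `Capabilities` does not say which capability is returned, and the value, `esv1.SecretStoreReadOnly`, disagrees with pkg/provider/doppler/client.go in this same commit. There `PushSecret` and `DeleteSecret` are documented as creating, updating and removing secrets, and both build an `UpdateSecretsRequest`. Either the capability should be `esv1.SecretStoreReadWrite`, or the comment should state the mismatch, e.g. `// Capabilities reports the store as read-only; PushSecret and DeleteSecret exist but are not advertised.`. Anyone relying on the advertised capability to decide whether a store can modify remote secrets would be misled as it stands; whether any caller enforces it is not visible here.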

+ 1 - 0
pkg/provider/fortanix/fortanix.go

@@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package fortanix
 
 import (

+ 6 - 0
pkg/provider/fortanix/provider.go

@@ -13,6 +13,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
+// Package fortanix provides a Fortanix provider implementation.
 package fortanix
 
 import (
@@ -30,6 +32,7 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
+// Provider implements provider interface for Fortanix Key Management.
 type Provider struct{}
 
 const (
@@ -50,10 +53,12 @@ func init() {
 	}, esv1.MaintenanceStatusMaintained)
 }
 
+// Capabilities returns the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
+// NewClient creates a new Fortanix Key Management client.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kubeclient.Client, namespace string) (esv1.SecretsClient, error) {
 	config, err := getConfig(store)
 	if err != nil {
@@ -76,6 +81,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	}, nil
 }
 
+// ValidateStore validates the Fortanix Key Management store configuration.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	_, err := getConfig(store)
 	return nil, err

+ 8 - 0
pkg/provider/gcp/secretmanager/auth.go

@@ -14,6 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+/*
+Package secretmanager implements the GCP Secret Manager provider for External Secrets.
+It provides functionality to interact with GCP Secret Manager, handle workload identity,
+and manage secret operations.
+*/
 package secretmanager
 
 import (
@@ -28,6 +33,9 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
+// NewTokenSource creates a new OAuth2 token source for GCP Secret Manager authentication.
+// It attempts to create a token source using service account credentials, workload identity,
+// or workload identity federation in that order.
 func NewTokenSource(ctx context.Context, auth esv1.GCPSMAuth, projectID, storeKind string, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
 	ts, err := serviceAccountTokenSource(ctx, auth, storeKind, kube, namespace)
 	if ts != nil || err != nil {
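Review bot: The new NewTokenSource comment lists the three mechanisms it tries but does not say what the caller gets when none of them is configured. Only the first attempt (`serviceAccountTokenSource`) is visible in this hunk and the body continues outside it, so the fallback cannot be confirmed from here. If the function ends by using ambient or default credentials, that is worth stating, because it decides which identity ends up reading the secrets. I would add a closing line such as `// If none of these is configured it <fallback behaviour, confirm against the body>.`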

+ 9 - 1
pkg/provider/gcp/secretmanager/client.go

@@ -50,7 +50,9 @@ import (
 )
 
 const (
-	CloudPlatformRole               = "https://www.googleapis.com/auth/cloud-platform"
+	// CloudPlatformRole is the OAuth2 scope required for GCP Cloud Platform access.
+	CloudPlatformRole = "https://www.googleapis.com/auth/cloud-platform"
+
 	defaultVersion                  = "latest"
 	errGCPSMStore                   = "received invalid GCPSM SecretStore resource"
 	errUnableGetCredentials         = "unable to get credentials: %w"
@@ -82,6 +84,7 @@ const (
 	regionalSecretVersionsPath = "projects/%s/locations/%s/secrets/%s/versions/%s"
 )
 
+// Client represents a Google Cloud Platform Secret Manager client.
 type Client struct {
 	smClient  GoogleSecretManagerClient
 	kube      kclient.Client
@@ -93,6 +96,7 @@ type Client struct {
 	workloadIdentity *workloadIdentity
 }
 
+// GoogleSecretManagerClient defines the interface for interacting with Google Secret Manager.
 type GoogleSecretManagerClient interface {
 	DeleteSecret(ctx context.Context, req *secretmanagerpb.DeleteSecretRequest, opts ...gax.CallOption) error
 	AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
@@ -107,6 +111,7 @@ type GoogleSecretManagerClient interface {
 
 var log = ctrl.Log.WithName("provider").WithName("gcp").WithName("secretsmanager")
 
+// DeleteSecret deletes a secret from Google Cloud Secret Manager.
 func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
 	name := getName(c.store.ProjectID, c.store.Location, remoteRef.GetRemoteKey())
 	gcpSecret, err := c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
@@ -141,6 +146,7 @@ func parseError(err error) error {
 	return err
 }
 
+// SecretExists checks if a secret exists in Google Cloud Secret Manager.
 func (c *Client) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 	secretName := fmt.Sprintf(globalSecretPath, c.store.ProjectID, ref.GetRemoteKey())
 	gcpSecret, err := c.smClient.GetSecret(ctx, &secretmanagerpb.GetSecretRequest{
@@ -641,6 +647,7 @@ func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRe
 	return secretData, nil
 }
 
+// Close closes the Google Cloud Secret Manager client connection.
 func (c *Client) Close(_ context.Context) error {
 	var err error
 	if c.smClient != nil {
@@ -656,6 +663,7 @@ func (c *Client) Close(_ context.Context) error {
 	return nil
 }
 
+// Validate performs validation of the Google Cloud Secret Manager client configuration.
 func (c *Client) Validate() (esv1.ValidationResult, error) {
 	if c.storeKind == esv1.ClusterSecretStoreKind && isReferentSpec(c.store) {
 		return esv1.ValidationResultUnknown, nil
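Review bot: SecretExists builds its lookup name with `fmt.Sprintf(globalSecretPath, c.store.ProjectID, ref.GetRemoteKey())`, while DeleteSecret in the hunk above resolves it through `getName(c.store.ProjectID, c.store.Location, remoteRef.GetRemoteKey())`. For a store with a Location set, the two would presumably address different resources, so the existence check could report false for a regional secret that DeleteSecret can reach. If that is not intended, `secretName := getName(c.store.ProjectID, c.store.Location, ref.GetRemoteKey())` keeps them consistent; otherwise the new doc comment should say the check only covers the global path. Both function bodies continue outside their hunks, so any later handling is not visible.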

+ 5 - 3
pkg/provider/gcp/secretmanager/provider.go

@@ -55,6 +55,7 @@ A Mutex was implemented to make sure only one connection can be in place at a ti
 */
 var useMu = sync.Mutex{}
 
+// Capabilities returns the provider's capabilities to read/write secrets.
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadWrite
 }
@@ -124,6 +125,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return client, nil
 }
 
+// ValidateStore validates the configuration of the secret store.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	if store == nil {
 		return nil, errors.New(errInvalidStore)
@@ -155,11 +157,11 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 func clusterProjectID(spec *esv1.SecretStoreSpec) (string, error) {
 	if spec.Provider.GCPSM.Auth.WorkloadIdentity != nil && spec.Provider.GCPSM.Auth.WorkloadIdentity.ClusterProjectID != "" {
 		return spec.Provider.GCPSM.Auth.WorkloadIdentity.ClusterProjectID, nil
-	} else if spec.Provider.GCPSM.ProjectID != "" {
+	}
+	if spec.Provider.GCPSM.ProjectID != "" {
 		return spec.Provider.GCPSM.ProjectID, nil
-	} else {
-		return "", errors.New(errNoProjectID)
 	}
+	return "", errors.New(errNoProjectID)
 }
 
 func isReferentSpec(prov *esv1.GCPSMProvider) bool {

+ 5 - 1
pkg/provider/gcp/secretmanager/push_secret.go

@@ -29,13 +29,17 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
 )
 
+// PushSecretMetadataMergePolicy defines how metadata should be merged when pushing secrets.
 type PushSecretMetadataMergePolicy string
 
 const (
+	// PushSecretMetadataMergePolicyReplace indicates that metadata should be replaced entirely.
 	PushSecretMetadataMergePolicyReplace PushSecretMetadataMergePolicy = "Replace"
-	PushSecretMetadataMergePolicyMerge   PushSecretMetadataMergePolicy = "Merge"
+	// PushSecretMetadataMergePolicyMerge indicates that metadata should be merged.
+	PushSecretMetadataMergePolicyMerge PushSecretMetadataMergePolicy = "Merge"
 )
 
+// PushSecretMetadataSpec defines the metadata specification for pushed secrets.
 type PushSecretMetadataSpec struct {
 	Annotations         map[string]string             `json:"annotations,omitempty"`
 	Labels              map[string]string             `json:"labels,omitempty"`

+ 3 - 2
pkg/provider/gcp/secretmanager/workload_identity.go

@@ -92,13 +92,14 @@ type workloadIdentity struct {
 	clusterProjectID     string
 }
 
-// interface to GCP IAM API.
+// IamClient provides an interface to the GCP IAM API.
 type IamClient interface {
 	GenerateAccessToken(ctx context.Context, req *credentialspb.GenerateAccessTokenRequest, opts ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
 	Close() error
 }
 
-// interface to GCP Metadata API.
+// MetadataClient defines the interface for interacting with GCP Metadata service.
+// It provides access to instance metadata and project information.
 type MetadataClient interface {
 	InstanceAttributeValueWithContext(ctx context.Context, attr string) (string, error)
 	ProjectIDWithContext(ctx context.Context) (string, error)

+ 7 - 5
pkg/provider/gcp/secretmanager/workload_identity_federation.go

@@ -121,7 +121,7 @@ const (
 	externalAccountCredentialType = "external_account"
 
 	awsEnvironmentIDPrefix    = "aws"
-	awsAccessKeyIdKeyName     = "aws_access_key_id"
+	awsAccessKeyIDKeyName     = "aws_access_key_id"
 	awsSecretAccessKeyKeyName = "aws_secret_access_key"
 	awsSessionTokenKeyName    = "aws_session_token"
 )
@@ -324,11 +324,11 @@ func (w *workloadIdentityFederation) readAWSSecurityCredentials(ctx context.Cont
 		return nil, fmt.Errorf("failed to fetch AwsSecurityCredentials secret %q: %w", key, err)
 	}
 
-	accessKeyID := string(secret.Data[awsAccessKeyIdKeyName])
+	accessKeyID := string(secret.Data[awsAccessKeyIDKeyName])
 	secretAccessKey := string(secret.Data[awsSecretAccessKeyKeyName])
 	sessionToken := string(secret.Data[awsSessionTokenKeyName])
 	if accessKeyID == "" || secretAccessKey == "" {
-		return nil, fmt.Errorf("%s and %s keys must be present in AwsSecurityCredentials secret", awsAccessKeyIdKeyName, awsSecretAccessKeyKeyName)
+		return nil, fmt.Errorf("%s and %s keys must be present in AwsSecurityCredentials secret", awsAccessKeyIDKeyName, awsSecretAccessKeyKeyName)
 	}
 
 	return &awsSecurityCredentialsReader{
@@ -417,10 +417,12 @@ func (r *k8sSATokenReader) SubjectToken(ctx context.Context, options externalacc
 	return resp.Status.Token, nil
 }
 
-func (a *awsSecurityCredentialsReader) AwsRegion(ctx context.Context, options externalaccount.SupplierOptions) (string, error) {
+// AwsRegion returns the AWS region for workload identity federation.
+func (a *awsSecurityCredentialsReader) AwsRegion(_ context.Context, _ externalaccount.SupplierOptions) (string, error) {
 	return a.region, nil
 }
 
-func (a *awsSecurityCredentialsReader) AwsSecurityCredentials(ctx context.Context, options externalaccount.SupplierOptions) (*externalaccount.AwsSecurityCredentials, error) {
+// AwsSecurityCredentials returns AWS security credentials for workload identity federation.
+func (a *awsSecurityCredentialsReader) AwsSecurityCredentials(_ context.Context, _ externalaccount.SupplierOptions) (*externalaccount.AwsSecurityCredentials, error) {
 	return a.awsSecurityCredentials, nil
 }
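Review bot: The comment added to AwsSecurityCredentials says it returns AWS security credentials, but not that it hands back the value stored on the reader (`a.awsSecurityCredentials`) without re-reading anything. From the readAWSSecurityCredentials hunk above, that value appears to be populated once from the Kubernetes secret, and an empty `aws_session_token` is accepted there. I would document this, e.g. `// AwsSecurityCredentials returns the credentials captured when the reader was built; it does not refresh them.`, so a maintainer knows that rotated or expired credentials need a new reader. The constructor's return statement is cut off by the hunk, so confirm the field is only set there.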

+ 4 - 4
pkg/provider/gcp/secretmanager/workload_identity_federation_test.go

@@ -281,7 +281,7 @@ func TestWorkloadIdentityFederation(t *testing.T) {
 						Namespace: testNamespace,
 					},
 					Data: map[string][]byte{
-						awsAccessKeyIdKeyName:     []byte(testAwsAccessKey),
+						awsAccessKeyIDKeyName:     []byte(testAwsAccessKey),
 						awsSecretAccessKeyKeyName: []byte(testAwsSecretKey),
 						awsSessionTokenKeyName:    []byte(testAwsSessionToken),
 					},
@@ -403,7 +403,7 @@ func TestWorkloadIdentityFederation(t *testing.T) {
 						Namespace: testNamespace,
 					},
 					Data: map[string][]byte{
-						awsAccessKeyIdKeyName:     []byte(testAwsAccessKey),
+						awsAccessKeyIDKeyName:     []byte(testAwsAccessKey),
 						awsSecretAccessKeyKeyName: []byte(testAwsSecretKey),
 					},
 				},
@@ -507,7 +507,7 @@ func TestWorkloadIdentityFederation(t *testing.T) {
 						Namespace: testNamespace,
 					},
 					Data: map[string][]byte{
-						awsAccessKeyIdKeyName:     []byte(testAwsAccessKey),
+						awsAccessKeyIDKeyName:     []byte(testAwsAccessKey),
 						awsSecretAccessKeyKeyName: []byte(testAwsSecretKey),
 						awsSessionTokenKeyName:    []byte(testAwsSessionToken),
 					},
@@ -867,7 +867,7 @@ func TestGenerateExternalAccountConfig(t *testing.T) {
 				Namespace: testNamespace,
 			},
 			Data: map[string][]byte{
-				awsAccessKeyIdKeyName:     []byte(testAwsAccessKey),
+				awsAccessKeyIDKeyName:     []byte(testAwsAccessKey),
 				awsSecretAccessKeyKeyName: []byte(testAwsSecretKey),
 				awsSessionTokenKeyName:    []byte(testAwsSessionToken),
 			},

+ 4 - 13
pkg/provider/github/auth.go

@@ -14,19 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// /*
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//	https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// */
+// Package github provides a client for GitHub API interactions.
 package github
 
 import (
@@ -40,6 +28,9 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
+// AuthWithPrivateKey creates a new GitHub client authenticated using a private key.
+// It retrieves the private key from the secret referenced in the provider configuration
+// and sets up GitHub App authentication.
 func (g *Client) AuthWithPrivateKey(ctx context.Context) (*github.Client, error) {
 	privateKey, err := resolvers.SecretKeyRef(ctx, g.crClient, g.storeKind, g.namespace, &g.provider.Auth.PrivateKey)
 	if err != nil {
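Review bot: This commit gives package github two different package comments, `// Package github provides a client for GitHub API interactions.` here and `// Package github implements a provider for GitHub secrets, ...` in pkg/provider/github/provider.go. In the same way, pkg/provider/gitlab/gitlab.go and pkg/provider/gitlab/provider.go both add the identical `// Package gitlab implements a GitLab provider for External Secrets.` line. Go's doc tooling concatenates the package comments from every file, so the rendered package documentation ends up duplicated or inconsistent. Keeping the comment in one file per package (provider.go or a doc.go) would be enough, provided the linter accepts a single package comment per package.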

+ 16 - 3
pkg/provider/github/client.go

@@ -35,11 +35,17 @@ import (
 // https://github.com/external-secrets/external-secrets/issues/644
 var _ esv1.SecretsClient = &Client{}
 
+// ActionsServiceClient defines the interface for interacting with GitHub Actions secrets.
 type ActionsServiceClient interface {
+	// CreateOrUpdateOrgSecret creates or updates an organization secret.
 	CreateOrUpdateOrgSecret(ctx context.Context, org string, eSecret *github.EncryptedSecret) (response *github.Response, err error)
+	// GetOrgSecret retrieves an organization secret.
 	GetOrgSecret(ctx context.Context, org string, name string) (*github.Secret, *github.Response, error)
+	// ListOrgSecrets lists all organization secrets.
 	ListOrgSecrets(ctx context.Context, org string, opts *github.ListOptions) (*github.Secrets, *github.Response, error)
 }
+
+// Client implements the External Secrets Kubernetes provider for GitHub Actions secrets.
 type Client struct {
 	crClient         client.Client
 	store            esv1.GenericStore
@@ -55,6 +61,7 @@ type Client struct {
 	deleteSecretFn   func(ctx context.Context, ref esv1.PushSecretRemoteRef) (*github.Response, error)
 }
 
+// DeleteSecret deletes a secret from GitHub Actions.
 func (g *Client) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
 	_, err := g.deleteSecretFn(ctx, remoteRef)
 	if err != nil {
@@ -63,6 +70,7 @@ func (g *Client) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemo
 	return nil
 }
 
+// SecretExists checks if a secret exists in GitHub Actions.
 func (g *Client) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
 	githubSecret, _, err := g.getSecretFn(ctx, ref)
 	if err != nil {
@@ -74,6 +82,7 @@ func (g *Client) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef)
 	return false, nil
 }
 
+// PushSecret pushes a new secret to GitHub Actions.
 func (g *Client) PushSecret(ctx context.Context, secret *corev1.Secret, remoteRef esv1.PushSecretData) error {
 	githubSecret, response, err := g.getSecretFn(ctx, remoteRef)
 	if err != nil && (response == nil || response.StatusCode != 404) {
@@ -133,15 +142,18 @@ func (g *Client) PushSecret(ctx context.Context, secret *corev1.Secret, remoteRe
 	return nil
 }
 
-func (g *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
+// GetAllSecrets is not implemented as this provider is write-only.
+func (g *Client) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (map[string][]byte, error) {
 	return nil, fmt.Errorf("not implemented - this provider supports write-only operations")
 }
 
-func (g *Client) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
+// GetSecret is not implemented as this provider is write-only.
+func (g *Client) GetSecret(_ context.Context, _ esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	return nil, fmt.Errorf("not implemented - this provider supports write-only operations")
 }
 
-func (g *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+// GetSecretMap is not implemented as this provider is write-only.
+func (g *Client) GetSecretMap(_ context.Context, _ esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	return nil, fmt.Errorf("not implemented - this provider supports write-only operations")
 }
 
@@ -149,6 +161,7 @@ func (g *Client) Close(_ context.Context) error {
 	return nil
 }
 
+// Validate checks if the client is properly configured and has access to the GitHub Actions API.
 func (g *Client) Validate() (esv1.ValidationResult, error) {
 	if g.store.GetKind() == esv1.ClusterSecretStoreKind {
 		return esv1.ValidationResultUnknown, nil
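Review bot: The comment added to Validate promises that it "checks if the client is properly configured and has access to the GitHub Actions API", but the first visible branch returns `esv1.ValidationResultUnknown, nil` for a ClusterSecretStore without checking anything. A reader relying on the comment could take a nil error as proof of working credentials. I would word it as `// Validate checks access to the GitHub Actions API; for a ClusterSecretStore it returns ValidationResultUnknown without performing any check.` The rest of the body is outside the hunk, so confirm what the non-cluster path actually verifies before settling the wording.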

+ 0 - 13
pkg/provider/github/env_secrets.go

@@ -14,19 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// /*
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//	https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// */
 package github
 
 import (

+ 0 - 13
pkg/provider/github/org_secrets.go

@@ -14,19 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// /*
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//	https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// */
 package github
 
 import (

+ 8 - 18
pkg/provider/github/provider.go

@@ -14,19 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// /*
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//	https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// */
+// Package github implements a provider for GitHub secrets, allowing
+// External Secrets to write secrets to GitHub Actions.
 package github
 
 import (
@@ -46,9 +35,9 @@ const (
 	errInvalidStoreProv    = "invalid store provider"
 	errInvalidGithubProv   = "invalid github provider"
 	errInvalidStore        = "invalid store"
-	errInvalidProvider     = "invalid provider"
 )
 
+// Provider implements the GitHub provider for managing secrets through GitHub Actions.
 type Provider struct {
 }
 
@@ -87,11 +76,11 @@ func newClient(ctx context.Context, store esv1.GenericStore, kube client.Client,
 	g.createOrUpdateFn = g.orgCreateOrUpdateSecret
 	g.listSecretsFn = g.orgListSecretsFn
 	g.deleteSecretFn = g.orgDeleteSecretsFn
-	client, err := g.AuthWithPrivateKey(ctx)
+	ghClient, err := g.AuthWithPrivateKey(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("could not get private key: %w", err)
 	}
-	g.baseClient = *client.Actions
+	g.baseClient = *ghClient.Actions
 	if provider.Repository != "" {
 		g.getSecretFn = g.repoGetSecretFn
 		g.getPublicKeyFn = g.repoGetPublicKeyFn
@@ -100,11 +89,11 @@ func newClient(ctx context.Context, store esv1.GenericStore, kube client.Client,
 		g.deleteSecretFn = g.repoDeleteSecretsFn
 		if provider.Environment != "" {
 			// For environment to work, we need the repository ID instead of its name.
-			repository, _, err := client.Repositories.Get(ctx, g.provider.Organization, g.provider.Repository)
+			repo, _, err := ghClient.Repositories.Get(ctx, g.provider.Organization, g.provider.Repository)
 			if err != nil {
 				return nil, fmt.Errorf("error fetching repository: %w", err)
 			}
-			g.repoID = repository.GetID()
+			g.repoID = repo.GetID()
 			g.getSecretFn = g.envGetSecretFn
 			g.getPublicKeyFn = g.envGetPublicKeyFn
 			g.createOrUpdateFn = g.envCreateOrUpdateSecret
@@ -125,6 +114,7 @@ func getProvider(store esv1.GenericStore) (*esv1.GithubProvider, error) {
 	return spc.Provider.Github, nil
 }
 
+// ValidateStore validates the configuration of a GitHub secret store.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	if store == nil {
 		return nil, errors.New(errInvalidStore)
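Review bot: In newClient, any failure of `g.AuthWithPrivateKey(ctx)` is reported as `could not get private key: %w`, yet the doc comment this commit adds in auth.go says the method also sets up GitHub App authentication. An operator debugging a failed store would then look at the referenced secret even when the key was read and a later step failed. A more neutral wrapper such as `return nil, fmt.Errorf("could not authenticate with private key: %w", err)` would avoid that, assuming nothing matches on the current text. newClient starts and ends outside these hunks.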

+ 0 - 13
pkg/provider/github/repo_secrets.go

@@ -14,19 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// /*
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//	https://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// */
 package github
 
 import (

+ 13 - 7
pkg/provider/gitlab/gitlab.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package gitlab implements a GitLab provider for External Secrets.
 package gitlab
 
 import (
@@ -56,20 +57,24 @@ const (
 var _ esv1.SecretsClient = &gitlabBase{}
 var _ esv1.Provider = &Provider{}
 
+// ProjectsClient is an interface for interacting with GitLab project APIs.
 type ProjectsClient interface {
 	ListProjectsGroups(pid any, opt *gitlab.ListProjectGroupOptions, options ...gitlab.RequestOptionFunc) ([]*gitlab.ProjectGroup, *gitlab.Response, error)
 }
 
+// ProjectVariablesClient is an interface for managing GitLab project variables.
 type ProjectVariablesClient interface {
 	GetVariable(pid any, key string, opt *gitlab.GetProjectVariableOptions, options ...gitlab.RequestOptionFunc) (*gitlab.ProjectVariable, *gitlab.Response, error)
 	ListVariables(pid any, opt *gitlab.ListProjectVariablesOptions, options ...gitlab.RequestOptionFunc) ([]*gitlab.ProjectVariable, *gitlab.Response, error)
 }
 
+// GroupVariablesClient is an interface for managing GitLab group variables.
 type GroupVariablesClient interface {
 	GetVariable(gid any, key string, opts *gitlab.GetGroupVariableOptions, options ...gitlab.RequestOptionFunc) (*gitlab.GroupVariable, *gitlab.Response, error)
 	ListVariables(gid any, opt *gitlab.ListGroupVariablesOptions, options ...gitlab.RequestOptionFunc) ([]*gitlab.GroupVariable, *gitlab.Response, error)
 }
 
+// ProjectGroupPathSorter implements sort.Interface for sorting project groups by path length.
 type ProjectGroupPathSorter []*gitlab.ProjectGroup
 
 func (a ProjectGroupPathSorter) Len() int           { return len(a) }
@@ -132,7 +137,7 @@ func (g *gitlabBase) GetAllSecrets(_ context.Context, ref esv1.ExternalSecretFin
 		matcher = m
 	}
 
-	err := g.ResolveGroupIds()
+	err := g.ResolveGroupIDs()
 	if err != nil {
 		return nil, err
 	}
@@ -247,6 +252,7 @@ func (g *gitlabBase) setGroupValues(
 	}
 }
 
+// ExtractTag extracts the environment scope from the provided tags map.
 func ExtractTag(tags map[string]string) (string, error) {
 	var environmentScope string
 	for tag, value := range tags {
@@ -312,7 +318,7 @@ func (g *gitlabBase) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRem
 		return nil, err
 	}
 
-	err = g.ResolveGroupIds()
+	err = g.ResolveGroupIDs()
 	if err != nil {
 		return nil, err
 	}
@@ -409,7 +415,7 @@ func (g *gitlabBase) Close(_ context.Context) error {
 	return nil
 }
 
-func (g *gitlabBase) ResolveGroupIds() error {
+func (g *gitlabBase) ResolveGroupIDs() error {
 	if g.store.InheritFromGroups {
 		projectGroups, resp, err := g.projectsClient.ListProjectsGroups(g.store.ProjectID, nil)
 		metrics.ObserveAPICall(constants.ProviderGitLab, constants.CallGitLabListProjectsGroups, err)
@@ -417,11 +423,11 @@ func (g *gitlabBase) ResolveGroupIds() error {
 			return err
 		}
 		sort.Sort(ProjectGroupPathSorter(projectGroups))
-		discoveredIds := make([]string, len(projectGroups))
+		discoveredIDs := make([]string, len(projectGroups))
 		for i, group := range projectGroups {
-			discoveredIds[i] = strconv.Itoa(group.ID)
+			discoveredIDs[i] = strconv.Itoa(group.ID)
 		}
-		g.store.GroupIDs = discoveredIds
+		g.store.GroupIDs = discoveredIDs
 	}
 	return nil
 }
@@ -437,7 +443,7 @@ func (g *gitlabBase) Validate() (esv1.ValidationResult, error) {
 			return esv1.ValidationResultError, fmt.Errorf(errProjectAuth, g.store.ProjectID)
 		}
 
-		err = g.ResolveGroupIds()
+		err = g.ResolveGroupIDs()
 		if err != nil {
 			return esv1.ValidationResultError, fmt.Errorf(errList, err)
 		}
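Review bot: ResolveGroupIDs is renamed here but still has no doc comment, and its side effect is not obvious from the name. When `g.store.InheritFromGroups` is set, it overwrites `g.store.GroupIDs` with the IDs returned by `ListProjectsGroups`, discarding whatever was configured. GetAllSecrets, GetSecret and Validate in this file all call it, so each of those paths can mutate the store. I would add `// ResolveGroupIDs replaces store.GroupIDs with the project's group IDs when InheritFromGroups is set; otherwise it does nothing.` The function's error-check lines fall between two hunks and are not visible.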

+ 5 - 3
pkg/provider/gitlab/gitlab_test.go

@@ -457,19 +457,21 @@ func TestGetSecret(t *testing.T) {
 	}
 }
 
-func TestResolveGroupIds(t *testing.T) {
+// TestResolveGroupIDs tests the resolving of group IDs for a GitLab store.
+func TestResolveGroupIDs(t *testing.T) {
 	v := makeValidSecretManagerTestCaseCustom()
 	sm := gitlabBase{}
 	sm.store = &esv1.GitlabProvider{}
 	sm.projectsClient = v.mockProjectsClient
 	sm.store.ProjectID = v.projectID
 	sm.store.InheritFromGroups = true
-	err := sm.ResolveGroupIds()
+
+	err := sm.ResolveGroupIDs()
 	if err != nil {
 		t.Errorf(defaultErrorMessage, 0, err.Error(), "")
 	}
 	if !reflect.DeepEqual(sm.store.GroupIDs, []string{"1", "10", "100"}) {
-		t.Errorf("unexpected groupIds: %s, expected %s", sm.store.GroupIDs, []string{"1", "10", "100"})
+		t.Errorf("unexpected groupIDs: %s, expected %s", sm.store.GroupIDs, []string{"1", "10", "100"})
 	}
 }
 

+ 5 - 2
pkg/provider/gitlab/provider.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package gitlab implements a GitLab provider for External Secrets.
 package gitlab
 
 import (
@@ -49,12 +50,13 @@ type gitlabBase struct {
 	groupVariablesClient   GroupVariablesClient
 }
 
-// Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
+// Capabilities returns the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
 func (g *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
-// Method on GitLab Provider to set up projectVariablesClient with credentials, populate projectID and environment.
+// NewClient creates a new GitLab client with the given store configuration.
+// It sets up the project variables client with credentials and populates projectID and environment.
 func (g *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Gitlab == nil {
@@ -150,6 +152,7 @@ func (g *gitlabBase) getVariables(ref esv1.ExternalSecretDataRemoteRef, vopts *g
 	return data, resp, nil
 }
 
+// ValidateStore validates the GitLab store configuration.
 func (g *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	gitlabSpec := storeSpec.Provider.Gitlab
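Review bot: ValidateStore reads `storeSpec.Provider.Gitlab` straight after `store.GetSpec()` with no nil check, whereas NewClient in the same file first rejects `storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Gitlab == nil`. If validation can be reached with a nil spec or provider, this dereference panics instead of returning a validation error; whether callers rule that out is not visible here. Reusing NewClient's condition at the top of ValidateStore and returning an error would make the two paths agree. The Doppler ValidateStore at the top of this page has the same shape, and the body of this function continues outside the hunk.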

+ 3 - 0
pkg/provider/ibm/provider.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package ibm provides integration with IBM Cloud Secrets Manager
+// for External Secrets Operator.
 package ibm
 
 import (
@@ -70,6 +72,7 @@ var (
 	_ esv1.Provider      = &providerIBM{}
 )
 
+// SecretManagerClient defines the interface for interacting with IBM Cloud Secrets Manager.
 type SecretManagerClient interface {
 	GetSecretWithContext(ctx context.Context, getSecretOptions *sm.GetSecretOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error)
 	GetSecretByNameTypeWithContext(ctx context.Context, getSecretByNameTypeOptions *sm.GetSecretByNameTypeOptions) (result sm.SecretIntf, response *core.DetailedResponse, err error)

+ 2 - 1
pkg/provider/infisical/api/api_fake.go

@@ -35,7 +35,7 @@ func newMockServer(status int, data any) *httptest.Server {
 		panic(err)
 	}
 
-	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(status)
 		_, err := w.Write(body)
@@ -73,6 +73,7 @@ func NewMockClient(status int, data any) (infisicalSdk.InfisicalClientInterface,
 	return infisicalSdk, closeFunc
 }
 
+// NewAPIClient creates a new Infisical API client with the specified base URL and optional certificate.
 func NewAPIClient(baseURL string, certificate *x509.Certificate) (infisicalSdk.InfisicalClientInterface, context.CancelFunc, error) {
 	baseParsedURL, err := url.Parse(baseURL)
 	if err != nil {
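Review bot: The comment added to NewAPIClient mentions an "optional certificate" without saying how that certificate affects TLS verification or what passing nil means. This parameter decides which server the client will trust when it fetches secrets, so the contract belongs in the doc comment. The body is outside the hunk, so I cannot tell whether the certificate is added to the trusted roots or used some other way. I would extend the comment with one sentence for the non-nil case and one for nil, written against the actual implementation.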

+ 10 - 0
pkg/provider/infisical/api/api_models.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package api provides the API client implementation for Infisical.
 package api
 
 import (
@@ -21,10 +22,12 @@ import (
 	"fmt"
 )
 
+// MachineIdentityUniversalAuthRefreshRequest represents the request structure for refreshing universal auth tokens.
 type MachineIdentityUniversalAuthRefreshRequest struct {
 	AccessToken string `json:"accessToken"`
 }
 
+// InfisicalAPIError represents an API error from Infisical.
 type InfisicalAPIError struct {
 	StatusCode int
 	Err        any
@@ -40,6 +43,7 @@ func (e *InfisicalAPIError) Error() string {
 	return fmt.Sprintf("API error (%d): error=%v message=%v", e.StatusCode, e.Err, e.Message)
 }
 
+// MachineIdentityDetailsResponse represents a response containing machine identity details.
 type MachineIdentityDetailsResponse struct {
 	AccessToken       string `json:"accessToken"`
 	ExpiresIn         int    `json:"expiresIn"`
@@ -47,14 +51,17 @@ type MachineIdentityDetailsResponse struct {
 	TokenType         string `json:"tokenType"`
 }
 
+// RevokeMachineIdentityAccessTokenResponse represents a response from revoking a machine identity token.
 type RevokeMachineIdentityAccessTokenResponse struct {
 	Message string `json:"message"`
 }
 
+// GetSecretByKeyV3Response represents a response from getting a secret by key in V3 API.
 type GetSecretByKeyV3Response struct {
 	Secret SecretsV3 `json:"secret"`
 }
 
+// GetSecretsV3Response represents a response from getting secrets in V3 API.
 type GetSecretsV3Response struct {
 	Secrets         []SecretsV3        `json:"secrets"`
 	ImportedSecrets []ImportedSecretV3 `json:"imports,omitempty"`
@@ -62,6 +69,7 @@ type GetSecretsV3Response struct {
 	ETag            string             `json:"ETag,omitempty"`
 }
 
+// SecretsV3 represents secrets in V3 API format.
 type SecretsV3 struct {
 	ID            string `json:"id"`
 	Workspace     string `json:"workspace"`
@@ -73,6 +81,7 @@ type SecretsV3 struct {
 	SecretComment string `json:"secretComment"`
 }
 
+// ImportedSecretV3 represents an imported secret in V3 API format.
 type ImportedSecretV3 struct {
 	Environment string      `json:"environment"`
 	FolderID    string      `json:"folderId"`
@@ -80,6 +89,7 @@ type ImportedSecretV3 struct {
 	Secrets     []SecretsV3 `json:"secrets"`
 }
 
+// InfisicalAPIErrorResponse represents an error response from the Infisical API.
 type InfisicalAPIErrorResponse struct {
 	StatusCode int    `json:"statusCode"`
 	Message    string `json:"message"`

+ 12 - 7
pkg/provider/infisical/client.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package infisical implements a provider for retrieving secrets from Infisical.
 package infisical
 
 import (
@@ -75,9 +76,10 @@ func getSecretAddress(defaultPath, key string) (string, string, error) {
 	return key[:lastIndex], key[lastIndex+1:], nil
 }
 
-// GetSecret if this returns an error with type NoSecretError then the secret entry will be deleted depending on the
+// GetSecret retrieves a secret value from Infisical.
+// If this returns an error with type NoSecretError then the secret entry will be deleted depending on the
 // deletionPolicy.
-func (p *Provider) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (p *Provider) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	path, key, err := getSecretAddress(p.apiScope.SecretPath, ref.Key)
 	if err != nil {
 		return nil, err
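Review bot: Renaming `ctx` to `_` on `GetSecret` (and on `GetAllSecrets` in the next hunk) satisfies the unused-parameter lint but makes it permanent that the caller's context is ignored. If these methods reach the Infisical SDK without a context, a cancelled or timed-out reconcile cannot stop an in-flight secret fetch. Both function bodies continue outside their hunks, so this is inferred from the signatures only. If the SDK call really cannot take a context, I would record that in the doc comment, e.g. `// The context is not used: the SDK call made here does not accept one.`, so the gap stays visible.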
@@ -134,8 +136,8 @@ func (p *Provider) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretData
 	return secretData, nil
 }
 
-// GetAllSecrets returns multiple k/v pairs from the provider.
-func (p *Provider) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
+// GetAllSecrets retrieves all secrets matching the given criteria from Infisical.
+func (p *Provider) GetAllSecrets(_ context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
 	if ref.Tags != nil {
 		return nil, errTagsNotImplemented
 	}
@@ -202,16 +204,19 @@ func (p *Provider) Validate() (esv1.ValidationResult, error) {
 }
 
 // PushSecret will write a single secret into the provider.
-func (p *Provider) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1.PushSecretData) error {
+// This is not implemented for this provider.
+func (p *Provider) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
 	return errNotImplemented
 }
 
 // DeleteSecret will delete the secret from a provider.
-func (p *Provider) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
+// This is not implemented for this provider.
+func (p *Provider) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
 	return errNotImplemented
 }
 
 // SecretExists checks if a secret is already present in the provider at the given location.
-func (p *Provider) SecretExists(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) (bool, error) {
+// This is not implemented for this provider.
+func (p *Provider) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errNotImplemented
 }
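Review bot: The doc comments on `PushSecret`, `DeleteSecret` and `SecretExists` now contradict themselves: the first line says the method writes, deletes or checks a secret, and the added second line says it is not implemented. Each body only returns `errNotImplemented`, so the comment should say just that, e.g. `// PushSecret is not supported by the Infisical provider and always returns errNotImplemented.` with the same wording for the other two. That matches `Capabilities` in provider.go, which reports `esv1.SecretStoreReadOnly`.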

+ 6 - 1
pkg/provider/infisical/constants/constants.go

@@ -13,9 +13,14 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
+// Package constants holds constant values used across the Infisical provider.
 package constants
 
 const (
+	// UniversalAuth is the authentication type for universal auth in Infisical.
 	UniversalAuth = "universal-auth"
-	ProviderName  = "infisical"
+
+	// ProviderName is the name of the Infisical provider.
+	ProviderName = "infisical"
 )

+ 23 - 14
pkg/provider/infisical/provider.go

@@ -21,14 +21,14 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/external-secrets/external-secrets/pkg/metrics"
+	"github.com/external-secrets/external-secrets/pkg/provider/infisical/constants"
 	infisicalSdk "github.com/infisical/go-sdk"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-	"github.com/external-secrets/external-secrets/pkg/metrics"
-	"github.com/external-secrets/external-secrets/pkg/provider/infisical/constants"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
@@ -36,7 +36,7 @@ import (
 const (
 	machineIdentityLoginViaUniversalAuth         = "MachineIdentityLoginViaUniversalAuth"
 	machineIdentityLoginViaAzureAuth             = "MachineIdentityLoginViaAzureAuth"
-	machineIdentityLoginViaGcpIdTokenAuth        = "MachineIdentityLoginViaGcpIdTokenAuth"
+	machineIdentityLoginViaGCPIDTokenAuth        = "MachineIdentityLoginViaGcpIdTokenAuth"
 	machineIdentityLoginViaGcpServiceAccountAuth = "MachineIdentityLoginViaGcpServiceAccountAuth"
 	machineIdentityLoginViaJwtAuth               = "MachineIdentityLoginViaJwtAuth"
 	machineIdentityLoginViaLdapAuth              = "MachineIdentityLoginViaLdapAuth"
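Review bot: The rename to `machineIdentityLoginViaGCPIDTokenAuth` leaves the initialism spelled three ways in this file. The constant uses `GCPID`, the function renamed further down uses `performGcpIDTokenAuthLogin`, and the neighbouring constant is still `machineIdentityLoginViaGcpServiceAccountAuth`. Picking one form keeps the names greppable, e.g. `machineIdentityLoginViaGCPServiceAccountAuth` and `performGCPIDTokenAuthLogin`. The string value is what reaches `metrics.ObserveAPICall`, so it should stay unchanged.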
@@ -49,14 +49,16 @@ const (
 
 const errSecretDataFormat = "failed to get secret data identityId %w"
 
+// Provider implements the Infisical external secrets provider.
 type Provider struct {
 	cancelSdkClient context.CancelFunc
 	sdkClient       infisicalSdk.InfisicalClientInterface
-	apiScope        *InfisicalClientScope
+	apiScope        *ClientScope
 	authMethod      string
 }
 
-type InfisicalClientScope struct {
+// ClientScope represents the scope configuration for an Infisical client.
+type ClientScope struct {
 	EnvironmentSlug        string
 	ProjectSlug            string
 	Recursive              bool
@@ -74,6 +76,7 @@ func init() {
 	}, esv1.MaintenanceStatusMaintained)
 }
 
+// Capabilities returns the provider's supported capabilities.
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
@@ -126,15 +129,15 @@ func performAzureAuthLogin(ctx context.Context, store esv1.GenericStore, infisic
 	return nil
 }
 
-func performGcpIdTokenAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
-	gcpIdTokenAuthCredentials := infisicalSpec.Auth.GcpIdTokenAuthCredentials
-	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, gcpIdTokenAuthCredentials.IdentityID)
+func performGcpIDTokenAuthLogin(ctx context.Context, store esv1.GenericStore, infisicalSpec *esv1.InfisicalProvider, sdkClient infisicalSdk.InfisicalClientInterface, kube kclient.Client, namespace string) error {
+	gcpIDTokenAuthCredentials := infisicalSpec.Auth.GcpIdTokenAuthCredentials
+	identityID, err := GetStoreSecretData(ctx, store, kube, namespace, gcpIDTokenAuthCredentials.IdentityID)
 	if err != nil {
 		return fmt.Errorf(errSecretDataFormat, err)
 	}
 
 	_, err = sdkClient.Auth().GcpIdTokenAuthLogin(identityID)
-	metrics.ObserveAPICall(constants.ProviderName, machineIdentityLoginViaGcpIdTokenAuth, err)
+	metrics.ObserveAPICall(constants.ProviderName, machineIdentityLoginViaGCPIDTokenAuth, err)
 
 	if err != nil {
 		return fmt.Errorf("failed to authenticate via gcp id token auth %w", err)
@@ -226,7 +229,7 @@ func performOciAuthLogin(ctx context.Context, store esv1.GenericStore, infisical
 		return fmt.Errorf("failed to get secret data privateKey %w", err)
 	}
 
-	var privateKeyPassphrase *string = nil
+	var privateKeyPassphrase *string
 	if ociAuthCredentials.PrivateKeyPassphrase.Name != "" {
 		passphrase, err := GetStoreSecretData(ctx, store, kube, namespace, ociAuthCredentials.PrivateKeyPassphrase)
 		if err != nil {
@@ -329,6 +332,7 @@ func performTokenAuthLogin(ctx context.Context, store esv1.GenericStore, infisic
 	return nil
 }
 
+// NewClient creates a new Infisical client.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 
@@ -358,8 +362,8 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 		loginFn = performAzureAuthLogin
 		authMethod = machineIdentityLoginViaAzureAuth
 	case infisicalSpec.Auth.GcpIdTokenAuthCredentials != nil:
-		loginFn = performGcpIdTokenAuthLogin
-		authMethod = machineIdentityLoginViaGcpIdTokenAuth
+		loginFn = performGcpIDTokenAuthLogin
+		authMethod = machineIdentityLoginViaGCPIDTokenAuth
 	case infisicalSpec.Auth.GcpIamAuthCredentials != nil:
 		loginFn = performGcpIamAuthLogin
 		authMethod = machineIdentityLoginViaGcpServiceAccountAuth
@@ -394,7 +398,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return &Provider{
 		cancelSdkClient: cancelSdkClient,
 		sdkClient:       sdkClient,
-		apiScope: &InfisicalClientScope{
+		apiScope: &ClientScope{
 			EnvironmentSlug:        infisicalSpec.SecretsScope.EnvironmentSlug,
 			ProjectSlug:            infisicalSpec.SecretsScope.ProjectSlug,
 			Recursive:              infisicalSpec.SecretsScope.Recursive,
@@ -405,7 +409,8 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	}, nil
 }
 
-func (p *Provider) Close(ctx context.Context) error {
+// Close releases any resources used by the provider.
+func (p *Provider) Close(_ context.Context) error {
 	p.cancelSdkClient()
 
 	// Don't revoke token if token auth was used
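Review bot: The new doc comment on `Close` ("releases any resources used by the provider") leaves out the security-relevant part of the method. The body cancels the SDK client, and the inline comment suggests it then revokes the access token unless token auth was used. The rest of the body is outside the hunk, so this should be confirmed before wording it. I would document it, e.g. `// Close cancels the SDK client and, unless token auth was used, revokes the machine identity access token.` It also matters that `ctx` is now `_`: if the revocation is a network call, it cannot be bounded by the caller's deadline.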
@@ -419,6 +424,8 @@ func (p *Provider) Close(ctx context.Context) error {
 	return err
 }
 
+// GetStoreSecretData retrieves secret data from a Kubernetes secret using the provided reference.
+// It handles namespace resolution and returns the secret value as a string.
 func GetStoreSecretData(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string, secret esmeta.SecretKeySelector) (string, error) {
 	secretRef := esmeta.SecretKeySelector{
 		Name: secret.Name,
@@ -435,6 +442,8 @@ func GetStoreSecretData(ctx context.Context, store esv1.GenericStore, kube kclie
 	return secretData, nil
 }
 
+// ValidateStore validates the Infisical SecretStore configuration.
+// It checks for required fields and valid authentication settings.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	infisicalStoreSpec := storeSpec.Provider.Infisical
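Review bot: The added comment says `ValidateStore` "checks for required fields", but the second line dereferences `storeSpec.Provider.Infisical` before any nil check can run. A store with a nil spec or nil provider would therefore panic in the admission path rather than be rejected. The same pattern appears in `ValidateStore` in pkg/provider/kubernetes/validate.go (`storeSpec.Provider.Kubernetes`), whereas the Keeper Security `NewClient` on this page guards all three levels. Unless callers guarantee a non-nil spec, I would add a guard first, e.g. `if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Infisical == nil { return nil, errors.New("infisical provider spec is missing") }` (message wording is only an example). The function body continues outside the hunk.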

+ 1 - 1
pkg/provider/infisical/provider_test.go

@@ -35,7 +35,7 @@ import (
 
 type storeModifier func(*esv1.SecretStore) *esv1.SecretStore
 
-var apiScope = InfisicalClientScope{
+var apiScope = ClientScope{
 	SecretPath:      "/",
 	ProjectSlug:     "first-project",
 	EnvironmentSlug: "dev",

+ 46 - 15
pkg/provider/keepersecurity/client.go

@@ -53,18 +53,25 @@ const (
 
 	externalSecretType = "externalSecrets"
 	secretType         = "secret"
-	LoginType          = "login"
-	LoginTypeExpr      = "login|username"
-	PasswordType       = "password"
-	URLTypeExpr        = "url|baseurl"
-	URLType            = "url"
+	// LoginType represents the login field type.
+	LoginType = "login"
+	// LoginTypeExpr is the regex expression for matching login/username fields.
+	LoginTypeExpr = "login|username"
+	// PasswordType represents the password field type.
+	PasswordType = "password"
+	// URLTypeExpr is the regex expression for matching URL/baseurl fields.
+	URLTypeExpr = "url|baseurl"
+	// URLType represents the URL field type.
+	URLType = "url"
 )
 
+// Client represents a KeeperSecurity client that can interact with the KeeperSecurity API.
 type Client struct {
 	ksmClient SecurityClient
 	folderID  string
 }
 
+// SecurityClient defines the interface for interacting with KeeperSecurity's API.
 type SecurityClient interface {
 	GetSecrets(filter []string) ([]*ksm.Record, error)
 	GetSecretByTitle(recordTitle string) (*ksm.Record, error)
@@ -74,22 +81,26 @@ type SecurityClient interface {
 	Save(record *ksm.Record) error
 }
 
+// Field represents a KeeperSecurity field with its type and value.
 type Field struct {
 	Type  string `json:"type"`
 	Value []any  `json:"value"`
 }
 
+// CustomField represents a custom field in KeeperSecurity with its type, label and value.
 type CustomField struct {
 	Type  string `json:"type"`
 	Label string `json:"label"`
 	Value []any  `json:"value"`
 }
 
+// File represents a file stored in KeeperSecurity with its title and content.
 type File struct {
 	Title   string `json:"type"`
 	Content string `json:"content"`
 }
 
+// Secret represents a KeeperSecurity secret with its metadata and content.
 type Secret struct {
 	Title  string        `json:"title"`
 	Type   string        `json:"type"`
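Review bot: The new doc comment describes `File` as having a "title and content", but the `Title` field is tagged `json:"type"`, so it serializes under the key `type`. This predates the commit and may be a copy-paste slip from `Field`; it is worth confirming against the shape consumers expect. If it is intentional, say so on the field, e.g. `// Title is serialized as "type" for compatibility with existing consumers.`; otherwise the tag should be `json:"title"`. Changing the tag alters the JSON emitted for secrets with files, so it belongs in a separate change.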
@@ -98,10 +109,12 @@ type Secret struct {
 	Files  []File        `json:"files"`
 }
 
+// Validate performs validation of the Keeper Security client configuration.
 func (c *Client) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// GetSecret retrieves a secret from Keeper Security by its ID.
 func (c *Client) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	record, err := c.findSecretByID(ref.Key)
 	if err != nil {
@@ -111,10 +124,13 @@ func (c *Client) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteR
 	if err != nil {
 		return nil, err
 	}
+	// GetSecret retrieves a secret from Keeper Security by its ID.
+	// If ref.Property is specified, it returns only that property's value.
 
 	return secret.getItem(ref)
 }
 
+// GetSecretMap retrieves a secret from Keeper Security and returns it as a map.
 func (c *Client) GetSecretMap(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	record, err := c.findSecretByID(ref.Key)
 	if err != nil {
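Review bot: Several doc comments in this file were added inside function bodies instead of above the declarations, so godoc never sees them and some are attached to the wrong function. Here `// GetSecret retrieves ...` sits inside `GetSecret` just before `return secret.getItem(ref)`. Later hunks repeat the pattern inside `GetSecretMap`, between `c.findSecrets()` and its error check in `GetAllSecrets`, inside `PushSecret` (a `// Close implements ...` comment, plus one after `return err`), inside `DeleteSecret`, and inside `buildSecretNameAndKey` (a `// SecretExists ...` comment). I would delete the in-body copies and move any extra sentence into the real doc comment, e.g. `// If ref.Property is specified, it returns only that property's value.` directly under the existing `// GetSecret retrieves a secret from Keeper Security by its ID.`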
@@ -124,10 +140,13 @@ func (c *Client) GetSecretMap(_ context.Context, ref esv1.ExternalSecretDataRemo
 	if err != nil {
 		return nil, err
 	}
+	// GetSecretMap retrieves a secret from Keeper Security and returns it as a map.
+	// If ref.Property is specified, it returns only that property as a map entry.
 
 	return secret.getItems(ref)
 }
 
+// GetAllSecrets retrieves all secrets from Keeper Security that match the given criteria.
 func (c *Client) GetAllSecrets(_ context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
 	if ref.Tags != nil {
 		return nil, errors.New(errTagsNotImplemented)
@@ -137,6 +156,8 @@ func (c *Client) GetAllSecrets(_ context.Context, ref esv1.ExternalSecretFind) (
 	}
 	secretData := make(map[string][]byte)
 	records, err := c.findSecrets()
+	// GetAllSecrets retrieves all secrets from Keeper Security that match the given criteria.
+	// Currently supports filtering by name pattern only.
 	if err != nil {
 		return nil, err
 	}
@@ -161,19 +182,24 @@ func (c *Client) GetAllSecrets(_ context.Context, ref esv1.ExternalSecretFind) (
 	return secretData, nil
 }
 
+// Close implements cleanup operations for the Keeper Security client.
 func (c *Client) Close(_ context.Context) error {
 	return nil
 }
 
+// PushSecret creates or updates a secret in Keeper Security.
 func (c *Client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1.PushSecretData) error {
 	if data.GetSecretKey() == "" {
 		return errors.New("pushing the whole secret is not yet implemented")
 	}
 
+	// Close implements cleanup operations for the Keeper Security client
 	value := secret.Data[data.GetSecretKey()]
 	parts, err := c.buildSecretNameAndKey(data)
 	if err != nil {
 		return err
+		// PushSecret creates or updates a secret in Keeper Security.
+		// Currently only supports pushing individual secret values, not entire secrets.
 	}
 
 	record, err := c.findSecretByName(parts[0])
@@ -182,17 +208,17 @@ func (c *Client) PushSecret(_ context.Context, secret *corev1.Secret, data esv1.
 	}
 
 	if record != nil {
-		if record.Type() == externalSecretType {
-			return c.updateSecret(record, parts[1], value)
-		} else {
+		if record.Type() != externalSecretType {
 			return fmt.Errorf(errInvalidSecretType, externalSecretType, record.Title(), record.Type())
 		}
-	} else {
-		_, err = c.createSecret(parts[0], parts[1], value)
-		return err
+		return c.updateSecret(record, parts[1], value)
 	}
+
+	_, err = c.createSecret(parts[0], parts[1], value)
+	return err
 }
 
+// DeleteSecret removes a secret from Keeper Security.
 func (c *Client) DeleteSecret(_ context.Context, remoteRef esv1.PushSecretRemoteRef) error {
 	parts, err := c.buildSecretNameAndKey(remoteRef)
 	if err != nil {
@@ -202,6 +228,8 @@ func (c *Client) DeleteSecret(_ context.Context, remoteRef esv1.PushSecretRemote
 	if err != nil {
 		return err
 	} else if secret == nil {
+		// DeleteSecret removes a secret from Keeper Security.
+		// Returns nil if the secret doesn't exist (already deleted).
 		return nil // not found == already deleted (success)
 	}
 
@@ -212,6 +240,7 @@ func (c *Client) DeleteSecret(_ context.Context, remoteRef esv1.PushSecretRemote
 	return err
 }
 
+// SecretExists checks if a secret exists in Keeper Security.
 func (c *Client) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New("not implemented")
 }
@@ -221,6 +250,8 @@ func (c *Client) buildSecretNameAndKey(remoteRef esv1.PushSecretRemoteRef) ([]st
 	if len(parts) != 2 {
 		return nil, fmt.Errorf(errInvalidRemoteRefKey, remoteRef.GetRemoteKey())
 	}
+	// SecretExists checks if a secret exists in Keeper Security.
+	// This method is not implemented yet.
 
 	return parts, nil
 }
@@ -426,16 +457,16 @@ func (s *Secret) getItems(ref esv1.ExternalSecretDataRemoteRef) (map[string][]by
 func getFieldValue(value []any) []byte {
 	if len(value) < 1 {
 		return []byte{}
-	} else if len(value) == 1 {
+	}
+	if len(value) == 1 {
 		res, _ := json.Marshal(value[0])
 		if str, ok := value[0].(string); ok {
 			res = []byte(str)
 		}
 		return res
-	} else {
-		res, _ := json.Marshal(value)
-		return res
 	}
+	res, _ := json.Marshal(value)
+	return res
 }
 
 func (s *Secret) getField(key string) ([]byte, error) {
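Review bot: `getFieldValue` still discards the error from both `json.Marshal` calls after the `else` clean-up, so a value that cannot be marshalled becomes an empty secret with no error surfaced. The signature returns only `[]byte`, so propagating the error needs a wider change. At minimum each `_` deserves a comment explaining why it is safe to ignore. In the single-value branch the string case can be handled first, which also avoids marshalling and then overwriting the result: `if str, ok := value[0].(string); ok { return []byte(str) }` followed by the `json.Marshal(value[0])` fallback.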

+ 5 - 2
pkg/provider/keepersecurity/provider.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package keepersecurity implements a provider for Keeper Security secrets management service
 package keepersecurity
 
 import (
@@ -40,7 +41,7 @@ const (
 	errKeeperSecurityStoreMissingFolderID          = "missing: spec.provider.keepersecurity.folderID"
 )
 
-// Provider implements the necessary NewClient() and ValidateStore() funcs.
+// Provider implements the necessary NewClient() and ValidateStore() funcs for Keeper Security.
 type Provider struct{}
 
 // https://github.com/external-secrets/external-secrets/issues/644
@@ -53,11 +54,12 @@ func init() {
 	}, esv1.MaintenanceStatusMaintained)
 }
 
+// Capabilities returns the provider's supported capabilities (ReadWrite).
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadWrite
 }
 
-// NewClient constructs a GCP Provider.
+// NewClient constructs a new Keeper Security client with the provided store configuration.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.KeeperSecurity == nil {
@@ -83,6 +85,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return client, nil
 }
 
+// ValidateStore validates the Keeper Security SecretStore configuration.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	if store == nil {
 		return nil, fmt.Errorf(errKeeperSecurityStore, store)

+ 2 - 0
pkg/provider/kubernetes/auth.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package kubernetes implements a provider for Kubernetes secrets, allowing
+// External Secrets to read from and write to Kubernetes Secrets
 package kubernetes
 
 import (
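Review bot: The package comment added here is repeated in metadata.go and provider.go in later hunks, and this copy lacks the final period the other two have. Go tooling concatenates every package comment it finds, so the package documentation will show the sentence three times. Convention is one package comment per package, usually in `doc.go` or the main file. I would keep the one in provider.go and drop the additions in auth.go and metadata.go.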

+ 10 - 0
pkg/provider/kubernetes/client.go

@@ -44,6 +44,7 @@ const (
 	metaAnnotations = "annotations"
 )
 
+// GetSecret retrieves a secret from the Kubernetes API server by its key.
 func (c *Client) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	secret, err := c.userSecretClient.Get(ctx, ref.Key, metav1.GetOptions{})
 	if err != nil {
@@ -78,6 +79,8 @@ func (c *Client) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemot
 	return getSecret(secret, ref)
 }
 
+// DeleteSecret removes a secret value from Kubernetes.
+// It requires a property to be specified in the RemoteRef.
 func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
 	if remoteRef.GetProperty() == "" {
 		return errors.New("requires property in RemoteRef to delete secret value")
@@ -103,10 +106,13 @@ func (c *Client) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemo
 	return c.fullDelete(ctx, remoteRef.GetRemoteKey())
 }
 
+// SecretExists checks if a secret exists in Kubernetes.
+// This method is not implemented and always returns an error.
 func (c *Client) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New("not implemented")
 }
 
+// PushSecret creates or updates a secret in Kubernetes.
 func (c *Client) PushSecret(ctx context.Context, secret *v1.Secret, data esv1.PushSecretData) error {
 	if data.GetProperty() == "" && data.GetSecretKey() != "" {
 		return errors.New("requires property in RemoteRef to push secret value if secret key is defined")
@@ -232,6 +238,8 @@ func (c *Client) marshalData(secret *v1.Secret) ([]byte, error) {
 	return value, nil
 }
 
+// GetSecretMap retrieves a secret from Kubernetes and returns it as a map.
+// The secret data is converted to a map of key/value pairs.
 func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	secret, err := c.userSecretClient.Get(ctx, ref.Key, metav1.GetOptions{})
 	metrics.ObserveAPICall(constants.ProviderKubernetes, constants.CallKubernetesGetSecret, err)
@@ -331,6 +339,7 @@ func getSecretMetadata(secret *v1.Secret) (map[string][]byte, error) {
 	return tmpMap, nil
 }
 
+// GetAllSecrets retrieves multiple secrets from Kubernetes based on the search criteria.
 func (c *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
 	if ref.Tags != nil {
 		return c.findByTags(ctx, ref)
@@ -387,6 +396,7 @@ func (c *Client) findByName(ctx context.Context, ref esv1.ExternalSecretFind) (m
 	return utils.ConvertKeys(ref.ConversionStrategy, data)
 }
 
+// Close implements cleanup operations for the Kubernetes client.
 func (c *Client) Close(_ context.Context) error {
 	return nil
 }

+ 5 - 0
pkg/provider/kubernetes/metadata.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package kubernetes implements a provider for Kubernetes secrets, allowing
+// External Secrets to read from and write to Kubernetes Secrets.
 package kubernetes
 
 import (
@@ -24,6 +26,7 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils/metadata"
 )
 
+// PushSecretMetadataSpec defines the metadata configuration for pushing secrets.
 type PushSecretMetadataSpec struct {
 	TargetMergePolicy targetMergePolicy `json:"targetMergePolicy,omitempty"`
 	SourceMergePolicy sourceMergePolicy `json:"sourceMergePolicy,omitempty"`
@@ -35,6 +38,7 @@ type PushSecretMetadataSpec struct {
 
 type targetMergePolicy string
 
+// Target merge policy constants.
 const (
 	targetMergePolicyMerge   targetMergePolicy = "Merge"
 	targetMergePolicyReplace targetMergePolicy = "Replace"
@@ -43,6 +47,7 @@ const (
 
 type sourceMergePolicy string
 
+// Source merge policy constants.
 const (
 	sourceMergePolicyMerge   sourceMergePolicy = "Merge"
 	sourceMergePolicyReplace sourceMergePolicy = "Replace"

+ 8 - 2
pkg/provider/kubernetes/provider.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package kubernetes implements a provider for Kubernetes secrets, allowing
+// External Secrets to read from and write to Kubernetes Secrets.
 package kubernetes
 
 import (
@@ -36,6 +38,7 @@ import (
 var _ esv1.SecretsClient = &Client{}
 var _ esv1.Provider = &Provider{}
 
+// KClient defines the interface for interacting with Kubernetes Secrets.
 type KClient interface {
 	Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Secret, error)
 	List(ctx context.Context, opts metav1.ListOptions) (*v1.SecretList, error)
@@ -44,16 +47,17 @@ type KClient interface {
 	Update(ctx context.Context, secret *v1.Secret, opts metav1.UpdateOptions) (*v1.Secret, error)
 }
 
+// RClient defines the interface for performing self subject rules reviews.
 type RClient interface {
 	Create(ctx context.Context, selfSubjectRulesReview *authv1.SelfSubjectRulesReview, opts metav1.CreateOptions) (*authv1.SelfSubjectRulesReview, error)
 }
 
+// AClient defines the interface for performing self subject access reviews.
 type AClient interface {
 	Create(ctx context.Context, selfSubjectAccessReview *authv1.SelfSubjectAccessReview, opts metav1.CreateOptions) (*authv1.SelfSubjectAccessReview, error)
 }
 
-// Provider implements Secret Provider interface
-// for Kubernetes.
+// Provider implements the SecretStore Provider interface for Kubernetes.
 type Provider struct{}
 
 // Client implements Secret Client interface
@@ -91,6 +95,7 @@ func init() {
 	}, esv1.MaintenanceStatusMaintained)
 }
 
+// Capabilities returns the provider's supported capabilities (ReadWrite).
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadWrite
 }
@@ -169,6 +174,7 @@ func isReferentSpec(prov *esv1.KubernetesProvider) bool {
 	return false
 }
 
+// Close cleans up any resources used by the Kubernetes provider.
 func (p *Provider) Close(_ context.Context) error {
 	return nil
 }

+ 2 - 0
pkg/provider/kubernetes/validate.go

@@ -32,6 +32,7 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
+// ValidateStore validates the Kubernetes SecretStore configuration.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	k8sSpec := storeSpec.Provider.Kubernetes
@@ -78,6 +79,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	return nil, nil
 }
 
+// Validate checks if the client has the necessary permissions to access secrets in the target namespace.
 func (c *Client) Validate() (esv1.ValidationResult, error) {
 	// when using referent namespace we can not validate the token
 	// because the namespace is not known yet when Validate() is called

+ 17 - 7
pkg/provider/onboardbase/client.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package onboardbase implements a client for interacting with Onboardbase secrets management service.
 package onboardbase
 
 import (
@@ -32,7 +33,7 @@ import (
 
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/pkg/find"
-	onboardbaseClient "github.com/external-secrets/external-secrets/pkg/provider/onboardbase/client"
+	obclient "github.com/external-secrets/external-secrets/pkg/provider/onboardbase/client"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
 
@@ -48,6 +49,7 @@ const (
 	errSecretKeyFmt                                         = "cannot find property %s in secret data for key: %q"
 )
 
+// Client implements the Onboardbase secrets client.
 type Client struct {
 	onboardbase         SecretsClientInterface
 	onboardbaseAPIKey   string
@@ -65,9 +67,9 @@ type Client struct {
 type SecretsClientInterface interface {
 	BaseURL() *url.URL
 	Authenticate() error
-	GetSecret(request onboardbaseClient.SecretRequest) (*onboardbaseClient.SecretResponse, error)
-	DeleteSecret(request onboardbaseClient.SecretRequest) error
-	GetSecrets(request onboardbaseClient.SecretsRequest) (*onboardbaseClient.SecretsResponse, error)
+	GetSecret(request obclient.SecretRequest) (*obclient.SecretResponse, error)
+	DeleteSecret(request obclient.SecretRequest) error
+	GetSecrets(request obclient.SecretsRequest) (*obclient.SecretsResponse, error)
 }
 
 func (c *Client) setAuth(ctx context.Context) error {
@@ -109,6 +111,7 @@ func (c *Client) setAuth(ctx context.Context) error {
 	return nil
 }
 
+// Validate performs validation of the Onboardbase client configuration.
 func (c *Client) Validate() (esv1.ValidationResult, error) {
 	timeout := 15 * time.Second
 	clientURL := c.onboardbase.BaseURL().String()
@@ -124,23 +127,27 @@ func (c *Client) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// DeleteSecret removes a secret from Onboardbase.
 func (c *Client) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
 	// not implemented
 	return nil
 }
 
+// SecretExists checks if a secret exists in Onboardbase.
 func (c *Client) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	// not implemented
 	return false, nil
 }
 
+// PushSecret creates or updates a secret in Onboardbase.
 func (c *Client) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
 	// not implemented
 	return nil
 }
 
+// GetSecret retrieves a secret from Onboardbase by its reference.
 func (c *Client) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
-	request := onboardbaseClient.SecretRequest{
+	request := obclient.SecretRequest{
 		Project:     c.project,
 		Environment: c.environment,
 		Name:        ref.Key,
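Review bot: The added doc comments say `DeleteSecret` "removes a secret", `SecretExists` "checks if a secret exists" and `PushSecret` "creates or updates a secret", but each body is a `// not implemented` stub that returns `nil` or `false, nil`. Returning success means a caller that pushes or deletes through this client is told the operation worked when nothing was written or removed. The other providers on this page return an error from their unimplemented methods. I would do the same here, e.g. `return errors.New("not implemented")` and `return false, errors.New("not implemented")` (the file already uses `errors`), and reword the comments to `// PushSecret is not implemented for Onboardbase and always returns an error.` Whether any caller depends on the silent success cannot be seen from this hunk.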
@@ -164,6 +171,7 @@ func (c *Client) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteR
 	return []byte(value), nil
 }
 
+// GetSecretMap retrieves a secret from Onboardbase and returns it as a map.
 func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	data, err := c.GetSecret(ctx, ref)
 	if err != nil {
@@ -189,6 +197,7 @@ func (c *Client) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRe
 	return secretData, nil
 }
 
+// GetAllSecrets retrieves all secrets from Onboardbase that match the given criteria.
 func (c *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
 	if len(ref.Tags) > 0 {
 		return nil, errors.New("find by tags not supported")
@@ -224,12 +233,13 @@ func (c *Client) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind)
 	return selected, nil
 }
 
+// Close implements cleanup operations for the Onboardbase client.
 func (c *Client) Close(_ context.Context) error {
 	return nil
 }
 
 func (c *Client) getSecrets(_ context.Context) (map[string][]byte, error) {
-	request := onboardbaseClient.SecretsRequest{
+	request := obclient.SecretsRequest{
 		Project:     c.project,
 		Environment: c.environment,
 	}
@@ -242,7 +252,7 @@ func (c *Client) getSecrets(_ context.Context) (map[string][]byte, error) {
 	return externalSecretsFormat(response.Secrets), nil
 }
 
-func externalSecretsFormat(secrets onboardbaseClient.Secrets) map[string][]byte {
+func externalSecretsFormat(secrets obclient.Secrets) map[string][]byte {
 	converted := make(map[string][]byte, len(secrets))
 	for key, value := range secrets {
 		converted[key] = []byte(value)

+ 29 - 3
pkg/provider/onboardbase/client/client.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package client implements an HTTP client for interacting with the Onboardbase API,
+// providing functionality to securely retrieve and manage secrets.
 package client
 
 import (
@@ -31,11 +33,17 @@ import (
 	aesdecrypt "github.com/Onboardbase/go-cryptojs-aes-decrypt/decrypt"
 )
 
-const HTTPTimeoutDuration = 20 * time.Second
-const ObbSecretsEndpointPath = "/secrets"
+const (
+	// HTTPTimeoutDuration defines the default timeout for HTTP requests.
+	HTTPTimeoutDuration = 20 * time.Second
 
-const errUnableToDecrtypt = "unable to decrypt secret payload"
+	// ObbSecretsEndpointPath defines the endpoint path for secrets API.
+	ObbSecretsEndpointPath = "/secrets"
 
+	errUnableToDecrtypt = "unable to decrypt secret payload"
+)
+
+// OnboardbaseClient defines the interface for interacting with Onboardbase API.
 type OnboardbaseClient struct {
 	baseURL             *url.URL
 	OnboardbaseAPIKey   string
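Review bot: The new comment says `OnboardbaseClient` "defines the interface for interacting with Onboardbase API", but the declaration is a struct; its visible fields are the base URL and the API key, and the rest lies outside the hunk. Something like `// OnboardbaseClient is an HTTP client for the Onboardbase API and holds the credentials used to authenticate.` would be accurate. While the constants are being regrouped, `errUnableToDecrtypt` keeps its misspelling; renaming it to `errUnableToDecrypt` is safe only if every use in the file is updated, and those uses are not visible here.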
@@ -48,21 +56,27 @@ type OnboardbaseClient struct {
 type queryParams map[string]string
 
 type headers map[string]string
+
+// DeleteSecretsRequest represents a request to delete secrets from Onboardbase.
 type DeleteSecretsRequest struct {
 	SecretID string `json:"secretId,omitempty"`
 }
 
 type httpRequestBody []byte
 
+// Secrets represents a map of secret key-value pairs.
 type Secrets map[string]string
 
+// RawSecret represents a raw secret from Onboardbase.
 type RawSecret struct {
 	Key   string `json:"key,omitempty"`
 	Value string `json:"value,omitempty"`
 }
 
+// RawSecrets represents a collection of raw secrets.
 type RawSecrets []RawSecret
 
+// APIError represents an error response from the Onboardbase API.
 type APIError struct {
 	Err     error
 	Message string
@@ -79,12 +93,14 @@ type apiErrorResponse struct {
 	Success  bool
 }
 
+// SecretRequest represents a request for a single secret.
 type SecretRequest struct {
 	Environment string
 	Project     string
 	Name        string
 }
 
+// SecretsRequest represents a request for multiple secrets.
 type SecretsRequest struct {
 	Environment string
 	Project     string
@@ -116,16 +132,20 @@ type secretResponseBody struct {
 	Status  string                 `json:"status,omitempty"`
 }
 
+// SecretResponse represents a single secret response from Onboardbase.
 type SecretResponse struct {
 	Name  string
 	Value string
 }
 
+// SecretsResponse represents a collection of secrets from Onboardbase.
 type SecretsResponse struct {
 	Secrets Secrets
 	Body    []byte
 }
 
+// NewOnboardbaseClient creates a new client for interacting with Onboardbase API.
+// It requires an API key and passcode for authentication.
 func NewOnboardbaseClient(onboardbaseAPIKey, onboardbasePasscode string) (*OnboardbaseClient, error) {
 	tlsConfig := &tls.Config{
 		MinVersion: tls.VersionTLS12,
@@ -152,11 +172,13 @@ func NewOnboardbaseClient(onboardbaseAPIKey, onboardbasePasscode string) (*Onboa
 	return client, nil
 }
 
+// BaseURL returns the base URL of the Onboardbase API.
 func (c *OnboardbaseClient) BaseURL() *url.URL {
 	u := *c.baseURL
 	return &u
 }
 
+// SetBaseURL updates the base URL for the Onboardbase API client.
 func (c *OnboardbaseClient) SetBaseURL(urlStr string) error {
 	baseURL, err := url.Parse(strings.TrimSuffix(urlStr, "/"))
 
@@ -167,6 +189,7 @@ func (c *OnboardbaseClient) SetBaseURL(urlStr string) error {
 	return nil
 }
 
+// Authenticate verifies the API credentials with Onboardbase.
 func (c *OnboardbaseClient) Authenticate() error {
 	_, err := c.performRequest(
 		&performRequestConfig{
@@ -214,6 +237,7 @@ func (c *OnboardbaseClient) mapSecretsByPlainKey(data secretResponseBodyData) (m
 	return kv, nil
 }
 
+// GetSecret retrieves a specific secret from Onboardbase.
 func (c *OnboardbaseClient) GetSecret(request SecretRequest) (*SecretResponse, error) {
 	response, err := c.performRequest(
 		&performRequestConfig{
@@ -242,6 +266,7 @@ func (c *OnboardbaseClient) GetSecret(request SecretRequest) (*SecretResponse, e
 	return &SecretResponse{Name: request.Name, Value: secrets[request.Name]}, nil
 }
 
+// DeleteSecret removes a secret from Onboardbase.
 func (c *OnboardbaseClient) DeleteSecret(request SecretRequest) error {
 	secretsrequest := SecretsRequest{
 		Project:     request.Project,
@@ -302,6 +327,7 @@ func (c *OnboardbaseClient) makeGetSecretsRequest(request SecretsRequest) (*secr
 	return data, response, nil
 }
 
+// GetSecrets retrieves multiple secrets from Onboardbase.
 func (c *OnboardbaseClient) GetSecrets(request SecretsRequest) (*SecretsResponse, error) {
 	data, response, err := c.makeGetSecretsRequest(request)
 	if err != nil {

+ 3 - 0
pkg/provider/onboardbase/provider.go

@@ -48,10 +48,12 @@ func init() {
 	}, esv1.MaintenanceStatusMaintained)
 }
 
+// Capabilities returns the provider's supported capabilities.
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
+// NewClient creates a new Onboardbase client with the provided store configuration.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 
@@ -84,6 +86,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return client, nil
 }
 
+// ValidateStore validates the Onboardbase SecretStore configuration.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	onboardbaseStoreSpec := storeSpec.Provider.Onboardbase

+ 5 - 0
pkg/provider/onepassword/onepassword.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package onepassword implements a 1Password provider for External Secrets.
 package onepassword
 
 import (
@@ -95,6 +96,7 @@ type ProviderOnePassword struct {
 	mu     sync.Mutex
 }
 
+// PushSecretMetadataSpec defines metadata for pushing secrets to 1Password.
 type PushSecretMetadataSpec struct {
 	Tags  []string `json:"tags,omitempty"`
 	Vault string   `json:"vault,omitempty"`
@@ -202,6 +204,7 @@ func deleteField(fields []*onepassword.ItemField, label string) ([]*onepassword.
 	return fieldsF, nil
 }
 
+// DeleteSecret removes a secret from 1Password.
 func (provider *ProviderOnePassword) DeleteSecret(_ context.Context, ref esv1.PushSecretRemoteRef) error {
 	provider.mu.Lock()
 	defer provider.mu.Unlock()
@@ -229,6 +232,7 @@ func (provider *ProviderOnePassword) DeleteSecret(_ context.Context, ref esv1.Pu
 	return nil
 }
 
+// SecretExists checks if a secret exists in 1Password.
 func (provider *ProviderOnePassword) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New("not implemented")
 }
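Review bot: The added comment `// SecretExists checks if a secret exists in 1Password.` describes behaviour the method does not have, because the body returns `false` with a "not implemented" error on every call. A reader who trusts the comment may read `false` as "secret absent" rather than "check unavailable". I would write `// SecretExists is not implemented for 1Password; it always returns an error.` The same wording problem appears on SecretExists in onepasswordsdk/client.go (where it replaces the accurate "Not Implemented" comment), oracle.go and passbolt.go.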
@@ -333,6 +337,7 @@ func generateNewItemField(label, newVal string) *onepassword.ItemField {
 	return field
 }
 
+// PushSecret creates or updates a secret in 1Password.
 func (provider *ProviderOnePassword) PushSecret(ctx context.Context, secret *corev1.Secret, ref esv1.PushSecretData) error {
 	provider.mu.Lock()
 	defer provider.mu.Unlock()

+ 10 - 6
pkg/provider/onepasswordsdk/client.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package onepasswordsdk implements a provider for 1Password secrets management service.
 package onepasswordsdk
 
 import (
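Review bot: Package `onepasswordsdk` gets a package comment here and a second, differently worded one in provider.go later in this commit. Go's documentation tooling concatenates every package comment it finds across a package's files, so the rendered package doc will contain both. Keep a single comment (in provider.go or a doc.go) and drop the other.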
@@ -40,11 +41,12 @@ const (
 // ErrKeyNotFound is returned when a key is not found in the 1Password Vaults.
 var ErrKeyNotFound = errors.New("key not found")
 
+// PushSecretMetadataSpec defines the metadata configuration for pushing secrets to 1Password.
 type PushSecretMetadataSpec struct {
 	Tags []string `json:"tags,omitempty"`
 }
 
-// GetSecret returns a single secret from the provider.
+// GetSecret returns a single secret from 1Password provider.
 // Follows syntax is used for the ref key: https://developer.1password.com/docs/cli/secret-reference-syntax/
 func (p *Provider) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if ref.Version != "" {
@@ -280,6 +282,7 @@ func generateNewItemField(title, newVal string) onepassword.ItemField {
 	return field
 }
 
+// PushSecret creates or updates a secret in 1Password.
 func (p *Provider) PushSecret(ctx context.Context, secret *corev1.Secret, ref esv1.PushSecretData) error {
 	val, ok := secret.Data[ref.GetSecretKey()]
 	if !ok {
@@ -326,21 +329,22 @@ func (p *Provider) PushSecret(ctx context.Context, secret *corev1.Secret, ref es
 	return nil
 }
 
-func (p *Provider) GetVault(ctx context.Context, titleOrUuid string) (string, error) {
+// GetVault retrieves a vault by its title or UUID from 1Password.
+func (p *Provider) GetVault(ctx context.Context, titleOrUUID string) (string, error) {
 	vaults, err := p.client.VaultsAPI.List(ctx)
 	if err != nil {
 		return "", fmt.Errorf("failed to list vaults: %w", err)
 	}
 
 	for _, v := range vaults {
-		if v.Title == titleOrUuid || v.ID == titleOrUuid {
+		if v.Title == titleOrUUID || v.ID == titleOrUUID {
 			// cache the ID so we don't have to repeat this lookup.
 			p.vaultID = v.ID
 			return v.ID, nil
 		}
 	}
 
-	return "", fmt.Errorf("vault %s not found", titleOrUuid)
+	return "", fmt.Errorf("vault %s not found", titleOrUUID)
 }
 
 func (p *Provider) findItem(ctx context.Context, name string) (onepassword.Item, error) {
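Review bot: The new comment on `GetVault` omits both the return value and the side effect: the method returns the vault ID and assigns it to `p.vaultID`. I would write `// GetVault returns the ID of the first vault whose title or ID equals titleOrUUID and stores it in p.vaultID.` The Provider struct shown in provider.go has no lock, so if a Provider is shared between concurrent callers this write is unsynchronised; that depends on code outside this diff and should be confirmed. Formatting the lookup value with `%q` instead of `%s` in the "vault %s not found" error would also make empty or whitespace-padded names visible in logs.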
@@ -371,8 +375,8 @@ func (p *Provider) findItem(ctx context.Context, name string) (onepassword.Item,
 	return p.client.Items().Get(ctx, p.vaultID, itemUUID)
 }
 
-// SecretExists Not Implemented.
-func (p *Provider) SecretExists(ctx context.Context, ref esv1.PushSecretRemoteRef) (bool, error) {
+// SecretExists checks if a secret exists in 1Password.
+func (p *Provider) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, fmt.Errorf("not implemented")
 }
 

+ 6 - 0
pkg/provider/onepasswordsdk/provider.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package onepasswordsdk implements a provider for 1Password using the official SDK.
+// It allows fetching and managing secrets stored in 1Password using their official Go SDK.
 package onepasswordsdk
 
 import (
@@ -42,12 +44,14 @@ const (
 	errNotImplemented                                   = "not implemented"
 )
 
+// Provider implements the External Secrets provider interface for 1Password SDK.
 type Provider struct {
 	client      *onepassword.Client
 	vaultPrefix string
 	vaultID     string
 }
 
+// NewClient constructs a new secrets client based on the provided store.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
 	config := store.GetSpec().Provider.OnePasswordSDK
 	serviceAccountToken, err := resolvers.SecretKeyRef(
@@ -89,6 +93,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return p, nil
 }
 
+// ValidateStore validates the 1Password SDK SecretStore resource configuration.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil {
@@ -121,6 +126,7 @@ func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, e
 	return nil, nil
 }
 
+// Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadWrite
 }

+ 18 - 0
pkg/provider/oracle/oracle.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package oracle implements a provider for Oracle Cloud Infrastructure Vault.
+// It allows fetching and managing secrets stored in OCI Vault using the OCI SDK.
 package oracle
 
 import (
@@ -67,6 +69,7 @@ const (
 var _ esv1.SecretsClient = &VaultManagementService{}
 var _ esv1.Provider = &VaultManagementService{}
 
+// VaultManagementService implements the External Secrets provider interface for Oracle Cloud Infrastructure Vault.
 type VaultManagementService struct {
 	Client                VMInterface
 	KmsVaultClient        KmsVCInterface
@@ -77,14 +80,17 @@ type VaultManagementService struct {
 	workloadIdentityMutex sync.Mutex
 }
 
+// VMInterface defines the interface for OCI Secrets Management Client operations.
 type VMInterface interface {
 	GetSecretBundleByName(ctx context.Context, request secrets.GetSecretBundleByNameRequest) (secrets.GetSecretBundleByNameResponse, error)
 }
 
+// KmsVCInterface defines the interface for OCI Key Management Service Vault Client operations.
 type KmsVCInterface interface {
 	GetVault(ctx context.Context, request keymanagement.GetVaultRequest) (response keymanagement.GetVaultResponse, err error)
 }
 
+// VaultInterface defines the interface for OCI Vault operations.
 type VaultInterface interface {
 	ListSecrets(ctx context.Context, request vault.ListSecretsRequest) (response vault.ListSecretsResponse, err error)
 	CreateSecret(ctx context.Context, request vault.CreateSecretRequest) (response vault.CreateSecretResponse, err error)
@@ -93,11 +99,15 @@ type VaultInterface interface {
 }
 
 const (
+	// SecretNotFound indicates that the requested secret was not found in the vault.
 	SecretNotFound = iota
+	// SecretExists indicates that the secret exists in the vault.
 	SecretExists
+	// SecretAPIError indicates that an API error occurred while accessing the secret.
 	SecretAPIError
 )
 
+// PushSecret creates or updates a secret in the Oracle Cloud Infrastructure Vault.
 func (vms *VaultManagementService) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1.PushSecretData) error {
 	if vms.encryptionKey == "" {
 		return errors.New("SecretStore must reference encryption key")
@@ -154,6 +164,7 @@ func (vms *VaultManagementService) PushSecret(ctx context.Context, secret *corev
 	}
 }
 
+// DeleteSecret removes a secret from the Oracle Cloud Infrastructure Vault.
 func (vms *VaultManagementService) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
 	secretName := remoteRef.GetRemoteKey()
 	resp, action, err := vms.getSecretBundleWithCode(ctx, secretName)
@@ -173,10 +184,12 @@ func (vms *VaultManagementService) DeleteSecret(ctx context.Context, remoteRef e
 	}
 }
 
+// SecretExists checks if a secret exists in the Oracle Cloud Infrastructure Vault.
 func (vms *VaultManagementService) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New("not implemented")
 }
 
+// GetAllSecrets retrieves all secrets from the Oracle Cloud Infrastructure Vault that match the given criteria.
 func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
 	var page *string
 	var summaries []vault.SecretSummary
@@ -199,6 +212,7 @@ func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1.E
 	return vms.filteredSummaryResult(ctx, summaries, ref)
 }
 
+// GetSecret retrieves a specific secret from the Oracle Cloud Infrastructure Vault.
 func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(vms.Client) {
 		return nil, errors.New(errUninitalizedOracleProvider)
@@ -241,6 +255,7 @@ func decodeBundle(sec secrets.GetSecretBundleByNameResponse) ([]byte, error) {
 	return payload, nil
 }
 
+// GetSecretMap retrieves a secret and returns it as a map of key/value pairs.
 func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	data, err := vms.GetSecret(ctx, ref)
 	if err != nil {
@@ -449,10 +464,12 @@ func getUserAuthConfigurationProvider(ctx context.Context, kube kclient.Client,
 	return common.NewRawConfigurationProvider(store.Auth.Tenancy, store.Auth.User, region, fingerprint, privateKey, nil), nil
 }
 
+// Close releases any resources used by the VaultManagementService.
 func (vms *VaultManagementService) Close(_ context.Context) error {
 	return nil
 }
 
+// Validate performs validation of the Oracle Cloud Infrastructure provider configuration.
 func (vms *VaultManagementService) Validate() (esv1.ValidationResult, error) {
 	_, err := vms.KmsVaultClient.GetVault(
 		context.Background(), keymanagement.GetVaultRequest{
@@ -488,6 +505,7 @@ func (vms *VaultManagementService) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// ValidateStore validates the Oracle Cloud Infrastructure SecretStore resource configuration.
 func (vms *VaultManagementService) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	oracleSpec := storeSpec.Provider.Oracle

+ 17 - 0
pkg/provider/passbolt/passbolt.go

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package passbolt implements a provider for Passbolt password manager.
+// It allows fetching secrets stored in Passbolt using their REST API.
 package passbolt
 
 import (
@@ -46,14 +48,17 @@ const (
 	errNotImplemented                              = "not implemented"
 )
 
+// ProviderPassbolt implements the External Secrets provider interface for Passbolt.
 type ProviderPassbolt struct {
 	client Client
 }
 
+// Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
 func (provider *ProviderPassbolt) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
+// Client defines the interface for interacting with the Passbolt API.
 type Client interface {
 	CheckSession(ctx context.Context) bool
 	Login(ctx context.Context) error
@@ -65,6 +70,7 @@ type Client interface {
 	GetSecret(ctx context.Context, resourceID string) (*api.Secret, error)
 }
 
+// NewClient constructs a new secrets client based on the provided store.
 func (provider *ProviderPassbolt) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	config := store.GetSpec().Provider.Passbolt
 
@@ -99,10 +105,12 @@ func (provider *ProviderPassbolt) NewClient(ctx context.Context, store esv1.Gene
 	return provider, nil
 }
 
+// SecretExists checks if a secret exists in Passbolt.
 func (provider *ProviderPassbolt) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New(errNotImplemented)
 }
 
+// GetSecret retrieves a secret from Passbolt.
 func (provider *ProviderPassbolt) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if err := assureLoggedIn(ctx, provider.client); err != nil {
 		return nil, err
@@ -120,22 +128,27 @@ func (provider *ProviderPassbolt) GetSecret(ctx context.Context, ref esv1.Extern
 	return secret.GetProp(ref.Property)
 }
 
+// PushSecret is not implemented for Passbolt as it is read-only.
 func (provider *ProviderPassbolt) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
 	return errors.New(errNotImplemented)
 }
 
+// DeleteSecret is not implemented for Passbolt as it is read-only.
 func (provider *ProviderPassbolt) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
 	return errors.New(errNotImplemented)
 }
 
+// Validate performs validation of the Passbolt provider configuration.
 func (provider *ProviderPassbolt) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultUnknown, nil
 }
 
+// GetSecretMap retrieves a secret and returns it as a map of key/value pairs.
 func (provider *ProviderPassbolt) GetSecretMap(_ context.Context, _ esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	return nil, errors.New(errNotImplemented)
 }
 
+// GetAllSecrets retrieves all secrets from Passbolt that match the given criteria.
 func (provider *ProviderPassbolt) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
 	res := make(map[string][]byte)
 
@@ -176,10 +189,12 @@ func (provider *ProviderPassbolt) GetAllSecrets(ctx context.Context, ref esv1.Ex
 	return res, nil
 }
 
+// Close implements cleanup operations for the Passbolt provider.
 func (provider *ProviderPassbolt) Close(ctx context.Context) error {
 	return provider.client.Logout(ctx)
 }
 
+// ValidateStore validates the Passbolt SecretStore resource configuration.
 func (provider *ProviderPassbolt) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	config := store.GetSpec().Provider.Passbolt
 	if config == nil {
@@ -219,6 +234,7 @@ func init() {
 	}, esv1.MaintenanceStatusNotMaintained)
 }
 
+// Secret represents a Passbolt secret with its properties.
 type Secret struct {
 	Name        string `json:"name"`
 	Username    string `json:"username"`
@@ -227,6 +243,7 @@ type Secret struct {
 	Description string `json:"description"`
 }
 
+// GetProp retrieves a specific property from the Passbolt secret.
 func (ps Secret) GetProp(key string) ([]byte, error) {
 	switch key {
 	case "name":

+ 18 - 2
pkg/provider/passworddepot/passworddepot.go

@@ -13,6 +13,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
+// Package passworddepot implements a SecretStore provider for PasswordDepot.
 package passworddepot
 
 import (
@@ -40,6 +42,7 @@ const (
 	errNotImplemented                         = "%s not implemented"
 )
 
+// Client defines the interface for interacting with the PasswordDepot API.
 type Client interface {
 	GetSecret(database, key string) (SecretEntry, error)
 }
@@ -50,10 +53,12 @@ type PasswordDepot struct {
 	database string
 }
 
+// ValidateStore validates the PasswordDepot SecretStore resource configuration.
 func (p *PasswordDepot) ValidateStore(esv1.GenericStore) (admission.Warnings, error) {
 	return nil, nil
 }
 
+// Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
 func (p *PasswordDepot) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
@@ -65,6 +70,8 @@ type passwordDepotClient struct {
 	namespace string
 	storeKind string
 }
+
+// Provider represents the PasswordDepot provider configuration.
 type Provider struct{}
 
 func (c *passwordDepotClient) getAuth(ctx context.Context) (string, string, error) {
@@ -99,7 +106,7 @@ func (c *passwordDepotClient) getAuth(ctx context.Context) (string, string, erro
 	return string(username), string(password), nil
 }
 
-// NewClient Method on PasswordDepot Provider to set up client with credentials and populate projectID.
+// NewClient constructs a new secrets client based on the provided store.
 func (p *PasswordDepot) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.PasswordDepot == nil {
@@ -131,26 +138,33 @@ func (p *PasswordDepot) NewClient(ctx context.Context, store esv1.GenericStore,
 	return p, nil
 }
 
+// SecretExists checks if the secret exists in the PasswordDepot. This method is not implemented
+// as PasswordDepot is read-only.
 func (p *PasswordDepot) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, fmt.Errorf(errNotImplemented, "SecretExists")
 }
 
+// Validate performs validation of the PasswordDepot provider configuration.
 func (p *PasswordDepot) Validate() (esv1.ValidationResult, error) {
-	return 0, nil
+	return esv1.ValidationResultReady, nil
 }
 
+// PushSecret is not implemented for PasswordDepot as it is read-only.
 func (p *PasswordDepot) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
 	return fmt.Errorf(errNotImplemented, "PushSecret")
 }
 
+// GetAllSecrets retrieves all secrets from PasswordDepot that match the given criteria.
 func (p *PasswordDepot) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (map[string][]byte, error) {
 	return nil, fmt.Errorf(errNotImplemented, "GetAllSecrets")
 }
 
+// DeleteSecret is not implemented for PasswordDepot as it is read-only.
 func (p *PasswordDepot) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
 	return fmt.Errorf(errNotImplemented, "DeleteSecret")
 }
 
+// GetSecret retrieves a secret from PasswordDepot.
 func (p *PasswordDepot) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(p.client) {
 		return nil, errors.New(errUninitalizedPasswordDepotProvider)
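Review bot: `Validate` in this hunk returns `esv1.ValidationResultReady` unconditionally, so the comment `// Validate performs validation of the PasswordDepot provider configuration.` promises a check that is not made. Replacing the literal `0` with the named constant preserves behaviour only if Ready is the zero value of the enum, which this diff does not show. I would word the comment like the one this commit adds for Pulumi: `// Validate returns a ready validation result without doing any additional checks.` Any check of credentials or reachability has to happen elsewhere, so returning `esv1.ValidationResultUnknown`, as the Passbolt provider does, may be the more accurate result.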
@@ -169,6 +183,7 @@ func (p *PasswordDepot) GetSecret(_ context.Context, ref esv1.ExternalSecretData
 	return value, nil
 }
 
+// GetSecretMap retrieves a secret and returns it as a map of key/value pairs.
 func (p *PasswordDepot) GetSecretMap(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	data, err := p.client.GetSecret(p.database, ref.Key)
 	if err != nil {
@@ -178,6 +193,7 @@ func (p *PasswordDepot) GetSecretMap(_ context.Context, ref esv1.ExternalSecretD
 	return data.ToMap(), nil
 }
 
+// Close implements cleanup operations for the PasswordDepot provider.
 func (p *PasswordDepot) Close(_ context.Context) error {
 	return nil
 }

+ 15 - 3
pkg/provider/passworddepot/passworddepot_api.go

@@ -29,18 +29,22 @@ import (
 )
 
 const (
+	// DoRequestError is the error format string for request errors.
 	DoRequestError = "error: do request: %w"
 )
 
+// HTTPClient is an interface representing the ability to perform HTTP requests.
 type HTTPClient interface {
 	Do(*http.Request) (*http.Response, error)
 }
 
+// AccessData represents the access credentials returned by the Password Depot API upon successful login.
 type AccessData struct {
 	ClientID    string `json:"client_id"`
 	AccessToken string `json:"access_token"`
 }
 
+// Databases represents the list of Password Depot databases accessible with the current credentials.
 type Databases struct {
 	Databases []struct {
 		Name         string    `json:"name"`
@@ -57,6 +61,7 @@ type Databases struct {
 	Policyselectedgroups string `json:"policyselectedgroups"`
 }
 
+// DatabaseEntries represents the entries in a Password Depot database.
 type DatabaseEntries struct {
 	Name         string  `json:"name"`
 	Parent       string  `json:"parent"`
@@ -65,6 +70,7 @@ type DatabaseEntries struct {
 	Reasondelete string  `json:"reasondelete"`
 }
 
+// Entry represents a single entry in the Password Depot database.
 type Entry struct {
 	Name        string    `json:"name"`
 	Login       string    `json:"login"`
@@ -79,6 +85,7 @@ type Entry struct {
 	Itemclass   string    `json:"itemclass"`
 }
 
+// API represents a client for the Password Depot API.
 type API struct {
 	client   HTTPClient
 	baseURL  string
@@ -88,6 +95,7 @@ type API struct {
 	username string
 }
 
+// SecretEntry represents a secret entry in Password Depot.
 type SecretEntry struct {
 	Name        string    `json:"name"`
 	Fingerprint string    `json:"fingerprint"`
@@ -118,8 +126,7 @@ type SecretEntry struct {
 var errDBNotFound = errors.New("database not found")
 var errSecretNotFound = errors.New("secret not found")
 
-// load tls certificates
-
+// NewAPI creates a new instance of the PasswordDepot API client and performs login.
 func NewAPI(ctx context.Context, baseURL, username, password, hostPort string) (*API, error) {
 	api := &API{
 		baseURL:  baseURL,
@@ -209,6 +216,7 @@ func (api *API) login(ctx context.Context) error {
 	return nil
 }
 
+// ListSecrets retrieves the list of secrets from the specified database and folder.
 func (api *API) ListSecrets(dbFingerprint, folder string) (DatabaseEntries, error) {
 	endpointURL := api.getendpointURL(fmt.Sprintf("list?db=%s", dbFingerprint))
 	if folder != "" {
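Review bot: `ListSecrets` builds its query string with `fmt.Sprintf("list?db=%s", dbFingerprint)`, so the value goes into the URL without escaping; the `folder` branch starts in this hunk but its body is outside it. If either value can contain `&`, `#` or `=`, the request can carry parameters the caller did not intend. Where these values originate is not visible here, so this is a hardening suggestion: `api.getendpointURL("list?db=" + url.QueryEscape(dbFingerprint))`, with `net/url` imported if the file does not already have it. The new comment could also say what is returned, the `DatabaseEntries` for that database.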
@@ -229,6 +237,7 @@ func (api *API) ListSecrets(dbFingerprint, folder string) (DatabaseEntries, erro
 	return dbEntries, err
 }
 
+// ReadAndUnmarshal reads the response body and unmarshals it into the target struct.
 func ReadAndUnmarshal(resp *http.Response, target any) error {
 	var buf bytes.Buffer
 	defer func() {
@@ -244,6 +253,7 @@ func ReadAndUnmarshal(resp *http.Response, target any) error {
 	return json.Unmarshal(buf.Bytes(), target)
 }
 
+// ListDatabases retrieves the list of databases accessible with the current credentials.
 func (api *API) ListDatabases() (Databases, error) {
 	listDBRequest, err := http.NewRequest("GET", api.getendpointURL("list"), http.NoBody)
 	if err != nil {
@@ -260,6 +270,7 @@ func (api *API) ListDatabases() (Databases, error) {
 	return databases, err
 }
 
+// GetSecret retrieves a secret by its name from the specified database.
 func (api *API) GetSecret(database, secretName string) (SecretEntry, error) {
 	dbFingerprint, err := api.getDatabaseFingerprint(database)
 	if err != nil {
@@ -285,7 +296,8 @@ func (api *API) GetSecret(database, secretName string) (SecretEntry, error) {
 	return secretEntry, err
 }
 
-func (s SecretEntry) ToMap() map[string][]byte {
+// ToMap converts the SecretEntry struct to a map[string][]byte.
+func (s *SecretEntry) ToMap() map[string][]byte {
 	m := make(map[string][]byte)
 
 	m["name"] = []byte(s.Name)
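Review bot: Changing the receiver of `ToMap` from `SecretEntry` to `*SecretEntry` alters the type's method set, which is more than a lint fix. A `SecretEntry` value no longer satisfies an interface that requires `ToMap`, and the method can no longer be called on a non-addressable value such as a function result. The caller visible in passworddepot.go, `data.ToMap()` on a local variable, still compiles; callers outside this diff should be checked. If the aim is to avoid copying the entry, the comment should say so, e.g. `// ToMap converts the entry to a map[string][]byte; the pointer receiver avoids copying the struct.` The function body continues outside the hunk.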

+ 20 - 6
pkg/provider/previder/provider.go

@@ -13,6 +13,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
+// Package previder implements a secret store provider for Previder Vault.
 package previder
 
 import (
@@ -35,6 +37,7 @@ const (
 
 var _ esv1.Provider = &SecretManager{}
 
+// SecretManager implements the esv1.Provider interface for Previder Vault.
 type SecretManager struct {
 	VaultClient previderclient.PreviderVaultClient
 }
@@ -45,6 +48,7 @@ func init() {
 	}, esv1.MaintenanceStatusMaintained)
 }
 
+// NewClient creates a new Previder Vault client.
 func (s *SecretManager) NewClient(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
 	if store == nil {
 		return nil, fmt.Errorf("secret store not found: %v", "nil store")
@@ -65,6 +69,7 @@ func (s *SecretManager) NewClient(ctx context.Context, store esv1.GenericStore,
 	return s, nil
 }
 
+// ValidateStore validates the Previder Vault store configuration.
 func (s *SecretManager) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	storeSpec := store.GetSpec()
 	previderSpec := storeSpec.Provider.Previder
@@ -86,11 +91,13 @@ func (s *SecretManager) ValidateStore(store esv1.GenericStore) (admission.Warnin
 	return nil, nil
 }
 
+// Capabilities returns the capabilities of the Previder Vault provider.
 func (s *SecretManager) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
-func (s *SecretManager) GetSecret(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
+// GetSecret retrieves a secret from Previder Vault.
+func (s *SecretManager) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	secret, err := s.VaultClient.DecryptSecret(ref.Key)
 	if err != nil {
 		return nil, err
@@ -98,18 +105,22 @@ func (s *SecretManager) GetSecret(ctx context.Context, ref esv1.ExternalSecretDa
 	return []byte(secret.Secret), nil
 }
 
-func (s *SecretManager) PushSecret(ctx context.Context, secret *corev1.Secret, data esv1.PushSecretData) error {
+// PushSecret is not implemented for Previder Vault.
+func (s *SecretManager) PushSecret(context.Context, *corev1.Secret, esv1.PushSecretData) error {
 	return errors.New(errNotImplemented)
 }
 
-func (s *SecretManager) DeleteSecret(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) error {
+// DeleteSecret is not implemented for Previder Vault.
+func (s *SecretManager) DeleteSecret(context.Context, esv1.PushSecretRemoteRef) error {
 	return errors.New(errNotImplemented)
 }
 
-func (s *SecretManager) SecretExists(ctx context.Context, remoteRef esv1.PushSecretRemoteRef) (bool, error) {
+// SecretExists is not implemented for Previder Vault.
+func (s *SecretManager) SecretExists(context.Context, esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errors.New(errNotImplemented)
 }
 
+// Validate checks if the Vault client can connect and retrieve secrets.
 func (s *SecretManager) Validate() (esv1.ValidationResult, error) {
 	_, err := s.VaultClient.GetSecrets()
 	if err != nil {
@@ -119,6 +130,7 @@ func (s *SecretManager) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// GetSecretMap retrieves a secret and returns it as a map with a single key-value pair.
 func (s *SecretManager) GetSecretMap(ctx context.Context, ref esv1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	secrets, err := s.GetSecret(ctx, ref)
 	if err != nil {
@@ -129,10 +141,12 @@ func (s *SecretManager) GetSecretMap(ctx context.Context, ref esv1.ExternalSecre
 	return secretData, nil
 }
 
-func (s *SecretManager) GetAllSecrets(ctx context.Context, ref esv1.ExternalSecretFind) (map[string][]byte, error) {
+// GetAllSecrets is not implemented for Previder Vault.
+func (s *SecretManager) GetAllSecrets(context.Context, esv1.ExternalSecretFind) (map[string][]byte, error) {
 	return nil, errors.New(errNotImplemented)
 }
 
-func (s *SecretManager) Close(ctx context.Context) error {
+// Close cleans up any resources held by the client.
+func (s *SecretManager) Close(context.Context) error {
 	return nil
 }

+ 4 - 0
pkg/provider/pulumi/provider.go

@@ -30,6 +30,7 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
+// Provider implements the esv1.Provider interface for Pulumi ESC.
 type Provider struct{}
 
 var _ esv1.Provider = &Provider{}
@@ -46,6 +47,7 @@ const (
 	errSecretRefKeyIsRequired        = "secretRef.key is required"
 )
 
+// NewClient creates a new Pulumi ESC client.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	cfg, err := getConfig(store)
 	if err != nil {
@@ -143,11 +145,13 @@ func validateSecretRef(ref *esv1.PulumiProviderSecretRef) error {
 	return nil
 }
 
+// ValidateStore validates the store's configuration.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	_, err := getConfig(store)
 	return nil, err
 }
 
+// Capabilities returns the provider's esv1.SecretStoreCapabilities.
 func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }

+ 2 - 0
pkg/provider/pulumi/pulumi.go

@@ -123,10 +123,12 @@ func (c *client) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) err
 	return errors.New(errDeleteSecretsNotSupported)
 }
 
+// Validate returns a ready validation result without doing any additional checks.
 func (c *client) Validate() (esv1.ValidationResult, error) {
 	return esv1.ValidationResultReady, nil
 }
 
+// GetMapFromInterface converts an interface{} to a map[string][]byte.
 func GetMapFromInterface(i interface{}) (map[string][]byte, error) {
 	// Assert the interface{} to map[string]interface{}
 	m, ok := i.(map[string]interface{})

+ 2 - 2
pkg/provider/register/register.go

@@ -14,11 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package register imports all provider implementations to register them in the controller schema.
 package register
 
-// packages imported here are registered to the controller schema.
-
 import (
+	// To ensure all providers are registered, we import them here.
 	_ "github.com/external-secrets/external-secrets/pkg/provider/akeyless"
 	_ "github.com/external-secrets/external-secrets/pkg/provider/alibaba"
 	_ "github.com/external-secrets/external-secrets/pkg/provider/aws"

+ 1 - 0
pkg/provider/scaleway/cache.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package scaleway provides functionality to interact with Scaleway Secrets Management service.
 package scaleway
 
 import (

+ 5 - 0
pkg/provider/scaleway/provider.go

@@ -38,6 +38,9 @@ var (
 	log           = ctrl.Log.WithName("provider").WithName("scaleway")
 )
 
+var _ esv1.Provider = &Provider{}
+
+// Provider is a Scaleway provider implementation that satisfies the esv1.Provider interface.
 type Provider struct{}
 
 // Capabilities return the provider supported capabilities (ReadOnly, WriteOnly, ReadWrite).
@@ -45,6 +48,7 @@ func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadWrite
 }
 
+// NewClient creates a new secrets client based on provided store.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kubeClient.Client, namespace string) (esv1.SecretsClient, error) {
 	cfg, err := getConfig(store)
 	if err != nil {
@@ -163,6 +167,7 @@ func getConfig(store esv1.GenericStore) (*esv1.ScalewayProvider, error) {
 	return cfg, nil
 }
 
+// ValidateStore validates the store's configuration.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	_, err := getConfig(store)
 	return nil, err

+ 3 - 0
pkg/provider/secretserver/provider.go

@@ -43,6 +43,7 @@ var (
 	errMissingSecretKey = errors.New("must specify a secret key")
 )
 
+// Provider struct that implements the ESO esv1.Provider.
 type Provider struct{}
 
 var _ esv1.Provider = &Provider{}
@@ -52,6 +53,7 @@ func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
+// NewClient creates a new secrets client based on provided store.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube kubeClient.Client, namespace string) (esv1.SecretsClient, error) {
 	cfg, err := getConfig(store)
 	if err != nil {
@@ -170,6 +172,7 @@ func getConfig(store esv1.GenericStore) (*esv1.SecretServerProvider, error) {
 	return cfg, nil
 }
 
+// ValidateStore validates the store's configuration and returns warnings or error.
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {
 	_, err := getConfig(store)
 	return nil, err

+ 2 - 0
pkg/provider/senhasegura/auth/iso.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package auth provides authentication mechanisms for senhasegura provider in External Secrets Operator
 package auth
 
 import (
@@ -33,6 +34,7 @@ import (
 	"github.com/external-secrets/external-secrets/pkg/utils/resolvers"
 )
 
+// ISOInterface defines methods for senhasegura ISO authentication.
 type ISOInterface interface {
 	IsoSessionFromSecretRef(ctx context.Context, provider *esv1.SenhaseguraProvider, store esv1.GenericStore, kube client.Client, namespace string) (*SenhaseguraIsoSession, error)
 	GetIsoToken(clientID, clientSecret, systemURL string, ignoreSslCertificate bool) (token string, err error)
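Review bot: The comment added on `ISOInterface` does not mention the `ignoreSslCertificate` parameter of `GetIsoToken`, which is the security-relevant part of this interface. If the flag does what its name suggests (the implementation is not in this hunk), setting it sends `clientSecret` and receives the token over a connection whose server certificate is not verified. I would add a method comment such as `// GetIsoToken requests a token from systemURL; ignoreSslCertificate disables TLS certificate verification and should stay false outside test setups.` The interface body continues outside the hunk.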

+ 23 - 32
pkg/provider/senhasegura/dsm/dsm.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package dsm provides functionality to interact with Senhasegura DevOps Secrets Management (DSM) service.
 package dsm
 
 import (
@@ -38,18 +39,14 @@ type clientDSMInterface interface {
 // https://github.com/external-secrets/external-secrets/issues/644
 var _ esv1.SecretsClient = &DSM{}
 
-/*
-DSM service for SenhaseguraProvider.
-*/
+// DSM service for SenhaseguraProvider.
 type DSM struct {
 	isoSession *senhaseguraAuth.SenhaseguraIsoSession
 	dsmClient  clientDSMInterface
 }
 
-/*
-IsoDappResponse is a response object from senhasegura /iso/dapp/response (DevOps Secrets Management API endpoint)
-Contains information about API request and Secrets linked with authorization.
-*/
+// IsoDappResponse is a response object from senhasegura /iso/dapp/response (DevOps Secrets Management API endpoint)
+// Contains information about API request and Secrets linked with authorization.
 type IsoDappResponse struct {
 	Response struct {
 		Status    int    `json:"status"`
@@ -84,9 +81,7 @@ var (
 	errNotImplemented      = errors.New("not implemented")
 )
 
-/*
-New creates an senhasegura DSM client based on ISO session.
-*/
+// New creates a senhasegura DSM client based on ISO session.
 func New(isoSession *senhaseguraAuth.SenhaseguraIsoSession) (*DSM, error) {
 	return &DSM{
 		isoSession: isoSession,
@@ -94,22 +89,25 @@ func New(isoSession *senhaseguraAuth.SenhaseguraIsoSession) (*DSM, error) {
 	}, nil
 }
 
+// DeleteSecret implements ESO interface and delete a single secret from senhasegura provider with DSM service.
+// Not implemented yet.
 func (dsm *DSM) DeleteSecret(_ context.Context, _ esv1.PushSecretRemoteRef) error {
 	return errNotImplemented
 }
 
+// SecretExists implements ESO interface and check if a single secret exists in senhasegura provider with DSM service.
+// Not implemented yet.
 func (dsm *DSM) SecretExists(_ context.Context, _ esv1.PushSecretRemoteRef) (bool, error) {
 	return false, errNotImplemented
 }
 
-// Not Implemented PushSecret.
+// PushSecret implements ESO interface and push a single secret to senhasegura provider with DSM service.
+// Not implemented yet.
 func (dsm *DSM) PushSecret(_ context.Context, _ *corev1.Secret, _ esv1.PushSecretData) error {
 	return errNotImplemented
 }
 
-/*
-GetSecret implements ESO interface and get a single secret from senhasegura provider with DSM service.
-*/
+// GetSecret implements ESO interface and get a single secret from senhasegura provider with DSM service.
 func (dsm *DSM) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) (resp []byte, err error) {
 	appSecrets, err := dsm.FetchSecrets()
 	if err != nil {
@@ -142,9 +140,7 @@ func (dsm *DSM) GetSecret(_ context.Context, ref esv1.ExternalSecretDataRemoteRe
 	return []byte(""), esv1.NoSecretErr
 }
 
-/*
-GetSecretMap implements ESO interface and returns miltiple k/v pairs from senhasegura provider with DSM service.
-*/
+// GetSecretMap implements ESO interface and returns miltiple k/v pairs from senhasegura provider with DSM service.
 func (dsm *DSM) GetSecretMap(_ context.Context, ref esv1.ExternalSecretDataRemoteRef) (secretData map[string][]byte, err error) {
 	secretData = make(map[string][]byte)
 	appSecrets, err := dsm.FetchSecrets()
@@ -164,20 +160,15 @@ func (dsm *DSM) GetSecretMap(_ context.Context, ref esv1.ExternalSecretDataRemot
 	return secretData, nil
 }
 
-/*
-GetAllSecrets implements ESO interface and returns multiple secrets from senhasegura provider with DSM service
-
-TODO: GetAllSecrets functionality is to get secrets from either regexp-matching against the names or via metadata label matching.
-https://github.com/external-secrets/external-secrets/pull/830#discussion_r858657107
-*/
+// GetAllSecrets implements ESO interface and returns multiple secrets from senhasegura provider with DSM service
+// TODO: GetAllSecrets functionality is to get secrets from either regexp-matching against the names or via metadata label matching.
+// https://github.com/external-secrets/external-secrets/pull/830#discussion_r858657107
 func (dsm *DSM) GetAllSecrets(_ context.Context, _ esv1.ExternalSecretFind) (secretData map[string][]byte, err error) {
 	return nil, errNotImplemented
 }
 
-/*
-fetchSecrets calls senhasegura DSM /iso/dapp/application API endpoint
-Return an IsoDappResponse with all related information from senhasegura provider with DSM service and error.
-*/
+// FetchSecrets calls senhasegura DSM /iso/dapp/application API endpoint
+// Return an IsoDappResponse with all related information from senhasegura provider with DSM service and error.
 func (dsm *DSM) FetchSecrets() (respObj IsoDappResponse, err error) {
 	u, _ := url.ParseRequestURI(dsm.isoSession.URL)
 	u.Path = "/iso/dapp/application"
@@ -226,15 +217,15 @@ func (dsm *DSM) FetchSecrets() (respObj IsoDappResponse, err error) {
 	return respObj, nil
 }
 
-/*
-Close implements ESO interface and do nothing in senhasegura.
-*/
+// Close implements ESO interface and do nothing in senhasegura.
 func (dsm *DSM) Close(_ context.Context) error {
 	return nil
 }
 
-// Validate if has valid connection with senhasegura, credentials, authorization using fetchSecrets method
-// fetchSecrets method implement required check about request
+// Validate if it has valid connection with senhasegura, credentials, authorization using fetchSecrets method
+//
+//	implement required check about request.
+//
 // https://github.com/external-secrets/external-secrets/pull/830#discussion_r833275463
 func (dsm *DSM) Validate() (esv1.ValidationResult, error) {
 	_, err := dsm.FetchSecrets()
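Review bot: In `FetchSecrets`, `u, _ := url.ParseRequestURI(dsm.isoSession.URL)` discards the parse error, and `url.ParseRequestURI` returns a nil `*url.URL` on failure, so the following `u.Path = "/iso/dapp/application"` would panic on a malformed session URL. Unless the URL is guaranteed valid before the session is built (not visible here), the error should be returned: `u, err := url.ParseRequestURI(dsm.isoSession.URL)` followed by `if err != nil { return respObj, err }`. The commit only touches the doc comment of this function, and its body continues outside the hunk.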

+ 3 - 4
pkg/provider/senhasegura/provider.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package senhasegura implements Senhasegura provider for External Secrets Operator
 package senhasegura
 
 import (
@@ -52,9 +53,7 @@ func (p *Provider) Capabilities() esv1.SecretStoreCapabilities {
 	return esv1.SecretStoreReadOnly
 }
 
-/*
-Construct a new secrets client based on provided store.
-*/
+// NewClient construct a new secrets client based on provided store.
 func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube client.Client, namespace string) (esv1.SecretsClient, error) {
 	spec := store.GetSpec()
 	provider := spec.Provider.Senhasegura
@@ -71,7 +70,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1.GenericStore, kube
 	return nil, fmt.Errorf(errUnknownProviderService, provider.Module)
 }
 
-// Validate store using Validating webhook during secret store creating
+// ValidateStore validates store using Validating webhook during secret store creating
 // Checks here are usually the best experience for the user, as the SecretStore will not be created until it is a 'valid' one.
 // https://github.com/external-secrets/external-secrets/pull/830#discussion_r833278518
 func (p *Provider) ValidateStore(store esv1.GenericStore) (admission.Warnings, error) {

+ 6 - 1
pkg/provider/util/locks/secret_locks.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package locks provides locking mechanisms to prevent lost updates when accessing secrets.
 package locks
 
 import (
@@ -23,12 +24,16 @@ import (
 )
 
 var (
+	// ErrConflict is returned when a secret is locked and cannot be accessed.
 	ErrConflict = errors.New("unable to access secret since it is locked")
 
 	sharedLocks = &secretLocks{}
 )
 
-func TryLock(providerName, secretName string) (func(), error) {
+// TryLock tries to acquire a lock for a given provider and secret.
+// It returns an unlock function to release the lock and an error if the lock
+// could not be acquired.
+func TryLock(providerName, secretName string) (unlock func(), _ error) {
 	key := fmt.Sprintf("%s#%s", providerName, secretName)
 	unlockFunc, ok := sharedLocks.tryLock(key)
 	if !ok {
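Review bot: The lock key in `TryLock` is built as `fmt.Sprintf("%s#%s", providerName, secretName)`, which is ambiguous when either name can contain `#`: the pairs (`a#b`, `c`) and (`a`, `b#c`) produce the same key and would share one lock. The effect is presumably limited to a spurious `ErrConflict`, but if remote secret names are not restricted, a quoted form such as `fmt.Sprintf("%q#%q", providerName, secretName)` removes the overlap. The function body continues outside the hunk.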

+ 12 - 12
pkg/provider/vault/auth_kubernetes.go

@@ -105,19 +105,19 @@ func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1.VaultKube
 			return "", err
 		}
 		return jwt, nil
-	} else {
-		// Kubernetes authentication is specified, but without a referenced
-		// Kubernetes secret. We check if the file path for in-cluster service account
-		// exists and attempt to use the token for Vault Kubernetes auth.
-		if _, err := os.Stat(serviceAccTokenPath); err != nil {
-			return "", fmt.Errorf(errServiceAccount, err)
-		}
-		jwtByte, err := os.ReadFile(serviceAccTokenPath)
-		if err != nil {
-			return "", fmt.Errorf(errServiceAccount, err)
-		}
-		return string(jwtByte), nil
 	}
+
+	// Kubernetes authentication is specified, but without a referenced
+	// Kubernetes secret. We check if the file path for in-cluster service account
+	// exists and attempt to use the token for Vault Kubernetes auth.
+	if _, err := os.Stat(serviceAccTokenPath); err != nil {
+		return "", fmt.Errorf(errServiceAccount, err)
+	}
+	jwtByte, err := os.ReadFile(serviceAccTokenPath)
+	if err != nil {
+		return "", fmt.Errorf(errServiceAccount, err)
+	}
+	return string(jwtByte), nil
 }
 
 func (c *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccountRef *esmeta.ServiceAccountSelector) (string, error) {
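Review bot: The un-nested fallback path in `getJwtString` still calls `os.Stat(serviceAccTokenPath)` before `os.ReadFile(serviceAccTokenPath)`, and both failures are wrapped with the same `errServiceAccount` format. The `Stat` reports nothing that `ReadFile` does not, and it leaves a small check-then-read gap, so the block can be reduced to `jwtByte, err := os.ReadFile(serviceAccTokenPath)` and its existing error check. The function starts outside the hunk.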

+ 2 - 2
pkg/provider/vault/auth_test.go

@@ -199,7 +199,7 @@ func TestCheckTokenErrors(t *testing.T) {
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			token := fake.Token{
-				LookupSelfWithContextFn: func(ctx context.Context) (*vault.Secret, error) {
+				LookupSelfWithContextFn: func(_ context.Context) (*vault.Secret, error) {
 					return tc.secret, tc.err
 				},
 			}
@@ -267,7 +267,7 @@ func TestCheckTokenTtl(t *testing.T) {
 	for name, tc := range cases {
 		t.Run(name, func(t *testing.T) {
 			token := fake.Token{
-				LookupSelfWithContextFn: func(ctx context.Context) (*vault.Secret, error) {
+				LookupSelfWithContextFn: func(_ context.Context) (*vault.Secret, error) {
 					return tc.secret, nil
 				},
 			}

+ 8 - 8
pkg/provider/vault/client_get_all_secrets_test.go

@@ -290,7 +290,7 @@ func TestGetAllSecrets(t *testing.T) {
 			args: args{
 				store: makeValidSecretStoreWithVersion(esv1.VaultKVStoreV2).Spec.Provider.Vault,
 				vLogical: &fake.Logical{
-					ListWithContextFn: func(ctx context.Context, path string) (*vault.Secret, error) {
+					ListWithContextFn: func(_ context.Context, _ string) (*vault.Secret, error) {
 						return nil, nil
 					},
 					ReadWithDataWithContextFn: newReadtWithContextFn(map[string]any{}),
@@ -329,7 +329,7 @@ func TestGetAllSecrets(t *testing.T) {
 				store: makeValidSecretStoreWithVersion(esv1.VaultKVStoreV2).Spec.Provider.Vault,
 				vLogical: &fake.Logical{
 					ListWithContextFn: newListWithContextFn(kv2secret),
-					ReadWithDataWithContextFn: func(ctx context.Context, path string, d map[string][]string) (*vault.Secret, error) {
+					ReadWithDataWithContextFn: func(_ context.Context, _ string, _ map[string][]string) (*vault.Secret, error) {
 						return nil, nil
 					},
 				},
@@ -365,7 +365,7 @@ func TestGetAllSecrets(t *testing.T) {
 }
 
 func newListWithContextFn(secrets map[string]any) func(ctx context.Context, path string) (*vault.Secret, error) {
-	return func(ctx context.Context, path string) (*vault.Secret, error) {
+	return func(_ context.Context, path string) (*vault.Secret, error) {
 		path = strings.TrimPrefix(path, "secret/metadata/") // kvv2
 		if path == "" {
 			path = "default"
@@ -387,7 +387,7 @@ func newListWithContextFn(secrets map[string]any) func(ctx context.Context, path
 }
 
 func newListWithContextKvv1Fn(secrets map[string]any) func(ctx context.Context, path string) (*vault.Secret, error) {
-	return func(ctx context.Context, path string) (*vault.Secret, error) {
+	return func(_ context.Context, path string) (*vault.Secret, error) {
 		path = strings.TrimPrefix(path, "secret/")
 
 		keys := make([]any, 0, len(secrets))
@@ -398,7 +398,7 @@ func newListWithContextKvv1Fn(secrets map[string]any) func(ctx context.Context,
 			}
 		}
 		if len(keys) == 0 {
-			return nil, errors.New("Secret not found")
+			return nil, errors.New("secret not found")
 		}
 
 		secret := &vault.Secret{
@@ -411,7 +411,7 @@ func newListWithContextKvv1Fn(secrets map[string]any) func(ctx context.Context,
 }
 
 func newReadtWithContextFn(secrets map[string]any) func(ctx context.Context, path string, data map[string][]string) (*vault.Secret, error) {
-	return func(ctx context.Context, path string, d map[string][]string) (*vault.Secret, error) {
+	return func(_ context.Context, path string, _ map[string][]string) (*vault.Secret, error) {
 		path = strings.TrimPrefix(path, "secret/data/")
 		path = strings.TrimPrefix(path, "secret/metadata/")
 
@@ -433,12 +433,12 @@ func newReadtWithContextFn(secrets map[string]any) func(ctx context.Context, pat
 }
 
 func newReadtWithContextKvv1Fn(secrets map[string]any) func(ctx context.Context, path string, data map[string][]string) (*vault.Secret, error) {
-	return func(ctx context.Context, path string, d map[string][]string) (*vault.Secret, error) {
+	return func(_ context.Context, path string, _ map[string][]string) (*vault.Secret, error) {
 		path = strings.TrimPrefix(path, "secret/")
 
 		data, ok := secrets[path]
 		if !ok {
-			return nil, errors.New("Secret not found")
+			return nil, errors.New("secret not found")
 		}
 
 		dataAsMap := data.(map[string]any)

+ 1 - 1
pkg/provider/vault/client_get_test.go

@@ -241,7 +241,7 @@ func TestGetSecret(t *testing.T) {
 					Property: "access_key",
 				},
 				vLogical: &fake.Logical{
-					ReadWithDataWithContextFn: func(ctx context.Context, path string, data map[string][]string) (*vault.Secret, error) {
+					ReadWithDataWithContextFn: func(_ context.Context, _ string, _ map[string][]string) (*vault.Secret, error) {
 						return nil, nil
 					},
 				},

Some files were not shown because too many files changed in this diff