chore(deps): Bump sigs.k8s.io/release-utils from 0.8.4 to 0.8.5 (#1622)

* chore(deps): Bump sigs.k8s.io/release-utils from 0.8.4 to 0.8.5 Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.8.4 to 0.8.5. - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](kubernetes-sigs/release-utils@v0.8.4...v0.8.5) --- updated-dependencies: - dependency-name: sigs.k8s.io/release-utils dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * move to go 1.23 Signed-off-by: Bob Callaway <bcallaway@google.com> * move to golangci-lint 1.61 Signed-off-by: Bob Callaway <bcallaway@google.com> * fix lint errors Signed-off-by: Bob Callaway <bcallaway@google.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Bob Callaway <bcallaway@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Bob Callaway <bcallaway@google.com>
sigstore · Oct 7, 2024 · 89da4fb · 89da4fb
1 parent 5c281b2
commit 89da4fb
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 10 deletions.
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -92,5 +92,5 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
-          version: v1.59
+          version: v1.61
           args: --timeout=15m
diff --git a/Makefile b/Makefile
@@ -105,7 +105,7 @@ local-dev:
 golangci-lint:
 	rm -f $(GOLANGCI_LINT_BIN) || :
 	set -e ;\
-	GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1 ;\
+	GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0 ;\
 
 lint: golangci-lint ## Run golangci-lint linter
 	$(GOLANGCI_LINT_BIN) run -n

diff --git a/cmd/api-docs/main.go b/cmd/api-docs/main.go
@@ -165,7 +165,7 @@ func astFrom(filePath string) *doc.Package {
 	}
 
 	m[filePath] = f
-	apkg, _ := ast.NewPackage(fset, m, nil, nil) //nolint:errcheck
+	apkg, _ := ast.NewPackage(fset, m, nil, nil) //nolint:staticcheck
 
 	return doc.New(apkg, "", 0)
 }

diff --git a/go.mod b/go.mod
@@ -1,6 +1,8 @@
 module github.com/sigstore/policy-controller
 
-go 1.22.6
+go 1.23
+
+toolchain go1.23.1
 
 require (
 	github.com/aws/aws-sdk-go v1.55.5
@@ -47,7 +49,7 @@ require (
 	k8s.io/code-generator v0.31.0
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
 	knative.dev/hack v0.0.0-20240111013919-e89096d74d85
-	sigs.k8s.io/release-utils v0.8.4
+	sigs.k8s.io/release-utils v0.8.5
 	sigs.k8s.io/yaml v1.4.0
 )
 

diff --git a/go.sum b/go.sum
@@ -1333,8 +1333,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw=
-sigs.k8s.io/release-utils v0.8.4/go.mod h1:m1bHfscTemQp+z+pLCZnkXih9n0+WukIUU70n6nFnU0=
+sigs.k8s.io/release-utils v0.8.5 h1:FUtFqEAN621gSXv0L7kHyWruBeS7TUU9aWf76olX7uQ=
+sigs.k8s.io/release-utils v0.8.5/go.mod h1:qsm5bdxdgoHkD8HsXpgme2/c3mdsNaiV53Sz2HmKeJA=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go
@@ -129,7 +129,10 @@ func Uncompress(src io.Reader, dst string) error {
 			}
 		// Write out files
 		case tar.TypeReg:
-			fileToWrite, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
+			if header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115
+				return errors.New("invalid mode value in tar header")
+			}
+			fileToWrite, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode)) //nolint:gosec // disable G115
 			if err != nil {
 				return err
 			}
@@ -213,9 +216,12 @@ func UncompressMemFS(src io.Reader, stripPrefix string) (fs.FS, error) {
 			if err != nil && err != io.EOF {
 				return nil, fmt.Errorf("reading file %s : %w", header.Name, err)
 			}
+			if header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115
+				return nil, errors.New("invalid mode value in tar header")
+			}
 			testFS[target] = &fstest.MapFile{
 				Data:    data,
-				Mode:    os.FileMode(header.Mode),
+				Mode:    os.FileMode(header.Mode), //nolint:gosec // disable G115
 				ModTime: header.ModTime,
 			}
 		}

diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go
@@ -517,7 +517,7 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 			switch {
 			case authority.Static != nil:
 				if authority.Static.Action == "fail" {
-					result.err = cosign.NewVerificationError("disallowed by static policy: " + authority.Static.Message)
+					result.err = cosign.NewVerificationError("disallowed by static policy: %s", authority.Static.Message)
 					results <- result
 					return
 				}