Makefile: bump GOLANGCI_LINT_VERSION to v1.61

v1.60 seems to have some issues [1] with something in our dependency chain. Update to v1.61 and fix all new issues. New issues are all instances of potential integer overflow from int -> uint conversions. Added guards where appropriate and disabled the check when when it's not needed. [1] https://github.com/osbuild/osbuild-composer/actions/runs/16624417387/job/47037518471
2025-07-30 16:27:59 +02:00 · 2025-07-30 16:27:59 +02:00 · b3d1e4cf13
commit b3d1e4cf13
parent 6497b7520d
7 changed files with 23 additions and 12 deletions
--- a/cmd/osbuild-koji-tests/main_test.go
+++ b/cmd/osbuild-koji-tests/main_test.go
@ -168,11 +168,12 @@ func TestKojiImport(t *testing.T) {
 			RPMs:  []koji.RPM{},
 		},
 	}
+
 	output := []koji.BuildOutput{
 		{
 			BuildRootID:  1,
 			Filename:     filename,
-			FileSize:     uint64(filesize),
+			FileSize:     uint64(filesize), // nolint: gosec
 			Arch:         "noarch",
 			ChecksumType: koji.ChecksumTypeMD5,
 			Checksum:     hash,
@ -190,7 +191,7 @@ func TestKojiImport(t *testing.T) {
 	initResult, err := k.CGInitBuild(build.Name, build.Version, build.Release)
 	require.NoError(t, err)

-	build.BuildID = uint64(initResult.BuildID)
+	build.BuildID = uint64(initResult.BuildID) // nolint: gosec

 	importResult, err := k.CGImport(build, buildRoots, output, uploadDirectory, initResult.Token)
 	require.NoError(t, err)
--- a/cmd/osbuild-worker/jobimpl-koji-finalize.go
+++ b/cmd/osbuild-worker/jobimpl-koji-finalize.go
@ -141,6 +141,10 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 	}

 	for i, buildResult := range osbuildResults {
+		// i is a range index which never get modified, so it's safe to
+		// ignore the sec warning
+		buildRootID := uint64(i) // nolint: gosec
+
 		buildRPMs := make([]koji.RPM, 0)
 		// collect packages from stages in build pipelines
 		for _, plName := range buildResult.PipelineNames.Build {
@ -171,7 +175,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 		kojiTargetOptions := kojiTargetResult.Options.(*target.KojiTargetResultOptions)

 		buildRoots = append(buildRoots, koji.BuildRoot{
-			ID: uint64(i),
+			ID: buildRootID,
 			Host: koji.Host{
 				Os:   buildResult.HostOS,
 				Arch: buildResult.Arch,
@ -224,7 +228,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {

 		// Image output
 		outputs = append(outputs, koji.BuildOutput{
-			BuildRootID:  uint64(i),
+			BuildRootID:  buildRootID,
 			Filename:     imageFilename,
 			FileSize:     kojiTargetOptions.Image.Size,
 			Arch:         buildResult.Arch,
@ -268,7 +272,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 			manifestOutputsExtraInfo[kojiTargetOptions.OSBuildManifest.Filename] = &manifestExtraInfo

 			outputs = append(outputs, koji.BuildOutput{
-				BuildRootID:  uint64(i),
+				BuildRootID:  buildRootID,
 				Filename:     kojiTargetOptions.OSBuildManifest.Filename,
 				FileSize:     kojiTargetOptions.OSBuildManifest.Size,
 				Arch:         buildResult.Arch,
@ -286,7 +290,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 		// TODO: Remove the condition it in the future.
 		if kojiTargetOptions.Log != nil {
 			outputs = append(outputs, koji.BuildOutput{
-				BuildRootID:  uint64(i),
+				BuildRootID:  buildRootID,
 				Filename:     kojiTargetOptions.Log.Filename,
 				FileSize:     kojiTargetOptions.Log.Size,
 				Arch:         "noarch", // log file is not architecture dependent
@ -300,7 +304,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 		if len(kojiTargetOptions.SbomDocs) > 0 {
 			for _, sbomDoc := range kojiTargetOptions.SbomDocs {
 				outputs = append(outputs, koji.BuildOutput{
-					BuildRootID:  uint64(i),
+					BuildRootID:  buildRootID,
 					Filename:     sbomDoc.Filename,
 					FileSize:     sbomDoc.Size,
 					Arch:         buildResult.Arch,
--- a/cmd/osbuild-worker/jobimpl-koji-init.go
+++ b/cmd/osbuild-worker/jobimpl-koji-init.go
@ -44,7 +44,10 @@ func (impl *KojiInitJobImpl) kojiInit(server, name, version, release string) (st
 		return "", 0, err
 	}

-	return buildInfo.Token, uint64(buildInfo.BuildID), nil
+	if buildInfo.BuildID < 0 {
+		return "", 0, fmt.Errorf("invalid koji init job build ID: %d", buildInfo.BuildID)
+	}
+	return buildInfo.Token, uint64(buildInfo.BuildID), nil // nolint: gosec
 }

 func (impl *KojiInitJobImpl) Run(job worker.Job) error {