Makefile: bump GOLANGCI_LINT_VERSION to v1.61

v1.60 seems to have some issues [1] with something in our dependency
chain.  Update to v1.61 and fix all new issues.

New issues are all instances of potential integer overflow from int ->
uint conversions.  Added guards where appropriate and disabled the check
when when it's not needed.

[1] https://github.com/osbuild/osbuild-composer/actions/runs/16624417387/job/47037518471

Makefile

@@ -29,7 +29,7 @@ SHELL := /bin/bash
 # v1.56 to get golang 1.22 (1.22.0)
 # v1.55 to get golang 1.21 (1.21.3)
 # v1.53 to get golang 1.20 (1.20.5)
-GOLANGCI_LINT_VERSION=v1.60
+GOLANGCI_LINT_VERSION=v1.61
 GOLANGCI_LINT_CACHE_DIR=$(HOME)/.cache/golangci-lint/$(GOLANGCI_LINT_VERSION)
 GOLANGCI_COMPOSER_IMAGE=composer_golangci
 #

cmd/osbuild-koji-tests/main_test.go

@@ -168,11 +168,12 @@ func TestKojiImport(t *testing.T) {
 			RPMs:  []koji.RPM{},
 		},
 	}
+
 	output := []koji.BuildOutput{
 		{
 			BuildRootID:  1,
 			Filename:     filename,
-			FileSize:     uint64(filesize),
+			FileSize:     uint64(filesize), // nolint: gosec
 			Arch:         "noarch",
 			ChecksumType: koji.ChecksumTypeMD5,
 			Checksum:     hash,
@@ -190,7 +191,7 @@ func TestKojiImport(t *testing.T) {
 	initResult, err := k.CGInitBuild(build.Name, build.Version, build.Release)
 	require.NoError(t, err)
 
-	build.BuildID = uint64(initResult.BuildID)
+	build.BuildID = uint64(initResult.BuildID) // nolint: gosec
 
 	importResult, err := k.CGImport(build, buildRoots, output, uploadDirectory, initResult.Token)
 	require.NoError(t, err)

cmd/osbuild-worker/jobimpl-koji-finalize.go

@@ -141,6 +141,10 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 	}
 
 	for i, buildResult := range osbuildResults {
+		// i is a range index which never get modified, so it's safe to
+		// ignore the sec warning
+		buildRootID := uint64(i) // nolint: gosec
+
 		buildRPMs := make([]koji.RPM, 0)
 		// collect packages from stages in build pipelines
 		for _, plName := range buildResult.PipelineNames.Build {
@@ -171,7 +175,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 		kojiTargetOptions := kojiTargetResult.Options.(*target.KojiTargetResultOptions)
 
 		buildRoots = append(buildRoots, koji.BuildRoot{
-			ID: uint64(i),
+			ID: buildRootID,
 			Host: koji.Host{
 				Os:   buildResult.HostOS,
 				Arch: buildResult.Arch,
@@ -224,7 +228,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 
 		// Image output
 		outputs = append(outputs, koji.BuildOutput{
-			BuildRootID:  uint64(i),
+			BuildRootID:  buildRootID,
 			Filename:     imageFilename,
 			FileSize:     kojiTargetOptions.Image.Size,
 			Arch:         buildResult.Arch,
@@ -268,7 +272,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 			manifestOutputsExtraInfo[kojiTargetOptions.OSBuildManifest.Filename] = &manifestExtraInfo
 
 			outputs = append(outputs, koji.BuildOutput{
-				BuildRootID:  uint64(i),
+				BuildRootID:  buildRootID,
 				Filename:     kojiTargetOptions.OSBuildManifest.Filename,
 				FileSize:     kojiTargetOptions.OSBuildManifest.Size,
 				Arch:         buildResult.Arch,
@@ -286,7 +290,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 		// TODO: Remove the condition it in the future.
 		if kojiTargetOptions.Log != nil {
 			outputs = append(outputs, koji.BuildOutput{
-				BuildRootID:  uint64(i),
+				BuildRootID:  buildRootID,
 				Filename:     kojiTargetOptions.Log.Filename,
 				FileSize:     kojiTargetOptions.Log.Size,
 				Arch:         "noarch", // log file is not architecture dependent
@@ -300,7 +304,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error {
 		if len(kojiTargetOptions.SbomDocs) > 0 {
 			for _, sbomDoc := range kojiTargetOptions.SbomDocs {
 				outputs = append(outputs, koji.BuildOutput{
-					BuildRootID:  uint64(i),
+					BuildRootID:  buildRootID,
 					Filename:     sbomDoc.Filename,
 					FileSize:     sbomDoc.Size,
 					Arch:         buildResult.Arch,

cmd/osbuild-worker/jobimpl-koji-init.go

@@ -44,7 +44,10 @@ func (impl *KojiInitJobImpl) kojiInit(server, name, version, release string) (st
 		return "", 0, err
 	}
 
-	return buildInfo.Token, uint64(buildInfo.BuildID), nil
+	if buildInfo.BuildID < 0 {
+		return "", 0, fmt.Errorf("invalid koji init job build ID: %d", buildInfo.BuildID)
+	}
+	return buildInfo.Token, uint64(buildInfo.BuildID), nil // nolint: gosec
 }
 
 func (impl *KojiInitJobImpl) Run(job worker.Job) error {

internal/cloudapi/v2/handler.go

@@ -140,7 +140,10 @@ func (h *apiHandlers) PostCompose(ctx echo.Context) error {
 
 	var id uuid.UUID
 	if request.Koji != nil {
-		id, err = h.server.enqueueKojiCompose(uint64(request.Koji.TaskId), request.Koji.Server, request.Koji.Name, request.Koji.Version, request.Koji.Release, irs, channel)
+		if request.Koji.TaskId < 0 {
+			return fmt.Errorf("invalid Koji task ID: %d", request.Koji.TaskId)
+		}
+		id, err = h.server.enqueueKojiCompose(uint64(request.Koji.TaskId), request.Koji.Server, request.Koji.Name, request.Koji.Version, request.Koji.Release, irs, channel) // nolint: gosec
 		if err != nil {
 			return err
 		}

internal/cloudapi/v2/server.go

@@ -440,7 +440,7 @@ func (s *Server) enqueueKojiCompose(taskID uint64, server, name, version, releas
 		KojiFilenames: kojiFilenames,
 		KojiDirectory: kojiDirectory,
 		TaskID:        taskID,
-		StartTime:     uint64(time.Now().Unix()),
+		StartTime:     uint64(time.Now().Unix()), // nolint: gosec
 	}, initID, buildIDs, channel)
 	if err != nil {
 		return id, HTTPErrorWithInternal(ErrorEnqueueingJob, err)

internal/cloudapi/v2/v2_koji_test.go

@@ -611,7 +611,7 @@ func TestKojiJobTypeValidation(t *testing.T) {
 		KojiFilenames: filenames,
 		KojiDirectory: "koji-server-test-dir",
 		TaskID:        0,
-		StartTime:     uint64(time.Now().Unix()),
+		StartTime:     uint64(time.Now().Unix()), // nolint: gosec
 	}
 	finalizeID, err := workers.EnqueueKojiFinalize(&finalizeJob, initID, buildJobIDs, "")
 	require.NoError(t, err)