feat(ci): migrate to golangci-lint v2

relates to #7279

Author: rubenhoenle

core/clients/continuous_refresh_test.go

@@ -212,7 +212,7 @@ func TestContinuousRefreshTokenConcurrency(t *testing.T) {
 						AccessToken:  newAccessToken,
 						RefreshToken: refreshToken,
 					}
-					responseBody, err := json.Marshal(responseBodyStruct)
+					responseBody, err := json.Marshal(responseBodyStruct) //nolint:gosec // G117: access_token is a standard field name
 					if err != nil {
 						t.Fatalf("Do call: failed to marshal additional response: %v", err)
 					}
@@ -259,7 +259,7 @@ func TestContinuousRefreshTokenConcurrency(t *testing.T) {
 					AccessToken:  accessTokenSecond,
 					RefreshToken: refreshToken,
 				}
-				responseBody, err := json.Marshal(responseBodyStruct)
+				responseBody, err := json.Marshal(responseBodyStruct) //nolint:gosec // G117: access_token is a standard field name
 				if err != nil {
 					t.Fatalf("Do call: failed request to refresh token: marshal access token response: %v", err)
 				}

core/clients/key_flow.go

@@ -183,7 +183,7 @@ func (c *KeyFlow) SetToken(accessToken, refreshToken string) error {
 	c.tokenMutex.Lock()
 	c.token = &TokenResponseBody{
 		AccessToken:  accessToken,
-		ExpiresIn:    int(exp.Time.Unix()),
+		ExpiresIn:    int(exp.Unix()),
 		RefreshToken: refreshToken,
 		Scope:        defaultScope,
 		TokenType:    defaultTokenType,
@@ -334,6 +334,7 @@ func (c *KeyFlow) createAccessToken() (err error) {
 
 // createAccessTokenWithRefreshToken creates an access token using
 // an existing pre-validated refresh token
+//
 // Deprecated: This method will be removed in future versions. Access tokens are going to be refreshed without refresh token.
 // This will be removed after 2026-07-01.
 func (c *KeyFlow) createAccessTokenWithRefreshToken() (err error) {
@@ -391,11 +392,11 @@ func (c *KeyFlow) requestToken(grant, assertion string) (*http.Response, error)
 	}
 
 	payload := strings.NewReader(body.Encode())
-	req, err := http.NewRequest(http.MethodPost, c.config.TokenUrl, payload)
+	req, err := http.NewRequest(http.MethodPost, c.config.TokenUrl, payload) //nolint:gosec // G704: Tainted URL is expected here
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 
-	return c.authClient.Do(req)
+	return c.authClient.Do(req) //nolint:gosec // G704: Tainted URL is expected here
 }

core/clients/key_flow_test.go

@@ -104,6 +104,7 @@ func TestKeyFlowInit(t *testing.T) {
 			invalidPrivateKey: true,
 			wantErr:           true,
 		},
+		//nolint:gosec // G101: These are only test values
 		{
 			name: "ok-custom-token-endpoint",
 			serviceAccountKey: fixtureServiceAccountKey(func(s *ServiceAccountKeyResponse) {
@@ -462,7 +463,7 @@ func TestKeyFlow_Do(t *testing.T) {
 								TokenType:   "Bearer",
 							}
 
-							if err := json.NewEncoder(res.Body).Encode(token); err != nil {
+							if err := json.NewEncoder(res.Body).Encode(token); err != nil { //nolint:gosec // G117: access_token is a standard field name
 								t.Logf("no error is expected, but got %v", err)
 							}
 

core/clients/workload_identity_flow.go

@@ -213,11 +213,11 @@ func (c *WorkloadIdentityFederationFlow) requestToken(clientID, assertion string
 	body.Set("client_id", clientID)
 
 	payload := strings.NewReader(body.Encode())
-	req, err := http.NewRequest(http.MethodPost, c.config.TokenUrl, payload)
+	req, err := http.NewRequest(http.MethodPost, c.config.TokenUrl, payload) //nolint:gosec // G704: Tainted URL is expected here
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 
-	return c.authClient.Do(req)
+	return c.authClient.Do(req) //nolint:gosec // G704: Tainted URL is expected here
 }

core/clients/workload_identity_flow_test.go

@@ -181,7 +181,7 @@ func TestWorkloadIdentityFlowRoundTrip(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			authServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				err := r.ParseForm()
+				err := r.ParseForm() //nolint:gosec // G120: Safe to bypass inside unit tests
 				if err != nil {
 					t.Fatalf("failed to parse form: %v", err)
 				}
@@ -217,7 +217,7 @@ func TestWorkloadIdentityFlowRoundTrip(t *testing.T) {
 					TokenType:   "Bearer",
 				}
 
-				payload, err := json.Marshal(tokenResponse)
+				payload, err := json.Marshal(tokenResponse) //nolint:gosec // G117: access_token is a standard field name
 				if err != nil {
 					t.Fatalf("failed to create token payload: %v", err)
 				}

core/config/config.go

@@ -430,9 +430,9 @@ func (sc ServerConfigurations) URL(index int, variables map[string]string) (stri
 			if !found {
 				return "", fmt.Errorf("the variable %s in the server URL has invalid value %v. Must be %v", name, value, variable.EnumValues)
 			}
-			serverUrl = strings.Replace(serverUrl, "{"+name+"}", value, -1)
+			serverUrl = strings.ReplaceAll(serverUrl, "{"+name+"}", value)
 		} else {
-			serverUrl = strings.Replace(serverUrl, "{"+name+"}", variable.DefaultValue, -1)
+			serverUrl = strings.ReplaceAll(serverUrl, "{"+name+"}", variable.DefaultValue)
 		}
 	}
 	return serverUrl, nil
@@ -554,7 +554,7 @@ func ConfigureRegion(cfg *Configuration) error {
 		}
 		// API is regional (not global)
 		if containsCaseSensitive(availableRegions, cfg.Region) {
-			cfgUrl := strings.Replace(servers[0].URL, "{region}", fmt.Sprintf("%s.", cfg.Region), -1)
+			cfgUrl := strings.ReplaceAll(servers[0].URL, "{region}", fmt.Sprintf("%s.", cfg.Region))
 			cfg.Servers = ServerConfigurations{
 				{
 					URL:         cfgUrl,
@@ -574,7 +574,7 @@ func ConfigureRegion(cfg *Configuration) error {
 	}
 	// If the url is a template, generated using deprecated config.json, the region variable is replaced
 	// If the url is already configured, there is no region variable and it remains the same
-	cfgUrl := strings.Replace(servers[0].URL, "{region}", "", -1)
+	cfgUrl := strings.ReplaceAll(servers[0].URL, "{region}", "")
 	cfg.Servers = ServerConfigurations{
 		{
 			URL:         cfgUrl,

golang-ci.yaml

@@ -1,102 +1,99 @@
 # This file contains all available configuration options
 # with their default values.
 
+version: "2"
+
 # options for analysis running
 run:
   # default concurrency is a available CPU number
   concurrency: 4
-
-  # timeout for analysis, e.g. 30s, 5m, default is 1m
-  timeout: 5m
-linters-settings:
-  goimports:
-    # put imports beginning with prefix after 3rd-party packages;
-    # it's a comma-separated list of prefixes
-    local-prefixes: github.com/stackitcloud/stackit-sdk-go
-  depguard:
-    rules:
-        main:
-          list-mode: lax # Everything is allowed unless it is denied
-          deny:
-            - pkg: "github.com/stretchr/testify"
-              desc: Do not use a testing framework
-  misspell:
-    # Correct spellings using locale preferences for US or UK.
-    # Default is to use a neutral variety of English.
-    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
-    locale: US
-  golint:
-    min-confidence: 0.8
-  gosec:
-    excludes:
-    # Suppressions: (see https://github.com/securego/gosec#available-rules for details)
-      - G104 # "Audit errors not checked" -> which we don't need and is a badly implemented version of errcheck
-      - G102 # "Bind to all interfaces" -> since this is normal in k8s
-      - G304 # "File path provided as taint input" -> too many false positives
-      - G307 # "Deferring unsafe method "Close" on type "io.ReadCloser" -> false positive when calling defer resp.Body.Close()
-  nakedret:
-    max-func-lines: 0
-  revive:
-    ignore-generated-header: true
-    severity: error
-    # https://github.com/mgechev/revive
-    rules:
-      - name: errorf
-      - name: context-as-argument
-      - name: error-return
-      - name: increment-decrement
-      - name: indent-error-flow
-      - name: superfluous-else
-      - name: unused-parameter
-      - name: unreachable-code
-      - name: atomic
-      - name: empty-lines
-      - name: early-return
-  gocritic:
-    enabled-tags:
-      - performance
-      - style
-      - experimental
-    disabled-checks:
-      - wrapperFunc
-      - typeDefFirst
-      - ifElseChain
-      - dupImport # https://github.com/go-critic/go-critic/issues/845
 linters:
   enable:
-    # https://golangci-lint.run/usage/linters/
-    # default linters
-    - gosimple
-    - govet
-    - ineffassign
-    - staticcheck
-    - typecheck
-    - unused
-    # additional linters
+    - bodyclose
+    - depguard
     - errorlint
+    - forcetypeassert
     - gochecknoinits
     - gocritic
-    - gofmt
-    - goimports
     - gosec
     - misspell
     - nakedret
     - revive
-    - depguard
-    - bodyclose
     - sqlclosecheck
     - wastedassign
-    - forcetypeassert
-    - errcheck
   disable:
     - noctx # false positive: finds errors with http.NewRequest that dont make sense
     - unparam # false positives
-issues:
-  exclude-use-default: false
-  exclude-rules:
-    # This ignores all deprecation warnings in the old wait packages while we have the compatibilty layer in place
-    - path: ^wait/[^/]+\.go$
-      linters:
-        - staticcheck
-      text: "SA1019:" 
-go: 1.25
+  settings:
+    depguard:
+      rules:
+        main:
+          list-mode: lax # Everything is allowed unless it is denied
+          deny:
+            - pkg: github.com/stretchr/testify
+              desc: Do not use a testing framework
+    gocritic:
+      disabled-checks:
+        - wrapperFunc
+        - typeDefFirst
+        - ifElseChain
+        - dupImport # https://github.com/go-critic/go-critic/issues/845
+      enabled-tags:
+        - performance
+        - style
+        - experimental
+    gosec:
+      excludes:
+      # Suppressions: (see https://github.com/securego/gosec#available-rules for details)
+        - G104 # "Audit errors not checked" -> which we don't need and is a badly implemented version of errcheck
+        - G102 # "Bind to all interfaces" -> since this is normal in k8s
+        - G304 # "File path provided as taint input" -> too many false positives
+        - G307 # "Deferring unsafe method "Close" on type "io.ReadCloser" -> false positive when calling defer resp.Body.Close()
+    misspell:
+      # Correct spellings using locale preferences for US or UK.
+      # Default is to use a neutral variety of English.
+      # Setting locale to US will correct the British spelling of 'colour' to 'color'.
+      locale: US
+    nakedret:
+      max-func-lines: 0
+    revive:
+      severity: error
+      # https://github.com/mgechev/revive
+      rules:
+        - name: errorf
+        - name: context-as-argument
+        - name: error-return
+        - name: increment-decrement
+        - name: indent-error-flow
+        - name: superfluous-else
+        - name: unused-parameter
+        - name: unreachable-code
+        - name: atomic
+        - name: empty-lines
+        - name: early-return
+  exclusions:
+    generated: lax
+    rules:
+      - linters:
+          - staticcheck
+        # This ignores all deprecation warnings in the old wait packages while we have the compatibilty layer in place
+        path: wait/[^/]+\.go$
+        text: "SA1019:"
+    paths:
+      - third_party$
+      - builtin$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    goimports:
+      # put imports beginning with prefix after 3rd-party packages;
+      # it's a comma-separated list of prefixes
+      local-prefixes:
+        - github.com/stackitcloud/stackit-sdk-go
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$

scripts/project.sh

@@ -16,7 +16,7 @@ elif [ "$action" = "tools" ]; then
 
     go mod download
 
-    go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.62.0
+    go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
 else
     echo "Invalid action: '$action', please use $0 help for help"
 fi

services/cdn/wait/wait.go

@@ -26,6 +26,7 @@ const (
 )
 
 // Interfaces needed for tests
+//
 // Deprecated: Will be removed after 2026-09-30. Move to the packages generated for each available API version instead
 type APIClientInterface interface {
 	GetDistributionExecute(ctx context.Context, projectId string, distributionId string) (*cdn.GetDistributionResponse, error)

services/dns/wait/wait.go

@@ -25,13 +25,15 @@ const (
 )
 
 // Interfaces needed for tests
+//
 // Deprecated: Will be removed after 2026-09-30. Move to the packages generated for each available API version instead
 type APIClientInterface interface {
 	GetZoneExecute(ctx context.Context, projectId, zoneId string) (*dns.ZoneResponse, error)
 	GetRecordSetExecute(ctx context.Context, projectId, zoneId, rrSetId string) (*dns.RecordSetResponse, error)
 }
 
 // CreateZoneWaitHandler will wait for zone creation
+//
 // Deprecated: Will be removed after 2026-09-30. Move to the packages generated for each available API version instead
 func CreateZoneWaitHandler(ctx context.Context, a APIClientInterface, projectId, instanceId string) *wait.AsyncActionHandler[dns.ZoneResponse] {
 	handler := wait.New(func() (waitFinished bool, response *dns.ZoneResponse, err error) {
@@ -55,6 +57,7 @@ func CreateZoneWaitHandler(ctx context.Context, a APIClientInterface, projectId,
 }
 
 // PartialUpdateZoneWaitHandler will wait for zone update
+//
 // Deprecated: Will be removed after 2026-09-30. Move to the packages generated for each available API version instead
 func PartialUpdateZoneWaitHandler(ctx context.Context, a APIClientInterface, projectId, instanceId string) *wait.AsyncActionHandler[dns.ZoneResponse] {
 	handler := wait.New(func() (waitFinished bool, response *dns.ZoneResponse, err error) {
@@ -79,6 +82,7 @@ func PartialUpdateZoneWaitHandler(ctx context.Context, a APIClientInterface, pro
 
 // DeleteZoneWaitHandler will wait for zone deletion
 // returned interface is nil or *ZoneResponseZone
+//
 // Deprecated: Will be removed after 2026-09-30. Move to the packages generated for each available API version instead
 func DeleteZoneWaitHandler(ctx context.Context, a APIClientInterface, projectId, instanceId string) *wait.AsyncActionHandler[dns.ZoneResponse] {
 	handler := wait.New(func() (waitFinished bool, response *dns.ZoneResponse, err error) {
@@ -102,6 +106,7 @@ func DeleteZoneWaitHandler(ctx context.Context, a APIClientInterface, projectId,
 }
 
 // CreateRecordWaitHandler will wait for recordset creation
+//
 // Deprecated: Will be removed after 2026-09-30. Move to the packages generated for each available API version instead
 func CreateRecordSetWaitHandler(ctx context.Context, a APIClientInterface, projectId, instanceId, rrSetId string) *wait.AsyncActionHandler[dns.RecordSetResponse] {
 	handler := wait.New(func() (waitFinished bool, response *dns.RecordSetResponse, err error) {
@@ -125,6 +130,7 @@ func CreateRecordSetWaitHandler(ctx context.Context, a APIClientInterface, proje
 }
 
 // UpdateRecordWaitHandler will wait for recordset update
+//
 // Deprecated: Will be removed after 2026-09-30. Move to the packages generated for each available API version instead
 func PartialUpdateRecordSetWaitHandler(ctx context.Context, a APIClientInterface, projectId, instanceId, rrSetId string) *wait.AsyncActionHandler[dns.RecordSetResponse] {
 	handler := wait.New(func() (waitFinished bool, response *dns.RecordSetResponse, err error) {
@@ -149,6 +155,7 @@ func PartialUpdateRecordSetWaitHandler(ctx context.Context, a APIClientInterface
 
 // DeleteRecordWaitHandler will wait for deletion
 // returned interface is nil or *RecordSetResponse
+//
 // Deprecated: Will be removed after 2026-09-30. Move to the packages generated for each available API version instead
 func DeleteRecordSetWaitHandler(ctx context.Context, a APIClientInterface, projectId, instanceId, rrSetId string) *wait.AsyncActionHandler[dns.RecordSetResponse] {
 	handler := wait.New(func() (waitFinished bool, response *dns.RecordSetResponse, err error) {