diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 6950910..471a971 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -26,6 +26,6 @@ jobs: run: make test - name: Lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@v7 with: - version: latest + version: v2.1.2
diff --git a/.golangci.yml b/.golangci.yml
index b6917c9..899589e 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,24 +1,44 @@ +version: "2" + run: - deadline: 5m + timeout: 5m output: - format: colored-line-number - -issues: - exclude-use-default: false - exclude: - - "exported \\w+ (\\S*['.]*)([a-zA-Z'.*]*) should have comment( \\(or a comment on this block\\))? or be unexported" - - "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked" - - "package-comments: should have a package comment" - - "unused-parameter: parameter '\\w+' seems to be unused, consider removing or renaming it as _" + formats: + text: + path: stdout linters: enable: - errcheck - revive - goimports - govet - misspell - staticcheck - unused - unparam + exclusions: + generated: lax + rules: + - path: (.+)\.go$ + text: exported \w+ (\S*['.]*)([a-zA-Z'.*]*) should have comment( \(or a comment on this block\))? or be unexported + - path: (.+)\.go$ + text: Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked + - path: (.+)\.go$ + text: 'package-comments: should have a package comment' + - path: (.+)\.go$ + text: 'unused-parameter: parameter ''\w+'' seems to be unused, consider removing or renaming it as _' + paths: + - third_party$ + - builtin$ + - examples$ + +formatters: + enable: + - goimports + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$
diff --git a/cmd/oidc-example-rp/server.go b/cmd/oidc-example-rp/server.go
index 492a46f..3760f8e 100644
--- a/cmd/oidc-example-rp/server.go
+++ b/cmd/oidc-example-rp/server.go
@@ -136,9 +136,9 @@ func (s *server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 s.mux.ServeHTTP(w, req)
 }
-func mustRandStr(len int) string {
- b := make([]byte, len)
- if r, err := rand.Read(b); err != nil || r != len {
+func mustRandStr(l int) string {
+ b := make([]byte, l)
+ if r, err := rand.Read(b); err != nil || r != l {
 panic("error or underread from rand.Read")
 }
 return base64.RawURLEncoding.EncodeToString(b)
diff --git a/core/oauth2_errors.go b/core/oauth2_errors.go
index 6a0c804..fb2f0a0 100644
--- a/core/oauth2_errors.go
+++ b/core/oauth2_errors.go
@@ -118,7 +118,7 @@ func writeHTTPError(w http.ResponseWriter, req *http.Request, code int, message
 type authErrorCode string
 // https://tools.ietf.org/html/rfc6749#section-4.1.2.1
-// nolint:unused,varcheck,deadcode
+// nolint:unused
 const (
 authErrorCodeInvalidRequest authErrorCode = "invalid_request"
 authErrorCodeUnauthorizedClient authErrorCode = "unauthorized_client"
@@ -168,7 +168,7 @@ func writeAuthError(w http.ResponseWriter, req *http.Request, redirectURI *url.U
 // but useful when the redirect URI is configured at the client only, and not
 // passed in the authorization request. If the error cannot make use of this, it
 // will be ignored and the original error returned
-func addRedirectToError(err error, redirectURI string) error { //nolint:unparam,unused,deadcode
+func addRedirectToError(err error, redirectURI string) error { //nolint:unparam,unused
 if err, ok := err.(*authError); ok {
 err.RedirectURI = redirectURI
 return err
@@ -179,7 +179,7 @@ func addRedirectToError(err error, redirectURI string) error { //nolint:unparam,
 type bearerErrorCode string
 // https://tools.ietf.org/html/rfc6750#section-3.1
-// nolint:unused,varcheck,deadcode
+// nolint:unused
 const (
 // The request is missing a required parameter, includes an unsupported
 // parameter or parameter value, repeats the same parameter, uses more than
diff --git a/core/oidc_test.go b/core/oidc_test.go
index 117fe01..7e16ffa 100644
--- a/core/oidc_test.go
+++ b/core/oidc_test.go
@@ -1063,7 +1063,7 @@ func matchHTTPErrStatus(code int) func(error) bool {
 }
 }
-func matchAnyErr() func(error) bool { // nolint:unused,varcheck,deadcode
+func matchAnyErr() func(error) bool { // nolint:unused
 return func(err error) bool {
 return err != nil
 }
diff --git a/core/token.go b/core/token.go
index 9cfb439..081c7d5 100644
--- a/core/token.go
+++ b/core/token.go
@@ -45,14 +45,16 @@ func newToken(sessID string, expires time.Time) (*corev1.UserToken, *accessToken
 // token. if the user token value hashes to the same value on the server.
 func tokensMatch(user *corev1.UserToken, stored *accessToken) (bool, error) {
 err := bcrypt.CompareHashAndPassword(stored.Bcrypted, user.Token)
- if err == nil {
+ switch err {
+ case nil:
 // no error in comparison, they match
 return true, nil
- } else if err == bcrypt.ErrMismatchedHashAndPassword {
+ case bcrypt.ErrMismatchedHashAndPassword:
 // they do not match, this isn't an error per se.
 return false, nil
+ default:
+ return false, fmt.Errorf("failed comparing tokens: %w", err)
 }
- return false, fmt.Errorf("failed comparing tokens: %w", err)
 }
 // marshalToken returns a user-friendly version of the token. This is the base64
diff --git a/middleware/middleware_test.go b/middleware/middleware_test.go
index 67ecbfd..b77f93e 100644
--- a/middleware/middleware_test.go
+++ b/middleware/middleware_test.go
@@ -260,7 +260,7 @@ func (s *mockOIDCServer) handleKeys(w http.ResponseWriter, r *http.Request) {
 func TestMiddleware_HappyPath(t *testing.T) {
 protected := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- _, _ = w.Write([]byte(fmt.Sprintf("sub: %s", ClaimsFromContext(r.Context()).Subject)))
+ _, _ = fmt.Fprintf(w, "sub: %s", ClaimsFromContext(r.Context()).Subject)
 })
 oidcServer, cleanupOIDCServer := startMockOIDCServer(t)
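Review bot: In `tokensMatch` (core/token.go), `switch err` matches `bcrypt.ErrMismatchedHashAndPassword` by identity, as the `==` chain it replaces did, so a mismatch error that ever arrives wrapped would fall into `default` and be reported as a comparison failure instead of a plain non-match. That still fails closed, because `default` returns `false`, but a caller that maps the returned error to a server fault would then treat an ordinary bad token as one. A tagless switch keeps the new shape and tolerates wrapping: `switch { case err == nil: … case errors.Is(err, bcrypt.ErrMismatchedHashAndPassword): … default: … }`; whether `errors` is already imported in this file is not visible from the hunk. The function's doc comment starts above the hunk.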
diff --git a/oauth2/errors.go b/oauth2/errors.go
index 87fa0cc..072a513 100644
--- a/oauth2/errors.go
+++ b/oauth2/errors.go
@@ -6,7 +6,7 @@ import "fmt"
 type TokenErrorCode string
 // https://tools.ietf.org/html/rfc6749#section-5.2
-// nolint:unused,varcheck,deadcode
+// nolint:unused
 const (
 // TokenErrorCodeInvalidRequest: The request is missing a required
 // parameter, includes an unsupported parameter value (other than grant
diff --git a/transport.go b/transport.go
index 9cd8484..666d2a5 100644
--- a/transport.go
+++ b/transport.go
@@ -34,7 +34,7 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 return nil, errors.New("missing TokenSource")
 }
- token, err := t.TokenSource.Token(req.Context())
+ token, err := t.Token(req.Context())
 if err != nil {
 return nil, err
 }
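Review bot: In `Transport.RoundTrip` (transport.go), `t.Token(req.Context())` now relies on `Token` being promoted from an embedded `TokenSource`, while the guard just above still reports "missing TokenSource", so the check and the call no longer visibly name the same thing. The guard's condition is outside the hunk; presumably it tests `t.TokenSource == nil`, and if so a short comment on the call would keep that link obvious, for example `// Token is promoted from the embedded TokenSource, which is checked for nil above.` The promoted selector would also resolve differently if `Transport` later gained its own `Token` method, which is worth guarding against in a transport that fetches the token for each outgoing request. RoundTrip's body continues beyond the hunk.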