From 8ccb7c80c49c77b3e49ef5f54e59ba4306133c9f Mon Sep 17 00:00:00 2001 From: Russell Rollins Date: Wed, 16 Apr 2025 16:49:00 -0400 Subject: [PATCH 1/8] Update and pin golangci-lint. --- .github/workflows/go.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 6950910..471a971 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -26,6 +26,6 @@ jobs: run: make test - name: Lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@v7 with: - version: latest + version: v2.1.2 From 2b533a5674b71ec6ad8e0b51418f42ac88a81436 Mon Sep 17 00:00:00 2001 From: Russell Rollins Date: Wed, 16 Apr 2025 16:58:45 -0400 Subject: [PATCH 2/8] Update to v2 config. --- .golangci.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index b6917c9..00144c6 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,8 +1,11 @@ run: - deadline: 5m + timeout: 5m output: - format: colored-line-number + formats: + text: + path: stdout + colors: true issues: exclude-use-default: false From 35276bc437dff1ae4900c989463368f2f1860803 Mon Sep 17 00:00:00 2001 From: Russell Rollins Date: Wed, 16 Apr 2025 17:04:26 -0400 Subject: [PATCH 3/8] More golangci-lint hackery. --- .golangci.yml | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 00144c6..899589e 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,3 +1,5 @@ +version: "2" + run: timeout: 5m 
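Review bot: The Lint step in .github/workflows/go.yml now pins the linter binary (`version: v2.1.2`) but still references the action itself by a movable tag, `golangci/golangci-lint-action@v7`. A tag can be re-pointed upstream, so the action code that runs in CI is not fixed by this change. Referencing the full commit SHA, with the tag kept as a trailing comment, completes the pin: `uses: golangci/golangci-lint-action@<full-commit-sha-of-v7-release> # v7` (the SHA is a placeholder to be filled in from the action's release). The rest of the workflow is outside the hunk, so other `uses:` lines may need the same treatment.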
@@ -5,23 +7,38 @@ output: formats: text: path: stdout - colors: true - -issues: - exclude-use-default: false - exclude: - - "exported \\w+ (\\S*['.]*)([a-zA-Z'.*]*) should have comment( \\(or a comment on this block\\))? or be unexported" - - "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked" - - "package-comments: should have a package comment" - - "unused-parameter: parameter '\\w+' seems to be unused, consider removing or renaming it as _" linters: enable: - errcheck - revive - - goimports - govet - misspell - staticcheck - unused - unparam + exclusions: + generated: lax + rules: + - path: (.+)\.go$ + text: exported \w+ (\S*['.]*)([a-zA-Z'.*]*) should have comment( \(or a comment on this block\))? or be unexported + - path: (.+)\.go$ + text: Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked + - path: (.+)\.go$ + text: 'package-comments: should have a package comment' + - path: (.+)\.go$ + text: 'unused-parameter: parameter ''\w+'' seems to be unused, consider removing or renaming it as _' + paths: + - third_party$ + - builtin$ + - examples$ + +formatters: + enable: + - goimports + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ From 0bcef8ea62c509e268ee414ea24908eaf7ca65ea Mon Sep 17 00:00:00 2001 From: Russell Rollins Date: Wed, 16 Apr 2025 17:06:30 -0400 Subject: [PATCH 4/8] Don't shadow "len". --- cmd/oidc-example-rp/server.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/oidc-example-rp/server.go b/cmd/oidc-example-rp/server.go index 492a46f..3760f8e 100644 --- a/cmd/oidc-example-rp/server.go +++ b/cmd/oidc-example-rp/server.go 
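Review bot: The four migrated rules under `linters.exclusions.rules` in .golangci.yml match only on `path: (.+)\.go$` and message text, so each one suppresses a matching message from any enabled linter in every Go file. Scoping each rule to the linter it was written for keeps the suppression as narrow as intended, for example `linters: [errcheck]` on the `Error return value of …` rule and `linters: [revive]` on the three comment and unused-parameter rules (presumably revive, going by the message text). The errcheck rule also silences unchecked `.*Close` and `.*Flush` results everywhere. That is carried over from the old `issues.exclude` list, but it is worth confirming it is still wanted for code that writes files or HTTP responses.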
@@ -136,9 +136,9 @@ func (s *server) ServeHTTP(w http.ResponseWriter, req *http.Request) { s.mux.ServeHTTP(w, req) } -func mustRandStr(len int) string { - b := make([]byte, len) - if r, err := rand.Read(b); err != nil || r != len { +func mustRandStr(l int) string { + b := make([]byte, l) + if r, err := rand.Read(b); err != nil || r != l { panic("error or underread from rand.Read") } return base64.RawURLEncoding.EncodeToString(b) From f969a806b73548ceea73fa029583239dc2db2aa5 Mon Sep 17 00:00:00 2001 From: Russell Rollins Date: Wed, 16 Apr 2025 17:10:12 -0400 Subject: [PATCH 5/8] Use tagged switch instead of if/else chain. --- core/token.go | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/core/token.go b/core/token.go index 9cfb439..081c7d5 100644 --- a/core/token.go +++ b/core/token.go @@ -45,14 +45,16 @@ func newToken(sessID string, expires time.Time) (*corev1.UserToken, *accessToken // token. if the user token value hashes to the same value on the server. func tokensMatch(user *corev1.UserToken, stored *accessToken) (bool, error) { err := bcrypt.CompareHashAndPassword(stored.Bcrypted, user.Token) - if err == nil { + switch err { + case nil: // no error in comparison, they match return true, nil - } else if err == bcrypt.ErrMismatchedHashAndPassword { + case bcrypt.ErrMismatchedHashAndPassword: // they do not match, this isn't an error per se. return false, nil + default: + return false, fmt.Errorf("failed comparing tokens: %w", err) } - return false, fmt.Errorf("failed comparing tokens: %w", err) } // marshalToken returns a user-friendly version of the token. This is the base64 From 76a9d11382552a9109309fe20fb3b57ba5b93431 Mon Sep 17 00:00:00 2001 From: Russell Rollins Date: Wed, 16 Apr 2025 17:12:23 -0400 Subject: [PATCH 6/8] Use fmt.Fprintf(...) instead of Write([]byte(fmt.Sprintf(...))) --- middleware/middleware_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
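Review bot: mustRandStr in cmd/oidc-example-rp/server.go has no doc comment, and the renamed parameter `l` is the number of random bytes, not the length of the returned string, which is the longer base64url encoding of those bytes. A comment such as `// mustRandStr returns the unpadded base64url encoding of l random bytes; it panics if rand.Read fails or reads short.` would make that explicit. The name `n` would also read more clearly than `l`, which is easily mistaken for `1`. The import block is outside the hunk, so it is worth confirming that `rand` is crypto/rand, since an example relying party would presumably use this value for state or nonce parameters.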
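Review bot: The new `switch err` in tokensMatch (core/token.go) compares the bcrypt error by identity, so `case bcrypt.ErrMismatchedHashAndPassword:` matches only the bare sentinel. If the error ever arrives wrapped, an ordinary mismatch falls through to `default` and is reported as a comparison failure. The token is still rejected, but callers get an error instead of `false, nil`. A tagless switch keeps the same shape and tolerates wrapping: `switch { case err == nil: … case errors.Is(err, bcrypt.ErrMismatchedHashAndPassword): … default: … }`. This needs the `errors` package, and the import block is outside the hunk.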
diff --git a/middleware/middleware_test.go b/middleware/middleware_test.go index 67ecbfd..b77f93e 100644 --- a/middleware/middleware_test.go +++ b/middleware/middleware_test.go @@ -260,7 +260,7 @@ func (s *mockOIDCServer) handleKeys(w http.ResponseWriter, r *http.Request) { func TestMiddleware_HappyPath(t *testing.T) { protected := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - _, _ = w.Write([]byte(fmt.Sprintf("sub: %s", ClaimsFromContext(r.Context()).Subject))) + _, _ = fmt.Fprintf(w, "sub: %s", ClaimsFromContext(r.Context()).Subject) }) oidcServer, cleanupOIDCServer := startMockOIDCServer(t) From d1854233eefb230f109e28a0b5c218ce2e778ccd Mon Sep 17 00:00:00 2001 From: Russell Rollins Date: Wed, 16 Apr 2025 17:13:36 -0400 Subject: [PATCH 7/8] remove embedded field "TokenSource" from selector --- transport.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/transport.go b/transport.go index 9cd8484..666d2a5 100644 --- a/transport.go +++ b/transport.go @@ -34,7 +34,7 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) { return nil, errors.New("missing TokenSource") } - token, err := t.TokenSource.Token(req.Context()) + token, err := t.Token(req.Context()) if err != nil { return nil, err } From 760de8b5f09f78ae2ef1ad2c363e77fcc568b3eb Mon Sep 17 00:00:00 2001 From: Russell Rollins Date: Wed, 16 Apr 2025 17:16:14 -0400 Subject: [PATCH 8/8] Remove nolint directives for no-longer-extant linters. --- core/oauth2_errors.go | 6 +++--- core/oidc_test.go | 2 +- oauth2/errors.go | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/core/oauth2_errors.go b/core/oauth2_errors.go index 6a0c804..fb2f0a0 100644 --- a/core/oauth2_errors.go +++ b/core/oauth2_errors.go 
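Review bot: In Transport.RoundTrip (transport.go) the new call `t.Token(req.Context())` no longer names the field that the guard just above it reports as `missing TokenSource`, so the link between the check and the call is now implicit. A short comment keeps it visible: `// Token is promoted from the embedded TokenSource, which the check above requires to be set.` The condition of that check is outside the hunk, so this assumes it tests `t.TokenSource` for nil. If it does not, calling the promoted method on a nil embedded interface would panic. RoundTrip begins and ends outside the hunk.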
@@ -118,7 +118,7 @@ func writeHTTPError(w http.ResponseWriter, req *http.Request, code int, message type authErrorCode string // https://tools.ietf.org/html/rfc6749#section-4.1.2.1 -// nolint:unused,varcheck,deadcode +// nolint:unused const ( authErrorCodeInvalidRequest authErrorCode = "invalid_request" authErrorCodeUnauthorizedClient authErrorCode = "unauthorized_client" @@ -168,7 +168,7 @@ func writeAuthError(w http.ResponseWriter, req *http.Request, redirectURI *url.U // but useful when the redirect URI is configured at the client only, and not // passed in the authorization request. If the error cannot make use of this, it // will be ignored and the original error returned -func addRedirectToError(err error, redirectURI string) error { //nolint:unparam,unused,deadcode +func addRedirectToError(err error, redirectURI string) error { //nolint:unparam,unused if err, ok := err.(*authError); ok { err.RedirectURI = redirectURI return err @@ -179,7 +179,7 @@ func addRedirectToError(err error, redirectURI string) error { //nolint:unparam, type bearerErrorCode string // https://tools.ietf.org/html/rfc6750#section-3.1 -// nolint:unused,varcheck,deadcode +// nolint:unused const ( // The request is missing a required parameter, includes an unsupported // parameter or parameter value, repeats the same parameter, uses more than diff --git a/core/oidc_test.go b/core/oidc_test.go index 117fe01..7e16ffa 100644 --- a/core/oidc_test.go +++ b/core/oidc_test.go @@ -1063,7 +1063,7 @@ func matchHTTPErrStatus(code int) func(error) bool { } } -func matchAnyErr() func(error) bool { // nolint:unused,varcheck,deadcode +func matchAnyErr() func(error) bool { // nolint:unused return func(err error) bool { return err != nil } diff --git a/oauth2/errors.go b/oauth2/errors.go index 87fa0cc..072a513 100644 --- a/oauth2/errors.go +++ b/oauth2/errors.go 
@@ -6,7 +6,7 @@ import "fmt" type TokenErrorCode string // https://tools.ietf.org/html/rfc6749#section-5.2 -// nolint:unused,varcheck,deadcode +// nolint:unused const ( // TokenErrorCodeInvalidRequest: The request is missing a required // parameter, includes an unsupported parameter value (other than grant