feat(TFP): Upgrade TFP linter to golangci-lint v2

docs/resources/sfs_share.md

@@ -37,13 +37,13 @@ import {
 ### Required
 
 - `export_policy` (String) Name of the Share Export Policy to use in the Share.
-Note that if this is set to an empty string, the Share can only be mounted in read only by 
-clients with IPs matching the IP ACL of the Resource Pool hosting this Share. 
+Note that if this is set to an empty string, the Share can only be mounted in read only by
+clients with IPs matching the IP ACL of the Resource Pool hosting this Share.
 You can also assign a Share Export Policy after creating the Share
 - `name` (String) Name of the share.
 - `project_id` (String) STACKIT project ID to which the share is associated.
 - `resource_pool_id` (String) The ID of the resource pool for the SFS share.
-- `space_hard_limit_gigabytes` (Number) Space hard limit for the Share. 
+- `space_hard_limit_gigabytes` (Number) Space hard limit for the Share.
 				If zero, the Share will have access to the full space of the Resource Pool it lives in.
 				(unit: gigabytes)
 

golang-ci.yaml

@@ -1,15 +1,11 @@
-# This file contains all available configuration options
-# with their default values.
-
 version: "2"
 # options for analysis running
 run:
   # default concurrency is a available CPU number
   concurrency: 4
 
-  # timeout for analysis, e.g. 30s, 5m, default is 1m
-  timeout: 5m
 linters:
+  # https://golangci-lint.run/usage/linters/
   enable:
     - bodyclose
     - depguard
@@ -48,11 +44,26 @@ linters:
     gosec:
       excludes:
         # Suppressions: (see https://github.com/securego/gosec#available-rules for details)
-        - G101 # "Look for hardcoded credentials" -> a lot of false positives in descriptions for resources like mariadb/credential
         - G104 # "Audit errors not checked" -> which we don't need and is a badly implemented version of errcheck
         - G102 # "Bind to all interfaces" -> since this is normal in k8s
         - G304 # "File path provided as taint input" -> too many false positives
         - G307 # "Deferring unsafe method "Close" on type "io.ReadCloser" -> false positive when calling defer resp.Body.Close()
+    staticcheck:
+      checks:
+        # Default: (from https://golangci-lint.run/docs/linters/configuration/#staticcheck)
+        - all
+        - "-ST1000" # Incorrect or missing package comment.
+        - "-ST1003" # Poorly chosen identifier.
+        - "-ST1016" # Use consistent method receiver names.
+        - "-ST1020" # The documentation of an exported function should start with the function's name.
+        - "-ST1021" # The documentation of an exported function should start with the function's name.
+        - "-ST1022" # The documentation of an exported variable or constant should start with variable's name.
+        # Custom:
+        - "-QF1001" # disable 'could apply De Morgan's law': readability of boolean expressions is subjective and should be decided on a case-by-case basis
+        - "-SA1019" # disable deprecation errors while we switch over to the SDK structure with multi API version support
+        - "-QF1012" # disable 'use fmt.Fprintf instead' Fprintf returns bytes written and an error, which we'd have to handle/ignore to appease some other linter
+        - "-ST1005" # Incorrectly formatted error string.
+        - "-QF1003" # Convert if/else-if chain to tagged switch.
     misspell:
       # Correct spellings using locale preferences for US or UK.
       # Default is to use a neutral variety of English.
@@ -75,27 +86,8 @@ linters:
         - name: atomic
         - name: empty-lines
         - name: early-return
-    staticcheck:
-      checks:
-        # default from https://golangci-lint.run/docs/linters/configuration/#staticcheck
-        - all
-        - "-ST1000"
-        - "-ST1003"
-        - "-ST1016"
-        - "-ST1020"
-        - "-ST1021"
-        - "-ST1022"
-        # customizations
-        - "-SA1019" # disable deprecation errors while we switch over to the SDK structure with multi API version support
-        - "-QF1001" # disable 'could apply De Morgan's law': readability of boolean expressions is subjective and should be decided on a case-by-case basis
-        - "-QF1012" # disable 'use fmt.Fprintf instead' Fprintf returns bytes written and an error, which we'd have to handle/ignore to appease some other linter
   exclusions:
     generated: lax
-    rules:
-      - linters:
-          - gocritic
-        text: 'dupOption'
-        path: _acc_test\.go
     paths:
       - third_party$
       - builtin$

scripts/project.sh

@@ -16,6 +16,7 @@ elif [ "$action" = "tools" ]; then
 
     go mod download
 
+    go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.2
     go install github.com/hashicorp/terraform-plugin-docs/cmd/tfplugindocs@v0.21.0
 else
     echo "Invalid action: '$action', please use $0 help for help"

stackit/internal/services/access_token/ephemeral_resource_test.go

@@ -30,7 +30,7 @@ func startMockTokenServer() *httptest.Server {
 			Scope:       "mock_scope",
 		}
 		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(resp) // nolint:gosec // mock_access_token is not sensitive information
+		_ = json.NewEncoder(w).Encode(resp) //nolint:gosec // no secret, just a mock
 	})
 	return httptest.NewServer(handler)
 }
@@ -64,7 +64,7 @@ func writeTempPEMFile(t *testing.T, pemContent string) string {
 	}
 
 	t.Cleanup(func() {
-		_ = os.Remove(tmpFile.Name())
+		_ = os.Remove(tmpFile.Name()) //nolint:gosec // Filename safely generated through os.CreateTemp
 	})
 
 	return tmpFile.Name()

stackit/internal/services/cdn/distribution/resource.go

@@ -107,7 +107,7 @@ type backend struct {
 }
 
 type backendCredentials struct {
-	AccessKey *string `tfsdk:"access_key_id"`
+	AccessKey *string `tfsdk:"access_key_id"` //nolint:gosec // AccessKey should be exported from this struct
 	SecretKey *string `tfsdk:"secret_access_key"`
 }
 

stackit/internal/services/dns/dns_acc_test.go

@@ -117,12 +117,9 @@ func TestAccDnsMinResource(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_dns_zone.zone", "project_id", testutil.ProjectId),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "zone_id"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "state"),
-
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "primary_name_server"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "serial_number"),
-					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "state"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "visibility"),
-					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "zone_id"),
 					// Record set data
 					resource.TestCheckResourceAttrPair(
 						"stackit_dns_record_set.record_set", "project_id",
@@ -242,9 +239,7 @@ func TestAccDnsMinResource(t *testing.T) {
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "state"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "primary_name_server"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "serial_number"),
-					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "state"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "visibility"),
-					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "zone_id"),
 					// Record set data
 					resource.TestCheckResourceAttrPair(
 						"stackit_dns_record_set.record_set", "project_id",
@@ -306,9 +301,7 @@ func TestAccDnsMaxResource(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_dns_zone.zone", "type", testutil.ConvertConfigVariable(testConfigVarsMax["type"])),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "primary_name_server"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "serial_number"),
-					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "state"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "visibility"),
-					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "zone_id"),
 
 					resource.TestCheckResourceAttrSet("stackit_dns_record_set.record_set", "record_set_id"),
 					resource.TestCheckResourceAttr("stackit_dns_record_set.record_set", "name", testutil.ConvertConfigVariable(testConfigVarsMax["record_name"])),
@@ -480,9 +473,7 @@ func TestAccDnsMaxResource(t *testing.T) {
 					resource.TestCheckResourceAttr("stackit_dns_zone.zone", "type", testutil.ConvertConfigVariable(testConfigVarsMax["type"])),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "primary_name_server"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "serial_number"),
-					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "state"),
 					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "visibility"),
-					resource.TestCheckResourceAttrSet("stackit_dns_zone.zone", "zone_id"),
 					// Record set data
 					resource.TestCheckResourceAttrPair(
 						"stackit_dns_record_set.record_set", "project_id",