🧹 Address review: use sync.Once, revert copyright, add spelling entries

tas50 · claude · tas50 · commit 421faf0554a6 · 2026-04-01T23:42:38.000-07:00
- Replace double-checked locking with sync.Once for race-free fetching
- Revert unintentional copyright header change in os.lr.versions
- Add "efi" and "secureboot" to spell-check expect.txt

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -74,6 +74,7 @@ draid
 dsse
 eas
 Ecmp
+efi
 eip
 ekm
 ekus
@@ -227,6 +228,7 @@ Sas
 sbom
 scim
 scm
+secureboot
 SECRETID
 secretmanager
 SECRETVALUE
diff --git a/providers/os/resources/os.lr.versions b/providers/os/resources/os.lr.versions
@@ -1,4 +1,4 @@
-# Copyright (c) Mondoo, Inc.
+# Copyright Mondoo, Inc. 2024, 2026
 # SPDX-License-Identifier: BUSL-1.1
 
 apache2 11.8.14
diff --git a/providers/os/resources/secureboot.go b/providers/os/resources/secureboot.go
@@ -14,46 +14,35 @@ import (
 const efiGlobalVariable = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
 
 type mqlMachineSecurebootInternal struct {
-	statusFetched  bool
+	once           sync.Once
 	cacheEfi       bool
 	cacheEnabled   bool
 	cacheSetupMode bool
-	lock           sync.Mutex
+	fetchErr       error
 }
 
 func (s *mqlMachineSecureboot) id() (string, error) {
 	return "machine.secureboot", nil
 }
 
 // fetchStatus reads the EFI firmware variables once and caches the result.
-// Uses double-checked locking to avoid redundant filesystem reads.
 func (s *mqlMachineSecureboot) fetchStatus() error {
-	if s.statusFetched {
-		return nil
-	}
-	s.lock.Lock()
-	defer s.lock.Unlock()
-	if s.statusFetched {
-		return nil
-	}
-
-	conn := s.MqlRuntime.Connection.(shared.Connection)
-	fs := conn.FileSystem()
-
-	// Check if the system is booted in EFI mode by looking for /sys/firmware/efi.
-	_, err := fs.Stat("/sys/firmware/efi")
-	if err != nil {
-		// No EFI directory means legacy BIOS boot — no Secure Boot possible.
-		s.statusFetched = true
-		return nil
-	}
-	s.cacheEfi = true
+	s.once.Do(func() {
+		conn := s.MqlRuntime.Connection.(shared.Connection)
+		fs := conn.FileSystem()
 
-	s.cacheEnabled = readEfiVarBool(fs, "SecureBoot-"+efiGlobalVariable)
-	s.cacheSetupMode = readEfiVarBool(fs, "SetupMode-"+efiGlobalVariable)
+		// Check if the system is booted in EFI mode by looking for /sys/firmware/efi.
+		_, err := fs.Stat("/sys/firmware/efi")
+		if err != nil {
+			// No EFI directory means legacy BIOS boot — no Secure Boot possible.
+			return
+		}
+		s.cacheEfi = true
 
-	s.statusFetched = true
-	return nil
+		s.cacheEnabled = readEfiVarBool(fs, "SecureBoot-"+efiGlobalVariable)
+		s.cacheSetupMode = readEfiVarBool(fs, "SetupMode-"+efiGlobalVariable)
+	})
+	return s.fetchErr
 }
 
 // readEfiVarBool reads an EFI variable from /sys/firmware/efi/efivars/ and

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# Copyright (c) Mondoo, Inc.`
	`1`	`+# Copyright Mondoo, Inc. 2024, 2026`
`2`	`2`	`# SPDX-License-Identifier: BUSL-1.1`
`3`	`3`
`4`	`4`	`apache2 11.8.14`