chore(deps): update dependency golangci/golangci-lint to v2.11.3 (#4261)

renovate[bot] · carabasdaniel · actions-user · commit a1b355922f3a · 2026-03-16T15:10:17.000Z
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [golangci/golangci-lint](https://redirect.github.com/golangci/golangci-lint) | minor | `v2.10.1` → `v2.11.3` | | [golangci/golangci-lint](https://redirect.github.com/golangci/golangci-lint) | minor | `2.10.1` → `2.11.3` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information. --- ### Release Notes <details> <summary>golangci/golangci-lint (golangci/golangci-lint)</summary> ### [`v2.11.3`](https://redirect.github.com/golangci/golangci-lint/blob/HEAD/CHANGELOG.md#v2113) [Compare Source](https://redirect.github.com/golangci/golangci-lint/compare/v2.11.2...v2.11.3) *Released on 2026-03-10* 1. Linters bug fixes - `gosec`: from v2.24.7 to [`619ce21`](https://redirect.github.com/golangci/golangci-lint/commit/619ce2117e08) ### [`v2.11.2`](https://redirect.github.com/golangci/golangci-lint/blob/HEAD/CHANGELOG.md#v2112) [Compare Source](https://redirect.github.com/golangci/golangci-lint/compare/v2.11.1...v2.11.2) *Released on 2026-03-07* 1. Fixes - `fmt`: fix error when using the `fmt` command with explicit paths. ### [`v2.11.1`](https://redirect.github.com/golangci/golangci-lint/blob/HEAD/CHANGELOG.md#v2111) [Compare Source](https://redirect.github.com/golangci/golangci-lint/compare/v2.11.0...v2.11.1) *Released on 2026-03-06* Due to an error related to AUR, some artifacts of the v2.11.0 release have not been published. This release contains the same things as v2.11.0. ### [`v2.11.0`](https://redirect.github.com/golangci/golangci-lint/blob/HEAD/CHANGELOG.md#v2110) [Compare Source](https://redirect.github.com/golangci/golangci-lint/compare/v2.10.1...v2.11.0) *Released on 2026-03-06* 1. Linters new features or changes - `errcheck`: from 1.9.0 to 1.10.0 (exclude `crypto/rand.Read` by default) - `gosec`: from 2.23.0 to 2.24.6 (new rules: `G113`, `G118`, `G119`, `G120`, `G121`, `G122`, `G123`, `G408`, `G707`) - `noctx`: from 0.4.0 to 0.5.0 (new detection: `httptest.NewRequestWithContext`) - `prealloc`: from 1.0.2 to 1.1.0 - `revive`: from 1.14.0 to 1.15.0 (⚠️ Breaking change: package-related checks moved from `var-naming` to a new rule `package-naming`) 2. Linters bug fixes - `gocognit`: from 1.2.0 to 1.2.1 - `gosec`: from 2.24.6 to 2.24.7 - `unqueryvet`: from 1.5.3 to 1.5.4 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).   --- > [!NOTE] > **Medium Risk** > Mostly a tooling upgrade, but it also changes runtime behavior by enforcing request body size limits on several admin/API handlers, which could reject previously-accepted large submissions. > > **Overview** > Updates `golangci-lint` to `v2.11.3` in both the devcontainer and CI. > > To satisfy new linter rules, this removes/adjusts many `//nolint:gosec` annotations, switches multiple tests to `httptest.NewRequestWithContext`, and adds/updates a few targeted suppressions (e.g. `context.WithCancel`, `context.WithTimeout`). > > Adds explicit `http.MaxBytesReader` limits on various Area51 admin handlers (typically 10MB; 200MB for snapshot/blast-radius uploads), reducing risk of oversized request bodies at the cost of stricter input limits. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit aa6ee6c4ad731a9c1dd0433d3f2abb4402a4ca5f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: carabasdaniel <daniel.carabas@overmind.tech> GitOrigin-RevId: 4cf21c8a7518ea44685543934946dc11213ab426
diff --git a/cmd/changes_submit_plan.go b/cmd/changes_submit_plan.go
@@ -52,7 +52,7 @@ func changeTitle(ctx context.Context, arg string) string {
 		return arg
 	}
 
-	describeBytes, err := exec.CommandContext(ctx, "git", "describe", "--long").Output() //nolint:gosec // G702: all arguments are hardcoded string literals; no user input reaches this command
+	describeBytes, err := exec.CommandContext(ctx, "git", "describe", "--long").Output()
 	describe := strings.TrimSpace(string(describeBytes))
 	if err != nil {
 		log.WithError(err).Trace("failed to run 'git describe' for default title")
diff --git a/cmd/pterm.go b/cmd/pterm.go
@@ -151,7 +151,7 @@ func RunRevlinkWarmup(ctx context.Context, oi sdp.OvermindInstance, postPlanPrin
 }
 
 func RunPlan(ctx context.Context, args []string) error {
-	c := exec.CommandContext(ctx, "terraform", args...) //nolint:gosec // G702: args are CLI arguments from the local user who invoked this command; this tool runs on the user's own machine
+	c := exec.CommandContext(ctx, "terraform", args...)
 
 	// remove go's default process cancel behaviour, so that terraform has a
 	// chance to gracefully shutdown when ^C is pressed. Otherwise the
@@ -180,7 +180,7 @@ func RunPlan(ctx context.Context, args []string) error {
 }
 
 func RunApply(ctx context.Context, args []string) error {
-	c := exec.CommandContext(ctx, "terraform", args...) //nolint:gosec // G702: args are CLI arguments from the local user who invoked this command; this tool runs on the user's own machine
+	c := exec.CommandContext(ctx, "terraform", args...)
 
 	// remove go's default process cancel behaviour, so that terraform has a
 	// chance to gracefully shutdown when ^C is pressed. Otherwise the
diff --git a/cmd/root.go b/cmd/root.go
@@ -522,7 +522,7 @@ func login(ctx context.Context, cmd *cobra.Command, scopes []string, writer io.W
 	}
 
 	// apply a timeout to the main body of processing
-	ctx, _ = context.WithTimeout(ctx, timeout) //nolint:govet // the context will not leak as the command will exit when it is done
+	ctx, _ = context.WithTimeout(ctx, timeout) //nolint:govet,gosec // the context will not leak as the command will exit when it is done
 
 	return ctx, oi, token, nil
 }
diff --git a/cmd/terraform_plan.go b/cmd/terraform_plan.go
@@ -116,7 +116,7 @@ func TerraformPlanImpl(ctx context.Context, cmd *cobra.Command, oi sdp.OvermindI
 	// Convert provided plan into JSON for easier parsing
 	///////////////////////////////////////////////////////////////////
 
-	tfPlanJsonCmd := exec.CommandContext(ctx, "terraform", "show", "-json", planFile) //nolint:gosec // G702: "terraform", "show", "-json" are hardcoded; planFile is from the local user's CLI -out flag
+	tfPlanJsonCmd := exec.CommandContext(ctx, "terraform", "show", "-json", planFile)
 
 	tfPlanJsonCmd.Stderr = multi.NewWriter() // send output through PTerm; is usually empty
 
@@ -182,7 +182,7 @@ func TerraformPlanImpl(ctx context.Context, cmd *cobra.Command, oi sdp.OvermindI
 		}
 
 		line := printer.Sprintf("%v (%v)", mapping.TerraformName, mapping.Message)
-		_, err = fmt.Fprintf(resourceExtractionResults, "   %v\n", line) //nolint:gosec // G203: resourceExtractionResults is a pterm.MultiPrinter writer (terminal UI), not an http.ResponseWriter; no XSS vector
+		_, err = fmt.Fprintf(resourceExtractionResults, "   %v\n", line)
 		if err != nil {
 			return fmt.Errorf("error writing to resource extraction results: %w", err)
 		}
@@ -230,7 +230,7 @@ func TerraformPlanImpl(ctx context.Context, cmd *cobra.Command, oi sdp.OvermindI
 	}
 
 	title := changeTitle(ctx, viper.GetString("title"))
-	tfPlanTextCmd := exec.CommandContext(ctx, "terraform", "show", planFile) //nolint:gosec // G702: "terraform" and "show" are hardcoded; planFile is from the local user's CLI -out flag
+	tfPlanTextCmd := exec.CommandContext(ctx, "terraform", "show", planFile)
 
 	tfPlanTextCmd.Stderr = multi.NewWriter() // send output through PTerm; is usually empty
 
@@ -514,7 +514,7 @@ func osc8Hyperlink(url, text string) string {
 
 // getTicketLinkFromPlan reads the plan file to create a unique hash to identify this change
 func getTicketLinkFromPlan(planFile string) (string, error) {
-	plan, err := os.ReadFile(planFile) //nolint:gosec // G703: planFile is from the local user's CLI args; reading their chosen file is the intended behavior of this CLI tool
+	plan, err := os.ReadFile(planFile)
 	if err != nil {
 		return "", fmt.Errorf("failed to read plan file (%v): %w", planFile, err)
 	}
diff --git a/cmd/version_check.go b/cmd/version_check.go
@@ -55,7 +55,7 @@ func checkVersion(ctx context.Context, currentVersion string) (latestVersion str
 	req.Header.Set("User-Agent", fmt.Sprintf("overmind-cli/%s", currentVersion))
 	req.Header.Set("Accept", "application/vnd.github.v3+json")
 
-	resp, err := client.Do(req) //nolint:gosec // G704: URL is the hardcoded constant githubReleasesURL; no user input reaches the request URL
+	resp, err := client.Do(req)
 	if err != nil {
 		log.WithError(err).Debug("Failed to check for CLI updates")
 		return "", false
diff --git a/go/auth/auth.go b/go/auth/auth.go
@@ -70,7 +70,7 @@ type ClientCredentialsConfig struct {
 	// The ClientID of the application that we'll be authenticating as
 	ClientID string
 	// ClientSecret that corresponds to the ClientID
-	ClientSecret string //nolint:gosec // G101 (hardcoded secret): config field name, not a credential value; never JSON-marshaled into logs or responses
+	ClientSecret string
 }
 
 type TokenSourceOptionsFunc func(*clientcredentials.Config)
@@ -128,7 +128,7 @@ func (flowConfig ClientCredentialsConfig) TokenSource(ctx context.Context, oAuth
 type Auth0Config struct {
 	Domain       string
 	ClientID     string
-	ClientSecret string //nolint:gosec // G101 (hardcoded secret): config field name, not a credential value; populated from env vars and only used in OAuth token exchange
+	ClientSecret string
 	Audience     string
 }
 
@@ -298,7 +298,7 @@ func (n *natsTokenClient) Sign(in []byte) ([]byte, error) {
 // tokens
 type APIKeyTokenSource struct {
 	// The API Key to use to authenticate to the Overmind API
-	ApiKey       string //nolint:gosec // G101 (hardcoded secret): config field name, not a credential value; only passed to API key exchange endpoint
+	ApiKey       string
 	token        *oauth2.Token
 	apiKeyClient sdpconnect.ApiKeyServiceClient
 }
diff --git a/go/auth/middleware_test.go b/go/auth/middleware_test.go
@@ -705,7 +705,7 @@ func TestWithResourceMetadata(t *testing.T) {
 
 		handler := WithResourceMetadata(prmURL, inner)
 		rr := httptest.NewRecorder()
-		req := httptest.NewRequest(http.MethodPost, "/area51/mcp", nil)
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/area51/mcp", nil)
 		handler.ServeHTTP(rr, req)
 
 		if rr.Code != http.StatusUnauthorized {
@@ -727,7 +727,7 @@ func TestWithResourceMetadata(t *testing.T) {
 
 		handler := WithResourceMetadata(prmURL, inner)
 		rr := httptest.NewRecorder()
-		req := httptest.NewRequest(http.MethodPost, "/area51/mcp", nil)
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/area51/mcp", nil)
 		handler.ServeHTTP(rr, req)
 
 		if rr.Code != http.StatusOK {
@@ -747,7 +747,7 @@ func TestWithResourceMetadata(t *testing.T) {
 
 		handler := WithResourceMetadata(prmURL, inner)
 		rr := httptest.NewRecorder()
-		req := httptest.NewRequest(http.MethodPost, "/area51/mcp", nil)
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodPost, "/area51/mcp", nil)
 		handler.ServeHTTP(rr, req)
 
 		if rr.Code != http.StatusForbidden {
@@ -767,7 +767,7 @@ func TestWithResourceMetadata(t *testing.T) {
 
 		handler := WithResourceMetadata(prmURL, inner)
 		rr := httptest.NewRecorder()
-		req := httptest.NewRequest(http.MethodGet, "/area51/mcp", nil)
+		req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "/area51/mcp", nil)
 		handler.ServeHTTP(rr, req)
 
 		if rr.Code != http.StatusOK {
diff --git a/go/discovery/engine.go b/go/discovery/engine.go
@@ -62,7 +62,7 @@ type EngineConfig struct {
 
 	// The 'ovm_*' API key to use to authenticate to the Overmind API.
 	// This and 'SourceAccessToken' are mutually exclusive
-	ApiKey string //nolint:gosec // G101 (hardcoded secret): config field name, not a credential value; populated from CLI flags/env vars
+	ApiKey string
 	// Static token passed to the source to authenticate.
 	SourceAccessToken     string // The access token to use to authenticate to the source
 	SourceAccessTokenType string // The type of token to use to authenticate the source for managed sources
diff --git a/go/sdp-go/instance_detect.go b/go/sdp-go/instance_detect.go
@@ -58,7 +58,7 @@ func NewOvermindInstance(ctx context.Context, app string) (OvermindInstance, err
 	}
 
 	req = req.WithContext(ctx)
-	res, err := tracing.HTTPClient().Do(req) //nolint:gosec // G107 (SSRF): URL is built from the app base URL (CLI config) + hardcoded path /api/public/instance-data
+	res, err := tracing.HTTPClient().Do(req)
 	if err != nil {
 		return OvermindInstance{}, fmt.Errorf("could not fetch instance-data: %w", err)
 	}
diff --git a/sources/gcp/dynamic/shared.go b/sources/gcp/dynamic/shared.go
@@ -154,7 +154,7 @@ func externalCallSingle(ctx context.Context, httpCli *http.Client, url string) (
 		return nil, err
 	}
 
-	resp, err := httpCli.Do(req) //nolint:gosec // G107 (SSRF): URL built from GCP API discovery document endpoints and project config, not user input
+	resp, err := httpCli.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -215,7 +215,7 @@ func externalCallMulti(ctx context.Context, itemsSelector string, httpCli *http.
 			return err
 		}
 
-		resp, err := httpCli.Do(req) //nolint:gosec // G107 (SSRF): URL built from GCP API discovery document endpoints with pagination token from GCP responses
+		resp, err := httpCli.Do(req)
 		if err != nil {
 			return err
 		}
diff --git a/sources/gcp/shared/kms-asset-loader.go b/sources/gcp/shared/kms-asset-loader.go
@@ -231,7 +231,7 @@ func (l *CloudKMSAssetLoader) fetchAssetsPage(ctx context.Context, pageToken str
 	// Cloud Asset API requires quota project header
 	req.Header.Set("X-Goog-User-Project", l.projectID)
 
-	resp, err := l.httpClient.Do(req) //nolint:gosec // G107 (SSRF): URL built from hardcoded https://cloudasset.googleapis.com/v1 base with project ID
+	resp, err := l.httpClient.Do(req)
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to execute request: %w", err)
 	}
diff --git a/sources/snapshot/adapters/loader.go b/sources/snapshot/adapters/loader.go
@@ -74,7 +74,7 @@ func loadSnapshotFromURL(ctx context.Context, url string) ([]byte, error) {
 	}
 
 	client := &http.Client{}
-	resp, err := client.Do(req) //nolint:gosec // G107 (SSRF): URL comes from operator-supplied snapshot source config, not from untrusted network input
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("HTTP request failed: %w", err)
 	}
diff --git a/stdlib-source/adapters/http.go b/stdlib-source/adapters/http.go
@@ -214,7 +214,7 @@ func (s *HTTPAdapter) Get(ctx context.Context, scope string, query string, ignor
 
 	var res *http.Response
 
-	res, err = client.Do(req) //nolint:gosec // G107 (SSRF): URL is the SDP query target; hostname validated by validateHostname() which blocks link-local/metadata IPs
+	res, err = client.Do(req)
 
 	if err != nil {
 		err = &sdp.QueryError{
diff --git a/tfutils/aws_config.go b/tfutils/aws_config.go
@@ -57,7 +57,7 @@ type ProviderFile struct {
 type AWSProvider struct {
 	Name                           string   `hcl:"name,label" yaml:"name,omitempty"`
 	Alias                          string   `hcl:"alias,optional" yaml:"alias,omitempty"`
-	AccessKey                      string   `hcl:"access_key,optional" yaml:"access_key,omitempty"` //nolint:gosec // G101: field name, not a hardcoded credential; deserialized from local Terraform HCL config, never marshaled into logs or HTTP responses
+	AccessKey                      string   `hcl:"access_key,optional" yaml:"access_key,omitempty"`
 	SecretKey                      string   `hcl:"secret_key,optional" yaml:"secret_key,omitempty"`
 	Token                          string   `hcl:"token,optional" yaml:"token,omitempty"`
 	Region                         string   `hcl:"region,optional" yaml:"region,omitempty"`
diff --git a/tfutils/azure_config.go b/tfutils/azure_config.go
@@ -17,7 +17,7 @@ type AzureProvider struct {
 	SubscriptionID string `hcl:"subscription_id,optional" yaml:"subscription_id,omitempty"`
 	TenantID       string `hcl:"tenant_id,optional" yaml:"tenant_id,omitempty"`
 	ClientID       string `hcl:"client_id,optional" yaml:"client_id,omitempty"`
-	ClientSecret   string `hcl:"client_secret,optional" yaml:"client_secret,omitempty"` //nolint:gosec // G101: field name, not a hardcoded credential; deserialized from local Terraform HCL config, never marshaled into logs or HTTP responses
+	ClientSecret   string `hcl:"client_secret,optional" yaml:"client_secret,omitempty"`
 	Environment    string `hcl:"environment,optional" yaml:"environment,omitempty"`
 
 	// Throw any additional stuff into here so it doesn't fail
diff --git a/tfutils/gcp_config.go b/tfutils/gcp_config.go
@@ -15,7 +15,7 @@ type GCPProvider struct {
 	Name                         string            `hcl:"name,label" yaml:"name,omitempty"`
 	Alias                        string            `hcl:"alias,optional" yaml:"alias,omitempty"`
 	Credentials                  string            `hcl:"credentials,optional" yaml:"credentials,omitempty"`
-	AccessToken                  string            `hcl:"access_token,optional" yaml:"access_token,omitempty"` //nolint:gosec // G101: field name, not a hardcoded credential; deserialized from local Terraform HCL config, never marshaled into logs or HTTP responses
+	AccessToken                  string            `hcl:"access_token,optional" yaml:"access_token,omitempty"`
 	ImpersonateServiceAccount    string            `hcl:"impersonate_service_account,optional" yaml:"impersonate_service_account,omitempty"`
 	Project                      string            `hcl:"project,optional" yaml:"project,omitempty"`
 	Region                       string            `hcl:"region,optional" yaml:"region,omitempty"`

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ func changeTitle(ctx context.Context, arg string) string {`
`52`	`52`	`return arg`
`53`	`53`	`}`
`54`	`54`
`55`		`- describeBytes, err := exec.CommandContext(ctx, "git", "describe", "--long").Output() //nolint:gosec // G702: all arguments are hardcoded string literals; no user input reaches this command`
	`55`	`+ describeBytes, err := exec.CommandContext(ctx, "git", "describe", "--long").Output()`
`56`	`56`	`describe := strings.TrimSpace(string(describeBytes))`
`57`	`57`	`if err != nil {`
`58`	`58`	`log.WithError(err).Trace("failed to run 'git describe' for default title")`
Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,7 @@ func RunRevlinkWarmup(ctx context.Context, oi sdp.OvermindInstance, postPlanPrin`
`151`	`151`	`}`
`152`	`152`
`153`	`153`	`func RunPlan(ctx context.Context, args []string) error {`
`154`		`- c := exec.CommandContext(ctx, "terraform", args...) //nolint:gosec // G702: args are CLI arguments from the local user who invoked this command; this tool runs on the user's own machine`
	`154`	`+ c := exec.CommandContext(ctx, "terraform", args...)`
`155`	`155`
`156`	`156`	`// remove go's default process cancel behaviour, so that terraform has a`
`157`	`157`	`// chance to gracefully shutdown when ^C is pressed. Otherwise the`
`@@ -180,7 +180,7 @@ func RunPlan(ctx context.Context, args []string) error {`
`180`	`180`	`}`
`181`	`181`
`182`	`182`	`func RunApply(ctx context.Context, args []string) error {`
`183`		`- c := exec.CommandContext(ctx, "terraform", args...) //nolint:gosec // G702: args are CLI arguments from the local user who invoked this command; this tool runs on the user's own machine`
	`183`	`+ c := exec.CommandContext(ctx, "terraform", args...)`
`184`	`184`
`185`	`185`	`// remove go's default process cancel behaviour, so that terraform has a`
`186`	`186`	`// chance to gracefully shutdown when ^C is pressed. Otherwise the`
Original file line number	Diff line number	Diff line change
`@@ -522,7 +522,7 @@ func login(ctx context.Context, cmd *cobra.Command, scopes []string, writer io.W`
`522`	`522`	`}`
`523`	`523`
`524`	`524`	`// apply a timeout to the main body of processing`
`525`		`- ctx, _ = context.WithTimeout(ctx, timeout) //nolint:govet // the context will not leak as the command will exit when it is done`
	`525`	`+ ctx, _ = context.WithTimeout(ctx, timeout) //nolint:govet,gosec // the context will not leak as the command will exit when it is done`
`526`	`526`
`527`	`527`	`return ctx, oi, token, nil`
`528`	`528`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ func NewOvermindInstance(ctx context.Context, app string) (OvermindInstance, err`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`req = req.WithContext(ctx)`
`61`		`- res, err := tracing.HTTPClient().Do(req) //nolint:gosec // G107 (SSRF): URL is built from the app base URL (CLI config) + hardcoded path /api/public/instance-data`
	`61`	`+ res, err := tracing.HTTPClient().Do(req)`
`62`	`62`	`if err != nil {`
`63`	`63`	`return OvermindInstance{}, fmt.Errorf("could not fetch instance-data: %w", err)`
`64`	`64`	`}`
Original file line number	Diff line number	Diff line change
`@@ -154,7 +154,7 @@ func externalCallSingle(ctx context.Context, httpCli *http.Client, url string) (`
`154`	`154`	`return nil, err`
`155`	`155`	`}`
`156`	`156`
`157`		`- resp, err := httpCli.Do(req) //nolint:gosec // G107 (SSRF): URL built from GCP API discovery document endpoints and project config, not user input`
	`157`	`+ resp, err := httpCli.Do(req)`
`158`	`158`	`if err != nil {`
`159`	`159`	`return nil, err`
`160`	`160`	`}`
`@@ -215,7 +215,7 @@ func externalCallMulti(ctx context.Context, itemsSelector string, httpCli *http.`
`215`	`215`	`return err`
`216`	`216`	`}`
`217`	`217`
`218`		`- resp, err := httpCli.Do(req) //nolint:gosec // G107 (SSRF): URL built from GCP API discovery document endpoints with pagination token from GCP responses`
	`218`	`+ resp, err := httpCli.Do(req)`
`219`	`219`	`if err != nil {`
`220`	`220`	`return err`
`221`	`221`	`}`