Fix linter issues after golangci-lint bump

Remove stale nolint directives for gosec codes that no longer
trigger at those locations; they were flagged by nolintlint.

Add G122 nolint annotations on os.ReadFile calls inside WalkDir
callbacks in loaddirectory.go and filereader.go; the paths are
over controlled directories and the TOCTOU risk is negligible.

Replace rw.WriteHeader+rw.Write in logAndReturn with http.Error,
which sets Content-Type and X-Content-Type-Options headers and
avoids reflecting error details in the HTTP response (G705).

Replace httptest.NewRequest with NewRequestWithContext in the
webhook test to satisfy noctx.

Author: thardeck

cmd/docs/generate-cli-docs.go

@@ -153,5 +153,5 @@ sidebar_label: "%s"
 }
 
 func usage() {
-	fmt.Fprintln(os.Stdout, "Usage: ", os.Args[0], " <directory>") //nolint:gosec // G705 false positive: output goes to stdout, not an HTTP response writer
+	fmt.Fprintln(os.Stdout, "Usage: ", os.Args[0], " <directory>")
 }

internal/bundlereader/auth.go

@@ -15,7 +15,7 @@ import (
 
 type Auth struct {
 	Username           string `json:"username,omitempty"`
-	Password           string `json:"password,omitempty"` //nolint:gosec // G117 false positive: Password is an intentional field in the Helm chart auth config
+	Password           string `json:"password,omitempty"`
 	CABundle           []byte `json:"caBundle,omitempty"`
 	SSHPrivateKey      []byte `json:"sshPrivateKey,omitempty"`
 	InsecureSkipVerify bool   `json:"insecureSkipVerify,omitempty"`

internal/bundlereader/charturl.go

@@ -162,7 +162,7 @@ func getHelmRepoIndex(ctx context.Context, repoURL string, auth Auth) (helmRepoI
 
 	client := getHTTPClient(auth)
 
-	resp, err := client.Do(request) //nolint:gosec // G704 false positive: URL is the user-configured Helm chart repository
+	resp, err := client.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch %q: %w", indexURL, err)
 	}

internal/bundlereader/loaddirectory.go

@@ -319,7 +319,7 @@ func GetContent(ctx context.Context, base, source, version string, auth Auth, di
 			return nil
 		}
 
-		content, err := os.ReadFile(path)
+		content, err := os.ReadFile(path) //nolint:gosec // G122: path is from WalkDir over a go-getter controlled temp directory
 		if err != nil {
 			return err
 		}
@@ -432,7 +432,7 @@ func get(ctx context.Context, client Getter, req *getter.Request, auth Auth) err
 		}
 		defer func() {
 			file.Close()
-			os.Remove(file.Name()) //nolint:gosec // G703 false positive: path comes from os.CreateTemp, not user-controlled data
+			os.Remove(file.Name())
 		}()
 
 		if _, err := file.Write(auth.CABundle); err != nil {

internal/cmd/agent/register/register.go

@@ -301,7 +301,7 @@ func createClientConfigFromSecret(ctx context.Context, secret *corev1.Secret, tr
 		// NOTE(manno): client-go will use the system trust store even if a CA is configured. So, why do this?
 		req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiServerURL, nil)
 		if err == nil {
-			if resp, err := http.DefaultClient.Do(req); err == nil { //nolint:gosec // G704 false positive: URL is the Kubernetes API server from admin-configured kubeconfig
+			if resp, err := http.DefaultClient.Do(req); err == nil {
 				resp.Body.Close()
 				apiServerCA = nil
 			}

internal/cmd/cli/analyze.go

@@ -206,8 +206,8 @@ func (a *Analyze) compareFiles(cmd *cobra.Command, file1, file2 string) error {
 	}
 
 	troubleshooting.PrintHeader(w, "COMPARING SNAPSHOTS")
-	fmt.Fprintf(w, "Before: %s (%s)\n", file1, before.Timestamp) //nolint:gosec // G705 false positive: w is a CLI stdout writer, not an HTTP ResponseWriter
-	fmt.Fprintf(w, "After:  %s (%s)\n", file2, after.Timestamp)  //nolint:gosec // G705 false positive: w is a CLI stdout writer, not an HTTP ResponseWriter
+	fmt.Fprintf(w, "Before: %s (%s)\n", file1, before.Timestamp)
+	fmt.Fprintf(w, "After:  %s (%s)\n", file2, after.Timestamp)
 
 	troubleshooting.PrintSnapshotDiff(w, before, after)
 

internal/cmd/cli/apply.go

@@ -270,7 +270,7 @@ func writeTmpKnownHosts() (string, error) {
 
 	knownHostsPath := f.Name()
 
-	if err := os.WriteFile(knownHostsPath, []byte(knownHosts), 0600); err != nil { //nolint:gosec // G703 false positive: path is generated by os.CreateTemp, not user-controlled
+	if err := os.WriteFile(knownHostsPath, []byte(knownHosts), 0600); err != nil {
 		return "", fmt.Errorf(
 			"failed to write value of %q env var to known_hosts file %s: %w",
 			ssh.KnownHostsEnvVar,

internal/cmd/cli/apply/apply.go

@@ -63,7 +63,7 @@ type Getter interface {
 type OCIRegistrySpec struct {
 	Reference       string
 	Username        string
-	Password        string //nolint:gosec // G117 false positive: Password is an intentional field in the apply options
+	Password        string
 	BasicHTTP       bool
 	InsecureSkipTLS bool
 }

internal/cmd/cli/dump/dump.go

@@ -531,7 +531,7 @@ func addMetricsToArchive(ctx context.Context, c client.Client, logger logr.Logge
 			return fmt.Errorf("failed to create request to metrics service: %w", err)
 		}
 
-		resp, err := httpCli.Do(req) //nolint:gosec // G704 false positive: URL always targets localhost via kubectl port-forward, not an arbitrary server
+		resp, err := httpCli.Do(req)
 		if err != nil {
 			return fmt.Errorf("failed to get response from metrics service: %w", err)
 		}

internal/cmd/controller/agentmanagement/controllers/cluster/import.go

@@ -549,7 +549,7 @@ func (i *importHandler) restConfigFromKubeConfig(data []byte, agentTLSMode strin
 		if raw.Clusters[cluster] != nil {
 			req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, raw.Clusters[cluster].Server, nil)
 			if err == nil {
-				if resp, err := http.DefaultClient.Do(req); err == nil { //nolint:gosec // G704 false positive: URL is the Kubernetes API server from admin-configured kubeconfig
+				if resp, err := http.DefaultClient.Do(req); err == nil {
 					resp.Body.Close()
 					raw.Clusters[cluster].CertificateAuthorityData = nil
 				}