fix: address lint issues in keychain checks

Author: salmonumbrella

internal/cmd/auth.go

@@ -266,8 +266,8 @@ func (c *AuthTokensImportCmd) Run(ctx context.Context) error {
 	}
 
 	// Pre-flight: ensure keychain is accessible before storing token
-	if err := ensureKeychainAccess(); err != nil {
-		return fmt.Errorf("keychain access: %w", err)
+	if keychainErr := ensureKeychainAccess(); keychainErr != nil {
+		return fmt.Errorf("keychain access: %w", keychainErr)
 	}
 
 	store, err := openSecretsStore()
@@ -334,8 +334,8 @@ func (c *AuthAddCmd) Run(ctx context.Context) error {
 	}
 
 	// Pre-flight: ensure keychain is accessible before starting OAuth
-	if err := ensureKeychainAccess(); err != nil {
-		return fmt.Errorf("keychain access: %w", err)
+	if keychainErr := ensureKeychainAccess(); keychainErr != nil {
+		return fmt.Errorf("keychain access: %w", keychainErr)
 	}
 
 	refreshToken, err := authorizeGoogle(ctx, googleauth.AuthorizeOptions{

internal/googleauth/accounts_server.go

@@ -294,7 +294,7 @@ func (ms *ManageServer) handleOAuthCallback(w http.ResponseWriter, r *http.Reque
 	}
 
 	// Pre-flight: ensure keychain is accessible before storing token
-	if err := secrets.EnsureKeychainAccess(); err != nil {
+	if err := secrets.EnsureKeychainAccess(); err != nil { //nolint:contextcheck // keychain ops don't use context
 		w.WriteHeader(http.StatusInternalServerError)
 		renderErrorPage(w, "Keychain is locked: "+err.Error())
 

internal/secrets/store.go

@@ -37,13 +37,16 @@ type Token struct {
 	RefreshToken string    `json:"-"`
 }
 
-const keyringPasswordEnv = "GOG_KEYRING_PASSWORD" //nolint:gosec // env var name, not a credential
-const keyringBackendEnv = "GOG_KEYRING_BACKEND"   //nolint:gosec // env var name, not a credential
+const (
+	keyringPasswordEnv = "GOG_KEYRING_PASSWORD" //nolint:gosec // env var name, not a credential
+	keyringBackendEnv  = "GOG_KEYRING_BACKEND"  //nolint:gosec // env var name, not a credential
+)
 
 var (
-	errMissingEmail        = errors.New("missing email")
-	errMissingRefreshToken = errors.New("missing refresh token")
-	errNoTTY               = errors.New("no TTY available for keyring file backend password prompt")
+	errMissingEmail          = errors.New("missing email")
+	errMissingRefreshToken   = errors.New("missing refresh token")
+	errNoTTY                 = errors.New("no TTY available for keyring file backend password prompt")
+	errInvalidKeyringBackend = errors.New("invalid keyring backend")
 )
 
 func allowedBackendsFromEnv() ([]keyring.BackendType, error) {
@@ -55,7 +58,7 @@ func allowedBackendsFromEnv() ([]keyring.BackendType, error) {
 	case "file":
 		return []keyring.BackendType{keyring.FileBackend}, nil
 	default:
-		return nil, fmt.Errorf("invalid %s (expected auto, keychain, or file)", keyringBackendEnv)
+		return nil, fmt.Errorf("%w: %s (expected auto, keychain, or file)", errInvalidKeyringBackend, keyringBackendEnv)
 	}
 }