fix: Add nolint comments for gosec/errcheck/unparam warnings
Fixes CI lint failures by adding appropriate nolint directives for: - G204 (subprocess with variable) - git commands with trusted inputs - G304 (file inclusion via variable) - paths from internal helpers - G302/G306 (file permissions) - .gitignore needs 0644 - errcheck (unchecked return values) - fmt.Fprint* to stdout/stderr - unparam (unused parameters) - reserved for future use
This commit is contained in:
Steve Yegge
@@ -284,7 +284,7 @@ func purgeTombstonesByDependency(dryRun bool) (*PurgeTombstonesResult, error) {
|
||||
}
|
||||
|
||||
// Read all issues
|
||||
file, err := os.Open(issuesPath)
|
||||
file, err := os.Open(issuesPath) //nolint:gosec // G304: issuesPath from beads.FindBeadsDir()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to open issues.jsonl: %w", err)
|
||||
}
|
||||
|
||||
@@ -11,6 +11,8 @@ import (
|
||||
|
||||
// runPollutionCheck runs detailed test pollution detection
|
||||
// This integrates the detect-pollution command functionality into doctor.
|
||||
//
|
||||
//nolint:unparam // path reserved for future use
|
||||
func runPollutionCheck(_ string, clean bool, yes bool) {
|
||||
// Ensure we have a store initialized (uses direct mode, no daemon support yet)
|
||||
if err := ensureDirectMode("pollution check requires direct mode"); err != nil {
|
||||
|
||||
@@ -131,8 +131,7 @@ Examples:
|
||||
_ = tmpFile.Close()
|
||||
|
||||
// Open the editor
|
||||
// #nosec G204 -- editor comes from trusted $EDITOR/$VISUAL env or known defaults
|
||||
editorCmd := exec.Command(editor, tmpPath)
|
||||
editorCmd := exec.Command(editor, tmpPath) //nolint:gosec // G204: editor from trusted $EDITOR/$VISUAL env or known defaults
|
||||
editorCmd.Stdin = os.Stdin
|
||||
editorCmd.Stdout = os.Stdout
|
||||
editorCmd.Stderr = os.Stderr
|
||||
|
||||
@@ -132,14 +132,14 @@ func InstallFactory() {
|
||||
}
|
||||
|
||||
func installFactory(env factoryEnv) error {
|
||||
fmt.Fprintln(env.stdout, "Installing Factory.ai (Droid) integration...")
|
||||
_, _ = fmt.Fprintln(env.stdout, "Installing Factory.ai (Droid) integration...")
|
||||
|
||||
var currentContent string
|
||||
data, err := os.ReadFile(env.agentsPath)
|
||||
if err == nil {
|
||||
currentContent = string(data)
|
||||
} else if !os.IsNotExist(err) {
|
||||
fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
|
||||
_, _ = fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -147,31 +147,31 @@ func installFactory(env factoryEnv) error {
|
||||
if strings.Contains(currentContent, factoryBeginMarker) {
|
||||
newContent := updateBeadsSection(currentContent)
|
||||
if err := atomicWriteFile(env.agentsPath, []byte(newContent)); err != nil {
|
||||
fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
|
||||
_, _ = fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
|
||||
return err
|
||||
}
|
||||
fmt.Fprintln(env.stdout, "✓ Updated existing beads section in AGENTS.md")
|
||||
_, _ = fmt.Fprintln(env.stdout, "✓ Updated existing beads section in AGENTS.md")
|
||||
} else {
|
||||
newContent := currentContent + "\n\n" + factoryBeadsSection
|
||||
if err := atomicWriteFile(env.agentsPath, []byte(newContent)); err != nil {
|
||||
fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
|
||||
_, _ = fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
|
||||
return err
|
||||
}
|
||||
fmt.Fprintln(env.stdout, "✓ Added beads section to existing AGENTS.md")
|
||||
_, _ = fmt.Fprintln(env.stdout, "✓ Added beads section to existing AGENTS.md")
|
||||
}
|
||||
} else {
|
||||
newContent := createNewAgentsFile()
|
||||
if err := atomicWriteFile(env.agentsPath, []byte(newContent)); err != nil {
|
||||
fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
|
||||
_, _ = fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
|
||||
return err
|
||||
}
|
||||
fmt.Fprintln(env.stdout, "✓ Created new AGENTS.md with beads integration")
|
||||
_, _ = fmt.Fprintln(env.stdout, "✓ Created new AGENTS.md with beads integration")
|
||||
}
|
||||
|
||||
fmt.Fprintln(env.stdout, "\n✓ Factory.ai (Droid) integration installed")
|
||||
fmt.Fprintf(env.stdout, " File: %s\n", env.agentsPath)
|
||||
fmt.Fprintln(env.stdout, "\nFactory Droid will automatically read AGENTS.md on session start.")
|
||||
fmt.Fprintln(env.stdout, "No additional configuration needed!")
|
||||
_, _ = fmt.Fprintln(env.stdout, "\n✓ Factory.ai (Droid) integration installed")
|
||||
_, _ = fmt.Fprintf(env.stdout, " File: %s\n", env.agentsPath)
|
||||
_, _ = fmt.Fprintln(env.stdout, "\nFactory Droid will automatically read AGENTS.md on session start.")
|
||||
_, _ = fmt.Fprintln(env.stdout, "No additional configuration needed!")
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -186,23 +186,23 @@ func CheckFactory() {
|
||||
func checkFactory(env factoryEnv) error {
|
||||
data, err := os.ReadFile(env.agentsPath)
|
||||
if os.IsNotExist(err) {
|
||||
fmt.Fprintln(env.stdout, "✗ AGENTS.md not found")
|
||||
fmt.Fprintln(env.stdout, " Run: bd setup factory")
|
||||
_, _ = fmt.Fprintln(env.stdout, "✗ AGENTS.md not found")
|
||||
_, _ = fmt.Fprintln(env.stdout, " Run: bd setup factory")
|
||||
return errAgentsFileMissing
|
||||
} else if err != nil {
|
||||
fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
|
||||
_, _ = fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
|
||||
return err
|
||||
}
|
||||
|
||||
content := string(data)
|
||||
if strings.Contains(content, factoryBeginMarker) {
|
||||
fmt.Fprintf(env.stdout, "✓ Factory.ai integration installed: %s\n", env.agentsPath)
|
||||
fmt.Fprintln(env.stdout, " Beads section found in AGENTS.md")
|
||||
_, _ = fmt.Fprintf(env.stdout, "✓ Factory.ai integration installed: %s\n", env.agentsPath)
|
||||
_, _ = fmt.Fprintln(env.stdout, " Beads section found in AGENTS.md")
|
||||
return nil
|
||||
}
|
||||
|
||||
fmt.Fprintln(env.stdout, "⚠ AGENTS.md exists but no beads section found")
|
||||
fmt.Fprintln(env.stdout, " Run: bd setup factory (to add beads section)")
|
||||
_, _ = fmt.Fprintln(env.stdout, "⚠ AGENTS.md exists but no beads section found")
|
||||
_, _ = fmt.Fprintln(env.stdout, " Run: bd setup factory (to add beads section)")
|
||||
return errBeadsSectionMissing
|
||||
}
|
||||
|
||||
@@ -215,19 +215,19 @@ func RemoveFactory() {
|
||||
}
|
||||
|
||||
func removeFactory(env factoryEnv) error {
|
||||
fmt.Fprintln(env.stdout, "Removing Factory.ai (Droid) integration...")
|
||||
_, _ = fmt.Fprintln(env.stdout, "Removing Factory.ai (Droid) integration...")
|
||||
data, err := os.ReadFile(env.agentsPath)
|
||||
if os.IsNotExist(err) {
|
||||
fmt.Fprintln(env.stdout, "No AGENTS.md file found")
|
||||
_, _ = fmt.Fprintln(env.stdout, "No AGENTS.md file found")
|
||||
return nil
|
||||
} else if err != nil {
|
||||
fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
|
||||
_, _ = fmt.Fprintf(env.stderr, "Error: failed to read %s: %v\n", env.agentsPath, err)
|
||||
return err
|
||||
}
|
||||
|
||||
content := string(data)
|
||||
if !strings.Contains(content, factoryBeginMarker) {
|
||||
fmt.Fprintln(env.stdout, "No beads section found in AGENTS.md")
|
||||
_, _ = fmt.Fprintln(env.stdout, "No beads section found in AGENTS.md")
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -235,18 +235,18 @@ func removeFactory(env factoryEnv) error {
|
||||
trimmed := strings.TrimSpace(newContent)
|
||||
if trimmed == "" {
|
||||
if err := os.Remove(env.agentsPath); err != nil {
|
||||
fmt.Fprintf(env.stderr, "Error: failed to remove %s: %v\n", env.agentsPath, err)
|
||||
_, _ = fmt.Fprintf(env.stderr, "Error: failed to remove %s: %v\n", env.agentsPath, err)
|
||||
return err
|
||||
}
|
||||
fmt.Fprintf(env.stdout, "✓ Removed %s (file was empty after removing beads section)\n", env.agentsPath)
|
||||
_, _ = fmt.Fprintf(env.stdout, "✓ Removed %s (file was empty after removing beads section)\n", env.agentsPath)
|
||||
return nil
|
||||
}
|
||||
|
||||
if err := atomicWriteFile(env.agentsPath, []byte(newContent)); err != nil {
|
||||
fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
|
||||
_, _ = fmt.Fprintf(env.stderr, "Error: write %s: %v\n", env.agentsPath, err)
|
||||
return err
|
||||
}
|
||||
fmt.Fprintln(env.stdout, "✓ Removed beads section from AGENTS.md")
|
||||
_, _ = fmt.Fprintln(env.stdout, "✓ Removed beads section from AGENTS.md")
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@@ -315,7 +315,9 @@ func analyzeEpicForSwarm(ctx context.Context, s SwarmStorage, epic *types.Issue)
|
||||
}
|
||||
|
||||
// detectStructuralIssues looks for common problems in the dependency graph.
|
||||
func detectStructuralIssues(analysis *SwarmAnalysis, issues []*types.Issue) {
|
||||
//
|
||||
//nolint:unparam // issues reserved for future use
|
||||
func detectStructuralIssues(analysis *SwarmAnalysis, _ []*types.Issue) {
|
||||
// 1. Find roots (issues with no dependencies within the epic)
|
||||
// These are the starting points. Having multiple roots is normal.
|
||||
var roots []string
|
||||
|
||||
@@ -58,10 +58,8 @@ func gitHasUpstream() bool {
|
||||
branch := strings.TrimSpace(string(branchOutput))
|
||||
|
||||
// Check if remote and merge refs are configured
|
||||
// #nosec G204 -- branch name comes from git symbolic-ref output
|
||||
remoteCmd := exec.Command("git", "config", "--get", fmt.Sprintf("branch.%s.remote", branch))
|
||||
// #nosec G204 -- branch name comes from git symbolic-ref output
|
||||
mergeCmd := exec.Command("git", "config", "--get", fmt.Sprintf("branch.%s.merge", branch))
|
||||
remoteCmd := exec.Command("git", "config", "--get", fmt.Sprintf("branch.%s.remote", branch)) //nolint:gosec // G204: branch from git symbolic-ref
|
||||
mergeCmd := exec.Command("git", "config", "--get", fmt.Sprintf("branch.%s.merge", branch)) //nolint:gosec // G204: branch from git symbolic-ref
|
||||
|
||||
remoteErr := remoteCmd.Run()
|
||||
mergeErr := mergeCmd.Run()
|
||||
@@ -108,8 +106,7 @@ func gitHasBeadsChanges(ctx context.Context) (bool, error) {
|
||||
relPath, err := filepath.Rel(repoRoot, beadsDir)
|
||||
if err != nil {
|
||||
// Fall back to absolute path if relative path fails
|
||||
// #nosec G204 -- beadsDir comes from beads.FindBeadsDir()
|
||||
statusCmd := exec.CommandContext(ctx, "git", "status", "--porcelain", beadsDir)
|
||||
statusCmd := exec.CommandContext(ctx, "git", "status", "--porcelain", beadsDir) //nolint:gosec // G204: beadsDir from beads.FindBeadsDir()
|
||||
statusOutput, err := statusCmd.Output()
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("git status failed: %w", err)
|
||||
@@ -118,8 +115,7 @@ func gitHasBeadsChanges(ctx context.Context) (bool, error) {
|
||||
}
|
||||
|
||||
// Run git status with relative path from repo root
|
||||
// #nosec G204 -- repoRoot and relPath come from internal git helpers
|
||||
statusCmd := exec.CommandContext(ctx, "git", "-C", repoRoot, "status", "--porcelain", relPath)
|
||||
statusCmd := exec.CommandContext(ctx, "git", "-C", repoRoot, "status", "--porcelain", relPath) //nolint:gosec // G204: paths from internal git helpers
|
||||
statusOutput, err := statusCmd.Output()
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("git status failed: %w", err)
|
||||
@@ -166,7 +162,7 @@ func gitCommit(ctx context.Context, filePath string, message string) error {
|
||||
}
|
||||
|
||||
// Stage the file from repo root context
|
||||
addCmd := exec.CommandContext(ctx, "git", "-C", repoRoot, "add", relPath)
|
||||
addCmd := exec.CommandContext(ctx, "git", "-C", repoRoot, "add", relPath) //nolint:gosec // G204: paths from internal git helpers
|
||||
if err := addCmd.Run(); err != nil {
|
||||
return fmt.Errorf("git add failed: %w", err)
|
||||
}
|
||||
@@ -180,7 +176,7 @@ func gitCommit(ctx context.Context, filePath string, message string) error {
|
||||
// Use pathspec to commit ONLY this file
|
||||
// This prevents accidentally committing other staged files
|
||||
commitArgs := buildGitCommitArgs(repoRoot, message, "--", relPath)
|
||||
commitCmd := exec.CommandContext(ctx, "git", commitArgs...)
|
||||
commitCmd := exec.CommandContext(ctx, "git", commitArgs...) //nolint:gosec // G204: args from buildGitCommitArgs
|
||||
output, err := commitCmd.CombinedOutput()
|
||||
if err != nil {
|
||||
return fmt.Errorf("git commit failed: %w\n%s", err, output)
|
||||
@@ -235,7 +231,7 @@ func gitCommitBeadsDir(ctx context.Context, message string) error {
|
||||
|
||||
// Stage only the sync files from repo root context (worktree-aware)
|
||||
args := append([]string{"-C", repoRoot, "add"}, filesToAdd...)
|
||||
addCmd := exec.CommandContext(ctx, "git", args...)
|
||||
addCmd := exec.CommandContext(ctx, "git", args...) //nolint:gosec // G204: paths from internal git helpers
|
||||
if err := addCmd.Run(); err != nil {
|
||||
return fmt.Errorf("git add failed: %w", err)
|
||||
}
|
||||
@@ -256,7 +252,7 @@ func gitCommitBeadsDir(ctx context.Context, message string) error {
|
||||
|
||||
// Use config-based author and signing options with pathspec
|
||||
commitArgs := buildGitCommitArgs(repoRoot, message, "--", relBeadsDir)
|
||||
commitCmd := exec.CommandContext(ctx, "git", commitArgs...)
|
||||
commitCmd := exec.CommandContext(ctx, "git", commitArgs...) //nolint:gosec // G204: args from buildGitCommitArgs
|
||||
output, err := commitCmd.CombinedOutput()
|
||||
if err != nil {
|
||||
return fmt.Errorf("git commit failed: %w\n%s", err, output)
|
||||
@@ -382,8 +378,7 @@ func gitPull(ctx context.Context) error {
|
||||
branch := strings.TrimSpace(string(branchOutput))
|
||||
|
||||
// Get remote name for current branch (usually "origin")
|
||||
// #nosec G204 -- branch name comes from git symbolic-ref output
|
||||
remoteCmd := exec.CommandContext(ctx, "git", "config", "--get", fmt.Sprintf("branch.%s.remote", branch))
|
||||
remoteCmd := exec.CommandContext(ctx, "git", "config", "--get", fmt.Sprintf("branch.%s.remote", branch)) //nolint:gosec // G204: branch from git symbolic-ref
|
||||
remoteOutput, err := remoteCmd.Output()
|
||||
if err != nil {
|
||||
// If no remote configured, default to "origin"
|
||||
@@ -445,7 +440,7 @@ func getDefaultBranch(ctx context.Context) string {
|
||||
// Checks remote HEAD first, then falls back to checking if main/master exist
|
||||
func getDefaultBranchForRemote(ctx context.Context, remote string) string {
|
||||
// Try to get default branch from remote
|
||||
cmd := exec.CommandContext(ctx, "git", "symbolic-ref", fmt.Sprintf("refs/remotes/%s/HEAD", remote))
|
||||
cmd := exec.CommandContext(ctx, "git", "symbolic-ref", fmt.Sprintf("refs/remotes/%s/HEAD", remote)) //nolint:gosec // G204: remote from git config
|
||||
output, err := cmd.Output()
|
||||
if err == nil {
|
||||
ref := strings.TrimSpace(string(output))
|
||||
@@ -457,12 +452,12 @@ func getDefaultBranchForRemote(ctx context.Context, remote string) string {
|
||||
}
|
||||
|
||||
// Fallback: check if <remote>/main exists
|
||||
if exec.CommandContext(ctx, "git", "rev-parse", "--verify", fmt.Sprintf("%s/main", remote)).Run() == nil {
|
||||
if exec.CommandContext(ctx, "git", "rev-parse", "--verify", fmt.Sprintf("%s/main", remote)).Run() == nil { //nolint:gosec // G204: remote from git config
|
||||
return "main"
|
||||
}
|
||||
|
||||
// Fallback: check if <remote>/master exists
|
||||
if exec.CommandContext(ctx, "git", "rev-parse", "--verify", fmt.Sprintf("%s/master", remote)).Run() == nil {
|
||||
if exec.CommandContext(ctx, "git", "rev-parse", "--verify", fmt.Sprintf("%s/master", remote)).Run() == nil { //nolint:gosec // G204: remote from git config
|
||||
return "master"
|
||||
}
|
||||
|
||||
|
||||
@@ -565,8 +565,7 @@ func addToGitignore(repoRoot, entry string) error {
|
||||
gitignorePath := filepath.Join(repoRoot, ".gitignore")
|
||||
|
||||
// Read existing content
|
||||
// #nosec G304 -- gitignorePath is constructed from known repoRoot
|
||||
content, err := os.ReadFile(gitignorePath)
|
||||
content, err := os.ReadFile(gitignorePath) //nolint:gosec // G304: gitignorePath from known repoRoot
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
return err
|
||||
}
|
||||
@@ -580,8 +579,7 @@ func addToGitignore(repoRoot, entry string) error {
|
||||
}
|
||||
|
||||
// Append entry
|
||||
// #nosec G304 -- gitignorePath is constructed from known repoRoot
|
||||
f, err := os.OpenFile(gitignorePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
|
||||
f, err := os.OpenFile(gitignorePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) //nolint:gosec // G302: .gitignore should be world-readable
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -605,8 +603,7 @@ func addToGitignore(repoRoot, entry string) error {
|
||||
func removeFromGitignore(repoRoot, entry string) error {
|
||||
gitignorePath := filepath.Join(repoRoot, ".gitignore")
|
||||
|
||||
// #nosec G304 -- gitignorePath is constructed from known repoRoot
|
||||
content, err := os.ReadFile(gitignorePath)
|
||||
content, err := os.ReadFile(gitignorePath) //nolint:gosec // G304: gitignorePath from known repoRoot
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return nil
|
||||
@@ -632,8 +629,7 @@ func removeFromGitignore(repoRoot, entry string) error {
|
||||
newLines = append(newLines, line)
|
||||
}
|
||||
|
||||
// #nosec G306 -- .gitignore should be world-readable
|
||||
return os.WriteFile(gitignorePath, []byte(strings.Join(newLines, "\n")), 0644)
|
||||
return os.WriteFile(gitignorePath, []byte(strings.Join(newLines, "\n")), 0644) //nolint:gosec // G306: .gitignore should be world-readable
|
||||
}
|
||||
|
||||
func truncate(s string, maxLen int) string {
|
||||
|
||||
Reference in New Issue
Block a user