fix: ruleguard and semgrep scans and fixes (#3364)

run semgrep-go ruleguard and semgrep scans

https://github.com/dgryski/semgrep-go

Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>

.github/workflows/build.yml

@@ -15,15 +15,11 @@ permissions:
 
 jobs:
   govulncheck:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
-      - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v3
-        with:
-          go-version: '1.19'
-          cache: true
-      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
-      - run: govulncheck ./...
+    uses: caarlos0/meta/.github/workflows/govulncheck.yml@main
+  semgrep:
+    uses: caarlos0/meta/.github/workflows/semgrep.yml@main
+  ruleguard:
+    uses: caarlos0/meta/.github/workflows/ruleguard.yml@main
   goreleaser-check-pkgs:
     runs-on: ubuntu-latest
     env:

cmd/config.go

@@ -1,6 +1,8 @@
 package cmd
 
 import (
+	"errors"
+	"io/fs"
 	"os"
 
 	"github.com/caarlos0/log"
@@ -22,7 +24,7 @@ func loadConfig(path string) (config.Project, error) {
 		"goreleaser.yaml",
 	} {
 		proj, err := config.Load(f)
-		if err != nil && os.IsNotExist(err) {
+		if err != nil && errors.Is(err, fs.ErrNotExist) {
 			continue
 		}
 		return proj, err

internal/builders/golang/build_test.go

@@ -496,7 +496,7 @@ func TestBuild(t *testing.T) {
 		},
 	})
 
-	modTimes := map[time.Time]bool{}
+	modTimes := map[int64]bool{}
 	for _, bin := range ctx.Artifacts.List() {
 		if bin.Type != artifact.Binary {
 			continue
@@ -506,7 +506,7 @@ func TestBuild(t *testing.T) {
 		require.NoError(t, err)
 
 		// make this a suitable map key, per docs: https://golang.org/pkg/time/#Time
-		modTime := fi.ModTime().UTC().Round(0)
+		modTime := fi.ModTime().UTC().Round(0).Unix()
 
 		if modTimes[modTime] {
 			t.Fatal("duplicate modified time found, times should be different by default")

internal/exec/exec_mock.go

@@ -27,9 +27,9 @@ type MockCall struct {
 	ExitCode     int      `json:"exit_code"`
 }
 
-func (m *MockData) MarshalJSON() ([]byte, error) {
+func (m MockData) MarshalJSON() ([]byte, error) {
 	type t MockData
-	return json.Marshal((*t)(m))
+	return json.Marshal((t)(m))
 }
 
 func (m *MockData) UnmarshalJSON(b []byte) error {

internal/gio/safe_test.go

@@ -2,6 +2,7 @@ package gio
 
 import (
 	"bytes"
+	"io"
 	"sync"
 	"testing"
 
@@ -18,7 +19,7 @@ func TestSafe(t *testing.T) {
 	wg.Add(chars)
 	for i := 0; i < chars; i++ {
 		go func() {
-			s, err := w.Write([]byte("a"))
+			s, err := io.WriteString(w, "a")
 			require.Equal(t, 1, s)
 			require.NoError(t, err)
 			wg.Done()

internal/git/config.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/url"
+	"path"
 	"strings"
 
 	"github.com/caarlos0/log"
@@ -68,7 +69,7 @@ func ExtractRepoFromURL(rawurl string) (config.Repo, error) {
 	}
 	repo := config.Repo{
 		RawURL: rawurl,
-		Owner:  strings.Join(ss[:len(ss)-1], "/"),
+		Owner:  path.Join(ss[:len(ss)-1]...),
 		Name:   ss[len(ss)-1],
 	}
 	log.WithField("owner", repo.Owner).WithField("name", repo.Name).Debugf("parsed url")

internal/logext/writer_test.go

@@ -2,6 +2,7 @@ package logext
 
 import (
 	"bytes"
+	"io"
 	"os"
 	"strconv"
 	"testing"
@@ -24,7 +25,7 @@ func TestWriter(t *testing.T) {
 				})
 				var b bytes.Buffer
 				log.Log = log.New(&b)
-				l, err := NewWriter(log.Fields{"foo": "bar"}, out).Write([]byte("foo\nbar\n"))
+				l, err := io.WriteString(NewWriter(log.Fields{"foo": "bar"}, out), "foo\nbar\n")
 				require.NoError(t, err)
 				require.Equal(t, 8, l)
 				require.Empty(t, b.String())
@@ -41,7 +42,7 @@ func TestWriter(t *testing.T) {
 				var b bytes.Buffer
 				log.Log = log.New(&b)
 				log.SetLevel(log.DebugLevel)
-				l, err := NewWriter(log.Fields{"foo": "bar"}, out).Write([]byte("foo\nbar\n"))
+				l, err := io.WriteString(NewWriter(log.Fields{"foo": "bar"}, out), "foo\nbar\n")
 				require.NoError(t, err)
 				require.Equal(t, 8, l)
 				golden.RequireEqualTxt(t, b.Bytes())

internal/pipe/archive/archive.go

@@ -6,6 +6,7 @@ package archive
 import (
 	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
@@ -150,7 +151,7 @@ func doCreate(ctx *context.Context, arch config.Archive, binaries []*artifact.Ar
 		lock.Unlock()
 		return err
 	}
-	if _, err = os.Stat(archivePath); !os.IsNotExist(err) {
+	if _, err = os.Stat(archivePath); !errors.Is(err, fs.ErrNotExist) {
 		lock.Unlock()
 		return fmt.Errorf("archive named %s already exists. Check your archive name template", archivePath)
 	}

internal/pipe/aur/aur.go

@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"sort"
@@ -471,7 +472,7 @@ func keyPath(key string) (string, error) {
 			key += "\n"
 		}
 
-		if _, err := f.Write([]byte(key)); err != nil {
+		if _, err := io.WriteString(f, key); err != nil {
 			return "", fmt.Errorf("failed to store private key: %w", err)
 		}
 		if err := f.Close(); err != nil {

internal/pipe/blob/upload.go

@@ -116,10 +116,7 @@ func doUpload(ctx *context.Context, conf config.Blob) error {
 		fullpath := fullpath
 		g.Go(func() error {
 			uploadFile := path.Join(folder, name)
-
-			err := uploadData(ctx, conf, up, fullpath, uploadFile, bucketURL)
-
-			return err
+			return uploadData(ctx, conf, up, fullpath, uploadFile, bucketURL)
 		})
 	}
 
@@ -132,11 +129,10 @@ func uploadData(ctx *context.Context, conf config.Blob, up uploader, dataFile, u
 		return err
 	}
 
-	err = up.Upload(ctx, uploadFile, data)
-	if err != nil {
+	if err := up.Upload(ctx, uploadFile, data); err != nil {
 		return handleError(err, bucketURL)
 	}
-	return err
+	return nil
 }
 
 // errorContains check if error contains specific string.

internal/pipe/env/env.go

@@ -6,6 +6,7 @@ import (
 	"bufio"
 	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 	"strings"
 
@@ -146,7 +147,7 @@ func loadEnv(env, path string) (string, error) {
 		return "", err
 	}
 	f, err := os.Open(path) // #nosec
-	if os.IsNotExist(err) {
+	if errors.Is(err, fs.ErrNotExist) {
 		return "", nil
 	}
 	if err != nil {

internal/pipe/linkedin/client_test.go

@@ -2,6 +2,7 @@ package linkedin
 
 import (
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -56,12 +57,12 @@ func TestCreateLinkedInClient(t *testing.T) {
 
 func TestClient_Share(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		_, _ = rw.Write([]byte(`
+		_, _ = io.WriteString(rw, `
 {
 	"id": "foo",
 	"activity": "123456789"
 }
-`))
+`)
 	}))
 	defer server.Close()
 

internal/pipe/mattermost/mattermost_test.go

@@ -5,7 +5,6 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
-	"os"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -92,8 +91,7 @@ func TestPostWebhook(t *testing.T) {
 	ctx.ReleaseURL = "https://github.com/honk/honk/releases/tag/v1.0.0"
 	ctx.Git.URL = "https://github.com/honk/honk"
 
-	os.Setenv("MATTERMOST_WEBHOOK", ts.URL)
-	defer os.Unsetenv("MATTERMOST_WEBHOOK")
+	t.Setenv("MATTERMOST_WEBHOOK", ts.URL)
 
 	require.NoError(t, Pipe{}.Default(ctx))
 	require.NoError(t, Pipe{}.Announce(ctx))

internal/pipe/release/release.go

@@ -3,6 +3,7 @@ package release
 import (
 	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 	"time"
 
@@ -121,7 +122,7 @@ func doPublish(ctx *context.Context, client client.Client) error {
 	}
 
 	for name, path := range extraFiles {
-		if _, err := os.Stat(path); os.IsNotExist(err) {
+		if _, err := os.Stat(path); errors.Is(err, fs.ErrNotExist) {
 			return fmt.Errorf("failed to upload %s: %w", name, err)
 		}
 		ctx.Artifacts.Add(&artifact.Artifact{

internal/pipe/webhook/webhook_test.go

@@ -7,7 +7,6 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
-	"os"
 	"testing"
 
 	"github.com/google/uuid"
@@ -180,8 +179,7 @@ func TestAnnounceBasicAuthWebhook(t *testing.T) {
 			},
 		},
 	})
-	os.Setenv("BASIC_AUTH_HEADER_VALUE", fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte("user:pass"))))
-	defer os.Unsetenv("BASIC_AUTH_HEADER_VALUE")
+	t.Setenv("BASIC_AUTH_HEADER_VALUE", fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte("user:pass"))))
 	require.NoError(t, Pipe{}.Announce(ctx))
 }
 

internal/testlib/git.go

@@ -84,7 +84,7 @@ func fakeGit(args ...string) (string, error) {
 		"-c", "log.showSignature=false",
 	}
 	allArgs = append(allArgs, args...)
-	return git.Run(context.TODO(), allArgs...)
+	return git.Run(context.Background(), allArgs...)
 }
 
 // GitCheckoutBranch allows us to change the active branch that we're using.

pkg/context/context.go

@@ -126,7 +126,7 @@ func New(config config.Project) *Context {
 
 // NewWithTimeout new context with the given timeout.
 func NewWithTimeout(config config.Project, timeout time.Duration) (*Context, stdctx.CancelFunc) {
-	ctx, cancel := stdctx.WithTimeout(stdctx.Background(), timeout)
+	ctx, cancel := stdctx.WithTimeout(stdctx.Background(), timeout) // nosem
 	return Wrap(ctx, config), cancel
 }