chore: update linter and fix lints

Makefile

@@ -11,7 +11,7 @@ GO_BUILD_FLAGS_LINUX_CROSS :=-tags 'include_gcs include_oss containers_image_ope
 
 GO_VERSION=go1.25.3+auto
 
-GOLANGCI_LINT_VERSION=v2.5.0
+GOLANGCI_LINT_VERSION=v2.12.2
 GORELEASER_VERSION=v2.15.3
 GOVULNCHECK_VERSION=v1.1.4
 
@@ -69,7 +69,7 @@ test-in-container: build-image
 getlint:
 	@mkdir -p $(GOPATH)/bin
 	@echo "Installing golangci-lint $(GOLANGCI_LINT_VERSION)..."
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOPATH)/bin $(GOLANGCI_LINT_VERSION)
+	curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b $(GOPATH)/bin $(GOLANGCI_LINT_VERSION)
 .PHONY: lint
 lint: getlint
 	$(GOPATH)/bin/golangci-lint run --timeout 5m

pkg/awsutil/sts.go

@@ -240,7 +240,7 @@ func GetSigninToken(awsCredentials aws.Credentials, region string) (*AWSSigninTo
 		SessionToken: awsCredentials.SessionToken,
 	}
 
-	data, err := json.Marshal(sessionData)
+	data, err := json.Marshal(sessionData) //#nosec G117 -- SessionKey contains AWS credentials for federated signin
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal session data: %w", err)
 	}

pkg/elevate/elevate_test.go

@@ -16,15 +16,15 @@ import (
 func fakeExecCommandError(command string, args ...string) *exec.Cmd {
 	cs := []string{"-test.run=TestHelperProcessError", "--", command}
 	cs = append(cs, args...)
-	cmd := exec.Command(os.Args[0], cs...) //#nosec: G204
+	cmd := exec.Command(os.Args[0], cs...) //#nosec G204,G702 -- test helper uses os.Args[0] intentionally
 	cmd.Env = []string{"GO_WANT_HELPER_PROCESS=1"}
 	return cmd
 }
 
 func fakeExecCommandSuccess(command string, args ...string) *exec.Cmd {
 	cs := []string{"-test.run=TestHelperProcessSuccess", "--", command}
 	cs = append(cs, args...)
-	cmd := exec.Command(os.Args[0], cs...) //#nosec: G204
+	cmd := exec.Command(os.Args[0], cs...) //#nosec G204,G702 -- test helper uses os.Args[0] intentionally
 	cmd.Env = []string{"GO_WANT_HELPER_PROCESS=1"}
 	return cmd
 }

pkg/utils/jwt_test.go

@@ -15,25 +15,25 @@ func TestGetFieldFromJWT(t *testing.T) {
 	tests := []testCase{
 		{
 			name:  "Get string field",
-			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", // notsecret
+			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", //#nosec G101 -- test JWT
 			field: "sub",
 			want:  "1234567890",
 		},
 		{
 			name:    "Get number field",
-			token:   "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjAsImV4cCI6MTcxNjY1MDA3MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSJ9._CyJxncO4NBOH6a-Q_2oIVelCRZKJh9YiPBm4XEBZgI", // notsecret
+			token:   "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjAsImV4cCI6MTcxNjY1MDA3MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSJ9._CyJxncO4NBOH6a-Q_2oIVelCRZKJh9YiPBm4XEBZgI", //#nosec G101 -- test JWT
 			field:   "iat",
 			wantErr: true,
 		},
 		{
 			name:    "Get field that doesn't exist",
-			token:   "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", // notsecret
+			token:   "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c", //#nosec G101 -- test JWT
 			field:   "foo",
 			wantErr: true,
 		},
 		{
 			name:    "Invalid token",
-			token:   "abcdefg", // notsecret
+			token:   "abcdefg",
 			field:   "foo",
 			wantErr: true,
 		},
@@ -62,17 +62,17 @@ func TestGetUsernameFromJWT(t *testing.T) {
 	tests := []testCase{
 		{
 			name:  "Get username",
-			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJyZWRoYXQuY29tIiwiZXhwIjoxMTIwODI4MzQ0LCJ1c2VybmFtZSI6InRlc3R1c2VyIn0.2uBp-c/dIUtipUsnT1J6zjkJNVlIE640ZbuCvWevWRQ", // notsecret
+			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJyZWRoYXQuY29tIiwiZXhwIjoxMTIwODI4MzQ0LCJ1c2VybmFtZSI6InRlc3R1c2VyIn0.2uBp-c/dIUtipUsnT1J6zjkJNVlIE640ZbuCvWevWRQ", //#nosec G101 -- test JWT
 			want:  "testuser",
 		},
 		{
 			name:  "Get username when username field is missing",
-			token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjAsImV4cCI6MTcxNjY1MDA3MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSJ9._CyJxncO4NBOH6a-Q_2oIVelCRZKJh9YiPBm4XEBZgI", // notsecret
+			token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjAsImV4cCI6MTcxNjY1MDA3MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSJ9._CyJxncO4NBOH6a-Q_2oIVelCRZKJh9YiPBm4XEBZgI", //#nosec G101 -- test JWT
 			want:  "anonymous",
 		},
 		{
 			name:  "Invalid token",
-			token: "abcdefg", // notsecret
+			token: "abcdefg",
 			want:  "anonymous",
 		},
 	}