add golangci action

.github/workflows/golangci-lint.yml

@@ -0,0 +1,29 @@
+name: golangci-lint
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+env:
+  GO_VERSION: 1.21
+  GOLANGCI_LINT_VERSION: v1.60.2
+
+permissions:
+  contents: read
+  pull-requests: read
+  checks: write
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: ${{ env.GOLANGCI_LINT_VERSION }}

.golangci.yaml

@@ -0,0 +1,162 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
+# SPDX-License-Identifier: Apache-2.0
+
+run:
+  timeout: 3m # 1m by default
+  modules-download-mode: readonly
+
+output:
+  # Do not print lines of code with issue.
+  print-issued-lines: false
+
+issues:
+  exclude:
+    # It is idiomatic Go to reuse the name 'err' with ':=' for subsequent errors.
+    # Ref: https://go.dev/doc/effective_go#redeclaration
+    - 'declaration of "err" shadows declaration at'
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - bodyclose
+        - dupl
+  # '0' disables the following options.
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+linters-settings:
+  dupl:
+    # Tokens count to trigger issue, 150 by default.
+    threshold: 100
+  errcheck:
+    # Report about assignment of errors to blank identifier.
+    check-blank: true
+    # Report about not checking of errors in type assertions.
+    check-type-assertions: true
+    exclude-functions:
+      - encoding/json.Marshal
+  forbidigo:
+    analyze-types: true # required for pkg:
+    forbid:
+      # ioutil package has been deprecated: https://github.com/golang/go/issues/42026
+      - ^ioutil\..*$
+      # Using http.DefaultServeMux is discouraged because it's a global variable that some packages silently and magically add handlers to (esp. net/http/pprof).
+      # Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
+      - ^http\.DefaultServeMux$
+      - ^http\.Handle(?:Func)?$
+      # Forbid usage of old and archived square/go-jose
+      - pkg: ^gopkg\.in/square/go-jose\.v2$
+        msg: "gopk.in/square/go-jose is arcived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
+      - pkg: ^github.com/coreos/go-oidc$
+        msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"
+
+      - pkg: ^github.com/howeyc/gopass$
+        msg: "github.com/howeyc/gopass is archived, use golang.org/x/term instead"
+  goconst:
+    ignore-tests: true
+    min-occurrences: 5
+  gocritic:
+    enabled-checks:
+      - boolExprSimplify
+      - builtinShadow
+      - emptyStringTest
+      - evalOrder
+      - httpNoBody
+      - importShadow
+      - initClause
+      - methodExprCall
+      - paramTypeCombine
+      - preferFilepathJoin
+      - ptrToRefParam
+      - redundantSprint
+      - returnAfterHttpError
+      - stringConcatSimplify
+      - timeExprSimplify
+      - truncateCmp
+      - typeAssertChain
+      - typeUnparen
+      - unnamedResult
+      - unnecessaryBlock
+      - unnecessaryDefer
+      - weakCond
+      - yodaStyleExpr
+  goimports:
+    # Put local imports after 3rd-party packages.
+    local-prefixes: github.com/sapcc/git-cert-shim
+  gosec:
+    excludes:
+      # gosec wants us to set a short ReadHeaderTimeout to avoid Slowloris attacks, but doing so would expose us to Keep-Alive race conditions (see https://iximiuz.com/en/posts/reverse-proxy-http-keep-alive-and-502s/)
+      - G112
+      # created file permissions are restricted by umask if necessary
+      - G306
+  govet:
+    enable-all: true
+    disable:
+      - fieldalignment
+  nolintlint:
+    require-specific: true
+  misspell:
+    ignore-words:
+      - metis
+  stylecheck:
+    dot-import-whitelist:
+      - github.com/onsi/ginkgo/v2
+      - github.com/onsi/gomega
+  usestdlibvars:
+    constant-kind: true
+    crypto-hash: true
+    default-rpc-path: true
+    http-method: true
+    http-status-code: true
+    sql-isolation-level: true
+    time-layout: true
+    time-month: true
+    time-weekday: true
+    tls-signature-scheme: true
+  whitespace:
+    # Enforce newlines (or comments) after multi-line function signatures.
+    multi-func: true
+
+linters:
+  # We use 'disable-all' and enable linters explicitly so that a newer version
+  # does not introduce new linters unexpectedly.
+  disable-all: true
+  enable:
+    - bodyclose
+    - containedctx
+    - copyloopvar
+    # - dupl
+    - dupword
+    - durationcheck
+    - errcheck
+    - errname
+    - errorlint
+    - forbidigo
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - goconst
+    - gocritic
+    - gofmt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - intrange
+    - misspell
+    - nilerr
+    - noctx
+    - nolintlint
+    - nosprintfhostport
+    - perfsprint
+    - predeclared
+    - rowserrcheck
+    - sqlclosecheck
+    - staticcheck
+    - stylecheck
+    - tenv
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - whitespace

Makefile

@@ -10,6 +10,16 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
+## Location to install dependencies an GO binaries
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+## Tool Binaries
+GOLINT ?= $(LOCALBIN)/golangci-lint
+## Tool Versions
+GOLINT_VERSION ?= v1.60.2
+GINKGOLINTER_VERSION ?= v0.16.2
+
 all: build
 
 # Run tests
@@ -97,3 +107,13 @@ CONTROLLER_GEN=$(GOBIN)/controller-gen
 else
 CONTROLLER_GEN=$(shell which controller-gen)
 endif
+
+.PHONY: lint
+lint: golint
+	$(GOLINT) run -v --timeout 5m
+
+.PHONY: golint
+golint: $(GOLINT)
+$(GOLINT): $(LOCALBIN)
+	GOBIN=$(LOCALBIN) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLINT_VERSION)
+	GOBIN=$(LOCALBIN) go install github.com/nunnatsa/ginkgolinter/cmd/ginkgolinter@$(GINKGOLINTER_VERSION)