.editorconfig

@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
+root = true
+
+[*]
+insert_final_newline = true
+charset = utf-8
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
+
+[{Makefile,go.mod,go.sum,*.go}]
+indent_style = tab
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false
+
+[{LICENSE,LICENSES/*,vendor/**}]
+charset = unset
+end_of_line = unset
+indent_size = unset
+indent_style = unset
+insert_final_newline = unset
+trim_trailing_whitespace = unset

.github/workflows/checks.yaml

@@ -31,7 +31,7 @@ jobs:
           check-latest: true
           go-version: "1.24"
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
         with:
           version: latest
       - name: Dependency Licenses Review

.golangci.yaml

@@ -6,127 +6,35 @@
 # Copyright 2024 SAP SE
 # SPDX-License-Identifier: Apache-2.0
 
+version: "2"
 run:
-  timeout: 3m0s # 1m by default
   modules-download-mode: readonly
+  timeout: 3m0s # none by default in v2
 
-output:
-  # Do not print lines of code with issue.
-  print-issued-lines: false
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    goimports:
+      # Put local imports after 3rd-party packages
+      local-prefixes:
+        - github.com/sapcc/go-api-declarations
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 
 issues:
-  exclude:
-    # It is idiomatic Go to reuse the name 'err' with ':=' for subsequent errors.
-    # Ref: https://go.dev/doc/effective_go#redeclaration
-    - 'declaration of "err" shadows declaration at'
-  exclude-rules:
-    - path: _test\.go
-      linters:
-        - bodyclose
-  # '0' disables the following options.
+  # '0' disables the following options
   max-issues-per-linter: 0
   max-same-issues: 0
 
-linters-settings:
-  errcheck:
-    # Report about assignment of errors to blank identifier.
-    check-blank: true
-    # Do not report about not checking of errors in type assertions.
-    # This is not as dangerous as skipping error values because an unchecked type assertion just immediately panics.
-    # We disable this because it makes a ton of useless noise esp. in test code.
-    check-type-assertions: false
-  forbidigo:
-    analyze-types: true # required for pkg:
-    forbid:
-      # ioutil package has been deprecated: https://github.com/golang/go/issues/42026
-      - ^ioutil\..*$
-      # Using http.DefaultServeMux is discouraged because it's a global variable that some packages silently and magically add handlers to (esp. net/http/pprof).
-      # Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
-      - ^http\.DefaultServeMux$
-      - ^http\.Handle(?:Func)?$
-      # Forbid usage of old and archived square/go-jose
-      - pkg: ^gopkg\.in/square/go-jose\.v2$
-        msg: "gopk.in/square/go-jose is archived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
-      - pkg: ^github.com/coreos/go-oidc$
-        msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"
-
-      - pkg: ^github.com/howeyc/gopass$
-        msg: "github.com/howeyc/gopass is archived, use golang.org/x/term instead"
-  goconst:
-    ignore-tests: true
-    min-occurrences: 5
-  gocritic:
-    enabled-checks:
-      - boolExprSimplify
-      - builtinShadow
-      - emptyStringTest
-      - evalOrder
-      - httpNoBody
-      - importShadow
-      - initClause
-      - methodExprCall
-      - paramTypeCombine
-      - preferFilepathJoin
-      - ptrToRefParam
-      - redundantSprint
-      - returnAfterHttpError
-      - stringConcatSimplify
-      - timeExprSimplify
-      - truncateCmp
-      - typeAssertChain
-      - typeUnparen
-      - unnamedResult
-      - unnecessaryBlock
-      - unnecessaryDefer
-      - weakCond
-      - yodaStyleExpr
-  goimports:
-    # Put local imports after 3rd-party packages.
-    local-prefixes: github.com/sapcc/go-api-declarations
-  gomoddirectives:
-    go-version-pattern: '1\.\d+(\.0)?$'
-    replace-allow-list:
-      # for go-pmtud
-      - github.com/mdlayher/arp
-    toolchain-forbidden: true
-  gosec:
-    excludes:
-      # gosec wants us to set a short ReadHeaderTimeout to avoid Slowloris attacks, but doing so would expose us to Keep-Alive race conditions (see https://iximiuz.com/en/posts/reverse-proxy-http-keep-alive-and-502s/)
-      - G112
-      # created file permissions are restricted by umask if necessary
-      - G306
-  govet:
-    enable-all: true
-    disable:
-      - fieldalignment
-  nolintlint:
-    require-specific: true
-  stylecheck:
-    dot-import-whitelist:
-      - github.com/majewsky/gg/option
-      - github.com/onsi/ginkgo/v2
-      - github.com/onsi/gomega
-  usestdlibvars:
-    constant-kind: true
-    crypto-hash: true
-    default-rpc-path: true
-    http-method: true
-    http-status-code: true
-    sql-isolation-level: true
-    time-layout: true
-    time-month: true
-    time-weekday: true
-    tls-signature-scheme: true
-  usetesting:
-    os-temp-dir: true
-  whitespace:
-    # Enforce newlines (or comments) after multi-line function signatures.
-    multi-func: true
-
 linters:
-  # We use 'disable-all' and enable linters explicitly so that a newer version
-  # does not introduce new linters unexpectedly.
-  disable-all: true
+  # Disable all pre-enabled linters and enable them explicitly so that a newer version does not introduce new linters unexpectedly
+  default: none
   enable:
     - bodyclose
     - containedctx
@@ -142,11 +50,8 @@ linters:
     - gocheckcompilerdirectives
     - goconst
     - gocritic
-    - gofmt
-    - goimports
     - gomoddirectives
     - gosec
-    - gosimple
     - govet
     - ineffassign
     - intrange
@@ -160,11 +65,126 @@ linters:
     - rowserrcheck
     - sqlclosecheck
     - staticcheck
-    - stylecheck
-    - typecheck
     - unconvert
     - unparam
     - unused
     - usestdlibvars
     - usetesting
     - whitespace
+  settings:
+    errcheck:
+      check-type-assertions: false
+      # Report about assignment of errors to blank identifier.
+      check-blank: true
+      # Do not report about not checking of errors in type assertions.
+      # This is not as dangerous as skipping error values because an unchecked type assertion just immediately panics.
+      # We disable this because it makes a ton of useless noise esp. in test code.
+    forbidigo:
+      analyze-types: true # required for pkg:
+      forbid:
+        # ioutil package has been deprecated: https://github.com/golang/go/issues/42026
+        - pattern: ^ioutil\..*$
+        # Using http.DefaultServeMux is discouraged because it's a global variable that some packages silently and magically add handlers to (esp. net/http/pprof).
+        # Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
+        - pattern: ^http\.DefaultServeMux$
+        - pattern: ^http\.Handle(?:Func)?$
+        - pkg: ^gopkg\.in/square/go-jose\.v2$
+          msg: gopk.in/square/go-jose is archived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2
+        - pkg: ^github.com/coreos/go-oidc$
+          msg: github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3
+        - pkg: ^github.com/howeyc/gopass$
+          msg: github.com/howeyc/gopass is archived, use golang.org/x/term instead
+    goconst:
+      min-occurrences: 5
+    gocritic:
+      enabled-checks:
+        - boolExprSimplify
+        - builtinShadow
+        - emptyStringTest
+        - evalOrder
+        - httpNoBody
+        - importShadow
+        - initClause
+        - methodExprCall
+        - paramTypeCombine
+        - preferFilepathJoin
+        - ptrToRefParam
+        - redundantSprint
+        - returnAfterHttpError
+        - stringConcatSimplify
+        - timeExprSimplify
+        - truncateCmp
+        - typeAssertChain
+        - typeUnparen
+        - unnamedResult
+        - unnecessaryBlock
+        - unnecessaryDefer
+        - weakCond
+        - yodaStyleExpr
+    gomoddirectives:
+      replace-allow-list:
+        # for go-pmtud
+        - github.com/mdlayher/arp
+      toolchain-forbidden: true
+      go-version-pattern: 1\.\d+(\.0)?$
+    gosec:
+      excludes:
+        # gosec wants us to set a short ReadHeaderTimeout to avoid Slowloris attacks, but doing so would expose us to Keep-Alive race conditions (see https://iximiuz.com/en/posts/reverse-proxy-http-keep-alive-and-502s/
+        - G112
+        # created file permissions are restricted by umask if necessary
+        - G306
+    govet:
+      disable:
+        - fieldalignment
+      enable-all: true
+    nolintlint:
+      require-specific: true
+    staticcheck:
+      dot-import-whitelist:
+        - github.com/majewsky/gg/option
+        - github.com/onsi/ginkgo/v2
+        - github.com/onsi/gomega
+    usestdlibvars:
+      http-method: true
+      http-status-code: true
+      time-weekday: true
+      time-month: true
+      time-layout: true
+      crypto-hash: true
+      default-rpc-path: true
+      sql-isolation-level: true
+      tls-signature-scheme: true
+      constant-kind: true
+    usetesting:
+      os-temp-dir: true
+    whitespace:
+      # Enforce newlines (or comments) after multi-line function signatures.
+      multi-func: true
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - bodyclose
+        path: _test\.go
+      # It is idiomatic Go to reuse the name 'err' with ':=' for subsequent errors.
+      # Ref: https://go.dev/doc/effective_go#redeclaration
+      - path: (.+)\.go$
+        text: declaration of "err" shadows declaration at
+      - linters:
+          - goconst
+        path: (.+)_test\.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+
+output:
+  formats:
+    text:
+      # Do not print lines of code with issue.
+      print-issued-lines: false

.license-scan-overrides.jsonl

@@ -6,3 +6,4 @@
 {"name": "github.com/xeipuuv/gojsonpointer", "licenceType": "Apache-2.0"}
 {"name": "github.com/xeipuuv/gojsonreference", "licenceType": "Apache-2.0"}
 {"name": "github.com/xeipuuv/gojsonschema", "licenceType": "Apache-2.0"}
+{"name": "github.wdf.sap.corp/cc/nxos-gnmi-go", "licenceType": "Apache-2.0"}

Makefile

@@ -22,7 +22,7 @@ install-goimports: FORCE
 	@if ! hash goimports 2>/dev/null; then printf "\e[1;36m>> Installing goimports (this may take a while)...\e[0m\n"; go install golang.org/x/tools/cmd/goimports@latest; fi
 
 install-golangci-lint: FORCE
-	@if ! hash golangci-lint 2>/dev/null; then printf "\e[1;36m>> Installing golangci-lint (this may take a while)...\e[0m\n"; go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest; fi
+	@if ! hash golangci-lint 2>/dev/null; then printf "\e[1;36m>> Installing golangci-lint (this may take a while)...\e[0m\n"; go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest; fi
 
 install-go-licence-detector: FORCE
 	@if ! hash go-licence-detector 2>/dev/null; then printf "\e[1;36m>> Installing go-licence-detector (this may take a while)...\e[0m\n"; go install go.elastic.co/go-licence-detector@latest; fi
@@ -54,6 +54,7 @@ check: FORCE static-check build/cover.html
 
 run-golangci-lint: FORCE install-golangci-lint
 	@printf "\e[1;36m>> golangci-lint\e[0m\n"
+	@golangci-lint config verify
 	@golangci-lint run
 
 build/cover.out: FORCE | build