cli/.golangci.yml

version: "2"

run:
  # prevent golangci-lint from deducting the go version to lint for through go.mod,
  # which causes it to fallback to go1.17 semantics.
  #
  # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24
  go: "1.23.8"

  timeout: 5m

issues:
  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
  max-issues-per-linter: 0

  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
  max-same-issues: 0

formatters:
  enable:
    - gofumpt       # Detects whether code was gofumpt-ed.
    - goimports

  exclusions:
    generated: strict

linters:
  enable:
    - bodyclose
    - copyloopvar   # Detects places where loop variables are copied.
    - depguard
    - dogsled
    - dupword       # Detects duplicate words.
    - durationcheck
    - errcheck
    - errchkjson
    - forbidigo
    - gocritic      # Metalinter; detects bugs, performance, and styling issues.
    - gocyclo
    - gosec         # Detects security problems.
    - govet
    - ineffassign
    - misspell      # Detects commonly misspelled English words in comments.
    - nakedret      # Detects uses of naked returns.
    - nilerr        # Detects code that returns nil even if it checks that the error is not nil.
    - nolintlint    # Detects ill-formed or insufficient nolint directives.
    - perfsprint    # Detects fmt.Sprintf uses that can be replaced with a faster alternative.
    - prealloc      # Detects slice declarations that could potentially be pre-allocated.
    - predeclared   # Detects code that shadows one of Go's predeclared identifiers
    - reassign
    - revive        # Metalinter; drop-in replacement for golint.
    - staticcheck
    - thelper       # Detects test helpers without t.Helper().
    - tparallel     # Detects inappropriate usage of t.Parallel().
    - unconvert     # Detects unnecessary type conversions.
    - unparam
    - unused
    - usestdlibvars
    - usetesting    # Reports uses of functions with replacement inside the testing package.
    - wastedassign

  disable:
    - errcheck

  settings:
    depguard:
      rules:
        main:
          deny:
            - pkg: "github.com/containerd/containerd/errdefs"
              desc: The containerd errdefs package was migrated to a separate module. Use github.com/containerd/errdefs instead.
            - pkg: "github.com/containerd/containerd/log"
              desc: The containerd log package was migrated to a separate module. Use github.com/containerd/log instead.
            - pkg: "github.com/containerd/containerd/pkg/userns"
              desc: Use github.com/moby/sys/userns instead.
            - pkg: "github.com/containerd/containerd/platforms"
              desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
            - pkg: "github.com/docker/docker/pkg/system"
              desc: This package should not be used unless strictly necessary.
            - pkg: "github.com/docker/distribution/uuid"
              desc: Use github.com/google/uuid instead.
            - pkg: "io/ioutil"
              desc: The io/ioutil package has been deprecated, see https://go.dev/doc/go1.16#ioutil

    forbidigo:
      forbid:
        - pkg: ^regexp$
          pattern: ^regexp\.MustCompile
          msg: Use internal/lazyregexp.New instead.

    gocyclo:
      min-complexity: 16

    gosec:
      excludes:
        - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
        - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/docker/cli/issues/5584)
        - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
        - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")

    govet:
      enable:
        - shadow
      settings:
        shadow:
          strict: true

    lll:
      line-length: 200

    nakedret:
      # Disallow naked returns if func has more lines of code than this setting.
      # Default: 30
      max-func-lines: 0

    staticcheck:
      checks:
        - all
        - -QF1008 # Omit embedded fields from selector expression
        - -ST1020 # The documentation of an exported function should start with the function’s name
        - -ST1022 # The documentation of an exported variable or constant should start with variable’s name

    revive:
      rules:
        - name: empty-block       # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-block
        - name: empty-lines       # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#empty-lines
        - name: import-shadowing  # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#import-shadowing
        - name: line-length-limit # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#line-length-limit
          arguments: [200]
        - name: unused-receiver   # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#unused-receiver
        - name: use-any           # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#use-any

    usetesting:
      os-chdir: false           # FIXME(thaJeztah): Disable `os.Chdir()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
      context-background: false # FIXME(thaJeztah): Disable `context.Background()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478
      context-todo: false       # FIXME(thaJeztah): Disable `context.TODO()` detections; should be automatically disabled on Go < 1.24; see https://github.com/docker/cli/pull/5835#issuecomment-2665302478

  exclusions:
    # We prefer to use an "linters.exclusions.rules" so that new "default" exclusions are not
    # automatically inherited. We can decide whether or not to follow upstream
    # defaults when updating golang-ci-lint versions.
    # Unfortunately, this means we have to copy the whole exclusion pattern, as
    # (unlike the "include" option), the "exclude" option does not take exclusion
    # ID's.
    #
    # These exclusion patterns are copied from the default excluses at:
    # https://github.com/golangci/golangci-lint/blob/v1.44.0/pkg/config/issues.go#L10-L104
    #
    # The default list of exclusions can be found at:
    # https://golangci-lint.run/usage/false-positives/#default-exclusions
    generated: strict

    rules:
        # EXC0003
      - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this"
        linters:
          - revive

        # EXC0007
      - text: "Subprocess launch(ed with variable|ing should be audited)"
        linters:
          - gosec

        # EXC0009
      - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
        linters:
          - gosec

        # EXC0010
      - text: "Potential file inclusion via variable"
        linters:
          - gosec

        # TODO: make sure all packages have a description. Currently, there's 67 packages without.
      - text: "package-comments: should have a package comment"
        linters:
          - revive

        # Exclude some linters from running on tests files.
      - path: _test\.go
        linters:
          - errcheck
          - gosec

      - text: "ST1000: at least one file in a package should have a package comment"
        linters:
          - staticcheck

        # Allow "err" and "ok" vars to shadow existing declarations, otherwise we get too many false positives.
      - text: '^shadow: declaration of "(err|ok)" shadows declaration'
        linters:
          - govet

    # Log a warning if an exclusion rule is unused.
    # Default: false
    warn-unused: true