openshift · bharath-b-rh · Sep 13, 2025
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,47 +1,107 @@
+version: "2"
+
 run:
   timeout: 5m
   allow-parallel-runners: true
 
-issues:
-  # don't skip warning about doc comments
-  # don't exclude the default set of lint
-  exclude-use-default: false
-  # restore some of the defaults
-  # (fill in the rest as needed)
-  exclude-rules:
-    - path: "api/*"
-      linters:
-        - lll
-    - path: "pkg/*"
-      linters:
-        - dupl
-        - lll
 linters:
-  disable-all: true
+  default: none
   enable:
+    - asciicheck
+    - bodyclose
+    - dogsled
     - dupl
     - errcheck
-    - exportloopref
-    - ginkgolinter
+    - errorlint
+    - exhaustive
+    - copyloopvar
+    - goheader
     - goconst
-    - gocyclo
-    - gofmt
-    - goimports
-    - gosimple
+    - gocritic
+    - godot
+    - goprintffuncname
+    - gosec
     - govet
     - ineffassign
-    - lll
     - misspell
     - nakedret
+    - nolintlint
     - prealloc
-    - revive
-    - staticcheck
-    - typecheck
+    - lll
     - unconvert
     - unparam
     - unused
-
-linters-settings:
-  revive:
+    - whitespace
+  settings:
+    goconst:
+      min-len: 3
+      min-occurrences: 3
+    gocritic:
+      enabled-tags:
+        - diagnostic
+        - experimental
+        - opinionated
+        - performance
+        - style
+      disabled-checks:
+        - dupImport
+        - ifElseChain
+        - octalLiteral
+        - whyNoLint
+        - wrapperFunc
+        - importShadow
+        - unnamedResult
+        - unnecessaryBlock
+      settings:
+        rangeValCopy:
+          sizeThreshold: 512
+        hugeParam:
+          sizeThreshold: 512
+    gocyclo:
+      min-complexity: 16
+    goheader:
+      template-path: ./hack/boilerplate.go.txt
+    dupl:
+      threshold: 200
+    govet:
+      disable:
+        - shadow
+    lll:
+      line-length: 300
+    misspell:
+      locale: US
+  exclusions:
     rules:
-      - name: comment-spacings
+      # Exclude some linters from running on tests files.
+      - path: _test(ing)?\.go
+        linters:
+          - gocyclo
+          - errcheck
+          - dupl
+          - gosec
+          - unparam
+          - lll
+
+      # Ease some gocritic warnings on test files.
+      - path: _test\.go
+        text: "(unnamedResult|exitAfterDefer)"
+        linters:
+          - gocritic
+
+      # This is a "potential hardcoded credentials" warning. It's triggered by
+      # any variable with 'secret' in the same, and thus hits a lot of false
+      # positives in Kubernetes land where a Secret is an object type.
+      - text: "G101:"
+        linters:
+          - gosec
+
+      # The header check doesn't correctly parse the header as a code comment and is
+      # triggered by the perceived diff. The header check still correctly detects missing
+      # license headers and is useful for some cases.
+      - text: "Actual:"
+        linters:
+          - goheader
+
+      - path: vendor
+        linters:
+          - all
diff --git a/Makefile b/Makefile
@@ -158,6 +158,13 @@ lint: golangci-lint ## Run golangci-lint linter
 lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 	$(GOLANGCI_LINT) run --fix
 
+# Ignore the exit code of the fix lint, it will always error as there are unfixed issues
+# that cannot be fixed from historic commits.
+.PHONY: verify-lint-fix
+verify-lint-fix:
+	make lint-fix 2>/dev/null || true
+	git diff --exit-code
+
 ##@ Build
 
 build-operator: ## Build operator binary, no additional checks or code generation
@@ -250,6 +257,7 @@ YQ = $(LOCALBIN)/yq
 HELM ?= $(LOCALBIN)/helm
 REFERENCE_DOC_GENERATOR ?= $(LOCALBIN)/crd-ref-docs
 GOVULNCHECK ?= $(LOCALBIN)/govulncheck
+KUBEAPI_LINT = $(LOCALBIN)/kube-api-linter.so
 
 ## Tool Versions
 YQ_VERSION = v4.45.2
@@ -258,41 +266,45 @@ HELM_VERSION ?= v3.17.3
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
 $(KUSTOMIZE): $(LOCALBIN)
-	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5)
+	$(call go-install-tool,$(KUSTOMIZE),./vendor/sigs.k8s.io/kustomize/kustomize/v5)
 
 .PHONY: controller-gen
 controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.
 $(CONTROLLER_GEN): $(LOCALBIN)
-	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen)
+	$(call go-install-tool,$(CONTROLLER_GEN),./vendor/sigs.k8s.io/controller-tools/cmd/controller-gen)
 
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download setup-envtest locally if necessary.
 $(ENVTEST): $(LOCALBIN)
-	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest)
+	$(call go-install-tool,$(ENVTEST),./vendor/sigs.k8s.io/controller-runtime/tools/setup-envtest)
 
 .PHONY: golangci-lint
 golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
 $(GOLANGCI_LINT): $(LOCALBIN)
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint)
+	$(call go-install-tool,$(GOLANGCI_LINT),./vendor/github.com/golangci/golangci-lint/v2/cmd/golangci-lint)
 
 .PHONY: crd-ref-docs
 crd-ref-docs: $(LOCALBIN) ## Download crd-ref-docs locally if necessary.
-	$(call go-install-tool,$(REFERENCE_DOC_GENERATOR),github.com/elastic/crd-ref-docs)
+	$(call go-install-tool,$(REFERENCE_DOC_GENERATOR),./vendor/github.com/elastic/crd-ref-docs)
+
+.PHONY: kube-api-linter
+kube-api-linter: $(LOCALBIN)
+	go build -mod=vendor -buildmode=plugin -o $(KUBEAPI_LINT) ./vendor/sigs.k8s.io/kube-api-linter/pkg/plugin
 
 .PHONY: govulncheck
 govulncheck: $(LOCALBIN) ## Download govulncheck locally if necessary.
 	$(call go-install-tool,$(GOVULNCHECK),golang.org/x/vuln/cmd/govulncheck)
 
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
-# $2 - package url which can be installed
+# $2 - vendor code path of the package
 define go-install-tool
 @[ -f "$(1)" ] || { \
 set -e; \
 package=$(2) ;\
-echo "Downloading $${package}" ;\
+echo "Building $${package}" ;\
 rm -f $(1) || true ;\
-GOBIN=$(LOCALBIN) go install $${package} ;\
+go build -mod=vendor -o $(LOCALBIN) $${package} ;\
 }
 endef
 
@@ -391,7 +403,7 @@ catalog-push: ## Push a catalog image.
 
 ## verify the changes are working as expected.
 .PHONY: verify
-verify: vet fmt golangci-lint verify-bindata verify-bindata-assets verify-generated govulnscan
+verify: vet fmt verify-bindata verify-bindata-assets verify-generated govulnscan
 
 ## update the relevant data based on new changes.
 .PHONY: update