chore(deps): Bump sigs.k8s.io/release-utils from 0.8.4 to 0.8.5 (#1622)

* chore(deps): Bump sigs.k8s.io/release-utils from 0.8.4 to 0.8.5

Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.8.4 to 0.8.5.
- [Release notes](https://github.com/kubernetes-sigs/release-utils/releases)
- [Commits](kubernetes-sigs/release-utils@v0.8.4...v0.8.5)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/release-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* move to go 1.23

Signed-off-by: Bob Callaway <[email protected]>

* move to golangci-lint 1.61

Signed-off-by: Bob Callaway <[email protected]>

* fix lint errors

Signed-off-by: Bob Callaway <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Bob Callaway <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Bob Callaway <[email protected]>

Author: dependabot[bot]

.github/workflows/tests.yaml

@@ -92,5 +92,5 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
-          version: v1.59
+          version: v1.61
           args: --timeout=15m

Makefile

@@ -105,7 +105,7 @@ local-dev:
 golangci-lint:
 	rm -f $(GOLANGCI_LINT_BIN) || :
 	set -e ;\
-	GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1 ;\
+	GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0 ;\
 
 lint: golangci-lint ## Run golangci-lint linter
 	$(GOLANGCI_LINT_BIN) run -n

cmd/api-docs/main.go

@@ -165,7 +165,7 @@ func astFrom(filePath string) *doc.Package {
 	}
 
 	m[filePath] = f
-	apkg, _ := ast.NewPackage(fset, m, nil, nil) //nolint:errcheck
+	apkg, _ := ast.NewPackage(fset, m, nil, nil) //nolint:staticcheck
 
 	return doc.New(apkg, "", 0)
 }

go.mod

@@ -1,6 +1,8 @@
 module github.com/sigstore/policy-controller
 
-go 1.22.6
+go 1.23
+
+toolchain go1.23.1
 
 require (
 	github.com/aws/aws-sdk-go v1.55.5
@@ -47,7 +49,7 @@ require (
 	k8s.io/code-generator v0.31.0
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
 	knative.dev/hack v0.0.0-20240111013919-e89096d74d85
-	sigs.k8s.io/release-utils v0.8.4
+	sigs.k8s.io/release-utils v0.8.5
 	sigs.k8s.io/yaml v1.4.0
 )
 

go.sum

@@ -1333,8 +1333,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw=
-sigs.k8s.io/release-utils v0.8.4/go.mod h1:m1bHfscTemQp+z+pLCZnkXih9n0+WukIUU70n6nFnU0=
+sigs.k8s.io/release-utils v0.8.5 h1:FUtFqEAN621gSXv0L7kHyWruBeS7TUU9aWf76olX7uQ=
+sigs.k8s.io/release-utils v0.8.5/go.mod h1:qsm5bdxdgoHkD8HsXpgme2/c3mdsNaiV53Sz2HmKeJA=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

pkg/tuf/repo.go

@@ -129,7 +129,10 @@ func Uncompress(src io.Reader, dst string) error {
 			}
 		// Write out files
 		case tar.TypeReg:
-			fileToWrite, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
+			if header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115
+				return errors.New("invalid mode value in tar header")
+			}
+			fileToWrite, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode)) //nolint:gosec // disable G115
 			if err != nil {
 				return err
 			}
@@ -213,9 +216,12 @@ func UncompressMemFS(src io.Reader, stripPrefix string) (fs.FS, error) {
 			if err != nil && err != io.EOF {
 				return nil, fmt.Errorf("reading file %s : %w", header.Name, err)
 			}
+			if header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115
+				return nil, errors.New("invalid mode value in tar header")
+			}
 			testFS[target] = &fstest.MapFile{
 				Data:    data,
-				Mode:    os.FileMode(header.Mode),
+				Mode:    os.FileMode(header.Mode), //nolint:gosec // disable G115
 				ModTime: header.ModTime,
 			}
 		}

pkg/webhook/validator.go

@@ -517,7 +517,7 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 			switch {
 			case authority.Static != nil:
 				if authority.Static.Action == "fail" {
-					result.err = cosign.NewVerificationError("disallowed by static policy: " + authority.Static.Message)
+					result.err = cosign.NewVerificationError("disallowed by static policy: %s", authority.Static.Message)
 					results <- result
 					return
 				}