Merge pull request #2744 from Luap99/gofumpt

golangci-lint: enable gofumpt formatter
2025-12-24 07:53:37 +00:00 · 2025-11-18 23:35:18 +01:00
parent 655f2b977b b625905314
commit c844ecb70c
19 changed files with 129 additions and 122 deletions
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,4 +1,9 @@
 version: "2"
+
+formatters:
+  enable:
+    - gofumpt
+
 linters:
  settings:
    staticcheck:
--- a/5
+++ b/5
@@ -242,10 +242,13 @@ validate:
 # This target is only intended for development, e.g. executing it from an IDE. Use (make test) for CI or pre-release testing.
 test-all-local: validate-local validate-docs test-unit-local

+.PHONY: fmt
+fmt: tools
+	$(GOBIN)/golangci-lint fmt
+
 .PHONY: validate-local
 validate-local: tools
 	hack/validate-git-marks.sh
-	hack/validate-gofmt.sh
 	$(GOBIN)/golangci-lint run --build-tags "${BUILDTAGS}"
 	# An extra run with --tests=false allows detecting code unused outside of tests;
 	# ideally the linter should be able to find this automatically.
--- a/cmd/skopeo/copy.go
+++ b/cmd/skopeo/copy.go
@@ -45,7 +45,8 @@ func copyCmd(global *globalOptions) *cobra.Command {
 	destFlags, destOpts := imageDestFlags(global, sharedOpts, deprecatedTLSVerifyOpt, "dest-", "dcreds")
 	retryFlags, retryOpts := retryFlags()
 	copyFlags, copyOpts := sharedCopyFlags()
-	opts := copyOptions{global: global,
+	opts := copyOptions{
+		global:              global,
 		deprecatedTLSVerify: deprecatedTLSVerifyOpt,
 		srcImage:            srcOpts,
 		destImage:           destOpts,
@@ -251,7 +252,7 @@ func (opts *copyOptions) run(args []string, stdout io.Writer) (retErr error) {
 			if err != nil {
 				return err
 			}
-			if err = os.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0644); err != nil {
+			if err = os.WriteFile(opts.digestFile, []byte(manifestDigest.String()), 0o644); err != nil {
 				return fmt.Errorf("Failed to write digest to file %q: %w", opts.digestFile, err)
 			}
 		}
--- a/cmd/skopeo/generate_sigstore_key.go
+++ b/cmd/skopeo/generate_sigstore_key.go
@@ -79,10 +79,10 @@ func (opts *generateSigstoreKeyOptions) run(args []string, stdout io.Writer) err
 		return fmt.Errorf("Error generating key pair: %w", err)
 	}

-	if err := os.WriteFile(privateKeyPath, keys.PrivateKey, 0600); err != nil {
+	if err := os.WriteFile(privateKeyPath, keys.PrivateKey, 0o600); err != nil {
 		return fmt.Errorf("Error writing private key to %q: %w", privateKeyPath, err)
 	}
-	if err := os.WriteFile(pubKeyPath, keys.PublicKey, 0644); err != nil {
+	if err := os.WriteFile(pubKeyPath, keys.PublicKey, 0o644); err != nil {
 		return fmt.Errorf("Error writing private key to %q: %w", pubKeyPath, err)
 	}
 	fmt.Fprintf(stdout, "Key written to %q and %q\n", privateKeyPath, pubKeyPath)
--- a/cmd/skopeo/generate_sigstore_key_test.go
+++ b/cmd/skopeo/generate_sigstore_key_test.go
@@ -24,7 +24,7 @@ func TestGenerateSigstoreKey(t *testing.T) {
 	for _, suffix := range outputSuffixes {
 		dir := t.TempDir()
 		prefix := filepath.Join(dir, "prefix")
-		err := os.WriteFile(prefix+suffix, []byte{}, 0600)
+		err := os.WriteFile(prefix+suffix, []byte{}, 0o600)
 		require.NoError(t, err)
 		out, err := runSkopeo("generate-sigstore-key",
 			"--output-prefix", prefix, "--passphrase-file", "/dev/null",
@@ -37,7 +37,7 @@ func TestGenerateSigstoreKey(t *testing.T) {
 	for _, suffix := range outputSuffixes {
 		dir := t.TempDir()
 		nonDirectory := filepath.Join(dir, "nondirectory")
-		err := os.WriteFile(nonDirectory, []byte{}, 0600)
+		err := os.WriteFile(nonDirectory, []byte{}, 0o600)
 		require.NoError(t, err)
 		prefix := filepath.Join(dir, "prefix")
 		err = os.Symlink(filepath.Join(nonDirectory, "unaccessible"), prefix+suffix)
@@ -66,7 +66,7 @@ func TestGenerateSigstoreKey(t *testing.T) {
 	dir := t.TempDir()
 	prefix := filepath.Join(dir, "prefix")
 	passphraseFile := filepath.Join(dir, "passphrase")
-	err = os.WriteFile(passphraseFile, []byte("some passphrase"), 0600)
+	err = os.WriteFile(passphraseFile, []byte("some passphrase"), 0o600)
 	require.NoError(t, err)
 	out, err = runSkopeo("generate-sigstore-key",
 		"--output-prefix", prefix, "--passphrase-file", passphraseFile,
@@ -75,5 +75,4 @@ func TestGenerateSigstoreKey(t *testing.T) {
 	for _, suffix := range outputSuffixes {
 		assert.Contains(t, out, prefix+suffix)
 	}
-
 }
--- a/cmd/skopeo/list_tags_test.go
+++ b/cmd/skopeo/list_tags_test.go
@@ -11,8 +11,8 @@ import (
 // Tests the kinds of inputs allowed and expected to the command
 func TestDockerRepositoryReferenceParser(t *testing.T) {
 	for _, test := range [][]string{
-		{"docker://myhost.com:1000/nginx"}, //no tag
-		{"docker://myhost.com/nginx"},      //no port or tag
+		{"docker://myhost.com:1000/nginx"}, // no tag
+		{"docker://myhost.com/nginx"},      // no port or tag
 		{"docker://somehost.com"},          // Valid default expansion
 		{"docker://nginx"},                 // Valid default expansion
 	} {
@@ -31,8 +31,8 @@ func TestDockerRepositoryReferenceParser(t *testing.T) {
 		{"docker-daemon:myhost.com/someimage"},
 		{"docker://myhost.com:1000/nginx:foobar:foobar"},           // Invalid repository ref
 		{"docker://somehost.com:5000/"},                            // no repo
-		{"docker://myhost.com:1000/nginx:latest"},                  //tag not allowed
-		{"docker://myhost.com:1000/nginx@sha256:abcdef1234567890"}, //digest not allowed
+		{"docker://myhost.com:1000/nginx:latest"},                  // tag not allowed
+		{"docker://myhost.com:1000/nginx@sha256:abcdef1234567890"}, // digest not allowed
 	} {
 		_, err := parseDockerRepositoryReference(test[0])
 		assert.Error(t, err, test[0])
@@ -41,8 +41,8 @@ func TestDockerRepositoryReferenceParser(t *testing.T) {

 func TestDockerRepositoryReferenceParserDrift(t *testing.T) {
 	for _, test := range [][]string{
-		{"docker://myhost.com:1000/nginx", "myhost.com:1000/nginx"}, //no tag
-		{"docker://myhost.com/nginx", "myhost.com/nginx"},           //no port or tag
+		{"docker://myhost.com:1000/nginx", "myhost.com:1000/nginx"}, // no tag
+		{"docker://myhost.com/nginx", "myhost.com/nginx"},           // no port or tag
 		{"docker://somehost.com", "docker.io/library/somehost.com"}, // Valid default expansion
 		{"docker://nginx", "docker.io/library/nginx"},               // Valid default expansion
 	} {
--- a/cmd/skopeo/manifest.go
+++ b/cmd/skopeo/manifest.go
@@ -10,8 +10,7 @@ import (
 	"go.podman.io/image/v5/manifest"
 )

-type manifestDigestOptions struct {
-}
+type manifestDigestOptions struct{}

 func manifestDigestCmd() *cobra.Command {
 	var opts manifestDigestOptions
--- a/cmd/skopeo/signing.go
+++ b/cmd/skopeo/signing.go
@@ -61,7 +61,7 @@ func (opts *standaloneSignOptions) run(args []string, stdout io.Writer) error {
 		return fmt.Errorf("Error creating signature: %w", err)
 	}

-	if err := os.WriteFile(opts.output, signature, 0644); err != nil {
+	if err := os.WriteFile(opts.output, signature, 0o644); err != nil {
 		return fmt.Errorf("Error writing signature to %s: %w", opts.output, err)
 	}
 	return nil
@@ -118,7 +118,6 @@ func (opts *standaloneVerifyOptions) run(args []string, stdout io.Writer) error
 		mech, publicKeyfingerprints, err = signature.NewEphemeralGPGSigningMechanism(publicKeys)
 		if err != nil {
 			return fmt.Errorf("Error initializing GPG: %w", err)
-
 		}
 	} else {
 		mech, err = signature.NewGPGSigningMechanism()
@@ -147,8 +146,7 @@ func (opts *standaloneVerifyOptions) run(args []string, stdout io.Writer) error
 // (including things like “✅ Verified by $authority”)
 //
 // The subcommand is undocumented, and it may be renamed or entirely disappear in the future.
-type untrustedSignatureDumpOptions struct {
-}
+type untrustedSignatureDumpOptions struct{}

 func untrustedSignatureDumpCmd() *cobra.Command {
 	opts := untrustedSignatureDumpOptions{}
--- a/cmd/skopeo/sync.go
+++ b/cmd/skopeo/sync.go
@@ -182,7 +182,7 @@ func destinationReference(destination string, transport string) (types.ImageRefe
 			return nil, fmt.Errorf("Destination directory could not be used: %w", err)
 		}
 		// the directory holding the image must be created here
-		if err = os.MkdirAll(destination, 0755); err != nil {
+		if err = os.MkdirAll(destination, 0o755); err != nil {
 			return nil, fmt.Errorf("Error creating directory for image %s: %w", destination, err)
 		}
 		imageTransport = directory.Transport
@@ -270,7 +270,6 @@ func imagesToCopyFromDir(dirPath string) ([]types.ImageReference, error) {
 		}
 		return nil
 	})
-
 	if err != nil {
 		return sourceReferences,
 			fmt.Errorf("Error walking the path %q: %w", dirPath, err)
@@ -367,7 +366,8 @@ func imagesToCopyFromRegistry(registryName string, cfg registrySyncConfig, sourc
 		}
 		repoDescList = append(repoDescList, repoDescriptor{
 			ImageRefs: sourceReferences,
-			Context:   serverCtx})
+			Context:   serverCtx,
+		})
 	}

 	// include repository descriptors for cfg.ImagesByTagRegex
@@ -667,7 +667,7 @@ func (opts *syncOptions) run(args []string, stdout io.Writer) (retErr error) {

 	var digestFile *os.File
 	if opts.digestFile != "" && !opts.dryRun {
-		digestFile, err = os.OpenFile(opts.digestFile, os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0644)
+		digestFile, err = os.OpenFile(opts.digestFile, os.O_TRUNC|os.O_CREATE|os.O_WRONLY, 0o644)
 		if err != nil {
 			return fmt.Errorf("Error creating digest file: %w", err)
 		}
--- a/cmd/skopeo/utils_test.go
+++ b/cmd/skopeo/utils_test.go
@@ -49,7 +49,8 @@ func fakeGlobalOptions(t *testing.T, flags []string) (*globalOptions, *cobra.Com

 // fakeImageOptions creates imageOptions and sets it according to globalFlags/cmdFlags.
 func fakeImageOptions(t *testing.T, flagPrefix string, useDeprecatedTLSVerify bool,
-	globalFlags []string, cmdFlags []string) *imageOptions {
+	globalFlags []string, cmdFlags []string,
+) *imageOptions {
 	globalOpts, cmd := fakeGlobalOptions(t, globalFlags)
 	sharedFlags, sharedOpts := sharedImageFlags()
 	var deprecatedTLSVerifyFlag pflag.FlagSet
@@ -124,7 +125,8 @@ func TestImageOptionsNewSystemContext(t *testing.T) {

 // fakeImageDestOptions creates imageDestOptions and sets it according to globalFlags/cmdFlags.
 func fakeImageDestOptions(t *testing.T, flagPrefix string, useDeprecatedTLSVerify bool,
-	globalFlags []string, cmdFlags []string) *imageDestOptions {
+	globalFlags []string, cmdFlags []string,
+) *imageDestOptions {
 	globalOpts, cmd := fakeGlobalOptions(t, globalFlags)
 	sharedFlags, sharedOpts := sharedImageFlags()
 	var deprecatedTLSVerifyFlag pflag.FlagSet
@@ -389,7 +391,8 @@ func TestSharedCopyOptionsCopyOptions(t *testing.T) {
 		// to create test keys for that.
 		// This does not test --sign-by-sq-fingerprint, because that needs to be conditional based on buildWithSequoia.
 		{
-			options: []string{"--remove-signatures",
+			options: []string{
+				"--remove-signatures",
 				"--sign-by", "gpgFingerprint",
 				"--format", "oci",
 				"--preserve-digests",
@@ -488,21 +491,31 @@ func TestParseManifestFormat(t *testing.T) {
 		expectedManifestType string
 		expectErr            bool
 	}{
-		{"oci",
+		{
+			"oci",
 			imgspecv1.MediaTypeImageManifest,
-			false},
-		{"v2s1",
+			false,
+		},
+		{
+			"v2s1",
 			manifest.DockerV2Schema1SignedMediaType,
-			false},
-		{"v2s2",
+			false,
+		},
+		{
+			"v2s2",
 			manifest.DockerV2Schema2MediaType,
-			false},
-		{"",
+			false,
+		},
+		{
 			"",
-			true},
-		{"badValue",
 			"",
-			true},
+			true,
+		},
+		{
+			"badValue",
+			"",
+			true,
+		},
 	} {
 		manifestType, err := parseManifestFormat(testCase.formatParam)
 		if testCase.expectErr {
@@ -523,28 +536,37 @@ func TestImageOptionsAuthfileOverride(t *testing.T) {
 		expectedAuthfilePath string
 	}{
 		// if there is no prefix, only authfile is allowed.
-		{"",
+		{
+			"",
 			[]string{
 				"--authfile", "/srv/authfile",
-			}, "/srv/authfile"},
+			},
+			"/srv/authfile",
+		},
 		// if authfile and dest-authfile is provided, dest-authfile wins
-		{"dest-",
+		{
+			"dest-",
 			[]string{
 				"--authfile", "/srv/authfile",
 				"--dest-authfile", "/srv/dest-authfile",
-			}, "/srv/dest-authfile",
+			},
+			"/srv/dest-authfile",
 		},
 		// if only the shared authfile is provided, authfile must be present in system context
-		{"dest-",
+		{
+			"dest-",
 			[]string{
 				"--authfile", "/srv/authfile",
-			}, "/srv/authfile",
+			},
+			"/srv/authfile",
 		},
 		// if only the dest authfile is provided, dest-authfile must be present in system context
-		{"dest-",
+		{
+			"dest-",
 			[]string{
 				"--dest-authfile", "/srv/dest-authfile",
-			}, "/srv/dest-authfile",
+			},
+			"/srv/dest-authfile",
 		},
 	} {
 		opts := fakeImageOptions(t, testCase.flagPrefix, false, []string{}, testCase.cmdFlags)
--- a/hack/validate-gofmt.sh
+++ b/hack/validate-gofmt.sh
@@ -1,27 +0,0 @@
-#!/bin/bash
-
-IFS=$'\n'
-files=( $(find . -name '*.go' | grep -v '^./vendor/' | sort || true) )
-unset IFS
-
-badFiles=()
-for f in "${files[@]}"; do
-	if [ "$(gofmt -s -l < $f)" ]; then
-		badFiles+=( "$f" )
-	fi
-done
-
-if [ ${#badFiles[@]} -eq 0 ]; then
-	echo 'Congratulations!  All Go source files are properly formatted.'
-else
-	{
-		echo "These files are not properly gofmt'd:"
-		for f in "${badFiles[@]}"; do
-			echo " - $f"
-		done
-		echo
-		echo 'Please reformat the above files using "gofmt -s -w" and commit the result.'
-		echo
-	} >&2
-	exit 1
-fi
--- a/integration/blocked_test.go
+++ b/integration/blocked_test.go
@@ -1,7 +1,9 @@
 package main

-const blockedRegistriesConf = "./fixtures/blocked-registries.conf"
-const blockedErrorRegex = `.*registry registry-blocked.com is blocked in .*`
+const (
+	blockedRegistriesConf = "./fixtures/blocked-registries.conf"
+	blockedErrorRegex     = `.*registry registry-blocked.com is blocked in .*`
+)

 func (s *skopeoSuite) TestCopyBlockedSource() {
 	t := s.T()
--- a/integration/check_test.go
+++ b/integration/check_test.go
@@ -26,8 +26,10 @@ type skopeoSuite struct {
 	regV2WithAuth *testRegistryV2
 }

-var _ = suite.SetupAllSuite(&skopeoSuite{})
-var _ = suite.TearDownAllSuite(&skopeoSuite{})
+var (
+	_ = suite.SetupAllSuite(&skopeoSuite{})
+	_ = suite.TearDownAllSuite(&skopeoSuite{})
+)

 func (s *skopeoSuite) SetupSuite() {
 	t := s.T()
--- a/integration/copy_test.go
+++ b/integration/copy_test.go
@@ -48,8 +48,10 @@ type copySuite struct {
 	gpgHome    string
 }

-var _ = suite.SetupAllSuite(&copySuite{})
-var _ = suite.TearDownAllSuite(&copySuite{})
+var (
+	_ = suite.SetupAllSuite(&copySuite{})
+	_ = suite.TearDownAllSuite(&copySuite{})
+)

 func (s *copySuite) SetupSuite() {
 	t := s.T()
@@ -85,7 +87,7 @@ func (s *copySuite) SetupSuite() {

 		out := combinedOutputOfCommand(t, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
 		err := os.WriteFile(filepath.Join(s.gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
-			[]byte(out), 0600)
+			[]byte(out), 0o600)
 		require.NoError(t, err)
 	}
 }
@@ -541,9 +543,9 @@ func (s *copySuite) TestCopyEncryption() {
 	privateKeyBytes := x509.MarshalPKCS1PrivateKey(privateKey)
 	publicKeyBytes, err := x509.MarshalPKIXPublicKey(publicKey)
 	require.NoError(t, err)
-	err = os.WriteFile(keysDir+"/private.key", privateKeyBytes, 0644)
+	err = os.WriteFile(keysDir+"/private.key", privateKeyBytes, 0o644)
 	require.NoError(t, err)
-	err = os.WriteFile(keysDir+"/public.key", publicKeyBytes, 0644)
+	err = os.WriteFile(keysDir+"/public.key", publicKeyBytes, 0o644)
 	require.NoError(t, err)

 	// We can either perform encryption or decryption on the image.
@@ -568,7 +570,7 @@ func (s *copySuite) TestCopyEncryption() {
 	invalidPrivateKey, err := rsa.GenerateKey(rand.Reader, 4096)
 	require.NoError(t, err)
 	invalidPrivateKeyBytes := x509.MarshalPKCS1PrivateKey(invalidPrivateKey)
-	err = os.WriteFile(keysDir+"/invalid_private.key", invalidPrivateKeyBytes, 0644)
+	err = os.WriteFile(keysDir+"/invalid_private.key", invalidPrivateKeyBytes, 0o644)
 	require.NoError(t, err)
 	assertSkopeoFails(t, ".*no suitable key unwrapper found or none of the private keys could be used for decryption.*",
 		"copy", "--decryption-key", keysDir+"/invalid_private.key",
@@ -604,7 +606,6 @@ func (s *copySuite) TestCopyEncryption() {

 	// After successful decryption we should find the gzipped layers from the nginx image
 	matchLayerBlobBinaryType(t, partiallyDecryptedImgDir+"/blobs/sha256", "application/x-gzip", 3)
-
 }

 func matchLayerBlobBinaryType(t *testing.T, ociImageDirPath string, contentType string, matchCount int) {
@@ -818,7 +819,7 @@ func (s *copySuite) TestCopyDirSignatures() {
 	topDirDest := "dir:" + topDir

 	for _, suffix := range []string{"/dir1", "/dir2", "/restricted/personal", "/restricted/official", "/restricted/badidentity", "/dest"} {
-		err := os.MkdirAll(topDir+suffix, 0755)
+		err := os.MkdirAll(topDir+suffix, 0o755)
 		require.NoError(t, err)
 	}

@@ -900,7 +901,7 @@ func (s *copySuite) TestCopyCompression() {
 		{"uncompressed-image-s2", "atomic:localhost:5000/myns/compression:s2"},
 	} {
 		dir := filepath.Join(topDir, fmt.Sprintf("case%d", i))
-		err := os.MkdirAll(dir, 0755)
+		err := os.MkdirAll(dir, 0o755)
 		require.NoError(t, err)

 		assertSkopeoSucceeds(t, "", "--tls-verify=false", "copy", "dir:fixtures/"+c.fixture, c.remote)
@@ -953,7 +954,7 @@ func (s *copySuite) TestCopyDockerLookaside() {

 	tmpDir := t.TempDir()
 	copyDest := filepath.Join(tmpDir, "dest")
-	err = os.Mkdir(copyDest, 0755)
+	err = os.Mkdir(copyDest, 0o755)
 	require.NoError(t, err)
 	dirDest := "dir:" + copyDest
 	plainLookaside := filepath.Join(tmpDir, "lookaside")
@@ -967,7 +968,7 @@ func (s *copySuite) TestCopyDockerLookaside() {

 	policy := s.policyFixture(nil)
 	registriesDir := filepath.Join(tmpDir, "registries.d")
-	err = os.Mkdir(registriesDir, 0755)
+	err = os.Mkdir(registriesDir, 0o755)
 	require.NoError(t, err)
 	registriesFile := fileFromFixture(t, "fixtures/registries.yaml",
 		map[string]string{"@lookaside@": plainLookaside, "@split-staging@": splitLookasideStaging, "@split-read@": splitLookasideReadServer.URL})
@@ -1020,7 +1021,7 @@ func (s *copySuite) TestCopyAtomicExtension() {

 	topDir := t.TempDir()
 	for _, subdir := range []string{"dirAA", "dirAD", "dirDA", "dirDD", "registries.d"} {
-		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
+		err := os.MkdirAll(filepath.Join(topDir, subdir), 0o755)
 		require.NoError(t, err)
 	}
 	registriesDir := filepath.Join(topDir, "registries.d")
@@ -1213,7 +1214,7 @@ func (s *copySuite) TestCopyPreserveDigests() {
 func (s *copySuite) testCopySchemaConversionRegistries(t *testing.T, schema1Registry, schema2Registry string) {
 	topDir := t.TempDir()
 	for _, subdir := range []string{"input1", "input2", "dest2"} {
-		err := os.MkdirAll(filepath.Join(topDir, subdir), 0755)
+		err := os.MkdirAll(filepath.Join(topDir, subdir), 0o755)
 		require.NoError(t, err)
 	}
 	input1Dir := filepath.Join(topDir, "input1")
--- a/integration/openshift_test.go
+++ b/integration/openshift_test.go
@@ -223,7 +223,7 @@ func (cluster *openshiftCluster) ocLoginToProject(t *testing.T) {
 // We do not run (docker login) directly, because that requires a running daemon and a docker package.
 func (cluster *openshiftCluster) dockerLogin(t *testing.T) {
 	cluster.dockerDir = filepath.Join(homedir.Get(), ".docker")
-	err := os.MkdirAll(cluster.dockerDir, 0700)
+	err := os.MkdirAll(cluster.dockerDir, 0o700)
 	require.NoError(t, err)

 	out := combinedOutputOfCommand(t, "oc", "config", "view", "-o", "json", "-o", "jsonpath={.users[*].user.token}")
@@ -237,7 +237,7 @@ func (cluster *openshiftCluster) dockerLogin(t *testing.T) {
 			}`, port, authValue))
 	}
 	configJSON := `{"auths": {` + strings.Join(auths, ",") + `}}`
-	err = os.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0600)
+	err = os.WriteFile(filepath.Join(cluster.dockerDir, "config.json"), []byte(configJSON), 0o600)
 	require.NoError(t, err)
 }

--- a/integration/proxy_test.go
+++ b/integration/proxy_test.go
@@ -224,7 +224,6 @@ func (p *proxy) callGetRawBlob(args []any) (rval any, buf []byte, err error) {
 			content: buf,
 			err:     err,
 		}
-
 	}()
 	wg.Add(1)
 	go func() {
--- a/integration/registry_test.go
+++ b/integration/registry_test.go
@@ -70,7 +70,7 @@ compatibility:
 		username = "testuser"
 		password = "testpassword"
 		email = "test@test.org"
-		if err := os.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0644)); err != nil {
+		if err := os.WriteFile(htpasswdPath, []byte(userpasswd), os.FileMode(0o644)); err != nil {
 			return nil, err
 		}
 		htpasswd = fmt.Sprintf(`auth:
--- a/integration/sync_test.go
+++ b/integration/sync_test.go
@@ -46,8 +46,10 @@ type syncSuite struct {
 	registry *testRegistryV2
 }

-var _ = suite.SetupAllSuite(&syncSuite{})
-var _ = suite.TearDownAllSuite(&syncSuite{})
+var (
+	_ = suite.SetupAllSuite(&syncSuite{})
+	_ = suite.TearDownAllSuite(&syncSuite{})
+)

 func (s *syncSuite) SetupSuite() {
 	t := s.T()
@@ -92,7 +94,7 @@ func (s *syncSuite) SetupSuite() {

 		out := combinedOutputOfCommand(t, gpgBinary, "--armor", "--export", fmt.Sprintf("%s@example.com", key))
 		err := os.WriteFile(filepath.Join(gpgHome, fmt.Sprintf("%s-pubkey.gpg", key)),
-			[]byte(out), 0600)
+			[]byte(out), 0o600)
 		require.NoError(t, err)
 	}
 }
@@ -226,16 +228,16 @@ func (s *syncSuite) TestDirIsNotOverwritten() {
 	// make a copy of the image in the local registry
 	assertSkopeoSucceeds(t, "", "copy", "--retry-times", "3", "--dest-tls-verify=false", "docker://"+image, "docker://"+path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())))

-	//sync upstream image to dir, not scoped
+	// sync upstream image to dir, not scoped
 	dir1 := t.TempDir()
 	assertSkopeoSucceeds(t, "", "sync", "--src", "docker", "--dest", "dir", image, dir1)
 	_, err = os.Stat(path.Join(dir1, path.Base(imagePath), "manifest.json"))
 	require.NoError(t, err)

-	//sync local registry image to dir, not scoped
+	// sync local registry image to dir, not scoped
 	assertSkopeoFails(t, ".*Refusing to overwrite destination directory.*", "sync", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference())), dir1)

-	//sync local registry image to dir, scoped
+	// sync local registry image to dir, scoped
 	imageRef, err = docker.ParseReference(fmt.Sprintf("//%s", path.Join(v2DockerRegistryURL, reference.Path(imageRef.DockerReference()))))
 	require.NoError(t, err)
 	imagePath = imageRef.DockerReference().String()
@@ -290,7 +292,7 @@ func (s *syncSuite) TestYamlUntagged() {

 	// sync to the local registry
 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0o644)
 	require.NoError(t, err)
 	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "docker", "--dest-tls-verify=false", yamlFile, v2DockerRegistryURL)
 	// sync back from local registry to a folder
@@ -302,7 +304,7 @@ func (s *syncSuite) TestYamlUntagged() {
    %s: []
 `, v2DockerRegistryURL, imagePath)

-	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	err = os.WriteFile(yamlFile, []byte(yamlConfig), 0o644)
 	require.NoError(t, err)
 	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)

@@ -329,11 +331,11 @@ registry.k8s.io:
    pause: ^[12]\.0$  # regex string test
 `
 	// the       ↑    regex strings always matches only 2 images
-	var nTags = 2
+	nTags := 2
 	assert.NotZero(t, nTags)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0o644)
 	require.NoError(t, err)
 	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
 	assertNumberOfManifestsInSubdirs(t, dir1, nTags)
@@ -351,7 +353,7 @@ registry.k8s.io:
    - sha256:59eec8837a4d942cc19a52b8c09ea75121acc38114a2c68b98983ce9356b8610
 `
 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0o644)
 	require.NoError(t, err)
 	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
 	assertNumberOfManifestsInSubdirs(t, dir1, 1)
@@ -390,7 +392,7 @@ quay.io:
 	assert.NotZero(t, nTags)

 	yamlFile := path.Join(tmpDir, "registries.yaml")
-	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+	err := os.WriteFile(yamlFile, []byte(yamlConfig), 0o644)
 	require.NoError(t, err)
 	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
 	assertNumberOfManifestsInSubdirs(t, dir1, nTags)
@@ -441,14 +443,13 @@ func (s *syncSuite) TestYamlTLSVerify() {
 	for _, cfg := range testCfg {
 		yamlConfig := fmt.Sprintf(yamlTemplate, v2DockerRegistryURL, cfg.tlsVerify, image, tag)
 		yamlFile := path.Join(tmpDir, "registries.yaml")
-		err := os.WriteFile(yamlFile, []byte(yamlConfig), 0644)
+		err := os.WriteFile(yamlFile, []byte(yamlConfig), 0o644)
 		require.NoError(t, err)

 		cfg.checker(t, cfg.msg, "sync", "--scoped", "--src", "yaml", "--dest", "dir", yamlFile, dir1)
 		os.Remove(yamlFile)
 		os.RemoveAll(dir1)
 	}
-
 }

 func (s *syncSuite) TestSyncManifestOutput() {
@@ -459,7 +460,7 @@ func (s *syncSuite) TestSyncManifestOutput() {
 	destDir2 := filepath.Join(tmpDir, "dest2")
 	destDir3 := filepath.Join(tmpDir, "dest3")

-	//Split image:tag path from image URI for manifest comparison
+	// Split image:tag path from image URI for manifest comparison
 	imageDir := pullableTaggedImage[strings.LastIndex(pullableTaggedImage, "/")+1:]

 	assertSkopeoSucceeds(t, "", "sync", "--format=oci", "--all", "--src", "docker", "--dest", "dir", pullableTaggedImage, destDir1)
@@ -512,14 +513,14 @@ func (s *syncSuite) TestDir2DockerTagged() {
 	image := pullableRepoWithLatestTag

 	dir1 := path.Join(tmpDir, "dir1")
-	err := os.Mkdir(dir1, 0755)
+	err := os.Mkdir(dir1, 0o755)
 	require.NoError(t, err)
 	dir2 := path.Join(tmpDir, "dir2")
-	err = os.Mkdir(dir2, 0755)
+	err = os.Mkdir(dir2, 0o755)
 	require.NoError(t, err)

 	// create leading dirs
-	err = os.MkdirAll(path.Dir(path.Join(dir1, image)), 0755)
+	err = os.MkdirAll(path.Dir(path.Join(dir1, image)), 0o755)
 	require.NoError(t, err)

 	// copy docker => dir
@@ -531,7 +532,7 @@ func (s *syncSuite) TestDir2DockerTagged() {
 	assertSkopeoSucceeds(t, "", "sync", "--scoped", "--dest-tls-verify=false", "--src", "dir", "--dest", "docker", dir1, v2DockerRegistryURL)

 	// create leading dirs
-	err = os.MkdirAll(path.Dir(path.Join(dir2, image)), 0755)
+	err = os.MkdirAll(path.Dir(path.Join(dir2, image)), 0o755)
 	require.NoError(t, err)

 	// copy docker => dir
@@ -571,11 +572,11 @@ func (s *syncSuite) TestFailsWithDockerSourceNoRegistry() {

 	tmpDir := t.TempDir()

-	//untagged
+	// untagged
 	assertSkopeoFails(t, ".*StatusCode: 404.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL, tmpDir)

-	//tagged
+	// tagged
 	assertSkopeoFails(t, ".*StatusCode: 404.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", regURL+":thetag", tmpDir)
 }
@@ -585,11 +586,11 @@ func (s *syncSuite) TestFailsWithDockerSourceUnauthorized() {
 	const repo = "privateimagenamethatshouldnotbepublic"
 	tmpDir := t.TempDir()

-	//untagged
+	// untagged
 	assertSkopeoFails(t, ".*requested access to the resource is denied.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo, tmpDir)

-	//tagged
+	// tagged
 	assertSkopeoFails(t, ".*requested access to the resource is denied.*",
 		"sync", "--scoped", "--src", "docker", "--dest", "dir", repo+":thetag", tmpDir)
 }
@@ -599,11 +600,11 @@ func (s *syncSuite) TestFailsWithDockerSourceNotExisting() {
 	repo := path.Join(v2DockerRegistryURL, "imagedoesnotexist")
 	tmpDir := t.TempDir()

-	//untagged
+	// untagged
 	assertSkopeoFails(t, ".*repository name not known to registry.*",
 		"sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", repo, tmpDir)

-	//tagged
+	// tagged
 	assertSkopeoFails(t, ".*reading manifest.*",
 		"sync", "--scoped", "--src-tls-verify=false", "--src", "docker", "--dest", "dir", repo+":thetag", tmpDir)
 }
--- a/integration/utils_test.go
+++ b/integration/utils_test.go
@@ -29,9 +29,11 @@ var skopeoBinary = func() string {
 	return "skopeo"
 }()

-const testFQIN = "docker://quay.io/libpod/busybox" // tag left off on purpose, some tests need to add a special one
-const testFQIN64 = "docker://quay.io/libpod/busybox:amd64"
-const testFQINMultiLayer = "docker://quay.io/libpod/alpine_nginx:latest" // multi-layer
+const (
+	testFQIN           = "docker://quay.io/libpod/busybox" // tag left off on purpose, some tests need to add a special one
+	testFQIN64         = "docker://quay.io/libpod/busybox:amd64"
+	testFQINMultiLayer = "docker://quay.io/libpod/alpine_nginx:latest" // multi-layer
+)

 // consumeAndLogOutputStream takes (f, err) from an exec.*Pipe(), and causes all output to it to be logged to t.
 func consumeAndLogOutputStream(t *testing.T, id string, f io.ReadCloser, err error) {