fix: linting errors

Signed-off-by: Samuel K <skevetter@pm.me>

Author: skevetter

cmd/agent/workspace/up.go

@@ -229,7 +229,7 @@ func contentFolderExists(path string, log log.Logger) (bool, error) {
 
 func createContentFolder(path string, log log.Logger) error {
 	log.WithFields(logrus.Fields{"path": path}).Debug("create content folder")
-	if err := os.MkdirAll(path, 0o750); err != nil {
+	if err := os.MkdirAll(path, 0o755); err != nil {
 		return fmt.Errorf("make workspace folder: %w", err)
 	}
 	return nil
@@ -713,30 +713,49 @@ func tryMergeRootDockerConfig() error {
 }
 
 func mergeContainerdSnapshotterConfig(configPath string) error {
+	existingConfig, err := readExistingConfig(configPath)
+	if err != nil {
+		return err
+	}
+
+	features := ensureFeaturesMap(existingConfig)
+	features["containerd-snapshotter"] = true
+
+	return writeConfig(configPath, existingConfig)
+}
+
+func readExistingConfig(configPath string) (map[string]any, error) {
 	existingConfig := make(map[string]any)
+	// #nosec G304 -- configPath is controlled by the application
 	data, err := os.ReadFile(configPath)
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
-		return fmt.Errorf("read existing config: %w", err)
+		return nil, fmt.Errorf("read existing config: %w", err)
 	}
 
 	if len(data) > 0 {
 		if err := json.Unmarshal(data, &existingConfig); err != nil {
-			return fmt.Errorf("parse existing config: %w", err)
+			return nil, fmt.Errorf("parse existing config: %w", err)
 		}
 	}
+	return existingConfig, nil
+}
 
-	features, ok := existingConfig["features"].(map[string]any)
+func ensureFeaturesMap(config map[string]any) map[string]any {
+	features, ok := config["features"].(map[string]any)
 	if !ok {
 		features = make(map[string]any)
-		existingConfig["features"] = features
+		config["features"] = features
 	}
-	features["containerd-snapshotter"] = true
+	return features
+}
 
-	mergedData, err := json.MarshalIndent(existingConfig, "", "  ")
+func writeConfig(configPath string, config map[string]any) error {
+	mergedData, err := json.MarshalIndent(config, "", "  ")
 	if err != nil {
 		return fmt.Errorf("marshal config: %w", err)
 	}
 
+	// #nosec G301 -- directory needs to be accessible by docker daemon
 	if err := os.MkdirAll(filepath.Dir(configPath), 0755); err != nil {
 		return fmt.Errorf("create config directory: %w", err)
 	}

e2e/tests/integration/integration.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/skevetter/devpod/e2e/framework"
@@ -27,28 +28,36 @@ var _ = ginkgo.Describe("[integration]: devpod provider ssh test suite", ginkgo.
 				framework.ExpectNoError(err)
 			}
 
-			_, err := os.Stat(os.Getenv("HOME") + "/.ssh/id_rsa")
+			homeDir := os.Getenv("HOME")
+			sshKeyPath := filepath.Join(homeDir, ".ssh", "id_rsa")
+			sshPubKeyPath := filepath.Join(homeDir, ".ssh", "id_rsa.pub")
+
+			_, err := os.Stat(sshKeyPath)
 			if err != nil {
 				fmt.Println("generating ssh keys")
-				cmd := exec.CommandContext(ctx, "ssh-keygen", "-q", "-t", "rsa", "-N", "", "-f", os.Getenv("HOME")+"/.ssh/id_rsa")
+				// #nosec G204 -- ssh-keygen with fixed arguments for test setup
+				cmd := exec.CommandContext(ctx, "ssh-keygen", "-q", "-t", "rsa", "-N", "", "-f", sshKeyPath)
 				err = cmd.Run()
 				framework.ExpectNoError(err)
 
-				cmd = exec.CommandContext(ctx, "ssh-keygen", "-y", "-f", os.Getenv("HOME")+"/.ssh/id_rsa")
+				// #nosec G204 -- ssh-keygen with fixed arguments for test setup
+				cmd = exec.CommandContext(ctx, "ssh-keygen", "-y", "-f", sshKeyPath)
 				output, err := cmd.Output()
 				framework.ExpectNoError(err)
 
-				err = os.WriteFile(os.Getenv("HOME")+"/.ssh/id_rsa.pub", output, 0600)
+				err = os.WriteFile(sshPubKeyPath, output, 0600)
 				framework.ExpectNoError(err)
 			}
 
-			cmd := exec.CommandContext(ctx, "ssh-keygen", "-y", "-f", os.Getenv("HOME")+"/.ssh/id_rsa")
+			// #nosec G204 -- ssh-keygen with fixed arguments for test setup
+			cmd := exec.CommandContext(ctx, "ssh-keygen", "-y", "-f", sshKeyPath)
 			publicKey, err := cmd.Output()
 			framework.ExpectNoError(err)
 
-			_, err = os.Stat(os.Getenv("HOME") + "/.ssh/authorized_keys")
+			authorizedKeysPath := filepath.Join(homeDir, ".ssh", "authorized_keys")
+			_, err = os.Stat(authorizedKeysPath)
 			if err != nil {
-				err = os.WriteFile(os.Getenv("HOME")+"/.ssh/authorized_keys", publicKey, 0600)
+				err = os.WriteFile(authorizedKeysPath, publicKey, 0600)
 				framework.ExpectNoError(err)
 			} else {
 				f, err := os.OpenFile(os.Getenv("HOME")+"/.ssh/authorized_keys",

pkg/client/clientimplementation/workspace_client.go

@@ -521,23 +521,6 @@ func (s *workspaceClient) Command(ctx context.Context, commandOptions client.Com
 	})
 }
 
-func (s *workspaceClient) buildEnvironment(command string) ([]string, error) {
-	s.m.Lock()
-	defer s.m.Unlock()
-
-	return provider.ToEnvironmentWithBinaries(provider.EnvironmentOptions{
-		Context:   s.workspace.Context,
-		Workspace: s.workspace,
-		Machine:   s.machine,
-		Options:   s.devPodConfig.ProviderOptions(s.config.Name),
-		Config:    s.config,
-		ExtraEnv: map[string]string{
-			provider.CommandEnv: command,
-		},
-		Log: s.log,
-	})
-}
-
 func (s *workspaceClient) Status(ctx context.Context, options client.StatusOptions) (client.Status, error) {
 	s.m.Lock()
 	defer s.m.Unlock()
@@ -650,6 +633,23 @@ type CommandOptions struct {
 	Log       log.Logger
 }
 
+func (s *workspaceClient) buildEnvironment(command string) ([]string, error) {
+	s.m.Lock()
+	defer s.m.Unlock()
+
+	return provider.ToEnvironmentWithBinaries(provider.EnvironmentOptions{
+		Context:   s.workspace.Context,
+		Workspace: s.workspace,
+		Machine:   s.machine,
+		Options:   s.devPodConfig.ProviderOptions(s.config.Name),
+		Config:    s.config,
+		ExtraEnv: map[string]string{
+			provider.CommandEnv: command,
+		},
+		Log: s.log,
+	})
+}
+
 func RunCommandWithBinaries(opts CommandOptions) error {
 	environ, err := provider.ToEnvironmentWithBinaries(provider.EnvironmentOptions{
 		Context:   opts.Context,

pkg/workspace/provider.go

@@ -233,18 +233,12 @@ func ResolveProvider(providerSource string, log log.Logger) ([]byte, *provider.P
 		return out, retSource, nil
 	}
 
-	if out, ok, err := resolveURLProvider(providerSource, retSource, log); ok {
-		if err != nil {
-			return nil, nil, err
-		}
-		return out, retSource, nil
+	if out, err := tryResolveURLProvider(providerSource, retSource, log); out != nil || err != nil {
+		return out, retSource, err
 	}
 
-	if out, ok, err := resolveFileProvider(providerSource, retSource); ok {
-		if err != nil {
-			return nil, nil, err
-		}
-		return out, retSource, nil
+	if out, err := tryResolveFileProvider(providerSource, retSource); out != nil || err != nil {
+		return out, retSource, err
 	}
 
 	out, source, err := downloadProviderGithub(providerSource, log)
@@ -258,6 +252,22 @@ func ResolveProvider(providerSource string, log log.Logger) ([]byte, *provider.P
 	return nil, nil, fmt.Errorf("provider type not recognized: specify a local file, url, or github repository")
 }
 
+func tryResolveURLProvider(providerSource string, retSource *provider.ProviderSource, log log.Logger) ([]byte, error) {
+	out, ok, err := resolveURLProvider(providerSource, retSource, log)
+	if !ok {
+		return nil, nil
+	}
+	return out, err
+}
+
+func tryResolveFileProvider(providerSource string, retSource *provider.ProviderSource) ([]byte, error) {
+	out, ok, err := resolveFileProvider(providerSource, retSource)
+	if !ok {
+		return nil, nil
+	}
+	return out, err
+}
+
 func downloadProviderGithub(originalPath string, log log.Logger) ([]byte, *provider.ProviderSource, error) {
 	path := strings.TrimPrefix(originalPath, githubPrefix)
 
@@ -272,8 +282,10 @@ func downloadProviderGithub(originalPath string, log log.Logger) ([]byte, *provi
 	if len(splitted) == 1 {
 		path = providerPrefix + path
 	} else if len(splitted) != 2 {
-		// Invalid GitHub path format - expected 'owner/repo' or 'provider-name'
-		return nil, nil, fmt.Errorf("invalid github path format: expected 'owner/repo' or 'provider-name', got %q", originalPath)
+		return nil, nil, fmt.Errorf(
+			"invalid github path format: expected 'owner/repo' or 'provider-name', got %q",
+			originalPath,
+		)
 	}
 
 	requestURL := buildGithubURL(path, release)
@@ -403,35 +415,40 @@ func installProvider(
 }
 
 func updateProvider(p ProviderParams) (*provider.ProviderConfig, error) {
-	providerConfig, err := provider.ParseProvider(bytes.NewReader(p.Raw))
+	providerConfig, err := parseAndValidateProvider(p)
 	if err != nil {
 		return nil, err
 	}
-	if p.Source == nil {
-		return nil, fmt.Errorf("provider source is required")
-	}
-
-	providerConfig.Source = *p.Source
-	if p.ProviderName != "" {
-		providerConfig.Name = p.ProviderName
-	}
-	if providerConfig.Options == nil {
-		providerConfig.Options = map[string]*types.Option{}
-	}
 
 	cleanupOldOptions(p.DevPodConfig, providerConfig)
 
 	if err := config.SaveConfig(p.DevPodConfig); err != nil {
 		return nil, err
 	}
 
-	if err := downloadProviderBinaries(p, providerConfig); err != nil {
+	if err := downloadAndSaveProvider(p, providerConfig); err != nil {
 		return nil, err
 	}
 
-	if err := provider.SaveProviderConfig(p.DevPodConfig.DefaultContext, providerConfig); err != nil {
+	return providerConfig, nil
+}
+
+func parseAndValidateProvider(p ProviderParams) (*provider.ProviderConfig, error) {
+	providerConfig, err := provider.ParseProvider(bytes.NewReader(p.Raw))
+	if err != nil {
 		return nil, err
 	}
+	if p.Source == nil {
+		return nil, fmt.Errorf("provider source is required")
+	}
+
+	providerConfig.Source = *p.Source
+	if p.ProviderName != "" {
+		providerConfig.Name = p.ProviderName
+	}
+	if providerConfig.Options == nil {
+		providerConfig.Options = map[string]*types.Option{}
+	}
 
 	return providerConfig, nil
 }