run:
  deadline: 20m

linters-settings:
  dupl:
    threshold: 100
  funlen:
    lines: 100
    statements: 50
  gci:
    local-prefixes: github.com/pomerium
  goconst:
    min-len: 2
    min-occurrences: 2
  gocritic:
    enabled-tags:
      - diagnostic
      - experimental
      - opinionated
      - performance
      - style
    disabled-checks:
      - dupImport # https://github.com/go-critic/go-critic/issues/845
      - ifElseChain
      - octalLiteral
      - whyNoLint
      - wrapperFunc
  gocyclo:
    min-complexity: 15
  goimports:
    local-prefixes: github.com/pomerium
  govet:
    check-shadowing: false
  lll:
    line-length: 160
  maligned:
    suggest-new: true
  misspell:
    locale: US
  nolintlint:
    allow-leading-space: true # don't require machine-readable nolint directives (i.e. with no leading space)
    allow-unused: false # report any unused nolint directives
    require-explanation: false # don't require an explanation for nolint directives
    require-specific: false # don't require nolint directives to be specific about which linter is being skipped

linters:
  disable-all: true
  enable:
    - bodyclose
    - deadcode
    - depguard
    - dogsled
    - errcheck
    - gofmt
    - goimports
    - goprintffuncname
    - gosec
    - gosimple
    - govet
    - ineffassign
    - lll
    - misspell
    - nakedret
    - nolintlint
    - revive
    - rowserrcheck
    - staticcheck
    - structcheck
    - stylecheck
    - typecheck
    - unconvert
    - unused
    - varcheck
    # - asciicheck
    # - dupl
    # - exhaustive
    # - funlen
    # - gochecknoglobals
    # - gochecknoinits
    # - gocognit
    # - goconst
    # - gocritic
    # - gocyclo
    # - godot
    # - godox
    # - goerr113
    # - gomnd
    # - interfacer
    # - maligned
    # - nestif
    # - noctx
    # - prealloc
    # - scopelint
    # - testpackage
    # - whitespace
    # - wsl

issues:
  exclude-use-default: false
  # List of regexps of issue texts to exclude, empty list by default.
  # But independently from this option we use default exclude patterns,
  # it can be disabled by `exclude-use-default: false`. To list all
  # excluded by default patterns execute `golangci-lint run --help`
  exclude:
    ## Defaults we want from golangci-lint
    # errcheck: Almost all programs ignore errors on these functions and in most cases it's ok
    - Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked
    # golint: False positive when tests are defined in package 'test'
    - func name will be used as test\.Test.* by other packages, and that stutters; consider calling this
    # govet: Common false positives
    - (possible misuse of unsafe.Pointer|should have signature)
    # staticcheck: Developers tend to write in C-style with an explicit 'break' in a 'switch', so it's ok to ignore
    - ineffective break statement. Did you mean to break out of the outer loop
    # gosec: Too many false-positives on 'unsafe' usage
    - Use of unsafe calls should be audited
    # gosec: Too many false-positives for parametrized shell calls
    - Subprocess launch(ed with variable|ing should be audited)
    # gosec: Duplicated errcheck checks
    - G104
    # gosec: unsafe close on file errors
    - G307
    # gosec: Too many issues in popular repos
    - (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)
    # gosec: False positive is triggered by 'src, err := os.ReadFile(filename)'
    - Potential file inclusion via variable

    ##
    ## Custom
    ##
    # Mostly harmless buffer writes where we skip error checking
    # https://golang.org/pkg/bytes/#Buffer.Write
    - "Error return value of `w.Write` is not checked"
    - "Error return value of `io.WriteString` is not checked"
    - "Error return value of `viper.BindEnv` is not checked"
    - "Error return value of `h.Write` is not checked"
    - "ExecuteTemplate` is not checked"

    # go sec : we want to allow skipping tls auth
    - "TLS InsecureSkipVerify set true."
    - "goroutine calls T.Fatalf, which must be called in the same goroutine as the test"
    # good job Protobuffs!
    - "method XXX"
    - "SA1019"
    # EXC0001 errcheck: Almost all programs ignore errors on these functions and in most cases it's ok
    - Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*print(f|ln)?|os\.(Un)?Setenv). is not checked

  exclude-rules:
    # https://github.com/go-critic/go-critic/issues/926
    - linters:
        - gocritic
      text: "unnecessaryDefer:"
    # Exclude some linters from running on test files.
    - path: _test\.go$|^tests/|^integration/|^samples/|templates\.go$
      linters:
        - bodyclose
        - errcheck
        - gomnd
        - gosec
        - lll
        - maligned
        - staticcheck
        - unparam
        - unused
        - scopelint
        - gosec
        - gosimple
    # Exclude lll issues for long lines with go:generate
    - linters:
        - lll
      source: "^//go:generate "
    # erroneously thinks google api url is a cred
    - path: internal/identity/google.go
      text: "Potential hardcoded credentials"
      linters:
        - gosec
    # deprecated but every example still uses New
    - path: internal/identity/google.go
      text: "please use NewService instead"
      linters:
        - staticcheck
    - path: internal/identity/oauth/github/github.go
      text: "Potential hardcoded credentials"
      linters:
        - gosec
    - linters: [golint]
      text: "should have a package comment"

# golangci.com configuration
# https://github.com/golangci/golangci/wiki/Configuration
service:
  golangci-lint-version: 1.34.x # use the fixed version to not introduce new linters unexpectedly