Upgrade to go1.19

.github/workflows/build.yaml

@@ -39,7 +39,7 @@ jobs:
 
       - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2.2.0
         with:
-          go-version: '1.18'
+          go-version: '1.19'
           check-latest: true
 
       # will use the latest release available for ko

.github/workflows/codeql-analysis.yml

@@ -54,7 +54,7 @@ jobs:
     - name: Set correct version of Golang to use during CodeQL run
       uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2.1.5
       with:
-        go-version: '1.18'
+        go-version: '1.19'
         check-latest: true
 
     # Initializes the CodeQL tools for scanning.

.github/workflows/cross.yaml

@@ -31,7 +31,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2.2.0
         with:
-          go-version: '1.18'
+          go-version: '1.19'
           check-latest: true
       - name: Checkout code
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0

.github/workflows/e2e-with-binary.yml

@@ -41,7 +41,7 @@ jobs:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
       - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2.2.0
         with:
-          go-version: '1.18'
+          go-version: '1.19'
           check-latest: true
       - name: build cosign and check
         shell: bash

.github/workflows/e2e_tests.yml

@@ -38,7 +38,7 @@ jobs:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
       - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2.2.0
         with:
-          go-version: '1.18'
+          go-version: '1.19'
           check-latest: true
       - name: Set up Cloud SDK
         uses: google-github-actions/setup-gcloud@877d4953d2c70a0ba7ef3290ae968eb24af233bb # v0.5.1

.github/workflows/github-oidc.yaml

@@ -38,7 +38,7 @@ jobs:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
       - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2.2.0
         with:
-          go-version: '1.18'
+          go-version: '1.19'
           check-latest: true
           cache: true
 

.github/workflows/kind-verify-attestation.yaml

@@ -47,7 +47,7 @@ jobs:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
     - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2.2.0
       with:
-        go-version: '1.18'
+        go-version: '1.19'
         check-latest: true
 
     # will use the latest release available for ko

.github/workflows/tests.yaml

@@ -23,7 +23,7 @@ on:
 permissions: read-all
 
 env:
-  GO_VERSION: 1.18
+  GO_VERSION: 1.19
 
 jobs:
   unit-tests:
@@ -167,11 +167,11 @@ jobs:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
       - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2.2.0
         with:
-          go-version: 1.18
+          go-version: 1.19
           check-latest: true
       - name: golangci-lint
         uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc # v3
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.46
+          version: v1.49
           args: --timeout=5m

.github/workflows/validate-release.yml

@@ -39,8 +39,8 @@ jobs:
       statuses: none
 
     env:
-      CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.18.5-1@sha256:7dda2158ee68f0e4f53ca9bdf3971b2db01084dad4bdc775391e5f3bf40056a5
-      COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.10.1@sha256:9377edd13ae515dcb97c15052e577a2cbce098f36b0361bdb2348e3bdd8fe536
+      CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.19.0-0@sha256:904f22549b631c34c92fa696aa39144f8b5da3ee1dff095d4e3164fd50090767
+      COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.11.1@sha256:f9fd5a287a67f4b955d08062a966df10f9a600b6b8583fd367bce3f1f000a429
 
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2

.github/workflows/verify-docgen.yaml

@@ -34,6 +34,6 @@ jobs:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
       - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2.2.0
         with:
-          go-version: '1.18'
+          go-version: '1.19'
           check-latest: true
       - run: ./cmd/help/verify.sh

.golangci.yml

@@ -16,7 +16,7 @@
 linters:
   enable:
   - asciicheck
-  - deadcode
+  - unused
   - depguard
   - errcheck
   - errorlint

pkg/policy/eval.go

@@ -51,7 +51,7 @@ func EvaluatePolicyAgainstJSON(ctx context.Context, name, policyType string, pol
 }
 
 // evaluateCue evaluates a cue policy `evaluator` against `attestation`
-func evaluateCue(ctx context.Context, attestation []byte, evaluator string) error {
+func evaluateCue(_ context.Context, attestation []byte, evaluator string) error {
 	log.Printf("Evaluating attestation: %s", string(attestation))
 	log.Printf("Evaluator: %s", evaluator)
 
@@ -72,7 +72,7 @@ func evaluateCue(ctx context.Context, attestation []byte, evaluator string) erro
 }
 
 // evaluateRego evaluates a rego policy `evaluator` against `attestation`
-func evaluateRego(ctx context.Context, attestation []byte, evaluator string) error {
+func evaluateRego(_ context.Context, attestation []byte, evaluator string) error {
 	log.Printf("Evaluating attestation: %s", string(attestation))
 	log.Printf("Evaluating evaluator: %s", evaluator)
 

release/cloudbuild.yaml

@@ -32,17 +32,17 @@ steps:
     echo "Checking out ${_GIT_TAG}"
     git checkout ${_GIT_TAG}
 
-- name: 'gcr.io/projectsigstore/cosign:v1.10.1@sha256:9377edd13ae515dcb97c15052e577a2cbce098f36b0361bdb2348e3bdd8fe536'
+- name: 'gcr.io/projectsigstore/cosign:v1.11.1@sha256:f9fd5a287a67f4b955d08062a966df10f9a600b6b8583fd367bce3f1f000a429'
   dir: "go/src/sigstore/cosign"
   env:
   - COSIGN_EXPERIMENTAL=true
   - TUF_ROOT=/tmp
   args:
   - 'verify'
-  - 'ghcr.io/gythialy/golang-cross:v1.18.5-1@sha256:7dda2158ee68f0e4f53ca9bdf3971b2db01084dad4bdc775391e5f3bf40056a5'
+  - 'ghcr.io/gythialy/golang-cross:v1.19.0-0@sha256:904f22549b631c34c92fa696aa39144f8b5da3ee1dff095d4e3164fd50090767'
 
 # maybe we can build our own image and use that to be more in a safe side
-- name: ghcr.io/gythialy/golang-cross:v1.18.5-1@sha256:7dda2158ee68f0e4f53ca9bdf3971b2db01084dad4bdc775391e5f3bf40056a5
+- name: ghcr.io/gythialy/golang-cross:v1.19.0-0@sha256:904f22549b631c34c92fa696aa39144f8b5da3ee1dff095d4e3164fd50090767
   entrypoint: /bin/sh
   dir: "go/src/sigstore/cosign"
   env:
@@ -65,7 +65,7 @@ steps:
       gcloud auth configure-docker \
       && make release
 
-- name: ghcr.io/gythialy/golang-cross:v1.18.5-1@sha256:7dda2158ee68f0e4f53ca9bdf3971b2db01084dad4bdc775391e5f3bf40056a5
+- name: ghcr.io/gythialy/golang-cross:v1.19.0-0@sha256:904f22549b631c34c92fa696aa39144f8b5da3ee1dff095d4e3164fd50090767
   entrypoint: 'bash'
   dir: "go/src/sigstore/cosign"
   env:

test/cmd/getoidctoken/main.go

@@ -19,6 +19,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"time"
 
 	"github.com/kelseyhightower/envconfig"
 )
@@ -52,7 +53,14 @@ func main() {
 		log.Fatalf("failed to process env var: %s", err)
 	}
 	http.HandleFunc("/", tokenWriter(env.FileName))
-	if err := http.ListenAndServe(":8080", nil); err != nil {
+
+	srv := &http.Server{
+		Addr:         ":8080",
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+	}
+
+	if err := srv.ListenAndServe(); err != nil {
 		panic(err)
 	}
 }