Azure · weikanglim · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026
@@ -46,7 +46,7 @@ jobs:
           node-version: "20"
 
       - name: Install golangci-lint
-        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.10.1
+        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.11.4
 
       - name: Install cspell
         run: npm install -g cspell@8.13.1

@@ -16,7 +16,7 @@ on:
         description: "GolangCI-Lint version to use"
         required: false
         type: string
-        default: "v2.10.1"
+        default: "v2.11.4"
 
 permissions:
   contents: read

@@ -39,6 +39,7 @@ linters:
         - G304 # TODO: Potential file inclusion via variable
         - G104 # TODO: Errors unhandled
         - G117 # Exported struct fields matching secret patterns (false positives on field names)
+        - G122 # TODO: Filesystem operation in filepath.Walk/WalkDir callback uses race-prone path
 formatters:
   enable:
     - gofmt
@@ -802,6 +802,7 @@ func createLocalTemplateDir(t *testing.T, sourceTestData string) string {
 		if err != nil {
 			return err
 		}
+		//nolint:gosec // G703: test paths are controlled
 		return os.WriteFile(filepath.Join(dir, relTarget), content, 0600)
 	})
 	require.NoError(t, err)

@@ -90,7 +90,7 @@ func (s *Server) Serve(l net.Listener) error {
 	}
 
 	// Run upload periodically in the background while the server is running.
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(context.Background()) //nolint:gosec // G118: cancel stored in s.cancelTelemetryUpload
 	ts := telemetry.GetTelemetrySystem()
 	backgroundTelemetry := func() {
 		ticker := time.NewTicker(5 * time.Second)
@@ -213,6 +213,7 @@ func serveRpc(w http.ResponseWriter, r *http.Request, handlers map[string]Handle
 			call, isCall := req.(*jsonrpc2.Call)
 			if isCall {
 				span.SetAttributes(fields.JsonRpcId.String(fmt.Sprint(call.ID())))
+				//nolint:gosec // G118: cancel stored in cancelers map and called on completion
 				ctx, cancel := context.WithCancel(ctx)
 				childCtx = ctx
 				cancelersMu.Lock()

@@ -158,7 +158,7 @@ func Preflight() error {
 
 	// Check required tools are installed before running anything.
 	if err := requireTool("golangci-lint",
-		"go install github.com/golangci/golangci-lint/cmd/golangci-lint@v2.10.1"); err != nil {
+		"go install github.com/golangci/golangci-lint/cmd/golangci-lint@v2.11.4"); err != nil {
 		return err
 	}
 	if err := requireTool("cspell", "npm install -g cspell@8.13.1"); err != nil {

@@ -748,6 +748,7 @@ func (t *TerraformProvider) createInputParametersFile(
 	}
 
 	log.Printf("Writing parameters file to: %s", inputFilePath)
+	//nolint:gosec // G703: path derived from infra config, not user input
 	err = os.WriteFile(inputFilePath, []byte(replaced), 0600)
 	if err != nil {
 		return fmt.Errorf("writing parameter file: %w", err)

@@ -305,6 +305,7 @@ func TestIsRemoteBackendConfig(t *testing.T) {
 			require.NoError(t, err)
 
 			// #nosec G306 -- test file permissions are intentionally readable
+			//nolint:gosec // G703: test paths are controlled
 			err = os.WriteFile(filepath.Join(infraDir, "main.tf"), testContent, 0644)
 			require.NoError(t, err)
 

@@ -163,7 +163,7 @@ func (cli *Cli) PublishAppHostManifest(
 			)
 		}
 
-		return os.WriteFile(manifestPath, m, osutil.PermissionFile)
+		return os.WriteFile(manifestPath, m, osutil.PermissionFile) //nolint:gosec // G703: path from known project structure
 	}
 
 	// For single-file apphost, we need to use the .cs file directly

@@ -641,7 +641,10 @@ type urlRewriteTransport struct {
 func (t *urlRewriteTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	// Rewrite the request URL to the test server, preserving path
 	newURL := t.targetURL + req.URL.Path
-	newReq, err := http.NewRequestWithContext(req.Context(), req.Method, newURL, req.Body)
+	//nolint:gosec // G704: URL from test server, not user input
+	newReq, err := http.NewRequestWithContext(
+		req.Context(), req.Method, newURL, req.Body,
+	)
 	if err != nil {
 		return nil, err
 	}

@@ -76,7 +76,7 @@ func (s *Spinner) Start(ctx context.Context) error {
 	}
 
 	// Use a context to determine when to stop the spinner
-	cancelCtx, cancel := context.WithCancel(ctx)
+	cancelCtx, cancel := context.WithCancel(ctx) //nolint:gosec // G118: cancel stored in s.cancel and called in Stop()
 	s.cancel = cancel
 
 	s.clear = false

@@ -170,13 +170,15 @@ func fetchOIDCToken(ctx context.Context) (string, error) {
 		return "", err
 	}
 
+	//nolint:gosec // G704: URL is constructed from a trusted OIDC endpoint
 	tokenReq, err := http.NewRequestWithContext(ctx, http.MethodPost, url, nil)
 	if err != nil {
 		return "", err
 	}
 
 	tokenReq.Header.Set("Authorization", "Bearer "+os.Getenv("SYSTEM_ACCESSTOKEN"))
-	tokenRes, err := http.DefaultClient.Do(tokenReq) //nolint:gosec // G704: URL is constructed from a trusted OIDC endpoint
+	//nolint:gosec // G704: URL is constructed from a trusted OIDC endpoint
+	tokenRes, err := http.DefaultClient.Do(tokenReq)
 	if err != nil {
 		return "", err
 	}
-Original file line number
+Diff line change
@@ Expand Up / @@ -163,7 +163,7 @@ func (cli *Cli) PublishAppHostManifest( @@
     			)
     		}
-    		return os.WriteFile(manifestPath, m, osutil.PermissionFile)
+    		return os.WriteFile(manifestPath, m, osutil.PermissionFile) //nolint:gosec // G703: path from known project structure
     	}
     	// For single-file apphost, we need to use the .cs file directly
@@ Expand Down @@