From 1863b39d1f09034dcc499317247c0fdc6caff6c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ville=20Skytt=C3=A4?= <ville.skytta@upcloud.com>
Date: Wed, 1 Apr 2026 16:21:35 +0300
Subject: [PATCH 1/3] chore: upgrade golangci-lint to v2, address trivial
 findings

---
 .github/workflows/ci.yaml | 2 +-
 .golangci.yml             | 2 ++
 cmd/sshi/root.go          | 2 +-
 internal/auth/cert.go     | 6 +++---
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index bafb4980..31816803 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: golangci/golangci-lint-action@v3
+      - uses: golangci/golangci-lint-action@v9
         with:
           version: latest
   test:
diff --git a/.golangci.yml b/.golangci.yml
index a29af194..ab042ada 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,3 +1,5 @@
+version: "2"
+
 linters:
   enable:
     - gocritic
diff --git a/cmd/sshi/root.go b/cmd/sshi/root.go
index 4d909086..c0e15e11 100644
--- a/cmd/sshi/root.go
+++ b/cmd/sshi/root.go
@@ -51,7 +51,7 @@ func ignoreFlagsAfter(cmds ...string) {
 	}
 
 	// Inject -- after the subcommand to signal Cobra not to try to parse flags
-	var args []string
+	var args []string //nolint:prealloc // insignificant
 	args = append(args, os.Args[:cmdIndex+1]...)
 	args = append(args, "--")
 	args = append(args, os.Args[cmdIndex+1:]...)
diff --git a/internal/auth/cert.go b/internal/auth/cert.go
index bb492904..35627782 100644
--- a/internal/auth/cert.go
+++ b/internal/auth/cert.go
@@ -10,11 +10,11 @@ import (
 
 func MakeCertificates(key ssh.PublicKey, actx *AuthContext, validBefore time.Time, maxPrincipalsPerCert int) []*ssh.Certificate {
 	var kid strings.Builder
-	kid.WriteString(fmt.Sprintf("subject=%q", actx.GetSubjectName()))
+	fmt.Fprintf(&kid, "subject=%q", actx.GetSubjectName())
 	if aid, ok := actx.GetAuthMeta()[MetaAuditID]; ok {
-		kid.WriteString(fmt.Sprintf(" audit_id=%q", aid))
+		fmt.Fprintf(&kid, " audit_id=%q", aid)
 	}
-	kid.WriteString(fmt.Sprintf(" via=%q", strings.Join(actx.GetAuthenticators(), ",")))
+	fmt.Fprintf(&kid, " via=%q", strings.Join(actx.GetAuthenticators(), ","))
 
 	remainingPrincipals := actx.GetPrincipals()
 	if maxPrincipalsPerCert == 0 {

From 84185b90032379500b908871b3f634c501dadb5c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ville=20Skytt=C3=A4?= <ville.skytta@upcloud.com>
Date: Wed, 1 Apr 2026 16:25:11 +0300
Subject: [PATCH 2/3] test: simplify authfile temp file bookkeeping

---
 internal/auth/backend/authfile/auth_test.go | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/internal/auth/backend/authfile/auth_test.go b/internal/auth/backend/authfile/auth_test.go
index 2b57877d..2f28ea7e 100644
--- a/internal/auth/backend/authfile/auth_test.go
+++ b/internal/auth/backend/authfile/auth_test.go
@@ -13,16 +13,14 @@ import (
 	"github.com/aakso/ssh-inscribe/internal/logging"
 )
 
-var tmpfiles []string
 var testAuth auth.Authenticator
 
-func makeFile(data string, suffix string) string {
-	file, err := os.CreateTemp("", "test")
+func makeFile(tempDir string, data string, suffix string) string {
+	file, err := os.CreateTemp(tempDir, "test")
 	if err != nil {
 		panic(err)
 	}
 	defer file.Close()
-	tmpfiles = append(tmpfiles, file.Name())
 	_, err = file.WriteString(data)
 	if err != nil {
 		panic(err)
@@ -41,11 +39,7 @@ func makeFile(data string, suffix string) string {
 
 func TestMain(m *testing.M) {
 	logging.SetLevel(logrus.DebugLevel)
-	r := m.Run()
-	for _, file := range tmpfiles {
-		os.Remove(file)
-	}
-	os.Exit(r)
+	os.Exit(m.Run())
 }
 
 func TestAuthFileParse(t *testing.T) {
@@ -64,7 +58,7 @@ users:
   principals:
   - p1
 `
-	loc := makeFile(data, "yaml")
+	loc := makeFile(t.TempDir(), data, "yaml")
 	auth, err := New(&Config{
 		Path:  loc,
 		Realm: "test",

From de7cc54025fc6d46e3149124c2b19258f4900503 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ville=20Skytt=C3=A4?= <ville.skytta@upcloud.com>
Date: Wed, 1 Apr 2026 16:33:40 +0300
Subject: [PATCH 3/3] fix: check errors on connection and file closes and
 removes

---
 internal/auth/backend/authfile/auth_test.go |  4 +++-
 internal/keysigner/keysigner.go             |  4 +++-
 internal/ui/client.go                       | 14 +++++++++++---
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/internal/auth/backend/authfile/auth_test.go b/internal/auth/backend/authfile/auth_test.go
index 2f28ea7e..33abbaeb 100644
--- a/internal/auth/backend/authfile/auth_test.go
+++ b/internal/auth/backend/authfile/auth_test.go
@@ -20,7 +20,9 @@ func makeFile(tempDir string, data string, suffix string) string {
 	if err != nil {
 		panic(err)
 	}
-	defer file.Close()
+	defer func() {
+		_ = file.Close()
+	}()
 	_, err = file.WriteString(data)
 	if err != nil {
 		panic(err)
diff --git a/internal/keysigner/keysigner.go b/internal/keysigner/keysigner.go
index 3028871b..3e4e1632 100644
--- a/internal/keysigner/keysigner.go
+++ b/internal/keysigner/keysigner.go
@@ -361,7 +361,9 @@ func (ks *KeySignerService) KillAgent() bool {
 	}
 	// Ensure socket file is removed, for some reason the cleanup_exit is not called
 	// Need to look into that
-	os.Remove(ks.authSocketLoc)
+	if err := os.Remove(ks.authSocketLoc); err != nil && !errors.Is(err, os.ErrNotExist) {
+		ks.log.WithError(err).Warn("cannot remove auth socket")
+	}
 	ks.log.WithField("agentpid", ks.startedAgentProcess.Pid).Info("killed ssh-agent")
 
 	ks.startedAgentProcess = nil
diff --git a/internal/ui/client.go b/internal/ui/client.go
index cbdb0e32..3f119a6e 100644
--- a/internal/ui/client.go
+++ b/internal/ui/client.go
@@ -494,6 +494,12 @@ func (c *Client) storeInFile() error {
 	log := Log.WithField("action", "storeInFile")
 	// If we have been requested to generate a keypair, save it
 	if c.Config.GenerateKeypair {
+		closeFile := func(f *os.File) {
+			if err := f.Close(); err != nil {
+				log.WithError(err).Warn("failed to close file")
+			}
+		}
+
 		privFile := c.Config.IdentityFile
 		if abs, _ := filepath.Abs(privFile); abs != "" {
 			privFile = abs
@@ -504,7 +510,7 @@ func (c *Client) storeInFile() error {
 		if err != nil {
 			return errors.Wrap(err, "could not save to file")
 		}
-		defer fhPriv.Close()
+		defer closeFile(fhPriv)
 		opts := &sshkeys.MarshalOptions{}
 		switch c.userPrivateKey.(type) {
 		case *ed25519.PrivateKey:
@@ -532,7 +538,7 @@ func (c *Client) storeInFile() error {
 		if err != nil {
 			return errors.Wrap(err, "could not save to file")
 		}
-		defer fhPub.Close()
+		defer closeFile(fhPub)
 		signer, err := ssh.NewSignerFromKey(c.userPrivateKey)
 		if err != nil {
 			return errors.Wrap(err, "unexpected error")
@@ -1192,7 +1198,9 @@ func (c *Client) urlFor(s string) string {
 
 func (c *Client) Close() {
 	if c.agentClient != nil {
-		c.agentConn.Close()
+		if err := c.agentConn.Close(); err != nil {
+			Log.WithError(err).Error("failed to close agent connection")
+		}
 	}
 }