upgrade packages & fix lint issues

.golangci.yml

@@ -20,3 +20,8 @@ linters:
     - unconvert
     - unparam
     - usestdlibvars
+
+linters-settings:
+  gosec:
+    excludes:
+      - G101 # Potential hardcoded credentials

cmd/detect-latest-release/update.go

@@ -10,6 +10,8 @@ import (
 )
 
 // keep this function here, this is the example from the README
+//
+//nolint:unused
 func update(version string) error {
 	latest, found, err := selfupdate.DetectLatest(context.Background(), selfupdate.ParseSlug("creativeprojects/resticprofile"))
 	if err != nil {

cmd/get-release/main.go

@@ -54,14 +54,15 @@ func main() {
 		os.Exit(1)
 	}
 
+	ctx := context.Background()
 	updater, err := selfupdate.NewUpdater(selfupdate.Config{
 		Source: source,
 	})
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
-	latest, found, err := updater.DetectLatest(context.Background(), selfupdate.ParseSlug(slug))
+	latest, found, err := updater.DetectLatest(ctx, selfupdate.ParseSlug(slug))
 	if err != nil {
 		fmt.Fprintln(os.Stderr, "Error while detecting the latest version:", err)
 		os.Exit(1)
@@ -75,12 +76,12 @@ func main() {
 	cmdPath := filepath.Join(build.Default.GOPATH, "bin", cmd)
 	if _, err := os.Stat(cmdPath); err != nil {
 		// When executable is not existing yet
-		if err := installFrom(latest.AssetURL, cmd, cmdPath); err != nil {
+		if err := installFrom(ctx, latest.AssetURL, cmd, cmdPath); err != nil {
 			fmt.Fprintf(os.Stderr, "Error while installing the release binary from %s: %s\n", latest.AssetURL, err)
 			os.Exit(1)
 		}
 	} else {
-		if err := updater.UpdateTo(context.Background(), latest, cmdPath); err != nil {
+		if err := updater.UpdateTo(ctx, latest, cmdPath); err != nil {
 			fmt.Fprintf(os.Stderr, "Error while replacing the binary with %s: %s\n", latest.AssetURL, err)
 			os.Exit(1)
 		}
@@ -105,20 +106,22 @@ Flags:`)
 }
 
 func getCommand(pkg string) string {
-	if strings.HasSuffix(pkg, "/") {
-		pkg = strings.TrimSuffix(pkg, "/")
-	}
+	pkg = strings.TrimSuffix(pkg, "/")
 	_, cmd := filepath.Split(pkg)
 	return cmd
 }
 
-func installFrom(url, cmd, path string) error {
-	res, err := http.Get(url)
+func installFrom(ctx context.Context, url, cmd, path string) error {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, http.NoBody)
+	if err != nil {
+		return fmt.Errorf("failed to create request to download release binary from %s: %s", url, err)
+	}
+	res, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to download release binary from %s: %s", url, err)
 	}
 	defer res.Body.Close()
-	if res.StatusCode != 200 {
+	if res.StatusCode != http.StatusOK {
 		return fmt.Errorf("failed to download release binary from %s: Invalid response ", url)
 	}
 	executable, err := selfupdate.DecompressCommand(res.Body, url, cmd, runtime.GOOS, runtime.GOARCH)

gitea_source.go

@@ -68,8 +68,8 @@ func (s *GiteaSource) ListReleases(ctx context.Context, repository Repository) (
 	s.api.SetContext(ctx)
 	rels, res, err := s.api.ListReleases(owner, repo, gitea.ListReleasesOptions{})
 	if err != nil {
-		if res != nil && res.StatusCode == 404 {
-			// 404 means repository not found or release not found. It's not an error here.
+		if res != nil && res.StatusCode == http.StatusNotFound {
+			// repository not found or release not found. It's not an error here.
 			log.Print("Repository or release not found")
 			return nil, nil
 		}

github_source.go

@@ -72,8 +72,8 @@ func (s *GitHubSource) ListReleases(ctx context.Context, repository Repository)
 	}
 	rels, res, err := s.api.Repositories.ListReleases(ctx, owner, repo, nil)
 	if err != nil {
-		if res != nil && res.StatusCode == 404 {
-			// 404 means repository not found or release not found. It's not an error here.
+		if res != nil && res.StatusCode == http.StatusNotFound {
+			// repository not found or release not found. It's not an error here.
 			log.Print("Repository or release not found")
 			return nil, nil
 		}

go.mod

@@ -1,16 +1,17 @@
 module github.com/creativeprojects/go-selfupdate
 
-go 1.18
+go 1.21
 
 require (
-	code.gitea.io/sdk/gitea v0.18.0
-	github.com/Masterminds/semver/v3 v3.2.1
+	code.gitea.io/sdk/gitea v0.19.0
+	github.com/Masterminds/semver/v3 v3.3.0
 	github.com/google/go-github/v30 v30.1.0
 	github.com/stretchr/testify v1.9.0
 	github.com/ulikunitz/xz v0.5.12
-	github.com/xanzy/go-gitlab v0.106.0
-	golang.org/x/crypto v0.24.0
-	golang.org/x/oauth2 v0.21.0
+	github.com/xanzy/go-gitlab v0.112.0
+	golang.org/x/crypto v0.28.0
+	golang.org/x/oauth2 v0.23.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -22,7 +23,6 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
 )

go.sum

@@ -1,17 +1,19 @@
-code.gitea.io/sdk/gitea v0.18.0 h1:+zZrwVmujIrgobt6wVBWCqITz6bn1aBjnCUHmpZrerI=
-code.gitea.io/sdk/gitea v0.18.0/go.mod h1:IG9xZJoltDNeDSW0qiF2Vqx5orMWa7OhVWrjvrd5NpI=
-github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
-github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+code.gitea.io/sdk/gitea v0.19.0 h1:8I6s1s4RHgzxiPHhOQdgim1RWIRcr0LVMbHBjBFXq4Y=
+code.gitea.io/sdk/gitea v0.19.0/go.mod h1:IG9xZJoltDNeDSW0qiF2Vqx5orMWa7OhVWrjvrd5NpI=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davidmz/go-pageant v1.0.2 h1:bPblRCh5jGU+Uptpz6LgMZGD5hJoOt7otgT454WvHn0=
 github.com/davidmz/go-pageant v1.0.2/go.mod h1:P2EDDnMqIwG5Rrp05dTRITj9z2zpGcD9efWSkTNKLIE=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI=
 github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github/v30 v30.1.0 h1:VLDx+UolQICEOKu2m4uAoMti1SxuEBAl7RSEG16L+Oo=
 github.com/google/go-github/v30 v30.1.0/go.mod h1:n8jBpHl45a/rlBUtRJMOG4GhNADUQFEufcolZ95JfU8=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@@ -20,42 +22,46 @@ github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
 github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/xanzy/go-gitlab v0.106.0 h1:EDfD03K74cIlQo2EducfiupVrip+Oj02bq9ofw5F8sA=
-github.com/xanzy/go-gitlab v0.106.0/go.mod h1:ETg8tcj4OhrB84UEgeE8dSuV/0h4BBL1uOV/qK0vlyI=
+github.com/xanzy/go-gitlab v0.112.0 h1:6Z0cqEooCvBMfBIHw+CgO4AKGRV8na/9781xOb0+DKw=
+github.com/xanzy/go-gitlab v0.112.0/go.mod h1:wKNKh3GkYDMOsGmnfuX+ITCmDuSDWFO0G+C4AygL9RY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
+golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=

package.go

@@ -10,11 +10,13 @@ import (
 // DetectLatest detects the latest release from the repository.
 // This function is a shortcut version of updater.DetectLatest with the DefaultUpdater.
 func DetectLatest(ctx context.Context, repository Repository) (*Release, bool, error) {
+	//nolint:contextcheck
 	return DefaultUpdater().DetectLatest(ctx, repository)
 }
 
 // DetectVersion detects the given release from the repository.
 func DetectVersion(ctx context.Context, repository Repository, version string) (*Release, bool, error) {
+	//nolint:contextcheck
 	return DefaultUpdater().DetectVersion(ctx, repository, version)
 }
 
@@ -23,6 +25,7 @@ func DetectVersion(ctx context.Context, repository Repository, version string) (
 // this function is not available to update a release for private repositories.
 // cmdPath is a file path to command executable.
 func UpdateTo(ctx context.Context, assetURL, assetFileName, cmdPath string) error {
+	//nolint:contextcheck
 	up := DefaultUpdater()
 	src, err := downloadReleaseAssetFromURL(ctx, assetURL)
 	if err != nil {
@@ -35,18 +38,20 @@ func UpdateTo(ctx context.Context, assetURL, assetFileName, cmdPath string) erro
 // UpdateCommand updates a given command binary to the latest version.
 // This function is a shortcut version of updater.UpdateCommand using a DefaultUpdater()
 func UpdateCommand(ctx context.Context, cmdPath string, current string, repository Repository) (*Release, error) {
+	//nolint:contextcheck
 	return DefaultUpdater().UpdateCommand(ctx, cmdPath, current, repository)
 }
 
 // UpdateSelf updates the running executable itself to the latest version.
 // This function is a shortcut version of updater.UpdateSelf using a DefaultUpdater()
 func UpdateSelf(ctx context.Context, current string, repository Repository) (*Release, error) {
+	//nolint:contextcheck
 	return DefaultUpdater().UpdateSelf(ctx, current, repository)
 }
 
 func downloadReleaseAssetFromURL(ctx context.Context, url string) (rc io.ReadCloser, err error) {
 	client := http.DefaultClient
-	req, err := http.NewRequest("GET", url, nil)
+	req, err := http.NewRequest(http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
 	}

update/hide_test.go

@@ -12,7 +12,7 @@ func TestHideFile(t *testing.T) {
 	t.Parallel()
 
 	tempFile := filepath.Join(t.TempDir(), t.Name())
-	err := os.WriteFile(tempFile, []byte("test"), 0o644)
+	err := os.WriteFile(tempFile, []byte("test"), 0o600)
 	assert.NoError(t, err)
 
 	err = hideFile(tempFile)

update_test.go

@@ -22,17 +22,17 @@ func TestUpdateCommandWithWrongVersion(t *testing.T) {
 }
 
 func TestUpdateCommand(t *testing.T) {
-	current := "0.14.0"
-	new := "1.0.0"
+	currentVersion := "0.14.0"
+	newVersion := "1.0.0"
 	source := mockSourceRepository(t)
 	updater, err := NewUpdater(Config{Source: source})
 	require.NoError(t, err)
 
 	filename := setupCurrentVersion(t)
 
-	rel, err := updater.UpdateCommand(context.Background(), filename, current, ParseSlug("creativeprojects/new_version"))
+	rel, err := updater.UpdateCommand(context.Background(), filename, currentVersion, ParseSlug("creativeprojects/new_version"))
 	require.NoError(t, err)
-	assert.Equal(t, new, rel.Version())
+	assert.Equal(t, newVersion, rel.Version())
 
 	assertNewVersion(t, filename)
 }
@@ -42,8 +42,8 @@ func TestUpdateViaSymlink(t *testing.T) {
 		t.Skip("skipping because creating symlink on windows requires admin privilege")
 	}
 
-	current := "0.14.0"
-	new := "1.0.0"
+	currentVersion := "0.14.0"
+	newVersion := "1.0.0"
 	source := mockSourceRepository(t)
 	updater, err := NewUpdater(Config{Source: source})
 	require.NoError(t, err)
@@ -54,9 +54,9 @@ func TestUpdateViaSymlink(t *testing.T) {
 	err = os.Symlink(exePath, symPath)
 	require.NoError(t, err)
 
-	rel, err := updater.UpdateCommand(context.Background(), symPath, current, ParseSlug("creativeprojects/new_version"))
+	rel, err := updater.UpdateCommand(context.Background(), symPath, currentVersion, ParseSlug("creativeprojects/new_version"))
 	require.NoError(t, err)
-	assert.Equal(t, new, rel.Version())
+	assert.Equal(t, newVersion, rel.Version())
 
 	// check actual file (not symlink)
 	assertNewVersion(t, exePath)
@@ -478,7 +478,7 @@ func setupCurrentVersion(t *testing.T) string {
 		filename += ".exe"
 	}
 
-	err := os.WriteFile(filename, []byte("old version"), 0o777)
+	err := os.WriteFile(filename, []byte("old version"), 0o600)
 	require.NoError(t, err)
 
 	return filename

validate.go

@@ -152,7 +152,7 @@ func (v *SHAValidator) Validate(filename string, release, asset []byte) error {
 		return ErrIncorrectChecksumFile
 	}
 
-	hash := fmt.Sprintf("%s", asset[:sha256.BlockSize])
+	hash := string(asset[:sha256.BlockSize])
 	calculatedHash := fmt.Sprintf("%x", sha256.Sum256(release))
 
 	if equal, err := hexStringEquals(sha256.Size, calculatedHash, hash); !equal {

validate_test.go

@@ -7,13 +7,14 @@ import (
 	"encoding/hex"
 	"encoding/pem"
 	"fmt"
-	"golang.org/x/crypto/openpgp"
-	"golang.org/x/crypto/openpgp/armor"
+	"io"
 	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/openpgp"
+	"golang.org/x/crypto/openpgp/armor"
 )
 
 func TestValidatorAssetNames(t *testing.T) {
@@ -321,10 +322,12 @@ func TestPGPValidatorWithArmoredKeyRing(t *testing.T) {
 
 func getTestPGPKeyRing(t *testing.T) (PGPKeyRing []byte, entity *openpgp.Entity) {
 	var err error
+	var armoredWriter io.WriteCloser
 	entity, err = openpgp.NewEntity("go-selfupdate", "", "info@go-selfupdate.local", nil)
+	require.NoError(t, err)
 
 	buffer := &bytes.Buffer{}
-	if armoredWriter, err := armor.Encode(buffer, openpgp.PublicKeyType, nil); err == nil {
+	if armoredWriter, err = armor.Encode(buffer, openpgp.PublicKeyType, nil); err == nil {
 		if err = entity.Serialize(armoredWriter); err == nil {
 			err = armoredWriter.Close()
 		}