Add golangci-lint with CI integration and fix all lint issues

Add .golangci.yml (v2 format) with pragmatic linter config and
golangci-lint-action step to CI workflow. Fix 70 lint issues across
the codebase: errcheck for unchecked returns, errorlint for proper
error wrapping, octal literal modernization, misspellings, prealloc
suggestions, if-else to switch conversions, and removal of unused
color variables.

Author: fenio

.github/workflows/ci.yml

@@ -17,6 +17,11 @@ jobs:
         with:
           go-version-file: go.mod
 
+      - name: Lint
+        uses: golangci/golangci-lint-action@v7
+        with:
+          version: latest
+
       - name: Build
         run: go build ./cmd/netalchemy
 

.golangci.yml

@@ -0,0 +1,44 @@
+version: "2"
+
+run:
+  timeout: 5m
+
+linters:
+  enable:
+    - misspell
+    - gocritic
+    - bodyclose
+    - nilerr
+    - errorlint
+    - prealloc
+
+  settings:
+    gocritic:
+      enabled-tags:
+        - diagnostic
+        - style
+      disabled-checks:
+        - unnamedResult
+        - nestingReduce
+        - sprintfQuotedString
+
+    misspell:
+      locale: US
+
+    prealloc:
+      simple: true
+      for-loops: true
+
+  exclusions:
+    rules:
+      - path: _test\.go
+        linters:
+          - gocritic
+          - prealloc
+          - errorlint
+          - errcheck
+
+formatters:
+  enable:
+    - gofmt
+    - goimports

pkg/build/checker.go

@@ -322,7 +322,7 @@ func expressionMatches(podLabels map[string]string, expr *policy.LabelExpression
 
 // formatLabels formats a label map as {key=value, ...} for display.
 func formatLabels(labels map[string]string) string {
-	var parts []string
+	parts := make([]string, 0, len(labels))
 	for k, v := range labels {
 		parts = append(parts, fmt.Sprintf("%s=%s", k, v))
 	}

pkg/build/generator.go

@@ -204,7 +204,6 @@ func (g *Generator) Generate() (*GenerateResult, error) {
 	}, nil
 }
 
-
 // mergePolicies merges ingress and egress policies that target the same pod
 // selector in the same namespace. This reduces the number of NetworkPolicy
 // resources in clusters with many interconnected services.
@@ -254,7 +253,7 @@ func mergeKey(gp *GeneratedPolicy) string {
 	}
 	sort.Strings(keys)
 
-	var parts []string
+	parts := make([]string, 0, len(keys))
 	for _, k := range keys {
 		parts = append(parts, k+"="+labels[k])
 	}
@@ -393,18 +392,19 @@ func (g *Generator) createEgressNetworkPolicy(namespace, from string, fromSelect
 	}
 
 	// Set name and pod selector based on source selector
-	if fromSelector != nil && fromSelector.Type == policy.SelectorTypeLabelSelector && len(fromSelector.Labels) > 0 {
+	switch {
+	case fromSelector != nil && fromSelector.Type == policy.SelectorTypeLabelSelector && len(fromSelector.Labels) > 0:
 		for _, v := range fromSelector.Labels {
 			np.Name = fmt.Sprintf("egress-from-%s", util.SanitizeK8sName(v))
 			break
 		}
 		np.Spec.PodSelector = metav1.LabelSelector{
 			MatchLabels: fromSelector.Labels,
 		}
-	} else if fromSelector != nil && fromSelector.Type == policy.SelectorTypeNamespace {
+	case fromSelector != nil && fromSelector.Type == policy.SelectorTypeNamespace:
 		np.Name = fmt.Sprintf("egress-from-ns-%s", util.SanitizeK8sName(fromSelector.Namespace))
 		np.Spec.PodSelector = metav1.LabelSelector{}
-	} else {
+	default:
 		np.Name = "egress-allow"
 		np.Spec.PodSelector = metav1.LabelSelector{}
 	}
@@ -481,7 +481,8 @@ func (g *Generator) createBaseNetworkPolicy(namespace, to string, toSelector *po
 	}
 
 	// Set name and pod selector based on target selector
-	if toSelector != nil && toSelector.Type == policy.SelectorTypeLabelSelector && len(toSelector.Labels) > 0 {
+	switch {
+	case toSelector != nil && toSelector.Type == policy.SelectorTypeLabelSelector && len(toSelector.Labels) > 0:
 		// Use the labels for pod selection (works for both same-namespace and cross-namespace)
 		// Use the first label value for naming
 		for _, v := range toSelector.Labels {
@@ -491,11 +492,11 @@ func (g *Generator) createBaseNetworkPolicy(namespace, to string, toSelector *po
 		np.Spec.PodSelector = metav1.LabelSelector{
 			MatchLabels: toSelector.Labels,
 		}
-	} else if toSelector != nil && toSelector.Type == policy.SelectorTypeNamespace {
+	case toSelector != nil && toSelector.Type == policy.SelectorTypeNamespace:
 		np.Name = fmt.Sprintf("allow-to-ns-%s", util.SanitizeK8sName(toSelector.Namespace))
 		// Empty pod selector means all pods in namespace
 		np.Spec.PodSelector = metav1.LabelSelector{}
-	} else {
+	default:
 		np.Name = "allow-traffic"
 		np.Spec.PodSelector = metav1.LabelSelector{}
 	}
@@ -632,7 +633,6 @@ func protocolToK8s(p policy.Protocol) corev1.Protocol {
 	}
 }
 
-
 // ToYAML converts a GeneratedPolicy to YAML
 func (gp *GeneratedPolicy) ToYAML() ([]byte, error) {
 	return yaml.Marshal(gp.NetworkPolicy)
@@ -654,5 +654,5 @@ func (gp *GeneratedPolicy) WriteToFile(dir string) (string, error) {
 	header += fmt.Sprintf("# Source rules: %s\n", strings.Join(gp.SourceRules, ", "))
 	header += "---\n"
 
-	return path, os.WriteFile(path, []byte(header+string(data)), 0600)
+	return path, os.WriteFile(path, []byte(header+string(data)), 0o600)
 }

pkg/cli/build.go

@@ -42,12 +42,12 @@ Examples:
 }
 
 var (
-	buildPolicyFile  string
-	buildOutput      string
-	buildNamespace   string
-	buildDryRun          bool
-	buildDefaultDeny     bool
-	buildCheckSelectors  bool
+	buildPolicyFile     string
+	buildOutput         string
+	buildNamespace      string
+	buildDryRun         bool
+	buildDefaultDeny    bool
+	buildCheckSelectors bool
 )
 
 func init() {
@@ -58,7 +58,7 @@ func init() {
 	buildCmd.Flags().BoolVar(&buildDefaultDeny, "default-deny", true, "Generate default-deny policy for each namespace (recommended)")
 	buildCmd.Flags().BoolVar(&buildCheckSelectors, "check-selectors", false, "Query cluster to warn about selectors that don't match running pods/namespaces")
 
-	buildCmd.MarkFlagRequired("policy")
+	_ = buildCmd.MarkFlagRequired("policy")
 }
 
 func runBuild(cmd *cobra.Command, args []string) error {
@@ -179,7 +179,7 @@ func runBuild(cmd *cobra.Command, args []string) error {
 		fmt.Printf("Run without --dry-run to write to: %s\n", colorBold(buildOutput))
 	} else {
 		// Create output directory
-		if err := os.MkdirAll(buildOutput, 0755); err != nil {
+		if err := os.MkdirAll(buildOutput, 0o755); err != nil {
 			return fmt.Errorf("failed to create output directory: %w", err)
 		}
 

pkg/cli/colors.go

@@ -17,17 +17,9 @@ var (
 	colorDeny  = color.New(color.FgRed).SprintFunc()
 
 	// Diff colors
-	colorAdded    = color.New(color.FgGreen).SprintFunc()
-	colorRemoved  = color.New(color.FgRed).SprintFunc()
-	colorModified = color.New(color.FgYellow).SprintFunc()
+	colorAdded = color.New(color.FgGreen).SprintFunc()
 
 	// Emphasis
 	colorBold = color.New(color.Bold).SprintFunc()
 	colorDim  = color.New(color.Faint).SprintFunc()
-
-	// Printers for full-line colored output
-	printSuccess = color.New(color.FgGreen).PrintlnFunc()
-	printError   = color.New(color.FgRed).PrintlnFunc()
-	printWarning = color.New(color.FgYellow).PrintlnFunc()
-	printInfo    = color.New(color.FgCyan).PrintlnFunc()
 )

pkg/cli/define.go

@@ -2,6 +2,7 @@ package cli
 
 import (
 	"bufio"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -17,7 +18,7 @@ import (
 // Returns the trimmed input and any error (EOF is returned as-is for caller to handle).
 func readLine(reader *bufio.Reader) (string, error) {
 	input, err := reader.ReadString('\n')
-	if err != nil && err != io.EOF {
+	if err != nil && !errors.Is(err, io.EOF) {
 		return "", fmt.Errorf("failed to read input: %w", err)
 	}
 	return strings.TrimSpace(input), err
@@ -26,7 +27,7 @@ func readLine(reader *bufio.Reader) (string, error) {
 // readLineOrDefault reads a line, returning defaultVal on EOF or empty input.
 func readLineOrDefault(reader *bufio.Reader, defaultVal string) (string, error) {
 	input, err := readLine(reader)
-	if err == io.EOF || input == "" {
+	if errors.Is(err, io.EOF) || input == "" {
 		return defaultVal, nil
 	}
 	if err != nil {
@@ -403,7 +404,6 @@ func formatRuleSummary(r policy.Rule) string {
 	return fmt.Sprintf("%s → %s%s", from, to, port)
 }
 
-
 // generateRuleName creates a unique name for a rule
 func generateRuleName(r policy.Rule, existing map[string]bool) string {
 	from := util.ShortenSelector(r.From)
@@ -534,7 +534,7 @@ func defineFromObserved(from, output string, interactive bool) error {
 		return fmt.Errorf("failed to generate YAML: %w", err)
 	}
 
-	if err := os.WriteFile(output, []byte(header+string(yamlData)), 0600); err != nil {
+	if err := os.WriteFile(output, []byte(header+string(yamlData)), 0o600); err != nil {
 		return fmt.Errorf("failed to write output file: %w", err)
 	}
 
@@ -647,7 +647,7 @@ func defineInteractively(output string) error {
 		// Name
 		fmt.Print("Rule name (or 'done' to finish): ")
 		name, err := readLine(reader)
-		if err == io.EOF || name == "done" || name == "" {
+		if errors.Is(err, io.EOF) || name == "done" || name == "" {
 			break
 		}
 		if err != nil {
@@ -659,23 +659,23 @@ func defineInteractively(output string) error {
 		// Description
 		fmt.Print("Description: ")
 		desc, err := readLine(reader)
-		if err != nil && err != io.EOF {
+		if err != nil && !errors.Is(err, io.EOF) {
 			return err
 		}
 		rule.Description = desc
 
 		// From
 		fmt.Print("From (e.g., app=grafana, namespace=o11y, 10.0.0.0/8, or empty): ")
 		from, err := readLine(reader)
-		if err != nil && err != io.EOF {
+		if err != nil && !errors.Is(err, io.EOF) {
 			return err
 		}
 		rule.From = from
 
 		// To
 		fmt.Print("To (e.g., app=postgres, namespace=db, or empty): ")
 		to, err := readLine(reader)
-		if err != nil && err != io.EOF {
+		if err != nil && !errors.Is(err, io.EOF) {
 			return err
 		}
 		rule.To = to
@@ -691,7 +691,7 @@ func defineInteractively(output string) error {
 		// Port
 		fmt.Print("Port (e.g., 80 or 80-443, or empty): ")
 		port, err := readLine(reader)
-		if err != nil && err != io.EOF {
+		if err != nil && !errors.Is(err, io.EOF) {
 			return err
 		}
 		if port != "" {
@@ -717,10 +717,10 @@ func defineInteractively(output string) error {
 		}
 
 		// Validate
-		errors := policy.ValidateRule(&rule)
-		if len(errors) > 0 {
+		validationErrs := policy.ValidateRule(&rule)
+		if len(validationErrs) > 0 {
 			fmt.Println("Warning: Rule has validation errors:")
-			for _, e := range errors {
+			for _, e := range validationErrs {
 				fmt.Printf("  - %s\n", e.Error())
 			}
 			fmt.Print("Add anyway? (y/n): ")
@@ -753,7 +753,7 @@ func defineInteractively(output string) error {
 		return fmt.Errorf("failed to generate YAML: %w", err)
 	}
 
-	if err := os.WriteFile(output, []byte(header+string(yamlData)), 0600); err != nil {
+	if err := os.WriteFile(output, []byte(header+string(yamlData)), 0o600); err != nil {
 		return fmt.Errorf("failed to write output file: %w", err)
 	}
 
@@ -763,7 +763,7 @@ func defineInteractively(output string) error {
 
 // parsePortRange parses a port or port range string (e.g., "80" or "80-443").
 // Returns portMin, portMax, and any error.
-func parsePortRange(s string) (int, int, error) {
+func parsePortRange(s string) (portMin, portMax int, err error) {
 	s = strings.TrimSpace(s)
 	if s == "" {
 		return 0, 0, nil
@@ -775,27 +775,27 @@ func parsePortRange(s string) (int, int, error) {
 			return 0, 0, fmt.Errorf("invalid port range format: %s", s)
 		}
 
-		min, err := strconv.Atoi(strings.TrimSpace(parts[0]))
-		if err != nil {
-			return 0, 0, fmt.Errorf("invalid port number %q: %w", parts[0], err)
+		lo, parseErr := strconv.Atoi(strings.TrimSpace(parts[0]))
+		if parseErr != nil {
+			return 0, 0, fmt.Errorf("invalid port number %q: %w", parts[0], parseErr)
 		}
 
-		max, err := strconv.Atoi(strings.TrimSpace(parts[1]))
-		if err != nil {
-			return 0, 0, fmt.Errorf("invalid port number %q: %w", parts[1], err)
+		hi, parseErr := strconv.Atoi(strings.TrimSpace(parts[1]))
+		if parseErr != nil {
+			return 0, 0, fmt.Errorf("invalid port number %q: %w", parts[1], parseErr)
 		}
 
-		if min < 0 || min > 65535 {
-			return 0, 0, fmt.Errorf("port %d out of range (0-65535)", min)
+		if lo < 0 || lo > 65535 {
+			return 0, 0, fmt.Errorf("port %d out of range (0-65535)", lo)
 		}
-		if max < 0 || max > 65535 {
-			return 0, 0, fmt.Errorf("port %d out of range (0-65535)", max)
+		if hi < 0 || hi > 65535 {
+			return 0, 0, fmt.Errorf("port %d out of range (0-65535)", hi)
 		}
-		if min > max {
-			return 0, 0, fmt.Errorf("port range start %d is greater than end %d", min, max)
+		if lo > hi {
+			return 0, 0, fmt.Errorf("port range start %d is greater than end %d", lo, hi)
 		}
 
-		return min, max, nil
+		return lo, hi, nil
 	}
 
 	// Single port