From 2f917958fbf52927a689d2439ff294fff82c0b96 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 09:44:06 +0000 Subject: [PATCH 1/5] ci(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/faadad0cce49287aee09b3a48701e75088a2c6ad...ba7bc0a3fef59531c69a25acd34668d6d3fe6f22) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3163f5f..5537876 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,7 +48,7 @@ jobs: cache: true - name: Install Cosign - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 - name: Get next version number id: version From 480d3d54d5bec5ac27f06f1f5f2c33646d323baa Mon Sep 17 00:00:00 2001 From: Colin South Date: Tue, 17 Mar 2026 16:22:58 +0000 Subject: [PATCH 2/5] fix: remove redundant nil check flagged by staticcheck SA5011 The nil check on sr after a guarded t.Fatalf caused staticcheck to infer sr could be nil, triggering a false SA5011 on the subsequent dereference. Removing the redundant check resolves the lint error. --- circuit/dispatch_test.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/circuit/dispatch_test.go b/circuit/dispatch_test.go index 8d9abd0..53eb491 100644 --- a/circuit/dispatch_test.go +++ b/circuit/dispatch_test.go @@ -131,9 +131,6 @@ func TestRegisterStream(t *testing.T) { if err != nil { t.Fatalf("RegisterStream: %v", err) } - if sr == nil { - t.Fatal("RegisterStream returned nil") - } if cap(sr.Cells) != 64 { t.Fatalf("channel capacity = %d, want 64", cap(sr.Cells)) } From 724829493c47c3d0bcf60db5c092b0ac59b5dd6e Mon Sep 17 00:00:00 2001 From: Colin South Date: Tue, 17 Mar 2026 16:26:22 +0000 Subject: [PATCH 3/5] fix: remove redundant nil check in bootstrap test (staticcheck SA5011) --- cmd/tor-client/bootstrap_test.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/cmd/tor-client/bootstrap_test.go b/cmd/tor-client/bootstrap_test.go index d972343..b512a06 100644 --- a/cmd/tor-client/bootstrap_test.go +++ b/cmd/tor-client/bootstrap_test.go @@ -75,9 +75,6 @@ func TestLoadFromCacheHitNoCircuit(t *testing.T) { // Load from cache — no circuit should be needed. data := loadFromCache(cache) - if data == nil { - t.Fatal("expected non-nil data from cache") - } if data.consensusText != consensusText { t.Fatalf("consensus text mismatch: got %d bytes, want %d bytes", len(data.consensusText), len(consensusText)) } From 5ea602bbc0be486534a223438de565fcf738fda3 Mon Sep 17 00:00:00 2001 From: Colin South Date: Tue, 17 Mar 2026 16:28:05 +0000 Subject: [PATCH 4/5] fix: add unreachable returns after t.Fatal nil guards (staticcheck SA5011) Staticcheck SA5011 flags dereferences after nil-guard + t.Fatal as possible nil pointer dereferences. Adding explicit return statements after t.Fatal makes the unreachability clear to the analyzer. --- cmd/tor-client/bootstrap_test.go | 2 ++ cmd/tor-client/e2e_test.go | 1 + 2 files changed, 3 insertions(+) diff --git a/cmd/tor-client/bootstrap_test.go b/cmd/tor-client/bootstrap_test.go index b512a06..0c279c7 100644 --- a/cmd/tor-client/bootstrap_test.go +++ b/cmd/tor-client/bootstrap_test.go @@ -372,6 +372,7 @@ func TestE2EBootstrapSequence(t *testing.T) { } if data == nil { t.Fatal("failed to bootstrap from any authority") + return // unreachable; helps staticcheck SA5011 } t.Logf("bootstrapped from authority %s", succeededAuth) @@ -412,6 +413,7 @@ func TestE2EBootstrapSequence(t *testing.T) { cachedData := loadFromCache(cache) if cachedData == nil { t.Fatal("loadFromCache returned nil after saving") + return // unreachable; helps staticcheck SA5011 } if cachedData.consensusText != data.consensusText { t.Fatal("cached consensus text differs from original") diff --git a/cmd/tor-client/e2e_test.go b/cmd/tor-client/e2e_test.go index 5a3ea36..16bf892 100644 --- a/cmd/tor-client/e2e_test.go +++ b/cmd/tor-client/e2e_test.go @@ -78,6 +78,7 @@ func fetchConsensusAndCerts(t *testing.T) (string, *directory.Consensus, []direc } if data == nil { t.Fatal("failed to bootstrap from any authority") + return "", nil, nil // unreachable; helps staticcheck SA5011 } if err := directory.ValidateSignatures(data.consensusText, data.keyCerts); err != nil { From 8753dcb152b7dc7d7a8fef29a68c97c7268bcd2d Mon Sep 17 00:00:00 2001 From: Colin South Date: Tue, 17 Mar 2026 16:32:27 +0000 Subject: [PATCH 5/5] fix: resolve remaining staticcheck SA5011 nil-pointer warnings Remove redundant nil checks where the error path already guards via t.Fatalf, and add explicit return statements after t.Fatal where the nil check is genuinely needed but staticcheck cannot prove termination. --- circuit/circuit_test.go | 3 --- cmd/tor-client/e2e_test.go | 1 + descriptor/descriptor_test.go | 2 ++ link/link_test.go | 3 --- 4 files changed, 3 insertions(+), 6 deletions(-) diff --git a/circuit/circuit_test.go b/circuit/circuit_test.go index dce6c10..192542f 100644 --- a/circuit/circuit_test.go +++ b/circuit/circuit_test.go @@ -181,9 +181,6 @@ func TestBackwardDigest(t *testing.T) { } d1 := circ.BackwardDigest() - if d1 == nil { - t.Fatal("BackwardDigest returned nil") - } if len(d1) != 20 { // SHA-1 output t.Fatalf("digest length = %d, want 20", len(d1)) } diff --git a/cmd/tor-client/e2e_test.go b/cmd/tor-client/e2e_test.go index 16bf892..de2135a 100644 --- a/cmd/tor-client/e2e_test.go +++ b/cmd/tor-client/e2e_test.go @@ -233,6 +233,7 @@ func TestE2EConsensusAndSignatures(t *testing.T) { } if data == nil { t.Fatal("failed to bootstrap from any authority") + return // unreachable; helps staticcheck SA5011 } if len(data.keyCerts) < 5 { diff --git a/descriptor/descriptor_test.go b/descriptor/descriptor_test.go index e1e3548..602fd11 100644 --- a/descriptor/descriptor_test.go +++ b/descriptor/descriptor_test.go @@ -135,6 +135,7 @@ func TestParseDescriptorSigningKeyField(t *testing.T) { // SigningKey must be non-nil and match the key we generated if info.SigningKey == nil { t.Fatal("SigningKey is nil") + return // unreachable; helps staticcheck SA5011 } if info.SigningKey.N.Cmp(privKey.N) != 0 { t.Fatal("SigningKey.N does not match the generated key") @@ -166,6 +167,7 @@ func TestParseDescriptorSignatureBytesField(t *testing.T) { // SignatureBytes must be non-nil and non-empty if info.SignatureBytes == nil { t.Fatal("SignatureBytes is nil") + return // unreachable; helps staticcheck SA5011 } if len(info.SignatureBytes) == 0 { t.Fatal("SignatureBytes is empty") diff --git a/link/link_test.go b/link/link_test.go index 70213bc..89b88b5 100644 --- a/link/link_test.go +++ b/link/link_test.go @@ -47,9 +47,6 @@ func TestLinkRegisterCircuit(t *testing.T) { if err != nil { t.Fatalf("RegisterCircuit: %v", err) } - if cr == nil { - t.Fatal("RegisterCircuit returned nil") - } if cap(cr.Cells) != 32 { t.Fatalf("channel capacity = %d, want 32", cap(cr.Cells)) }