ci: bump golangci-lint to v2.5

.github/workflows/validate.yml

@@ -41,7 +41,7 @@ jobs:
           sudo apt -qy install libseccomp-dev
       - uses: golangci/golangci-lint-action@v8
         with:
-          version: v2.4
+          version: v2.5
       # Extra linters, only checking new code from a pull request.
       - name: lint-extra
         if: github.event_name == 'pull_request'

libcontainer/exeseal/cloned_binary_linux.go

@@ -125,7 +125,7 @@ func getSealableFile(comment, tmpDir string) (file *os.File, sealFn SealFunc, er
 	// First, try an executable memfd (supported since Linux 3.17).
 	file, sealFn, err = Memfd(comment)
 	if err == nil {
-		return
+		return file, sealFn, err
 	}
 	logrus.Debugf("memfd cloned binary failed, falling back to O_TMPFILE: %v", err)
 
@@ -154,7 +154,7 @@ func getSealableFile(comment, tmpDir string) (file *os.File, sealFn SealFunc, er
 			file.Close()
 			continue
 		}
-		return
+		return file, sealFn, err
 	}
 	logrus.Debugf("O_TMPFILE cloned binary failed, falling back to mktemp(): %v", err)
 	// Finally, try a classic unlinked temporary file.
@@ -168,7 +168,7 @@ func getSealableFile(comment, tmpDir string) (file *os.File, sealFn SealFunc, er
 			file.Close()
 			continue
 		}
-		return
+		return file, sealFn, err
 	}
 	return nil, nil, fmt.Errorf("could not create sealable file for cloned binary: %w", err)
 }

libcontainer/integration/utils_test.go

@@ -210,7 +210,7 @@ func runContainer(t testing.TB, config *configs.Config, args ...string) (buffers
 	} else {
 		return buffers, -1, err
 	}
-	return
+	return buffers, exitCode, err
 }
 
 // runContainerOk is a wrapper for runContainer, simplifying its use for cases

libcontainer/internal/userns/usernsfd_linux.go

@@ -34,7 +34,7 @@ func (m Mapping) toSys() (uids, gids []syscall.SysProcIDMap) {
 			Size:        int(gid.Size),
 		})
 	}
-	return
+	return uids, gids
 }
 
 // id returns a unique identifier for this mapping, agnostic of the order of

libcontainer/mount_linux.go

@@ -236,7 +236,7 @@ func syscallMode(i fs.FileMode) (o uint32) {
 		o |= unix.S_ISVTX
 	}
 	// No mapping for Go's ModeTemporary (plan9 only).
-	return
+	return o
 }
 
 // mountFd creates a "mount source fd" (either through open_tree(2) or just

libcontainer/nsenter/nsenter_test.go

@@ -199,7 +199,7 @@ func newPipe(t *testing.T) (parent *os.File, child *os.File) {
 		parent.Close()
 		child.Close()
 	})
-	return
+	return parent, child
 }
 
 func reapChildren(t *testing.T, parent *os.File) {

libcontainer/rootfs_linux.go

@@ -1155,7 +1155,7 @@ func msMoveRoot(rootfs string) error {
 			strings.HasPrefix(info.Mountpoint, rootfs) {
 			skip = true
 		}
-		return
+		return skip, stop
 	})
 	if err != nil {
 		return err

libcontainer/seccomp/patchbpf/enosys_linux.go

@@ -676,7 +676,7 @@ func filterFlags(config *configs.Seccomp, filter *libseccomp.ScmpFilter) (flags
 		}
 	}
 
-	return
+	return flags, noNewPrivs, err
 }
 
 func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (fd int, err error) {
@@ -706,7 +706,7 @@ func sysSeccompSetFilter(flags uint, filter []unix.SockFilter) (fd int, err erro
 	}
 	runtime.KeepAlive(filter)
 	runtime.KeepAlive(fprog)
-	return
+	return fd, err
 }
 
 // PatchAndLoad takes a seccomp configuration and a libseccomp filter which has

libcontainer/utils/utils.go

@@ -112,5 +112,5 @@ func Annotations(labels []string) (bundle string, userAnnotations map[string]str
 			userAnnotations[name] = value
 		}
 	}
-	return
+	return bundle, userAnnotations
 }