Implement the first part of RFC 20250303-linter-policy (#2577)

Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
2025-12-19 17:59:05 -05:00 · 2025-03-10 13:16:27 -04:00
parent eab41a07c5
commit b2bf39802a
51 changed files with 34 additions and 255 deletions
--- a/.golangci-complexity.yml
+++ b/.golangci-complexity.yml
@@ -1,64 +0,0 @@
-# Copyright (c) The OpenTofu Authors
-# SPDX-License-Identifier: MPL-2.0
-# Copyright (c) 2023 HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
-# This is a temporary variant of .golangci.yml to support our work on improving
-# existing functions to pass the code complexity lint rules:
-#    https://github.com/opentofu/opentofu/issues/2325
-#
-# If you are working on the code complexity improvement project then you can
-# check our progress on the complexity-related lints by running the linters
-# as follows:
-#     golangci-lint run -c .golangci-complexity.yml
-#
-# Many existing functions were failing multiple linters at once at the start
-# of this project, and for as long as that remains true it might be helpful
-# to add the --uniq-by-line=false option to review all of the failures at
-# once.
-#
-# This file should be deleted at the same time as we re-enable the five
-# complexity-related linters in .golangci.yml.
-
-run:
-  timeout: 30m
-
-linters-settings:
-  funlen:
-    lines: 100
-    statements: 50
-    ignore-comments: true
-
-  nolintlint:
-    require-explanation: true
-    require-specific: true
-
-  cyclop:
-    max-complexity: 20
-
-  gocognit:
-    min-complexity: 50
-
-  nestif:
-    min-complexity: 6
-
-issues:
-  exclude-rules:
-    - path: (.+)_test.go
-      linters:
-        - funlen
-        - dupl
-        - revive
-    - path: (.+)_test.go
-      text: "ST1003"
-    - path: (.+)_test.go
-      text: "var-naming: don't use underscores in Go names"
-
-linters:
-  disable-all: true
-  enable:
-    - cyclop
-    - funlen
-    - gocognit
-    - gocyclo
-    - nestif
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -6,119 +6,12 @@
 run:
  timeout: 30m

-linters-settings:
-  errcheck:
-    check-type-assertions: true
-
-  exhaustive:
-    check:
-      - switch
-      - map
-
-  funlen:
-    lines: 100
-    statements: 50
-    ignore-comments: true
-
-  govet:
-    enable-all: true
-    disable:
-      - fieldalignment # rule is too strict
-
-  nolintlint:
-    require-explanation: true
-    require-specific: true
-
-  cyclop:
-    max-complexity: 20
-
-  gocognit:
-    min-complexity: 50
-
-  goconst:
-    ignore-tests: true # Is documented to be the default behaviour, but that doesn't seem to be the case
-
-  gocritic:
-    settings:
-      ifElseChain:
-        minThreshold: 4
-
-  nestif:
-    min-complexity: 6
-
 issues:
-  exclude-rules:
-    - path: (.+)_test.go
-      linters:
-        - funlen
-        - dupl
-        - revive
-        - gocognit
-        - cyclop
-    - path: (.+)_test.go
-      text: "ST1003"
-    - path: (.+)_test.go
-      text: "var-naming: don't use underscores in Go names"
-
-linters:
-  disable-all: true
-  enable:
-    - asasalint
-    - asciicheck
-    - bidichk
-    - bodyclose
-    #- cyclop # (refer to .golangci-complexity.yml)
-    - dupl
-    - durationcheck
-    - errcheck
-    - errname
-    - errorlint
-    - exhaustive
-    - forbidigo
-    #- funlen # (refer to .golangci-complexity.yml)
-    - gocheckcompilerdirectives
-    - gochecknoglobals
-    - gochecknoinits
-    #- gocognit # (refer to .golangci-complexity.yml)
-    - goconst
-    - gocritic
-    #- gocyclo # (refer to .golangci-complexity.yml)
-    - goimports
-    #- gomoddirectives Disabled while we deal with the HCL fork
-    - gomodguard
-    - goprintffuncname
-    - gosec
-    - gosimple
-    - govet
-    - ineffassign
-    - loggercheck
-    - makezero
-    - mirror
-    - mnd
-    - musttag
-    - nakedret
-    #- nestif # (refer to .golangci-complexity.yml)
-    - nilerr
-    - nilnil
-    - noctx
-    - nolintlint
-    - nonamedreturns
-    - nosprintfhostport
-    - predeclared
-    - promlinter
-    - reassign
-    - revive
-    - rowserrcheck
-    - sqlclosecheck
-    - staticcheck
-    - stylecheck
-    - tenv
-    - testableexamples
-    - tparallel
-    - typecheck
-    - unconvert
-    - unparam
-    - unused
-    - usestdlibvars
-    - wastedassign
-    - whitespace
+  exclude-files:
+    # We have a few patterns that are excluded from linting completely because
+    # they contain effectively-frozen code that we're preserving for backward
+    # compatibility, where changes would be risky and that risk isn't warranted
+    # since we don't expect to be doing any significant maintenence on these.
+    - "^internal/ipaddr/"
+    - "^internal/legacy/"
+    - "^internal/states/statefile/version\\d+_upgrade\\.go$"
--- a/internal/addrs/map_test.go
+++ b/internal/addrs/map_test.go
@@ -9,7 +9,6 @@ import (
 	"testing"
 )

-//nolint:cyclop // The complexity of this test naturally scales by the number of test conditions, and would be less readable/maintainable if broken into smaller parts.
 func TestMap(t *testing.T) {
 	variableName := InputVariable{Name: "name"}
 	localHello := LocalValue{Name: "hello"}
--- a/internal/addrs/provider_config.go
+++ b/internal/addrs/provider_config.go
@@ -127,8 +127,6 @@ func ParseAbsProviderConfig(traversal hcl.Traversal) (AbsProviderConfig, tfdiags

 // ParseAbsProviderConfigInstance behaves identically to ParseAbsProviderConfig, but additionally
 // allows an instance key after the alias.
-//
-//nolint:mnd // traversals with specific indices
 func ParseAbsProviderConfigInstance(traversal hcl.Traversal) (AbsProviderConfig, InstanceKey, tfdiags.Diagnostics) {
 	modInst, remain, diags := parseModuleInstancePrefix(traversal)
 	var ret AbsProviderConfig
--- a/internal/addrs/traversal.go
+++ b/internal/addrs/traversal.go
@@ -36,7 +36,6 @@ func TraversalStr(traversal hcl.Traversal) string {
 				buf.WriteString(fmt.Sprintf("%q", tStep.Key.AsString()))
 			case cty.Number:
 				bf := tStep.Key.AsBigFloat()
-				//nolint:mnd // numerical precision
 				buf.WriteString(bf.Text('g', 10))
 			default:
 				buf.WriteString("...")
--- a/internal/backend/remote-state/pg/client.go
+++ b/internal/backend/remote-state/pg/client.go
@@ -94,7 +94,6 @@ func (c *RemoteClient) Lock(info *statemgr.LockInfo) (string, error) {
 	creationLockID := c.composeCreationLockID()

 	// Try to acquire locks for the existing row `id` and the creation lock.
-	//nolint:gosec // we only parameterize user passed values
 	query := fmt.Sprintf(`SELECT %s.id, pg_try_advisory_lock(%s.id), pg_try_advisory_lock(%s) FROM %s.%s WHERE %s.name = $1`,
 		statesTableName, statesTableName, creationLockID, c.SchemaName, statesTableName, statesTableName)

--- a/internal/backend/remote-state/pg/client_test.go
+++ b/internal/backend/remote-state/pg/client_test.go
@@ -165,7 +165,7 @@ func TestConcurrentCreationLocksInDifferentSchemas(t *testing.T) {
 	// during the same session.
 	if _, err = thirdClient.Lock(lock); err == nil {
 		t.Fatal("Expected an error to be thrown on a second lock attempt")
-	} else if lockErr := err.(*statemgr.LockError); lockErr.Info != lock && //nolint:errcheck,errorlint // this is a test, I am fine with panic here
+	} else if lockErr := err.(*statemgr.LockError); lockErr.Info != lock && //nolint:errcheck // this is a test, I am fine with panic here
 		lockErr.Err.Error() != "Already locked for workspace creation: default" {
 		t.Fatalf("Unexpected error thrown on a second lock attempt: %v", err)
 	}
--- a/internal/backend/remote-state/s3/client.go
+++ b/internal/backend/remote-state/s3/client.go
@@ -492,7 +492,6 @@ func (c *RemoteClient) getLockInfoFromS3(ctx context.Context) (*statemgr.LockInf
 	if err != nil {
 		var nb *types.NoSuchBucket
 		if errors.As(err, &nb) {
-			//nolint:stylecheck // error message already used in multiple places. Not recommended to be updated
 			return nil, fmt.Errorf(errS3NoSuchBucket, err)
 		}

--- a/internal/backend/remote/backend_common.go
+++ b/internal/backend/remote/backend_common.go
@@ -340,7 +340,6 @@ func (b *Remote) costEstimate(stopCtx, cancelCtx context.Context, op *backend.Op
 			b.CLI.Output("\n------------------------------------------------------------------------")
 			return nil
 		case tfe.CostEstimateCanceled:
-			//nolint:revive,stylecheck // Caller UI relies on this non-idiomatic error string form
 			return fmt.Errorf("%s canceled.", msgPrefix)
 		default:
 			return fmt.Errorf("Unknown or unexpected cost estimate state: %s", ce.Status)
@@ -418,10 +417,8 @@ func (b *Remote) checkPolicy(stopCtx, cancelCtx context.Context, op *backend.Ope
 			}
 			continue
 		case tfe.PolicyErrored:
-			//nolint:revive,stylecheck // Caller UI relies on this non-idiomatic error string form
 			return fmt.Errorf("%s errored.", msgPrefix)
 		case tfe.PolicyHardFailed:
-			//nolint:revive,stylecheck // Caller UI relies on this non-idiomatic error string form
 			return fmt.Errorf("%s hard failed.", msgPrefix)
 		case tfe.PolicySoftFailed:
 			runUrl := fmt.Sprintf(runHeader, b.hostname, b.organization, op.Workspace, r.ID)
--- a/internal/cloud/backend_common.go
+++ b/internal/cloud/backend_common.go
@@ -312,7 +312,6 @@ func (b *Cloud) costEstimate(stopCtx, cancelCtx context.Context, op *backend.Ope
 			b.CLI.Output("\n------------------------------------------------------------------------")
 			return nil
 		case tfe.CostEstimateCanceled:
-			//nolint:revive,stylecheck // Caller UI relies on this non-idiomatic error string form
 			return fmt.Errorf("%s canceled.", msgPrefix)
 		default:
 			return fmt.Errorf("Unknown or unexpected cost estimate state: %s", ce.Status)
@@ -390,10 +389,8 @@ func (b *Cloud) checkPolicy(stopCtx, cancelCtx context.Context, op *backend.Oper
 			}
 			continue
 		case tfe.PolicyErrored:
-			//nolint:revive,stylecheck // Caller UI relies on this non-idiomatic error string form
 			return fmt.Errorf("%s errored.", msgPrefix)
 		case tfe.PolicyHardFailed:
-			//nolint:revive,stylecheck // Caller UI relies on this non-idiomatic error string form
 			return fmt.Errorf("%s hard failed.", msgPrefix)
 		case tfe.PolicySoftFailed:
 			runUrl := fmt.Sprintf(runHeader, b.hostname, b.organization, op.Workspace, r.ID)
@@ -417,7 +414,6 @@ func (b *Cloud) checkPolicy(stopCtx, cancelCtx context.Context, op *backend.Oper
 				}
 				err = b.confirm(stopCtx, op, opts, r, "override")
 				if err != nil && err != errRunOverridden {
-					//nolint:revive,stylecheck // Caller UI relies on this non-idiomatic error string form
 					return fmt.Errorf("Failed to override: %s\n%s\n", err.Error(), runUrl)
 				}

--- a/internal/cloud/tfe_client_mock.go
+++ b/internal/cloud/tfe_client_mock.go
@@ -5,7 +5,7 @@

 //

-//nolint:revive,staticcheck //Disabling because we want to just stub out some methods
+//nolint:staticcheck //Disabling because we want to just stub out some methods
 package cloud

 import (
--- a/internal/command/console_state.go
+++ b/internal/command/console_state.go
@@ -70,7 +70,7 @@ func (c *consoleBracketState) UpdateState(line string) (string, int) {

 	tokens, _ := hclsyntax.LexConfig([]byte(line), "<console-input>", hcl.Pos{Line: 1, Column: 1})
 	for _, token := range tokens {
-		switch token.Type { //nolint:exhaustive // we only care about these specific types
+		switch token.Type { // we only care about these specific types
 		case hclsyntax.TokenOBrace:
 			c.brace++
 		case hclsyntax.TokenCBrace:
--- a/internal/command/views/json/diagnostic.go
+++ b/internal/command/views/json/diagnostic.go
@@ -186,8 +186,6 @@ func NewDiagnostic(diag tfdiags.Diagnostic, sources map[string]*hcl.File) *Diagn
 // ensure that the whole of an expression gets included in the snippet even if
 // the problem is just one operand of the expression and the expression is wrapped
 // over multiple lines.
-//
-//nolint:nonamedreturns // These names are for documentation purposes, to differentiate two results that have the same type
 func prepareDiagnosticRanges(subject, context *tfdiags.SourceRange) (highlight, snippet *tfdiags.SourceRange) {
 	if subject == nil {
 		// If we don't even have a "subject" then we have no ranges to report at all.
--- a/internal/configs/hcl2shim/mock_value_composer.go
+++ b/internal/configs/hcl2shim/mock_value_composer.go
@@ -21,7 +21,7 @@ type MockValueComposer struct {

 func NewMockValueComposer(seed int64) MockValueComposer {
 	return MockValueComposer{
-		rand: rand.New(rand.NewSource(seed)), //nolint:gosec // It doesn't need to be secure.
+		rand: rand.New(rand.NewSource(seed)),
 	}
 }

--- a/internal/configs/module.go
+++ b/internal/configs/module.go
@@ -136,7 +136,7 @@ func (s SelectiveLoader) filter(input []*File) []*File {
 			Locals:    inFile.Locals,
 		}

-		switch s { //nolint:exhaustive // SelectiveLoadAll handled above
+		switch s {
 		case SelectiveLoadBackend:
 			outFile.Backends = inFile.Backends
 			outFile.CloudConfigs = inFile.CloudConfigs
--- a/internal/configs/test_file.go
+++ b/internal/configs/test_file.go
@@ -1136,7 +1136,6 @@ var testRunModuleBlockSchema = &hcl.BodySchema{
 	},
 }

-//nolint:gochecknoglobals // To follow existing code style.
 var overrideResourceBlockSchema = &hcl.BodySchema{
 	Attributes: []hcl.AttributeSchema{
 		{
@@ -1150,7 +1149,6 @@ var overrideResourceBlockSchema = &hcl.BodySchema{
 	},
 }

-//nolint:gochecknoglobals // To follow existing code style.
 var overrideModuleBlockSchema = &hcl.BodySchema{
 	Attributes: []hcl.AttributeSchema{
 		{
@@ -1164,7 +1162,6 @@ var overrideModuleBlockSchema = &hcl.BodySchema{
 	},
 }

-//nolint:gochecknoglobals // To follow existing code style.
 var mockProviderBlockSchema = &hcl.BodySchema{
 	Attributes: []hcl.AttributeSchema{
 		{
@@ -1190,7 +1187,6 @@ var mockProviderBlockSchema = &hcl.BodySchema{
 	},
 }

-//nolint:gochecknoglobals // To follow existing code style.
 var mockResourceBlockSchema = &hcl.BodySchema{
 	Attributes: []hcl.AttributeSchema{
 		{
--- a/internal/encryption/base.go
+++ b/internal/encryption/base.go
@@ -142,7 +142,6 @@ func (base *baseEncryption) encrypt(data []byte, enhance func(basedata) interfac
 	return jsond, nil
 }

-//nolint:revive // this name is fine
 type EncryptionStatus int

 const (
--- a/internal/encryption/keyprovider.go
+++ b/internal/encryption/keyprovider.go
@@ -64,7 +64,7 @@ func filterKeyProviderReferences(cfg *config.EncryptionConfig, deps []hcl.Traver
 	// Setting up key providers from deps.
 	for _, dep := range deps {
 		// Key Provider references should be in the form key_provider.type.name
-		if len(dep) != 3 { //nolint:mnd // linting
+		if len(dep) != 3 {
 			nonKeyProviderDeps = append(nonKeyProviderDeps, dep)
 			continue
 		}
--- a/internal/encryption/keyprovider/external/provider.go
+++ b/internal/encryption/keyprovider/external/provider.go
@@ -45,7 +45,7 @@ func (k keyProvider) Provide(rawMeta keyprovider.KeyMeta) (keyprovider.Output, k

 	stderr := &bytes.Buffer{}

-	cmd := exec.CommandContext(ctx, k.command[0], k.command[1:]...) //nolint:gosec //Launching external commands here is the entire point.
+	cmd := exec.CommandContext(ctx, k.command[0], k.command[1:]...)

 	handler := &ioHandler{
 		false,
@@ -107,7 +107,7 @@ func (i *ioHandler) Write(p []byte) (int, error) {
 		return n, nil
 	}
 	// Check if the full header is present.
-	parts := strings.SplitN(string(i.output), "\n", 2) //nolint:mnd //This rule is dumb.
+	parts := strings.SplitN(string(i.output), "\n", 2)
 	if len(parts) == 1 {
 		return n, nil
 	}
--- a/internal/encryption/keyprovider/external/testprovider/testprovider.go
+++ b/internal/encryption/keyprovider/external/testprovider/testprovider.go
@@ -34,11 +34,11 @@ go 1.22`)

 	tempDir := t.TempDir()
 	dir := path.Join(tempDir, "testprovider-go")
-	if err := os.MkdirAll(dir, 0700); err != nil { //nolint:mnd // This check is stupid
+	if err := os.MkdirAll(dir, 0700); err != nil {
 		t.Errorf("Failed to create temporary directory (%v)", err)
 	}

-	if err := os.WriteFile(path.Join(dir, "go.mod"), goMod, 0600); err != nil { //nolint:mnd // This check is stupid
+	if err := os.WriteFile(path.Join(dir, "go.mod"), goMod, 0600); err != nil {
 		t.Errorf("%v", err)
 	}
 	if err := ejectFile("testprovider.go", path.Join(dir, "testprovider.go")); err != nil {
@@ -68,7 +68,7 @@ func Python(t *testing.T) []string {

 	tempDir := t.TempDir()
 	dir := path.Join(tempDir, "testprovider-py")
-	if err := os.MkdirAll(dir, 0700); err != nil { //nolint:mnd // This check is stupid
+	if err := os.MkdirAll(dir, 0700); err != nil {
 		t.Errorf("Failed to create temporary directory (%v)", err)
 	}
 	target := path.Join(dir, "testprovider.py")
@@ -86,7 +86,7 @@ func POSIXShell(t *testing.T) []string {

 	tempDir := t.TempDir()
 	dir := path.Join(tempDir, "testprovider-sh")
-	if err := os.MkdirAll(dir, 0700); err != nil { //nolint:mnd // This check is stupid
+	if err := os.MkdirAll(dir, 0700); err != nil {
 		t.Errorf("Failed to create temporary directory (%v)", err)
 	}
 	target := path.Join(dir, "testprovider.sh")
@@ -102,7 +102,7 @@ func ejectFile(file string, target string) error {
 	if err != nil {
 		return fmt.Errorf("failed to read %s file from embedded dataset (%w)", file, err)
 	}
-	if err := os.WriteFile(target, contents, 0600); err != nil { //nolint:mnd // This check is stupid
+	if err := os.WriteFile(target, contents, 0600); err != nil {
 		return fmt.Errorf("failed to create %s file at %s (%w)", file, target, err)
 	}
 	return nil
--- a/internal/encryption/method/external/command.go
+++ b/internal/encryption/method/external/command.go
@@ -83,7 +83,7 @@ func (c command) run(command []string, input any) ([]byte, error) {

 	stderr := &bytes.Buffer{}

-	cmd := exec.CommandContext(ctx, command[0], command[1:]...) //nolint:gosec //Launching external commands here is the entire point.
+	cmd := exec.CommandContext(ctx, command[0], command[1:]...)

 	handler := &ioHandler{
 		false,
@@ -152,7 +152,7 @@ func (i *ioHandler) Write(p []byte) (int, error) {
 		return n, nil
 	}
 	// Check if the full header is present.
-	parts := strings.SplitN(string(i.output), "\n", 2) //nolint:mnd //This rule is dumb.
+	parts := strings.SplitN(string(i.output), "\n", 2)
 	if len(parts) == 1 {
 		return n, nil
 	}
--- a/internal/encryption/method/external/compliance_test.go
+++ b/internal/encryption/method/external/compliance_test.go
@@ -25,8 +25,9 @@ func TestCompliancePython(t *testing.T) {
 }

 func runTest(t *testing.T, cmd []string) {
-	encryptCommand := append(cmd, "--encrypt") //nolint:gocritic //It's intentionally a different slice.
-	decryptCommand := append(cmd, "--decrypt") //nolint:gocritic //It's intentionally a different slice.
+	cmd = slices.Clip(cmd) // Make sure that the following appends are forced to allocate capacity
+	encryptCommand := append(cmd, "--encrypt")
+	decryptCommand := append(cmd, "--decrypt")

 	compliancetest.ComplianceTest(t, compliancetest.TestConfiguration[*descriptor, *Config, *command]{
 		Descriptor: New().(*descriptor), //nolint:errcheck //This is safe.
--- a/internal/encryption/method/external/testmethod/testmethod.go
+++ b/internal/encryption/method/external/testmethod/testmethod.go
@@ -32,11 +32,11 @@ go 1.22`)

 	tempDir := t.TempDir()
 	dir := path.Join(tempDir, "testmethod-go")
-	if err := os.MkdirAll(dir, 0700); err != nil { //nolint:mnd // This check is stupid
+	if err := os.MkdirAll(dir, 0700); err != nil {
 		t.Errorf("Failed to create temporary directory (%v)", err)
 	}

-	if err := os.WriteFile(path.Join(dir, "go.mod"), goMod, 0600); err != nil { //nolint:mnd // This check is stupid
+	if err := os.WriteFile(path.Join(dir, "go.mod"), goMod, 0600); err != nil {
 		t.Errorf("%v", err)
 	}
 	if err := ejectFile("testmethod.go", path.Join(dir, "testmethod.go")); err != nil {
@@ -65,7 +65,7 @@ func Python(t *testing.T) []string {

 	tempDir := t.TempDir()
 	dir := path.Join(tempDir, "testmethod-py")
-	if err := os.MkdirAll(dir, 0700); err != nil { //nolint:mnd // This check is stupid
+	if err := os.MkdirAll(dir, 0700); err != nil {
 		t.Errorf("Failed to create temporary directory (%v)", err)
 	}
 	target := path.Join(dir, "testmethod.py")
@@ -81,7 +81,7 @@ func ejectFile(file string, target string) error {
 	if err != nil {
 		return fmt.Errorf("failed to read %s file from embedded dataset (%w)", file, err)
 	}
-	if err := os.WriteFile(target, contents, 0600); err != nil { //nolint:mnd // This check is stupid
+	if err := os.WriteFile(target, contents, 0600); err != nil {
 		return fmt.Errorf("failed to create %s file at %s (%w)", file, target, err)
 	}
 	return nil
--- a/internal/encryption/targets.go
+++ b/internal/encryption/targets.go
@@ -21,7 +21,7 @@ func methodConfigsFromTarget(cfg *config.EncryptionConfig, target *config.Target
 		traversal, travDiags := hcl.AbsTraversalForExpr(target.Method)
 		diags = diags.Extend(travDiags)
 		if !travDiags.HasErrors() {
-			if len(traversal) != 3 { //nolint:mnd // linting
+			if len(traversal) != 3 {
 				diags = diags.Append(&hcl.Diagnostic{
 					Severity: hcl.DiagError,
 					Summary:  "Invalid encryption method identifier",
--- a/internal/getproviders/package_authentication.go
+++ b/internal/getproviders/package_authentication.go
@@ -516,7 +516,7 @@ func (s signatureAuthentication) findSigningKey() (*SigningKey, string, error) {
 				if entity != nil && entity.PrimaryKey != nil {
 					expiredKeyID = entity.PrimaryKey.KeyIdString()
 				} else {
-					expiredKeyID = "n/a" //nolint:goconst // This is a placeholder value
+					expiredKeyID = "n/a"
 				}
 			}
 			continue
@@ -533,7 +533,6 @@ func (s signatureAuthentication) findSigningKey() (*SigningKey, string, error) {

 	// Warn only once when ALL keys are expired.
 	if expiredKey != nil && !s.shouldEnforceGPGExpiration() {
-		//nolint:forbidigo // This is a warning message and is fine to be handled this way
 		fmt.Printf("[WARN] Provider %s/%s (%v) gpg key expired, this will fail in future versions of OpenTofu\n",
 			s.Meta.Provider.Namespace, s.Meta.Provider.Type, s.Meta.Provider.Hostname)
 		return expiredKey, expiredKeyID, nil
--- a/internal/ipaddr/ip.go
+++ b/internal/ipaddr/ip.go
@@ -10,7 +10,6 @@
 // This library accepts either size of byte slice but always
 // returns 16-byte addresses.

-//nolint:cyclop,funlen,gochecknoglobals,gocritic,nonamedreturns,mnd // This file is copied from the Go codebase and intended to remain close to the original in case we need to backport changes.
 package ipaddr

 import (
--- a/internal/ipaddr/ip_test.go
+++ b/internal/ipaddr/ip_test.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//nolint:gochecknoglobals,gocritic,govet // This file is copied from the Go codebase and intended to remain close to the original in case we need to backport changes.
 package ipaddr

 import (
--- a/internal/ipaddr/parse.go
+++ b/internal/ipaddr/parse.go
@@ -5,7 +5,6 @@
 // Simple file i/o and string manipulation, to avoid
 // depending on strconv and bufio and strings.

-//nolint:nonamedreturns,mnd // This file is copied from the Go codebase and intended to remain close to the original in case we need to backport changes.
 package ipaddr

 // Bigger than we need, not too big to worry about overflow
--- a/internal/lang/functions.go
+++ b/internal/lang/functions.go
@@ -107,8 +107,6 @@ func (s *Scope) experimentalFunction(experiment experiments.Experiment, fn funct
 // This function intentionally always returns a fresh map on each call because the
 // caller is expected to modify it further before storing it as part of a
 // particular [Scope], based on the unique settings of that scope.
-//
-//nolint:funlen // The length of this function naturally scales with the number of functions in the OpenTofu language.
 func makeBaseFunctionTable(baseDir string) map[string]function.Function {
 	// Some of our functions are just directly the cty stdlib functions.
 	// Others are implemented in the subdirectory "funcs" here in this
--- a/internal/lang/functions_test.go
+++ b/internal/lang/functions_test.go
@@ -43,8 +43,6 @@ import (
 // it really is registered correctly) and possibly a small set of additional
 // functions showing real-world use-cases that rely on type conversion
 // behaviors.
-//
-//nolint:gocognit // This test intentionally embraces mainloop complexity so that maintenence can primarily focus on the declarative test table rather than the actual test logic.
 func TestFunctions(t *testing.T) {
 	// used in `pathexpand()` test
 	homePath, err := homedir.Dir()
--- a/internal/legacy/helper/schema/field_reader.go
+++ b/internal/legacy/helper/schema/field_reader.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,funlen,gocognit // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package schema

 import (
--- a/internal/legacy/helper/schema/field_reader_config.go
+++ b/internal/legacy/helper/schema/field_reader_config.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,funlen,nestif // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package schema

 import (
--- a/internal/legacy/helper/schema/resource.go
+++ b/internal/legacy/helper/schema/resource.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,gocyclo,gocognit,nestif // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package schema

 import (
--- a/internal/legacy/helper/schema/resource_data.go
+++ b/internal/legacy/helper/schema/resource_data.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package schema

 import (
--- a/internal/legacy/helper/schema/resource_timeout.go
+++ b/internal/legacy/helper/schema/resource_timeout.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,funlen,nestif // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package schema

 import (
--- a/internal/legacy/helper/schema/schema.go
+++ b/internal/legacy/helper/schema/schema.go
@@ -14,8 +14,6 @@
 // everything else is meant to just work.
 //
 // A good starting point is to view the Provider structure.
-//
-//nolint:cyclop,funlen,gocognit,gocyclo,nestif // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package schema

 import (
--- a/internal/legacy/helper/schema/serialize.go
+++ b/internal/legacy/helper/schema/serialize.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:funlen // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package schema

 import (
--- a/internal/legacy/helper/schema/shims_test.go
+++ b/internal/legacy/helper/schema/shims_test.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,gocognit // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package schema

 import (
--- a/internal/legacy/tofu/diff.go
+++ b/internal/legacy/tofu/diff.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,funlen,gocognit,gocyclo,nestif // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package tofu

 import (
--- a/internal/legacy/tofu/provider_mock.go
+++ b/internal/legacy/tofu/provider_mock.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:nestif // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package tofu

 import (
--- a/internal/legacy/tofu/provisioner_mock.go
+++ b/internal/legacy/tofu/provisioner_mock.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:nestif // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package tofu

 import (
--- a/internal/legacy/tofu/state.go
+++ b/internal/legacy/tofu/state.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,funlen // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package tofu

 import (
--- a/internal/legacy/tofu/state_filter.go
+++ b/internal/legacy/tofu/state_filter.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:gocognit,nestif // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package tofu

 import (
--- a/internal/legacy/tofu/upgrade_state_v2_test.go
+++ b/internal/legacy/tofu/upgrade_state_v2_test.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,gocyclo // This legacy code is frozen from an older version of the codebase and will not be updated to pass any linters.
 package tofu

 import (
--- a/internal/plugin/grpc_provider.go
+++ b/internal/plugin/grpc_provider.go
@@ -657,7 +657,6 @@ func (p *GRPCProvider) MoveResourceState(r providers.MoveResourceStateRequest) p
 	protoReq := &proto.MoveResourceState_Request{
 		SourceProviderAddress: r.SourceProviderAddress,
 		SourceTypeName:        r.SourceTypeName,
-		//nolint:gosec // this will be refactored eventually
 		SourceSchemaVersion:   int64(r.SourceSchemaVersion),
 		SourceState: &proto.RawState{
 			Json:    r.SourceStateJSON,
--- a/internal/plugin6/grpc_provider.go
+++ b/internal/plugin6/grpc_provider.go
@@ -646,7 +646,6 @@ func (p *GRPCProvider) MoveResourceState(r providers.MoveResourceStateRequest) p
 	protoReq := &proto6.MoveResourceState_Request{
 		SourceProviderAddress: r.SourceProviderAddress,
 		SourceTypeName:        r.SourceTypeName,
-		//nolint:gosec // this will be refactored eventually
 		SourceSchemaVersion:   int64(r.SourceSchemaVersion),
 		SourceState: &proto6.RawState{
 			Json:    r.SourceStateJSON,
--- a/internal/providercache/installer.go
+++ b/internal/providercache/installer.go
@@ -675,8 +675,6 @@ func (i *Installer) ensureProviderVersionsInstall(
 // If sourceDir has a package that appears to be for the selected provider
 // version but there are any problems with that package that prevent it from
 // being installed then it returns a non-nil error describing the problem.
-//
-//nolint:nonamedreturns // The "installed" name explains what this bool represents as part of the signature
 func tryInstallPackageFromCacheDir(
 	ctx context.Context,
 	sourceDir *Dir,
--- a/internal/states/statefile/version1_upgrade.go
+++ b/internal/states/statefile/version1_upgrade.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:govet,mnd,nilnil // The functions in this file are effectively frozen to support an older state format version, so they will never be updated to pass lint rules.
 package statefile

 import (
--- a/internal/states/statefile/version2_upgrade.go
+++ b/internal/states/statefile/version2_upgrade.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,errcheck,funlen,gocritic,gocognit,gocyclo,predeclared,revive,unparam // The functions in this file are effectively frozen to support an older state format version, so they will never be updated to pass lint rules.
 package statefile

 import (
--- a/internal/states/statefile/version3_upgrade.go
+++ b/internal/states/statefile/version3_upgrade.go
@@ -3,7 +3,6 @@
 // Copyright (c) 2023 HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

-//nolint:cyclop,exhaustive,funlen,goconst,gocognit,gosec,govet,gocyclo,mnd,nestif,predeclared,revive // The functions in this file are effectively frozen to support an older state format version, so they will never be updated to pass lint rules.
 package statefile

 import (
--- a/internal/tofu/upgrade_resource_state.go
+++ b/internal/tofu/upgrade_resource_state.go
@@ -99,7 +99,6 @@ func upgradeResourceStateTransform(args stateTransformArgs) (cty.Value, []byte,
 		// to all protobuf target languages so in practice we use int64
 		// on the wire. In future we will change all of our internal
 		// representations to int64 too.
-		//nolint:gosec // this will be refactored eventually
 		Version: int64(args.objectSrc.SchemaVersion),
 	}