cloudflare · armfazh · Oct 27, 2025 · Oct 25, 2025 · Oct 25, 2025 · Oct 25, 2025
diff --git a/.github/workflows/ci-actions.yml b/.github/workflows/ci-actions.yml
@@ -10,15 +10,15 @@ on:
 jobs:
   amd64_job:
     name: Go-${{matrix.GOVER}}/amd64
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
-        GOVER: ['1.24', '1.23']
+        GOVER: ['1.25', '1.24']
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup Go-${{ matrix.GOVER }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.GOVER }}
       - name: Linting
@@ -46,11 +46,11 @@ jobs:
     runs-on: ubuntu-24.04-arm
     strategy:
       matrix:
-        GOVER: ['1.24', '1.23']
+        GOVER: ['1.25', '1.24']
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Setup Go-${{ matrix.GOVER }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.GOVER }}
       - name: Building
@@ -59,35 +59,35 @@ jobs:
         run: go test -v -count=1 ./...
   build_modes:
     needs: [amd64_job]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     name: Testing Build Modes
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: Build as Static
         run: make circl_static
       - name: Build as Plugin
         run: make circl_plugin
   coverage_amd64_job:
     needs: [amd64_job]
     if: github.event_name == 'push'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     name: amd64/coverage
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: Produce Coverage
         run: go test -coverprofile=./coverage.txt ./...
       - name: Upload Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           file: ./coverage.txt
         env:
@@ -101,11 +101,11 @@ jobs:
         os: [macos-latest, windows-latest]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: Building
         run: go build -v ./...
       - name: Testing
@@ -120,16 +120,16 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: go
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:go"
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -20,5 +20,5 @@ jobs:
     container:
       image: semgrep/semgrep
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: semgrep ci --verbose
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -53,15 +53,6 @@ linters:
         - -QF1008
   exclusions:
     generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
 issues:
   max-issues-per-linter: 0
   max-same-issues: 0
@@ -70,9 +61,3 @@ formatters:
     - gofmt
     - gofumpt
     - goimports
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
diff --git a/abe/cpabe/tkn20/format_test.go b/abe/cpabe/tkn20/format_test.go
@@ -2,6 +2,7 @@ package tkn20
 
 import (
 	"os"
+	"path/filepath"
 	"testing"
 )
 
@@ -57,7 +58,7 @@ func TestCiphertext(t *testing.T) {
 
 func testCiphertext(t *testing.T, ctName string) {
 	t.Logf("Checking ciphertext: %v\n", ctName)
-	ciphertext, err := os.ReadFile(ctName)
+	ciphertext, err := os.ReadFile(filepath.Clean(ctName))
 	if err != nil {
 		t.Fatalf("Unable to read ciphertext data")
 	}

diff --git a/ecc/bls12381/encoding_test.go b/ecc/bls12381/encoding_test.go
@@ -82,7 +82,12 @@ func TestSerializationVector(t *testing.T) {
 		if err != nil {
 			t.Fatalf("file %v can not be opened: %v", v.fileName, err)
 		}
-		defer file.Close()
+		defer func() {
+			err = file.Close()
+			if err != nil {
+				t.Fatalf("file %v failed to be closed: %v", v.fileName, err)
+			}
+		}()
 
 		t.Run(v.fileName[:7], func(t *testing.T) { testSerialVector(t, file, &v) })
 	}

diff --git a/internal/sha3/xor_unaligned.go b/internal/sha3/xor_unaligned.go
@@ -14,14 +14,14 @@ import "unsafe"
 type storageBuf [maxRate / 8]uint64
 
 func (b *storageBuf) asBytes() *[maxRate]byte {
-	return (*[maxRate]byte)(unsafe.Pointer(b))
+	return (*[maxRate]byte)(unsafe.Pointer(b)) //nolint:gosec
 }
 
 // xorInuses unaligned reads and writes to update d.a to contain d.a
 // XOR buf.
 func xorIn(d *State, buf []byte) {
 	n := len(buf)
-	bw := (*[maxRate / 8]uint64)(unsafe.Pointer(&buf[0]))[: n/8 : n/8]
+	bw := (*[maxRate / 8]uint64)(unsafe.Pointer(&buf[0]))[: n/8 : n/8] //nolint:gosec
 	if n >= 72 {
 		d.a[0] ^= bw[0]
 		d.a[1] ^= bw[1]
@@ -56,6 +56,6 @@ func xorIn(d *State, buf []byte) {
 }
 
 func copyOut(d *State, buf []byte) {
-	ab := (*[maxRate]uint8)(unsafe.Pointer(&d.a[0]))
+	ab := (*[maxRate]uint8)(unsafe.Pointer(&d.a[0])) //nolint:gosec
 	copy(buf, ab[:])
 }
diff --git a/internal/test/test.go b/internal/test/test.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"
 )
@@ -116,7 +117,7 @@ func gunzip(in []byte) ([]byte, error) {
 
 // Like os.ReadFile, but gunzip first.
 func ReadGzip(path string) ([]byte, error) {
-	buf, err := os.ReadFile(path)
+	buf, err := os.ReadFile(filepath.Clean(path))
 	if err != nil {
 		return nil, err
 	}

diff --git a/kem/frodo/kat_test.go b/kem/frodo/kat_test.go
@@ -7,9 +7,11 @@ import (
 	"bytes"
 	"crypto/sha256"
 	"fmt"
+	"io"
 	"testing"
 
 	"github.com/cloudflare/circl/internal/nist"
+	"github.com/cloudflare/circl/internal/test"
 	"github.com/cloudflare/circl/kem/schemes"
 )
 
@@ -43,11 +45,12 @@ func testPQCgenKATKem(t *testing.T, name, expected string) {
 	}
 	f := sha256.New()
 	g := nist.NewDRBG(&seed)
-	fmt.Fprintf(f, "# %s\n\n", name)
+	mustWrite(t, f, "# %s\n\n", name)
 	for i := 0; i < 100; i++ {
 		g.Fill(seed[:])
-		fmt.Fprintf(f, "count = %d\n", i)
-		fmt.Fprintf(f, "seed = %X\n", seed)
+		mustWrite(t, f, "count = %d\n", i)
+		mustWrite(t, f, "seed = %X\n", seed)
+
 		g2 := nist.NewDRBG(&seed)
 
 		g2.Fill(kseed[:])
@@ -65,12 +68,17 @@ func testPQCgenKATKem(t *testing.T, name, expected string) {
 		if !bytes.Equal(ss, ss2) {
 			t.Fatal()
 		}
-		fmt.Fprintf(f, "pk = %X\n", ppk)
-		fmt.Fprintf(f, "sk = %X\n", psk)
-		fmt.Fprintf(f, "ct = %X\n", ct)
-		fmt.Fprintf(f, "ss = %X\n\n", ss)
+		mustWrite(t, f, "pk = %X\n", ppk)
+		mustWrite(t, f, "sk = %X\n", psk)
+		mustWrite(t, f, "ct = %X\n", ct)
+		mustWrite(t, f, "ss = %X\n\n", ss)
 	}
 	if fmt.Sprintf("%x", f.Sum(nil)) != expected {
 		t.Fatal()
 	}
 }
+
+func mustWrite(t *testing.T, f io.Writer, format string, data any) {
+	_, err := fmt.Fprintf(f, format, data)
+	test.CheckNoErr(t, err, "fprintf failed")
+}
diff --git a/kem/kyber/kat_test.go b/kem/kyber/kat_test.go
@@ -7,10 +7,12 @@ import (
 	"bytes"
 	"crypto/sha256"
 	"fmt"
+	"io"
 	"strings"
 	"testing"
 
 	"github.com/cloudflare/circl/internal/nist"
+	"github.com/cloudflare/circl/internal/test"
 	"github.com/cloudflare/circl/kem/schemes"
 )
 
@@ -54,11 +56,11 @@ func testPQCgenKATKem(t *testing.T, name, expected string) {
 
 	// The "standard" branch reference implementation still uses Kyber
 	// as name instead of ML-KEM.
-	fmt.Fprintf(f, "# %s\n\n", strings.ReplaceAll(name, "ML-KEM-", "Kyber"))
+	mustWrite(t, f, "# %s\n\n", strings.ReplaceAll(name, "ML-KEM-", "Kyber"))
 	for i := 0; i < 100; i++ {
 		g.Fill(seed[:])
-		fmt.Fprintf(f, "count = %d\n", i)
-		fmt.Fprintf(f, "seed = %X\n", seed)
+		mustWrite(t, f, "count = %d\n", i)
+		mustWrite(t, f, "seed = %X\n", seed)
 		g2 := nist.NewDRBG(&seed)
 
 		if strings.HasPrefix(name, "ML-KEM") {
@@ -81,12 +83,17 @@ func testPQCgenKATKem(t *testing.T, name, expected string) {
 		if !bytes.Equal(ss, ss2) {
 			t.Fatal()
 		}
-		fmt.Fprintf(f, "pk = %X\n", ppk)
-		fmt.Fprintf(f, "sk = %X\n", psk)
-		fmt.Fprintf(f, "ct = %X\n", ct)
-		fmt.Fprintf(f, "ss = %X\n\n", ss)
+		mustWrite(t, f, "pk = %X\n", ppk)
+		mustWrite(t, f, "sk = %X\n", psk)
+		mustWrite(t, f, "ct = %X\n", ct)
+		mustWrite(t, f, "ss = %X\n\n", ss)
 	}
 	if fmt.Sprintf("%x", f.Sum(nil)) != expected {
 		t.Fatalf("%s %x %s", name, f.Sum(nil), expected)
 	}
 }
+
+func mustWrite(t *testing.T, f io.Writer, format string, data any) {
+	_, err := fmt.Fprintf(f, format, data)
+	test.CheckNoErr(t, err, "fprintf failed")
+}
diff --git a/kem/xwing/xwing_test.go b/kem/xwing/xwing_test.go
@@ -7,17 +7,20 @@ import (
 	"testing"
 
 	"github.com/cloudflare/circl/internal/sha3"
+	"github.com/cloudflare/circl/internal/test"
 )
 
-func writeHex(w io.Writer, prefix string, val interface{}) {
+func writeHex(t *testing.T, w io.Writer, prefix string, val interface{}) {
 	indent := "  "
 	width := 74
 	hex := fmt.Sprintf("%x", val)
 	if len(prefix)+len(hex)+5 < width {
-		fmt.Fprintf(w, "%s     %s\n", prefix, hex)
+		_, err := fmt.Fprintf(w, "%s     %s\n", prefix, hex)
+		test.CheckNoErr(t, err, "fprintf failed")
 		return
 	}
-	fmt.Fprintf(w, "%s\n", prefix)
+	_, err := fmt.Fprintf(w, "%s\n", prefix)
+	test.CheckNoErr(t, err, "fprintf failed")
 	for len(hex) != 0 {
 		var toPrint string
 		if len(hex) < width-len(indent) {
@@ -27,7 +30,8 @@ func writeHex(w io.Writer, prefix string, val interface{}) {
 			toPrint = hex[:width-len(indent)]
 			hex = hex[width-len(indent):]
 		}
-		fmt.Fprintf(w, "%s%s\n", indent, toPrint)
+		_, err = fmt.Fprintf(w, "%s%s\n", indent, toPrint)
+		test.CheckNoErr(t, err, "fprintf failed")
 	}
 }
 
@@ -38,29 +42,30 @@ func TestVectors(t *testing.T) {
 	for i := 0; i < 3; i++ {
 		var seed [SeedSize]byte
 		_, _ = h.Read(seed[:])
-		writeHex(w, "seed", seed)
+		writeHex(t, w, "seed", seed)
 
 		sk, pk := DeriveKeyPairPacked(seed[:])
-		writeHex(w, "sk", sk)
-		writeHex(w, "pk", pk)
+		writeHex(t, w, "sk", sk)
+		writeHex(t, w, "pk", pk)
 
 		var eseed [EncapsulationSeedSize]byte
 		_, _ = h.Read(eseed[:])
-		writeHex(w, "eseed", eseed)
+		writeHex(t, w, "eseed", eseed)
 
 		ss, ct, err := Encapsulate(pk, eseed[:])
 		if err != nil {
 			t.Fatal(err)
 		}
-		writeHex(w, "ct", ct)
-		writeHex(w, "ss", ss)
+		writeHex(t, w, "ct", ct)
+		writeHex(t, w, "ss", ss)
 
 		ss2 := Decapsulate(ct, sk)
 		if !bytes.Equal(ss, ss2) {
 			t.Fatal()
 		}
 
-		fmt.Fprintf(w, "\n")
+		_, err = fmt.Fprintf(w, "\n")
+		test.CheckNoErr(t, err, "fprintf failed")
 	}
 
 	t.Logf("%s", w.String())