From 4860cdd810e6a44659be1157fcd9e091743cc7ef Mon Sep 17 00:00:00 2001 From: "v.oleynikov" Date: Tue, 17 Feb 2026 13:22:25 +0300 Subject: [PATCH 1/4] fix: add golangci-lint config migrate step for v2 compatibility --- scripts/go_linter.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/go_linter.sh b/scripts/go_linter.sh index f90000c..e83ac5e 100644 --- a/scripts/go_linter.sh +++ b/scripts/go_linter.sh @@ -39,6 +39,14 @@ section_start "install_linter" "Installing golangci-lint@$linter_version" curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b . $linter_version section_end "install_linter" +# Migrate .golangci config to v2 format if needed (golangci-lint v2 requires version: "2") +for config in .golangci.yaml .golangci.yml; do + if [ -f "$config" ] && ! grep -q 'version:.*"2"' "$config" 2>/dev/null; then + echo "Migrating $config to golangci-lint v2 format..." + ./golangci-lint migrate -c "$config" --skip-validation 2>/dev/null || true + fi +done + basedir=$(pwd) failed='false' From e176c897dd8bdae35540b2e989ef5018f35aaee3 Mon Sep 17 00:00:00 2001 From: "v.oleynikov" Date: Tue, 17 Feb 2026 14:17:50 +0300 Subject: [PATCH 2/4] fix: use GOTOOLCHAIN=auto for go.mod version compatibility --- scripts/go_test_coverage.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/go_test_coverage.sh b/scripts/go_test_coverage.sh index 8457666..e7d1efa 100644 --- a/scripts/go_test_coverage.sh +++ b/scripts/go_test_coverage.sh @@ -14,6 +14,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Fix covdata tool lookup with Go 1.25 toolchain switching +export GOTOOLCHAIN=auto + if [ ! -d "images" ]; then echo "No images/ directory found. Please run this script from the root of the repository." exit 1 From 2c920f867aadad3637798c5edd9709bf0b83b642 Mon Sep 17 00:00:00 2001 
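Review bot: The migrate call `./golangci-lint migrate -c "$config" --skip-validation 2>/dev/null || true` discards every failure, so when migration does not succeed the script silently continues and lints with the unconverted v1 config; the only trace in CI is whatever confusing error the lint run produces afterwards. Since `migrate` rewrites the repository's config in place (and, as far as I recall from the tool's docs, leaves a backup file beside it that a later `git status`/`diff` step would pick up — worth confirming), its outcome belongs in the log rather than in `/dev/null`. The detection on the line above is also narrower than the comment claims: `grep -q 'version:.*"2"'` only recognises a double-quoted value, so a config written as `version: '2'` would be re-migrated on every run. I would keep the best-effort semantics but report the failure on stderr, widen the version check, and drop the `2>/dev/null` on grep, which is redundant after the `-f` test.
```shell
for config in .golangci.yaml .golangci.yml; do
  # Already v2: accept a quoted or unquoted version value.
  if [ -f "$config" ] && ! grep -Eq "^version:[[:space:]]*['\"]?2" "$config"; then
    echo "Migrating $config to golangci-lint v2 format..."
    # A failed migration must be visible; the lint run below would otherwise
    # fail with an unrelated-looking config error.
    if ! ./golangci-lint migrate -c "$config" --skip-validation; then
      echo "WARNING: golangci-lint migrate failed for $config; linting will use the unmigrated config" >&2
    fi
  fi
done
```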
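Review bot: `export GOTOOLCHAIN=auto` changes which Go binary actually runs the tests: with `auto`, the `go` command downloads and switches to whatever toolchain the repository's `go.mod` (`go`/`toolchain` lines) requests, so the toolchain executing the coverage run is no longer the one baked into the CI image and changes whenever a repo bumps go.mod. That may well be intended, but the comment `# Fix covdata tool lookup with Go 1.25 toolchain switching` explains neither the mechanism nor the trust consequence; I would expand it along the lines of `# GOTOOLCHAIN=auto lets 'go' download and switch to the toolchain required by go.mod so the matching 'covdata' tool is found. Downloads are verified against the Go checksum database, so GOSUMDB must stay enabled in this job.` (the checksum-database claim is my understanding of the toolchain docs — confirm before committing it). If reproducibility matters more than convenience, the bounded form `GOTOOLCHAIN=go1.NN+auto`, or a `toolchain` line in go.mod, pins the floor, and the choice should be recorded in the same comment. The `if [ ! -d "images" ]` block that follows the added lines closes outside the hunk.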
From: "v.oleynikov" Date: Thu, 26 Feb 2026 17:21:19 +0300 Subject: [PATCH 3/4] gitleaks: add storage modules allowlist paths to base config --- gitleaks/config/gitleaks.base.toml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml index 99ed3d7..7f9e341 100644 --- a/gitleaks/config/gitleaks.base.toml +++ b/gitleaks/config/gitleaks.base.toml @@ -1,29 +1,32 @@ # Centralized Gitleaks configuration for all Deckhouse repositories # This file is distributed via modules-actions/gitleaks action -# -# Repositories can extend this config by creating local .gitleaks.toml: +# +# CI downloads this to /tmp/gitleaks.base.toml. Repositories can extend it: # [extend] # useDefault = false # path = "/tmp/gitleaks.base.toml" +# +# If no local .gitleaks.toml exists, CI uses this base config only. # Use default Gitleaks rules [extend] useDefault = true -# Global allowlists +# Global allowlists (merged with default config) [allowlist] # === Safe files/directories === -# NOTE: Use exact paths, NOT glob patterns like **/go.mod - paths = [ # Go dependencies - public hashes "go.mod", "go.sum", - - # Specific files with known false positives - # "modules/101-cert-manager/docs/USAGE.md", - # "modules/101-cert-manager/docs/USAGE_RU.md", + + # Storage modules - common allowlist + '''(?:^|/)images/.*patches.*\.patch$''', + '''(?:^|/)docs/.*\.md$''', + '''(?:^|/)test-secret\.txt$''', + '''(?:^|/)e2e/.*''', + '''(?:^|/).*_test\.go$''', ] # === Safe patterns === From 26f9d9296f2b001c3150d67e646587042c9547a6 Mon Sep 17 00:00:00 2001 From: "v.oleynikov" Date: Thu, 26 Feb 2026 17:56:09 +0300 Subject: [PATCH 4/4] gitleaks: remove UUID regex allowlist (use stopword in docs instead) --- gitleaks/config/gitleaks.base.toml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/gitleaks/config/gitleaks.base.toml b/gitleaks/config/gitleaks.base.toml index 7f9e341..818b12f 100644 
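Review bot: The new path entries `'''(?:^|/)e2e/.*'''`, `'''(?:^|/).*_test\.go$'''` and `'''(?:^|/)test-secret\.txt$'''` exclude whole classes of files from scanning, and because this is the centralized base config "for all Deckhouse repositories" (header comment) the exclusion applies to every repo that extends it, not only the storage modules the comment names. Test and e2e trees are a common place for real credentials pasted in to make a test pass (a kubeconfig, a cloud token, a registry password), so allowlisting them by path removes exactly the coverage a secret scanner exists for; `_test.go` alone drops every Go unit test organisation-wide. I would restrict the path allowlist to fixtures known to be synthetic (for example a dedicated `testdata/` subdirectory) and handle the remaining false positives with `stopwords` or a rule-scoped allowlist on the rule that actually fires, or move the storage-module entries into those repositories' own `.gitleaks.toml` via `[extend]` as the header describes. At minimum the comment `# Storage modules - common allowlist` should state that these entries apply to all repositories, and the `(?:^|/)` before `.*_test\.go$` is redundant and can be dropped.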
--- a/gitleaks/config/gitleaks.base.toml +++ b/gitleaks/config/gitleaks.base.toml @@ -23,7 +23,6 @@ paths = [ # Storage modules - common allowlist '''(?:^|/)images/.*patches.*\.patch$''', - '''(?:^|/)docs/.*\.md$''', '''(?:^|/)test-secret\.txt$''', '''(?:^|/)e2e/.*''', '''(?:^|/).*_test\.go$''', @@ -33,7 +32,7 @@ paths = [ regexes = [ # Go module checksums - always public '''h1:[A-Za-z0-9+/=]{40,}''', - + # Public certificates (only ca.crt, NOT private keys!) '''data:\s*\n\s*ca\.crt:\s*[A-Za-z0-9+/=\s]+''',