fix lint errors

Signed-off-by: Bob Callaway <bcallaway@google.com>

cmd/api-docs/main.go

@@ -165,7 +165,7 @@ func astFrom(filePath string) *doc.Package {
 	}
 
 	m[filePath] = f
-	apkg, _ := ast.NewPackage(fset, m, nil, nil) //nolint:errcheck
+	apkg, _ := ast.NewPackage(fset, m, nil, nil) //nolint:staticcheck
 
 	return doc.New(apkg, "", 0)
 }

pkg/tuf/repo.go

@@ -129,7 +129,10 @@ func Uncompress(src io.Reader, dst string) error {
 			}
 		// Write out files
 		case tar.TypeReg:
-			fileToWrite, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
+			if header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115
+				return errors.New("invalid mode value in tar header")
+			}
+			fileToWrite, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode)) //nolint:gosec // disable G115
 			if err != nil {
 				return err
 			}
@@ -213,9 +216,12 @@ func UncompressMemFS(src io.Reader, stripPrefix string) (fs.FS, error) {
 			if err != nil && err != io.EOF {
 				return nil, fmt.Errorf("reading file %s : %w", header.Name, err)
 			}
+			if header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115
+				return nil, errors.New("invalid mode value in tar header")
+			}
 			testFS[target] = &fstest.MapFile{
 				Data:    data,
-				Mode:    os.FileMode(header.Mode),
+				Mode:    os.FileMode(header.Mode), //nolint:gosec // disable G115
 				ModTime: header.ModTime,
 			}
 		}

pkg/webhook/validator.go

@@ -517,7 +517,7 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 			switch {
 			case authority.Static != nil:
 				if authority.Static.Action == "fail" {
-					result.err = cosign.NewVerificationError("disallowed by static policy: " + authority.Static.Message)
+					result.err = cosign.NewVerificationError("disallowed by static policy: %s", authority.Static.Message)
 					results <- result
 					return
 				}