fix new linter warnings from prealloc linter

internal/concierge/apiserver/apiserver.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package apiserver
@@ -79,7 +79,7 @@ func (c completedConfig) New() (*PinnipedServer, error) {
 		GenericAPIServer: genericServer,
 	}
 
-	var errs []error //nolint:prealloc
+	var errs []error
 	for _, f := range []func() (schema.GroupVersionResource, rest.Storage){
 		func() (schema.GroupVersionResource, rest.Storage) {
 			tokenCredReqGVR := c.ExtraConfig.LoginConciergeGroupVersion.WithResource("tokencredentialrequests")

internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package jwtcachefiller implements a controller for filling an authncache.Cache with each
@@ -305,7 +305,7 @@ func (c *jwtCacheFillerController) doExpensiveValidations(
 	okSoFar bool,
 ) (*cachedJWTAuthenticator, []*metav1.Condition, []error) {
 	var conditions []*metav1.Condition
-	var errs []error
+	errs := make([]error, 0, 4)
 
 	client := phttp.Default(caBundle.CertPool())
 	client.Timeout = 30 * time.Second // copied from Kube OIDC code

internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package webhookcachefiller implements a controller for filling an authncache.Cache with each added/updated WebhookAuthenticator.
@@ -256,7 +256,7 @@ func (c *webhookCacheFillerController) doExpensiveValidations(
 ) (*cachedWebhookAuthenticator, []*metav1.Condition, []error) {
 	var newWebhookAuthenticatorForCache *cachedWebhookAuthenticator
 	var conditions []*metav1.Condition
-	var errs []error
+	errs := make([]error, 0, 2)
 
 	conditions, tlsNegotiateErr := c.validateConnection(ctx, caBundle.CertPool(), endpointHostPort, conditions, okSoFar, usingProxyForHost, logger)
 	errs = append(errs, tlsNegotiateErr)

internal/controller/supervisorconfig/federation_domain_watcher.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package supervisorconfig
@@ -682,7 +682,7 @@ func appendIdentityProvidersFoundCondition(
 	conditions []*metav1.Condition,
 ) []*metav1.Condition {
 	if len(idpNotFoundIndices) != 0 {
-		messages := []string{}
+		messages := make([]string, 0, len(idpNotFoundIndices))
 		for _, idpNotFoundIndex := range idpNotFoundIndices {
 			messages = append(messages, fmt.Sprintf("cannot find resource specified by .spec.identityProviders[%d].objectRef (with name %q)",
 				idpNotFoundIndex, federationDomainIdentityProviders[idpNotFoundIndex].ObjectRef.Name))

internal/controller/supervisorconfig/federation_domain_watcher_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package supervisorconfig
@@ -2182,7 +2182,7 @@ func makeFederationDomainIdentityProviderComparable(fdi *federationdomainprovide
 }
 
 func convertToComparableType(fdis []*federationdomainproviders.FederationDomainIssuer) []*comparableFederationDomainIssuer {
-	result := []*comparableFederationDomainIssuer{}
+	result := make([]*comparableFederationDomainIssuer, 0, len(fdis))
 	for _, fdi := range fdis {
 		identityProviders := fdi.IdentityProviders()
 		comparableFDIs := make([]*comparableFederationDomainIdentityProvider, len(identityProviders))
@@ -2217,7 +2217,7 @@ func expectedFederationDomainStatusUpdate(
 }
 
 func getFederationDomainStatusUpdates(t *testing.T, actions []coretesting.Action) []*supervisorconfigv1alpha1.FederationDomain {
-	federationDomains := []*supervisorconfigv1alpha1.FederationDomain{}
+	federationDomains := make([]*supervisorconfigv1alpha1.FederationDomain, 0, len(actions))
 
 	for _, action := range actions {
 		updateAction, ok := action.(coretesting.UpdateAction)
@@ -2320,7 +2320,7 @@ func TestTransformationPipelinesCanBeTestedForEqualityUsingSourceToMakeTestingEa
 	equalPipeline := idtransform.NewTransformationPipeline()
 	differentPipeline1 := idtransform.NewTransformationPipeline()
 	differentPipeline2 := idtransform.NewTransformationPipeline()
-	expectedSourceList := []any{}
+	expectedSourceList := make([]any, 0, len(transforms))
 
 	for i, transform := range transforms {
 		// Compile and append to a pipeline.

internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package githubupstreamwatcher implements a controller which watches GitHubIdentityProviders.
@@ -310,7 +310,7 @@ func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx contex
 	*upstreamgithub.Provider, // If validated, returns the config
 	error, // This error will only refer to programmatic errors such as inability to perform a connection probe or dereference a pointer, not configuration errors
 ) {
-	conditions := make([]*metav1.Condition, 0)
+	conditions := make([]*metav1.Condition, 0, 6)
 	applicationErrors := make([]error, 0)
 
 	clientSecretCondition, clientID, clientSecret, clientSecretErr := c.validateClientSecret(upstream.Spec.Client.SecretName)

internal/crypto/ptls/common_test.go

@@ -1,4 +1,4 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2024-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package ptls
@@ -74,7 +74,7 @@ func TestSetAllowedCiphersForTLSOneDotTwo(t *testing.T) {
 		err := SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo(userConfiguredAllowedCipherSuites)
 		require.NoError(t, err)
 		stored := getUserConfiguredAllowedCipherSuitesForTLSOneDotTwo()
-		var storedNames []string
+		storedNames := make([]string, 0, len(stored))
 		for _, suite := range stored {
 			storedNames = append(storedNames, suite.Name)
 		}

internal/federationdomain/endpoints/token/token_handler_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package token
@@ -5980,7 +5980,7 @@ func deepCopyRequestForm(r *http.Request) *http.Request {
 }
 
 func getMapKeys(m map[string]any) []string {
-	keys := make([]string, 0)
+	keys := make([]string, 0, len(m))
 	for key := range m {
 		keys = append(keys, key)
 	}

internal/federationdomain/endpointsmanager/manager_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package endpointsmanager
@@ -110,7 +110,7 @@ func TestManager(t *testing.T) {
 			expectedFlowsJSON, err := json.Marshal(expectedFlows)
 			require.NoError(t, err)
 
-			expectedIDPJSONList := []string{}
+			expectedIDPJSONList := make([]string, 0, len(expectedIDPNames))
 			for i := range expectedIDPNames {
 				expectedIDPJSONList = append(expectedIDPJSONList, fmt.Sprintf(`{"name":"%s","type":"%s","flows":%s}`,
 					expectedIDPNames[i], expectedIDPTypes, expectedFlowsJSON))

internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go

@@ -1,4 +1,4 @@
-// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package federationdomainproviders
@@ -74,7 +74,7 @@ func NewFederationDomainIdentityProvidersListerFinder(
 	wrappedLister idplister.UpstreamIdentityProvidersLister,
 ) *FederationDomainIdentityProvidersListerFinder {
 	// Create a copy of the input slice so we won't need to worry about the caller accidentally changing it.
-	copyOfFederationDomainIdentityProviders := []*FederationDomainIdentityProvider{}
+	copyOfFederationDomainIdentityProviders := make([]*FederationDomainIdentityProvider, 0, len(federationDomainIssuer.IdentityProviders()))
 	// Create a map and a set for quick lookups of the same data that was passed in via the
 	// federationDomainIssuer parameter.
 	allowedResourceUIDs := sets.New[types.UID]()

internal/federationdomain/resolvedprovider/resolvedoidc/resolved_oidc_provider.go

@@ -1,4 +1,4 @@
-// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2024-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package resolvedoidc
@@ -106,11 +106,12 @@ func (p *FederationDomainResolvedOIDCIdentityProvider) UpstreamAuthorizeRedirect
 		Scopes:      p.Provider.GetScopes(),
 	}
 
-	authCodeOptions := []oauth2.AuthCodeOption{
+	authCodeOptions := make([]oauth2.AuthCodeOption, 0, 3+len(p.Provider.GetAdditionalAuthcodeParams()))
+	authCodeOptions = append(authCodeOptions,
 		state.Nonce.Param(),
 		state.PKCE.Challenge(),
 		state.PKCE.Method(),
-	}
+	)
 
 	for key, val := range p.Provider.GetAdditionalAuthcodeParams() {
 		authCodeOptions = append(authCodeOptions, oauth2.SetAuthURLParam(key, val))

internal/groupsuffix/groupsuffix.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package groupsuffix
@@ -178,7 +178,7 @@ func Unreplace(baseAPIGroup, apiGroupSuffix string) (string, bool) {
 // makes sure that the provided apiGroupSuffix is a valid DNS-1123 subdomain with at least one dot,
 // to match Kubernetes behavior.
 func Validate(apiGroupSuffix string) error {
-	var errs []error //nolint:prealloc
+	var errs []error
 
 	if len(strings.Split(apiGroupSuffix, ".")) < 2 {
 		errs = append(errs, constable.Error("must contain '.'"))

internal/idtransform/identity_transformations.go

@@ -1,4 +1,4 @@
-// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package idtransform defines upstream-to-downstream identity transformations which could be
@@ -90,7 +90,7 @@ func (p *TransformationPipeline) Evaluate(ctx context.Context, username string,
 }
 
 func (p *TransformationPipeline) Source() []any {
-	result := []any{}
+	result := make([]any, 0, len(p.transforms))
 	for _, transform := range p.transforms {
 		result = append(result, transform.Source())
 	}

internal/idtransform/identity_transformations_test.go

@@ -1,4 +1,4 @@
-// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package idtransform
@@ -44,7 +44,7 @@ func (a fakeNilGroupTransformer) Source() any {
 type fakeAppendStringTransformer struct{}
 
 func (a fakeAppendStringTransformer) Evaluate(_ctx context.Context, username string, groups []string) (*TransformationResult, error) {
-	newGroups := []string{}
+	newGroups := make([]string, 0, len(groups))
 	for _, group := range groups {
 		newGroups = append(newGroups, group+":transformed")
 	}
@@ -78,7 +78,7 @@ func (a fakeDeleteUsernameAndGroupsTransformer) Source() any {
 type fakeAuthenticationDisallowedTransformer struct{}
 
 func (a fakeAuthenticationDisallowedTransformer) Evaluate(_ctx context.Context, username string, groups []string) (*TransformationResult, error) {
-	newGroups := []string{}
+	newGroups := make([]string, 0, len(groups))
 	for _, group := range groups {
 		newGroups = append(newGroups, group+":disallowed")
 	}

internal/supervisor/apiserver/apiserver.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package apiserver
@@ -80,7 +80,7 @@ func (c completedConfig) New() (*PinnipedServer, error) {
 		GenericAPIServer: genericServer,
 	}
 
-	var errs []error //nolint:prealloc
+	var errs []error
 	for _, f := range []func() (schema.GroupVersionResource, rest.Storage){
 		func() (schema.GroupVersionResource, rest.Storage) {
 			clientSecretReqGVR := c.ExtraConfig.ClientSecretSupervisorGroupVersion.WithResource("oidcclientsecretrequests")

internal/testutil/fakekubeapi/fakekubeapi.go

@@ -1,4 +1,4 @@
-// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 /*
@@ -113,7 +113,7 @@ func decodeObj(r *http.Request) (runtime.Object, error) {
 	}
 
 	var obj runtime.Object
-	var errs []error //nolint:prealloc
+	var errs []error
 	codecsThatWeUseInOurCode := []runtime.NegotiatedSerializer{
 		kubescheme.Codecs,
 		aggregatorclientscheme.Codecs,

internal/testutil/oidcclient.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package testutil
@@ -36,8 +36,9 @@ const (
 
 // allDynamicClientScopes returns a slice of all scopes that are supported by the Supervisor for dynamic clients.
 func allDynamicClientScopes() []supervisorconfigv1alpha1.Scope {
-	scopes := []supervisorconfigv1alpha1.Scope{}
-	for _, s := range strings.Split(AllDynamicClientScopesSpaceSep, " ") {
+	splitOnSpace := strings.Split(AllDynamicClientScopesSpaceSep, " ")
+	scopes := make([]supervisorconfigv1alpha1.Scope, 0, len(splitOnSpace))
+	for _, s := range splitOnSpace {
 		scopes = append(scopes, supervisorconfigv1alpha1.Scope(s))
 	}
 	return scopes

pkg/oidcclient/login.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 // Package oidcclient implements a CLI OIDC login flow.
@@ -646,7 +646,7 @@ func (h *handlerState) maybePerformPinnipedSupervisorValidations() (idpdiscovery
 
 		if !slices.Contains(supportedIDPTypes, h.upstreamIdentityProviderType) {
 			convertIDPListToQuotedStringList := func() []string {
-				var temp []string
+				temp := make([]string, 0, len(supportedIDPTypes))
 				for _, idpType := range supportedIDPTypes {
 					temp = append(temp, fmt.Sprintf("%q", idpType))
 				}
@@ -706,7 +706,7 @@ func (h *handlerState) maybePerformPinnipedSupervisorValidations() (idpdiscovery
 		loginFlow = foundIDP.Flows[0]
 	}
 
-	var authorizeOptions []oauth2.AuthCodeOption
+	authorizeOptions := make([]oauth2.AuthCodeOption, 0, 2)
 
 	authorizeOptions = append(authorizeOptions,
 		oauth2.SetAuthURLParam(oidcapi.AuthorizeUpstreamIDPNameParamName, h.upstreamIdentityProviderName),

test/integration/concierge_impersonation_proxy_test.go

@@ -1723,7 +1723,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		}
 
 		expectedAnnotations := func(credentialIssuerSpecAnnotations map[string]string, otherAnnotations map[string]string) map[string]string {
-			credentialIssuerSpecAnnotationKeys := []string{}
+			credentialIssuerSpecAnnotationKeys := make([]string, 0, len(credentialIssuerSpecAnnotations))
 			expectedAnnotations := map[string]string{}
 			// Expect the annotations specified on the CredentialIssuer spec to be present.
 			for k, v := range credentialIssuerSpecAnnotations {

test/integration/supervisor_login_test.go

@@ -1,4 +1,4 @@
-// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package integration
@@ -346,7 +346,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 		regexp.QuoteMeta("&sub=") + ".+" +
 		"$"
 
-	tests := []*supervisorLoginTestcase{
+	tests := []*supervisorLoginTestcase{ //nolint:prealloc
 		{
 			name:      "oidc with default username and groups claim settings",
 			maybeSkip: skipNever,
@@ -2829,7 +2829,7 @@ func supervisorLoginGithubTestcases(
 
 func wantGroupsInAdditionalClaimsIfGroupsExist(additionalClaims map[string]any, wantGroupsAdditionalClaimName string, wantGroups []string) map[string]any {
 	if len(wantGroups) > 0 {
-		var wantGroupsAnyType []any
+		wantGroupsAnyType := make([]any, 0, len(wantGroups))
 		for _, group := range wantGroups {
 			wantGroupsAnyType = append(wantGroupsAnyType, group)
 		}
@@ -2909,7 +2909,7 @@ func conditionsSummaryFromActualConditions(
 	caBundleConfigured bool,
 	expectedLDAPConnectionValidMessage string,
 ) [][]string {
-	conditionsSummary := [][]string{}
+	conditionsSummary := make([][]string, 0, len(conditions))
 	for _, condition := range conditions {
 		conditionsSummary = append(conditionsSummary, []string{condition.Type, string(condition.Status), condition.Reason})
 		t.Logf("Saw identity provider with Status.Condition Type=%s Status=%s Reason=%s Message=%s",
@@ -3351,7 +3351,7 @@ func verifyTokenResponse(
 	idTokenClaims := map[string]any{}
 	err = idToken.Claims(&idTokenClaims)
 	require.NoError(t, err)
-	idTokenClaimNames := []string{}
+	idTokenClaimNames := make([]string, 0, len(idTokenClaims))
 	for k := range idTokenClaims {
 		idTokenClaimNames = append(idTokenClaimNames, k)
 	}