From 72af65504011d0959c88ca5562ba603c435fa11d Mon Sep 17 00:00:00 2001
From: Sebastien Tardif
Date: Sun, 17 May 2026 13:51:04 -0700
Subject: [PATCH 1/2] pkg/trust: fix directory handle leak in loadAndMergeConfig

The os.Open(dirPath) call opens a directory handle used for Readdirnames() but never closes it, leaking one file descriptor per call to loadAndMergeConfig(). Add defer dir.Close() after the error check.

Signed-off-by: Sebastien Tardif
---
 pkg/trust/registries.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/trust/registries.go b/pkg/trust/registries.go
index 717ffa372b..85870df566 100644
--- a/pkg/trust/registries.go
+++ b/pkg/trust/registries.go
@@ -63,6 +63,7 @@ func loadAndMergeConfig(dirPath string) (*registryConfiguration, error) {
 }
 return nil, err
 }
+ defer dir.Close()
 configNames, err := dir.Readdirnames(0)
 if err != nil {
 return nil, err

From 39e5a0a0b94905e096f6ee4007d7e7a0c8006607 Mon Sep 17 00:00:00 2001
From: Sebastien Tardif
Date: Sun, 17 May 2026 16:07:48 -0700
Subject: [PATCH 2/2] Add unit tests for loadAndMergeConfig

Cover non-existent directory, empty directory, and existing testdata directory paths to verify config merging and directory handle cleanup.

Signed-off-by: Sebastien Tardif
---
 pkg/trust/registries_test.go | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 pkg/trust/registries_test.go

diff --git a/pkg/trust/registries_test.go b/pkg/trust/registries_test.go
new file mode 100644
index 0000000000..0150eb8eb2
--- /dev/null
+++ b/pkg/trust/registries_test.go
@@ -0,0 +1,29 @@
+package trust
+
+import (
+ "path/filepath"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestLoadAndMergeConfig(t *testing.T) {
+ // Non-existent directory returns empty config without error.
+ config, err := loadAndMergeConfig(filepath.Join(t.TempDir(), "nonexistent"))
+ require.NoError(t, err)
+ assert.Empty(t, config.Docker)
+ assert.Nil(t, config.DefaultDocker)
+
+ // Empty directory returns empty config.
+ emptyDir := t.TempDir()
+ config, err = loadAndMergeConfig(emptyDir)
+ require.NoError(t, err)
+ assert.Empty(t, config.Docker)
+ assert.Nil(t, config.DefaultDocker)
+
+ // Existing testdata directory returns valid config.
+ config, err = loadAndMergeConfig("./testdata")
+ require.NoError(t, err)
+ assert.NotEmpty(t, config.Docker)
+}
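Review bot: Nothing in TestLoadAndMergeConfig checks that the directory handle is released, although the commit message lists handle cleanup as covered; the three cases only assert on the returned configuration, so the test would pass equally without the `defer dir.Close()` from patch 1/2. Either drop that claim from the description or state the limit in the test, for example `// Does not verify that the directory handle is closed; only the returned config is checked.` The test also dereferences `config` immediately after `require.NoError`, so adding `require.NotNil(t, config)` before each `config.Docker` access would turn a nil result into a test failure rather than a panic. Since this configuration presumably feeds signature-trust decisions, the "./testdata" case would be stronger if it asserted specific merged entries instead of only `assert.NotEmpty(t, config.Docker)`.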