Merge pull request #297 from thaJeztah/update_go_1.20.6

update go to go1.20.6, debian bullseye
update go to go1.20.6
2026-06-28 15:21:29 +05:30 · 2023-07-17 02:13:55 +02:00 · 2023-07-17 00:40:48 +02:00 · 2023-07-17 00:40:29 +02:00 · 2023-06-27 13:48:45 +02:00 · 2023-06-26 13:59:01 +02:00
49 changed files with 1590 additions and 886 deletions
@@ -0,0 +1,4 @@
 # Code of conduct
 - [Moby community guidelines](https://github.com/moby/moby/blob/master/CONTRIBUTING.md#moby-community-guidelines)
 - [Docker Code of Conduct](https://github.com/docker/code-of-conduct)
@@ -0,0 +1,289 @@
 # Contribute to this repository
 This page contains information about reporting issues as well as some tips and
 guidelines useful to experienced open source contributors.
 ## Reporting security issues
 The project maintainers take security seriously. If you discover a security
 issue, please bring it to their attention right away!
 **Please _DO NOT_ file a public issue**, instead send your report privately to
 [security@docker.com](mailto:security@docker.com).
 Security reports are greatly appreciated and we will publicly thank you for it.
 We also like to send gifts&mdash;if you're into schwag, make sure to let
 us know. We currently do not offer a paid security bounty program, but are not
 ruling it out in the future.
 ## Reporting other issues
 A great way to contribute to the project is to send a detailed report when you
 encounter an issue. We always appreciate a well-written, thorough bug report,
 and will thank you for it!
 Check that [the issue database](https://github.com/docker/docker-credential-helpers/issues)
 doesn't already include that problem or suggestion before submitting an issue.
 If you find a match, you can use the "subscribe" button to get notified on
 updates. Do *not* leave random "+1" or "I have this too" comments, as they
 only clutter the discussion, and don't help resolving it. However, if you
 have ways to reproduce the issue or have additional information that may help
 resolving the issue, please leave a comment.
 Include the steps required to reproduce the problem if possible and applicable.
 This information will help us review and fix your issue faster. When sending
 lengthy log-files, consider posting them as an attachment, instead of posting
 inline.
 **Do not forget to remove sensitive data from your logfiles before submitting**
 (you can replace those parts with "REDACTED").
 ### Pull requests are always welcome
 Not sure if that typo is worth a pull request? Found a bug and know how to fix
 it? Do it! We will appreciate it.
 If your pull request is not accepted on the first try, don't be discouraged! If
 there's a problem with the implementation, hopefully you received feedback on
 what to improve.
 We're trying very hard to keep this project lean and focused. We don't want it to
 do everything for everybody. This means that we might decide against
 incorporating a new feature. However, there might be a way to implement that
 feature *on top of* code in this project.
 ### Design and cleanup proposals
 You can propose new designs for existing features. You can also design
 entirely new features. We really appreciate contributors who want to refactor or
 otherwise cleanup our project.
 ### Sign your work
 The sign-off is a simple line at the end of the explanation for the patch. Your
 signature certifies that you wrote the patch or otherwise have the right to pass
 it on as an open-source patch. The rules are pretty simple: if you can certify
 the below (from [developercertificate.org](https://developercertificate.org)):
 ```
 Developer Certificate of Origin
 Version 1.1
 Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
 Everyone is permitted to copy and distribute verbatim copies of this
 license document, but changing it is not allowed.
 Developer's Certificate of Origin 1.1
 By making a contribution to this project, I certify that:
 (a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or
 (b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or
 (c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.
 (d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.
 ```
 Then you just add a line to every git commit message:
    Signed-off-by: Joe Smith <joe.smith@email.com>
 **Use your real name** (sorry, no pseudonyms or anonymous contributions.)
 If you set your `user.name` and `user.email` git configs, you can sign your
 commit automatically with `git commit -s`.
 ### Run the unit- and integration-tests
 To validate PRs before submitting them you should run:
 ```bash
 $ make validate
 ```
 To run the tests:
 ```bash
 $ make test
 ```
 To generate new vendored files with go modules run:
 ```bash
 $ make vendor
 ```
 ### Conventions
 - Fork the repository and make changes on your fork in a feature branch
 - Submit tests for your changes. See [run the unit- and integration-tests](#run-the-unit--and-integration-tests)
  for details.
 - [Sign your work](#sign-your-work)
 Write clean code. Universally formatted code promotes ease of writing, reading,
 and maintenance. Always run `gofmt -s -w file.go` on each changed file before
 committing your changes. Most editors have plug-ins that do this automatically.
 Pull request descriptions should be as clear as possible and include a
 reference to all the issues that they address. Be sure that the [commit
 messages](#commit-messages) also contain the relevant information.
 ### Successful Changes
 Before contributing large or high impact changes, make the effort to coordinate
 with the maintainers of the project before submitting a pull request. This
 prevents you from doing extra work that may or may not be merged.
 Large PRs that are just submitted without any prior communication are unlikely
 to be successful.
 While pull requests are the methodology for submitting changes to code, changes
 are much more likely to be accepted if they are accompanied by additional
 engineering work. While we don't define this explicitly, most of these goals
 are accomplished through communication of the design goals and subsequent
 solutions. Often times, it helps to first state the problem before presenting
 solutions.
 Typically, the best methods of accomplishing this are to submit an issue,
 stating the problem. This issue can include a problem statement and a
 checklist with requirements. If solutions are proposed, alternatives should be
 listed and eliminated. Even if the criteria for elimination of a solution is
 frivolous, say so.
 Larger changes typically work best with design documents. These are focused on
 providing context to the design at the time the feature was conceived and can
 inform future documentation contributions.
 ### Commit Messages
 Commit messages must start with a capitalized and short summary (max. 50 chars)
 written in the imperative, followed by an optional, more detailed explanatory
 text which is separated from the summary by an empty line.
 Commit messages should follow best practices, including explaining the context
 of the problem and how it was solved, including in caveats or follow up changes
 required. They should tell the story of the change and provide readers
 understanding of what led to it.
 If you're lost about what this even means, please see [How to Write a Git
 Commit Message](http://chris.beams.io/posts/git-commit/) for a start.
 In practice, the best approach to maintaining a nice commit message is to
 leverage a `git add -p` and `git commit --amend` to formulate a solid
 changeset. This allows one to piece together a change, as information becomes
 available.
 If you squash a series of commits, don't just submit that. Re-write the commit
 message, as if the series of commits was a single stroke of brilliance.
 That said, there is no requirement to have a single commit for a PR, as long as
 each commit tells the story. For example, if there is a feature that requires a
 package, it might make sense to have the package in a separate commit then have
 a subsequent commit that uses it.
 Remember, you're telling part of the story with the commit message. Don't make
 your chapter weird.
 ### Review
 Code review comments may be added to your pull request. Discuss, then make the
 suggested modifications and push additional commits to your feature branch. Post
 a comment after pushing. New commits show up in the pull request automatically,
 but the reviewers are notified only when you comment.
 Pull requests must be cleanly rebased on top of master without multiple branches
 mixed into the PR.
 > **Git tip**: If your PR no longer merges cleanly, use `rebase master` in your
 > feature branch to update your pull request rather than `merge master`.
 Before you make a pull request, squash your commits into logical units of work
 using `git rebase -i` and `git push -f`. A logical unit of work is a consistent
 set of patches that should be reviewed together: for example, upgrading the
 version of a vendored dependency and taking advantage of its now available new
 feature constitute two separate units of work. Implementing a new function and
 calling it in another file constitute a single logical unit of work. The very
 high majority of submissions should have a single commit, so if in doubt: squash
 down to one.
 - After every commit, [make sure the test suite passes](#run-the-unit--and-integration-tests).
  Include documentation changes in the same pull request so that a revert would
  remove all traces of the feature or fix.
 - Include an issue reference like `closes #XXXX` or `fixes #XXXX` in the PR
  description that close an issue. Including references automatically closes
  the issue on a merge.
 - Do not add yourself to the `AUTHORS` file, as it is regenerated regularly
  from the Git history.
 - See the [Coding Style](#coding-style) for further guidelines.
 ### Merge approval
 Project maintainers use LGTM (Looks Good To Me) in comments on the code review to
 indicate acceptance, or use the Github review approval feature.
 ## Coding Style
 Unless explicitly stated, we follow all coding guidelines from the Go
 community. While some of these standards may seem arbitrary, they somehow seem
 to result in a solid, consistent codebase.
 It is possible that the code base does not currently comply with these
 guidelines. We are not looking for a massive PR that fixes this, since that
 goes against the spirit of the guidelines. All new contributions should make a
 best effort to clean up and make the code base better than they left it.
 Obviously, apply your best judgement. Remember, the goal here is to make the
 code base easier for humans to navigate and understand. Always keep that in
 mind when nudging others to comply.
 The rules:
 1. All code should be formatted with `gofmt -s`.
 2. All code should pass the default levels of
   [`golint`](https://github.com/golang/lint).
 3. All code should follow the guidelines covered in [Effective Go](http://golang.org/doc/effective_go.html)
   and [Go Code Review Comments](https://github.com/golang/go/wiki/CodeReviewComments).
 4. Comment the code. Tell us the why, the history and the context.
 5. Document _all_ declarations and methods, even private ones. Declare
   expectations, caveats and anything else that may be important. If a type
   gets exported, having the comments already there will ensure it's ready.
 6. Variable name length should be proportional to its context and no longer.
   `noCommaALongVariableNameLikeThisIsNotMoreClearWhenASimpleCommentWouldDo`.
   In practice, short methods will have short variable names and globals will
   have longer names.
 7. No underscores in package names. If you need a compound name, step back,
   and re-examine why you need a compound name. If you still think you need a
   compound name, lose the underscore.
 8. No utils or helpers packages. If a function is not general enough to
   warrant its own package, it has not been written generally enough to be a
   part of a util package. Just leave it unexported and well-documented.
 9. All tests should run with `go test` and outside tooling should not be
   required. No, we don't need another unit testing framework. Assertion
   packages are acceptable if they provide _real_ incremental value.
 10. Even though we call these "rules" above, they are actually just
    guidelines. Since you've read all the rules, you now know that.
 If you are having trouble getting into the mood of idiomatic Go, we recommend
 reading through [Effective Go](https://golang.org/doc/effective_go.html). The
 [Go Blog](https://blog.golang.org) is also a great resource.
@@ -0,0 +1,12 @@
 # Reporting security issues
 The project maintainers take security seriously. If you discover a security
 issue, please bring it to their attention right away!
 **Please _DO NOT_ file a public issue**, instead send your report privately to
 [security@docker.com](mailto:security@docker.com).
 Security reports are greatly appreciated, and we will publicly thank you for it.
 We also like to send gifts&mdash;if you're into schwag, make sure to let
 us know. We currently do not offer a paid security bounty program, but are not
 ruling it out in the future.
@@ -15,11 +15,11 @@ on:
 env:
  DESTDIR: ./bin
-  GO_VERSION: 1.18.5
+  GO_VERSION: 1.20.6
 jobs:
  validate:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
@@ -44,6 +44,7 @@ jobs:
      fail-fast: false
      matrix:
        os:
          - ubuntu-22.04
          - ubuntu-20.04
          - macOS-11
          - windows-2022
@@ -58,14 +59,19 @@ jobs:
          go-version: ${{ env.GO_VERSION }}
          cache: true
      -
-        name: Install deps
+        name: Install deps (ubuntu)
-        if: ${{ matrix.os == 'ubuntu-20.04' }}
+        if: startsWith(matrix.os, 'ubuntu-')
        run: |
          sudo apt-get update
          sudo apt-get install -y dbus-x11 gnome-keyring libsecret-1-dev pass
      -
        name: Install deps (macOS)
        if: startsWith(matrix.os, 'macOS-')
        run: |
          brew install pass
      -
        name: GPG conf
-        if: ${{ matrix.os == 'ubuntu-20.04' }}
+        if: ${{ !startsWith(matrix.os, 'windows-') }}
        uses: actions/github-script@v6
        id: gpg
        with:
@@ -82,29 +88,31 @@ jobs:
            core.setOutput('passphrase', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.pass', {encoding: 'utf8'}));
      -
        name: Import GPG key
-        if: ${{ matrix.os == 'ubuntu-20.04' }}
+        if: ${{ !startsWith(matrix.os, 'windows-') }}
        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ steps.gpg.outputs.key }}
          passphrase: ${{ steps.gpg.outputs.passphrase }}
          trust_level: 5
      -
        name: Init pass
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        run: |
          pass init 7D851EB72D73BDA0
        shell: bash
      -
        name: Test
        run: |
-          if [ "${{ matrix.os }}" = "ubuntu-20.04" ]; then
+          make test COVERAGEDIR=${{ env.DESTDIR }}
            echo -e "trust\n5\ny" | gpg --batch --no-tty --command-fd 0 --edit-key 7D851EB72D73BDA0
            pass init 7D851EB72D73BDA0
          fi
          go test -short -v -coverprofile=./coverage.txt -covermode=atomic ./...
          go tool cover -func=./coverage.txt
        shell: bash
      -
        name: Upload coverage
        uses: codecov/codecov-action@v3
        with:
-          file: ./coverage.txt
+          file: ${{ env.DESTDIR }}/coverage.txt
  test-sandboxed:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
      -
        name: Checkout
@@ -127,7 +135,7 @@ jobs:
          file: ${{ env.DESTDIR }}//coverage.txt
  build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
      -
        name: Checkout
@@ -173,7 +181,7 @@ jobs:
          files: ${{ env.DESTDIR }}/*
  build-deb:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
    steps:
      -
        name: Checkout
@@ -6,17 +6,14 @@ linters:
  enable:
    - gofmt
    - govet
    - deadcode
    - depguard
    - goimports
    - ineffassign
    - misspell
    - unused
    - varcheck
    - revive
    - staticcheck
    - typecheck
    - structcheck
  disable-all: true
 linters-settings:
@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
-ARG GO_VERSION=1.18.5
+ARG GO_VERSION=1.20.6
-ARG XX_VERSION=1.1.2
+ARG XX_VERSION=1.2.1
 ARG OSXCROSS_VERSION=11.3-r7-debian
-ARG GOLANGCI_LINT_VERSION=v1.47.3
+ARG GOLANGCI_LINT_VERSION=v1.51.1
 ARG DEBIAN_FRONTEND=noninteractive
 ARG PACKAGE=github.com/docker/docker-credential-helpers
@@ -38,7 +38,8 @@ FROM scratch AS vendor-update
 COPY --from=vendored /out /
 FROM vendored AS vendor-validate
-RUN --mount=type=bind,target=.,rw <<EOT
+RUN --mount=target=/context \
    --mount=target=.,type=tmpfs <<EOT
  set -e
  rsync -a /context/. .
  git add -A
@@ -85,8 +86,8 @@ RUN --mount=type=bind,target=. \
  gpg -k
  mkdir /out
-  xx-go test -short -v -coverprofile=/out/coverage.txt -covermode=atomic ./...
+  xx-go --wrap
-  xx-go tool cover -func=/out/coverage.txt
+  make test COVERAGEDIR=/out
 EOT
 FROM scratch AS test-coverage
@@ -119,6 +120,7 @@ RUN --mount=type=bind,target=. \
    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
    --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
  set -ex
  export MACOSX_VERSION_MIN=$(make print-MACOSX_DEPLOYMENT_TARGET)
  xx-go --wrap
  go install std
  make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
@@ -7,6 +7,13 @@ GO_LDFLAGS = -s -w -X ${GO_PKG}/credentials.Version=${VERSION} -X ${GO_PKG}/cred
 BUILDX_CMD ?= docker buildx
 DESTDIR ?= ./bin/build
 COVERAGEDIR ?= ./bin/coverage
 # 10.11 is the minimum supported version for osxkeychain
 export MACOSX_DEPLOYMENT_TARGET = 10.11
 ifeq "$(shell go env GOOS)" "darwin"
 	export CGO_CFLAGS = -mmacosx-version-min=$(MACOSX_DEPLOYMENT_TARGET)
 endif
 .PHONY: all
 all: cross
@@ -35,8 +42,10 @@ release: # create release
 	./hack/release
 .PHONY: test
-test: # tests all packages except vendor
+test:
-	go test -v `go list ./... | grep -v /vendor/`
+	mkdir -p $(COVERAGEDIR)
 	go test -short -v -coverprofile=$(COVERAGEDIR)/coverage.txt -covermode=atomic ./...
 	go tool cover -func=$(COVERAGEDIR)/coverage.txt
 .PHONY: lint
 lint:
@@ -72,3 +81,6 @@ vendor:
 	rm -rf ./vendor
 	cp -R "$($@_TMP_OUT)"/* .
 	rm -rf "$($@_TMP_OUT)"
 .PHONY: print-%
 print-%: ; @echo $($*)
@@ -1,6 +1,6 @@
 [![GitHub release](https://img.shields.io/github/release/docker/docker-credential-helpers.svg?style=flat-square)](https://github.com/docker/docker-credential-helpers/releases/latest)
 [![PkgGoDev](https://img.shields.io/badge/go.dev-docs-007d9c?style=flat-square&logo=go&logoColor=white)](https://pkg.go.dev/github.com/docker/docker-credential-helpers)
-[![Build Status](https://img.shields.io/github/workflow/status/docker/docker-credential-helpers/build?label=build&logo=github&style=flat-square)](https://github.com/docker/docker-credential-helpers/actions?query=workflow%3Abuild)
+[![Build Status](https://img.shields.io/github/actions/workflow/status/docker/docker-credential-helpers/build.yml?label=build&logo=github&style=flat-square)](https://github.com/docker/docker-credential-helpers/actions?query=workflow%3Abuild)
 [![Codecov](https://img.shields.io/codecov/c/github/docker/docker-credential-helpers?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/docker-credential-helpers)
 [![Go Report Card](https://goreportcard.com/badge/github.com/docker/docker-credential-helpers?style=flat-square)](https://goreportcard.com/report/github.com/docker/docker-credential-helpers)
@@ -17,6 +17,9 @@ Go to the [Releases](https://github.com/docker/docker-credential-helpers/release
 You can build the credential helpers using Docker:
 ```shell
 # install emulators
 $ docker run --privileged --rm tonistiigi/binfmt --install all
 # create builder
 $ docker buildx create --use
@@ -26,7 +26,7 @@ func isValidCredsMessage(msg string) error {
 // Store uses an external program to save credentials.
 func Store(program ProgramFunc, creds *credentials.Credentials) error {
-	cmd := program("store")
+	cmd := program(credentials.ActionStore)
 	buffer := new(bytes.Buffer)
 	if err := json.NewEncoder(buffer).Encode(creds); err != nil {
@@ -50,7 +50,7 @@ func Store(program ProgramFunc, creds *credentials.Credentials) error {
 // Get executes an external program to get the credentials from a native store.
 func Get(program ProgramFunc, serverURL string) (*credentials.Credentials, error) {
-	cmd := program("get")
+	cmd := program(credentials.ActionGet)
 	cmd.Input(strings.NewReader(serverURL))
 	out, err := cmd.Output()
@@ -81,7 +81,7 @@ func Get(program ProgramFunc, serverURL string) (*credentials.Credentials, error
 // Erase executes a program to remove the server credentials from the native store.
 func Erase(program ProgramFunc, serverURL string) error {
-	cmd := program("erase")
+	cmd := program(credentials.ActionErase)
 	cmd.Input(strings.NewReader(serverURL))
 	out, err := cmd.Output()
 	if err != nil {
@@ -99,7 +99,7 @@ func Erase(program ProgramFunc, serverURL string) error {
 // List executes a program to list server credentials in the native store.
 func List(program ProgramFunc) (map[string]string, error) {
-	cmd := program("list")
+	cmd := program(credentials.ActionList)
 	cmd.Input(strings.NewReader("unused"))
 	out, err := cmd.Output()
 	if err != nil {
@@ -11,24 +11,24 @@ import (
 )
 const (
-	validServerAddress   = "https://index.docker.io/v1"
+	validServerAddress   = "https://registry.example.com/v1"
 	validUsername        = "linus"
 	validServerAddress2  = "https://example.com:5002"
 	invalidServerAddress = "https://foobar.example.com"
-	missingCredsAddress  = "https://missing.docker.io/v1"
+	missingCredsAddress  = "https://missing.example.com/v1"
 )
 var errProgramExited = fmt.Errorf("exited 1")
 // mockProgram simulates interactions between the docker client and a remote
-// credentials helper.
+// credentials-helper.
 // Unit tests inject this mocked command into the remote to control execution.
 type mockProgram struct {
 	arg   string
 	input io.Reader
 }
-// Output returns responses from the remote credentials helper.
+// Output returns responses from the remote credentials-helper.
 // It mocks those responses based in the input in the mock.
 func (m *mockProgram) Output() ([]byte, error) {
 	in, err := io.ReadAll(m.input)
@@ -80,7 +80,7 @@ func (m *mockProgram) Output() ([]byte, error) {
 	return []byte(fmt.Sprintf("unknown argument %q with %q", m.arg, inS)), errProgramExited
 }
-// Input sets the input to send to a remote credentials helper.
+// Input sets the input to send to a remote credentials-helper.
 func (m *mockProgram) Input(in io.Reader) {
 	m.input = in
 }
@@ -92,16 +92,16 @@ func mockProgramFn(args ...string) Program {
 }
 func ExampleStore() {
-	p := NewShellProgramFunc("docker-credential-secretservice")
+	p := NewShellProgramFunc("docker-credential-pass")
 	c := &credentials.Credentials{
-		ServerURL: "https://example.com",
+		ServerURL: "https://registry.example.com",
-		Username:  "calavera",
+		Username:  "exampleuser",
 		Secret:    "my super secret token",
 	}
 	if err := Store(p, c); err != nil {
-		fmt.Println(err)
+		_, _ = fmt.Println(err)
 	}
 }
@@ -113,7 +113,7 @@ func TestStore(t *testing.T) {
 	for _, v := range valid {
 		if err := Store(mockProgramFn, &v); err != nil {
-			t.Fatal(err)
+			t.Error(err)
 		}
 	}
@@ -123,20 +123,20 @@ func TestStore(t *testing.T) {
 	for _, v := range invalid {
 		if err := Store(mockProgramFn, &v); err == nil {
-			t.Fatalf("Expected error for server %s, got nil", v.ServerURL)
+			t.Errorf("Expected error for server %s, got nil", v.ServerURL)
 		}
 	}
 }
 func ExampleGet() {
-	p := NewShellProgramFunc("docker-credential-secretservice")
+	p := NewShellProgramFunc("docker-credential-pass")
-	creds, err := Get(p, "https://example.com")
+	creds, err := Get(p, "https://registry.example.com")
 	if err != nil {
-		fmt.Println(err)
+		_, _ = fmt.Println(err)
 	}
-	fmt.Printf("Got credentials for user `%s` in `%s`\n", creds.Username, creds.ServerURL)
+	_, _ = fmt.Printf("Got credentials for user `%s` in `%s`\n", creds.Username, creds.ServerURL)
 }
 func TestGet(t *testing.T) {
@@ -152,10 +152,10 @@ func TestGet(t *testing.T) {
 		}
 		if c.Username != v.Username {
-			t.Fatalf("expected username `%s`, got %s", v.Username, c.Username)
+			t.Errorf("expected username `%s`, got %s", v.Username, c.Username)
 		}
 		if c.Secret != v.Secret {
-			t.Fatalf("expected secret `%s`, got %s", v.Secret, c.Secret)
+			t.Errorf("expected secret `%s`, got %s", v.Secret, c.Secret)
 		}
 	}
@@ -165,10 +165,17 @@ func TestGet(t *testing.T) {
 		serverURL string
 		err       string
 	}{
-		{missingCredsAddress, credentials.NewErrCredentialsNotFound().Error()},
+		{
-		{invalidServerAddress, "error getting credentials - err: exited 1, out: `program failed`"},
+			serverURL: missingCredsAddress,
-		{"", fmt.Sprintf("error getting credentials - err: %s, out: `%s`",
+			err:       credentials.NewErrCredentialsNotFound().Error(),
-			missingServerURLErr.Error(), missingServerURLErr.Error())},
+		},
 		{
 			serverURL: invalidServerAddress,
 			err:       "error getting credentials - err: exited 1, out: `program failed`",
 		},
 		{
 			err: fmt.Sprintf("error getting credentials - err: %s, out: `%s`", missingServerURLErr.Error(), missingServerURLErr.Error()),
 		},
 	}
 	for _, v := range invalid {
@@ -177,26 +184,26 @@ func TestGet(t *testing.T) {
 			t.Fatalf("Expected error for server %s, got nil", v.serverURL)
 		}
 		if err.Error() != v.err {
-			t.Fatalf("Expected error `%s`, got `%v`", v.err, err)
+			t.Errorf("Expected error `%s`, got `%v`", v.err, err)
 		}
 	}
 }
 func ExampleErase() {
-	p := NewShellProgramFunc("docker-credential-secretservice")
+	p := NewShellProgramFunc("docker-credential-pass")
-	if err := Erase(p, "https://example.com"); err != nil {
+	if err := Erase(p, "https://registry.example.com"); err != nil {
-		fmt.Println(err)
+		_, _ = fmt.Println(err)
 	}
 }
 func TestErase(t *testing.T) {
 	if err := Erase(mockProgramFn, validServerAddress); err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	if err := Erase(mockProgramFn, invalidServerAddress); err == nil {
-		t.Fatalf("Expected error for server %s, got nil", invalidServerAddress)
+		t.Errorf("Expected error for server %s, got nil", invalidServerAddress)
 	}
 }
@@ -207,6 +214,6 @@ func TestList(t *testing.T) {
 	}
 	if username, exists := auths[validServerAddress]; !exists || username != validUsername {
-		t.Fatalf("auths[%s] returned %s, %t; expected %s, %t", validServerAddress, username, exists, validUsername, true)
+		t.Errorf("auths[%s] returned %s, %t; expected %s, %t", validServerAddress, username, exists, validUsername, true)
 	}
 }
@@ -1,11 +1,9 @@
 package client
 import (
 	"fmt"
 	"io"
 	"os"
-
+	"os/exec"
 	exec "golang.org/x/sys/execabs"
 )
 // Program is an interface to execute external programs.
@@ -31,27 +29,26 @@ func NewShellProgramFuncWithEnv(name string, env *map[string]string) ProgramFunc
 func createProgramCmdRedirectErr(commandName string, args []string, env *map[string]string) *exec.Cmd {
 	programCmd := exec.Command(commandName, args...)
 	programCmd.Env = os.Environ()
 	if env != nil {
 		for k, v := range *env {
-			programCmd.Env = append(programCmd.Env, fmt.Sprintf("%s=%s", k, v))
+			programCmd.Env = append(programCmd.Environ(), k+"="+v)
 		}
 	}
 	programCmd.Stderr = os.Stderr
 	return programCmd
 }
-// Shell invokes shell commands to talk with a remote credentials helper.
+// Shell invokes shell commands to talk with a remote credentials-helper.
 type Shell struct {
 	cmd *exec.Cmd
 }
-// Output returns responses from the remote credentials helper.
+// Output returns responses from the remote credentials-helper.
 func (s *Shell) Output() ([]byte, error) {
 	return s.cmd.Output()
 }
-// Input sets the input to send to a remote credentials helper.
+// Input sets the input to send to a remote credentials-helper.
 func (s *Shell) Input(in io.Reader) {
 	s.cmd.Stdin = in
 }
@@ -10,6 +10,20 @@ import (
 	"strings"
 )
 // Action defines the name of an action (sub-command) supported by a
 // credential-helper binary. It is an alias for "string", and mostly
 // for convenience.
 type Action = string
 // List of actions (sub-commands) supported by credential-helper binaries.
 const (
 	ActionStore   Action = "store"
 	ActionGet     Action = "get"
 	ActionErase   Action = "erase"
 	ActionList    Action = "list"
 	ActionVersion Action = "version"
 )
 // Credentials holds the information shared between docker and the credentials store.
 type Credentials struct {
 	ServerURL string
@@ -43,42 +57,52 @@ func SetCredsLabel(label string) {
 	CredsLabel = label
 }
-// Serve initializes the credentials helper and parses the action argument.
+// Serve initializes the credentials-helper and parses the action argument.
 // This function is designed to be called from a command line interface.
 // It uses os.Args[1] as the key for the action.
 // It uses os.Stdin as input and os.Stdout as output.
 // This function terminates the program with os.Exit(1) if there is an error.
 func Serve(helper Helper) {
 	var err error
 	if len(os.Args) != 2 {
-		err = fmt.Errorf("Usage: %s <store|get|erase|list|version>", os.Args[0])
+		_, _ = fmt.Fprintln(os.Stdout, usage())
 		os.Exit(1)
 	}
-	if err == nil {
+	switch os.Args[1] {
-		err = HandleCommand(helper, os.Args[1], os.Stdin, os.Stdout)
+	case "--version", "-v":
 		_ = PrintVersion(os.Stdout)
 		os.Exit(0)
 	case "--help", "-h":
 		_, _ = fmt.Fprintln(os.Stdout, usage())
 		os.Exit(0)
 	}
-	if err != nil {
+	if err := HandleCommand(helper, os.Args[1], os.Stdin, os.Stdout); err != nil {
-		fmt.Fprintf(os.Stdout, "%v\n", err)
+		_, _ = fmt.Fprintln(os.Stdout, err)
 		os.Exit(1)
 	}
 }
-// HandleCommand uses a helper and a key to run a credential action.
+func usage() string {
-func HandleCommand(helper Helper, key string, in io.Reader, out io.Writer) error {
+	return fmt.Sprintf("Usage: %s <store|get|erase|list|version>", Name)
-	switch key {
+}
-	case "store":
+
 // HandleCommand runs a helper to execute a credential action.
 func HandleCommand(helper Helper, action Action, in io.Reader, out io.Writer) error {
 	switch action {
 	case ActionStore:
 		return Store(helper, in)
-	case "get":
+	case ActionGet:
 		return Get(helper, in, out)
-	case "erase":
+	case ActionErase:
 		return Erase(helper, in)
-	case "list":
+	case ActionList:
 		return List(helper, out)
-	case "version":
+	case ActionVersion:
 		return PrintVersion(out)
 	default:
 		return fmt.Errorf("%s: unknown action: %s", Name, action)
 	}
 	return fmt.Errorf("Unknown credential action `%s`", key)
 }
 // Store uses a helper and an input reader to save credentials.
@@ -132,18 +156,17 @@ func Get(helper Helper, reader io.Reader, writer io.Writer) error {
 		return err
 	}
-	resp := Credentials{
+	buffer.Reset()
 	err = json.NewEncoder(buffer).Encode(Credentials{
 		ServerURL: serverURL,
 		Username:  username,
 		Secret:    secret,
-	}
+	})
-
+	if err != nil {
 	buffer.Reset()
 	if err := json.NewEncoder(buffer).Encode(resp); err != nil {
 		return err
 	}
-	fmt.Fprint(writer, buffer.String())
+	_, _ = fmt.Fprint(writer, buffer.String())
 	return nil
 }
@@ -181,6 +204,6 @@ func List(helper Helper, writer io.Writer) error {
 // PrintVersion outputs the current version.
 func PrintVersion(writer io.Writer) error {
-	fmt.Fprintf(writer, "%s (%s) %s\n", Name, Package, Version)
+	_, _ = fmt.Fprintf(writer, "%s (%s) %s\n", Name, Package, Version)
 	return nil
 }
@@ -37,12 +37,12 @@ func (m *memoryStore) Get(serverURL string) (string, string, error) {
 }
 func (m *memoryStore) List() (map[string]string, error) {
-	//Simply a placeholder to let memoryStore be a valid implementation of Helper interface
+	// Simply a placeholder to let memoryStore be a valid implementation of Helper interface
 	return nil, nil
 }
 func TestStore(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -65,11 +65,11 @@ func TestStore(t *testing.T) {
 	}
 	if c.Username != "foo" {
-		t.Fatalf("expected username foo, got %s\n", c.Username)
+		t.Errorf("expected username foo, got %s\n", c.Username)
 	}
 	if c.Secret != "bar" {
-		t.Fatalf("expected username bar, got %s\n", c.Secret)
+		t.Errorf("expected username bar, got %s\n", c.Secret)
 	}
 }
@@ -88,14 +88,14 @@ func TestStoreMissingServerURL(t *testing.T) {
 	h := newMemoryStore()
-	if err := Store(h, in); IsCredentialsMissingServerURL(err) == false {
+	if err := Store(h, in); !IsCredentialsMissingServerURL(err) {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
 func TestStoreMissingUsername(t *testing.T) {
 	creds := &Credentials{
-		ServerURL: "https://index.docker.io/v1/",
+		ServerURL: "https://registry.example.com/v1/",
 		Username:  "",
 		Secret:    "bar",
 	}
@@ -108,13 +108,13 @@ func TestStoreMissingUsername(t *testing.T) {
 	h := newMemoryStore()
-	if err := Store(h, in); IsCredentialsMissingUsername(err) == false {
+	if err := Store(h, in); !IsCredentialsMissingUsername(err) {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
 func TestGet(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -147,16 +147,16 @@ func TestGet(t *testing.T) {
 	}
 	if c.Username != "foo" {
-		t.Fatalf("expected username foo, got %s\n", c.Username)
+		t.Errorf("expected username foo, got %s\n", c.Username)
 	}
 	if c.Secret != "bar" {
-		t.Fatalf("expected username bar, got %s\n", c.Secret)
+		t.Errorf("expected username bar, got %s\n", c.Secret)
 	}
 }
 func TestGetMissingServerURL(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -176,13 +176,13 @@ func TestGetMissingServerURL(t *testing.T) {
 	buf := strings.NewReader("")
 	w := new(bytes.Buffer)
-	if err := Get(h, buf, w); IsCredentialsMissingServerURL(err) == false {
+	if err := Get(h, buf, w); !IsCredentialsMissingServerURL(err) {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
 func TestErase(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -206,12 +206,12 @@ func TestErase(t *testing.T) {
 	w := new(bytes.Buffer)
 	if err := Get(h, buf, w); err == nil {
-		t.Fatal("expected error getting missing creds, got empty")
+		t.Error("expected error getting missing creds, got empty")
 	}
 }
 func TestEraseMissingServerURL(t *testing.T) {
-	serverURL := "https://index.docker.io/v1/"
+	const serverURL = "https://registry.example.com/v1/"
 	creds := &Credentials{
 		ServerURL: serverURL,
 		Username:  "foo",
@@ -229,21 +229,21 @@ func TestEraseMissingServerURL(t *testing.T) {
 	}
 	buf := strings.NewReader("")
-	if err := Erase(h, buf); IsCredentialsMissingServerURL(err) == false {
+	if err := Erase(h, buf); !IsCredentialsMissingServerURL(err) {
-		t.Fatal(err)
+		t.Error(err)
 	}
 }
 func TestList(t *testing.T) {
-	//This tests that there is proper input an output into the byte stream
+	// This tests that there is proper input an output into the byte stream
-	//Individual stores are very OS specific and have been tested in osxkeychain and secretservice respectively
+	// Individual stores are very OS specific and have been tested in osxkeychain and secretservice respectively
 	out := new(bytes.Buffer)
 	h := newMemoryStore()
 	if err := List(h, out); err != nil {
 		t.Fatal(err)
 	}
-	//testing that there is an output
+	// testing that there is an output
 	if out.Len() == 0 {
-		t.Fatalf("expected output in the writer, got %d", 0)
+		t.Error("expected output in the writer, got 0")
 	}
 }
@@ -1,5 +1,7 @@
 package credentials
 import "errors"
 const (
 	// ErrCredentialsNotFound standardizes the not found error, so every helper returns
 	// the same message and docker can handle it properly.
@@ -21,6 +23,11 @@ func (errCredentialsNotFound) Error() string {
 	return errCredentialsNotFoundMessage
 }
 // NotFound implements the [ErrNotFound][errdefs.ErrNotFound] interface.
 //
 // [errdefs.ErrNotFound]: https://pkg.go.dev/github.com/docker/docker@v24.0.1+incompatible/errdefs#ErrNotFound
 func (errCredentialsNotFound) NotFound() {}
 // NewErrCredentialsNotFound creates a new error
 // for when the credentials are not in the store.
 func NewErrCredentialsNotFound() error {
@@ -30,8 +37,8 @@ func NewErrCredentialsNotFound() error {
 // IsErrCredentialsNotFound returns true if the error
 // was caused by not having a set of credentials in a store.
 func IsErrCredentialsNotFound(err error) bool {
-	_, ok := err.(errCredentialsNotFound)
+	var target errCredentialsNotFound
-	return ok
+	return errors.As(err, &target)
 }
 // IsErrCredentialsNotFoundMessage returns true if the error
@@ -53,6 +60,12 @@ func (errCredentialsMissingServerURL) Error() string {
 	return errCredentialsMissingServerURLMessage
 }
 // InvalidParameter implements the [ErrInvalidParameter][errdefs.ErrInvalidParameter]
 // interface.
 //
 // [errdefs.ErrInvalidParameter]: https://pkg.go.dev/github.com/docker/docker@v24.0.1+incompatible/errdefs#ErrInvalidParameter
 func (errCredentialsMissingServerURL) InvalidParameter() {}
 // errCredentialsMissingUsername represents an error raised
 // when the credentials object has no username or when no
 // username is provided to a credentials operation requiring
@@ -63,6 +76,12 @@ func (errCredentialsMissingUsername) Error() string {
 	return errCredentialsMissingUsernameMessage
 }
 // InvalidParameter implements the [ErrInvalidParameter][errdefs.ErrInvalidParameter]
 // interface.
 //
 // [errdefs.ErrInvalidParameter]: https://pkg.go.dev/github.com/docker/docker@v24.0.1+incompatible/errdefs#ErrInvalidParameter
 func (errCredentialsMissingUsername) InvalidParameter() {}
 // NewErrCredentialsMissingServerURL creates a new error for
 // errCredentialsMissingServerURL.
 func NewErrCredentialsMissingServerURL() error {
@@ -78,8 +97,8 @@ func NewErrCredentialsMissingUsername() error {
 // IsCredentialsMissingServerURL returns true if the error
 // was an errCredentialsMissingServerURL.
 func IsCredentialsMissingServerURL(err error) bool {
-	_, ok := err.(errCredentialsMissingServerURL)
+	var target errCredentialsMissingServerURL
-	return ok
+	return errors.As(err, &target)
 }
 // IsCredentialsMissingServerURLMessage checks for an
@@ -91,8 +110,8 @@ func IsCredentialsMissingServerURLMessage(err string) bool {
 // IsCredentialsMissingUsername returns true if the error
 // was an errCredentialsMissingUsername.
 func IsCredentialsMissingUsername(err error) bool {
-	_, ok := err.(errCredentialsMissingUsername)
+	var target errCredentialsMissingUsername
-	return ok
+	return errors.As(err, &target)
 }
 // IsCredentialsMissingUsernameMessage checks for an
@@ -1,8 +1,10 @@
-ARG GO_VERSION=1.18.5
+# syntax=docker/dockerfile:1
 ARG GO_VERSION=1.20.6
 ARG DISTRO=ubuntu
 ARG SUITE=focal
-FROM golang:${GO_VERSION}-buster AS golang
+FROM golang:${GO_VERSION}-bullseye AS golang
 FROM ${DISTRO}:${SUITE}
@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-  default = "1.18.5"
+  default = "1.20.6"
 }
 # Defines the output folder
@@ -62,7 +62,8 @@ target "binaries" {
    "linux/arm/v6",
    "linux/ppc64le",
    "linux/s390x",
-    "windows/amd64"
+    "windows/amd64",
    "windows/arm64"
  ]
 }
@@ -1,8 +1,7 @@
 module github.com/docker/docker-credential-helpers
-go 1.18
+go 1.19
-require (
+require github.com/danieljoos/wincred v1.2.0
-	github.com/danieljoos/wincred v1.1.2
+
-	golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64
+require golang.org/x/sys v0.8.0 // indirect
 )
@@ -1,16 +1,9 @@
-github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
+github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE=
-github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
+github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec=
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
-github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64 h1:UiNENfZ8gDvpiWw7IpOMQ27spWmThO1RwwdQVbJahJM=
 golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -1,3 +1,5 @@
 //go:build darwin && cgo
 package main
 import (
@@ -1,4 +1,4 @@
-#include "osxkeychain_darwin.h"
+#include "osxkeychain.h"
 #include <CoreFoundation/CoreFoundation.h>
 #include <Foundation/NSValue.h>
 #include <stdio.h>
@@ -1,13 +1,16 @@
 //go:build darwin && cgo
 package osxkeychain
 /*
-#cgo CFLAGS: -x objective-c -mmacosx-version-min=10.11
+#cgo CFLAGS: -x objective-c
-#cgo LDFLAGS: -framework Security -framework Foundation -mmacosx-version-min=10.11
+#cgo LDFLAGS: -framework Security -framework Foundation
-#include "osxkeychain_darwin.h"
+#include "osxkeychain.h"
 #include <stdlib.h>
 */
 import "C"
 import (
 	"errors"
 	"strconv"
@@ -33,7 +36,7 @@ type Osxkeychain struct{}
 // Add adds new credentials to the keychain.
 func (h Osxkeychain) Add(creds *credentials.Credentials) error {
-	h.Delete(creds.ServerURL)
+	_ = h.Delete(creds.ServerURL) // ignore errors as existing credential may not exist.
 	s, err := splitServer(creds.ServerURL)
 	if err != nil {
@@ -65,10 +68,16 @@ func (h Osxkeychain) Delete(serverURL string) error {
 	}
 	defer freeServer(s)
-	errMsg := C.keychain_delete(s)
+	if errMsg := C.keychain_delete(s); errMsg != nil {
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
-		return errors.New(C.GoString(errMsg))
+		switch goMsg := C.GoString(errMsg); goMsg {
 		case errCredentialsNotFound:
 			return credentials.NewErrCredentialsNotFound()
 		case errInteractionNotAllowed:
 			return ErrInteractionNotAllowed
 		default:
 			return errors.New(goMsg)
 		}
 	}
 	return nil
@@ -92,15 +101,14 @@ func (h Osxkeychain) Get(serverURL string) (string, string, error) {
 	errMsg := C.keychain_get(s, &usernameLen, &username, &secretLen, &secret)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
-		goMsg := C.GoString(errMsg)
+		switch goMsg := C.GoString(errMsg); goMsg {
-		if goMsg == errCredentialsNotFound {
+		case errCredentialsNotFound:
 			return "", "", credentials.NewErrCredentialsNotFound()
-		}
+		case errInteractionNotAllowed:
 		if goMsg == errInteractionNotAllowed {
 			return "", "", ErrInteractionNotAllowed
 		default:
 			return "", "", errors.New(goMsg)
 		}
 		return "", "", errors.New(goMsg)
 	}
 	user := C.GoStringN(username, C.int(usernameLen))
@@ -123,15 +131,14 @@ func (h Osxkeychain) List() (map[string]string, error) {
 	defer C.freeListData(&acctsC, listLenC)
 	if errMsg != nil {
 		defer C.free(unsafe.Pointer(errMsg))
-		goMsg := C.GoString(errMsg)
+		switch goMsg := C.GoString(errMsg); goMsg {
-		if goMsg == errCredentialsNotFound {
+		case errCredentialsNotFound:
 			return make(map[string]string), nil
-		}
+		case errInteractionNotAllowed:
 		if goMsg == errInteractionNotAllowed {
 			return nil, ErrInteractionNotAllowed
 		default:
 			return nil, errors.New(goMsg)
 		}
 		return nil, errors.New(goMsg)
 	}
 	var listLen int
@@ -1,213 +0,0 @@
 package osxkeychain
 import (
 	"fmt"
 	"testing"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 func TestOSXKeychainHelper(t *testing.T) {
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v1",
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
 	creds1 := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v2",
 		Username:  "foobarbaz",
 		Secret:    "foobar",
 	}
 	helper := Osxkeychain{}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
 	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if username != "foobar" {
 		t.Fatalf("expected %s, got %s\n", "foobar", username)
 	}
 	if secret != "foobarbaz" {
 		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
 	}
 	auths, err := helper.List()
 	if err != nil || len(auths) == 0 {
 		t.Fatal(err)
 	}
 	helper.Add(creds1)
 	defer helper.Delete(creds1.ServerURL)
 	newauths, err := helper.List()
 	if len(newauths)-len(auths) != 1 {
 		if err == nil {
 			t.Fatalf("Error: len(newauths): %d, len(auths): %d", len(newauths), len(auths))
 		}
 		t.Fatalf("Error: len(newauths): %d, len(auths): %d\n Error= %v", len(newauths), len(auths), err)
 	}
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
 }
 // TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
 // through variations on the URL
 func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
 	tests := []struct {
 		storeURL string
 		readURL  string
 	}{
 		// stored with port, retrieved without
 		{"https://foobar.docker.io:2376", "https://foobar.docker.io"},
 		// stored as https, retrieved without scheme
 		{"https://foobar.docker.io:2376", "foobar.docker.io"},
 		// stored with path, retrieved without
 		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234"},
 	}
 	helper := Osxkeychain{}
 	defer func() {
 		for _, te := range tests {
 			helper.Delete(te.storeURL)
 		}
 	}()
 	// Clean store before testing.
 	for _, te := range tests {
 		helper.Delete(te.storeURL)
 	}
 	for _, te := range tests {
 		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
 		if err := helper.Add(c); err != nil {
 			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
 			continue
 		}
 		if _, _, err := helper.Get(te.readURL); err != nil {
 			t.Errorf("Error: failed to read secret for URL %q using %q", te.storeURL, te.readURL)
 		}
 		helper.Delete(te.storeURL)
 	}
 }
 // TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
 // returned.
 func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {
 	tests := []struct {
 		storeURL string
 		readURL  string
 	}{
 		// stored as https, retrieved using http
 		{"https://foobar.docker.io:2376", "http://foobar.docker.io:2376"},
 		// stored as http, retrieved using https
 		{"http://foobar.docker.io:2376", "https://foobar.docker.io:2376"},
 		// same: stored as http, retrieved without a scheme specified (hence, using the default https://)
 		{"http://foobar.docker.io", "foobar.docker.io:5678"},
 		// non-matching ports
 		{"https://foobar.docker.io:1234", "https://foobar.docker.io:5678"},
 		// non-matching ports TODO is this desired behavior? The other way round does work
 		//{"https://foobar.docker.io", "https://foobar.docker.io:5678"},
 		// non-matching paths
 		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234/five/six"},
 	}
 	helper := Osxkeychain{}
 	defer func() {
 		for _, te := range tests {
 			helper.Delete(te.storeURL)
 		}
 	}()
 	// Clean store before testing.
 	for _, te := range tests {
 		helper.Delete(te.storeURL)
 	}
 	for _, te := range tests {
 		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
 		if err := helper.Add(c); err != nil {
 			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
 			continue
 		}
 		if _, _, err := helper.Get(te.readURL); err == nil {
 			t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", te.storeURL, te.readURL)
 		}
 		helper.Delete(te.storeURL)
 	}
 }
 // TestOSXKeychainHelperStoreRetrieve verifies that secrets stored in the
 // the keychain can be read back using the URL that was used to store them.
 func TestOSXKeychainHelperStoreRetrieve(t *testing.T) {
 	tests := []struct {
 		url string
 	}{
 		{url: "foobar.docker.io"},
 		{url: "foobar.docker.io:2376"},
 		{url: "//foobar.docker.io:2376"},
 		{url: "https://foobar.docker.io:2376"},
 		{url: "http://foobar.docker.io:2376"},
 		{url: "https://foobar.docker.io:2376/some/path"},
 		{url: "https://foobar.docker.io:2376/some/other/path"},
 		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar"},
 	}
 	helper := Osxkeychain{}
 	defer func() {
 		for _, te := range tests {
 			helper.Delete(te.url)
 		}
 	}()
 	// Clean store before testing.
 	for _, te := range tests {
 		helper.Delete(te.url)
 	}
 	// Note that we don't delete between individual tests here, to verify that
 	// subsequent stores/overwrites don't affect storing / retrieving secrets.
 	for i, te := range tests {
 		c := &credentials.Credentials{
 			ServerURL: te.url,
 			Username:  fmt.Sprintf("user-%d", i),
 			Secret:    fmt.Sprintf("secret-%d", i),
 		}
 		if err := helper.Add(c); err != nil {
 			t.Errorf("Error: failed to store secret for URL: %s: %s", te.url, err)
 			continue
 		}
 		user, secret, err := helper.Get(te.url)
 		if err != nil {
 			t.Errorf("Error: failed to read secret for URL %q: %s", te.url, err)
 			continue
 		}
 		if user != c.Username {
 			t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, te.url)
 		}
 		if secret != c.Secret {
 			t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, te.url)
 		}
 	}
 }
 func TestMissingCredentials(t *testing.T) {
 	helper := Osxkeychain{}
 	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")
 	if !credentials.IsErrCredentialsNotFound(err) {
 		t.Fatalf("expected ErrCredentialsNotFound, got %v", err)
 	}
 }
@@ -0,0 +1,265 @@
 //go:build darwin && cgo
 package osxkeychain
 import (
 	"fmt"
 	"testing"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 func TestOSXKeychainHelper(t *testing.T) {
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.example.com:2376/v1",
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
 	creds1 := &credentials.Credentials{
 		ServerURL: "https://foobar.example.com:2376/v2",
 		Username:  "foobarbaz",
 		Secret:    "foobar",
 	}
 	helper := Osxkeychain{}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
 	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if username != "foobar" {
 		t.Fatalf("expected %s, got %s\n", "foobar", username)
 	}
 	if secret != "foobarbaz" {
 		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
 	}
 	auths, err := helper.List()
 	if err != nil || len(auths) == 0 {
 		t.Fatal(err)
 	}
 	helper.Add(creds1)
 	defer helper.Delete(creds1.ServerURL)
 	newauths, err := helper.List()
 	if len(newauths)-len(auths) != 1 {
 		if err == nil {
 			t.Fatalf("Error: len(newauths): %d, len(auths): %d", len(newauths), len(auths))
 		}
 		t.Fatalf("Error: len(newauths): %d, len(auths): %d\n Error= %v", len(newauths), len(auths), err)
 	}
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
 }
 // TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
 // through variations on the URL
 func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
 	tests := []struct {
 		doc      string
 		storeURL string
 		readURL  string
 	}{
 		{
 			doc:      "stored with port, retrieved without",
 			storeURL: "https://foobar.example.com:2376",
 			readURL:  "https://foobar.example.com",
 		},
 		{
 			doc:      "stored as https, retrieved without scheme",
 			storeURL: "https://foobar.example.com:2376",
 			readURL:  "foobar.example.com",
 		},
 		{
 			doc:      "stored with path, retrieved without",
 			storeURL: "https://foobar.example.com:1234/one/two",
 			readURL:  "https://foobar.example.com:1234",
 		},
 	}
 	helper := Osxkeychain{}
 	t.Cleanup(func() {
 		for _, tc := range tests {
 			if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("cleanup: failed to delete '%s': %v", tc.storeURL, err)
 			}
 		}
 	})
 	// Clean store before testing.
 	for _, tc := range tests {
 		if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("prepare: failed to delete '%s': %v", tc.storeURL, err)
 		}
 	}
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
 			c := &credentials.Credentials{ServerURL: tc.storeURL, Username: "hello", Secret: "world"}
 			if err := helper.Add(c); err != nil {
 				t.Fatalf("Error: failed to store secret for URL %q: %s", tc.storeURL, err)
 			}
 			if _, _, err := helper.Get(tc.readURL); err != nil {
 				t.Errorf("Error: failed to read secret for URL %q using %q", tc.storeURL, tc.readURL)
 			}
 			if err := helper.Delete(tc.storeURL); err != nil {
 				t.Error(err)
 			}
 		})
 	}
 }
 // TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
 // returned.
 func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {
 	tests := []struct {
 		doc      string
 		storeURL string
 		readURL  string
 	}{
 		{
 			doc:      "stored as https, retrieved using http",
 			storeURL: "https://foobar.example.com:2376",
 			readURL:  "http://foobar.example.com:2376",
 		},
 		{
 			doc:      "stored as http, retrieved using https",
 			storeURL: "http://foobar.example.com:2376",
 			readURL:  "https://foobar.example.com:2376",
 		},
 		{
 			// stored as http, retrieved without a scheme specified (hence, using the default https://)
 			doc:      "stored as http, retrieved without scheme",
 			storeURL: "http://foobar.example.com",
 			readURL:  "foobar.example.com:5678",
 		},
 		{
 			doc:      "non-matching ports",
 			storeURL: "https://foobar.example.com:1234",
 			readURL:  "https://foobar.example.com:5678",
 		},
 		// TODO: is this desired behavior? The other way round does work
 		// {
 		// 	doc:      "non-matching ports (stored without port)",
 		// 	storeURL: "https://foobar.example.com",
 		// 	readURL:  "https://foobar.example.com:5678",
 		// },
 		{
 			doc:      "non-matching paths",
 			storeURL: "https://foobar.example.com:1234/one/two",
 			readURL:  "https://foobar.example.com:1234/five/six",
 		},
 	}
 	helper := Osxkeychain{}
 	t.Cleanup(func() {
 		for _, tc := range tests {
 			if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("cleanup: failed to delete '%s': %v", tc.storeURL, err)
 			}
 		}
 	})
 	// Clean store before testing.
 	for _, tc := range tests {
 		if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("prepare: failed to delete '%s': %v", tc.storeURL, err)
 		}
 	}
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
 			c := &credentials.Credentials{ServerURL: tc.storeURL, Username: "hello", Secret: "world"}
 			if err := helper.Add(c); err != nil {
 				t.Fatalf("Error: failed to store secret for URL %q: %s", tc.storeURL, err)
 			}
 			if _, _, err := helper.Get(tc.readURL); err == nil {
 				t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", tc.storeURL, tc.readURL)
 			}
 			if err := helper.Delete(tc.storeURL); err != nil {
 				t.Error(err)
 			}
 		})
 	}
 }
 // TestOSXKeychainHelperStoreRetrieve verifies that secrets stored in the
 // the keychain can be read back using the URL that was used to store them.
 func TestOSXKeychainHelperStoreRetrieve(t *testing.T) {
 	tests := []struct {
 		url string
 	}{
 		{url: "foobar.example.com"},
 		{url: "foobar.example.com:2376"},
 		{url: "//foobar.example.com:2376"},
 		{url: "https://foobar.example.com:2376"},
 		{url: "http://foobar.example.com:2376"},
 		{url: "https://foobar.example.com:2376/some/path"},
 		{url: "https://foobar.example.com:2376/some/other/path"},
 		{url: "https://foobar.example.com:2376/some/other/path?foo=bar"},
 	}
 	helper := Osxkeychain{}
 	t.Cleanup(func() {
 		for _, tc := range tests {
 			if err := helper.Delete(tc.url); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("cleanup: failed to delete '%s': %v", tc.url, err)
 			}
 		}
 	})
 	// Clean store before testing.
 	for _, tc := range tests {
 		if err := helper.Delete(tc.url); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("prepare: failed to delete '%s': %v", tc.url, err)
 		}
 	}
 	// Note that we don't delete between individual tests here, to verify that
 	// subsequent stores/overwrites don't affect storing / retrieving secrets.
 	for i, tc := range tests {
 		tc := tc
 		t.Run(tc.url, func(t *testing.T) {
 			c := &credentials.Credentials{
 				ServerURL: tc.url,
 				Username:  fmt.Sprintf("user-%d", i),
 				Secret:    fmt.Sprintf("secret-%d", i),
 			}
 			if err := helper.Add(c); err != nil {
 				t.Fatalf("Error: failed to store secret for URL: %s: %s", tc.url, err)
 			}
 			user, secret, err := helper.Get(tc.url)
 			if err != nil {
 				t.Fatalf("Error: failed to read secret for URL %q: %s", tc.url, err)
 			}
 			if user != c.Username {
 				t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, tc.url)
 			}
 			if secret != c.Secret {
 				t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, tc.url)
 			}
 		})
 	}
 }
 func TestMissingCredentials(t *testing.T) {
 	const nonExistingCred = "https://adsfasdf.invalid/asdfsdddd"
 	helper := Osxkeychain{}
 	_, _, err := helper.Get(nonExistingCred)
 	if !credentials.IsErrCredentialsNotFound(err) {
 		t.Errorf("expected ErrCredentialsNotFound, got %v", err)
 	}
 	err = helper.Delete(nonExistingCred)
 	if !credentials.IsErrCredentialsNotFound(err) {
 		t.Errorf("expected ErrCredentialsNotFound, got %v", err)
 	}
 }
@@ -13,6 +13,7 @@ import (
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -28,11 +29,12 @@ type Pass struct{}
 // Ideally these would be stored as members of Pass, but since all of Pass's
 // methods have value receivers, not pointer receivers, and changing that is
 // backwards incompatible, we assume that all Pass instances share the same configuration
-
+var (
-// initializationMutex is held while initializing so that only one 'pass'
+	// initializationMutex is held while initializing so that only one 'pass'
-// round-tripping is done to check pass is functioning.
+	// round-tripping is done to check pass is functioning.
-var initializationMutex sync.Mutex
+	initializationMutex sync.Mutex
-var passInitialized bool
+	passInitialized     bool
 )
 // CheckInitialized checks whether the password helper can be used. It
 // internally caches and so may be safely called multiple times with no impact
@@ -103,11 +105,11 @@ func (p Pass) Delete(serverURL string) error {
 }
 func getPassDir() string {
-	passDir := "$HOME/.password-store"
+	if passDir := os.Getenv("PASSWORD_STORE_DIR"); passDir != "" {
-	if envDir := os.Getenv("PASSWORD_STORE_DIR"); envDir != "" {
+		return passDir
 		passDir = envDir
 	}
-	return os.ExpandEnv(passDir)
+	home, _ := os.UserHomeDir()
 	return filepath.Join(home, ".password-store")
 }
 // listPassDir lists all the contents of a directory in the password store.
@@ -1,3 +1,5 @@
 //go:build !windows
 package pass
 import (
@@ -8,75 +10,115 @@ import (
 )
 func TestPassHelper(t *testing.T) {
 	helper := Pass{}
 	creds := &credentials.Credentials{
-		ServerURL: "https://foobar.docker.io:2376/v1",
+		ServerURL: "https://foobar.example.com:2376/v1",
 		Username:  "nothing",
 		Secret:    "isthebestmeshuggahalbum",
 	}
-	_ = helper.CheckInitialized()
+	helper := Pass{}
 	if err := helper.checkInitialized(); err != nil {
 		t.Error(err)
 	}
-	helper.Add(creds)
+	if err := helper.Add(creds); err != nil {
 		t.Error(err)
 	}
-	creds.ServerURL = "https://foobar.docker.io:9999/v2"
+	u, s, err := helper.Get(creds.ServerURL)
-	helper.Add(creds)
+	if err != nil {
 		t.Error(err)
 	}
 	if u != creds.Username {
 		t.Errorf("invalid username %s", u)
 	}
 	if s != creds.Secret {
 		t.Errorf("invalid secret: %s", s)
 	}
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Error(err)
 	}
 	if _, _, err := helper.Get(creds.ServerURL); !credentials.IsErrCredentialsNotFound(err) {
 		t.Errorf("expected credentials not found, actual: %v", err)
 	}
 }
 func TestPassHelperCheckInit(t *testing.T) {
 	helper := Pass{}
 	if v := helper.CheckInitialized(); !v {
 		t.Errorf("expected true, actual: %v", v)
 	}
 }
 func TestPassHelperList(t *testing.T) {
 	creds := []*credentials.Credentials{
 		{
 			ServerURL: "https://foobar.example.com:2376/v1",
 			Username:  "foo",
 			Secret:    "isthebestmeshuggahalbum",
 		},
 		{
 			ServerURL: "https://foobar.example.com:2375/v1",
 			Username:  "bar",
 			Secret:    "isthebestmeshuggahalbum",
 		},
 	}
 	helper := Pass{}
 	if err := helper.checkInitialized(); err != nil {
 		t.Error(err)
 	}
 	for _, cred := range creds {
 		if err := helper.Add(cred); err != nil {
 			t.Error(err)
 		}
 	}
 	credsList, err := helper.List()
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	for server, username := range credsList {
-		if !(strings.Contains(server, "2376") ||
+		if !(strings.HasSuffix(server, "2376/v1") || strings.HasSuffix(server, "2375/v1")) {
-			strings.Contains(server, "9999")) {
+			t.Errorf("invalid url: %s", server)
 			t.Fatalf("invalid url: %s", creds.ServerURL)
 		}
-
+		if !(username == "foo" || username == "bar") {
-		if username != "nothing" {
+			t.Errorf("invalid username: %v", username)
 			t.Fatalf("invalid username: %v", username)
 		}
 		u, s, err := helper.Get(server)
 		if err != nil {
-			t.Fatal(err)
+			t.Error(err)
 		}
 		if u != username {
-			t.Fatalf("invalid username %s", u)
+			t.Errorf("invalid username %s", u)
 		}
 		if s != "isthebestmeshuggahalbum" {
-			t.Fatalf("invalid secret: %s", s)
+			t.Errorf("invalid secret: %s", s)
 		}
-		err = helper.Delete(server)
+		if err := helper.Delete(server); err != nil {
-		if err != nil {
+			t.Error(err)
 			t.Fatal(err)
 		}
-
+		if _, _, err := helper.Get(server); !credentials.IsErrCredentialsNotFound(err) {
-		_, _, err = helper.Get(server)
+			t.Errorf("expected credentials not found, actual: %v", err)
 		if !credentials.IsErrCredentialsNotFound(err) {
 			t.Fatalf("expected credentials not found, actual: %v", err)
 		}
 	}
 	credsList, err = helper.List()
 	if err != nil {
-		t.Fatal(err)
+		t.Error(err)
 	}
 	if len(credsList) != 0 {
-		t.Fatal("didn't delete all creds?")
+		t.Error("didn't delete all creds?")
 	}
 }
 func TestMissingCred(t *testing.T) {
 	helper := Pass{}
-
+	if _, _, err := helper.Get("garbage"); !credentials.IsErrCredentialsNotFound(err) {
-	_, _, err := helper.Get("garbage")
+		t.Errorf("expected credentials not found, actual: %v", err)
 	if !credentials.IsErrCredentialsNotFound(err) {
 		t.Fatalf("expected credentials not found, actual: %v", err)
 	}
 }
@@ -13,34 +13,61 @@ func TestHelperParseURL(t *testing.T) {
 		expectedURL string
 		err         error
 	}{
-		{url: "foobar.docker.io", expectedURL: "//foobar.docker.io"},
+		{
-		{url: "foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
+			url:         "foobar.example.com",
-		{url: "//foobar.docker.io:2376", expectedURL: "//foobar.docker.io:2376"},
+			expectedURL: "//foobar.example.com",
-		{url: "http://foobar.docker.io:2376", expectedURL: "http://foobar.docker.io:2376"},
+		},
-		{url: "https://foobar.docker.io:2376", expectedURL: "https://foobar.docker.io:2376"},
+		{
-		{url: "https://foobar.docker.io:2376/some/path", expectedURL: "https://foobar.docker.io:2376/some/path"},
+			url:         "foobar.example.com:2376",
-		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar", expectedURL: "https://foobar.docker.io:2376/some/other/path"},
+			expectedURL: "//foobar.example.com:2376",
-		{url: "/foobar.docker.io", err: errors.New("no hostname in URL")},
+		},
-		{url: "ftp://foobar.docker.io:2376", err: errors.New("unsupported scheme: ftp")},
+		{
 			url:         "//foobar.example.com:2376",
 			expectedURL: "//foobar.example.com:2376",
 		},
 		{
 			url:         "http://foobar.example.com:2376",
 			expectedURL: "http://foobar.example.com:2376",
 		},
 		{
 			url:         "https://foobar.example.com:2376",
 			expectedURL: "https://foobar.example.com:2376",
 		},
 		{
 			url:         "https://foobar.example.com:2376/some/path",
 			expectedURL: "https://foobar.example.com:2376/some/path",
 		},
 		{
 			url:         "https://foobar.example.com:2376/some/other/path?foo=bar",
 			expectedURL: "https://foobar.example.com:2376/some/other/path",
 		},
 		{
 			url: "/foobar.example.com",
 			err: errors.New("no hostname in URL"),
 		},
 		{
 			url: "ftp://foobar.example.com:2376",
 			err: errors.New("unsupported scheme: ftp"),
 		},
 	}
-	for _, te := range tests {
+	for _, tc := range tests {
-		u, err := Parse(te.url)
+		tc := tc
 		t.Run(tc.url, func(t *testing.T) {
 			u, err := Parse(tc.url)
-		if te.err == nil && err != nil {
+			if tc.err == nil && err != nil {
-			t.Errorf("Error: failed to parse URL %q: %s", te.url, err)
+				t.Fatalf("Error: failed to parse URL %q: %s", tc.url, err)
-			continue
+			}
-		}
+			if tc.err != nil && err == nil {
-		if te.err != nil && err == nil {
+				t.Fatalf("Error: expected error %q, got none when parsing URL %q", tc.err, tc.url)
-			t.Errorf("Error: expected error %q, got none when parsing URL %q", te.err, te.url)
+			}
-			continue
+			if tc.err != nil && err.Error() != tc.err.Error() {
-		}
+				t.Fatalf("Error: expected error %q, got %q when parsing URL %q", tc.err, err, tc.url)
-		if te.err != nil && err.Error() != te.err.Error() {
+			}
-			t.Errorf("Error: expected error %q, got %q when parsing URL %q", te.err, err, te.url)
+			if u != nil && u.String() != tc.expectedURL {
-			continue
+				t.Errorf("Error: expected URL: %q, but got %q for URL: %q", tc.expectedURL, u.String(), tc.url)
-		}
+			}
-		if u != nil && u.String() != te.expectedURL {
+		})
 			t.Errorf("Error: expected URL: %q, but got %q for URL: %q", te.expectedURL, u.String(), te.url)
 		}
 	}
 }
@@ -1,3 +1,5 @@
 //go:build linux && cgo
 package main
 import (
@@ -1,6 +1,6 @@
 #include <string.h>
 #include <stdlib.h>
-#include "secretservice_linux.h"
+#include "secretservice.h"
 const SecretSchema *docker_get_schema(void)
 {
@@ -1,12 +1,15 @@
 //go:build linux && cgo
 package secretservice
 /*
 #cgo pkg-config: libsecret-1
-#include "secretservice_linux.h"
+#include "secretservice.h"
 #include <stdlib.h>
 */
 import "C"
 import (
 	"errors"
 	"unsafe"
@@ -1,3 +1,5 @@
 //go:build linux && cgo
 package secretservice
 import (
@@ -11,7 +13,7 @@ func TestSecretServiceHelper(t *testing.T) {
 	t.Skip("test requires gnome-keyring but travis CI doesn't have it")
 	creds := &credentials.Credentials{
-		ServerURL: "https://foobar.docker.io:2376/v1",
+		ServerURL: "https://foobar.example.com:2376/v1",
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
@@ -28,7 +30,6 @@ func TestSecretServiceHelper(t *testing.T) {
 	// remove them as they probably come from a previous failed test
 	for k, v := range oldAuths {
 		if strings.Compare(k, creds.ServerURL) == 0 && strings.Compare(v, creds.Username) == 0 {
 			if err := helper.Delete(creds.ServerURL); err != nil {
 				t.Fatal(err)
 			}
@@ -4,7 +4,7 @@ wincred
 Go wrapper around the Windows Credential Manager API functions.
 [![GitHub release](https://img.shields.io/github/release/danieljoos/wincred.svg?style=flat-square)](https://github.com/danieljoos/wincred/releases/latest)
-[![Test Status](https://img.shields.io/github/workflow/status/danieljoos/wincred/test?label=test&logo=github&style=flat-square)](https://github.com/danieljoos/wincred/actions?query=workflow%3Atest)
+[![Test Status](https://img.shields.io/github/actions/workflow/status/danieljoos/wincred/test.yml?label=test&logo=github&style=flat-square)](https://github.com/danieljoos/wincred/actions?query=workflow%3Atest)
 [![Go Report Card](https://goreportcard.com/badge/github.com/danieljoos/wincred)](https://goreportcard.com/report/github.com/danieljoos/wincred)
 [![Codecov](https://img.shields.io/codecov/c/github/danieljoos/wincred?logo=codecov&style=flat-square)](https://codecov.io/gh/danieljoos/wincred)
 [![PkgGoDev](https://img.shields.io/badge/go.dev-docs-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/github.com/danieljoos/wincred)
@@ -1,21 +1,23 @@
 //go:build windows
 // +build windows
 package wincred
 import (
 	"reflect"
 	"syscall"
 	"unsafe"
-	syscall "golang.org/x/sys/windows"
+	"golang.org/x/sys/windows"
 )
 var (
-	modadvapi32            = syscall.NewLazyDLL("advapi32.dll")
+	modadvapi32            = windows.NewLazySystemDLL("advapi32.dll")
-	procCredRead      proc = modadvapi32.NewProc("CredReadW")
+	procCredRead           = modadvapi32.NewProc("CredReadW")
 	procCredWrite     proc = modadvapi32.NewProc("CredWriteW")
 	procCredDelete    proc = modadvapi32.NewProc("CredDeleteW")
 	procCredFree      proc = modadvapi32.NewProc("CredFree")
-	procCredEnumerate proc = modadvapi32.NewProc("CredEnumerateW")
+	procCredEnumerate      = modadvapi32.NewProc("CredEnumerateW")
 )
 // Interface for syscall.Proc: helps testing
@@ -29,7 +31,7 @@ type sysCREDENTIAL struct {
 	Type               uint32
 	TargetName         *uint16
 	Comment            *uint16
-	LastWritten        syscall.Filetime
+	LastWritten        windows.Filetime
 	CredentialBlobSize uint32
 	CredentialBlob     uintptr
 	Persist            uint32
@@ -59,15 +61,16 @@ const (
 	sysCRED_TYPE_DOMAIN_EXTENDED         sysCRED_TYPE = 0x6
 	// https://docs.microsoft.com/en-us/windows/desktop/Debug/system-error-codes
-	sysERROR_NOT_FOUND         = syscall.Errno(1168)
+	sysERROR_NOT_FOUND         = windows.Errno(1168)
-	sysERROR_INVALID_PARAMETER = syscall.Errno(87)
+	sysERROR_INVALID_PARAMETER = windows.Errno(87)
 )
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-credreadw
 func sysCredRead(targetName string, typ sysCRED_TYPE) (*Credential, error) {
 	var pcred *sysCREDENTIAL
-	targetNamePtr, _ := syscall.UTF16PtrFromString(targetName)
+	targetNamePtr, _ := windows.UTF16PtrFromString(targetName)
-	ret, _, err := procCredRead.Call(
+	ret, _, err := syscall.SyscallN(
 		procCredRead.Addr(),
 		uintptr(unsafe.Pointer(targetNamePtr)),
 		uintptr(typ),
 		0,
@@ -98,7 +101,7 @@ func sysCredWrite(cred *Credential, typ sysCRED_TYPE) error {
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/nf-wincred-creddeletew
 func sysCredDelete(cred *Credential, typ sysCRED_TYPE) error {
-	targetNamePtr, _ := syscall.UTF16PtrFromString(cred.TargetName)
+	targetNamePtr, _ := windows.UTF16PtrFromString(cred.TargetName)
 	ret, _, err := procCredDelete.Call(
 		uintptr(unsafe.Pointer(targetNamePtr)),
 		uintptr(typ),
@@ -117,9 +120,10 @@ func sysCredEnumerate(filter string, all bool) ([]*Credential, error) {
 	var pcreds uintptr
 	var filterPtr *uint16
 	if !all {
-		filterPtr, _ = syscall.UTF16PtrFromString(filter)
+		filterPtr, _ = windows.UTF16PtrFromString(filter)
 	}
-	ret, _, err := procCredEnumerate.Call(
+	ret, _, err := syscall.SyscallN(
 		procCredEnumerate.Addr(),
 		uintptr(unsafe.Pointer(filterPtr)),
 		0,
 		uintptr(unsafe.Pointer(&count)),
@@ -1,102 +0,0 @@
 // Copyright 2020 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package execabs is a drop-in replacement for os/exec
 // that requires PATH lookups to find absolute paths.
 // That is, execabs.Command("cmd") runs the same PATH lookup
 // as exec.Command("cmd"), but if the result is a path
 // which is relative, the Run and Start methods will report
 // an error instead of running the executable.
 //
 // See https://blog.golang.org/path-security for more information
 // about when it may be necessary or appropriate to use this package.
 package execabs
 import (
 	"context"
 	"fmt"
 	"os/exec"
 	"path/filepath"
 	"reflect"
 	"unsafe"
 )
 // ErrNotFound is the error resulting if a path search failed to find an executable file.
 // It is an alias for exec.ErrNotFound.
 var ErrNotFound = exec.ErrNotFound
 // Cmd represents an external command being prepared or run.
 // It is an alias for exec.Cmd.
 type Cmd = exec.Cmd
 // Error is returned by LookPath when it fails to classify a file as an executable.
 // It is an alias for exec.Error.
 type Error = exec.Error
 // An ExitError reports an unsuccessful exit by a command.
 // It is an alias for exec.ExitError.
 type ExitError = exec.ExitError
 func relError(file, path string) error {
 	return fmt.Errorf("%s resolves to executable in current directory (.%c%s)", file, filepath.Separator, path)
 }
 // LookPath searches for an executable named file in the directories
 // named by the PATH environment variable. If file contains a slash,
 // it is tried directly and the PATH is not consulted. The result will be
 // an absolute path.
 //
 // LookPath differs from exec.LookPath in its handling of PATH lookups,
 // which are used for file names without slashes. If exec.LookPath's
 // PATH lookup would have returned an executable from the current directory,
 // LookPath instead returns an error.
 func LookPath(file string) (string, error) {
 	path, err := exec.LookPath(file)
 	if err != nil && !isGo119ErrDot(err) {
 		return "", err
 	}
 	if filepath.Base(file) == file && !filepath.IsAbs(path) {
 		return "", relError(file, path)
 	}
 	return path, nil
 }
 func fixCmd(name string, cmd *exec.Cmd) {
 	if filepath.Base(name) == name && !filepath.IsAbs(cmd.Path) {
 		// exec.Command was called with a bare binary name and
 		// exec.LookPath returned a path which is not absolute.
 		// Set cmd.lookPathErr and clear cmd.Path so that it
 		// cannot be run.
 		lookPathErr := (*error)(unsafe.Pointer(reflect.ValueOf(cmd).Elem().FieldByName("lookPathErr").Addr().Pointer()))
 		if *lookPathErr == nil {
 			*lookPathErr = relError(name, cmd.Path)
 		}
 		cmd.Path = ""
 	}
 }
 // CommandContext is like Command but includes a context.
 //
 // The provided context is used to kill the process (by calling os.Process.Kill)
 // if the context becomes done before the command completes on its own.
 func CommandContext(ctx context.Context, name string, arg ...string) *exec.Cmd {
 	cmd := exec.CommandContext(ctx, name, arg...)
 	fixCmd(name, cmd)
 	return cmd
 }
 // Command returns the Cmd struct to execute the named program with the given arguments.
 // See exec.Command for most details.
 //
 // Command differs from exec.Command in its handling of PATH lookups,
 // which are used when the program name contains no slashes.
 // If exec.Command would have returned an exec.Cmd configured to run an
 // executable from the current directory, Command instead
 // returns an exec.Cmd that will return an error from Start or Run.
 func Command(name string, arg ...string) *exec.Cmd {
 	cmd := exec.Command(name, arg...)
 	fixCmd(name, cmd)
 	return cmd
 }
@@ -1,12 +0,0 @@
 // Copyright 2022 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !go1.19
 // +build !go1.19
 package execabs
 func isGo119ErrDot(err error) bool {
 	return false
 }
@@ -1,15 +0,0 @@
 // Copyright 2022 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build go1.19
 // +build go1.19
 package execabs
 import "strings"
 func isGo119ErrDot(err error) bool {
 	// TODO: return errors.Is(err, exec.ErrDot)
 	return strings.Contains(err.Error(), "current directory")
 }
@@ -37,14 +37,14 @@ func (token Token) Environ(inheritExisting bool) (env []string, err error) {
 		return nil, err
 	}
 	defer DestroyEnvironmentBlock(block)
-	blockp := uintptr(unsafe.Pointer(block))
+	blockp := unsafe.Pointer(block)
 	for {
-		entry := UTF16PtrToString((*uint16)(unsafe.Pointer(blockp)))
+		entry := UTF16PtrToString((*uint16)(blockp))
 		if len(entry) == 0 {
 			break
 		}
 		env = append(env, entry)
-		blockp += 2 * (uintptr(len(entry)) + 1)
+		blockp = unsafe.Add(blockp, 2*(len(entry)+1))
 	}
 	return env, nil
 }
@@ -95,12 +95,17 @@ func ComposeCommandLine(args []string) string {
 // DecomposeCommandLine breaks apart its argument command line into unescaped parts using CommandLineToArgv,
 // as gathered from GetCommandLine, QUERY_SERVICE_CONFIG's BinaryPathName argument, or elsewhere that
 // command lines are passed around.
 // DecomposeCommandLine returns error if commandLine contains NUL.
 func DecomposeCommandLine(commandLine string) ([]string, error) {
 	if len(commandLine) == 0 {
 		return []string{}, nil
 	}
 	utf16CommandLine, err := UTF16FromString(commandLine)
 	if err != nil {
 		return nil, errorspkg.New("string with NUL passed to DecomposeCommandLine")
 	}
 	var argc int32
-	argv, err := CommandLineToArgv(StringToUTF16Ptr(commandLine), &argc)
+	argv, err := CommandLineToArgv(&utf16CommandLine[0], &argc)
 	if err != nil {
 		return nil, err
 	}
@@ -141,6 +141,12 @@ const (
 	SERVICE_DYNAMIC_INFORMATION_LEVEL_START_REASON = 1
 )
 type ENUM_SERVICE_STATUS struct {
 	ServiceName   *uint16
 	DisplayName   *uint16
 	ServiceStatus SERVICE_STATUS
 }
 type SERVICE_STATUS struct {
 	ServiceType             uint32
 	CurrentState            uint32
@@ -245,3 +251,4 @@ type QUERY_SERVICE_LOCK_STATUS struct {
 //sys	UnsubscribeServiceChangeNotifications(subscription uintptr) = sechost.UnsubscribeServiceChangeNotifications?
 //sys	RegisterServiceCtrlHandlerEx(serviceName *uint16, handlerProc uintptr, context uintptr) (handle Handle, err error) = advapi32.RegisterServiceCtrlHandlerExW
 //sys	QueryServiceDynamicInformation(service Handle, infoLevel uint32, dynamicInfo unsafe.Pointer) (err error) = advapi32.QueryServiceDynamicInformation?
 //sys	EnumDependentServices(service Handle, activityState uint32, services *ENUM_SERVICE_STATUS, buffSize uint32, bytesNeeded *uint32, servicesReturned *uint32) (err error) = advapi32.EnumDependentServicesW
@@ -30,8 +30,6 @@ import (
 	"strings"
 	"syscall"
 	"unsafe"
 	"golang.org/x/sys/internal/unsafeheader"
 )
 // ByteSliceFromString returns a NUL-terminated slice of bytes
@@ -83,13 +81,7 @@ func BytePtrToString(p *byte) string {
 		ptr = unsafe.Pointer(uintptr(ptr) + 1)
 	}
-	var s []byte
+	return string(unsafe.Slice(p, n))
 	h := (*unsafeheader.Slice)(unsafe.Pointer(&s))
 	h.Data = unsafe.Pointer(p)
 	h.Len = n
 	h.Cap = n
 	return string(s)
 }
 // Single-word zero for use when we need a valid pointer to 0 bytes.
@@ -10,7 +10,6 @@ import (
 	errorspkg "errors"
 	"fmt"
 	"runtime"
 	"strings"
 	"sync"
 	"syscall"
 	"time"
@@ -87,22 +86,13 @@ func StringToUTF16(s string) []uint16 {
 // s, with a terminating NUL added. If s contains a NUL byte at any
 // location, it returns (nil, syscall.EINVAL).
 func UTF16FromString(s string) ([]uint16, error) {
-	if strings.IndexByte(s, 0) != -1 {
+	return syscall.UTF16FromString(s)
 		return nil, syscall.EINVAL
 	}
 	return utf16.Encode([]rune(s + "\x00")), nil
 }
 // UTF16ToString returns the UTF-8 encoding of the UTF-16 sequence s,
 // with a terminating NUL and any bytes after the NUL removed.
 func UTF16ToString(s []uint16) string {
-	for i, v := range s {
+	return syscall.UTF16ToString(s)
 		if v == 0 {
 			s = s[:i]
 			break
 		}
 	}
 	return string(utf16.Decode(s))
 }
 // StringToUTF16Ptr is deprecated. Use UTF16PtrFromString instead.
@@ -138,13 +128,7 @@ func UTF16PtrToString(p *uint16) string {
 		ptr = unsafe.Pointer(uintptr(ptr) + unsafe.Sizeof(*p))
 	}
-	var s []uint16
+	return string(utf16.Decode(unsafe.Slice(p, n)))
 	h := (*unsafeheader.Slice)(unsafe.Pointer(&s))
 	h.Data = unsafe.Pointer(p)
 	h.Len = n
 	h.Cap = n
 	return string(utf16.Decode(s))
 }
 func Getpagesize() int { return 4096 }
@@ -364,6 +348,16 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	SetCommTimeouts(handle Handle, timeouts *CommTimeouts) (err error)
 //sys	GetActiveProcessorCount(groupNumber uint16) (ret uint32)
 //sys	GetMaximumProcessorCount(groupNumber uint16) (ret uint32)
 //sys	EnumWindows(enumFunc uintptr, param unsafe.Pointer) (err error) = user32.EnumWindows
 //sys	EnumChildWindows(hwnd HWND, enumFunc uintptr, param unsafe.Pointer) = user32.EnumChildWindows
 //sys	GetClassName(hwnd HWND, className *uint16, maxCount int32) (copied int32, err error) = user32.GetClassNameW
 //sys	GetDesktopWindow() (hwnd HWND) = user32.GetDesktopWindow
 //sys	GetForegroundWindow() (hwnd HWND) = user32.GetForegroundWindow
 //sys	IsWindow(hwnd HWND) (isWindow bool) = user32.IsWindow
 //sys	IsWindowUnicode(hwnd HWND) (isUnicode bool) = user32.IsWindowUnicode
 //sys	IsWindowVisible(hwnd HWND) (isVisible bool) = user32.IsWindowVisible
 //sys	GetGUIThreadInfo(thread uint32, info *GUIThreadInfo) (err error) = user32.GetGUIThreadInfo
 //sys	GetLargePageMinimum() (size uintptr)
 // Volume Management Functions
 //sys	DefineDosDevice(flags uint32, deviceName *uint16, targetPath *uint16) (err error) = DefineDosDeviceW
@@ -439,6 +433,10 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	RtlAddFunctionTable(functionTable *RUNTIME_FUNCTION, entryCount uint32, baseAddress uintptr) (ret bool) = ntdll.RtlAddFunctionTable
 //sys	RtlDeleteFunctionTable(functionTable *RUNTIME_FUNCTION) (ret bool) = ntdll.RtlDeleteFunctionTable
 // Desktop Window Manager API (Dwmapi)
 //sys	DwmGetWindowAttribute(hwnd HWND, attribute uint32, value unsafe.Pointer, size uint32) (ret error) = dwmapi.DwmGetWindowAttribute
 //sys	DwmSetWindowAttribute(hwnd HWND, attribute uint32, value unsafe.Pointer, size uint32) (ret error) = dwmapi.DwmSetWindowAttribute
 // syscall interface implementation for other packages
 // GetCurrentProcess returns the handle for the current process.
@@ -748,7 +746,7 @@ func Utimes(path string, tv []Timeval) (err error) {
 	if e != nil {
 		return e
 	}
-	defer Close(h)
+	defer CloseHandle(h)
 	a := NsecToFiletime(tv[0].Nanoseconds())
 	w := NsecToFiletime(tv[1].Nanoseconds())
 	return SetFileTime(h, nil, &a, &w)
@@ -768,7 +766,7 @@ func UtimesNano(path string, ts []Timespec) (err error) {
 	if e != nil {
 		return e
 	}
-	defer Close(h)
+	defer CloseHandle(h)
 	a := NsecToFiletime(TimespecToNsec(ts[0]))
 	w := NsecToFiletime(TimespecToNsec(ts[1]))
 	return SetFileTime(h, nil, &a, &w)
@@ -826,6 +824,9 @@ const socket_error = uintptr(^uint32(0))
 //sys	WSAStartup(verreq uint32, data *WSAData) (sockerr error) = ws2_32.WSAStartup
 //sys	WSACleanup() (err error) [failretval==socket_error] = ws2_32.WSACleanup
 //sys	WSAIoctl(s Handle, iocc uint32, inbuf *byte, cbif uint32, outbuf *byte, cbob uint32, cbbr *uint32, overlapped *Overlapped, completionRoutine uintptr) (err error) [failretval==socket_error] = ws2_32.WSAIoctl
 //sys	WSALookupServiceBegin(querySet *WSAQUERYSET, flags uint32, handle *Handle) (err error) [failretval==socket_error] = ws2_32.WSALookupServiceBeginW
 //sys	WSALookupServiceNext(handle Handle, flags uint32, size *int32, querySet *WSAQUERYSET) (err error) [failretval==socket_error] = ws2_32.WSALookupServiceNextW
 //sys	WSALookupServiceEnd(handle Handle) (err error) [failretval==socket_error] = ws2_32.WSALookupServiceEnd
 //sys	socket(af int32, typ int32, protocol int32) (handle Handle, err error) [failretval==InvalidHandle] = ws2_32.socket
 //sys	sendto(s Handle, buf []byte, flags int32, to unsafe.Pointer, tolen int32) (err error) [failretval==socket_error] = ws2_32.sendto
 //sys	recvfrom(s Handle, buf []byte, flags int32, from *RawSockaddrAny, fromlen *int32) (n int32, err error) [failretval==-1] = ws2_32.recvfrom
@@ -1021,8 +1022,7 @@ func (rsa *RawSockaddrAny) Sockaddr() (Sockaddr, error) {
 		for n < len(pp.Path) && pp.Path[n] != 0 {
 			n++
 		}
-		bytes := (*[len(pp.Path)]byte)(unsafe.Pointer(&pp.Path[0]))[0:n]
+		sa.Name = string(unsafe.Slice((*byte)(unsafe.Pointer(&pp.Path[0])), n))
 		sa.Name = string(bytes)
 		return sa, nil
 	case AF_INET:
@@ -1108,9 +1108,13 @@ func Shutdown(fd Handle, how int) (err error) {
 }
 func WSASendto(s Handle, bufs *WSABuf, bufcnt uint32, sent *uint32, flags uint32, to Sockaddr, overlapped *Overlapped, croutine *byte) (err error) {
-	rsa, l, err := to.sockaddr()
+	var rsa unsafe.Pointer
-	if err != nil {
+	var l int32
-		return err
+	if to != nil {
 		rsa, l, err = to.sockaddr()
 		if err != nil {
 			return err
 		}
 	}
 	return WSASendTo(s, bufs, bufcnt, sent, flags, (*RawSockaddrAny)(unsafe.Pointer(rsa)), l, overlapped, croutine)
 }
@@ -1243,6 +1243,51 @@ const (
 	DnsSectionAdditional = 0x0003
 )
 const (
 	// flags of WSALookupService
 	LUP_DEEP                = 0x0001
 	LUP_CONTAINERS          = 0x0002
 	LUP_NOCONTAINERS        = 0x0004
 	LUP_NEAREST             = 0x0008
 	LUP_RETURN_NAME         = 0x0010
 	LUP_RETURN_TYPE         = 0x0020
 	LUP_RETURN_VERSION      = 0x0040
 	LUP_RETURN_COMMENT      = 0x0080
 	LUP_RETURN_ADDR         = 0x0100
 	LUP_RETURN_BLOB         = 0x0200
 	LUP_RETURN_ALIASES      = 0x0400
 	LUP_RETURN_QUERY_STRING = 0x0800
 	LUP_RETURN_ALL          = 0x0FF0
 	LUP_RES_SERVICE         = 0x8000
 	LUP_FLUSHCACHE    = 0x1000
 	LUP_FLUSHPREVIOUS = 0x2000
 	LUP_NON_AUTHORITATIVE      = 0x4000
 	LUP_SECURE                 = 0x8000
 	LUP_RETURN_PREFERRED_NAMES = 0x10000
 	LUP_DNS_ONLY               = 0x20000
 	LUP_ADDRCONFIG           = 0x100000
 	LUP_DUAL_ADDR            = 0x200000
 	LUP_FILESERVER           = 0x400000
 	LUP_DISABLE_IDN_ENCODING = 0x00800000
 	LUP_API_ANSI             = 0x01000000
 	LUP_RESOLUTION_HANDLE = 0x80000000
 )
 const (
 	// values of WSAQUERYSET's namespace
 	NS_ALL       = 0
 	NS_DNS       = 12
 	NS_NLA       = 15
 	NS_BTH       = 16
 	NS_EMAIL     = 37
 	NS_PNRPNAME  = 38
 	NS_PNRPCLOUD = 39
 )
 type DNSSRVData struct {
 	Target   *uint16
 	Priority uint16
@@ -2175,19 +2220,23 @@ type JOBOBJECT_BASIC_UI_RESTRICTIONS struct {
 }
 const (
-	// JobObjectInformationClass
+	// JobObjectInformationClass for QueryInformationJobObject and SetInformationJobObject
 	JobObjectAssociateCompletionPortInformation = 7
 	JobObjectBasicAccountingInformation         = 1
 	JobObjectBasicAndIoAccountingInformation    = 8
 	JobObjectBasicLimitInformation              = 2
 	JobObjectBasicProcessIdList                 = 3
 	JobObjectBasicUIRestrictions                = 4
 	JobObjectCpuRateControlInformation          = 15
 	JobObjectEndOfJobTimeInformation            = 6
 	JobObjectExtendedLimitInformation           = 9
 	JobObjectGroupInformation                   = 11
 	JobObjectGroupInformationEx                 = 14
-	JobObjectLimitViolationInformation2         = 35
+	JobObjectLimitViolationInformation          = 13
 	JobObjectLimitViolationInformation2         = 34
 	JobObjectNetRateControlInformation          = 32
 	JobObjectNotificationLimitInformation       = 12
-	JobObjectNotificationLimitInformation2      = 34
+	JobObjectNotificationLimitInformation2      = 33
 	JobObjectSecurityLimitInformation           = 5
 )
@@ -3213,3 +3262,88 @@ type ModuleInfo struct {
 }
 const ALL_PROCESSOR_GROUPS = 0xFFFF
 type Rect struct {
 	Left   int32
 	Top    int32
 	Right  int32
 	Bottom int32
 }
 type GUIThreadInfo struct {
 	Size        uint32
 	Flags       uint32
 	Active      HWND
 	Focus       HWND
 	Capture     HWND
 	MenuOwner   HWND
 	MoveSize    HWND
 	CaretHandle HWND
 	CaretRect   Rect
 }
 const (
 	DWMWA_NCRENDERING_ENABLED            = 1
 	DWMWA_NCRENDERING_POLICY             = 2
 	DWMWA_TRANSITIONS_FORCEDISABLED      = 3
 	DWMWA_ALLOW_NCPAINT                  = 4
 	DWMWA_CAPTION_BUTTON_BOUNDS          = 5
 	DWMWA_NONCLIENT_RTL_LAYOUT           = 6
 	DWMWA_FORCE_ICONIC_REPRESENTATION    = 7
 	DWMWA_FLIP3D_POLICY                  = 8
 	DWMWA_EXTENDED_FRAME_BOUNDS          = 9
 	DWMWA_HAS_ICONIC_BITMAP              = 10
 	DWMWA_DISALLOW_PEEK                  = 11
 	DWMWA_EXCLUDED_FROM_PEEK             = 12
 	DWMWA_CLOAK                          = 13
 	DWMWA_CLOAKED                        = 14
 	DWMWA_FREEZE_REPRESENTATION          = 15
 	DWMWA_PASSIVE_UPDATE_MODE            = 16
 	DWMWA_USE_HOSTBACKDROPBRUSH          = 17
 	DWMWA_USE_IMMERSIVE_DARK_MODE        = 20
 	DWMWA_WINDOW_CORNER_PREFERENCE       = 33
 	DWMWA_BORDER_COLOR                   = 34
 	DWMWA_CAPTION_COLOR                  = 35
 	DWMWA_TEXT_COLOR                     = 36
 	DWMWA_VISIBLE_FRAME_BORDER_THICKNESS = 37
 )
 type WSAQUERYSET struct {
 	Size                uint32
 	ServiceInstanceName *uint16
 	ServiceClassId      *GUID
 	Version             *WSAVersion
 	Comment             *uint16
 	NameSpace           uint32
 	NSProviderId        *GUID
 	Context             *uint16
 	NumberOfProtocols   uint32
 	AfpProtocols        *AFProtocols
 	QueryString         *uint16
 	NumberOfCsAddrs     uint32
 	SaBuffer            *CSAddrInfo
 	OutputFlags         uint32
 	Blob                *BLOB
 }
 type WSAVersion struct {
 	Version                 uint32
 	EnumerationOfComparison int32
 }
 type AFProtocols struct {
 	AddressFamily int32
 	Protocol      int32
 }
 type CSAddrInfo struct {
 	LocalAddr  SocketAddress
 	RemoteAddr SocketAddress
 	SocketType int32
 	Protocol   int32
 }
 type BLOB struct {
 	Size     uint32
 	BlobData *byte
 }
@@ -40,6 +40,7 @@ var (
 	modadvapi32 = NewLazySystemDLL("advapi32.dll")
 	modcrypt32  = NewLazySystemDLL("crypt32.dll")
 	moddnsapi   = NewLazySystemDLL("dnsapi.dll")
 	moddwmapi   = NewLazySystemDLL("dwmapi.dll")
 	modiphlpapi = NewLazySystemDLL("iphlpapi.dll")
 	modkernel32 = NewLazySystemDLL("kernel32.dll")
 	modmswsock  = NewLazySystemDLL("mswsock.dll")
@@ -85,6 +86,7 @@ var (
 	procDeleteService                                        = modadvapi32.NewProc("DeleteService")
 	procDeregisterEventSource                                = modadvapi32.NewProc("DeregisterEventSource")
 	procDuplicateTokenEx                                     = modadvapi32.NewProc("DuplicateTokenEx")
 	procEnumDependentServicesW                               = modadvapi32.NewProc("EnumDependentServicesW")
 	procEnumServicesStatusExW                                = modadvapi32.NewProc("EnumServicesStatusExW")
 	procEqualSid                                             = modadvapi32.NewProc("EqualSid")
 	procFreeSid                                              = modadvapi32.NewProc("FreeSid")
@@ -175,6 +177,8 @@ var (
 	procDnsNameCompare_W                                     = moddnsapi.NewProc("DnsNameCompare_W")
 	procDnsQuery_W                                           = moddnsapi.NewProc("DnsQuery_W")
 	procDnsRecordListFree                                    = moddnsapi.NewProc("DnsRecordListFree")
 	procDwmGetWindowAttribute                                = moddwmapi.NewProc("DwmGetWindowAttribute")
 	procDwmSetWindowAttribute                                = moddwmapi.NewProc("DwmSetWindowAttribute")
 	procGetAdaptersAddresses                                 = modiphlpapi.NewProc("GetAdaptersAddresses")
 	procGetAdaptersInfo                                      = modiphlpapi.NewProc("GetAdaptersInfo")
 	procGetBestInterfaceEx                                   = modiphlpapi.NewProc("GetBestInterfaceEx")
@@ -249,6 +253,7 @@ var (
 	procGetFileType                                          = modkernel32.NewProc("GetFileType")
 	procGetFinalPathNameByHandleW                            = modkernel32.NewProc("GetFinalPathNameByHandleW")
 	procGetFullPathNameW                                     = modkernel32.NewProc("GetFullPathNameW")
 	procGetLargePageMinimum                                  = modkernel32.NewProc("GetLargePageMinimum")
 	procGetLastError                                         = modkernel32.NewProc("GetLastError")
 	procGetLogicalDriveStringsW                              = modkernel32.NewProc("GetLogicalDriveStringsW")
 	procGetLogicalDrives                                     = modkernel32.NewProc("GetLogicalDrives")
@@ -444,9 +449,18 @@ var (
 	procCommandLineToArgvW                                   = modshell32.NewProc("CommandLineToArgvW")
 	procSHGetKnownFolderPath                                 = modshell32.NewProc("SHGetKnownFolderPath")
 	procShellExecuteW                                        = modshell32.NewProc("ShellExecuteW")
 	procEnumChildWindows                                     = moduser32.NewProc("EnumChildWindows")
 	procEnumWindows                                          = moduser32.NewProc("EnumWindows")
 	procExitWindowsEx                                        = moduser32.NewProc("ExitWindowsEx")
 	procGetClassNameW                                        = moduser32.NewProc("GetClassNameW")
 	procGetDesktopWindow                                     = moduser32.NewProc("GetDesktopWindow")
 	procGetForegroundWindow                                  = moduser32.NewProc("GetForegroundWindow")
 	procGetGUIThreadInfo                                     = moduser32.NewProc("GetGUIThreadInfo")
 	procGetShellWindow                                       = moduser32.NewProc("GetShellWindow")
 	procGetWindowThreadProcessId                             = moduser32.NewProc("GetWindowThreadProcessId")
 	procIsWindow                                             = moduser32.NewProc("IsWindow")
 	procIsWindowUnicode                                      = moduser32.NewProc("IsWindowUnicode")
 	procIsWindowVisible                                      = moduser32.NewProc("IsWindowVisible")
 	procMessageBoxW                                          = moduser32.NewProc("MessageBoxW")
 	procCreateEnvironmentBlock                               = moduserenv.NewProc("CreateEnvironmentBlock")
 	procDestroyEnvironmentBlock                              = moduserenv.NewProc("DestroyEnvironmentBlock")
@@ -461,6 +475,9 @@ var (
 	procWSAEnumProtocolsW                                    = modws2_32.NewProc("WSAEnumProtocolsW")
 	procWSAGetOverlappedResult                               = modws2_32.NewProc("WSAGetOverlappedResult")
 	procWSAIoctl                                             = modws2_32.NewProc("WSAIoctl")
 	procWSALookupServiceBeginW                               = modws2_32.NewProc("WSALookupServiceBeginW")
 	procWSALookupServiceEnd                                  = modws2_32.NewProc("WSALookupServiceEnd")
 	procWSALookupServiceNextW                                = modws2_32.NewProc("WSALookupServiceNextW")
 	procWSARecv                                              = modws2_32.NewProc("WSARecv")
 	procWSARecvFrom                                          = modws2_32.NewProc("WSARecvFrom")
 	procWSASend                                              = modws2_32.NewProc("WSASend")
@@ -718,6 +735,14 @@ func DuplicateTokenEx(existingToken Token, desiredAccess uint32, tokenAttributes
 	return
 }
 func EnumDependentServices(service Handle, activityState uint32, services *ENUM_SERVICE_STATUS, buffSize uint32, bytesNeeded *uint32, servicesReturned *uint32) (err error) {
 	r1, _, e1 := syscall.Syscall6(procEnumDependentServicesW.Addr(), 6, uintptr(service), uintptr(activityState), uintptr(unsafe.Pointer(services)), uintptr(buffSize), uintptr(unsafe.Pointer(bytesNeeded)), uintptr(unsafe.Pointer(servicesReturned)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 func EnumServicesStatusEx(mgr Handle, infoLevel uint32, serviceType uint32, serviceState uint32, services *byte, bufSize uint32, bytesNeeded *uint32, servicesReturned *uint32, resumeHandle *uint32, groupName *uint16) (err error) {
 	r1, _, e1 := syscall.Syscall12(procEnumServicesStatusExW.Addr(), 10, uintptr(mgr), uintptr(infoLevel), uintptr(serviceType), uintptr(serviceState), uintptr(unsafe.Pointer(services)), uintptr(bufSize), uintptr(unsafe.Pointer(bytesNeeded)), uintptr(unsafe.Pointer(servicesReturned)), uintptr(unsafe.Pointer(resumeHandle)), uintptr(unsafe.Pointer(groupName)), 0, 0)
 	if r1 == 0 {
@@ -1525,6 +1550,22 @@ func DnsRecordListFree(rl *DNSRecord, freetype uint32) {
 	return
 }
 func DwmGetWindowAttribute(hwnd HWND, attribute uint32, value unsafe.Pointer, size uint32) (ret error) {
 	r0, _, _ := syscall.Syscall6(procDwmGetWindowAttribute.Addr(), 4, uintptr(hwnd), uintptr(attribute), uintptr(value), uintptr(size), 0, 0)
 	if r0 != 0 {
 		ret = syscall.Errno(r0)
 	}
 	return
 }
 func DwmSetWindowAttribute(hwnd HWND, attribute uint32, value unsafe.Pointer, size uint32) (ret error) {
 	r0, _, _ := syscall.Syscall6(procDwmSetWindowAttribute.Addr(), 4, uintptr(hwnd), uintptr(attribute), uintptr(value), uintptr(size), 0, 0)
 	if r0 != 0 {
 		ret = syscall.Errno(r0)
 	}
 	return
 }
 func GetAdaptersAddresses(family uint32, flags uint32, reserved uintptr, adapterAddresses *IpAdapterAddresses, sizePointer *uint32) (errcode error) {
 	r0, _, _ := syscall.Syscall6(procGetAdaptersAddresses.Addr(), 5, uintptr(family), uintptr(flags), uintptr(reserved), uintptr(unsafe.Pointer(adapterAddresses)), uintptr(unsafe.Pointer(sizePointer)), 0)
 	if r0 != 0 {
@@ -2152,6 +2193,12 @@ func GetFullPathName(path *uint16, buflen uint32, buf *uint16, fname **uint16) (
 	return
 }
 func GetLargePageMinimum() (size uintptr) {
 	r0, _, _ := syscall.Syscall(procGetLargePageMinimum.Addr(), 0, 0, 0, 0)
 	size = uintptr(r0)
 	return
 }
 func GetLastError() (lasterr error) {
 	r0, _, _ := syscall.Syscall(procGetLastError.Addr(), 0, 0, 0, 0)
 	if r0 != 0 {
@@ -3802,6 +3849,19 @@ func ShellExecute(hwnd Handle, verb *uint16, file *uint16, args *uint16, cwd *ui
 	return
 }
 func EnumChildWindows(hwnd HWND, enumFunc uintptr, param unsafe.Pointer) {
 	syscall.Syscall(procEnumChildWindows.Addr(), 3, uintptr(hwnd), uintptr(enumFunc), uintptr(param))
 	return
 }
 func EnumWindows(enumFunc uintptr, param unsafe.Pointer) (err error) {
 	r1, _, e1 := syscall.Syscall(procEnumWindows.Addr(), 2, uintptr(enumFunc), uintptr(param), 0)
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 func ExitWindowsEx(flags uint32, reason uint32) (err error) {
 	r1, _, e1 := syscall.Syscall(procExitWindowsEx.Addr(), 2, uintptr(flags), uintptr(reason), 0)
 	if r1 == 0 {
@@ -3810,6 +3870,35 @@ func ExitWindowsEx(flags uint32, reason uint32) (err error) {
 	return
 }
 func GetClassName(hwnd HWND, className *uint16, maxCount int32) (copied int32, err error) {
 	r0, _, e1 := syscall.Syscall(procGetClassNameW.Addr(), 3, uintptr(hwnd), uintptr(unsafe.Pointer(className)), uintptr(maxCount))
 	copied = int32(r0)
 	if copied == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 func GetDesktopWindow() (hwnd HWND) {
 	r0, _, _ := syscall.Syscall(procGetDesktopWindow.Addr(), 0, 0, 0, 0)
 	hwnd = HWND(r0)
 	return
 }
 func GetForegroundWindow() (hwnd HWND) {
 	r0, _, _ := syscall.Syscall(procGetForegroundWindow.Addr(), 0, 0, 0, 0)
 	hwnd = HWND(r0)
 	return
 }
 func GetGUIThreadInfo(thread uint32, info *GUIThreadInfo) (err error) {
 	r1, _, e1 := syscall.Syscall(procGetGUIThreadInfo.Addr(), 2, uintptr(thread), uintptr(unsafe.Pointer(info)), 0)
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 func GetShellWindow() (shellWindow HWND) {
 	r0, _, _ := syscall.Syscall(procGetShellWindow.Addr(), 0, 0, 0, 0)
 	shellWindow = HWND(r0)
@@ -3825,6 +3914,24 @@ func GetWindowThreadProcessId(hwnd HWND, pid *uint32) (tid uint32, err error) {
 	return
 }
 func IsWindow(hwnd HWND) (isWindow bool) {
 	r0, _, _ := syscall.Syscall(procIsWindow.Addr(), 1, uintptr(hwnd), 0, 0)
 	isWindow = r0 != 0
 	return
 }
 func IsWindowUnicode(hwnd HWND) (isUnicode bool) {
 	r0, _, _ := syscall.Syscall(procIsWindowUnicode.Addr(), 1, uintptr(hwnd), 0, 0)
 	isUnicode = r0 != 0
 	return
 }
 func IsWindowVisible(hwnd HWND) (isVisible bool) {
 	r0, _, _ := syscall.Syscall(procIsWindowVisible.Addr(), 1, uintptr(hwnd), 0, 0)
 	isVisible = r0 != 0
 	return
 }
 func MessageBox(hwnd HWND, text *uint16, caption *uint16, boxtype uint32) (ret int32, err error) {
 	r0, _, e1 := syscall.Syscall6(procMessageBoxW.Addr(), 4, uintptr(hwnd), uintptr(unsafe.Pointer(text)), uintptr(unsafe.Pointer(caption)), uintptr(boxtype), 0, 0)
 	ret = int32(r0)
@@ -3972,6 +4079,30 @@ func WSAIoctl(s Handle, iocc uint32, inbuf *byte, cbif uint32, outbuf *byte, cbo
 	return
 }
 func WSALookupServiceBegin(querySet *WSAQUERYSET, flags uint32, handle *Handle) (err error) {
 	r1, _, e1 := syscall.Syscall(procWSALookupServiceBeginW.Addr(), 3, uintptr(unsafe.Pointer(querySet)), uintptr(flags), uintptr(unsafe.Pointer(handle)))
 	if r1 == socket_error {
 		err = errnoErr(e1)
 	}
 	return
 }
 func WSALookupServiceEnd(handle Handle) (err error) {
 	r1, _, e1 := syscall.Syscall(procWSALookupServiceEnd.Addr(), 1, uintptr(handle), 0, 0)
 	if r1 == socket_error {
 		err = errnoErr(e1)
 	}
 	return
 }
 func WSALookupServiceNext(handle Handle, flags uint32, size *int32, querySet *WSAQUERYSET) (err error) {
 	r1, _, e1 := syscall.Syscall6(procWSALookupServiceNextW.Addr(), 4, uintptr(handle), uintptr(flags), uintptr(unsafe.Pointer(size)), uintptr(unsafe.Pointer(querySet)), 0, 0)
 	if r1 == socket_error {
 		err = errnoErr(e1)
 	}
 	return
 }
 func WSARecv(s Handle, bufs *WSABuf, bufcnt uint32, recvd *uint32, flags *uint32, overlapped *Overlapped, croutine *byte) (err error) {
 	r1, _, e1 := syscall.Syscall9(procWSARecv.Addr(), 7, uintptr(s), uintptr(unsafe.Pointer(bufs)), uintptr(bufcnt), uintptr(unsafe.Pointer(recvd)), uintptr(unsafe.Pointer(flags)), uintptr(unsafe.Pointer(overlapped)), uintptr(unsafe.Pointer(croutine)), 0, 0)
 	if r1 == socket_error {
@@ -1,8 +1,7 @@
-# github.com/danieljoos/wincred v1.1.2
+# github.com/danieljoos/wincred v1.2.0
-## explicit; go 1.13
+## explicit; go 1.18
 github.com/danieljoos/wincred
-# golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64
+# golang.org/x/sys v0.8.0
 ## explicit; go 1.17
 golang.org/x/sys/execabs
 golang.org/x/sys/internal/unsafeheader
 golang.org/x/sys/windows
@@ -1,3 +1,5 @@
 //go:build windows
 package main
 import (
@@ -1,3 +1,5 @@
 //go:build windows
 package wincred
 import (
@@ -111,15 +113,15 @@ func exactMatch(serverURL, target url.URL) bool {
 }
 func approximateMatch(serverURL, target url.URL) bool {
-	//if scheme is missing assume it is the same as target
+	// if scheme is missing assume it is the same as target
 	if serverURL.Scheme == "" {
 		serverURL.Scheme = target.Scheme
 	}
-	//if port is missing assume it is the same as target
+	// if port is missing assume it is the same as target
 	if serverURL.Port() == "" && target.Port() != "" {
 		serverURL.Host = serverURL.Host + ":" + target.Port()
 	}
-	//if path is missing assume it is the same as target
+	// if path is missing assume it is the same as target
 	if serverURL.Path == "" {
 		serverURL.Path = target.Path
 	}
@@ -0,0 +1,291 @@
 //go:build windows
 package wincred
 import (
 	"fmt"
 	"strings"
 	"testing"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 func TestWinCredHelper(t *testing.T) {
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v1",
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
 	creds1 := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v2",
 		Username:  "foobarbaz",
 		Secret:    "foobar",
 	}
 	helper := Wincred{}
 	// check for and remove remaining credentials from previous fail tests
 	oldauths, err := helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 	for k, v := range oldauths {
 		if strings.Compare(k, creds.ServerURL) == 0 && strings.Compare(v, creds.Username) == 0 {
 			if err := helper.Delete(creds.ServerURL); err != nil {
 				t.Fatal(err)
 			}
 		} else if strings.Compare(k, creds1.ServerURL) == 0 && strings.Compare(v, creds1.Username) == 0 {
 			if err := helper.Delete(creds1.ServerURL); err != nil {
 				t.Fatal(err)
 			}
 		}
 	}
 	// recount for credentials
 	oldauths, err = helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
 	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if username != "foobar" {
 		t.Fatalf("expected %s, got %s\n", "foobar", username)
 	}
 	if secret != "foobarbaz" {
 		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
 	}
 	auths, err := helper.List()
 	if err != nil || len(auths)-len(oldauths) != 1 {
 		t.Fatal(err)
 	}
 	helper.Add(creds1)
 	defer helper.Delete(creds1.ServerURL)
 	newauths, err := helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(newauths)-len(auths) != 1 {
 		if err == nil {
 			t.Fatalf("Error: len(newauths): %d, len(auths): %d", len(newauths), len(auths))
 		}
 		t.Fatalf("Error: len(newauths): %d, len(auths): %d\n Error= %v", len(newauths), len(auths), err)
 	}
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
 }
 // TestWinCredHelperRetrieveAliases verifies that secrets can be accessed
 // through variations on the URL
 func TestWinCredHelperRetrieveAliases(t *testing.T) {
 	tests := []struct {
 		doc      string
 		storeURL string
 		readURL  string
 	}{
 		{
 			doc:      "stored with port, retrieved without",
 			storeURL: "https://foobar.docker.io:2376",
 			readURL:  "https://foobar.docker.io",
 		},
 		{
 			doc:      "stored as https, retrieved without scheme",
 			storeURL: "https://foobar.docker.io",
 			readURL:  "foobar.docker.io",
 		},
 		{
 			doc:      "stored with path, retrieved without",
 			storeURL: "https://foobar.docker.io/one/two",
 			readURL:  "https://foobar.docker.io",
 		},
 	}
 	helper := Wincred{}
 	t.Cleanup(func() {
 		for _, tc := range tests {
 			if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("cleanup: failed to delete '%s': %v", tc.storeURL, err)
 			}
 		}
 	})
 	// Clean store before testing.
 	for _, tc := range tests {
 		if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("prepare: failed to delete '%s': %v", tc.storeURL, err)
 		}
 	}
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
 			c := &credentials.Credentials{ServerURL: tc.storeURL, Username: "hello", Secret: "world"}
 			if err := helper.Add(c); err != nil {
 				t.Fatalf("Error: failed to store secret for URL %q: %s", tc.storeURL, err)
 			}
 			if _, _, err := helper.Get(tc.readURL); err != nil {
 				t.Errorf("Error: failed to read secret for URL %q using %q", tc.storeURL, tc.readURL)
 			}
 			if err := helper.Delete(tc.storeURL); err != nil {
 				t.Error(err)
 			}
 		})
 	}
 }
 // TestWinCredHelperRetrieveStrict verifies that only matching secrets are
 // returned.
 func TestWinCredHelperRetrieveStrict(t *testing.T) {
 	tests := []struct {
 		doc      string
 		storeURL string
 		readURL  string
 	}{
 		{
 			doc:      "stored as https, retrieved using http",
 			storeURL: "https://foobar.docker.io:2376",
 			readURL:  "http://foobar.docker.io:2376",
 		},
 		{
 			doc:      "stored as http, retrieved using https",
 			storeURL: "http://foobar.docker.io:2376",
 			readURL:  "https://foobar.docker.io:2376",
 		},
 		{
 			// stored as http, retrieved without a scheme specified (hence, using the default https://)
 			doc:      "stored as http, retrieved without scheme",
 			storeURL: "http://foobar.docker.io",
 			readURL:  "foobar.docker.io:5678",
 		},
 		{
 			doc:      "non-matching ports",
 			storeURL: "https://foobar.docker.io:1234",
 			readURL:  "https://foobar.docker.io:5678",
 		},
 		// TODO: is this desired behavior? The other way round does work
 		// {
 		// 	doc:      "non-matching ports (stored without port)",
 		// 	storeURL: "https://foobar.docker.io",
 		// 	readURL:  "https://foobar.docker.io:5678",
 		// },
 		{
 			doc:      "non-matching paths",
 			storeURL: "https://foobar.docker.io:1234/one/two",
 			readURL:  "https://foobar.docker.io:1234/five/six",
 		},
 	}
 	helper := Wincred{}
 	t.Cleanup(func() {
 		for _, tc := range tests {
 			if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("cleanup: failed to delete '%s': %v", tc.storeURL, err)
 			}
 		}
 	})
 	// Clean store before testing.
 	for _, tc := range tests {
 		if err := helper.Delete(tc.storeURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("prepare: failed to delete '%s': %v", tc.storeURL, err)
 		}
 	}
 	for _, tc := range tests {
 		tc := tc
 		t.Run(tc.doc, func(t *testing.T) {
 			c := &credentials.Credentials{ServerURL: tc.storeURL, Username: "hello", Secret: "world"}
 			if err := helper.Add(c); err != nil {
 				t.Fatalf("Error: failed to store secret for URL %q: %s", tc.storeURL, err)
 			}
 			if _, _, err := helper.Get(tc.readURL); err == nil {
 				t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", tc.storeURL, tc.readURL)
 			}
 			if err := helper.Delete(tc.storeURL); err != nil {
 				t.Error(err)
 			}
 		})
 	}
 }
 // TestWinCredHelperStoreRetrieve verifies that secrets stored in the
 // the keychain can be read back using the URL that was used to store them.
 func TestWinCredHelperStoreRetrieve(t *testing.T) {
 	tests := []struct {
 		url string
 	}{
 		{url: "foobar.docker.io"},
 		{url: "foobar.docker.io:2376"},
 		{url: "//foobar.docker.io:2376"},
 		{url: "https://foobar.docker.io:2376"},
 		{url: "http://foobar.docker.io:2376"},
 		{url: "https://foobar.docker.io:2376/some/path"},
 		{url: "https://foobar.docker.io:2376/some/other/path"},
 		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar"},
 	}
 	helper := Wincred{}
 	t.Cleanup(func() {
 		for _, tc := range tests {
 			if err := helper.Delete(tc.url); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 				t.Errorf("cleanup: failed to delete '%s': %v", tc.url, err)
 			}
 		}
 	})
 	// Clean store before testing.
 	for _, tc := range tests {
 		if err := helper.Delete(tc.url); err != nil && !credentials.IsErrCredentialsNotFound(err) {
 			t.Errorf("prepare: failed to delete '%s': %v", tc.url, err)
 		}
 	}
 	// Note that we don't delete between individual tests here, to verify that
 	// subsequent stores/overwrites don't affect storing / retrieving secrets.
 	for i, tc := range tests {
 		tc := tc
 		t.Run(tc.url, func(t *testing.T) {
 			c := &credentials.Credentials{
 				ServerURL: tc.url,
 				Username:  fmt.Sprintf("user-%d", i),
 				Secret:    fmt.Sprintf("secret-%d", i),
 			}
 			if err := helper.Add(c); err != nil {
 				t.Fatalf("Error: failed to store secret for URL: %s: %s", tc.url, err)
 			}
 			user, secret, err := helper.Get(tc.url)
 			if err != nil {
 				t.Fatalf("Error: failed to read secret for URL %q: %s", tc.url, err)
 			}
 			if user != c.Username {
 				t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, tc.url)
 			}
 			if secret != c.Secret {
 				t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, tc.url)
 			}
 		})
 	}
 }
 func TestMissingCredentials(t *testing.T) {
 	helper := Wincred{}
 	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")
 	if !credentials.IsErrCredentialsNotFound(err) {
 		t.Fatalf("expected ErrCredentialsNotFound, got %v", err)
 	}
 }
@@ -1,244 +0,0 @@
 package wincred
 import (
 	"fmt"
 	"strings"
 	"testing"
 	"github.com/docker/docker-credential-helpers/credentials"
 )
 func TestWinCredHelper(t *testing.T) {
 	creds := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v1",
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
 	creds1 := &credentials.Credentials{
 		ServerURL: "https://foobar.docker.io:2376/v2",
 		Username:  "foobarbaz",
 		Secret:    "foobar",
 	}
 	helper := Wincred{}
 	// check for and remove remaining credentials from previous fail tests
 	oldauths, err := helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 	for k, v := range oldauths {
 		if strings.Compare(k, creds.ServerURL) == 0 && strings.Compare(v, creds.Username) == 0 {
 			if err := helper.Delete(creds.ServerURL); err != nil {
 				t.Fatal(err)
 			}
 		} else if strings.Compare(k, creds1.ServerURL) == 0 && strings.Compare(v, creds1.Username) == 0 {
 			if err := helper.Delete(creds1.ServerURL); err != nil {
 				t.Fatal(err)
 			}
 		}
 	}
 	// recount for credentials
 	oldauths, err = helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
 	}
 	username, secret, err := helper.Get(creds.ServerURL)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if username != "foobar" {
 		t.Fatalf("expected %s, got %s\n", "foobar", username)
 	}
 	if secret != "foobarbaz" {
 		t.Fatalf("expected %s, got %s\n", "foobarbaz", secret)
 	}
 	auths, err := helper.List()
 	if err != nil || len(auths)-len(oldauths) != 1 {
 		t.Fatal(err)
 	}
 	helper.Add(creds1)
 	defer helper.Delete(creds1.ServerURL)
 	newauths, err := helper.List()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(newauths)-len(auths) != 1 {
 		if err == nil {
 			t.Fatalf("Error: len(newauths): %d, len(auths): %d", len(newauths), len(auths))
 		}
 		t.Fatalf("Error: len(newauths): %d, len(auths): %d\n Error= %v", len(newauths), len(auths), err)
 	}
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
 }
 // TestWinCredHelperRetrieveAliases verifies that secrets can be accessed
 // through variations on the URL
 func TestWinCredHelperRetrieveAliases(t *testing.T) {
 	tests := []struct {
 		storeURL string
 		readURL  string
 	}{
 		// stored with port, retrieved without
 		{"https://foobar.docker.io:2376", "https://foobar.docker.io"},
 		// stored as https, retrieved without scheme
 		{"https://foobar.docker.io", "foobar.docker.io"},
 		// stored with path, retrieved without
 		{"https://foobar.docker.io/one/two", "https://foobar.docker.io"},
 	}
 	helper := Wincred{}
 	defer func() {
 		for _, te := range tests {
 			helper.Delete(te.storeURL)
 		}
 	}()
 	// Clean store before testing.
 	for _, te := range tests {
 		helper.Delete(te.storeURL)
 	}
 	for _, te := range tests {
 		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
 		if err := helper.Add(c); err != nil {
 			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
 			continue
 		}
 		if _, _, err := helper.Get(te.readURL); err != nil {
 			t.Errorf("Error: failed to read secret for URL %q using %q", te.storeURL, te.readURL)
 		}
 		helper.Delete(te.storeURL)
 	}
 }
 // TestWinCredHelperRetrieveStrict verifies that only matching secrets are
 // returned.
 func TestWinCredHelperRetrieveStrict(t *testing.T) {
 	tests := []struct {
 		storeURL string
 		readURL  string
 	}{
 		// stored as https, retrieved using http
 		{"https://foobar.docker.io:2376", "http://foobar.docker.io:2376"},
 		// stored as http, retrieved using https
 		{"http://foobar.docker.io:2376", "https://foobar.docker.io:2376"},
 		// same: stored as http, retrieved without a scheme specified (hence, using the default https://)
 		{"http://foobar.docker.io", "foobar.docker.io:5678"},
 		// non-matching ports
 		{"https://foobar.docker.io:1234", "https://foobar.docker.io:5678"},
 		// non-matching ports TODO is this desired behavior? The other way round does work
 		//{"https://foobar.docker.io", "https://foobar.docker.io:5678"},
 		// non-matching paths
 		{"https://foobar.docker.io:1234/one/two", "https://foobar.docker.io:1234/five/six"},
 	}
 	helper := Wincred{}
 	defer func() {
 		for _, te := range tests {
 			helper.Delete(te.storeURL)
 		}
 	}()
 	// Clean store before testing.
 	for _, te := range tests {
 		helper.Delete(te.storeURL)
 	}
 	for _, te := range tests {
 		c := &credentials.Credentials{ServerURL: te.storeURL, Username: "hello", Secret: "world"}
 		if err := helper.Add(c); err != nil {
 			t.Errorf("Error: failed to store secret for URL %q: %s", te.storeURL, err)
 			continue
 		}
 		if _, _, err := helper.Get(te.readURL); err == nil {
 			t.Errorf("Error: managed to read secret for URL %q using %q, but should not be able to", te.storeURL, te.readURL)
 		}
 		helper.Delete(te.storeURL)
 	}
 }
 // TestWinCredHelperStoreRetrieve verifies that secrets stored in the
 // the keychain can be read back using the URL that was used to store them.
 func TestWinCredHelperStoreRetrieve(t *testing.T) {
 	tests := []struct {
 		url string
 	}{
 		{url: "foobar.docker.io"},
 		{url: "foobar.docker.io:2376"},
 		{url: "//foobar.docker.io:2376"},
 		{url: "https://foobar.docker.io:2376"},
 		{url: "http://foobar.docker.io:2376"},
 		{url: "https://foobar.docker.io:2376/some/path"},
 		{url: "https://foobar.docker.io:2376/some/other/path"},
 		{url: "https://foobar.docker.io:2376/some/other/path?foo=bar"},
 	}
 	helper := Wincred{}
 	defer func() {
 		for _, te := range tests {
 			helper.Delete(te.url)
 		}
 	}()
 	// Clean store before testing.
 	for _, te := range tests {
 		helper.Delete(te.url)
 	}
 	// Note that we don't delete between individual tests here, to verify that
 	// subsequent stores/overwrites don't affect storing / retrieving secrets.
 	for i, te := range tests {
 		c := &credentials.Credentials{
 			ServerURL: te.url,
 			Username:  fmt.Sprintf("user-%d", i),
 			Secret:    fmt.Sprintf("secret-%d", i),
 		}
 		if err := helper.Add(c); err != nil {
 			t.Errorf("Error: failed to store secret for URL: %s: %s", te.url, err)
 			continue
 		}
 		user, secret, err := helper.Get(te.url)
 		if err != nil {
 			t.Errorf("Error: failed to read secret for URL %q: %s", te.url, err)
 			continue
 		}
 		if user != c.Username {
 			t.Errorf("Error: expected username %s, got username %s for URL: %s", c.Username, user, te.url)
 		}
 		if secret != c.Secret {
 			t.Errorf("Error: expected secret %s, got secret %s for URL: %s", c.Secret, secret, te.url)
 		}
 	}
 }
 func TestMissingCredentials(t *testing.T) {
 	helper := Wincred{}
 	_, _, err := helper.Get("https://adsfasdf.wrewerwer.com/asdfsdddd")
 	if !credentials.IsErrCredentialsNotFound(err) {
 		t.Fatalf("expected ErrCredentialsNotFound, got %v", err)
 	}
 }