fix: use ErrorContains(t, err instead of Contains(t, err.Error() (#20220)

Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2026-04-21 17:07:16 +00:00 · 2024-10-04 15:36:05 +02:00 · 2024-10-04 15:36:05 +02:00 · 1c6ec19a86
commit 1c6ec19a86
parent ba0683c4d4
30 changed files with 98 additions and 177 deletions
--- a/cmd/argocd/commands/admin/settings_test.go
+++ b/cmd/argocd/commands/admin/settings_test.go
@ -200,8 +200,7 @@ admissionregistration.k8s.io/MutatingWebhookConfiguration:
 				require.NoError(t, err)
 				assert.Contains(t, summary, tc.containsSummary)
 			} else if tc.containsError != "" {
-				require.Error(t, err)
-				assert.Contains(t, err.Error(), tc.containsError)
+				assert.ErrorContains(t, err, tc.containsError)
 			}
 		})
 	}
--- a/cmpserver/plugin/plugin_test.go
+++ b/cmpserver/plugin/plugin_test.go
@ -451,8 +451,7 @@ func Test_getParametersAnnouncement_invalid_json(t *testing.T) {
 		Args:    []string{`[`},
 	}
 	_, err := getParametersAnnouncement(context.Background(), "", []*repoclient.ParameterAnnouncement{}, command, []*apiclient.EnvEntry{})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "unexpected end of JSON input")
+	assert.ErrorContains(t, err, "unexpected end of JSON input")
 }

 func Test_getParametersAnnouncement_bad_command(t *testing.T) {
@ -461,8 +460,7 @@ func Test_getParametersAnnouncement_bad_command(t *testing.T) {
 		Args:    []string{"1"},
 	}
 	_, err := getParametersAnnouncement(context.Background(), "", []*repoclient.ParameterAnnouncement{}, command, []*apiclient.EnvEntry{})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "error executing dynamic parameter output command")
+	assert.ErrorContains(t, err, "error executing dynamic parameter output command")
 }

 func Test_getTempDirMustCleanup(t *testing.T) {
--- a/common/common_test.go
+++ b/common/common_test.go
@ -101,8 +101,7 @@ func TestSetOptionalRedisPasswordFromKubeConfig(t *testing.T) {
 			}
 			err := SetOptionalRedisPasswordFromKubeConfig(ctx, kubeClient, tc.namespace, redisOptions)
 			if tc.expectedErr != "" {
-				require.Error(t, err)
-				require.Contains(t, err.Error(), tc.expectedErr)
+				require.ErrorContains(t, err, tc.expectedErr)
 			} else {
 				require.NoError(t, err)
 			}
--- a/pkg/apis/application/v1alpha1/types_test.go
+++ b/pkg/apis/application/v1alpha1/types_test.go
@ -454,8 +454,7 @@ func TestAppProject_IsDestinationPermitted_PermitOnlyProjectScopedClusters(t *te
 	_, err := proj.IsDestinationPermitted(ApplicationDestination{Server: "https://my-cluster.123.com", Namespace: "default"}, func(_ string) ([]*Cluster, error) {
 		return nil, errors.New("some error")
 	})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "could not retrieve project clusters")
+	assert.ErrorContains(t, err, "could not retrieve project clusters")
 }

 func TestAppProject_IsGroupKindPermitted(t *testing.T) {
@ -817,8 +816,7 @@ func TestAppProject_InvalidPolicyRules(t *testing.T) {
 	for _, bad := range badPolicies {
 		p.Spec.Roles[0].Policies = []string{bad.policy}
 		err = p.ValidateProject()
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), bad.errmsg)
+		assert.ErrorContains(t, err, bad.errmsg)
 	}
 }

--- a/reposerver/cache/cache_test.go
+++ b/reposerver/cache/cache_test.go
@ -570,8 +570,7 @@ func TestUnlockGitReferences(t *testing.T) {

 	t.Run("Test not locked", func(t *testing.T) {
 		err := cache.UnlockGitReferences("test-repo", "")
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "key is missing")
+		assert.ErrorContains(t, err, "key is missing")
 	})

 	t.Run("Test unlock", func(t *testing.T) {
--- a/reposerver/repository/repository_test.go
+++ b/reposerver/repository/repository_test.go
@ -280,7 +280,7 @@ func Test_GenerateManifests_NoOutOfBoundsAccess(t *testing.T) {
 			res, err := GenerateManifests(context.Background(), repoDir, "", "", &q, false, &git.NoopCredsStore{}, resource.MustParse("0"), nil)
 			require.Error(t, err)
 			assert.NotContains(t, err.Error(), mustNotContain)
-			assert.Contains(t, err.Error(), "illegal filepath")
+			require.ErrorContains(t, err, "illegal filepath")
 			assert.Nil(t, res)
 		})
 	}
@ -684,8 +684,7 @@ func TestInvalidMetadata(t *testing.T) {
 	src := argoappv1.ApplicationSource{Path: "./testdata/invalid-metadata", Directory: &argoappv1.ApplicationSourceDirectory{Recurse: true}}
 	q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, AppLabelKey: "test", AppName: "invalid-metadata", TrackingMethod: "annotation+label"}
 	_, err := service.GenerateManifest(context.Background(), &q)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "contains non-string value in the map under key \"invalid\"")
+	assert.ErrorContains(t, err, "contains non-string value in the map under key \"invalid\"")
 }

 func TestNilMetadataAccessors(t *testing.T) {
@ -763,8 +762,7 @@ func TestGenerateJsonnetLibOutside(t *testing.T) {
 		ProjectSourceRepos: []string{"*"},
 	}
 	_, err := service.GenerateManifest(context.Background(), &q)
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "file '../../../testdata/jsonnet/vendor' resolved to outside repository root")
+	require.ErrorContains(t, err, "file '../../../testdata/jsonnet/vendor' resolved to outside repository root")
 }

 func TestManifestGenErrorCacheByNumRequests(t *testing.T) {
@ -1141,8 +1139,7 @@ func TestHelmWithMissingValueFiles(t *testing.T) {

 	// Should fail since we're passing a non-existent values file, and error should indicate that
 	_, err := service.GenerateManifest(context.Background(), req)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), fmt.Sprintf("%s: no such file or directory", missingValuesFile))
+	require.ErrorContains(t, err, fmt.Sprintf("%s: no such file or directory", missingValuesFile))

 	// Should template without error even if defining a non-existent values file
 	req.ApplicationSource.Helm.IgnoreMissingValueFiles = true
@ -1330,8 +1327,7 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) {
 			ProjectName:        "something",
 			ProjectSourceRepos: []string{"*"},
 		})
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "outside repository root")
+		assert.ErrorContains(t, err, "outside repository root")
 	})

 	t.Run("Values file with relative path pointing inside repo root", func(t *testing.T) {
@ -1385,8 +1381,7 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) {
 			ProjectName:        "something",
 			ProjectSourceRepos: []string{"*"},
 		})
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "outside repository root")
+		assert.ErrorContains(t, err, "outside repository root")
 	})

 	t.Run("Remote values file from forbidden protocol", func(t *testing.T) {
@ -1404,8 +1399,7 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) {
 			ProjectName:        "something",
 			ProjectSourceRepos: []string{"*"},
 		})
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "is not allowed")
+		assert.ErrorContains(t, err, "is not allowed")
 	})

 	t.Run("Remote values file from custom allowed protocol", func(t *testing.T) {
@ -1423,8 +1417,7 @@ func TestGenerateHelmWithValuesDirectoryTraversalOutsideRepo(t *testing.T) {
 			ProjectName:        "something",
 			ProjectSourceRepos: []string{"*"},
 		})
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "s3://my-bucket/my-chart-values.yaml: no such file or directory")
+		assert.ErrorContains(t, err, "s3://my-bucket/my-chart-values.yaml: no such file or directory")
 	})
 }

@ -2857,8 +2850,7 @@ func TestTestRepoOCI(t *testing.T) {
 			EnableOCI: true,
 		},
 	})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "OCI Helm repository URL should include hostname and port only")
+	assert.ErrorContains(t, err, "OCI Helm repository URL should include hostname and port only")
 }

 func Test_getHelmDependencyRepos(t *testing.T) {
--- a/server/account/account_test.go
+++ b/server/account/account_test.go
@ -163,16 +163,14 @@ func TestUpdatePassword_DoesNotHavePermissions(t *testing.T) {
 		})
 		ctx := adminContext(context.Background())
 		_, err := accountServer.UpdatePassword(ctx, &account.UpdatePasswordRequest{CurrentPassword: "oldpassword", NewPassword: "newpassword", Name: "anotherUser"})
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "permission denied")
+		assert.ErrorContains(t, err, "permission denied")
 	})

 	t.Run("SSOAccountWithTheSameName", func(t *testing.T) {
 		accountServer, _ := newTestAccountServerExt(context.Background(), enforcer)
 		ctx := ssoAdminContext(context.Background(), time.Now())
 		_, err := accountServer.UpdatePassword(ctx, &account.UpdatePasswordRequest{CurrentPassword: "oldpassword", NewPassword: "newpassword", Name: "admin"})
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "permission denied")
+		assert.ErrorContains(t, err, "permission denied")
 	})
 }

@ -182,8 +180,7 @@ func TestUpdatePassword_ProjectToken(t *testing.T) {
 	})
 	ctx := projTokenContext(context.Background())
 	_, err := accountServer.UpdatePassword(ctx, &account.UpdatePasswordRequest{CurrentPassword: "oldpassword", NewPassword: "newpassword"})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "password can only be changed for local users")
+	assert.ErrorContains(t, err, "password can only be changed for local users")
 }

 func TestUpdatePassword_OldSSOToken(t *testing.T) {
@ -291,9 +288,8 @@ func TestCreateToken_UserSpecifiedID(t *testing.T) {
 	require.NoError(t, err)

 	_, err = accountServer.CreateToken(ctx, &account.CreateTokenRequest{Name: "account1", Id: "test"})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "failed to update account with new token:")
-	assert.Contains(t, err.Error(), "account already has token with id 'test'")
+	require.ErrorContains(t, err, "failed to update account with new token:")
+	assert.ErrorContains(t, err, "account already has token with id 'test'")
 }

 func TestDeleteToken_SuccessfullyRemoved(t *testing.T) {
--- a/server/application/application_test.go
+++ b/server/application/application_test.go
@ -2007,7 +2007,7 @@ func TestServer_GetApplicationSyncWindowsState(t *testing.T) {
 		appServer := newTestAppServer(t, testApp)

 		active, err := appServer.GetApplicationSyncWindows(context.Background(), &application.ApplicationSyncWindowsQuery{Name: &testApp.Name})
-		assert.Contains(t, err.Error(), "not exist")
+		require.ErrorContains(t, err, "not exist")
 		assert.Nil(t, active)
 	})
 }
@ -2718,7 +2718,6 @@ func TestAppNamespaceRestrictions(t *testing.T) {
 			Name:         ptr.To("test-app"),
 			AppNamespace: ptr.To("argocd-1"),
 		})
-		require.Error(t, err)
 		require.ErrorContains(t, err, "permission denied")
 		require.Nil(t, app)
 	})
--- a/server/cluster/cluster_test.go
+++ b/server/cluster/cluster_test.go
@ -471,8 +471,7 @@ func TestRotateAuth(t *testing.T) {
 			Name: "my-cluster-name",
 		})

-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "Get \"https://my-cluster-name/")
+		assert.ErrorContains(t, err, "Get \"https://my-cluster-name/")
 	})

 	t.Run("RotateAuth by Server - Error from no such host", func(t *testing.T) {
@ -480,8 +479,7 @@ func TestRotateAuth(t *testing.T) {
 			Server: "https://my-cluster-name",
 		})

-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "Get \"https://my-cluster-name/")
+		assert.ErrorContains(t, err, "Get \"https://my-cluster-name/")
 	})
 }

--- a/server/project/project_test.go
+++ b/server/project/project_test.go
@ -583,7 +583,7 @@ p, role:admin, projects, update, *, allow`)
 		projectServer := NewServer("default", fake.NewSimpleClientset(), apps.NewSimpleClientset(projWithRole), enforcer, sync.NewKeyLock(), nil, nil, projInformer, settingsMgr, argoDB, testEnableEventList)
 		request := &project.ProjectUpdateRequest{Project: projWithRole}
 		_, err := projectServer.Update(context.Background(), request)
-		assert.Contains(t, err.Error(), "object must be of form 'test/*', 'test[/<NAMESPACE>]/<APPNAME>' or 'test/<APPNAME>'")
+		assert.ErrorContains(t, err, "object must be of form 'test/*', 'test[/<NAMESPACE>]/<APPNAME>' or 'test/<APPNAME>'")
 	})

 	t.Run("TestValidateProjectIncorrectProjectInRoleFailure", func(t *testing.T) {
@ -602,7 +602,7 @@ p, role:admin, projects, update, *, allow`)
 		projectServer := NewServer("default", fake.NewSimpleClientset(), apps.NewSimpleClientset(projWithRole), enforcer, sync.NewKeyLock(), nil, nil, projInformer, settingsMgr, argoDB, testEnableEventList)
 		request := &project.ProjectUpdateRequest{Project: projWithRole}
 		_, err := projectServer.Update(context.Background(), request)
-		assert.Contains(t, err.Error(), "policy subject must be: 'proj:test:testRole'")
+		assert.ErrorContains(t, err, "policy subject must be: 'proj:test:testRole'")
 	})

 	t.Run("TestValidateProjectIncorrectTokenInRoleFailure", func(t *testing.T) {
@ -621,7 +621,7 @@ p, role:admin, projects, update, *, allow`)
 		projectServer := NewServer("default", fake.NewSimpleClientset(), apps.NewSimpleClientset(projWithRole), enforcer, sync.NewKeyLock(), nil, nil, projInformer, settingsMgr, argoDB, testEnableEventList)
 		request := &project.ProjectUpdateRequest{Project: projWithRole}
 		_, err := projectServer.Update(context.Background(), request)
-		assert.Contains(t, err.Error(), "policy subject must be: 'proj:test:testRole'")
+		assert.ErrorContains(t, err, "policy subject must be: 'proj:test:testRole'")
 	})

 	t.Run("TestValidateProjectInvalidEffectFailure", func(t *testing.T) {
@ -639,7 +639,7 @@ p, role:admin, projects, update, *, allow`)
 		projectServer := NewServer("default", fake.NewSimpleClientset(), apps.NewSimpleClientset(projWithRole), enforcer, sync.NewKeyLock(), nil, nil, projInformer, settingsMgr, argoDB, testEnableEventList)
 		request := &project.ProjectUpdateRequest{Project: projWithRole}
 		_, err := projectServer.Update(context.Background(), request)
-		assert.Contains(t, err.Error(), "effect must be: 'allow' or 'deny'")
+		assert.ErrorContains(t, err, "effect must be: 'allow' or 'deny'")
 	})

 	t.Run("TestNormalizeProjectRolePolicies", func(t *testing.T) {
@ -685,7 +685,7 @@ p, role:admin, projects, update, *, allow`)
 		argoDB := db.NewDB("default", settingsMgr, kubeclientset)
 		projectServer := NewServer("default", fake.NewSimpleClientset(), apps.NewSimpleClientset(projectWithSyncWindows), enforcer, sync.NewKeyLock(), sessionMgr, nil, projInformer, settingsMgr, argoDB, testEnableEventList)
 		res, err := projectServer.GetSyncWindowsState(ctx, &project.SyncWindowsQuery{Name: "incorrect"})
-		assert.Contains(t, err.Error(), "not found")
+		require.ErrorContains(t, err, "not found")
 		assert.Nil(t, res)
 	})

--- a/test/e2e/app_deletion_test.go
+++ b/test/e2e/app_deletion_test.go
@ -58,7 +58,7 @@ func TestDeletingAppByLabel(t *testing.T) {
 		// delete is unsuccessful since no selector match
 		AndCLIOutput(
 			func(output string, err error) {
-				assert.Contains(t, err.Error(), "no apps match selector foo=baz")
+				assert.ErrorContains(t, err, "no apps match selector foo=baz")
 			},
 		).
 		When().
--- a/test/e2e/app_management_ns_test.go
+++ b/test/e2e/app_management_ns_test.go
@ -91,8 +91,7 @@ func TestNamespacedGetLogsDenySwitchOn(t *testing.T) {
 		Expect(HealthIs(health.HealthStatusHealthy)).
 		And(func(app *Application) {
 			_, err := RunCliWithRetry(5, "app", "logs", ctx.AppQualifiedName(), "--kind", "Deployment", "--group", "", "--name", "guestbook-ui")
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), "permission denied")
+			assert.ErrorContains(t, err, "permission denied")
 		})
 }

@ -667,8 +666,7 @@ func TestNamespacedAppWithSecrets(t *testing.T) {
 			_, err = RunCli("app", "patch-resource", ctx.AppQualifiedName(), "--resource-name", "test-secret",
 				"--kind", "Secret", "--patch", `{"op": "add", "path": "/data", "value": "hello"}'`,
 				"--patch-type", "application/json-patch+json")
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), fmt.Sprintf("failed to patch Secret %s/test-secret", DeploymentNamespace()))
+			require.ErrorContains(t, err, fmt.Sprintf("failed to patch Secret %s/test-secret", DeploymentNamespace()))
 			assert.NotContains(t, err.Error(), "username")
 			assert.NotContains(t, err.Error(), "password")

@ -973,8 +971,7 @@ func TestNamespacedSyncResourceByLabel(t *testing.T) {
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
 		And(func(app *Application) {
 			_, err := RunCli("app", "sync", ctx.AppQualifiedName(), "--label", "this-label=does-not-exist")
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), "level=fatal")
+			assert.ErrorContains(t, err, "level=fatal")
 		})
 }

@ -1045,8 +1042,7 @@ func TestNamespacedNoLocalSyncWithAutosyncEnabled(t *testing.T) {
 			require.NoError(t, err)

 			_, err = RunCli("app", "sync", app.QualifiedName(), "--local", guestbookPathLocal)
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), "Cannot use local sync")
+			assert.ErrorContains(t, err, "Cannot use local sync")
 		})
 }

@ -1093,8 +1089,7 @@ func assertNSResourceActions(t *testing.T, appName string, successful bool) {
 		if successful {
 			require.NoError(t, err)
 		} else {
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), message)
+			assert.ErrorContains(t, err, message)
 		}
 	}

--- a/test/e2e/app_management_test.go
+++ b/test/e2e/app_management_test.go
@ -99,8 +99,7 @@ func TestGetLogsDenySwitchOn(t *testing.T) {
 		Expect(HealthIs(health.HealthStatusHealthy)).
 		And(func(app *Application) {
 			_, err := RunCliWithRetry(appLogsRetryCount, "app", "logs", app.Name, "--kind", "Deployment", "--group", "", "--name", "guestbook-ui")
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), "permission denied")
+			assert.ErrorContains(t, err, "permission denied")
 		})
 }

@ -818,8 +817,7 @@ func TestAppWithSecrets(t *testing.T) {
 			_, err = RunCli("app", "patch-resource", "test-app-with-secrets", "--resource-name", "test-secret",
 				"--kind", "Secret", "--patch", `{"op": "add", "path": "/data", "value": "hello"}'`,
 				"--patch-type", "application/json-patch+json")
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), fmt.Sprintf("failed to patch Secret %s/test-secret", DeploymentNamespace()))
+			require.ErrorContains(t, err, fmt.Sprintf("failed to patch Secret %s/test-secret", DeploymentNamespace()))
 			assert.NotContains(t, err.Error(), "username")
 			assert.NotContains(t, err.Error(), "password")

@ -1324,8 +1322,7 @@ func TestSyncResourceByLabel(t *testing.T) {
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
 		And(func(app *Application) {
 			_, err := RunCli("app", "sync", app.Name, "--label", "this-label=does-not-exist")
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), "level=fatal")
+			assert.ErrorContains(t, err, "level=fatal")
 		})
 }

@ -1342,8 +1339,7 @@ func TestSyncResourceByProject(t *testing.T) {
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
 		And(func(app *Application) {
 			_, err := RunCli("app", "sync", app.Name, "--project", "this-project-does-not-exist")
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), "level=fatal")
+			assert.ErrorContains(t, err, "level=fatal")
 		})
 }

@ -1450,8 +1446,7 @@ func assertResourceActions(t *testing.T, appName string, successful bool) {
 		if successful {
 			require.NoError(t, err)
 		} else {
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), message)
+			assert.ErrorContains(t, err, message)
 		}
 	}

@ -2246,8 +2241,7 @@ func TestNamespaceAutoCreation(t *testing.T) {
 		And(func(app *Application) {
 			// Make sure the namespace we are about to update to does not exist
 			_, err := Run("", "kubectl", "get", "namespace", updatedNamespace)
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), "not found")
+			assert.ErrorContains(t, err, "not found")
 		}).
 		When().
 		AppSet("--dest-namespace", updatedNamespace).
--- a/test/e2e/cluster_test.go
+++ b/test/e2e/cluster_test.go
@ -90,7 +90,7 @@ func TestClusterAddPermissionDenied(t *testing.T) {
 		Create().
 		Then().
 		AndCLIOutput(func(output string, err error) {
-			assert.Contains(t, err.Error(), "PermissionDenied desc = permission denied")
+			assert.ErrorContains(t, err, "PermissionDenied desc = permission denied")
 		})
 }

@ -255,7 +255,7 @@ func TestClusterDeleteDenied(t *testing.T) {
 		DeleteByName().
 		Then().
 		AndCLIOutput(func(output string, err error) {
-			assert.Contains(t, err.Error(), "PermissionDenied desc = permission denied")
+			assert.ErrorContains(t, err, "PermissionDenied desc = permission denied")
 		})

 	// Attempt to remove cluster creds by server
@ -269,7 +269,7 @@ func TestClusterDeleteDenied(t *testing.T) {
 		DeleteByServer().
 		Then().
 		AndCLIOutput(func(output string, err error) {
-			assert.Contains(t, err.Error(), "PermissionDenied desc = permission denied")
+			assert.ErrorContains(t, err, "PermissionDenied desc = permission denied")
 		})
 }

--- a/test/e2e/project_management_test.go
+++ b/test/e2e/project_management_test.go
@ -163,22 +163,19 @@ func TestAddProjectDestination(t *testing.T) {
 		"https://192.168.99.100:8443",
 		"test1",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "already defined")
+	require.ErrorContains(t, err, "already defined")

 	_, err = fixture.RunCli("proj", "add-destination", projectName,
 		"!*",
 		"test1",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "server has an invalid format, '!*'")
+	require.ErrorContains(t, err, "server has an invalid format, '!*'")

 	_, err = fixture.RunCli("proj", "add-destination", projectName,
 		"https://192.168.99.100:8443",
 		"!*",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "namespace has an invalid format, '!*'")
+	require.ErrorContains(t, err, "namespace has an invalid format, '!*'")

 	proj, err := fixture.AppClientset.ArgoprojV1alpha1().AppProjects(fixture.TestNamespace()).Get(context.Background(), projectName, metav1.GetOptions{})
 	require.NoError(t, err)
@ -249,8 +246,7 @@ func TestRemoveProjectDestination(t *testing.T) {
 		"https://192.168.99.100:8443",
 		"test1",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "does not exist")
+	require.ErrorContains(t, err, "does not exist")

 	proj, err := fixture.AppClientset.ArgoprojV1alpha1().AppProjects(fixture.TestNamespace()).Get(context.Background(), projectName, metav1.GetOptions{})
 	if err != nil {
@ -419,8 +415,7 @@ func TestAddOrphanedIgnore(t *testing.T) {
 		"--name",
 		"name",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "already defined")
+	require.ErrorContains(t, err, "already defined")

 	proj, err := fixture.AppClientset.ArgoprojV1alpha1().AppProjects(fixture.TestNamespace()).Get(context.Background(), projectName, metav1.GetOptions{})
 	require.NoError(t, err)
@ -466,8 +461,7 @@ func TestRemoveOrphanedIgnore(t *testing.T) {
 		"--name",
 		"name",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "does not exist")
+	require.ErrorContains(t, err, "does not exist")

 	proj, err := fixture.AppClientset.ArgoprojV1alpha1().AppProjects(fixture.TestNamespace()).Get(context.Background(), projectName, metav1.GetOptions{})
 	if err != nil {
@ -612,12 +606,11 @@ func TestGetVirtualProjectMatch(t *testing.T) {

 	// App trying to sync a resource which is not blacked listed anywhere
 	_, err = fixture.RunCli("app", "sync", fixture.Name(), "--resource", "apps:Deployment:guestbook-ui", "--timeout", fmt.Sprintf("%v", 10))
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "blocked by sync window")
+	require.ErrorContains(t, err, "blocked by sync window")

 	// app trying to sync a resource which is black listed by global project
 	_, err = fixture.RunCli("app", "sync", fixture.Name(), "--resource", ":Service:guestbook-ui", "--timeout", fmt.Sprintf("%v", 10))
-	assert.Contains(t, err.Error(), "blocked by sync window")
+	assert.ErrorContains(t, err, "blocked by sync window")
 }

 func TestAddProjectDestinationServiceAccount(t *testing.T) {
@ -676,8 +669,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"test-sa",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "already defined")
+	require.ErrorContains(t, err, "already defined")

 	// Given, an existing project,
 	// When, a duplicate default destination service account is added,
@ -687,8 +679,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"asdf",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "already added")
+	require.ErrorContains(t, err, "already added")

 	// Given, an existing project,
 	// When, a default destination service account with negation glob pattern for server is added,
@ -698,8 +689,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"test-sa",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "server has an invalid format, '!*'")
+	require.ErrorContains(t, err, "server has an invalid format, '!*'")

 	// Given, an existing project,
 	// When, a default destination service account with negation glob pattern for server is added,
@ -709,8 +699,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"test-sa",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "server has an invalid format, '!abc'")
+	require.ErrorContains(t, err, "server has an invalid format, '!abc'")

 	// Given, an existing project,
 	// When, a default destination service account with negation glob pattern for namespace is added,
@ -720,8 +709,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"!*",
 		"test-sa",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "namespace has an invalid format, '!*'")
+	require.ErrorContains(t, err, "namespace has an invalid format, '!*'")

 	// Given, an existing project,
 	// When, a default destination service account with negation glob pattern for namespace is added,
@ -731,8 +719,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"!abc",
 		"test-sa",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "namespace has an invalid format, '!abc'")
+	require.ErrorContains(t, err, "namespace has an invalid format, '!abc'")

 	// Given, an existing project,
 	// When, a default destination service account with empty service account is added,
@ -742,8 +729,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "defaultServiceAccount has an invalid format, ''")
+	require.ErrorContains(t, err, "defaultServiceAccount has an invalid format, ''")

 	// Given, an existing project,
 	// When, a default destination service account with service account having just white spaces is added,
@ -753,8 +739,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"   ",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "defaultServiceAccount has an invalid format, '   '")
+	require.ErrorContains(t, err, "defaultServiceAccount has an invalid format, '   '")

 	// Given, an existing project,
 	// When, a default destination service account with service account having backwards slash char is added,
@ -764,8 +749,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"test\\sa",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "defaultServiceAccount has an invalid format, 'test\\\\sa'")
+	require.ErrorContains(t, err, "defaultServiceAccount has an invalid format, 'test\\\\sa'")

 	// Given, an existing project,
 	// When, a default destination service account with service account having forward slash char is added,
@ -775,8 +759,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"test/sa",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "defaultServiceAccount has an invalid format, 'test/sa'")
+	require.ErrorContains(t, err, "defaultServiceAccount has an invalid format, 'test/sa'")

 	// Given, an existing project,
 	// When, a default destination service account with service account having square braces char is added,
@ -786,8 +769,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"[test-sa]",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "defaultServiceAccount has an invalid format, '[test-sa]'")
+	require.ErrorContains(t, err, "defaultServiceAccount has an invalid format, '[test-sa]'")

 	// Given, an existing project,
 	// When, a default destination service account with service account having curly braces char is added,
@ -797,8 +779,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"{test-sa}",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "defaultServiceAccount has an invalid format, '{test-sa}'")
+	require.ErrorContains(t, err, "defaultServiceAccount has an invalid format, '{test-sa}'")

 	// Given, an existing project,
 	// When, a default destination service account with service account having curly braces char is added,
@ -808,8 +789,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"test-ns",
 		"test-sa",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "server has an invalid format, '[[ech*'")
+	require.ErrorContains(t, err, "server has an invalid format, '[[ech*'")

 	// Given, an existing project,
 	// When, a default destination service account with service account having curly braces char is added,
@ -819,8 +799,7 @@ func TestAddProjectDestinationServiceAccount(t *testing.T) {
 		"[[ech*",
 		"test-sa",
 	)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "namespace has an invalid format, '[[ech*'")
+	require.ErrorContains(t, err, "namespace has an invalid format, '[[ech*'")

 	proj, err := fixture.AppClientset.ArgoprojV1alpha1().AppProjects(fixture.TestNamespace()).Get(context.Background(), projectName, metav1.GetOptions{})
 	require.NoError(t, err)
--- a/test/e2e/scoped_repository_test.go
+++ b/test/e2e/scoped_repository_test.go
@ -56,7 +56,7 @@ func TestCreateRepositoryNonAdminUserPermissionDenied(t *testing.T) {
 		Create().
 		Then().
 		AndCLIOutput(func(output string, err error) {
-			assert.Contains(t, err.Error(), "PermissionDenied desc = permission denied: repositories, create")
+			assert.ErrorContains(t, err, "PermissionDenied desc = permission denied: repositories, create")
 		})
 }

@ -83,7 +83,7 @@ func TestCreateRepositoryNonAdminUserWithWrongProject(t *testing.T) {
 		Create().
 		Then().
 		AndCLIOutput(func(output string, err error) {
-			assert.Contains(t, err.Error(), "PermissionDenied desc = permission denied: repositories, create")
+			assert.ErrorContains(t, err, "PermissionDenied desc = permission denied: repositories, create")
 		})
 }

@ -170,7 +170,7 @@ func TestDeleteRepositoryRbacDenied(t *testing.T) {
 		Delete().
 		Then().
 		AndCLIOutput(func(output string, err error) {
-			assert.Contains(t, err.Error(), "PermissionDenied desc = permission denied: repositories, delete")
+			assert.ErrorContains(t, err, "PermissionDenied desc = permission denied: repositories, delete")
 		})
 }

--- a/util/argo/argo_test.go
+++ b/util/argo/argo_test.go
@ -893,8 +893,7 @@ func TestSetAppOperations(t *testing.T) {
 		}
 		appIf := appclientset.NewSimpleClientset(&a).ArgoprojV1alpha1().Applications("default")
 		app, err := SetAppOperation(appIf, "someapp", &argoappv1.Operation{Sync: &argoappv1.SyncOperation{Revision: "aaa"}})
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "operation is already in progress")
+		require.ErrorContains(t, err, "operation is already in progress")
 		assert.Nil(t, app)
 	})

@ -907,8 +906,7 @@ func TestSetAppOperations(t *testing.T) {
 		}
 		appIf := appclientset.NewSimpleClientset(&a).ArgoprojV1alpha1().Applications("default")
 		app, err := SetAppOperation(appIf, "someapp", &argoappv1.Operation{Sync: nil})
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "Operation unspecified")
+		require.ErrorContains(t, err, "Operation unspecified")
 		assert.Nil(t, app)
 	})

@ -973,7 +971,7 @@ func TestValidateDestination(t *testing.T) {
 		db.On("GetClusterServersByName", context.Background(), mock.Anything).Return(nil, fmt.Errorf("an error occurred"))

 		err := ValidateDestination(context.Background(), &dest, db)
-		assert.Contains(t, err.Error(), "an error occurred")
+		require.ErrorContains(t, err, "an error occurred")
 		assert.False(t, dest.IsServerInferred())
 	})

--- a/util/cache/cache_test.go
+++ b/util/cache/cache_test.go
@ -74,11 +74,9 @@ func TestCacheClient(t *testing.T) {
 		})
 		t.Run("Check for nil items", func(t *testing.T) {
 			err := cache.SetItem("foo", nil, &CacheActionOpts{Expiration: 0, Delete: true})
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), "cannot set nil item")
+			require.ErrorContains(t, err, "cannot set nil item")
 			err = cache.GetItem("foo", nil)
-			require.Error(t, err)
-			assert.Contains(t, err.Error(), "cannot get item")
+			assert.ErrorContains(t, err, "cannot get item")
 		})
 	}
 }
--- a/util/cache/redis_test.go
+++ b/util/cache/redis_test.go
@ -90,8 +90,7 @@ func TestRedisSetCache(t *testing.T) {
 		var res string
 		client := NewRedisCache(redis.NewClient(&redis.Options{Addr: mr.Addr()}), 10*time.Second, RedisCompressionNone)
 		err = client.Get("foo", &res)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "cache: key is missing")
+		assert.ErrorContains(t, err, "cache: key is missing")
 	})
 }

--- a/util/cert/cert_test.go
+++ b/util/cert/cert_test.go
@ -505,7 +505,7 @@ func TestGetCertificateForConnect(t *testing.T) {
 		certs, err := GetCertificateForConnect("127.0.0.1")
 		require.Error(t, err)
 		assert.Empty(t, certs)
-		assert.Contains(t, err.Error(), "no certificates found")
+		assert.ErrorContains(t, err, "no certificates found")
 	})
 }

--- a/util/db/db_test.go
+++ b/util/db/db_test.go
@ -628,13 +628,13 @@ func TestFuzzyEquivalence(t *testing.T) {
 	repo, err = db.CreateRepository(ctx, &v1alpha1.Repository{
 		Repo: "https://github.com/argoproj/argocd-example-apps.git",
 	})
-	assert.Contains(t, err.Error(), "already exists")
+	require.ErrorContains(t, err, "already exists")
 	assert.Nil(t, repo)

 	repo, err = db.CreateRepository(ctx, &v1alpha1.Repository{
 		Repo: "https://github.com/argoproj/argocd-example-APPS",
 	})
-	assert.Contains(t, err.Error(), "already exists")
+	require.ErrorContains(t, err, "already exists")
 	assert.Nil(t, repo)

 	repo, err = db.GetRepository(ctx, "https://github.com/argoproj/argocd-example-APPS", "")
--- a/util/exec/exec_test.go
+++ b/util/exec/exec_test.go
@ -52,7 +52,7 @@ func TestRunWithExecRunOpts(t *testing.T) {
 		},
 	}
 	_, err := RunWithExecRunOpts(exec.Command("sh", "-c", "trap 'trap - 15 && echo captured && exit' 15 && sleep 2"), opts)
-	assert.Contains(t, err.Error(), "failed timeout after 200ms")
+	assert.ErrorContains(t, err, "failed timeout after 200ms")
 }

 func Test_getCommandArgsToLog(t *testing.T) {
--- a/util/gpg/gpg_test.go
+++ b/util/gpg/gpg_test.go
@ -98,8 +98,7 @@ func Test_GPG_InitializeGnuPG(t *testing.T) {
 		// we need to error out
 		t.Setenv(common.EnvGnuPGHome, f.Name())
 		err = InitializeGnuPG()
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "does not point to a directory")
+		assert.ErrorContains(t, err, "does not point to a directory")
 	})

 	t.Run("Unaccessible GNUPGHOME", func(t *testing.T) {
--- a/util/grpc/useragent_test.go
+++ b/util/grpc/useragent_test.go
@ -35,8 +35,7 @@ func Test_UserAgentEnforcer(t *testing.T) {
 		md := metadata.New(map[string]string{"user-agent": "argo-cd/3.0"})
 		ctx := metadata.NewIncomingContext(context.Background(), md)
 		err := userAgentEnforcer(ctx, clientName, constraintStr, semverConstraint)
-		require.Error(t, err)
-		require.Contains(t, err.Error(), "unsatisfied client version constraint")
+		require.ErrorContains(t, err, "unsatisfied client version constraint")
 	})
 	t.Run("Test legacy user-agent", func(t *testing.T) {
 		clientName := "argo-cd"
@ -45,8 +44,7 @@ func Test_UserAgentEnforcer(t *testing.T) {
 		md := metadata.New(map[string]string{"user-agent": "grpc-go/1.15.0"})
 		ctx := metadata.NewIncomingContext(context.Background(), md)
 		err := userAgentEnforcer(ctx, clientName, constraintStr, semverConstraint)
-		require.Error(t, err)
-		require.Contains(t, err.Error(), "unsatisfied client version constraint")
+		require.ErrorContains(t, err, "unsatisfied client version constraint")
 	})
 	t.Run("Test invalid version", func(t *testing.T) {
 		clientName := "argo-cd"
@ -55,7 +53,6 @@ func Test_UserAgentEnforcer(t *testing.T) {
 		md := metadata.New(map[string]string{"user-agent": "argo-cd/super"})
 		ctx := metadata.NewIncomingContext(context.Background(), md)
 		err := userAgentEnforcer(ctx, clientName, constraintStr, semverConstraint)
-		require.Error(t, err)
-		require.Contains(t, err.Error(), "could not parse version")
+		require.ErrorContains(t, err, "could not parse version")
 	})
 }
--- a/util/io/files/tar_test.go
+++ b/util/io/files/tar_test.go
@ -195,8 +195,7 @@ func TestUntgz(t *testing.T) {
 		err := files.Untgz(destDir, tgzFile, math.MaxInt64, false)

 		// then
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "illegal filepath in symlink")
+		assert.ErrorContains(t, err, "illegal filepath in symlink")
 	})

 	t.Run("preserves file mode", func(t *testing.T) {
--- a/util/io/path/resolved_test.go
+++ b/util/io/path/resolved_test.go
@ -111,8 +111,7 @@ func Test_resolveFilePath(t *testing.T) {
 	})
 	t.Run("Error on path resolving outside repository root", func(t *testing.T) {
 		p, remote, err := ResolveValueFilePathOrUrl("/foo/bar", "/foo", "baz/../../../bim.yaml", allowedRemoteProtocols)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "outside repository root")
+		require.ErrorContains(t, err, "outside repository root")
 		assert.False(t, remote)
 		assert.Equal(t, "", string(p))
 	})
@ -152,29 +151,25 @@ func Test_resolveFilePath(t *testing.T) {
 	})
 	t.Run("Overlapping root prefix without trailing slash", func(t *testing.T) {
 		p, remote, err := ResolveValueFilePathOrUrl(".", "/foo", "../foo2/baz.yaml", allowedRemoteProtocols)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "outside repository root")
+		require.ErrorContains(t, err, "outside repository root")
 		assert.False(t, remote)
 		assert.Equal(t, "", string(p))
 	})
 	t.Run("Overlapping root prefix with trailing slash", func(t *testing.T) {
 		p, remote, err := ResolveValueFilePathOrUrl(".", "/foo/", "../foo2/baz.yaml", allowedRemoteProtocols)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "outside repository root")
+		require.ErrorContains(t, err, "outside repository root")
 		assert.False(t, remote)
 		assert.Equal(t, "", string(p))
 	})
 	t.Run("Garbage input as values file", func(t *testing.T) {
 		p, remote, err := ResolveValueFilePathOrUrl(".", "/foo/", "kfdj\\ks&&&321209.,---e32908923%$§!\"", allowedRemoteProtocols)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "outside repository root")
+		require.ErrorContains(t, err, "outside repository root")
 		assert.False(t, remote)
 		assert.Equal(t, "", string(p))
 	})
 	t.Run("NUL-byte path input as values file", func(t *testing.T) {
 		p, remote, err := ResolveValueFilePathOrUrl(".", "/foo/", "\000", allowedRemoteProtocols)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "outside repository root")
+		require.ErrorContains(t, err, "outside repository root")
 		assert.False(t, remote)
 		assert.Equal(t, "", string(p))
 	})
--- a/util/lua/lua_test.go
+++ b/util/lua/lua_test.go
@ -684,8 +684,7 @@ func TestExecuteNewStyleActionMixedOperationsFailure(t *testing.T) {
 	testObj := StrToUnstructured(cronJobObjYaml)
 	vm := VM{}
 	_, err := vm.ExecuteResourceAction(testObj, createMixedOperationActionLuaFailing)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "unsupported operation")
+	assert.ErrorContains(t, err, "unsupported operation")
 }

 func TestExecuteResourceActionNonTableReturn(t *testing.T) {
--- a/util/session/sessionmanager_test.go
+++ b/util/session/sessionmanager_test.go
@ -160,8 +160,7 @@ func TestSessionManager_AdminToken_Deactivated(t *testing.T) {
 	}

 	_, _, err = mgr.Parse(token)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "account admin is disabled")
+	assert.ErrorContains(t, err, "account admin is disabled")
 }

 func TestSessionManager_AdminToken_LoginCapabilityDisabled(t *testing.T) {
@ -174,8 +173,7 @@ func TestSessionManager_AdminToken_LoginCapabilityDisabled(t *testing.T) {
 	}

 	_, _, err = mgr.Parse(token)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "account admin does not have 'apiKey' capability")
+	assert.ErrorContains(t, err, "account admin does not have 'apiKey' capability")
 }

 func TestSessionManager_ProjectToken(t *testing.T) {
@ -218,9 +216,7 @@ func TestSessionManager_ProjectToken(t *testing.T) {
 		require.NoError(t, err)

 		_, _, err = mgr.Parse(jwtToken)
-		require.Error(t, err)
-
-		assert.Contains(t, err.Error(), "does not exist in project 'default'")
+		assert.ErrorContains(t, err, "does not exist in project 'default'")
 	})
 }

@ -538,8 +534,7 @@ func TestMaxUsernameLength(t *testing.T) {
 	settingsMgr := settings.NewSettingsManager(context.Background(), getKubeClient("password", true), "argocd")
 	mgr := newSessionManager(settingsMgr, getProjLister(), NewUserStateStorage(nil))
 	err := mgr.VerifyUsernamePassword(username, "password")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), fmt.Sprintf(usernameTooLongError, maxUsernameLength))
+	assert.ErrorContains(t, err, fmt.Sprintf(usernameTooLongError, maxUsernameLength))
 }

 func TestMaxCacheSize(t *testing.T) {
--- a/util/settings/settings_test.go
+++ b/util/settings/settings_test.go
@ -1221,8 +1221,7 @@ func Test_GetTLSConfiguration(t *testing.T) {
 		)
 		settingsManager := NewSettingsManager(context.Background(), kubeClient, "default")
 		settings, err := settingsManager.GetSettings()
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "could not read from secret")
+		require.ErrorContains(t, err, "could not read from secret")
 		assert.NotNil(t, settings)
 	})
 	t.Run("No external TLS secret", func(t *testing.T) {
--- a/util/tls/tls_test.go
+++ b/util/tls/tls_test.go
@ -187,22 +187,19 @@ func TestGenerate(t *testing.T) {
 	t.Run("Invalid: No hosts specified", func(t *testing.T) {
 		opts := CertOptions{Hosts: []string{}, Organization: "Acme", ValidFrom: time.Now(), ValidFor: 10 * time.Hour}
 		_, _, err := generate(opts)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "hosts not supplied")
+		assert.ErrorContains(t, err, "hosts not supplied")
 	})

 	t.Run("Invalid: No organization specified", func(t *testing.T) {
 		opts := CertOptions{Hosts: []string{"localhost"}, Organization: "", ValidFrom: time.Now(), ValidFor: 10 * time.Hour}
 		_, _, err := generate(opts)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "organization not supplied")
+		assert.ErrorContains(t, err, "organization not supplied")
 	})

 	t.Run("Invalid: Unsupported curve specified", func(t *testing.T) {
 		opts := CertOptions{Hosts: []string{"localhost"}, Organization: "Acme", ECDSACurve: "Curve?", ValidFrom: time.Now(), ValidFor: 10 * time.Hour}
 		_, _, err := generate(opts)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "Unrecognized elliptic curve")
+		assert.ErrorContains(t, err, "Unrecognized elliptic curve")
 	})

 	for _, curve := range []string{"P224", "P256", "P384", "P521"} {