Merge pull request #32 from inteon/upgrade_makefiles

Upgrade makefile modules

Author: inteon

.github/dependabot.yaml

@@ -1,20 +1,20 @@
 # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
 # Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead.
 
-# Update Go dependencies and GitHub Actions dependencies weekly.
+# Update Go dependencies and GitHub Actions dependencies daily.
 version: 2
 updates:
 - package-ecosystem: gomod
   directory: /
   schedule:
-    interval: weekly
+    interval: daily
   groups:
     all:
       patterns: ["*"]
 - package-ecosystem: github-actions
   directory: /
   schedule:
-    interval: weekly
+    interval: daily
   groups:
     all:
       patterns: ["*"]

.github/workflows/govulncheck.yaml

@@ -0,0 +1,28 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead.
+
+# Run govulncheck at midnight every night on the main branch,
+# to alert us to recent vulnerabilities which affect the Go code in this
+# project.
+name: govulncheck
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - run: make verify-govulncheck

.github/workflows/make-self-upgrade.yaml

@@ -9,18 +9,22 @@ on:
     - cron: '0 0 * * *'
 
 jobs:
-  build_images:
+  self_upgrade:
     runs-on: ubuntu-latest
 
     permissions:
       contents: write
       pull-requests: write
+    
+    env:
+      SOURCE_BRANCH: "${{ github.ref_name }}"
+      SELF_UPGRADE_BRANCH: "self-upgrade-${{ github.ref_name }}"
 
     steps:
-      - name: Fail if branch is not main
-        if: github.ref != 'refs/heads/main'
+      - name: Fail if branch is not head of branch.
+        if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
         run: |
-          echo "This workflow should not be run on a branch other than main."
+          echo "This workflow should not be run on a non-branch-head."
           exit 1
 
       - uses: actions/checkout@v4
@@ -34,7 +38,7 @@ jobs:
           go-version: ${{ steps.go-version.outputs.result }}
 
       - run: |
-          git checkout -B "self-upgrade"
+          git checkout -B "$SELF_UPGRADE_BRANCH"
 
       - run: |
           make -j upgrade-klone
@@ -54,10 +58,10 @@ jobs:
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
         run: |
-          git config --global user.name "jetstack-bot"
-          git config --global user.email "jetstack[email protected]"
+          git config --global user.name "cert-manager-bot"
+          git config --global user.email "cert-manager[email protected]"
           git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff
-          git push -f origin self-upgrade
+          git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
         uses: actions/github-script@v7
@@ -67,18 +71,18 @@ jobs:
             const pulls = await github.rest.pulls.list({
               owner: owner,
               repo: repo,
-              head: owner + ':self-upgrade',
-              base: 'main',
+              head: owner + ':' + process.env.SELF_UPGRADE_BRANCH,
+              base: process.env.SOURCE_BRANCH,
               state: 'open',
             });
             
             if (pulls.data.length < 1) {
               await github.rest.pulls.create({
-                title: '[CI] Merge self-upgrade into main',
+                title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
                 owner: owner,
                 repo: repo,
-                head: 'self-upgrade',
-                base: 'main',
+                head: process.env.SELF_UPGRADE_BRANCH,
+                base: process.env.SOURCE_BRANCH,
                 body: [
                   'This PR is auto-generated to bump the Makefile modules.',
                 ].join('\n'),

.github/workflows/release.yaml

@@ -8,19 +8,24 @@ env:
   VERSION: ${{ github.ref_name }}
 
 jobs:
-  github_release:
+  build_images:
     runs-on: ubuntu-latest
 
     permissions:
-      contents: write # needed for creating a PR
-      pull-requests: write # needed for creating a PR
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
 
     steps:
+      - uses: actions/checkout@v4
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
       - env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh release create "$VERSION" \
-            --repo="$GITHUB_REPOSITORY" \
-            --title="${VERSION}" \
-            --draft \
-            --verify-tag 
+        run: make release

.golangci.yaml

@@ -0,0 +1,79 @@
+issues:
+  exclude-rules:
+    - linters:
+        - errcheck
+        - forbidigo
+        - gci
+        - gocritic
+        - exhaustive
+        - nilnil
+      text: ".*"
+linters:
+  # Explicitly define all enabled linters
+  disable-all: true
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - decorder
+    - dogsled
+    - dupword
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errname
+    - execinquery
+    - exhaustive
+    - exportloopref
+    - forbidigo
+    - gci
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocritic
+    - gofmt
+    - goheader
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - gosmopolitan
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - interfacebloat
+    - loggercheck
+    - makezero
+    - mirror
+    - misspell
+    - musttag
+    - nakedret
+    - nilerr
+    - nilnil
+    - noctx
+    - nosprintfhostport
+    - predeclared
+    - promlinter
+    - protogetter
+    - reassign
+    - sloglint
+    - staticcheck
+    - tagalign
+    - tenv
+    - testableexamples
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - wastedassign
+linters-settings:
+  gci:
+    sections:
+      - standard # Standard section: captures all standard packages.
+      - default # Default section: contains all imports that could not be matched to another section type.
+      - prefix(github.com/cert-manager/helm-tool) # Custom section: groups all imports with the specified Prefix.
+      - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+      - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.

.goreleaser.yml

@@ -0,0 +1,40 @@
+# Our Makefile will automatically add additional settings
+# to this builds array (environment variables, flags, ...)
+builds:
+  - id: helm-tool
+
+# config the checksum filename
+# https://goreleaser.com/customization/checksum
+checksum:
+  name_template: 'checksums.txt'
+
+# creates SBOMs of all archives and the source tarball using syft
+# https://goreleaser.com/customization/sbom
+sboms:
+  - artifacts: binary
+    documents:
+      - "{{ .ArtifactName }}{{ .ArtifactExt }}.spdx.sbom"
+
+# signs the checksum file
+# all files (including the sboms) are included in the checksum, so we don't need to sign each one if we don't want to
+# https://goreleaser.com/customization/sign
+signs:
+- cmd: cosign
+  signature: "${artifact}.cosign.bundle"
+  env:
+  - COSIGN_EXPERIMENTAL=1
+  args:
+    - sign-blob
+    - '--bundle=${signature}'
+    - '${artifact}'
+    - "--yes" # needed on cosign 2.0.0+
+  artifacts: checksum
+  output: true
+
+archives:
+  - name_template: "{{ .Binary }}_{{ .Os }}_{{ .Arch }}"
+    format: binary
+
+release:
+  draft: true
+  make_latest: false

Makefile

@@ -29,6 +29,15 @@
 
 ##################################
 
+# Some modules build their dependencies from variables, we want these to be 
+# evalutated at the last possible moment. For this we use second expansion to 
+# re-evaluate the generate and verify targets a second time.
+#
+# See https://www.gnu.org/software/make/manual/html_node/Secondary-Expansion.html
+.SECONDEXPANSION:
+
+# For details on some of these "prelude" settings, see:
+# https://clarkgrubb.com/makefile-style-guide
 MAKEFLAGS += --warn-undefined-variables --no-builtin-rules
 SHELL := /usr/bin/env bash
 .SHELLFLAGS := -uo pipefail -c
@@ -39,6 +48,10 @@ FORCE:
 
 noop: # do nothing
 
+# Set empty value for MAKECMDGOALS to prevent the "warning: undefined variable 'MAKECMDGOALS'"
+# warning from happening when running make without arguments
+MAKECMDGOALS ?=
+
 ##################################
 # Host OS and architecture setup #
 ##################################
@@ -47,8 +60,10 @@ noop: # do nothing
 # binary may not be available in the PATH yet when the Makefiles are
 # evaluated. HOST_OS and HOST_ARCH only support Linux, *BSD and macOS (M1
 # and Intel).
-HOST_OS ?= $(shell uname -s | tr A-Z a-z)
-HOST_ARCH ?= $(shell uname -m)
+host_os := $(shell uname -s | tr A-Z a-z)
+host_arch := $(shell uname -m)
+HOST_OS ?= $(host_os)
+HOST_ARCH ?= $(host_arch)
 
 ifeq (x86_64, $(HOST_ARCH))
 	HOST_ARCH = amd64
@@ -61,7 +76,8 @@ endif
 # Git and versioning information #
 ##################################
 
-VERSION ?= $(shell git describe --tags --always --match='v*' --abbrev=14 --dirty)
+git_version := $(shell git describe --tags --always --match='v*' --abbrev=14 --dirty)
+VERSION ?= $(git_version)
 IS_PRERELEASE := $(shell git describe --tags --always --match='v*' --abbrev=0 | grep -q '-' && echo true || echo false)
 GITCOMMIT := $(shell git rev-parse HEAD)
 GITEPOCH := $(shell git show -s --format=%ct HEAD)

OWNERS

@@ -1,20 +1,4 @@
 approvers:
-- munnerz
-- joshvanl
-- wallrj
-- jakexks
-- maelvls
-- irbekrm
-- sgtcodfish
-- inteon
-- thatsmrtalbot
+- cm-maintainers
 reviewers:
-- munnerz
-- joshvanl
-- wallrj
-- jakexks
-- maelvls
-- irbekrm
-- sgtcodfish
-- inteon
-- thatsmrtalbot
+- cm-maintainers

OWNERS_ALIASES

@@ -11,3 +11,4 @@ aliases:
     - irbekrm
     - sgtcodfish
     - inteon
+    - thatsmrtalbot