Grouped CI related cherry-picks

- Add args to golangci-lint to show lines number kubernetes-sigs#2180
- Align github actions with upstream CAPI kubernetes-sigs#2167
- flavorgen generates all flavors by default kubernetes-sigs#2172
  - only CI parts
- Add verify-govulncheck target and integrate to scan action kubernetes-sigs#2174
- Use shellcheck binary instead of self-built docker image kubernetes-sigs#2211
- Add doctoc and generate + verify targets kubernetes-sigs#2147
  - only CI parts

.github/dependabot.yml

@@ -11,19 +11,24 @@ updates:
       prefix: ":seedling:"
   labels:
     - "ok-to-test"
+
 # Go
 - package-ecosystem: "gomod"
   directory: "/"
   schedule:
     interval: "weekly"
+    day: "monday"
   ignore:
-  # Ignore k8s modules as they are upgraded manually
-  # together with controller-runtime and CAPI dependencies.
+  # Ignore controller-runtime as its upgraded manually.
+  - dependency-name: "sigs.k8s.io/controller-runtime"
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+    # Ignore k8s and its transitives modules as they are upgraded manually
+    # together with controller-runtime.
   - dependency-name: "k8s.io/*"
-  - dependency-name: "sigs.k8s.io/*"
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   - dependency-name: "sigs.k8s.io/cluster-api/test"
     update-types: ["version-update:semver-major", "version-update:semver-minor"]
   commit-message:
     prefix: ":seedling:"
   labels:
-    - "ok-to-test"
+    - "ok-to-test"

.github/workflows/golangci-lint.yaml → .github/workflows/pr-golangci-lint.yaml

@@ -1,4 +1,4 @@
-name: golangci-lint
+name: PR golangci-lint
 
 on:
   pull_request:
@@ -17,10 +17,11 @@ jobs:
         id: vars
         run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
       - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # tag=v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
         with:
           go-version: ${{ steps.vars.outputs.go_version }}
       - name: golangci-lint
         uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # tag=v3.6.0
         with:
-          version: v1.53.3
+          version: v1.53.3
+          args: --out-format=colored-line-number

.github/workflows/pr-md-link-check.yaml

@@ -0,0 +1,23 @@
+name: PR check Markdown links
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize, reopened]
+    paths:
+      - '**.md'
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  markdown-link-check:
+    name: Broken Links
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
+    - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # tag=v1
+      with:
+        use-quiet-mode: 'yes'
+        config-file: .markdownlinkcheck.json
+        check-modified-files-only: 'yes'
+        base-branch: main

.github/workflows/verify-pr.yml → .github/workflows/pr-verify.yaml

@@ -1,4 +1,4 @@
-name: Verify PR
+name: PR Verify
 
 on:
   pull_request_target:
@@ -14,6 +14,6 @@ jobs:
     steps:
       - name: Verifier action
         id: verifier
-        uses: kubernetes-sigs/kubebuilder-release-tools@v0.3.0
+        uses: kubernetes-sigs/kubebuilder-release-tools@4f3d1085b4458a49ed86918b4b55505716715b77 # tag=v0.3.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yaml

@@ -23,7 +23,7 @@ jobs:
       - name: Calculate go version
         run: echo "go_version=$(make go-version)" >> $GITHUB_ENV
       - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # tag=v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
         with:
           go-version: ${{ env.go_version }}
       - name: generate release artifacts

.github/workflows/weekly-md-link-check.yaml

@@ -0,0 +1,26 @@
+name: Weekly check all Markdown links
+
+on:
+  schedule:
+    # Cron for every Monday at 12:00 UTC.
+    - cron: "0 12 * * 1"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  markdown-link-check:
+    name: Broken Links
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
+        with:
+          ref: ${{ matrix.branch }}
+      - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # tag=v1
+        with:
+          use-quiet-mode: 'yes'
+          config-file: .markdownlinkcheck.json

.github/workflows/weekly-security-scan.yaml

@@ -0,0 +1,32 @@
+name: Weekly security scan
+
+on:
+  schedule:
+    # Cron for every Monday at 12:00 UTC.
+    - cron: "0 12 * * 1"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  scan:
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ]
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
+      with:
+        ref: ${{ matrix.branch }}
+    - name: Calculate go version
+      id: vars
+      run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
+    - name: Set up Go
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+    - name: Run verify security target
+      run: make verify-security

.github/workflows/weekly-test-release.yaml

@@ -0,0 +1,40 @@
+name: Weekly release test
+
+# Note: This workflow does not build for releases. It attempts to build release binaries periodically to ensure the repo
+# release machinery is in a good state.
+
+on:
+  schedule:
+    # Cron for every day at 12:00 UTC.
+    - cron: "0 12 * * *"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  weekly-test-release:
+    name: Test release
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
+        with:
+          ref: ${{ matrix.branch }}
+          fetch-depth: 0
+      - name: Set env
+        run:  echo "RELEASE_TAG=v9.9.9-fake" >> $GITHUB_ENV
+      - name: Set fake tag for release
+        run: |
+          git tag ${{ env.RELEASE_TAG }}
+      - name: Calculate go version
+        run: echo "go_version=$(make go-version)" >> $GITHUB_ENV
+      - name: Set up Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
+        with:
+          go-version: ${{ env.go_version }}
+      - name: Test release
+        run: |
+          make release

.markdownlinkcheck.json

@@ -0,0 +1,17 @@
+{
+    "ignorePatterns": [{
+        "pattern": "^http://localhost"
+    }],
+    "httpHeaders": [{
+        "comment": "Workaround as suggested here: https://github.com/tcort/markdown-link-check/issues/201",
+        "urls": ["https://docs.github.com/"],
+        "headers": {
+            "Accept-Encoding": "zstd, br, gzip, deflate"
+        }
+    }],
+    "timeout": "10s",
+    "retryOn429": true,
+    "retryCount": 5,
+    "fallbackRetryDelay": "30s",
+    "aliveStatusCodes": [200, 206]
+}

Makefile

@@ -134,6 +134,8 @@ GO_APIDIFF_BIN := go-apidiff
 GO_APIDIFF := $(abspath $(TOOLS_BIN_DIR)/$(GO_APIDIFF_BIN)-$(GO_APIDIFF_VER))
 GO_APIDIFF_PKG := github.com/joelanford/go-apidiff
 
+SHELLCHECK_VER := v0.9.0
+
 KPROMO_VER := v4.0.4
 KPROMO_BIN := kpromo
 KPROMO :=  $(abspath $(TOOLS_BIN_DIR)/$(KPROMO_BIN)-$(KPROMO_VER))
@@ -150,10 +152,15 @@ GINKGO := $(abspath $(TOOLS_BIN_DIR)/$(GINKGO_BIN)-$(GINGKO_VER))
 GINKGO_PKG := github.com/onsi/ginkgo/v2/ginkgo
 
 GOLANGCI_LINT_BIN := golangci-lint
-GOLANGCI_LINT_VER := $(shell cat .github/workflows/golangci-lint.yaml | grep [[:space:]]version: | sed 's/.*version: //')
+GOLANGCI_LINT_VER := $(shell cat .github/workflows/pr-golangci-lint.yaml | grep [[:space:]]version: | sed 's/.*version: //')
 GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
 GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint
 
+GOVULNCHECK_BIN := govulncheck
+GOVULNCHECK_VER := v1.0.0
+GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
+GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck
+
 GOVC_VER := $(shell cat go.mod | grep "github.com/vmware/govmomi" | awk '{print $$NF}')
 GOVC_BIN := govc
 GOVC := $(abspath $(TOOLS_BIN_DIR)/$(GOVC_BIN)-$(GOVC_VER))
@@ -228,7 +235,7 @@ help:  # Display this help
 
 .PHONY: generate
 generate: ## Run all generate targets
-	$(MAKE) generate-modules generate-manifests generate-go-deepcopy generate-go-conversions
+	$(MAKE) generate-modules generate-manifests generate-go-deepcopy generate-go-conversions generate-flavors
 
 .PHONY: generate-manifests
 generate-manifests: $(CONTROLLER_GEN) ## Generate manifests e.g. CRD, RBAC etc.
@@ -276,6 +283,10 @@ generate-go-conversions: $(CONTROLLER_GEN) $(CONVERSION_GEN) ## Runs Go related
 generate-modules: ## Run go mod tidy to ensure modules are up to date
 	go mod tidy
 
+.PHONY: generate-doctoc
+generate-doctoc:
+	TRACE=$(TRACE) ./hack/generate-doctoc.sh
+
 .PHONY: generate-e2e-templates
 generate-e2e-templates: ## Generate e2e cluster templates
 	$(MAKE) release-flavors
@@ -311,7 +322,6 @@ generate-e2e-templates: ## Generate e2e cluster templates
 lint: $(GOLANGCI_LINT) ## Lint the codebase
 	$(MAKE) lint-go-full
 	$(MAKE) lint-markdown
-	$(MAKE) lint-shell
 
 GOLANGCI_LINT_EXTRA_ARGS ?= --fast=true
 .PHONY: lint-go
@@ -326,10 +336,6 @@ lint-go-full: lint-go ## Run slower linters to detect possible issues
 lint-markdown: ## Lint the project's markdown
 	docker run --rm -v "$$(pwd)":/build$(DOCKER_VOL_OPTS) gcr.io/cluster-api-provider-vsphere/extra/mdlint:0.17.0 -- /md/lint -i contrib/haproxy/openapi -i _releasenotes .
 
-.PHONY: lint-shell
-lint-shell: ## Lint the project's shell scripts
-	docker run --rm -t -v "$$(pwd)":/build:ro gcr.io/cluster-api-provider-vsphere/extra/shellcheck
-
 .PHONY: lint-fix
 lint-fix: $(GOLANGCI_LINT) ## Lint the codebase and run auto-fixers if supported by the linter
 	GOLANGCI_LINT_EXTRA_ARGS="--fast=false --fix" $(MAKE) lint-go
@@ -340,10 +346,10 @@ APIDIFF_OLD_COMMIT ?= $(shell git rev-parse origin/main)
 apidiff: $(GO_APIDIFF) ## Check for API differences
 	$(GO_APIDIFF) $(APIDIFF_OLD_COMMIT) --print-compatible
 
-ALL_VERIFY_CHECKS = boilerplate modules gen conversions
+ALL_VERIFY_CHECKS = boilerplate shellcheck modules gen conversions doctoc flavors
 
 .PHONY: verify
-verify: $(addprefix verify-,$(ALL_VERIFY_CHECKS)) lint-markdown lint-shell ## Run all verify-* targets
+verify: $(addprefix verify-,$(ALL_VERIFY_CHECKS)) lint-markdown ## Run all verify-* targets
 
 .PHONY: verify-modules
 verify-modules: generate-modules  ## Verify go modules are up to date
@@ -367,14 +373,46 @@ verify-gen: generate  ## Verify go generated files are up to date
 verify-conversions: $(CONVERSION_VERIFIER)  ## Verifies expected API conversion are in place
 	$(CONVERSION_VERIFIER)
 
+.PHONY: verify-doctoc
+verify-doctoc: generate-doctoc
+	@if !(git diff --quiet HEAD); then \
+		git diff; \
+		echo "doctoc is out of date, run make generate-doctoc"; exit 1; \
+	fi
+
 .PHONY: verify-boilerplate
 verify-boilerplate: ## Verify boilerplate text exists in each file
 	TRACE=$(TRACE) ./hack/verify-boilerplate.sh
 
+.PHONY: verify-shellcheck
+verify-shellcheck: ## Verify shell files
+	TRACE=$(TRACE) ./hack/verify-shellcheck.sh $(SHELLCHECK_VER)
+
 .PHONY: verify-container-images
 verify-container-images: ## Verify container images
 	TRACE=$(TRACE) ./hack/verify-container-images.sh
 
+.PHONY: verify-govulncheck
+verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
+	$(GOVULNCHECK) ./...
+
+.PHONY: verify-security
+verify-security: ## Verify code and images for vulnerabilities
+	$(MAKE) verify-container-images && R1=$$? || R1=$$?; \
+	$(MAKE) verify-govulncheck && R2=$$? || R2=$$?; \
+	if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
+	  echo "Check for vulnerabilities failed! There are vulnerabilities to be fixed"; \
+		exit 1; \
+	fi
+
+.PHONY: verify-flavors
+verify-flavors: $(FLAVOR_DIR) generate-flavors ## Verify generated flavors
+	@if !(git diff --quiet HEAD -- $(FLAVOR_DIR)); then \
+		git diff $(FLAVOR_DIR); \
+		echo "flavor files in templates directory are out of date"; exit 1; \
+	fi
+
+
 ## --------------------------------------
 ## Build
 ## --------------------------------------
@@ -721,6 +759,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
 .PHONY: $(GOLANGCI_LINT_BIN)
 $(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.
 
+.PHONY: $(GOVULNCHECK_BIN)
+$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.
+
 .PHONY: $(GOVC_BIN)
 $(GOVC_BIN): $(GOVC) ## Build a local copy of govc.
 
@@ -770,6 +811,9 @@ $(GINKGO): # Build ginkgo.
 $(GOLANGCI_LINT): # Build golangci-lint.
 	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)
 
+$(GOVULNCHECK): # Build govulncheck.
+	GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)
+
 $(GOVC): # Build GOVC.
 	CGO_ENABLED=0 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVC_PKG) $(GOVC_BIN) $(GOVC_VER)