Upgrade Makefile modules to their latest versions

.github/dependabot.yaml

@@ -9,12 +9,12 @@ updates:
   schedule:
     interval: daily
   groups:
-    all:
+    all-go-deps:
       patterns: ["*"]
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: daily
   groups:
-    all:
+    all-gh-actions:
       patterns: ["*"]

.github/workflows/govulncheck.yaml

@@ -21,10 +21,10 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'jetstack'
+    if: github.repository == 'jetstack/preflight'
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option

.github/workflows/make-self-upgrade.yaml

@@ -15,7 +15,7 @@ jobs:
   self_upgrade:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'cert-manager'
+    if: github.repository == 'jetstack/preflight'
 
     permissions:
       contents: write
@@ -32,7 +32,7 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option

Makefile

@@ -39,7 +39,7 @@
 # For details on some of these "prelude" settings, see:
 # https://clarkgrubb.com/makefile-style-guide
 MAKEFLAGS += --warn-undefined-variables --no-builtin-rules
-SHELL := /usr/bin/env bash
+SHELL := /usr/bin/env PS1="" bash
 .SHELLFLAGS := -uo pipefail -c
 .DEFAULT_GOAL := help
 .DELETE_ON_ERROR:

klone.yaml

@@ -7,58 +7,63 @@
 
 targets:
   make/_shared:
+    - folder_name: boilerplate
+      repo_url: https://github.com/cert-manager/makefile-modules.git
+      repo_ref: main
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
+      repo_path: modules/boilerplate
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/klone
     - folder_name: licenses
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/licenses
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: d2abf2fdef0a202871a1137fcb6f7b9f639b61f9
       repo_path: modules/tools

make/00_mod.mk

@@ -42,9 +42,9 @@ helm_chart_image_name := quay.io/jetstack/charts/venafi-kubernetes-agent
 helm_chart_version := $(VERSION)
 helm_labels_template_name := preflight.labels
 
-# We skip using the upstream govulncheck targets because we need to customise the workflow YAML
+# We skip using the upstream govulncheck generate target because we need to customise the workflow YAML
 # locally. We provide the targets in this repo instead, and manually maintain the workflow.
-govulncheck_skip := true
+dont_generate_govulncheck := true
 
 # Allows us to replace the Helm values.yaml's image.repository and image.tag
 # with the right values.

make/02_mod.mk

@@ -64,24 +64,3 @@ test-helm: | $(NEEDS_HELM-UNITTEST)
 ## @category Testing
 test-helm-snapshot: | $(NEEDS_HELM-UNITTEST)
 	$(HELM-UNITTEST) ./deploy/charts/venafi-kubernetes-agent/ -u
-
-
-.PHONY: verify-govulncheck
-## Verify all Go modules for vulnerabilities using govulncheck Copied from makefile-modules
-## @category [shared] Generate/ Verify
-#
-# Runs `govulncheck` on all Go modules related to the project.
-# Ignores Go modules among the temporary build artifacts in _bin, to avoid
-# scanning the code of the vendored Go, after running make vendor-go.
-# Ignores Go modules in make/_shared, because those will be checked in centrally
-# in the makefile_modules repository.
-verify-govulncheck: | $(NEEDS_GOVULNCHECK)
-	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
-		| while read d; do \
-				target=$$(dirname $${d}); \
-				echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${target}'"; \
-				pushd "$${target}" >/dev/null; \
-				GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(GOVULNCHECK) ./... || exit; \
-				popd >/dev/null; \
-				echo ""; \
-			done

make/_shared/boilerplate/00_mod.mk

@@ -0,0 +1,17 @@
+# Copyright 2023 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+default_go_header_file := $(dir $(lastword $(MAKEFILE_LIST)))/template/boilerplate.go.txt
+
+go_header_file ?= $(default_go_header_file)

make/_shared/boilerplate/01_mod.mk

@@ -0,0 +1,31 @@
+# Copyright 2023 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
+
+.PHONY: verify-boilerplate
+## Verify that all files have the correct boilerplate.
+## @category [shared] Generate/ Verify
+verify-boilerplate: | $(NEEDS_BOILERSUITE)
+	$(BOILERSUITE) .
+
+shared_verify_targets += verify-boilerplate
+
+.PHONY: generate-license
+## Generate LICENSE file in the repository
+## @category [shared] Generate/ Verify
+generate-license:
+	cp -r $(base_dir)/. ./
+
+shared_generate_targets += generate-base

make/_shared/boilerplate/template/boilerplate.go.txt

@@ -0,0 +1,15 @@
+/*
+Copyright The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/

make/_shared/go/01_mod.mk

@@ -20,6 +20,10 @@ ifndef repo_name
 $(error repo_name is not set)
 endif
 
+ifndef golangci_lint_config
+$(error golangci_lint_config is not set)
+endif
+
 golangci_lint_override := $(dir $(lastword $(MAKEFILE_LIST)))/.golangci.override.yaml
 
 .PHONY: go-workspace
@@ -57,27 +61,24 @@ generate-go-mod-tidy: | $(NEEDS_GO)
 
 shared_generate_targets += generate-go-mod-tidy
 
-ifndef govulncheck_skip
+base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
 
-default_govulncheck_generate_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
-# The base directory used to copy the govulncheck GH action from. This can be
-# overwritten with an action with extra authentication or with a totally different
-# pipeline (eg. a GitLab pipeline).
-govulncheck_generate_base_dir ?= $(default_govulncheck_generate_base_dir)
-
-# The org name used in the govulncheck GH action. This is used to prevent the govulncheck job
-# being run on every fork of the repo.
-govulncheck_generate_org ?= cert-manager
+ifndef dont_generate_govulncheck
 
 .PHONY: generate-govulncheck
 ## Generate base files in the repository
 ## @category [shared] Generate/ Verify
 generate-govulncheck:
-	@mkdir -p ./.github/workflows
-	sed 's/ORGNAMEHERE/$(govulncheck_generate_org)/g' $(govulncheck_generate_base_dir)/.github/workflows/govulncheck.yaml > .github/workflows/govulncheck.yaml
+	cp -r $(base_dir)/. ./
+	cd $(base_dir) && \
+		find . -type f | while read file; do \
+			sed "s|{{REPLACE:GH-REPOSITORY}}|$(repo_name:github.com/%=%)|g" "$$file" > "$(CURDIR)/$$file"; \
+		done
 
 shared_generate_targets += generate-govulncheck
 
+endif # dont_generate_govulncheck
+
 .PHONY: verify-govulncheck
 ## Verify all Go modules for vulnerabilities using govulncheck
 ## @category [shared] Generate/ Verify
@@ -103,10 +104,6 @@ verify-govulncheck: | $(NEEDS_GOVULNCHECK)
 				echo ""; \
 			done
 
-endif # govulncheck_skip
-
-ifdef golangci_lint_config
-
 .PHONY: generate-golangci-lint-config
 ## Generate a golangci-lint configuration file
 ## @category [shared] Generate/ Verify
@@ -155,5 +152,3 @@ fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(NEEDS_GCI) $(bin_dir)/
 				popd >/dev/null; \
 				echo ""; \
 			done
-
-endif

make/_shared/go/base/.github/workflows/govulncheck.yaml

@@ -17,10 +17,10 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'ORGNAMEHERE'
+    if: github.repository == '{{REPLACE:GH-REPOSITORY}}'
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option

make/_shared/helm/helm.mk

@@ -16,10 +16,6 @@ ifndef bin_dir
 $(error bin_dir is not set)
 endif
 
-ifndef repo_name
-$(error repo_name is not set)
-endif
-
 ifndef helm_chart_source_dir
 $(error helm_chart_source_dir is not set)
 endif
@@ -32,7 +28,7 @@ ifndef helm_chart_version
 $(error helm_chart_version is not set)
 endif
 ifneq ($(helm_chart_version:v%=v),v)
-$(error helm_chart_version "$(helm_chart_version)" should start with a "v")
+$(error helm_chart_version "$(helm_chart_version)" should start with a "v" - did you forget to pull tags from the remote repository?)
 endif
 
 ifndef helm_values_mutation_function

make/_shared/oci-build/00_mod.mk

@@ -16,11 +16,11 @@ oci_platforms ?= linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
 
 # Use distroless as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static:latest"
-base_image_static := quay.io/jetstack/base-static@sha256:01d887b98d90226dbaeb32b9cab0dbede410a652fa16829c6fd2f94df55d7757
+base_image_static := quay.io/jetstack/base-static@sha256:3644c30edf618b9e84ed98af7f529b1e9e3d67a54fcd557083f91fc991a0031c
 
 # Use custom apko-built image as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static-csi:latest"
-base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:35531ca8c25f441a15b9ae211aaa2a9978334c45dd2a9c130525aa73c8bdf5af
+base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:6adec8e50b746da4a707af588936b02c09126aa1c73035d6e0fb293643479e6d
 
 # Utility functions
 fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set))

make/_shared/repository-base/01_mod.mk

@@ -12,6 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+ifndef repo_name
+$(error repo_name is not set)
+endif
+
 base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
 base_dependabot_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base-dependabot/
 
@@ -21,12 +25,20 @@ ifdef repository_base_no_dependabot
 ## @category [shared] Generate/ Verify
 generate-base:
 	cp -r $(base_dir)/. ./
+	cd $(base_dir) && \
+		find . -type f | while read file; do \
+			sed "s|{{REPLACE:GH-REPOSITORY}}|$(repo_name:github.com/%=%)|g" "$$file" > "$(CURDIR)/$$file"; \
+		done
 else
 .PHONY: generate-base
 ## Generate base files in the repository
 ## @category [shared] Generate/ Verify
 generate-base:
 	cp -r $(base_dir)/. ./
+	cd $(base_dir) && \
+		find . -type f | while read file; do \
+			sed "s|{{REPLACE:GH-REPOSITORY}}|$(repo_name:github.com/%=%)|g" "$$file" > "$(CURDIR)/$$file"; \
+		done
 	cp -r $(base_dependabot_dir)/. ./
 endif
 

make/_shared/repository-base/base-dependabot/.github/dependabot.yaml

@@ -9,12 +9,12 @@ updates:
   schedule:
     interval: daily
   groups:
-    all:
+    all-go-deps:
       patterns: ["*"]
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: daily
   groups:
-    all:
+    all-gh-actions:
       patterns: ["*"]