[VC-45002] Upgrade makefile modules to the latest version

.github/chainguard/make-self-upgrade.sts.yaml

@@ -0,0 +1,10 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:jetstack/jetstack-secure:ref:refs/heads/(main|master)$
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write

.github/chainguard/renovate.sts.yaml

@@ -0,0 +1,14 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/renovate.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:jetstack/jetstack-secure:ref:refs/heads/(main|master)$
+
+permissions:
+  administration: read
+  contents: write
+  issues: write
+  pull_requests: write
+  security_events: read
+  statuses: write
+  workflows: write

.github/dependabot.yaml

@@ -9,12 +9,12 @@ updates:
   schedule:
     interval: daily
   groups:
-    all:
+    all-go-deps:
       patterns: ["*"]
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: daily
   groups:
-    all:
+    all-gh-actions:
       patterns: ["*"]

.github/renovate.json5

@@ -0,0 +1,6 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'github>cert-manager/renovate-config:default.json5',
+  ],
+}

.github/workflows/govulncheck.yaml

@@ -21,10 +21,10 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'jetstack'
+    if: github.repository == 'jetstack/jetstack-secure'
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option

.github/workflows/make-self-upgrade.yaml

@@ -15,11 +15,10 @@ jobs:
   self_upgrade:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'cert-manager'
+    if: github.repository == 'jetstack/jetstack-secure'
 
     permissions:
-      contents: write
-      pull-requests: write
+      id-token: write
 
     env:
       SOURCE_BRANCH: "${{ github.ref_name }}"
@@ -32,17 +31,26 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # v1.0.1
+        id: octo-sts
+        with:
+          scope: 'jetstack/jetstack-secure'
+          identity: make-self-upgrade
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
-        with: { fetch-depth: 0 }
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
@@ -73,8 +81,9 @@ jobs:
           git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
           script: |
             const { repo, owner } = context.repo;
             const pulls = await github.rest.pulls.list({
@@ -100,6 +109,6 @@ jobs:
                 owner,
                 repo,
                 issue_number: result.data.number,
-                labels: ['skip-review']
+                labels: ['ok-to-test', 'skip-review', 'release-note-none', 'kind/cleanup']
               });
             }

.github/workflows/renovate.yaml

@@ -0,0 +1,62 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/renovate.yaml instead.
+
+name: Renovate
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 2 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+
+    if: github.repository == 'jetstack/jetstack-secure'
+
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Fail if branch is not head of branch.
+        if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
+        run: |
+          echo "This workflow should not be run on a non-branch-head."
+          exit 1
+
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # v1.0.1
+        id: octo-sts
+        with:
+          scope: 'jetstack/jetstack-secure'
+          identity: renovate
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@7876d7a812254599d262d62b6b2c2706018258a2 # v43.0.10
+        with:
+          configurationFile: .github/renovate.json5
+          token: ${{ steps.octo-sts.outputs.token }}
+        env:
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+          RENOVATE_ONBOARDING: "false"
+          RENOVATE_PLATFORM: "github"
+          LOG_LEVEL: "debug"
+          RENOVATE_ALLOWED_COMMANDS: '[".*"]'

Makefile

@@ -39,7 +39,7 @@
 # For details on some of these "prelude" settings, see:
 # https://clarkgrubb.com/makefile-style-guide
 MAKEFLAGS += --warn-undefined-variables --no-builtin-rules
-SHELL := /usr/bin/env bash
+SHELL := /usr/bin/env PS1="" bash
 .SHELLFLAGS := -uo pipefail -c
 .DEFAULT_GOAL := help
 .DELETE_ON_ERROR:

klone.yaml

@@ -10,55 +10,55 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/klone
     - folder_name: licenses
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/licenses
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/tools

make/00_mod.mk

@@ -1,4 +1,10 @@
-repo_name := github.com/jetstack/preflight
+repo_name := github.com/jetstack/jetstack-secure
+# TODO(wallrj): This is a hack to allow use the old preflight repo name in the
+# gci section of the golangci-lint config until we can rename the go module.
+# Without this hack, golangci-lint will complain that the
+# github.com/jetstack/preflight imports should be grouped with all the other
+# third-party modules.
+generate-golangci-lint-config: repo_name := github.com/jetstack/preflight
 
 license_ignore := gitlab.com/venafi,github.com/jetstack
 
@@ -42,9 +48,9 @@ helm_chart_image_name := quay.io/jetstack/charts/venafi-kubernetes-agent
 helm_chart_version := $(VERSION)
 helm_labels_template_name := preflight.labels
 
-# We skip using the upstream govulncheck targets because we need to customise the workflow YAML
+# We skip using the upstream govulncheck generate target because we need to customise the workflow YAML
 # locally. We provide the targets in this repo instead, and manually maintain the workflow.
-govulncheck_skip := true
+dont_generate_govulncheck := true
 
 helm_image_name ?= $(oci_preflight_image_name)
 helm_image_tag ?= $(oci_preflight_image_tag)

make/_shared/go/01_mod.mk

@@ -20,6 +20,10 @@ ifndef repo_name
 $(error repo_name is not set)
 endif
 
+ifndef golangci_lint_config
+$(error golangci_lint_config is not set)
+endif
+
 golangci_lint_override := $(dir $(lastword $(MAKEFILE_LIST)))/.golangci.override.yaml
 
 .PHONY: go-workspace
@@ -51,33 +55,31 @@ generate-go-mod-tidy: | $(NEEDS_GO)
 				echo "Running 'go mod tidy' in directory '$${target}'"; \
 				pushd "$${target}" >/dev/null; \
 				$(GO) mod tidy || exit; \
+				$(GO) get toolchain@none || exit; \
 				popd >/dev/null; \
 				echo ""; \
 			done
 
-shared_generate_targets += generate-go-mod-tidy
+shared_generate_targets := generate-go-mod-tidy $(shared_generate_targets)
 
-ifndef govulncheck_skip
+ifndef dont_generate_govulncheck
 
-default_govulncheck_generate_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
-# The base directory used to copy the govulncheck GH action from. This can be
-# overwritten with an action with extra authentication or with a totally different
-# pipeline (eg. a GitLab pipeline).
-govulncheck_generate_base_dir ?= $(default_govulncheck_generate_base_dir)
-
-# The org name used in the govulncheck GH action. This is used to prevent the govulncheck job
-# being run on every fork of the repo.
-govulncheck_generate_org ?= cert-manager
+govulncheck_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
 
 .PHONY: generate-govulncheck
 ## Generate base files in the repository
 ## @category [shared] Generate/ Verify
 generate-govulncheck:
-	@mkdir -p ./.github/workflows
-	sed 's/ORGNAMEHERE/$(govulncheck_generate_org)/g' $(govulncheck_generate_base_dir)/.github/workflows/govulncheck.yaml > .github/workflows/govulncheck.yaml
+	cp -r $(govulncheck_base_dir)/. ./
+	cd $(govulncheck_base_dir) && \
+		find . -type f | while read file; do \
+			sed "s|{{REPLACE:GH-REPOSITORY}}|$(repo_name:github.com/%=%)|g" "$$file" > "$(CURDIR)/$$file"; \
+		done
 
 shared_generate_targets += generate-govulncheck
 
+endif # dont_generate_govulncheck
+
 .PHONY: verify-govulncheck
 ## Verify all Go modules for vulnerabilities using govulncheck
 ## @category [shared] Generate/ Verify
@@ -103,10 +105,6 @@ verify-govulncheck: | $(NEEDS_GOVULNCHECK)
 				echo ""; \
 			done
 
-endif # govulncheck_skip
-
-ifdef golangci_lint_config
-
 .PHONY: generate-golangci-lint-config
 ## Generate a golangci-lint configuration file
 ## @category [shared] Generate/ Verify
@@ -155,5 +153,3 @@ fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(NEEDS_GCI) $(bin_dir)/
 				popd >/dev/null; \
 				echo ""; \
 			done
-
-endif

make/_shared/go/base/.github/workflows/govulncheck.yaml

@@ -17,10 +17,10 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'ORGNAMEHERE'
+    if: github.repository == '{{REPLACE:GH-REPOSITORY}}'
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
@@ -30,7 +30,7 @@ jobs:
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}