From 948ecf67d00f1c72689252a9e60942ac193759fa Mon Sep 17 00:00:00 2001 From: Humble Chirammal Date: Fri, 24 May 2024 12:35:25 +0530 Subject: [PATCH] Squashed 'release-tools/' changes from b54c1ba4..49676850 49676850 Merge pull request #254 from bells17/add-github-actions d9bd160c Update skip list in codespell GitHub Action adb3af9d Merge pull request #252 from bells17/update-go-version f5aebfc9 Add GitHub Actions workflows b82ee388 Merge pull request #253 from bells17/fix-typo c3174562 Fix typo 0a785056 Bump to Go 1.22.3 edd89ad5 Merge pull request #251 from jsafrane/add-logcheck 043fd099 Add test-logcheck target d7535ae0 Merge pull request #250 from jsafrane/go-1.22 b52e7ad3 Update go to 1.22.2 14fdb6f6 Merge pull request #247 from msau42/prow dc4d0ae2 Merge pull request #249 from jsafrane/use-go-version e681b170 Use .go-version to get Kubernetes go version 9b4352e9 Update release playbook c7bb972c Fix release notes script to use fixed tags 463a0e9f Add script to update specific go modules git-subtree-dir: release-tools git-subtree-split: 49676850e1c9c41b263720e1756322d9e35edd73 --- .github/dependabot.yaml | 12 +++ .github/workflows/codespell.yml | 15 +++ .github/workflows/trivy.yaml | 29 ++++++ SIDECAR_RELEASE_PROCESS.md | 9 +- build.make | 7 ++ ...otes.sh => generate-patch-release-notes.sh | 14 ++- go-modules-targeted-update.sh | 96 +++++++++++++++++++ prow.sh | 12 ++- verify-logcheck.sh | 37 +++++++ 9 files changed, 221 insertions(+), 10 deletions(-) create mode 100644 .github/dependabot.yaml create mode 100644 .github/workflows/codespell.yml create mode 100644 .github/workflows/trivy.yaml rename generate_patch_release_notes.sh => generate-patch-release-notes.sh (87%) create mode 100755 go-modules-targeted-update.sh create mode 100755 verify-logcheck.sh diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 00000000..814a3449 --- /dev/null +++ b/.github/dependabot.yaml 
@@ -0,0 +1,12 @@
+version: 2
+enable-beta-ecosystems: true
+updates:
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ labels:
+ - "area/dependency"
+ - "release-note-none"
+ - "ok-to-test"
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
new file mode 100644
index 00000000..e74edcef
--- /dev/null
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,15 @@
+# GitHub Action to automate the identification of common misspellings in text files.
+# https://github.com/codespell-project/actions-codespell
+# https://github.com/codespell-project/codespell
+name: codespell
+on: [push, pull_request]
+jobs:
+ codespell:
+ name: Check for spelling errors
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: codespell-project/actions-codespell@master
+ with:
+ check_filenames: true
+ skip: "*.png,*.jpg,*.svg,*.sum,./.git,./.github/workflows/codespell.yml,./prow.sh"
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 00000000..47298478
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,29 @@
+name: Run Trivy scanner for Go version vulnerabilities
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+jobs:
+ trivy:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Get Go version
+ id: go-version
+ run: |
+ GO_VERSION=$(cat prow.sh | grep "configvar CSI_PROW_GO_VERSION_BUILD" | awk '{print $3}' | sed 's/"//g')
+ echo "version=$GO_VERSION" >> $GITHUB_OUTPUT
+
+ - name: Run Trivy scanner for Go version vulnerabilities
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'golang:${{ steps.go-version.outputs.version }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'library'
+ severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
diff --git a/SIDECAR_RELEASE_PROCESS.md b/SIDECAR_RELEASE_PROCESS.md
index 4f5d033c..647d2342 100644
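Review bot: The `labels:` list applies `ok-to-test` to every Dependabot PR, which (assuming Prow gates CI on that label for non-member authors, as it does in kubernetes-csi repos) means bot-authored action bumps run CI with no maintainer in the loop. That is presumably the intent, since the ecosystem is limited to `github-actions` and Dependabot only bumps refs, but it reads like an accident without a note. Add a comment above the entry such as `# ok-to-test: Dependabot action bumps are trusted to run CI without a maintainer's /ok-to-test` so the trade-off is explicit.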
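Review bot: `uses: codespell-project/actions-codespell@master` pulls whatever the third party's branch currently points at on every push and pull request, so a compromised or force-pushed upstream branch runs arbitrary code in this repo's CI; pin it to a full commit SHA with the version in a trailing comment, which the new Dependabot config will then keep current. The workflow also declares no `permissions:`, so the job token gets the repository's default scopes even though the check only needs to read the tree; add `permissions:` / `  contents: read` at the top level. Neither change affects what codespell checks.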
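Review bot: The `Get Go version` step writes whatever the `grep | awk | sed` pipeline produced into `version=` without checking it, so if the `configvar CSI_PROW_GO_VERSION_BUILD` line in prow.sh is ever reworded or moved (the commit list already mentions a `.go-version`-based lookup for another variable) the output is empty and the next step scans `golang:`, i.e. the latest tag, and the workflow goes green for the wrong image. Fail fast when the version is empty, and quote `$GITHUB_OUTPUT`. Separately, `aquasecurity/trivy-action@master` is an unpinned third-party ref executing in CI and should be pinned to a full commit SHA (Dependabot will keep it updated), and the workflow should carry `permissions: contents: read` since it only reads the checkout.
```yaml
name: Run Trivy scanner for Go version vulnerabilities
# … unchanged: on: triggers …
permissions:
  contents: read
jobs:
  trivy:
    # … unchanged: name, runs-on, checkout step …
      - name: Get Go version
        id: go-version
        run: |
          GO_VERSION=$(grep 'configvar CSI_PROW_GO_VERSION_BUILD' prow.sh | awk '{print $3}' | sed 's/"//g')
          if [ -z "$GO_VERSION" ]; then
            echo "could not determine Go version from prow.sh" >&2
            exit 1
          fi
          echo "version=$GO_VERSION" >> "$GITHUB_OUTPUT"
      # … unchanged: trivy step, with uses: pinned to a full commit SHA instead of @master …
```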
--- a/SIDECAR_RELEASE_PROCESS.md +++ b/SIDECAR_RELEASE_PROCESS.md @@ -46,9 +46,12 @@ naming convention `-on-`. ## Release Process 1. Identify all issues and ongoing PRs that should go into the release, and drive them to resolution. -1. Update dependencies for sidecars via - [go-modules-update.sh](https://github.com/kubernetes-csi/csi-driver-host-path/blob/HEAD/release-tools/go-modules-update.sh), - and get PRs approved and merged. +1. Update dependencies for sidecars + 1. For new minor versions, use + [go-modules-update.sh](https://github.com/kubernetes-csi/csi-release-tools/blob/HEAD/go-modules-update.sh), + 1. For CVE fixes on patch versions, use + [go-modules-targeted-update.sh](https://github.com/kubernetes-csi/csi-release-tools/blob/HEAD/go-modules-targeted-update.sh), + Read the instructions at the top of the script. 1. Check that all [canary CI jobs](https://testgrid.k8s.io/sig-storage-csi-ci) are passing, and that test coverage is adequate for the changes that are going into the release. diff --git a/build.make b/build.make index bceab34d..fe120c52 100644 --- a/build.make +++ b/build.make @@ -322,3 +322,10 @@ test-spelling: test-boilerplate: @ echo; echo "### $@:" @ ./release-tools/verify-boilerplate.sh "$(pwd)" + +# Test klog usage. This test is optional and must be explicitly added to `test` target in the main Makefile: +# test: test-logcheck +.PHONY: test-logcheck +test-logcheck: + @ echo; echo "### $@:" + @ ./release-tools/verify-logcheck.sh diff --git a/generate_patch_release_notes.sh b/generate-patch-release-notes.sh similarity index 87% rename from generate_patch_release_notes.sh rename to generate-patch-release-notes.sh index 606c24d2..2b9c13c3 100755 --- a/generate_patch_release_notes.sh +++ b/generate-patch-release-notes.sh 
@@ -48,7 +48,7 @@ function gen_patch_relnotes() { rm out.md || true rm -rf /tmp/k8s-repo || true GITHUB_TOKEN="$CSI_RELEASE_TOKEN" \ - release-notes --discover=patch-to-latest --branch="$2" \ + release-notes --start-rev="$3" --end-rev="$2" --branch="$2" \ --org=kubernetes-csi --repo="$1" \ --required-author="" --markdown-links --output out.md } @@ -57,11 +57,14 @@ for rel in "${releases[@]}"; do read -r repo version <<< "$rel" # Parse minor version - minorPattern="(^[[:digit:]]+\.[[:digit:]]+)\." - [[ "$version" =~ $minorPattern ]] + minorPatchPattern="(^[[:digit:]]+\.[[:digit:]]+)\.([[:digit:]]+)" + [[ "$version" =~ $minorPatchPattern ]] minor="${BASH_REMATCH[1]}" + patch="${BASH_REMATCH[2]}" - echo "$repo" "$version" "$minor" + echo "$repo $version $minor $patch" + prevPatch="$((patch-1))" + prevVer="v$minor.$prevPatch" pushd "$repo/CHANGELOG" @@ -74,7 +77,7 @@ for rel in "${releases[@]}"; do git checkout --track "upstream/release-$minor" -b "$branch" # Generate release notes - gen_patch_relnotes "$repo" "release-$minor" + gen_patch_relnotes "$repo" "release-$minor" "$prevVer" cat > tmp.md <> tmp.md echo >> tmp.md + rm out.md file="CHANGELOG-$minor.md" cat "$file" >> tmp.md diff --git a/go-modules-targeted-update.sh b/go-modules-targeted-update.sh new file mode 100755 index 00000000..52146f31 --- /dev/null +++ b/go-modules-targeted-update.sh 
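Review bot: `gen_patch_relnotes` now reads a third positional argument as `--start-rev="$3"` but nothing asserts it was supplied; with the old `--discover=patch-to-latest` the function was self-contained, and now an omitted argument silently yields `--start-rev=` and release-notes either errors out or, depending on its handling, diffs from the wrong point. Add `: "${3:?previous tag (start-rev) is required}"` at the top of the function alongside the existing guard-free use of `$1` and `$2`. The function's header and the rest of its body are outside this hunk.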
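Review bot: `prevPatch="$((patch-1))"` goes negative for a `.0` release, so a `releases` entry such as `external-attacher 4.5.0` produces `prevVer=v4.5.-1`, which is then handed to `gen_patch_relnotes` as the start revision; nothing in the loop rejects it. Since this script is for patch releases, guard the case explicitly: `if (( patch == 0 )); then echo "$repo $version: not a patch release, skipping" >&2; continue; fi` right after `patch="${BASH_REMATCH[2]}"`. The loop body also never checks that the `[[ … =~ … ]]` match succeeded, so a malformed version leaves `minor`/`patch` empty; `|| { echo "bad version $version" >&2; continue; }` on that line would close both holes. The `for` loop begins and ends outside this hunk.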
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# Usage: go-modules-targeted-update.sh
+#
+# Batch update specific dependencies for sidecars.
+#
+# Required environment variables
+# CSI_RELEASE_TOKEN: Github token needed for generating release notes
+# GITHUB_USER: Github username to create PRs with
+#
+# Instructions:
+# 1. Login with "gh auth login"
+# 2. Copy this script to the Github org directory (one directory above the
+# repos)
+# 3. Change $modules, $releases and $org if needed.
+# 4. Set environment variables
+# 5. Run script from the Github org directory
+#
+# Caveats:
+# - This script doesn't handle interface incompatibility of updates.
+# You need to resolve interface incompatibility case by case. The
+# most frequent case is to update the interface(new parameters,
+# name change of the method, etc.)in the sidecar repo and make sure
+# the build and test pass.
+ + +set -e +set -x + +org="kubernetes-csi" + +modules=( +"github.com/kubernetes-csi/csi-lib-utils@v0.15.1" +) + +releases=( +#"external-attacher release-4.4" +#"external-provisioner release-3.6" +#"external-resizer release-1.9" +#"external-snapshotter release-6.3" +#"node-driver-registrar release-2.9" +) + +for rel in "${releases[@]}"; do + + read -r repo branch <<< "$rel" + if [ "$repo" != "#" ]; then + ( + cd "$repo" + git fetch upstream + + if [ "$(git rev-parse --verify "module-update-$branch" 2>/dev/null)" ]; then + git checkout master && git branch -D "module-update-$branch" + fi + git checkout -B "module-update-$branch" "upstream/$branch" + + for mod in "${modules[@]}"; do + go get "$mod" + done + go mod tidy + go mod vendor + + git add --all + git commit -m "Update go modules" + git push origin "module-update-$branch" --force + + # Create PR +prbody=$(cat </dev/null || mktemp -d -t csi-lib-utils.XXXXXX) +trap 'rm -rf "${CSI_LIB_UTIL_TEMP}"' EXIT + +echo "Installing logcheck to temp dir: sigs.k8s.io/logtools/logcheck@v${LOGCHECK_VERSION}" +GOBIN="${CSI_LIB_UTIL_TEMP}" go install "sigs.k8s.io/logtools/logcheck@v${LOGCHECK_VERSION}" +echo "Verifying logcheck: ${CSI_LIB_UTIL_TEMP}/logcheck -check-contextual ${CSI_LIB_UTIL_ROOT}/..." +"${CSI_LIB_UTIL_TEMP}/logcheck" -check-contextual -check-with-helpers "${CSI_LIB_UTIL_ROOT}/..."
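Review bot: The `if [ "$repo" != "#" ]` guard in the loop is dead code: bash drops `#`-prefixed lines inside the `releases=( … )` literal at parse time, so `${releases[@]}` never contains them and `$repo` can never equal `#`; either delete the test or turn the commented entries into real strings and keep the guard as `[[ "$repo" == \#* ]] && continue`. Two further points on the visible part of the hunk: `git checkout master && git branch -D …` hard-codes `master`, so the branch cleanup fails on a repo whose default branch is named differently, and `set -x` is enabled while the header says `CSI_RELEASE_TOKEN` must be set, so if the part of the script after `prbody=$(cat <<` (garbled in this view) ever places the token on a command line it will be echoed into the trace log — passing it via the environment only, or wrapping that call in `set +x`/`set -x`, avoids that. `git push … --force` onto the user's fork is presumably deliberate for re-runs but deserves a one-line comment.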