chore: pin hugo version and deps with go.mod

Copy go.mod and go.sum into the site dev container and use them to
pin the versions and checksums for hugo and its dependencies.

Modify `make container-image` to update the pinned version of hugo
to match HUGO_VERSION in netlify.toml, instead of passing in the
version as a build-arg.

This should help reduce risk of importing newer dependency versions
that haven't passed vulnerability checks.

go.work

@@ -49,4 +49,5 @@ use (
 	./plugin/someteam.example.com/v1/stringprefixer
 	./plugin/someteam.example.com/v1/validator
 	./plugin/untested/v1/gogetter
+	./site/tools
 )

site/Dockerfile

@@ -13,13 +13,11 @@ RUN apk add --no-cache \
     build-base \
     libc6-compat
 
-ARG HUGO_VERSION
-
-RUN mkdir $HOME/src && \
-    cd $HOME/src && \
-    curl -L https://github.com/gohugoio/hugo/archive/refs/tags/v${HUGO_VERSION}.tar.gz | tar -xz && \
-    cd "hugo-${HUGO_VERSION}" && \
-    go install --tags extended
+RUN mkdir -p /go/src/sigs.k8s.io/kustomize/site/tools
+WORKDIR /go/src/sigs.k8s.io/kustomize/site/tools
+COPY tools/go.mod ./
+COPY tools/go.sum ./
+RUN go install --tags extended github.com/gohugoio/hugo
 
 FROM docker.io/library/golang:1.20-alpine
 

site/Makefile

@@ -43,13 +43,22 @@ build-preview: module-check ## Build site with drafts and future posts enabled
 serve: module-check ## Boot the development server.
 	hugo server --buildFuture --environment development
 
+## Update the hugo version in tools/go.mod to match HUGO_VERSION in netlify.toml
+.PHONY: tools
+tools: netlify.toml
+	@echo "Hugo: v$(HUGO_VERSION)"
+	@set -euo pipefail && cd tools && \
+		sed -e "/github.com\/gohugoio\/hugo/ s/v[0-9]\+\.[0-9]\+\.[0-9]\+/v$(HUGO_VERSION)/" go.mod > go.mod.next && \
+		mv go.mod.next go.mod && \
+		echo "Updated tools/go.mod"
+	cd tools && go mod tidy
+
 ## Build a container image for the preview of the website
 .PHONY: container-image
-container-image: netlify.toml Dockerfile hugo.toml
+container-image: tools netlify.toml Dockerfile hugo.toml
 	$(CONTAINER_ENGINE) build . \
 		--network=host \
-		--tag $(CONTAINER_IMAGE) \
-		--build-arg HUGO_VERSION=$(HUGO_VERSION)
+		--tag $(CONTAINER_IMAGE)
 
 # no build lock to allow for read-only mounts
 ## Boot the development server using container.

site/netlify.toml

@@ -4,7 +4,7 @@ command = "git submodule update --init --recursive --depth 1 && hugo"
 publish = "publishedSite/"
 
 [build.environment]
-HUGO_VERSION = "0.120.3"
+HUGO_VERSION = "0.120.4"
 NODE_ENV = "development"
 NETLIFY_BUILD_DEBUG = "true"
 

site/tools/go.mod

@@ -0,0 +1,154 @@
+module sigs.k8s.io/kustomize/site/tools
+
+go 1.20
+
+require github.com/gohugoio/hugo v0.120.4
+
+require (
+	cloud.google.com/go v0.110.7 // indirect
+	cloud.google.com/go/compute v1.23.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/iam v1.1.1 // indirect
+	cloud.google.com/go/storage v1.31.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
+	github.com/BurntSushi/locker v0.0.0-20171006230638-a6e239ea1c69 // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/alecthomas/chroma/v2 v2.10.0 // indirect
+	github.com/armon/go-radix v1.0.0 // indirect
+	github.com/aws/aws-sdk-go v1.45.14 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.20.0 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.11 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.18.32 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.31 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.7 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.76 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.37 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.31 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.38 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.32 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.31 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.38.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.13.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.21.1 // indirect
+	github.com/aws/smithy-go v1.14.0 // indirect
+	github.com/bep/clocks v0.5.0 // indirect
+	github.com/bep/debounce v1.2.0 // indirect
+	github.com/bep/gitmap v1.1.2 // indirect
+	github.com/bep/goat v0.5.0 // indirect
+	github.com/bep/godartsass v1.2.0 // indirect
+	github.com/bep/godartsass/v2 v2.0.0 // indirect
+	github.com/bep/golibsass v1.1.1 // indirect
+	github.com/bep/gowebp v0.2.0 // indirect
+	github.com/bep/lazycache v0.2.0 // indirect
+	github.com/bep/logg v0.3.0 // indirect
+	github.com/bep/mclib v1.20400.20402 // indirect
+	github.com/bep/overlayfs v0.6.0 // indirect
+	github.com/bep/simplecobra v0.3.2 // indirect
+	github.com/bep/tmc v0.5.1 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cli/safeexec v1.0.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/disintegration/gift v1.2.1 // indirect
+	github.com/dlclark/regexp2 v1.10.0 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/evanw/esbuild v0.19.5 // indirect
+	github.com/fatih/color v1.15.0 // indirect
+	github.com/frankban/quicktest v1.14.6 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/getkin/kin-openapi v0.120.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/gobuffalo/flect v1.0.2 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/gohugoio/go-i18n/v2 v2.1.3-0.20230805085216-e63c13218d0e // indirect
+	github.com/gohugoio/locales v0.14.0 // indirect
+	github.com/gohugoio/localescompressed v1.0.1 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/s2a-go v0.1.5 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/google/wire v0.5.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/hairyhenderson/go-codeowners v0.4.0 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/invopop/yaml v0.2.0 // indirect
+	github.com/jdkato/prose v1.2.1 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/kyokomi/emoji/v2 v2.2.12 // indirect
+	github.com/magefile/mage v1.15.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/marekm4/color-extractor v1.2.1 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/mitchellh/hashstructure v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
+	github.com/muesli/smartcrop v0.3.0 // indirect
+	github.com/niklasfasching/go-org v1.7.0 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/perimeterx/marshmallow v1.1.5 // indirect
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd // indirect
+	github.com/sanity-io/litter v1.5.5 // indirect
+	github.com/spf13/afero v1.10.0 // indirect
+	github.com/spf13/cast v1.5.1 // indirect
+	github.com/spf13/cobra v1.7.0 // indirect
+	github.com/spf13/fsync v0.9.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/tdewolff/minify/v2 v2.20.5 // indirect
+	github.com/tdewolff/parse/v2 v2.7.3 // indirect
+	github.com/yuin/goldmark v1.6.0 // indirect
+	github.com/yuin/goldmark-emoji v1.0.2 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/automaxprocs v1.5.3 // indirect
+	gocloud.dev v0.34.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/exp v0.0.0-20221031165847-c99f073a8326 // indirect
+	golang.org/x/image v0.13.0 // indirect
+	golang.org/x/mod v0.13.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/oauth2 v0.11.0 // indirect
+	golang.org/x/sync v0.4.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/tools v0.14.0 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	google.golang.org/api v0.138.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 // indirect
+	google.golang.org/grpc v1.57.0 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	howett.net/plist v1.0.0 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.2.0 // indirect
+)