[CI] Merge self-upgrade-main into main

.github/workflows/govulncheck.yaml

@@ -10,18 +10,21 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

.github/workflows/make-self-upgrade.yaml

@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   self_upgrade:
     runs-on: ubuntu-latest
@@ -27,13 +30,13 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
@@ -64,7 +67,7 @@ jobs:
           git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { repo, owner } = context.repo;
@@ -77,7 +80,7 @@ jobs:
             });
 
             if (pulls.data.length < 1) {
-              await github.rest.pulls.create({
+              const result = await github.rest.pulls.create({
                 title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
                 owner: owner,
                 repo: repo,
@@ -87,4 +90,10 @@ jobs:
                   'This PR is auto-generated to bump the Makefile modules.',
                 ].join('\n'),
               });
+              await github.rest.issues.addLabels({
+                owner,
+                repo,
+                issue_number: result.data.number,
+                labels: ['skip-review']
+              });
             }

klone.yaml

@@ -9,60 +9,60 @@ targets:
     - folder_name: api-docs
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 652f41ca2a789690977902191af89b423482853f
       repo_path: modules/api-docs
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/cert-manager
     - folder_name: controller-gen
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/controller-gen
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/go
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/oci-build
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: adb1dd2ffdb07aae9aea40c201633c7ae59714d8
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/tools

make/_shared/go/01_mod.mk

@@ -23,6 +23,41 @@ endif
 go_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
 golangci_lint_override := $(dir $(lastword $(MAKEFILE_LIST)))/.golangci.override.yaml
 
+.PHONY: go-workspace
+go-workspace: export GOWORK?=$(abspath go.work)
+## Create a go.work file in the repository root (or GOWORK)
+##
+## @category Development
+go-workspace: | $(NEEDS_GO)
+	@rm -f $(GOWORK)
+	$(GO) work init
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
+		| while read d; do \
+				target=$$(dirname $${d}); \
+				$(GO) work use "$${target}"; \
+			done
+
+.PHONY: go-tidy
+## Alias for `make generate-go-mod-tidy`
+## @category [shared] Generate/ Verify
+go-tidy: generate-go-mod-tidy
+
+.PHONY: generate-go-mod-tidy
+## Run `go mod tidy` on all Go modules
+## @category [shared] Generate/ Verify
+generate-go-mod-tidy: | $(NEEDS_GO)
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
+		| while read d; do \
+				target=$$(dirname $${d}); \
+				echo "Running 'go mod tidy' in directory '$${target}'"; \
+				pushd "$${target}" >/dev/null; \
+				$(GO) mod tidy || exit; \
+				popd >/dev/null; \
+				echo ""; \
+			done
+
+shared_generate_targets += generate-go-mod-tidy
+
 .PHONY: generate-govulncheck
 ## Generate base files in the repository
 ## @category [shared] Generate/ Verify

make/_shared/go/base/.github/workflows/govulncheck.yaml

@@ -10,18 +10,21 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

make/_shared/help/help.sh

@@ -71,10 +71,10 @@ done <<< "$raw_expansions"
 
 ## 3. Sort and print the extracted line items
 
-RULE_COLOR="$(tput setaf 6)"
-CATEGORY_COLOR="$(tput setaf 3)"
-CLEAR_STYLE="$(tput sgr0)"
-PURPLE=$(tput setaf 125)
+RULE_COLOR="$(TERM=xterm tput setaf 6)"
+CATEGORY_COLOR="$(TERM=xterm tput setaf 3)"
+CLEAR_STYLE="$(TERM=xterm tput sgr0)"
+PURPLE=$(TERM=xterm tput setaf 125)
 
 extracted_lines=$(echo -e "$extracted_lines" | LC_ALL=C sort -r)
 current_category=""

make/_shared/kind/00_kind_image_versions.mk

@@ -0,0 +1,22 @@
+# +skip_license_check
+
+# This file is auto-generated by the learn_tools_shas.kind_images.sh script.
+# Do not edit manually.
+
+kind_image_kindversion := v0.23.0
+
+kind_image_kube_1.25_amd64 := docker.io/kindest/node:v1.25.16@sha256:06bd8a1c3af74cf360a524aa0c4a59922e023a1fb3526ee748609d4823f560f3
+kind_image_kube_1.25_arm64 := docker.io/kindest/node:v1.25.16@sha256:3b2127454d2e55a96e594debf450b80e87fe3273f0c7f74aa0c6be9972b8467e
+kind_image_kube_1.26_amd64 := docker.io/kindest/node:v1.26.15@sha256:ad06ec62683fe300927150377e43df432da2228261bedf8eb2442fe5956d5e58
+kind_image_kube_1.26_arm64 := docker.io/kindest/node:v1.26.15@sha256:73f30c6f49b97aa178d14483dfb3ad47a1e014a53589ec02191c3fcd1df7cb71
+kind_image_kube_1.27_amd64 := docker.io/kindest/node:v1.27.13@sha256:30c5d91cab1f2915ad61f38b6279254397c433fc745b74533daa3c1e16617326
+kind_image_kube_1.27_arm64 := docker.io/kindest/node:v1.27.13@sha256:f72a6686e25f80052f37b177215a0a353ed23718d8ee2739cc17cfdb4b8feffb
+kind_image_kube_1.28_amd64 := docker.io/kindest/node:v1.28.9@sha256:9ba4d311e7861d27b210e5960e5ce921a7c53d3c67e0545fd8a1cb9a76dfa2cb
+kind_image_kube_1.28_arm64 := docker.io/kindest/node:v1.28.9@sha256:2bbf55860a6d38e25e5db113a1035f2286c87fb4f7b1594cfc3643a17b59351f
+kind_image_kube_1.29_amd64 := docker.io/kindest/node:v1.29.4@sha256:ea40a6bd365a17f71fd3883a1d34a0791d7d6b0eb75832c6d85b6f2326827f1e
+kind_image_kube_1.29_arm64 := docker.io/kindest/node:v1.29.4@sha256:e63a7f74e80b746328fbaa70be406639d0c31c8c8cf0a3d57efdd23c64fe4bba
+kind_image_kube_1.30_amd64 := docker.io/kindest/node:v1.30.0@sha256:2af5d1b382926abcd6336312d652cd045b7cc47475844a608669c71b1fefcfbc
+kind_image_kube_1.30_arm64 := docker.io/kindest/node:v1.30.0@sha256:5e4ce6f9033bdb9ce81a7fd699c8e67cfcacfab57076058e3e6f33c32036b42b
+
+kind_image_latest_amd64 := $(kind_image_kube_1.30_amd64)
+kind_image_latest_arm64 := $(kind_image_kube_1.30_arm64)

make/_shared/kind/00_mod.mk

@@ -12,17 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+include $(dir $(lastword $(MAKEFILE_LIST)))/00_kind_image_versions.mk
+
 images_amd64 ?=
 images_arm64 ?=
 
-kind_k8s_version := v1.29.4
-
-# Goto https://github.com/kubernetes-sigs/kind/releases/tag/<KIND-VERSION> and find the
-# multi-arch digest for the image you want to use. Then use crane to get the platform
-# specific digest. For example (digest is the multi-arch digest from the release page):
-# digest="sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245"
-# crane digest --platform=linux/amd64 docker.io/kindest/node@$digest
-# crane digest --platform=linux/arm64 docker.io/kindest/node@$digest
-
-images_amd64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:ea40a6bd365a17f71fd3883a1d34a0791d7d6b0eb75832c6d85b6f2326827f1e
-images_arm64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:e63a7f74e80b746328fbaa70be406639d0c31c8c8cf0a3d57efdd23c64fe4bba
+images_amd64 += $(kind_image_latest_amd64)
+images_arm64 += $(kind_image_latest_arm64)

make/_shared/kind/kind-image-preload.mk

@@ -32,6 +32,11 @@ images_files := $(foreach image,$(images),$(subst :,+,$(image)))
 images_tar_dir := $(bin_dir)/downloaded/containers/$(HOST_ARCH)
 images_tars := $(images_files:%=$(images_tar_dir)/%.tar)
 
+# Download the images as tarballs. We must use the tag because the digest
+# will change after we docker import the image. The tag is the only way to
+# reference the image after it has been imported. Before downloading the
+# image, we check that the provided digest matches the digest of the image
+# that we are about to pull.
 $(images_tars): $(images_tar_dir)/%.tar: | $(NEEDS_CRANE)
 	@$(eval image=$(subst +,:,$*))
 	@$(eval image_without_digest=$(shell cut -d@ -f1 <<<"$(image)"))

make/_shared/kind/kind.mk

@@ -39,7 +39,7 @@ $(bin_dir)/scratch/cluster-check: FORCE | $(NEEDS_KIND) $(bin_dir)/scratch
 	$(eval export KUBECONFIG=$(absolute_kubeconfig))
 
 kind_post_create_hook ?= 
-$(kind_kubeconfig): $(kind_cluster_config) $(bin_dir)/scratch/cluster-check | images-preload $(bin_dir)/scratch $(NEEDS_KIND) $(NEEDS_KUBECTL)
+$(kind_kubeconfig): $(kind_cluster_config) $(bin_dir)/scratch/cluster-check | images-preload $(bin_dir)/scratch $(NEEDS_KIND) $(NEEDS_KUBECTL) $(NEEDS_CTR)
 	@[ -f "$(bin_dir)/scratch/cluster-check" ] && ( \
 		$(KIND) delete cluster --name $(kind_cluster_name); \
 		$(CTR) load -i $(docker.io/kindest/node.TAR); \

make/_shared/oci-build/00_mod.mk

@@ -16,11 +16,11 @@ oci_platforms ?= linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
 
 # Use distroless as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static:latest"
-base_image_static := quay.io/jetstack/base-static@sha256:23631cd1be9a63515cb5975e783284b209f7f9a449c02bb117f2a15413e13bfa
+base_image_static := quay.io/jetstack/base-static@sha256:262e3020adb3b09ddbf9cd8fe672330451a556c8e7024142fa205c8876c3fd75
 
 # Use custom apko-built image as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static-csi:latest"
-base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:95b33b948da3790ac09f112486a1e9f10e3e705cfacc159cb7b12429b874c78f
+base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:f776795838d73f9836b134f688b4c827fcd7ed22f46d3cefcb9f57d668388fef
 
 # Utility functions
 fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set))

make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml

@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   self_upgrade:
     runs-on: ubuntu-latest
@@ -27,13 +30,13 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
@@ -64,7 +67,7 @@ jobs:
           git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { repo, owner } = context.repo;
@@ -77,7 +80,7 @@ jobs:
             });
 
             if (pulls.data.length < 1) {
-              await github.rest.pulls.create({
+              const result = await github.rest.pulls.create({
                 title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
                 owner: owner,
                 repo: repo,
@@ -87,4 +90,10 @@ jobs:
                   'This PR is auto-generated to bump the Makefile modules.',
                 ].join('\n'),
               });
+              await github.rest.issues.addLabels({
+                owner,
+                repo,
+                issue_number: result.data.number,
+                labels: ['skip-review']
+              });
             }