Merge pull request #68 from cert-manager/self-upgrade-main

[CI] Merge self-upgrade-main into main
cert-manager · Jul 17, 2024 · d7a3aaf · d7a3aaf
2 parents 0632ecd + 9df030b
commit d7a3aaf
Show file tree

Hide file tree

Showing 12 changed files with 101 additions and 49 deletions.
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
@@ -10,18 +10,21 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

diff --git a/.github/workflows/make-self-upgrade.yaml b/.github/workflows/make-self-upgrade.yaml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   self_upgrade:
     runs-on: ubuntu-latest
@@ -27,13 +30,13 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
@@ -64,7 +67,7 @@ jobs:
           git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { repo, owner } = context.repo;
@@ -77,7 +80,7 @@ jobs:
             });
             
             if (pulls.data.length < 1) {
-              await github.rest.pulls.create({
+              const result = await github.rest.pulls.create({
                 title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
                 owner: owner,
                 repo: repo,
@@ -87,4 +90,10 @@ jobs:
                   'This PR is auto-generated to bump the Makefile modules.',
                 ].join('\n'),
               });
+              await github.rest.issues.addLabels({
+                owner,
+                repo,
+                issue_number: result.data.number,
+                labels: ['skip-review']
+              });
             }
diff --git a/klone.yaml b/klone.yaml
@@ -10,65 +10,65 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/cert-manager
     - folder_name: controller-gen
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/controller-gen
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+      repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
       repo_path: modules/tools
diff --git a/make/_shared/go/base/.github/workflows/govulncheck.yaml b/make/_shared/go/base/.github/workflows/govulncheck.yaml
@@ -10,18 +10,21 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

diff --git a/make/_shared/help/help.sh b/make/_shared/help/help.sh
@@ -71,10 +71,10 @@ done <<< "$raw_expansions"
 
 ## 3. Sort and print the extracted line items
 
-RULE_COLOR="$(tput setaf 6)"
-CATEGORY_COLOR="$(tput setaf 3)"
-CLEAR_STYLE="$(tput sgr0)"
-PURPLE=$(tput setaf 125)
+RULE_COLOR="$(TERM=xterm tput setaf 6)"
+CATEGORY_COLOR="$(TERM=xterm tput setaf 3)"
+CLEAR_STYLE="$(TERM=xterm tput sgr0)"
+PURPLE=$(TERM=xterm tput setaf 125)
 
 extracted_lines=$(echo -e "$extracted_lines" | LC_ALL=C sort -r)
 current_category=""

diff --git a/make/_shared/kind/00_kind_image_versions.mk b/make/_shared/kind/00_kind_image_versions.mk
@@ -0,0 +1,22 @@
+# +skip_license_check
+
+# This file is auto-generated by the learn_tools_shas.kind_images.sh script.
+# Do not edit manually.
+
+kind_image_kindversion := v0.23.0
+
+kind_image_kube_1.25_amd64 := docker.io/kindest/node:v1.25.16@sha256:06bd8a1c3af74cf360a524aa0c4a59922e023a1fb3526ee748609d4823f560f3
+kind_image_kube_1.25_arm64 := docker.io/kindest/node:v1.25.16@sha256:3b2127454d2e55a96e594debf450b80e87fe3273f0c7f74aa0c6be9972b8467e
+kind_image_kube_1.26_amd64 := docker.io/kindest/node:v1.26.15@sha256:ad06ec62683fe300927150377e43df432da2228261bedf8eb2442fe5956d5e58
+kind_image_kube_1.26_arm64 := docker.io/kindest/node:v1.26.15@sha256:73f30c6f49b97aa178d14483dfb3ad47a1e014a53589ec02191c3fcd1df7cb71
+kind_image_kube_1.27_amd64 := docker.io/kindest/node:v1.27.13@sha256:30c5d91cab1f2915ad61f38b6279254397c433fc745b74533daa3c1e16617326
+kind_image_kube_1.27_arm64 := docker.io/kindest/node:v1.27.13@sha256:f72a6686e25f80052f37b177215a0a353ed23718d8ee2739cc17cfdb4b8feffb
+kind_image_kube_1.28_amd64 := docker.io/kindest/node:v1.28.9@sha256:9ba4d311e7861d27b210e5960e5ce921a7c53d3c67e0545fd8a1cb9a76dfa2cb
+kind_image_kube_1.28_arm64 := docker.io/kindest/node:v1.28.9@sha256:2bbf55860a6d38e25e5db113a1035f2286c87fb4f7b1594cfc3643a17b59351f
+kind_image_kube_1.29_amd64 := docker.io/kindest/node:v1.29.4@sha256:ea40a6bd365a17f71fd3883a1d34a0791d7d6b0eb75832c6d85b6f2326827f1e
+kind_image_kube_1.29_arm64 := docker.io/kindest/node:v1.29.4@sha256:e63a7f74e80b746328fbaa70be406639d0c31c8c8cf0a3d57efdd23c64fe4bba
+kind_image_kube_1.30_amd64 := docker.io/kindest/node:v1.30.0@sha256:2af5d1b382926abcd6336312d652cd045b7cc47475844a608669c71b1fefcfbc
+kind_image_kube_1.30_arm64 := docker.io/kindest/node:v1.30.0@sha256:5e4ce6f9033bdb9ce81a7fd699c8e67cfcacfab57076058e3e6f33c32036b42b
+
+kind_image_latest_amd64 := $(kind_image_kube_1.30_amd64)
+kind_image_latest_arm64 := $(kind_image_kube_1.30_arm64)
diff --git a/make/_shared/kind/00_mod.mk b/make/_shared/kind/00_mod.mk
@@ -12,17 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+include $(dir $(lastword $(MAKEFILE_LIST)))/00_kind_image_versions.mk
+
 images_amd64 ?=
 images_arm64 ?=
 
-kind_k8s_version := v1.29.4
-
-# Goto https://github.com/kubernetes-sigs/kind/releases/tag/<KIND-VERSION> and find the
-# multi-arch digest for the image you want to use. Then use crane to get the platform
-# specific digest. For example (digest is the multi-arch digest from the release page):
-# digest="sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245"
-# crane digest --platform=linux/amd64 docker.io/kindest/node@$digest
-# crane digest --platform=linux/arm64 docker.io/kindest/node@$digest
-
-images_amd64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:ea40a6bd365a17f71fd3883a1d34a0791d7d6b0eb75832c6d85b6f2326827f1e
-images_arm64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:e63a7f74e80b746328fbaa70be406639d0c31c8c8cf0a3d57efdd23c64fe4bba
+images_amd64 += $(kind_image_latest_amd64)
+images_arm64 += $(kind_image_latest_arm64)
diff --git a/make/_shared/kind/kind-image-preload.mk b/make/_shared/kind/kind-image-preload.mk
@@ -32,6 +32,11 @@ images_files := $(foreach image,$(images),$(subst :,+,$(image)))
 images_tar_dir := $(bin_dir)/downloaded/containers/$(HOST_ARCH)
 images_tars := $(images_files:%=$(images_tar_dir)/%.tar)
 
+# Download the images as tarballs. We must use the tag because the digest
+# will change after we docker import the image. The tag is the only way to
+# reference the image after it has been imported. Before downloading the
+# image, we check that the provided digest matches the digest of the image
+# that we are about to pull.
 $(images_tars): $(images_tar_dir)/%.tar: | $(NEEDS_CRANE)
 	@$(eval image=$(subst +,:,$*))
 	@$(eval image_without_digest=$(shell cut -d@ -f1 <<<"$(image)"))

diff --git a/make/_shared/kind/kind.mk b/make/_shared/kind/kind.mk
@@ -39,7 +39,7 @@ $(bin_dir)/scratch/cluster-check: FORCE | $(NEEDS_KIND) $(bin_dir)/scratch
 	$(eval export KUBECONFIG=$(absolute_kubeconfig))
 
 kind_post_create_hook ?= 
-$(kind_kubeconfig): $(kind_cluster_config) $(bin_dir)/scratch/cluster-check | images-preload $(bin_dir)/scratch $(NEEDS_KIND) $(NEEDS_KUBECTL)
+$(kind_kubeconfig): $(kind_cluster_config) $(bin_dir)/scratch/cluster-check | images-preload $(bin_dir)/scratch $(NEEDS_KIND) $(NEEDS_KUBECTL) $(NEEDS_CTR)
 	@[ -f "$(bin_dir)/scratch/cluster-check" ] && ( \
 		$(KIND) delete cluster --name $(kind_cluster_name); \
 		$(CTR) load -i $(docker.io/kindest/node.TAR); \

diff --git a/make/_shared/oci-build/00_mod.mk b/make/_shared/oci-build/00_mod.mk
@@ -16,11 +16,11 @@ oci_platforms ?= linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
 
 # Use distroless as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static:latest"
-base_image_static := quay.io/jetstack/base-static@sha256:23631cd1be9a63515cb5975e783284b209f7f9a449c02bb117f2a15413e13bfa
+base_image_static := quay.io/jetstack/base-static@sha256:262e3020adb3b09ddbf9cd8fe672330451a556c8e7024142fa205c8876c3fd75
 
 # Use custom apko-built image as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static-csi:latest"
-base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:95b33b948da3790ac09f112486a1e9f10e3e705cfacc159cb7b12429b874c78f
+base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:f776795838d73f9836b134f688b4c827fcd7ed22f46d3cefcb9f57d668388fef
 
 # Utility functions
 fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set))

diff --git a/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml b/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   self_upgrade:
     runs-on: ubuntu-latest
@@ -27,13 +30,13 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
@@ -64,7 +67,7 @@ jobs:
           git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { repo, owner } = context.repo;
@@ -77,7 +80,7 @@ jobs:
             });
             
             if (pulls.data.length < 1) {
-              await github.rest.pulls.create({
+              const result = await github.rest.pulls.create({
                 title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
                 owner: owner,
                 repo: repo,
@@ -87,4 +90,10 @@ jobs:
                   'This PR is auto-generated to bump the Makefile modules.',
                 ].join('\n'),
               });
+              await github.rest.issues.addLabels({
+                owner,
+                repo,
+                issue_number: result.data.number,
+                labels: ['skip-review']
+              });
             }
diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk
@@ -42,7 +42,13 @@ for_each_kv = $(foreach item,$2,$(eval $(call $1,$(word 1,$(subst =, ,$(item))),
 # variables: https://stackoverflow.com/questions/54726457
 export PATH := $(CURDIR)/$(bin_dir)/tools:$(PATH)
 
-CTR=docker
+CTR ?= docker
+.PHONY: __require-ctr
+ifneq ($(shell command -v $(CTR) >/dev/null || echo notfound),)
+__require-ctr:
+	@:$(error "$(CTR) (or set CTR to a docker-compatible tool)")
+endif
+NEEDS_CTR = __require-ctr
 
 tools :=
 # https://github.com/helm/helm/releases
@@ -241,8 +247,13 @@ detected_vendoring := $(findstring vendor-go,$(MAKECMDGOALS))$(shell [ -f $(bin_
 export VENDOR_GO ?= $(detected_vendoring)
 
 ifeq ($(VENDOR_GO),)
+.PHONY: __require-go
+ifneq ($(shell command -v go >/dev/null || echo notfound),)
+__require-go:
+	@:$(error "$(GO) (or run 'make vendor-go')")
+endif
 GO := go
-NEEDS_GO := #
+NEEDS_GO = __require-go
 else
 export GOROOT := $(CURDIR)/$(bin_dir)/tools/goroot
 export PATH := $(CURDIR)/$(bin_dir)/tools/goroot/bin:$(PATH)
@@ -604,10 +615,7 @@ $(DOWNLOAD_DIR)/tools/preflight@$(PREFLIGHT_VERSION)_linux_$(HOST_ARCH): | $(DOW
 missing=$(shell (command -v curl >/dev/null || echo curl) \
              && (command -v sha256sum >/dev/null || command -v shasum >/dev/null || echo sha256sum) \
              && (command -v git >/dev/null || echo git) \
-             && (command -v rsync >/dev/null || echo rsync) \
-             && ([ -n "$(findstring vendor-go,$(MAKECMDGOALS),)" ] \
-                || command -v $(GO) >/dev/null || echo "$(GO) (or run 'make vendor-go')") \
-             && (command -v $(CTR) >/dev/null || echo "$(CTR) (or set CTR to a docker-compatible tool)"))
+             && (command -v rsync >/dev/null || echo rsync))
 ifneq ($(missing),)
 $(error Missing required tools: $(missing))
 endif