diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index 405e8de..bba5726 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -10,18 +10,21 @@ on:
schedule:
- cron: '0 0 * * *'
+permissions:
+ contents: read
+
jobs:
govulncheck:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- id: go-version
run: |
make print-go-version >> "$GITHUB_OUTPUT"
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ steps.go-version.outputs.result }}
diff --git a/.github/workflows/make-self-upgrade.yaml b/.github/workflows/make-self-upgrade.yaml
index 93beedf..2c6feca 100644
--- a/.github/workflows/make-self-upgrade.yaml
+++ b/.github/workflows/make-self-upgrade.yaml
@@ -8,6 +8,9 @@ on:
schedule:
- cron: '0 0 * * *'
+permissions:
+ contents: read
+
jobs:
self_upgrade:
runs-on: ubuntu-latest
@@ -27,13 +30,13 @@ jobs:
echo "This workflow should not be run on a non-branch-head."
exit 1
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- id: go-version
run: |
make print-go-version >> "$GITHUB_OUTPUT"
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ steps.go-version.outputs.result }}
@@ -64,7 +67,7 @@ jobs:
git push -f origin "$SELF_UPGRADE_BRANCH"
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const { repo, owner } = context.repo;
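Review bot: The workflow-level `permissions: contents: read` added in the `@@ -8,6 +8,9` hunk of make-self-upgrade.yaml also caps the `self_upgrade` job, yet the `@@ -64,7 +67,7` hunk runs `git push -f origin "$SELF_UPGRADE_BRANCH"` and the github-script step creates a pull request and, in the `@@ -87,4 +90,10` hunk, adds a label, all of which need write scopes (`contents: write`, `pull-requests: write`) when done with the default GITHUB_TOKEN. The steps between the first two hunks are outside the diff, so the job may already carry its own `permissions:` block or use a separately supplied token (pushes made with GITHUB_TOKEN also do not trigger workflows on the pushed branch, which is a common reason to use one); if it does not, the nightly run will stop at the push. In that case add a job-level block under `self_upgrade:`, e.g. `permissions:` / `contents: write` / `pull-requests: write`, and keep the workflow-level read-only default. The same applies to the copy at make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml later in this diff.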
@@ -77,7 +80,7 @@ jobs:
});
if (pulls.data.length < 1) {
- await github.rest.pulls.create({
+ const result = await github.rest.pulls.create({
title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
owner: owner,
repo: repo,
@@ -87,4 +90,10 @@ jobs:
'This PR is auto-generated to bump the Makefile modules.',
].join('\n'),
});
+ await github.rest.issues.addLabels({
+ owner,
+ repo,
+ issue_number: result.data.number,
+ labels: ['skip-review']
+ });
}
diff --git a/klone.yaml b/klone.yaml
index e7cb8db..85f0acf 100644
--- a/klone.yaml
+++ b/klone.yaml
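Review bot: The new `addLabels` call in the `@@ -87,4 +90,10` hunk applies `skip-review` to a bot-created PR without any comment saying which automation honours that label; if it lets the PR merge without a human look, the upstream `repo_hash` bump such a PR carries (see the klone.yaml hunk in this commit) lands unreviewed, so the label's effect belongs next to the call, e.g. `// skip-review: consumed by the repo's merge automation; the PR only bumps the makefile-modules pin in klone.yaml`. The label is only added on the creation path, so a PR that already existed before this change is never labelled, which may or may not be intended. `result` is read only for `result.data.number`; `const { data: created } = await github.rest.pulls.create({ ... })` would make that explicit, but that is a matter of taste. The repository-base copy of this workflow gets the same change; the enclosing script block starts before the `@@ -77,7 +80,7` hunk.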
@@ -10,65 +10,65 @@ targets:
- folder_name: boilerplate
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/boilerplate
- folder_name: cert-manager
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/cert-manager
- folder_name: controller-gen
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/controller-gen
- folder_name: generate-verify
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/generate-verify
- folder_name: go
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/go
- folder_name: helm
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/helm
- folder_name: help
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/help
- folder_name: kind
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/kind
- folder_name: klone
repo_url: 
https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/klone
- folder_name: oci-build
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/oci-build
- folder_name: oci-publish
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/oci-publish
- folder_name: repository-base
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/repository-base
- folder_name: tools
repo_url: https://github.com/cert-manager/makefile-modules.git
repo_ref: main
- repo_hash: 7458086828acec84648afb1beb18da8a7d0e5e3c
+ repo_hash: 52d325f8aced0b9b6fae6fbe3d2bd2644fddcc93
repo_path: modules/tools
diff --git a/make/_shared/go/base/.github/workflows/govulncheck.yaml b/make/_shared/go/base/.github/workflows/govulncheck.yaml
index 405e8de..bba5726 100644
--- a/make/_shared/go/base/.github/workflows/govulncheck.yaml
+++ b/make/_shared/go/base/.github/workflows/govulncheck.yaml
@@ -10,18 +10,21 @@ on:
schedule:
- cron: '0 0 * * *'
+permissions:
+ contents: read
+
jobs:
govulncheck:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- id: go-version
run: |
make print-go-version >> "$GITHUB_OUTPUT"
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ steps.go-version.outputs.result }}
diff --git a/make/_shared/help/help.sh b/make/_shared/help/help.sh
index d9c831f..400aab3 100755
--- a/make/_shared/help/help.sh
+++ b/make/_shared/help/help.sh
@@ -71,10 +71,10 @@ done <<< "$raw_expansions"
## 3. Sort and print the extracted line items
-RULE_COLOR="$(tput setaf 6)"
-CATEGORY_COLOR="$(tput setaf 3)"
-CLEAR_STYLE="$(tput sgr0)"
-PURPLE=$(tput setaf 125)
+RULE_COLOR="$(TERM=xterm tput setaf 6)"
+CATEGORY_COLOR="$(TERM=xterm tput setaf 3)"
+CLEAR_STYLE="$(TERM=xterm tput sgr0)"
+PURPLE=$(TERM=xterm tput setaf 125)
extracted_lines=$(echo -e "$extracted_lines" | LC_ALL=C sort -r)
current_category=""
diff --git a/make/_shared/kind/00_kind_image_versions.mk b/make/_shared/kind/00_kind_image_versions.mk
new file mode 100755
index 0000000..6188f6a
--- /dev/null
+++ b/make/_shared/kind/00_kind_image_versions.mk
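Review bot: `TERM=xterm` in the four `tput` calls overrides the caller's real terminal type instead of supplying a fallback, so a user whose TERM names a different terminfo entry now gets xterm's sequences, and output that is not a terminal (`make help | less`, CI logs) carries escape codes in the unset-TERM case that previously produced none; `TERM="${TERM:-xterm}"` keeps the caller's terminal when it is set and still fixes the unset case this change targets, and a `[ -t 1 ]` guard would additionally keep piped output clean. The fourth line, `PURPLE=$(TERM=xterm tput setaf 125)`, is the only one of the four left unquoted; `PURPLE="$(TERM="${TERM:-xterm}" tput setaf 125)"` matches the others. Whether help.sh is ever run with stdout redirected is not visible in this hunk.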
@@ -0,0 +1,22 @@
+# +skip_license_check
+
+# This file is auto-generated by the learn_tools_shas.kind_images.sh script.
+# Do not edit manually.
+
+kind_image_kindversion := v0.23.0
+
+kind_image_kube_1.25_amd64 := docker.io/kindest/node:v1.25.16@sha256:06bd8a1c3af74cf360a524aa0c4a59922e023a1fb3526ee748609d4823f560f3
+kind_image_kube_1.25_arm64 := docker.io/kindest/node:v1.25.16@sha256:3b2127454d2e55a96e594debf450b80e87fe3273f0c7f74aa0c6be9972b8467e
+kind_image_kube_1.26_amd64 := docker.io/kindest/node:v1.26.15@sha256:ad06ec62683fe300927150377e43df432da2228261bedf8eb2442fe5956d5e58
+kind_image_kube_1.26_arm64 := docker.io/kindest/node:v1.26.15@sha256:73f30c6f49b97aa178d14483dfb3ad47a1e014a53589ec02191c3fcd1df7cb71
+kind_image_kube_1.27_amd64 := docker.io/kindest/node:v1.27.13@sha256:30c5d91cab1f2915ad61f38b6279254397c433fc745b74533daa3c1e16617326
+kind_image_kube_1.27_arm64 := docker.io/kindest/node:v1.27.13@sha256:f72a6686e25f80052f37b177215a0a353ed23718d8ee2739cc17cfdb4b8feffb
+kind_image_kube_1.28_amd64 := docker.io/kindest/node:v1.28.9@sha256:9ba4d311e7861d27b210e5960e5ce921a7c53d3c67e0545fd8a1cb9a76dfa2cb
+kind_image_kube_1.28_arm64 := docker.io/kindest/node:v1.28.9@sha256:2bbf55860a6d38e25e5db113a1035f2286c87fb4f7b1594cfc3643a17b59351f
+kind_image_kube_1.29_amd64 := docker.io/kindest/node:v1.29.4@sha256:ea40a6bd365a17f71fd3883a1d34a0791d7d6b0eb75832c6d85b6f2326827f1e
+kind_image_kube_1.29_arm64 := docker.io/kindest/node:v1.29.4@sha256:e63a7f74e80b746328fbaa70be406639d0c31c8c8cf0a3d57efdd23c64fe4bba
+kind_image_kube_1.30_amd64 := docker.io/kindest/node:v1.30.0@sha256:2af5d1b382926abcd6336312d652cd045b7cc47475844a608669c71b1fefcfbc
+kind_image_kube_1.30_arm64 := docker.io/kindest/node:v1.30.0@sha256:5e4ce6f9033bdb9ce81a7fd699c8e67cfcacfab57076058e3e6f33c32036b42b
+
+kind_image_latest_amd64 := $(kind_image_kube_1.30_amd64)
+kind_image_latest_arm64 := $(kind_image_kube_1.30_arm64)
diff --git a/make/_shared/kind/00_mod.mk b/make/_shared/kind/00_mod.mk
index 576d33e..a448915 100644
--- a/make/_shared/kind/00_mod.mk
+++ b/make/_shared/kind/00_mod.mk
@@ -12,17 +12,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+include $(dir $(lastword $(MAKEFILE_LIST)))/00_kind_image_versions.mk
+
images_amd64 ?=
images_arm64 ?=
-kind_k8s_version := v1.29.4
-
-# Goto https://github.com/kubernetes-sigs/kind/releases/tag/ and find the
-# multi-arch digest for the image you want to use. Then use crane to get the platform
-# specific digest. For example (digest is the multi-arch digest from the release page):
-# digest="sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245"
-# crane digest --platform=linux/amd64 docker.io/kindest/node@$digest
-# crane digest --platform=linux/arm64 docker.io/kindest/node@$digest
-
-images_amd64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:ea40a6bd365a17f71fd3883a1d34a0791d7d6b0eb75832c6d85b6f2326827f1e
-images_arm64 += docker.io/kindest/node:$(kind_k8s_version)@sha256:e63a7f74e80b746328fbaa70be406639d0c31c8c8cf0a3d57efdd23c64fe4bba
+images_amd64 += $(kind_image_latest_amd64)
+images_arm64 += $(kind_image_latest_arm64)
diff --git a/make/_shared/kind/kind-image-preload.mk b/make/_shared/kind/kind-image-preload.mk
index a157ad2..e95c9ee 100644
--- a/make/_shared/kind/kind-image-preload.mk
+++ b/make/_shared/kind/kind-image-preload.mk
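Review bot: `$(dir $(lastword $(MAKEFILE_LIST)))` already ends in a slash, so the new `include` line resolves to a path with a doubled separator (`.../kind//00_kind_image_versions.mk`); make accepts it, but `include $(dir $(lastword $(MAKEFILE_LIST)))00_kind_image_versions.mk` reads cleaner and matches what `$(dir)` produces. The removed comment was the only place in this module that recorded how the per-arch digests are obtained; the new file says it is generated by learn_tools_shas.kind_images.sh, so a one-line comment above the include, e.g. `# Per-arch kindest/node digests; regenerate with learn_tools_shas.kind_images.sh, do not edit by hand`, keeps that knowledge discoverable from here.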
@@ -32,6 +32,11 @@ images_files := $(foreach image,$(images),$(subst :,+,$(image)))
images_tar_dir := $(bin_dir)/downloaded/containers/$(HOST_ARCH)
images_tars := $(images_files:%=$(images_tar_dir)/%.tar)
+# Download the images as tarballs. We must use the tag because the digest
+# will change after we docker import the image. The tag is the only way to
+# reference the image after it has been imported. Before downloading the
+# image, we check that the provided digest matches the digest of the image
+# that we are about to pull.
$(images_tars): $(images_tar_dir)/%.tar: | $(NEEDS_CRANE)
@$(eval image=$(subst +,:,$*))
@$(eval image_without_digest=$(shell cut -d@ -f1 <<<"$(image)"))
diff --git a/make/_shared/kind/kind.mk b/make/_shared/kind/kind.mk
index c573420..4f0a894 100644
--- a/make/_shared/kind/kind.mk
+++ b/make/_shared/kind/kind.mk
@@ -39,7 +39,7 @@ $(bin_dir)/scratch/cluster-check: FORCE | $(NEEDS_KIND) $(bin_dir)/scratch
$(eval export KUBECONFIG=$(absolute_kubeconfig))
kind_post_create_hook ?=
-$(kind_kubeconfig): $(kind_cluster_config) $(bin_dir)/scratch/cluster-check | images-preload $(bin_dir)/scratch $(NEEDS_KIND) $(NEEDS_KUBECTL)
+$(kind_kubeconfig): $(kind_cluster_config) $(bin_dir)/scratch/cluster-check | images-preload $(bin_dir)/scratch $(NEEDS_KIND) $(NEEDS_KUBECTL) $(NEEDS_CTR)
@[ -f "$(bin_dir)/scratch/cluster-check" ] && ( \
$(KIND) delete cluster --name $(kind_cluster_name); \
$(CTR) load -i $(docker.io/kindest/node.TAR); \
diff --git a/make/_shared/oci-build/00_mod.mk b/make/_shared/oci-build/00_mod.mk
index 11a09ed..b7e2b0b 100644
--- a/make/_shared/oci-build/00_mod.mk
+++ b/make/_shared/oci-build/00_mod.mk
@@ -16,11 +16,11 @@ oci_platforms ?= linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
# Use distroless as minimal base image to package the manager binary
# To get latest SHA run "crane digest quay.io/jetstack/base-static:latest"
-base_image_static := quay.io/jetstack/base-static@sha256:23631cd1be9a63515cb5975e783284b209f7f9a449c02bb117f2a15413e13bfa
+base_image_static := quay.io/jetstack/base-static@sha256:262e3020adb3b09ddbf9cd8fe672330451a556c8e7024142fa205c8876c3fd75
# Use custom apko-built image as minimal base image to package the manager binary
# To get latest SHA run "crane digest quay.io/jetstack/base-static-csi:latest"
-base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:95b33b948da3790ac09f112486a1e9f10e3e705cfacc159cb7b12429b874c78f
+base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:f776795838d73f9836b134f688b4c827fcd7ed22f46d3cefcb9f57d668388fef
# Utility functions
fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set))
diff --git a/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml b/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml
index 93beedf..2c6feca 100644
--- a/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml
+++ b/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml
@@ -8,6 +8,9 @@ on:
schedule:
- cron: '0 0 * * *'
+permissions:
+ contents: read
+
jobs:
self_upgrade:
runs-on: ubuntu-latest
@@ -27,13 +30,13 @@ jobs:
echo "This workflow should not be run on a non-branch-head."
exit 1
- - uses: actions/checkout@v4
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- id: go-version
run: |
make print-go-version >> "$GITHUB_OUTPUT"
- - uses: actions/setup-go@v5
+ - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ steps.go-version.outputs.result }}
@@ -64,7 +67,7 @@ jobs:
git push -f origin "$SELF_UPGRADE_BRANCH"
- if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const { repo, owner } = context.repo;
@@ -77,7 +80,7 @@ jobs:
});
if (pulls.data.length < 1) {
- await github.rest.pulls.create({
+ const result = await github.rest.pulls.create({
title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
owner: owner,
repo: repo,
@@ -87,4 +90,10 @@ jobs:
'This PR is auto-generated to bump the Makefile modules.',
].join('\n'),
});
+ await github.rest.issues.addLabels({
+ owner,
+ repo,
+ issue_number: result.data.number,
+ labels: ['skip-review']
+ });
}
diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk
index 8065fdc..8d5ad2c 100644
--- a/make/_shared/tools/00_mod.mk
+++ b/make/_shared/tools/00_mod.mk
@@ -42,7 +42,13 @@ for_each_kv = $(foreach item,$2,$(eval $(call $1,$(word 1,$(subst =, ,$(item))),
# variables: https://stackoverflow.com/questions/54726457
export PATH := $(CURDIR)/$(bin_dir)/tools:$(PATH)
-CTR=docker
+CTR ?= docker
+.PHONY: __require-ctr
+ifneq ($(shell command -v $(CTR) >/dev/null || echo notfound),)
+__require-ctr:
+ @:$(error "$(CTR) (or set CTR to a docker-compatible tool)")
+endif
+NEEDS_CTR = __require-ctr
tools :=
# https://github.com/helm/helm/releases
@@ -241,8 +247,13 @@ detected_vendoring := $(findstring vendor-go,$(MAKECMDGOALS))$(shell [ -f $(bin_
export VENDOR_GO ?= $(detected_vendoring)
ifeq ($(VENDOR_GO),)
+.PHONY: __require-go
+ifneq ($(shell command -v go >/dev/null || echo notfound),)
+__require-go:
+ @:$(error "$(GO) (or run 'make vendor-go')")
+endif
GO := go
-NEEDS_GO := #
+NEEDS_GO = __require-go
else
export GOROOT := $(CURDIR)/$(bin_dir)/tools/goroot
export PATH := $(CURDIR)/$(bin_dir)/tools/goroot/bin:$(PATH)
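Review bot: In the `@@ -241,8 +247,13` hunk of tools/00_mod.mk the probe is the literal `command -v go` while the error text and the sibling `__require-ctr` block use the variable (`$(CTR)`); since `GO := go` is assigned right after the block, moving that assignment above the `ifneq` and probing `command -v $(GO)` keeps the two checks parallel and stops the message from naming a command the probe did not test. The `.PHONY: __require-ctr` plus conditional-rule construction is non-obvious — as far as GNU make's handling of phony targets goes, the target stays a valid recipe-less prerequisite when the tool is present and only gains the `$(error ...)` recipe when it is missing — and deserves a comment above each block, e.g. `# Phony, recipe-less when $(CTR) is present; gains an $(error) recipe otherwise so only targets listing $(NEEDS_CTR) fail.` The quotes inside `$(error "...")` are printed literally, unlike the unquoted `$(error Missing required tools: ...)` in the last hunk. With the eager go/ctr probes dropped from `missing=` in the `@@ -604,10 +615,7` hunk, correctness now depends on every recipe that invokes `$(GO)` or `$(CTR)` listing `$(NEEDS_GO)`/`$(NEEDS_CTR)`; the kind.mk hunk adds one such prerequisite, but the other callers are outside this diff.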
@@ -604,10 +615,7 @@ $(DOWNLOAD_DIR)/tools/preflight@$(PREFLIGHT_VERSION)_linux_$(HOST_ARCH): | $(DOW
missing=$(shell (command -v curl >/dev/null || echo curl) \
&& (command -v sha256sum >/dev/null || command -v shasum >/dev/null || echo sha256sum) \
&& (command -v git >/dev/null || echo git) \
- && (command -v rsync >/dev/null || echo rsync) \
- && ([ -n "$(findstring vendor-go,$(MAKECMDGOALS),)" ] \
- || command -v $(GO) >/dev/null || echo "$(GO) (or run 'make vendor-go')") \
- && (command -v $(CTR) >/dev/null || echo "$(CTR) (or set CTR to a docker-compatible tool)"))
+ && (command -v rsync >/dev/null || echo rsync))
ifneq ($(missing),)
$(error Missing required tools: $(missing))
endif