From 820dd21835b91a6af95ff43cc64ac721f86e1831 Mon Sep 17 00:00:00 2001 From: Adam Talbot Date: Fri, 15 Mar 2024 14:45:16 +0000 Subject: [PATCH 1/2] feat: add makefile modules for local dev 
Signed-off-by: Adam Talbot --- .github/dependabot.yaml | 20 + .github/workflows/make-self-upgrade.yaml | 86 +++ .gitignore | 3 + Makefile | 109 ++++ OWNERS_ALIASES | 13 + klone.yaml | 39 ++ make/00_mod.mk | 3 + make/02_mod.mk | 53 ++ make/_shared/boilerplate/00_mod.mk | 17 + make/_shared/boilerplate/01_mod.mk | 21 + .../boilerplate/template/boilerplate.go.txt | 15 + make/_shared/generate-verify/00_mod.mk | 17 + make/_shared/generate-verify/02_mod.mk | 33 + make/_shared/generate-verify/util/verify.sh | 63 ++ make/_shared/help/01_mod.mk | 22 + make/_shared/help/help.sh | 113 ++++ make/_shared/klone/01_mod.mk | 27 + make/_shared/repository-base/01_mod.mk | 23 + .../base/.github/dependabot.yaml | 20 + .../.github/workflows/make-self-upgrade.yaml | 86 +++ make/_shared/repository-base/base/LICENSE | 201 ++++++ make/_shared/repository-base/base/Makefile | 109 ++++ .../repository-base/base/OWNERS_ALIASES | 13 + make/_shared/tools/00_mod.mk | 603 ++++++++++++++++++ make/_shared/tools/util/checkhash.sh | 56 ++ make/_shared/tools/util/hash.sh | 25 + 26 files changed, 1790 insertions(+) create mode 100644 .github/dependabot.yaml create mode 100644 .github/workflows/make-self-upgrade.yaml create mode 100644 Makefile create mode 100644 OWNERS_ALIASES create mode 100644 klone.yaml create mode 100644 make/00_mod.mk create mode 100644 make/02_mod.mk create mode 100644 make/_shared/boilerplate/00_mod.mk create mode 100644 make/_shared/boilerplate/01_mod.mk create mode 100644 make/_shared/boilerplate/template/boilerplate.go.txt create mode 100644 make/_shared/generate-verify/00_mod.mk create mode 100644 make/_shared/generate-verify/02_mod.mk create mode 100755 make/_shared/generate-verify/util/verify.sh create mode 100644 make/_shared/help/01_mod.mk create mode 100755 make/_shared/help/help.sh create mode 100644 make/_shared/klone/01_mod.mk create mode 100644 make/_shared/repository-base/01_mod.mk create mode 100644 make/_shared/repository-base/base/.github/dependabot.yaml create 
mode 100644 make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml create mode 100644 make/_shared/repository-base/base/LICENSE create mode 100644 make/_shared/repository-base/base/Makefile create mode 100644 make/_shared/repository-base/base/OWNERS_ALIASES create mode 100644 make/_shared/tools/00_mod.mk create mode 100755 make/_shared/tools/util/checkhash.sh create mode 100755 make/_shared/tools/util/hash.sh diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 00000000000..35367ea5cee --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,20 @@ +# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. +# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead. + +# Update Go dependencies and GitHub Actions dependencies weekly. +version: 2 +updates: +- package-ecosystem: gomod + directory: / + schedule: + interval: weekly + groups: + all: + patterns: ["*"] +- package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + groups: + all: + patterns: ["*"] diff --git a/.github/workflows/make-self-upgrade.yaml b/.github/workflows/make-self-upgrade.yaml new file mode 100644 index 00000000000..ccebdb244eb --- /dev/null +++ b/.github/workflows/make-self-upgrade.yaml 
@@ -0,0 +1,86 @@ +# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. +# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml instead. + +name: make-self-upgrade +concurrency: make-self-upgrade +on: + workflow_dispatch: {} + schedule: + - cron: '0 0 * * *' + +jobs: + build_images: + runs-on: ubuntu-latest + + permissions: + contents: write + pull-requests: write + + steps: + - name: Fail if branch is not main + if: github.ref != 'refs/heads/main' + run: | + echo "This workflow should not be run on a branch other than main." + exit 1 + + - uses: actions/checkout@v4 + + - id: go-version + run: | + make print-go-version >> "$GITHUB_OUTPUT" + + - uses: actions/setup-go@v5 + with: + go-version: ${{ steps.go-version.outputs.result }} + + - run: | + git checkout -B "self-upgrade" + + - run: | + make -j upgrade-klone + make -j generate + + - id: is-up-to-date + shell: bash + run: | + git_status=$(git status -s) + is_up_to_date="true" + if [ -n "$git_status" ]; then + is_up_to_date="false" + echo "The following changes will be committed:" + echo "$git_status" + fi + echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT" + + - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} + run: | + git config --global user.name "jetstack-bot" + git config --global user.email "jetstack-bot@users.noreply.github.com" + git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff + git push -f origin self-upgrade + + - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} + uses: actions/github-script@v7 + with: + script: | + const { repo, owner } = context.repo; + const pulls = await github.rest.pulls.list({ + owner: owner, + repo: repo, + head: owner + ':self-upgrade', + base: 'main', + state: 'open', + }); + + if (pulls.data.length < 1) { + await github.rest.pulls.create({ + title: '[CI] Merge self-upgrade into main', + owner: owner, + repo: repo, + head: 'self-upgrade', + 
base: 'main', + body: [ + 'This PR is auto-generated to bump the Makefile modules.', + ].join('\n'), + }); + } diff --git a/.gitignore b/.gitignore index 51b489a0e58..87b845dc21d 100644 --- a/.gitignore +++ b/.gitignore @@ -53,3 +53,6 @@ public/feed.* # Our release-process.md tells us to run 'sed' commands that create .bak files. *.bak + +# Makefile modules bin_dir +_bin \ No newline at end of file diff --git a/Makefile b/Makefile new file mode 100644 index 00000000000..6e1916a5a6d --- /dev/null +++ b/Makefile 
@@ -0,0 +1,109 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. +# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/Makefile instead. + +# NOTE FOR DEVELOPERS: "How do the Makefiles work and how can I extend them?" +# +# Shared Makefile logic lives in the make/_shared/ directory. The source of truth for these files +# lies outside of this repository, eg. in the cert-manager/makefile-modules repository. +# +# Logic specific to this repository must be defined in the make/00_mod.mk and make/02_mod.mk files: +# - The make/00_mod.mk file is included first and contains variable definitions needed by +# the shared Makefile logic. +# - The make/02_mod.mk file is included later, it can make use of most of the shared targets +# defined in the make/_shared/ directory (all targets defined in 00_mod.mk and 01_mod.mk). +# This file should be used to define targets specific to this repository. + +################################## + +# Some modules build their dependencies from variables, we want these to be +# evalutated at the last possible moment. For this we use second expansion to +# re-evaluate the generate and verify targets a second time. 
+# +# See https://www.gnu.org/software/make/manual/html_node/Secondary-Expansion.html +.SECONDEXPANSION: + +# For details on some of these "prelude" settings, see: +# https://clarkgrubb.com/makefile-style-guide +MAKEFLAGS += --warn-undefined-variables --no-builtin-rules +SHELL := /usr/bin/env bash +.SHELLFLAGS := -uo pipefail -c +.DEFAULT_GOAL := help +.DELETE_ON_ERROR: +.SUFFIXES: +FORCE: + +noop: # do nothing + +################################## +# Host OS and architecture setup # +################################## + +# The reason we don't use "go env GOOS" or "go env GOARCH" is that the "go" +# binary may not be available in the PATH yet when the Makefiles are +# evaluated. HOST_OS and HOST_ARCH only support Linux, *BSD and macOS (M1 +# and Intel). +HOST_OS ?= $(shell uname -s | tr A-Z a-z) +HOST_ARCH ?= $(shell uname -m) + +ifeq (x86_64, $(HOST_ARCH)) + HOST_ARCH = amd64 +else ifeq (aarch64, $(HOST_ARCH)) + # linux reports the arm64 arch as aarch64 + HOST_ARCH = arm64 +endif + +################################## +# Git and versioning information # +################################## + +VERSION ?= $(shell git describe --tags --always --match='v*' --abbrev=14 --dirty) +IS_PRERELEASE := $(shell git describe --tags --always --match='v*' --abbrev=0 | grep -q '-' && echo true || echo false) +GITCOMMIT := $(shell git rev-parse HEAD) +GITEPOCH := $(shell git show -s --format=%ct HEAD) + +################################## +# Global variables and dirs # +################################## + +bin_dir := _bin + +# The ARTIFACTS environment variable is set by the CI system to a directory +# where artifacts should be placed. These artifacts are then uploaded to a +# storage bucket by the CI system (https://docs.prow.k8s.io/docs/components/pod-utilities/). +# An example of such an artifact is a jUnit XML file containing test results. +# If the ARTIFACTS environment variable is not set, we default to a local +# directory in the _bin directory. 
+ARTIFACTS ?= $(bin_dir)/artifacts + +$(bin_dir) $(ARTIFACTS) $(bin_dir)/scratch: + mkdir -p $@ + +.PHONY: clean +## Clean all temporary files +## @category [shared] Tools +clean: + rm -rf $(bin_dir) + +################################## +# Include all the Makefiles # +################################## + +-include make/00_mod.mk +-include make/_shared/*/00_mod.mk +-include make/_shared/*/01_mod.mk +-include make/02_mod.mk +-include make/_shared/*/02_mod.mk diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES new file mode 100644 index 00000000000..6d51f05b459 --- /dev/null +++ b/OWNERS_ALIASES @@ -0,0 +1,13 @@ +# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. +# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/OWNERS_ALIASES instead. + +aliases: + cm-maintainers: + - munnerz + - joshvanl + - wallrj + - jakexks + - maelvls + - irbekrm + - sgtcodfish + - inteon diff --git a/klone.yaml b/klone.yaml new file mode 100644 index 00000000000..7f1ed41a67c --- /dev/null +++ b/klone.yaml 
@@ -0,0 +1,39 @@
+# This klone.yaml file describes the Makefile modules and versions that are
+# cloned into the "make/_shared" folder. These modules are dynamically imported
+# by the root Makefile. The "make upgrade-klone" target can be used to pull
+# the latest version from the upstream repositories (using the repo_ref value).
+#
+# More info can be found here: https://github.com/cert-manager/makefile-modules
+
+targets:
+ make/_shared:
+ - folder_name: boilerplate
+ repo_url: https://github.com/cert-manager/makefile-modules.git
+ repo_ref: main
+ repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a
+ repo_path: modules/boilerplate
+ - folder_name: generate-verify
+ repo_url: https://github.com/cert-manager/makefile-modules.git
+ repo_ref: main
+ repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a
+ repo_path: modules/generate-verify
+ - folder_name: help
+ repo_url: https://github.com/cert-manager/makefile-modules.git
+ repo_ref: main
+ repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a
+ repo_path: modules/help
+ - folder_name: klone
+ repo_url: https://github.com/cert-manager/makefile-modules.git
+ repo_ref: main
+ repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a
+ repo_path: modules/klone
+ - folder_name: repository-base
+ repo_url: https://github.com/cert-manager/makefile-modules.git
+ repo_ref: main
+ repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a
+ repo_path: modules/repository-base
+ - folder_name: tools
+ repo_url: https://github.com/cert-manager/makefile-modules.git
+ repo_ref: main
+ repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a
+ repo_path: modules/tools
diff --git a/make/00_mod.mk b/make/00_mod.mk
new file mode 100644
index 00000000000..5202776b237
--- /dev/null
+++ b/make/00_mod.mk
@@ -0,0 +1,3 @@
+# Node and NPM are installed from the same source, so the versions must match
+ADDITIONAL_TOOLS += node=v20.11.1
+ADDITIONAL_TOOLS += npm=v20.11.1
\ No newline at end of file
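Review bot: In klone.yaml the header comment explains `repo_ref` but not `repo_hash`, although with every entry on `repo_ref: main` the hash is the only thing that fixes which upstream commit lands in make/_shared. That matters for this patch because the make-self-upgrade workflow it adds runs `make -j upgrade-klone` and then `make -j generate` in a job with `contents: write`, so Makefile code fetched from the branch tip is executed there before the resulting PR has been reviewed. I would add a line such as `# repo_hash pins the exact upstream commit; review the make/_shared diff whenever an upgrade PR changes it.` to the header. Whether upstream main is protected well enough to be treated as trusted input is not visible from this diff.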
diff --git a/make/02_mod.mk b/make/02_mod.mk
new file mode 100644
index 00000000000..5217c3cccb4
--- /dev/null
+++ b/make/02_mod.mk
@@ -0,0 +1,53 @@
+npm_scripts = build start dev check
+.PHONY: $(npm_scripts)
+$(npm_scripts): | $(NEEDS_NPM)
+ $(NPM) run $@
+
+## Vendor the node modules
+## @category Development
+vendor: | $(NEEDS_NPM)
+ $(NPM) ci
+
+## Build the site, which then can be served with `make start`
+## @category Development
+build: vendor
+
+## Serve the site on port 3000
+## @category Development
+start: vendor
+
+## Start the dev server, this server will reload for every change you make to
+## the codebase
+## @category Development
+dev: vendor
+
+## Run code linting and checks
+## @category Development
+check: vendor
+
+##########
+# NodeJS #
+##########
+
+# https://nodejs.org/dist/v20.11.1/SHASUMS256.txt.asc
+NODE_linux_amd64_SHA256SUM=bf3a779bef19452da90fb88358ec2c57e0d2f882839b20dc6afc297b6aafc0d7
+NODE_linux_arm64_SHA256SUM=e34ab2fc2726b4abd896bcbff0250e9b2da737cbd9d24267518a802ed0606f3b
+NODE_darwin_amd64_SHA256SUM=c52e7fb0709dbe63a4cbe08ac8af3479188692937a7bd8e776e0eedfa33bb848
+NODE_darwin_arm64_SHA256SUM=e0065c61f340e85106a99c4b54746c5cee09d59b08c5712f67f99e92aa44995d
+
+.PRECIOUS: $(bin_dir)/scratch/node@$(NODE_VERSION)_%
+$(bin_dir)/scratch/node@$(NODE_VERSION)_%: | $(bin_dir)/scratch
+ $(CURL) https://nodejs.org/dist/$(NODE_VERSION)/node-$(NODE_VERSION)-$(subst amd64,x64,$(subst _,-,$*)).tar.gz -o $@.tar.gz
+ $(checkhash_script) $@.tar.gz $(NODE_$*_SHA256SUM)
+ mkdir -p $@
+ tar xzf $@.tar.gz --strip-components=1 -C $@
+ rm -f $@.tar.gz
+
+$(bin_dir)/downloaded/tools/node@$(NODE_VERSION)_%: | $(bin_dir)/scratch/node@$(NODE_VERSION)_% $(bin_dir)/downloaded/tools
+ $(LN) $(CURDIR)/$(bin_dir)/scratch/node@$(NODE_VERSION)_$*/bin/node $@
+
+$(bin_dir)/downloaded/tools/npm@$(NPM_VERSION)_%: | $(bin_dir)/scratch/node@$(NPM_VERSION)_% $(bin_dir)/downloaded/tools
+ $(LN) $(CURDIR)/$(bin_dir)/scratch/node@$(NODE_VERSION)_$*/bin/npm $@
+
+# Export the node bin dir so npm can work
+export PATH := 
$(CURDIR)/$(bin_dir)/scratch/node@$(NODE_VERSION)_$(HOST_OS)_$(HOST_ARCH)/bin:$(PATH) \ No newline at end of file diff --git a/make/_shared/boilerplate/00_mod.mk b/make/_shared/boilerplate/00_mod.mk new file mode 100644 index 00000000000..46f32fc5c42 --- /dev/null +++ b/make/_shared/boilerplate/00_mod.mk @@ -0,0 +1,17 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +default_go_header_file := $(dir $(lastword $(MAKEFILE_LIST)))/template/boilerplate.go.txt + +go_header_file ?= $(default_go_header_file) diff --git a/make/_shared/boilerplate/01_mod.mk b/make/_shared/boilerplate/01_mod.mk new file mode 100644 index 00000000000..677fdff97f5 --- /dev/null +++ b/make/_shared/boilerplate/01_mod.mk 
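Review bot: In make/02_mod.mk (the hunk that ends at the `export PATH` line) the npm link rule names `$(bin_dir)/scratch/node@$(NPM_VERSION)_%` as its order-only prerequisite while its recipe links from `node@$(NODE_VERSION)_$*/bin/npm`, so the rule is only consistent while the two versions set in make/00_mod.mk stay equal. If they drift, the prerequisite matches no rule here (the download-and-checkhash rule is keyed on NODE_VERSION) and the link source is a different directory from the one the prerequisite named. Using `$(NODE_VERSION)` in the prerequisite too, or failing early with `ifneq ($(NODE_VERSION),$(NPM_VERSION))` / `$(error node and npm versions must match)` / `endif`, would enforce what is currently only a comment. Separately, `vendor` is not listed in `.PHONY`, so a directory of that name would make the target look up to date and skip `npm ci`; `.PHONY: $(npm_scripts) vendor` covers it.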
@@ -0,0 +1,21 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +.PHONY: verify-boilerplate +## Verify that all files have the correct boilerplate. +## @category [shared] Generate/ Verify +verify-boilerplate: | $(NEEDS_BOILERSUITE) + $(BOILERSUITE) . + +shared_verify_targets += verify-boilerplate diff --git a/make/_shared/boilerplate/template/boilerplate.go.txt b/make/_shared/boilerplate/template/boilerplate.go.txt new file mode 100644 index 00000000000..f0214588363 --- /dev/null +++ b/make/_shared/boilerplate/template/boilerplate.go.txt @@ -0,0 +1,15 @@ +/* +Copyright The cert-manager Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ \ No newline at end of file diff --git a/make/_shared/generate-verify/00_mod.mk b/make/_shared/generate-verify/00_mod.mk new file mode 100644 index 00000000000..9b145a95f04 --- /dev/null +++ b/make/_shared/generate-verify/00_mod.mk 
@@ -0,0 +1,17 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +shared_generate_targets ?= +shared_verify_targets ?= +shared_verify_targets_dirty ?= diff --git a/make/_shared/generate-verify/02_mod.mk b/make/_shared/generate-verify/02_mod.mk new file mode 100644 index 00000000000..2f2daacd976 --- /dev/null +++ b/make/_shared/generate-verify/02_mod.mk 
@@ -0,0 +1,33 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +.PHONY: generate +## Generate all generate targets. +## @category [shared] Generate/ Verify +generate: $$(shared_generate_targets) + +verify_script := $(dir $(lastword $(MAKEFILE_LIST)))/util/verify.sh + +# Run the supplied make target argument in a temporary workspace and diff the results. +verify-%: FORCE + $(verify_script) $(MAKE) -s $* + +verify_generated_targets = $(shared_generate_targets:%=verify-%) + +.PHONY: verify +## Verify code and generate targets. +## @category [shared] Generate/ Verify +verify: $$(verify_generated_targets) $$(shared_verify_targets) + @echo "The following targets create temporary files in the current directory, that is why they have to be run last:" + $(MAKE) noop $(shared_verify_targets_dirty) diff --git a/make/_shared/generate-verify/util/verify.sh b/make/_shared/generate-verify/util/verify.sh new file mode 100755 index 00000000000..206d3e63a7b --- /dev/null +++ b/make/_shared/generate-verify/util/verify.sh 
@@ -0,0 +1,63 @@ +#!/usr/bin/env bash + +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Verify that the supplied command does not make any changes to the repository. +# +# This is called from the Makefile to verify that all code generation scripts +# have been run and that their changes have been committed to the repository. +# +# Runs any of the scripts or Make targets in this repository, after making a +# copy of the repository, then reports any changes to the files in the copy. + +# For example: +# +# make verify-helm-chart-update || \ +# make helm-chart-update +# +set -o errexit +set -o nounset +set -o pipefail + +projectdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )/../../../.." && pwd )" + +cd "${projectdir}" + +# Use short form arguments here to support BSD/macOS. `-d` instructs +# it to make a directory, `-t` provides a prefix to use for the directory name. +tmp="$(mktemp -d /tmp/verify.sh.XXXXXXXX)" + +cleanup() { + rm -rf "${tmp}" +} +trap "cleanup" EXIT SIGINT + +cp -a "${projectdir}/." "${tmp}" +pushd "${tmp}" >/dev/null + +"$@" + +popd >/dev/null + +if ! diff \ + --exclude=".git" \ + --exclude="_bin" \ + --new-file --unified --show-c-function --recursive "${projectdir}" "${tmp}" +then + echo + echo "Project '${projectdir}' is out of date." + echo "Please run '${*}'" + exit 1 +fi diff --git a/make/_shared/help/01_mod.mk b/make/_shared/help/01_mod.mk new file mode 100644 index 00000000000..1a6a3b48b24 
--- /dev/null +++ b/make/_shared/help/01_mod.mk @@ -0,0 +1,22 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +help_sh := $(dir $(lastword $(MAKEFILE_LIST)))/help.sh + +.PHONY: help +help: + @MAKEFILE_LIST="$(MAKEFILE_LIST)" \ + MAKE="$(MAKE)" \ + $(help_sh) diff --git a/make/_shared/help/help.sh b/make/_shared/help/help.sh new file mode 100755 index 00000000000..96c4ad8e062 --- /dev/null +++ b/make/_shared/help/help.sh 
@@ -0,0 +1,113 @@ +#!/usr/bin/env bash + +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -eu -o pipefail + +## 1. Build set of extracted line items + +EMPTYLINE_REGEX="^[[:space:]]*$" +DOCBLOCK_REGEX="^##[[:space:]]*(.*)$" +CATEGORY_REGEX="^##[[:space:]]*@category[[:space:]]*(.*)$" +TARGET_REGEX="^(([a-zA-Z0-9\_\/\%\$\(\)]|-)+):.*$" + +EMPTY_ITEM="" + +# shellcheck disable=SC2086 +raw_lines=$(cat ${MAKEFILE_LIST} | tr '\t' ' ' | grep -E "($TARGET_REGEX|$DOCBLOCK_REGEX|$EMPTYLINE_REGEX)") +extracted_lines="" +extracted_current="$EMPTY_ITEM" +max_target_length=0 + +## Extract all the commented targets from the Makefile +while read -r line; do + if [[ $line =~ $EMPTYLINE_REGEX ]]; then + # Reset current item. + extracted_current="$EMPTY_ITEM" + elif [[ $line =~ $CATEGORY_REGEX ]]; then + extracted_current=${extracted_current///${BASH_REMATCH[1]}} + elif [[ $line =~ $TARGET_REGEX ]]; then + # only keep the target if there is a comment + if [[ $extracted_current != *""* ]]; then + max_target_length=$(( ${#BASH_REMATCH[1]} > max_target_length ? ${#BASH_REMATCH[1]} : max_target_length )) + extracted_current=${extracted_current///${BASH_REMATCH[1]}} + extracted_lines="$extracted_lines\n$extracted_current" + fi + + extracted_current="$EMPTY_ITEM" + elif [[ $line =~ $DOCBLOCK_REGEX ]]; then + extracted_current=${extracted_current///${BASH_REMATCH[1]}} + fi +done <<< "$raw_lines" + +## 2. 
Build mapping for expanding targets + +ASSIGNMENT_REGEX="^(([a-zA-Z0-9\_\/\%\$\(\)]|-)+)[[:space:]]*:=[[:space:]]*(.*)$" + +raw_expansions=$(${MAKE} --dry-run --print-data-base noop | tr '\t' ' ' | grep -E "$ASSIGNMENT_REGEX") +extracted_expansions="" + +while read -r line; do + if [[ $line =~ $ASSIGNMENT_REGEX ]]; then + target=${BASH_REMATCH[1]} + expansion=${BASH_REMATCH[3]// /, } + extracted_expansions="$extracted_expansions\n$target$expansion" + fi +done <<< "$raw_expansions" + +## 3. Sort and print the extracted line items + +RULE_COLOR="$(tput setaf 6)" +CATEGORY_COLOR="$(tput setaf 3)" +CLEAR_STYLE="$(tput sgr0)" +PURPLE=$(tput setaf 125) + +extracted_lines=$(echo -e "$extracted_lines" | LC_ALL=C sort -r) +current_category="" + +## Print the help +echo "Usage: make [target1] [target2] ..." + +IFS=$'\n'; for line in $extracted_lines; do + category=$([[ $line =~ \(.*)\ ]] && echo "${BASH_REMATCH[1]}") + target=$([[ $line =~ \(.*)\ ]] && echo "${BASH_REMATCH[1]}") + comment=$([[ $line =~ \(.*)\ ]] && echo -e "${BASH_REMATCH[1]///\\n}") + + # Print the category header if it's changed + if [[ "$current_category" != "$category" ]]; then + current_category=$category + echo -e "\n${CATEGORY_COLOR}${current_category}${CLEAR_STYLE}" + fi + + # replace any $(...) with the actual value + if [[ $target =~ \$\((.*)\) ]]; then + new_target=$(echo -e "$extracted_expansions" | grep "${BASH_REMATCH[1]}" || true) + if [[ -n "$new_target" ]]; then + target=$([[ $new_target =~ \(.*)\ ]] && echo -e "${BASH_REMATCH[1]}") + fi + fi + + # Print the target and its multiline comment + is_first_line=true + while read -r comment_line; do + if [[ "$is_first_line" == true ]]; then + is_first_line=false + padding=$(( max_target_length - ${#target} )) + printf " %s%${padding}s ${PURPLE}>${CLEAR_STYLE} %s\n" "${RULE_COLOR}${target}${CLEAR_STYLE}" "" "${comment_line}" + else + printf " %${max_target_length}s %s\n" "" "${comment_line}" + fi + done <<< "$comment" +done 
diff --git a/make/_shared/klone/01_mod.mk b/make/_shared/klone/01_mod.mk new file mode 100644 index 00000000000..a3d07dd2778 --- /dev/null +++ b/make/_shared/klone/01_mod.mk @@ -0,0 +1,27 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +.PHONY: generate-klone +## Generate klone shared Makefiles +## @category [shared] Generate/ Verify +generate-klone: | $(NEEDS_KLONE) + $(KLONE) sync + +shared_generate_targets += generate-klone + +.PHONY: upgrade-klone +## Upgrade klone Makefile modules to latest version +## @category [shared] Self-upgrade +upgrade-klone: | $(NEEDS_KLONE) + $(KLONE) upgrade diff --git a/make/_shared/repository-base/01_mod.mk b/make/_shared/repository-base/01_mod.mk new file mode 100644 index 00000000000..251ac88e56c --- /dev/null +++ b/make/_shared/repository-base/01_mod.mk 
@@ -0,0 +1,23 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/ + +.PHONY: generate-base +## Generate base files in the repository +## @category [shared] Generate/ Verify +generate-base: + cp -r $(base_dir)/. ./ + +shared_generate_targets += generate-base diff --git a/make/_shared/repository-base/base/.github/dependabot.yaml b/make/_shared/repository-base/base/.github/dependabot.yaml new file mode 100644 index 00000000000..35367ea5cee --- /dev/null +++ b/make/_shared/repository-base/base/.github/dependabot.yaml @@ -0,0 +1,20 @@ +# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. +# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead. + +# Update Go dependencies and GitHub Actions dependencies weekly. +version: 2 +updates: +- package-ecosystem: gomod + directory: / + schedule: + interval: weekly + groups: + all: + patterns: ["*"] +- package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + groups: + all: + patterns: ["*"] diff --git a/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml b/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml new file mode 100644 index 00000000000..ccebdb244eb --- /dev/null +++ b/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml 
@@ -0,0 +1,86 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml instead.
+
+name: make-self-upgrade
+concurrency: make-self-upgrade
+on:
+ workflow_dispatch: {}
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ build_images:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+ pull-requests: write
+
+ steps:
+ - name: Fail if branch is not main
+ if: github.ref != 'refs/heads/main'
+ run: |
+ echo "This workflow should not be run on a branch other than main."
+ exit 1
+
+ - uses: actions/checkout@v4
+
+ - id: go-version
+ run: |
+ make print-go-version >> "$GITHUB_OUTPUT"
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version: ${{ steps.go-version.outputs.result }}
+
+ - run: |
+ git checkout -B "self-upgrade"
+
+ - run: |
+ make -j upgrade-klone
+ make -j generate
+
+ - id: is-up-to-date
+ shell: bash
+ run: |
+ git_status=$(git status -s)
+ is_up_to_date="true"
+ if [ -n "$git_status" ]; then
+ is_up_to_date="false"
+ echo "The following changes will be committed:"
+ echo "$git_status"
+ fi
+ echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT"
+
+ - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
+ run: |
+ git config --global user.name "jetstack-bot"
+ git config --global user.email "jetstack-bot@users.noreply.github.com"
+ git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff
+ git push -f origin self-upgrade
+
+ - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { repo, owner } = context.repo;
+ const pulls = await github.rest.pulls.list({
+ owner: owner,
+ repo: repo,
+ head: owner + ':self-upgrade',
+ base: 'main',
+ state: 'open',
+ });
+
+ if (pulls.data.length < 1) {
+ await github.rest.pulls.create({
+ title: '[CI] Merge self-upgrade into main',
+ owner: owner,
+ repo: repo,
+ head: 'self-upgrade',
+ base: 'main',
+ body: [
+ 'This PR is auto-generated to bump the Makefile modules.',
+ ].join('\n'),
+ });
+ }
diff --git a/make/_shared/repository-base/base/LICENSE b/make/_shared/repository-base/base/LICENSE
new file mode 100644
index 00000000000..261eeb9e9f8
--- /dev/null
+++ b/make/_shared/repository-base/base/LICENSE
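Review bot: The three `uses:` steps in make-self-upgrade.yaml (`actions/checkout@v4`, `actions/setup-go@v5`, `actions/github-script@v7`) reference mutable tags in a job that is granted `contents: write` and `pull-requests: write`, so whatever those tags resolve to at run time executes with a token that can push to the repository. Pinning each to a full commit SHA with the tag kept as a comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, removes that dependency on tag integrity, and the `github-actions` entry in the dependabot.yaml added by this commit can keep the pins current. The same job also runs `make -j generate` on Makefile modules that `make -j upgrade-klone` has just fetched, apparently with the checkout credentials still in place for the later `git push -f`, so the upstream module repository is effectively trusted with write access here. Since the file header marks it as generated, the change belongs in the upstream copy that header names.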
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/make/_shared/repository-base/base/Makefile b/make/_shared/repository-base/base/Makefile new file mode 100644 index 00000000000..6e1916a5a6d --- /dev/null +++ b/make/_shared/repository-base/base/Makefile 
@@ -0,0 +1,109 @@
+# Copyright 2023 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/Makefile instead.
+
+# NOTE FOR DEVELOPERS: "How do the Makefiles work and how can I extend them?"
+#
+# Shared Makefile logic lives in the make/_shared/ directory. The source of truth for these files
+# lies outside of this repository, eg. in the cert-manager/makefile-modules repository.
+#
+# Logic specific to this repository must be defined in the make/00_mod.mk and make/02_mod.mk files:
+# - The make/00_mod.mk file is included first and contains variable definitions needed by
+# the shared Makefile logic.
+# - The make/02_mod.mk file is included later, it can make use of most of the shared targets
+# defined in the make/_shared/ directory (all targets defined in 00_mod.mk and 01_mod.mk).
+# This file should be used to define targets specific to this repository.
+
+##################################
+
+# Some modules build their dependencies from variables, we want these to be
+# evalutated at the last possible moment. For this we use second expansion to
+# re-evaluate the generate and verify targets a second time.
+#
+# See https://www.gnu.org/software/make/manual/html_node/Secondary-Expansion.html
+.SECONDEXPANSION:
+
+# For details on some of these "prelude" settings, see:
+# https://clarkgrubb.com/makefile-style-guide
+MAKEFLAGS += --warn-undefined-variables --no-builtin-rules
+SHELL := /usr/bin/env bash
+.SHELLFLAGS := -uo pipefail -c
+.DEFAULT_GOAL := help
+.DELETE_ON_ERROR:
+.SUFFIXES:
+FORCE:
+
+noop: # do nothing
+
+##################################
+# Host OS and architecture setup #
+##################################
+
+# The reason we don't use "go env GOOS" or "go env GOARCH" is that the "go"
+# binary may not be available in the PATH yet when the Makefiles are
+# evaluated. HOST_OS and HOST_ARCH only support Linux, *BSD and macOS (M1
+# and Intel).
+HOST_OS ?= $(shell uname -s | tr A-Z a-z)
+HOST_ARCH ?= $(shell uname -m)
+
+ifeq (x86_64, $(HOST_ARCH))
+ HOST_ARCH = amd64
+else ifeq (aarch64, $(HOST_ARCH))
+ # linux reports the arm64 arch as aarch64
+ HOST_ARCH = arm64
+endif
+
+##################################
+# Git and versioning information #
+##################################
+
+VERSION ?= $(shell git describe --tags --always --match='v*' --abbrev=14 --dirty)
+IS_PRERELEASE := $(shell git describe --tags --always --match='v*' --abbrev=0 | grep -q '-' && echo true || echo false)
+GITCOMMIT := $(shell git rev-parse HEAD)
+GITEPOCH := $(shell git show -s --format=%ct HEAD)
+
+##################################
+# Global variables and dirs #
+##################################
+
+bin_dir := _bin
+
+# The ARTIFACTS environment variable is set by the CI system to a directory
+# where artifacts should be placed. These artifacts are then uploaded to a
+# storage bucket by the CI system (https://docs.prow.k8s.io/docs/components/pod-utilities/).
+# An example of such an artifact is a jUnit XML file containing test results.
+# If the ARTIFACTS environment variable is not set, we default to a local
+# directory in the _bin directory.
+ARTIFACTS ?= $(bin_dir)/artifacts
+
+$(bin_dir) $(ARTIFACTS) $(bin_dir)/scratch:
+ mkdir -p $@
+
+.PHONY: clean
+## Clean all temporary files
+## @category [shared] Tools
+clean:
+ rm -rf $(bin_dir)
+
+##################################
+# Include all the Makefiles #
+##################################
+
+-include make/00_mod.mk
+-include make/_shared/*/00_mod.mk
+-include make/_shared/*/01_mod.mk
+-include make/02_mod.mk
+-include make/_shared/*/02_mod.mk
diff --git a/make/_shared/repository-base/base/OWNERS_ALIASES b/make/_shared/repository-base/base/OWNERS_ALIASES
new file mode 100644
index 00000000000..6d51f05b459
--- /dev/null
+++ b/make/_shared/repository-base/base/OWNERS_ALIASES
@@ -0,0 +1,13 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/OWNERS_ALIASES instead.
+
+aliases:
+ cm-maintainers:
+ - munnerz
+ - joshvanl
+ - wallrj
+ - jakexks
+ - maelvls
+ - irbekrm
+ - sgtcodfish
+ - inteon
diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk
new file mode 100644
index 00000000000..e4c2a5a7277
--- /dev/null
+++ b/make/_shared/tools/00_mod.mk
@@ -0,0 +1,603 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ifndef bin_dir +$(error bin_dir is not set) +endif + +########################################## + +$(bin_dir)/scratch/image $(bin_dir)/tools $(bin_dir)/downloaded $(bin_dir)/downloaded/tools: + @mkdir -p $@ + +checkhash_script := $(dir $(lastword $(MAKEFILE_LIST)))/util/checkhash.sh + +for_each_kv = $(foreach item,$2,$(eval $(call $1,$(word 1,$(subst =, ,$(item))),$(word 2,$(subst =, ,$(item)))))) + +# To make sure we use the right version of each tool, we put symlink in +# $(bin_dir)/tools, and the actual binaries are in $(bin_dir)/downloaded. When bumping +# the version of the tools, this symlink gets updated. + +# Let's have $(bin_dir)/tools in front of the PATH so that we don't inavertedly +# pick up the wrong binary somewhere. 
Watch out, $(shell echo $$PATH) will +# still print the original PATH, since GNU make does not honor exported +# variables: https://stackoverflow.com/questions/54726457 +export PATH := $(CURDIR)/$(bin_dir)/tools:$(PATH) + +CTR=docker + +TOOLS := +# https://github.com/helm/helm/releases +TOOLS += helm=v3.14.0 +# https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl +TOOLS += kubectl=v1.29.1 +# https://github.com/kubernetes-sigs/kind/releases +TOOLS += kind=v0.20.0 +# https://www.vaultproject.io/downloads +TOOLS += vault=1.15.4 +# https://github.com/Azure/azure-workload-identity/releases +TOOLS += azwi=v1.2.0 +# https://github.com/kyverno/kyverno/releases +TOOLS += kyverno=v1.11.3 +# https://github.com/mikefarah/yq/releases +TOOLS += yq=v4.40.5 +# https://github.com/ko-build/ko/releases +TOOLS += ko=0.15.1 +# https://github.com/protocolbuffers/protobuf/releases +TOOLS += protoc=25.2 +# https://github.com/aquasecurity/trivy/releases +TOOLS += trivy=v0.45.0 +# https://github.com/vmware-tanzu/carvel-ytt/releases +TOOLS += ytt=v0.45.4 +# https://github.com/rclone/rclone/releases +TOOLS += rclone=v1.64.0 + +### go packages +# https://pkg.go.dev/sigs.k8s.io/controller-tools/cmd/controller-gen?tab=versions +TOOLS += controller-gen=v0.14.0 +# https://pkg.go.dev/golang.org/x/tools/cmd/goimports?tab=versions +TOOLS += goimports=v0.17.0 +# https://pkg.go.dev/github.com/google/go-licenses/licenses?tab=versions +TOOLS += go-licenses=706b9c60edd424a8b6d253fe10dfb7b8e942d4a5 +# https://pkg.go.dev/gotest.tools/gotestsum?tab=versions +TOOLS += gotestsum=v1.11.0 +# https://pkg.go.dev/sigs.k8s.io/kustomize/kustomize/v4?tab=versions +TOOLS += kustomize=v4.5.7 +# https://pkg.go.dev/github.com/itchyny/gojq?tab=versions +TOOLS += gojq=v0.12.14 +# https://pkg.go.dev/github.com/google/go-containerregistry/pkg/crane?tab=versions +TOOLS += crane=v0.18.0 +# https://pkg.go.dev/google.golang.org/protobuf/cmd/protoc-gen-go?tab=versions +TOOLS += 
protoc-gen-go=v1.32.0 +# https://pkg.go.dev/github.com/norwoodj/helm-docs/cmd/helm-docs?tab=versions +TOOLS += helm-docs=v1.12.0 +# https://pkg.go.dev/github.com/sigstore/cosign/v2/cmd/cosign?tab=versions +TOOLS += cosign=v2.2.2 +# https://pkg.go.dev/github.com/cert-manager/boilersuite?tab=versions +TOOLS += boilersuite=v0.1.0 +# https://pkg.go.dev/github.com/princjef/gomarkdoc/cmd/gomarkdoc?tab=versions +TOOLS += gomarkdoc=v1.1.0 +# https://pkg.go.dev/oras.land/oras/cmd/oras?tab=versions +TOOLS += oras=v1.1.0 +# https://pkg.go.dev/github.com/onsi/ginkgo/v2/ginkgo?tab=versions +# The gingko version should be kept in sync with the version used in code. +# If there is no go.mod file (which is only the case for the makefile-modules +# repo), then we default to a version that we know exists. We have to do this +# because otherwise the awk failure renders the whole makefile unusable. +TOOLS += ginkgo=$(shell [[ -f go.mod ]] && awk '/ginkgo\/v2/ {print $$2}' go.mod || echo "v2.13.2") +# https://pkg.go.dev/github.com/cert-manager/klone?tab=versions +TOOLS += klone=v0.0.4 +# https://pkg.go.dev/github.com/goreleaser/goreleaser?tab=versions +TOOLS += goreleaser=v1.23.0 +# https://pkg.go.dev/github.com/anchore/syft/cmd/syft?tab=versions +TOOLS += syft=v0.100.0 +# https://github.com/cert-manager/helm-tool +TOOLS += helm-tool=v0.4.2 +# https://github.com/cert-manager/cmctl +TOOLS += cmctl=2f75014a7c360c319f8c7c8afe8e9ce33fe26dca +# https://pkg.go.dev/github.com/cert-manager/release/cmd/cmrel?tab=versions +TOOLS += cmrel=fa10147dadc8c36718b7b08aed6d8c6418eb2 +# https://github.com/golangci/golangci-lint/releases +TOOLS += golangci-lint=v1.55.2 +# https://pkg.go.dev/golang.org/x/vuln?tab=versions +TOOLS += govulncheck=v1.0.4 + +# https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions +K8S_CODEGEN_VERSION=v0.29.1 +TOOLS += client-gen=$(K8S_CODEGEN_VERSION) +TOOLS += deepcopy-gen=$(K8S_CODEGEN_VERSION) +TOOLS += informer-gen=$(K8S_CODEGEN_VERSION) +TOOLS += 
lister-gen=$(K8S_CODEGEN_VERSION) +TOOLS += applyconfiguration-gen=$(K8S_CODEGEN_VERSION) +TOOLS += openapi-gen=$(K8S_CODEGEN_VERSION) +TOOLS += defaulter-gen=$(K8S_CODEGEN_VERSION) +TOOLS += conversion-gen=$(K8S_CODEGEN_VERSION) + +# https://github.com/kubernetes-sigs/kubebuilder/blob/tools-releases/build/cloudbuild_tools.yaml +KUBEBUILDER_ASSETS_VERSION=1.29.0 +TOOLS += etcd=$(KUBEBUILDER_ASSETS_VERSION) +TOOLS += kube-apiserver=$(KUBEBUILDER_ASSETS_VERSION) + +# Additional tools can be defined to reuse the tooling in this file +ADDITIONAL_TOOLS ?= +TOOLS += $(ADDITIONAL_TOOLS) + +# https://go.dev/dl/ +VENDORED_GO_VERSION := 1.21.8 + +# Print the go version which can be used in GH actions +.PHONY: print-go-version +print-go-version: + @echo result=$(VENDORED_GO_VERSION) + +# When switching branches which use different versions of the tools, we +# need a way to re-trigger the symlinking from $(bin_dir)/downloaded to $(bin_dir)/tools. +$(bin_dir)/scratch/%_VERSION: FORCE | $(bin_dir)/scratch + @test "$($*_VERSION)" == "$(shell cat $@ 2>/dev/null)" || echo $($*_VERSION) > $@ + +# --silent = don't print output like progress meters +# --show-error = but do print errors when they happen +# --fail = exit with a nonzero error code without the response from the server when there's an HTTP error +# --location = follow redirects from the server +# --retry = the number of times to retry a failed attempt to connect +# --retry-connrefused = retry even if the initial connection was refused +CURL = curl --silent --show-error --fail --location --retry 10 --retry-connrefused + +# In Prow, the pod has the folder "$(bin_dir)/downloaded" mounted into the +# container. For some reason, even though the permissions are correct, +# binaries that are mounted with hostPath can't be executed. When in CI, we +# copy the binaries to work around that. Using $(LN) is only required when +# dealing with binaries. Other files and folders can be symlinked. 
+# +# Details on how "$(bin_dir)/downloaded" gets cached are available in the +# description of the PR https://github.com/jetstack/testing/pull/651. +# +# We use "printenv CI" instead of just "ifeq ($(CI),)" because otherwise we +# would get "warning: undefined variable 'CI'". +ifeq ($(shell printenv CI),) +LN := ln -f -s +else +LN := cp -f -r +endif + +UC = $(shell echo '$1' | tr a-z A-Z) +LC = $(shell echo '$1' | tr A-Z a-z) + +TOOL_NAMES := + +# for each item `xxx` in the TOOLS variable: +# - a $(XXX_VERSION) variable is generated +# -> this variable contains the version of the tool +# - a $(NEEDS_XXX) variable is generated +# -> this variable contains the target name for the tool, +# which is the relative path of the binary, this target +# should be used when adding the tool as a dependency to +# your target, you can't use $(XXX) as a dependency because +# make does not support an absolute path as a dependency +# - a $(XXX) variable is generated +# -> this variable contains the absolute path of the binary, +# the absolute path should be used when executing the binary +# in targets or in scripts, because it is agnostic to the +# working directory +# - an unversioned target $(bin_dir)/tools/xxx is generated that +# creates a copy/ link to the corresponding versioned target: +# $(bin_dir)/tools/xxx@$(XXX_VERSION)_$(HOST_OS)_$(HOST_ARCH) +define tool_defs +TOOL_NAMES += $1 + +$(call UC,$1)_VERSION ?= $2 +NEEDS_$(call UC,$1) := $$(bin_dir)/tools/$1 +$(call UC,$1) := $$(CURDIR)/$$(bin_dir)/tools/$1 + +$$(bin_dir)/tools/$1: $$(bin_dir)/scratch/$(call UC,$1)_VERSION | $$(bin_dir)/downloaded/tools/$1@$$($(call UC,$1)_VERSION)_$$(HOST_OS)_$$(HOST_ARCH) $$(bin_dir)/tools + cd $$(dir $$@) && $$(LN) $$(patsubst $$(bin_dir)/%,../%,$$(word 1,$$|)) $$(notdir $$@) + @touch $$@ # making sure the target of the symlink is newer than *_VERSION +endef + +$(foreach TOOL,$(TOOLS),$(eval $(call tool_defs,$(word 1,$(subst =, ,$(TOOL))),$(word 2,$(subst =, ,$(TOOL)))))) + +TOOLS_PATHS := 
$(TOOL_NAMES:%=$(bin_dir)/tools/%) + +###### +# Go # +###### + +# $(NEEDS_GO) is a target that is set as an order-only prerequisite in +# any target that calls $(GO), e.g.: +# +# $(bin_dir)/tools/crane: $(NEEDS_GO) +# $(GO) build -o $(bin_dir)/tools/crane +# +# $(NEEDS_GO) is empty most of the time, except when running "make vendor-go" +# or when "make vendor-go" was previously run, in which case $(NEEDS_GO) is set +# to $(bin_dir)/tools/go, since $(bin_dir)/tools/go is a prerequisite of +# any target depending on Go when "make vendor-go" was run. +NEEDS_GO := $(if $(findstring vendor-go,$(MAKECMDGOALS))$(shell [ -f $(bin_dir)/tools/go ] && echo yes), $(bin_dir)/tools/go,) +ifeq ($(NEEDS_GO),) +GO := go +else +export GOROOT := $(CURDIR)/$(bin_dir)/tools/goroot +export PATH := $(CURDIR)/$(bin_dir)/tools/goroot/bin:$(PATH) +GO := $(CURDIR)/$(bin_dir)/tools/go +endif + +.PHONY: vendor-go +## By default, this Makefile uses the system's Go. You can use a "vendored" +## version of Go that will get downloaded by running this command once. To +## disable vendoring, run "make unvendor-go". When vendoring is enabled, +## you will want to set the following: +## +## export PATH="$PWD/$(bin_dir)/tools:$PATH" +## export GOROOT="$PWD/$(bin_dir)/tools/goroot" +## @category [shared] Tools +vendor-go: $(bin_dir)/tools/go + +.PHONY: unvendor-go +unvendor-go: $(bin_dir)/tools/go + rm -rf $(bin_dir)/tools/go $(bin_dir)/tools/goroot + +.PHONY: which-go +## Print the version and path of go which will be used for building and +## testing in Makefile commands. 
Vendored go will have a path in ./bin +## @category [shared] Tools +which-go: | $(NEEDS_GO) + @$(GO) version + @echo "go binary used for above version information: $(GO)" + +$(bin_dir)/tools/go: $(bin_dir)/scratch/VENDORED_GO_VERSION | $(bin_dir)/tools/goroot $(bin_dir)/tools + cd $(dir $@) && $(LN) ./goroot/bin/go $(notdir $@) + @touch $@ # making sure the target of the symlink is newer than *_VERSION + +# The "_" in "_bin" prevents "go mod tidy" from trying to tidy the vendored goroot. +$(bin_dir)/tools/goroot: $(bin_dir)/scratch/VENDORED_GO_VERSION | $(bin_dir)/go_vendor/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH)/goroot $(bin_dir)/tools + @rm -rf $(bin_dir)/tools/goroot + cd $(dir $@) && $(LN) $(patsubst $(bin_dir)/%,../%,$(word 1,$|)) $(notdir $@) + @touch $@ # making sure the target of the symlink is newer than *_VERSION + +# Extract the tar to the _bin/go directory, this directory is not cached across CI runs. +$(bin_dir)/go_vendor/go@$(VENDORED_GO_VERSION)_%/goroot: | $(bin_dir)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz + @rm -rf $@ && mkdir -p $(dir $@) + tar xzf $| -C $(dir $@) + mv $(dir $@)/go $(dir $@)/goroot + +# Keep the downloaded tar so it is cached across CI runs. 
+.PRECIOUS: $(bin_dir)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz +$(bin_dir)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz: | $(bin_dir)/downloaded/tools + $(CURL) https://go.dev/dl/go$(VENDORED_GO_VERSION).$(subst _,-,$*).tar.gz -o $@ + +################### +# go dependencies # +################### + +GO_DEPENDENCIES := +GO_DEPENDENCIES += ginkgo=github.com/onsi/ginkgo/v2/ginkgo +GO_DEPENDENCIES += controller-gen=sigs.k8s.io/controller-tools/cmd/controller-gen +GO_DEPENDENCIES += goimports=golang.org/x/tools/cmd/goimports +GO_DEPENDENCIES += go-licenses=github.com/google/go-licenses +GO_DEPENDENCIES += gotestsum=gotest.tools/gotestsum +GO_DEPENDENCIES += kustomize=sigs.k8s.io/kustomize/kustomize/v4 +GO_DEPENDENCIES += gojq=github.com/itchyny/gojq/cmd/gojq +GO_DEPENDENCIES += crane=github.com/google/go-containerregistry/cmd/crane +GO_DEPENDENCIES += protoc-gen-go=google.golang.org/protobuf/cmd/protoc-gen-go +GO_DEPENDENCIES += helm-docs=github.com/norwoodj/helm-docs/cmd/helm-docs +GO_DEPENDENCIES += cosign=github.com/sigstore/cosign/v2/cmd/cosign +GO_DEPENDENCIES += boilersuite=github.com/cert-manager/boilersuite +GO_DEPENDENCIES += gomarkdoc=github.com/princjef/gomarkdoc/cmd/gomarkdoc +GO_DEPENDENCIES += oras=oras.land/oras/cmd/oras +GO_DEPENDENCIES += klone=github.com/cert-manager/klone +GO_DEPENDENCIES += goreleaser=github.com/goreleaser/goreleaser +GO_DEPENDENCIES += syft=github.com/anchore/syft/cmd/syft +GO_DEPENDENCIES += client-gen=k8s.io/code-generator/cmd/client-gen +GO_DEPENDENCIES += deepcopy-gen=k8s.io/code-generator/cmd/deepcopy-gen +GO_DEPENDENCIES += informer-gen=k8s.io/code-generator/cmd/informer-gen +GO_DEPENDENCIES += lister-gen=k8s.io/code-generator/cmd/lister-gen +GO_DEPENDENCIES += applyconfiguration-gen=k8s.io/code-generator/cmd/applyconfiguration-gen +GO_DEPENDENCIES += openapi-gen=k8s.io/code-generator/cmd/openapi-gen +GO_DEPENDENCIES += defaulter-gen=k8s.io/code-generator/cmd/defaulter-gen +GO_DEPENDENCIES += 
conversion-gen=k8s.io/code-generator/cmd/conversion-gen +GO_DEPENDENCIES += helm-tool=github.com/cert-manager/helm-tool +GO_DEPENDENCIES += cmctl=github.com/cert-manager/cmctl/v2 +GO_DEPENDENCIES += cmrel=github.com/cert-manager/release/cmd/cmrel +GO_DEPENDENCIES += golangci-lint=github.com/golangci/golangci-lint/cmd/golangci-lint +GO_DEPENDENCIES += govulncheck=golang.org/x/vuln/cmd/govulncheck + +################# +# go build tags # +################# + +GO_TAGS := + +# Additional Go dependencies can be defined to re-use the tooling in this file +ADDITIONAL_GO_DEPENDENCIES ?= +ADDITIONAL_GO_TAGS ?= +GO_DEPENDENCIES += $(ADDITIONAL_GO_DEPENDENCIES) +GO_TAGS += $(ADDITIONAL_GO_TAGS) + +go_tags_init = go_tags_$1 := +$(call for_each_kv,go_tags_init,$(GO_DEPENDENCIES)) + +go_tags_defs = go_tags_$1 += $2 +$(call for_each_kv,go_tags_defs,$(GO_TAGS)) + +define go_dependency +$$(bin_dir)/downloaded/tools/$1@$($(call UC,$1)_VERSION)_%: | $$(NEEDS_GO) $$(bin_dir)/downloaded/tools + GOWORK=off GOBIN=$$(CURDIR)/$$(dir $$@) $$(GO) install --tags "$(strip $(go_tags_$1))" $2@$($(call UC,$1)_VERSION) + @mv $$(CURDIR)/$$(dir $$@)/$1 $$@ +endef +$(call for_each_kv,go_dependency,$(GO_DEPENDENCIES)) + +######## +# Helm # +######## + +HELM_linux_amd64_SHA256SUM=f43e1c3387de24547506ab05d24e5309c0ce0b228c23bd8aa64e9ec4b8206651 +HELM_linux_arm64_SHA256SUM=b29e61674731b15f6ad3d1a3118a99d3cc2ab25a911aad1b8ac8c72d5a9d2952 +HELM_darwin_amd64_SHA256SUM=804586896496f7b3da97f56089ea00f220e075e969b6fdf6c0b7b9cdc22de120 +HELM_darwin_arm64_SHA256SUM=c2f36f3289a01c7c93ca11f84d740a170e0af1d2d0280bd523a409a62b8dfa1d + +$(bin_dir)/downloaded/tools/helm@$(HELM_VERSION)_%: | $(bin_dir)/downloaded/tools + $(CURL) https://get.helm.sh/helm-$(HELM_VERSION)-$(subst _,-,$*).tar.gz -o $@.tar.gz + $(checkhash_script) $@.tar.gz $(HELM_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $@.tar.gz $(subst _,-,$*)/helm > $@ + chmod +x $@ + rm -f $@.tar.gz + +########### +# kubectl # +########### + 
+KUBECTL_linux_amd64_SHA256SUM=69ab3a931e826bf7ac14d38ba7ca637d66a6fcb1ca0e3333a2cafdf15482af9f +KUBECTL_linux_arm64_SHA256SUM=96d6dc7b2bdcd344ce58d17631c452225de5bbf59b83fd3c89c33c6298fb5d8b +KUBECTL_darwin_amd64_SHA256SUM=c4da86e5c0fc9415db14a48d9ef1515b0b472346cbc9b7f015175b6109505d2c +KUBECTL_darwin_arm64_SHA256SUM=c31b99d7bf0faa486a6554c5f96e36af4821a488e90176a12ba18298bc4c8fb0 + +$(bin_dir)/downloaded/tools/kubectl@$(KUBECTL_VERSION)_%: | $(bin_dir)/downloaded/tools + $(CURL) https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/$(subst _,/,$*)/kubectl -o $@ + $(checkhash_script) $@ $(KUBECTL_$*_SHA256SUM) + chmod +x $@ + +######## +# kind # +######## + +KIND_linux_amd64_SHA256SUM=513a7213d6d3332dd9ef27c24dab35e5ef10a04fa27274fe1c14d8a246493ded +KIND_linux_arm64_SHA256SUM=639f7808443559aa30c3642d9913b1615d611a071e34f122340afeda97b8f422 +KIND_darwin_amd64_SHA256SUM=bffd8fb2006dc89fa0d1dde5ba6bf48caacb707e4df8551528f49145ebfeb7ad +KIND_darwin_arm64_SHA256SUM=8df041a5cae55471f3b039c3c9942226eb909821af63b5677fc80904caffaabf + +$(bin_dir)/downloaded/tools/kind@$(KIND_VERSION)_%: | $(bin_dir)/downloaded/tools $(bin_dir)/tools + $(CURL) -sSfL https://github.com/kubernetes-sigs/kind/releases/download/$(KIND_VERSION)/kind-$(subst _,-,$*) -o $@ + $(checkhash_script) $@ $(KIND_$*_SHA256SUM) + chmod +x $@ + +######### +# vault # +######### + +VAULT_linux_amd64_SHA256SUM=f42f550713e87cceef2f29a4e2b754491697475e3d26c0c5616314e40edd8e1b +VAULT_linux_arm64_SHA256SUM=79aee168078eb8c0dbb31c283e1136a7575f59fe36fccbb1f1ef6a16e0b67fdb +VAULT_darwin_amd64_SHA256SUM=a9d7c6e76d7d5c9be546e9a74860b98db6486fc0df095d8b00bc7f63fb1f6c1c +VAULT_darwin_arm64_SHA256SUM=4bf594a231bef07fbcfbf7329c8004acb8d219ce6a7aff186e0bac7027a0ab25 + +$(bin_dir)/downloaded/tools/vault@$(VAULT_VERSION)_%: | $(bin_dir)/downloaded/tools + $(CURL) https://releases.hashicorp.com/vault/$(VAULT_VERSION)/vault_$(VAULT_VERSION)_$*.zip -o $@.zip + $(checkhash_script) $@.zip $(VAULT_$*_SHA256SUM) + unzip -qq -c $@.zip > $@ 
+ chmod +x $@ + rm -f $@.zip + +######## +# azwi # +######## + +AZWI_linux_amd64_SHA256SUM=d2ef0f27609b7157595fe62b13c03381a481f833c1e1b6290df560454890d337 +AZWI_linux_arm64_SHA256SUM=72e34bc96611080095e90ecce58a72e50debf846106b13976f2972bf06ae12df +AZWI_darwin_amd64_SHA256SUM=2be5f18c0acfb213a22db5a149dd89c7d494690988cb8e8a785dd6915f7094d0 +AZWI_darwin_arm64_SHA256SUM=d0b01768102dd472c72c98bb51ae990af8779e811c9f7ab1db48ccefc9988f4c + +$(bin_dir)/downloaded/tools/azwi@$(AZWI_VERSION)_%: | $(bin_dir)/downloaded/tools + $(CURL) https://github.com/Azure/azure-workload-identity/releases/download/$(AZWI_VERSION)/azwi-$(AZWI_VERSION)-$(subst _,-,$*).tar.gz -o $@.tar.gz + $(checkhash_script) $@.tar.gz $(AZWI_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $@.tar.gz azwi > $@ && chmod 775 $@ + rm -f $@.tar.gz + +############################ +# kubebuilder-tools assets # +# kube-apiserver / etcd # +############################ + +KUBEBUILDER_TOOLS_linux_amd64_SHA256SUM=e9899574fb92fd4a4ca27539d15a30f313f8a482b61b46cb874a07f2ba4f9bcb +KUBEBUILDER_TOOLS_linux_arm64_SHA256SUM=ef22e16c439b45f3e116498f7405be311bab92c3345766ab2142e86458cda92e +KUBEBUILDER_TOOLS_darwin_amd64_SHA256SUM=e5796637cc8e40029f0def639bbe7d99193c1872555c919d2b76c32e0e34378f +KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=9734b90206f17a46f4dd0a7e3bb107d44aec9e79b7b135c6eb7c8a250ffd5e03 + +$(bin_dir)/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_%: $(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(bin_dir)/downloaded/tools + $(checkhash_script) $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $< kubebuilder/bin/etcd > $@ && chmod 775 $@ + +$(bin_dir)/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_%: $(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(bin_dir)/downloaded/tools + $(checkhash_script) $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM) + @# O writes the 
specified file to stdout + tar xfO $< kubebuilder/bin/kube-apiserver > $@ && chmod 775 $@ + +$(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(bin_dir)/downloaded/tools + $(CURL) https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-$(KUBEBUILDER_ASSETS_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $@ + +########### +# kyverno # +########### + +KYVERNO_linux_amd64_SHA256SUM=08cf3640b847e3bbd41c5014ece4e0aa6c39915f5c199eeac8d80267955676e6 +KYVERNO_linux_arm64_SHA256SUM=31805a52e98733b390c60636f209e0bda3174bd09e764ba41fa971126b98d2fc +KYVERNO_darwin_amd64_SHA256SUM=21fa0733d1a73d510fa0e30ac10310153b7124381aa21224b54fe34a38239542 +KYVERNO_darwin_arm64_SHA256SUM=022bc2640f05482cab290ca8cd28a67f55b24c14b93076bd144c37a1732e6d7e + +$(bin_dir)/downloaded/tools/kyverno@$(KYVERNO_VERSION)_%: | $(bin_dir)/downloaded/tools + $(CURL) https://github.com/kyverno/kyverno/releases/download/$(KYVERNO_VERSION)/kyverno-cli_$(KYVERNO_VERSION)_$(subst amd64,x86_64,$*).tar.gz -fsSL -o $@.tar.gz + $(checkhash_script) $@.tar.gz $(KYVERNO_$*_SHA256SUM) + @# O writes the specified file to stdout + tar xfO $@.tar.gz kyverno > $@ + chmod +x $@ + rm -f $@.tar.gz + +###### +# yq # +###### + +YQ_linux_amd64_SHA256SUM=0d6aaf1cf44a8d18fbc7ed0ef14f735a8df8d2e314c4cc0f0242d35c0a440c95 +YQ_linux_arm64_SHA256SUM=9431f0fa39a0af03a152d7fe19a86e42e9ff28d503ed4a70598f9261ec944a97 +YQ_darwin_amd64_SHA256SUM=7f88b959c3fd2755e77dbf5bd92780dc3626c1c00ac45d5b5134f04189a142dc +YQ_darwin_arm64_SHA256SUM=1ef0022ed6d0769d19e2d391dd731162034b0e0ba2c9b53dda039d16cec1c26a + +$(bin_dir)/downloaded/tools/yq@$(YQ_VERSION)_%: | $(bin_dir)/downloaded/tools + $(CURL) https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$* -o $@ + $(checkhash_script) $@ $(YQ_$*_SHA256SUM) + chmod +x $@ + +###### +# ko # +###### + +KO_linux_amd64_SHA256SUM=5b06079590371954cceadf0ddcfa8471afb039c29a2e971043915957366a2f39 
+KO_linux_arm64_SHA256SUM=fcbb736f7440d686ca1cf8b4c3f6b9b80948eb17d6cef7c14242eddd275cab42 +KO_darwin_amd64_SHA256SUM=4f388a4b08bde612a20d799045a57a9b8847483baf1a1590d3c32735e7c30c16 +KO_darwin_arm64_SHA256SUM=45f2c1a50fdadb7ef38abbb479897d735c95238ec25c4f505177d77d60ed91d6 + +$(bin_dir)/downloaded/tools/ko@$(KO_VERSION)_%: | $(bin_dir)/downloaded/tools + $(CURL) https://github.com/ko-build/ko/releases/download/v$(KO_VERSION)/ko_$(KO_VERSION)_$(subst linux,Linux,$(subst darwin,Darwin,$(subst amd64,x86_64,$*))).tar.gz -o $@.tar.gz + $(checkhash_script) $@.tar.gz $(KO_$*_SHA256SUM) + tar xfO $@.tar.gz ko > $@ + chmod +x $@ + rm -f $@.tar.gz + +########## +# protoc # +########## + +PROTOC_linux_amd64_SHA256SUM=78ab9c3288919bdaa6cfcec6127a04813cf8a0ce406afa625e48e816abee2878 +PROTOC_linux_arm64_SHA256SUM=07683afc764e4efa3fa969d5f049fbc2bdfc6b4e7786a0b233413ac0d8753f6b +PROTOC_darwin_amd64_SHA256SUM=5fe89993769616beff1ed77408d1335216379ce7010eee80284a01f9c87c8888 +PROTOC_darwin_arm64_SHA256SUM=8822b090c396800c96ac652040917eb3fbc5e542538861aad7c63b8457934b20 + +$(bin_dir)/downloaded/tools/protoc@$(PROTOC_VERSION)_%: | $(bin_dir)/downloaded/tools + $(CURL) https://github.com/protocolbuffers/protobuf/releases/download/v$(PROTOC_VERSION)/protoc-$(PROTOC_VERSION)-$(subst darwin,osx,$(subst arm64,aarch_64,$(subst amd64,x86_64,$(subst _,-,$*)))).zip -o $@.zip + $(checkhash_script) $@.zip $(PROTOC_$*_SHA256SUM) + unzip -qq -c $@.zip bin/protoc > $@ + chmod +x $@ + rm -f $@.zip + +######### +# trivy # +######### + +TRIVY_linux_amd64_SHA256SUM=b9785455f711e3116c0a97b01ad6be334895143ed680a405e88a4c4c19830d5d +TRIVY_linux_arm64_SHA256SUM=a192edfcef8766fa7e3e96a6a5faf50cd861371785891857471548e4af7cb60b +TRIVY_darwin_amd64_SHA256SUM=997622dee1d07de0764f903b72d16ec4314daaf202d91c957137b4fd1a2f73c3 +TRIVY_darwin_arm64_SHA256SUM=68aa451f395fa5418f5af59ce4081ef71075c857b95a297dc61da49c6a229a45 + +$(bin_dir)/downloaded/tools/trivy@$(TRIVY_VERSION)_%: | $(bin_dir)/downloaded/tools + $(eval 
OS_AND_ARCH := $(subst darwin,macOS,$*)) + $(eval OS_AND_ARCH := $(subst linux,Linux,$(OS_AND_ARCH))) + $(eval OS_AND_ARCH := $(subst arm64,ARM64,$(OS_AND_ARCH))) + $(eval OS_AND_ARCH := $(subst amd64,64bit,$(OS_AND_ARCH))) + + $(CURL) https://github.com/aquasecurity/trivy/releases/download/$(TRIVY_VERSION)/trivy_$(patsubst v%,%,$(TRIVY_VERSION))_$(subst _,-,$(OS_AND_ARCH)).tar.gz -o $@.tar.gz + $(checkhash_script) $@.tar.gz $(TRIVY_$*_SHA256SUM) + tar xfO $@.tar.gz trivy > $@ + chmod +x $@ + rm $@.tar.gz + +####### +# ytt # +####### + +YTT_linux_amd64_SHA256SUM=9bf62175c7cc0b54f9731a5b87ee40250f0457b1fce1b0b36019c2f8d96db8f8 +YTT_linux_arm64_SHA256SUM=cbfc85f11ffd8e61d63accf799b8997caaebe46ee046290cc1c4d05ed1ab145b +YTT_darwin_amd64_SHA256SUM=2b6d173dec1b6087e22690386474786fd9a2232c4479d8975cc98ae8160eea76 +YTT_darwin_arm64_SHA256SUM=3e6f092bfe7a121d15126a0de6503797818c6b6745fbc97213f519d35fab08f9 + +$(bin_dir)/downloaded/tools/ytt@$(YTT_VERSION)_%: | $(bin_dir)/downloaded/tools + $(CURL) -sSfL https://github.com/vmware-tanzu/carvel-ytt/releases/download/$(YTT_VERSION)/ytt-$(subst _,-,$*) -o $@ + $(checkhash_script) $@ $(YTT_$*_SHA256SUM) + chmod +x $@ + +########## +# rclone # +########## + +RCLONE_linux_amd64_SHA256SUM=7ebdb680e615f690bd52c661487379f9df8de648ecf38743e49fe12c6ace6dc7 +RCLONE_linux_arm64_SHA256SUM=b5a6cb3aef4fd1a2165fb8c21b1b1705f3cb754a202adc81931b47cd39c64749 +RCLONE_darwin_amd64_SHA256SUM=9ef83833296876f3182b87030b4f2e851b56621bad4ca4d7a14753553bb8b640 +RCLONE_darwin_arm64_SHA256SUM=9183f495b28acb12c872175c6af1f6ba8ca677650cb9d2774caefea273294c8a + +$(bin_dir)/downloaded/tools/rclone@$(RCLONE_VERSION)_%: | $(bin_dir)/downloaded/tools + $(eval OS_AND_ARCH := $(subst darwin,osx,$*)) + $(CURL) https://github.com/rclone/rclone/releases/download/$(RCLONE_VERSION)/rclone-$(RCLONE_VERSION)-$(subst _,-,$(OS_AND_ARCH)).zip -o $@.zip + $(checkhash_script) $@.zip $(RCLONE_$*_SHA256SUM) + @# -p writes to stdout, the second file arg specifies the sole file 
we + @# want to extract + unzip -p $@.zip rclone-$(RCLONE_VERSION)-$(subst _,-,$(OS_AND_ARCH))/rclone > $@ + chmod +x $@ + rm -f $@.zip + +################# +# Other Targets # +################# + +# Although we "vendor" most tools in $(bin_dir)/tools, we still require some binaries +# to be available on the system. The vendor-go MAKECMDGOALS trick prevents the +# check for the presence of Go when 'make vendor-go' is run. + +# Gotcha warning: MAKECMDGOALS only contains what the _top level_ make invocation used, and doesn't look at target dependencies +# i.e. if we have a target "abc: vendor-go test" and run "make abc", we'll get an error +# about go being missing even though abc itself depends on vendor-go! +# That means we need to pass vendor-go at the top level if go is not installed (i.e. "make vendor-go abc") + +MISSING=$(shell (command -v curl >/dev/null || echo curl) \ + && (command -v sha256sum >/dev/null || command -v shasum >/dev/null || echo sha256sum) \ + && (command -v git >/dev/null || echo git) \ + && ([ -n "$(findstring vendor-go,$(MAKECMDGOALS),)" ] \ + || command -v $(GO) >/dev/null || echo "$(GO) (or run 'make vendor-go')") \ + && (command -v $(CTR) >/dev/null || echo "$(CTR) (or set CTR to a docker-compatible tool)")) +ifneq ($(MISSING),) +$(error Missing required tools: $(MISSING)) +endif + +.PHONY: tools +## Download and setup all tools +## @category [shared] Tools +tools: $(TOOLS_PATHS) + +self_file := $(dir $(lastword $(MAKEFILE_LIST)))/00_mod.mk + +# This target is used to learn the sha256sum of the tools. It is used only +# in the makefile-modules repo, and should not be used in any other repo. 
+.PHONY: tools-learn-sha +tools-learn-sha: | $(bin_dir) + rm -rf ./$(bin_dir)/ + mkdir -p ./$(bin_dir)/scratch/ + $(eval export LEARN_FILE=$(CURDIR)/$(bin_dir)/scratch/learn_tools_file) + echo -n "" > "$(LEARN_FILE)" + + HOST_OS=linux HOST_ARCH=amd64 $(MAKE) tools + HOST_OS=linux HOST_ARCH=arm64 $(MAKE) tools + HOST_OS=darwin HOST_ARCH=amd64 $(MAKE) tools + HOST_OS=darwin HOST_ARCH=arm64 $(MAKE) tools + + while read p; do \ + sed -i "$$p" $(self_file); \ + done <"$(LEARN_FILE)" diff --git a/make/_shared/tools/util/checkhash.sh b/make/_shared/tools/util/checkhash.sh new file mode 100755 index 00000000000..f626f6f9cfe --- /dev/null +++ b/make/_shared/tools/util/checkhash.sh 
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eu -o pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+# This script takes the hash of its first argument and verifies it against the
+# hex hash given in its second argument
+
+function usage_and_exit() {
+ echo "usage: $0 "
+ echo "or: LEARN_FILE= $0 "
+ exit 1
+}
+
+HASH_TARGET=${1:-}
+EXPECTED_HASH=${2:-}
+
+if [[ -z $HASH_TARGET ]]; then
+ usage_and_exit
+fi
+
+if [[ -z $EXPECTED_HASH ]]; then
+ usage_and_exit
+fi
+
+SHASUM=$("${SCRIPT_DIR}/hash.sh" "$HASH_TARGET")
+
+if [[ "$SHASUM" == "$EXPECTED_HASH" ]]; then
+ exit 0
+fi
+
+# When running 'make learn-sha-tools', we don't want this script to fail.
+# Instead we log what sha values are wrong, so the make.mk file can be updated.
+
+if [ "${LEARN_FILE:-}" != "" ]; then
+ echo "s/$EXPECTED_HASH/$SHASUM/g" >> "${LEARN_FILE:-}"
+ exit 0
+fi
+
+echo "invalid checksum for \"$HASH_TARGET\": wanted \"$EXPECTED_HASH\" but got \"$SHASUM\""
+exit 1
diff --git a/make/_shared/tools/util/hash.sh b/make/_shared/tools/util/hash.sh
new file mode 100755
index 00000000000..3e58bfcb8f5
--- /dev/null
+++ b/make/_shared/tools/util/hash.sh
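Review bot: When `LEARN_FILE` is set, the mismatch branch at the end of checkhash.sh exits 0 without printing anything, so a download that does not match its pinned hash is accepted silently if that variable is ever present in the environment outside `tools-learn-sha`. Learn mode should announce itself on stderr before returning, for example `echo "LEARN_FILE set: recording new hash for \"$HASH_TARGET\", not verifying" >&2`, and the final "invalid checksum" message should also go to stderr with `>&2`. The comment above that branch refers to 'make learn-sha-tools' and 'make.mk', while the Makefile target added in this patch is `tools-learn-sha` and it rewrites `00_mod.mk`; the comment should use those names.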
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eu -o pipefail
+
+# This script is a wrapper for outputting purely the sha256 hash of the input file,
+# ideally in a portable way.
+
+case "$(uname -s)" in
+ Darwin*) shasum -a 256 "$1";;
+ *) sha256sum "$1"
+esac | cut -d" " -f1
\ No newline at end of file
From 1974533173c1b0cbcc3ec0dfc8f56be768ffab3e Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Mon, 22 Apr 2024 15:52:17 +0200 Subject: [PATCH 2/2] run 'make upgrade-klone' and 'make generate' Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- .github/dependabot.yaml | 6 ++-- .github/workflows/make-self-upgrade.yaml | 30 +++++++++++-------- klone.yaml | 12 ++++---- make/_shared/repository-base/01_mod.mk | 10 +++++++ .../.github/dependabot.yaml | 6 ++-- .../.github/workflows/make-self-upgrade.yaml | 30 +++++++++++-------- make/_shared/tools/00_mod.mk | 23 +++++++++----- 7 files changed, 72 insertions(+), 45 deletions(-) rename make/_shared/repository-base/{base => base-dependabot}/.github/dependabot.yaml (78%)
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 35367ea5cee..81b92973404 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
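Review bot: The `case` on `uname -s` in hash.sh picks the hashing tool by operating system, while the `MISSING` check in make/_shared/tools/00_mod.mk accepts a host that has either `sha256sum` or `shasum`. A Linux host that has only `shasum` therefore passes the prerequisite check and then fails here on every checksum verification. Selecting by availability keeps the two in agreement: `if command -v sha256sum >/dev/null; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d" " -f1`. The file also ends without a trailing newline.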
@@ -1,20 +1,20 @@ # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. # Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead. -# Update Go dependencies and GitHub Actions dependencies weekly. +# Update Go dependencies and GitHub Actions dependencies daily. version: 2 updates: - package-ecosystem: gomod directory: / schedule: - interval: weekly + interval: daily groups: all: patterns: ["*"] - package-ecosystem: github-actions directory: / schedule: - interval: weekly + interval: daily groups: all: patterns: ["*"] diff --git a/.github/workflows/make-self-upgrade.yaml b/.github/workflows/make-self-upgrade.yaml index ccebdb244eb..93beedff044 100644 --- a/.github/workflows/make-self-upgrade.yaml +++ b/.github/workflows/make-self-upgrade.yaml @@ -9,18 +9,22 @@ on: - cron: '0 0 * * *' jobs: - build_images: + self_upgrade: runs-on: ubuntu-latest permissions: contents: write pull-requests: write + + env: + SOURCE_BRANCH: "${{ github.ref_name }}" + SELF_UPGRADE_BRANCH: "self-upgrade-${{ github.ref_name }}" steps: - - name: Fail if branch is not main - if: github.ref != 'refs/heads/main' + - name: Fail if branch is not head of branch. + if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }} run: | - echo "This workflow should not be run on a branch other than main." + echo "This workflow should not be run on a non-branch-head." exit 1 - uses: actions/checkout@v4 @@ -34,7 +38,7 @@ jobs: go-version: ${{ steps.go-version.outputs.result }} - run: | - git checkout -B "self-upgrade" + git checkout -B "$SELF_UPGRADE_BRANCH" - run: | make -j upgrade-klone 
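Review bot: The new guard step in the `@@ -9,18 +9,22 @@` hunk of .github/workflows/make-self-upgrade.yaml joins its three tests with `&&`, so it fires only when the ref is not a branch and both names are non-empty. An empty `SOURCE_BRANCH` would skip the guard rather than trip it, and `SELF_UPGRADE_BRANCH` always carries the `self-upgrade-` prefix, so its test can never be false. If the intent is to stop before the later `git push -f` whenever the ref is not a branch head or the branch name is missing, the condition would read `if: ${{ !startsWith(github.ref, 'refs/heads/') || env.SOURCE_BRANCH == '' }}`. The same hunk appears in make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml; both copies are generated, so the fix belongs in the upstream makefile-modules repository.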
@@ -54,10 +58,10 @@ jobs: - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} run: | - git config --global user.name "jetstack-bot" - git config --global user.email "jetstack-bot@users.noreply.github.com" + git config --global user.name "cert-manager-bot" + git config --global user.email "cert-manager-bot@users.noreply.github.com" git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff - git push -f origin self-upgrade + git push -f origin "$SELF_UPGRADE_BRANCH" - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} uses: actions/github-script@v7 @@ -67,18 +71,18 @@ jobs: const pulls = await github.rest.pulls.list({ owner: owner, repo: repo, - head: owner + ':self-upgrade', - base: 'main', + head: owner + ':' + process.env.SELF_UPGRADE_BRANCH, + base: process.env.SOURCE_BRANCH, state: 'open', }); if (pulls.data.length < 1) { await github.rest.pulls.create({ - title: '[CI] Merge self-upgrade into main', + title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH, owner: owner, repo: repo, - head: 'self-upgrade', - base: 'main', + head: process.env.SELF_UPGRADE_BRANCH, + base: process.env.SOURCE_BRANCH, body: [ 'This PR is auto-generated to bump the Makefile modules.', ].join('\n'), diff --git a/klone.yaml b/klone.yaml index 7f1ed41a67c..56c814d2e42 100644 --- a/klone.yaml +++ b/klone.yaml 
@@ -10,30 +10,30 @@ targets: - folder_name: boilerplate repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a + repo_hash: e9363accaaee20a995bbf8f1c9cba2ea77da8935 repo_path: modules/boilerplate - folder_name: generate-verify repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a + repo_hash: e9363accaaee20a995bbf8f1c9cba2ea77da8935 repo_path: modules/generate-verify - folder_name: help repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a + repo_hash: e9363accaaee20a995bbf8f1c9cba2ea77da8935 repo_path: modules/help - folder_name: klone repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a + repo_hash: e9363accaaee20a995bbf8f1c9cba2ea77da8935 repo_path: modules/klone - folder_name: repository-base repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a + repo_hash: e9363accaaee20a995bbf8f1c9cba2ea77da8935 repo_path: modules/repository-base - folder_name: tools repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: caaef09569dec46733ee1c1e9c79198872f6ff9a + repo_hash: e9363accaaee20a995bbf8f1c9cba2ea77da8935 repo_path: modules/tools diff --git a/make/_shared/repository-base/01_mod.mk b/make/_shared/repository-base/01_mod.mk index 251ac88e56c..aa6b7ee2e34 100644 --- a/make/_shared/repository-base/01_mod.mk +++ b/make/_shared/repository-base/01_mod.mk 
@@ -13,11 +13,21 @@ # limitations under the License. base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/ +base_dependabot_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base-dependabot/ +ifdef repository_base_no_dependabot .PHONY: generate-base ## Generate base files in the repository ## @category [shared] Generate/ Verify generate-base: cp -r $(base_dir)/. ./ +else +.PHONY: generate-base +## Generate base files in the repository +## @category [shared] Generate/ Verify +generate-base: + cp -r $(base_dir)/. ./ + cp -r $(base_dependabot_dir)/. ./ +endif shared_generate_targets += generate-base diff --git a/make/_shared/repository-base/base/.github/dependabot.yaml b/make/_shared/repository-base/base-dependabot/.github/dependabot.yaml similarity index 78% rename from make/_shared/repository-base/base/.github/dependabot.yaml rename to make/_shared/repository-base/base-dependabot/.github/dependabot.yaml index 35367ea5cee..81b92973404 100644 --- a/make/_shared/repository-base/base/.github/dependabot.yaml +++ b/make/_shared/repository-base/base-dependabot/.github/dependabot.yaml @@ -1,20 +1,20 @@ # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. # Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead. -# Update Go dependencies and GitHub Actions dependencies weekly. +# Update Go dependencies and GitHub Actions dependencies daily. version: 2 updates: - package-ecosystem: gomod directory: / schedule: - interval: weekly + interval: daily groups: all: patterns: ["*"] - package-ecosystem: github-actions directory: / schedule: - interval: weekly + interval: daily groups: all: patterns: ["*"] diff --git a/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml b/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml index ccebdb244eb..93beedff044 100644 --- a/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml 
+++ b/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml @@ -9,18 +9,22 @@ on: - cron: '0 0 * * *' jobs: - build_images: + self_upgrade: runs-on: ubuntu-latest permissions: contents: write pull-requests: write + + env: + SOURCE_BRANCH: "${{ github.ref_name }}" + SELF_UPGRADE_BRANCH: "self-upgrade-${{ github.ref_name }}" steps: - - name: Fail if branch is not main - if: github.ref != 'refs/heads/main' + - name: Fail if branch is not head of branch. + if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }} run: | - echo "This workflow should not be run on a branch other than main." + echo "This workflow should not be run on a non-branch-head." exit 1 - uses: actions/checkout@v4 @@ -34,7 +38,7 @@ jobs: go-version: ${{ steps.go-version.outputs.result }} - run: | - git checkout -B "self-upgrade" + git checkout -B "$SELF_UPGRADE_BRANCH" - run: | make -j upgrade-klone @@ -54,10 +58,10 @@ jobs: - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} run: | - git config --global user.name "jetstack-bot" - git config --global user.email "jetstack-bot@users.noreply.github.com" + git config --global user.name "cert-manager-bot" + git config --global user.email "cert-manager-bot@users.noreply.github.com" git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff - git push -f origin self-upgrade + git push -f origin "$SELF_UPGRADE_BRANCH" - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} uses: actions/github-script@v7 
@@ -67,18 +71,18 @@ jobs: const pulls = await github.rest.pulls.list({ owner: owner, repo: repo, - head: owner + ':self-upgrade', - base: 'main', + head: owner + ':' + process.env.SELF_UPGRADE_BRANCH, + base: process.env.SOURCE_BRANCH, state: 'open', }); if (pulls.data.length < 1) { await github.rest.pulls.create({ - title: '[CI] Merge self-upgrade into main', + title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH, owner: owner, repo: repo, - head: 'self-upgrade', - base: 'main', + head: process.env.SELF_UPGRADE_BRANCH, + base: process.env.SOURCE_BRANCH, body: [ 'This PR is auto-generated to bump the Makefile modules.', ].join('\n'), diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk index e4c2a5a7277..3977bfae897 100644 --- a/make/_shared/tools/00_mod.mk +++ b/make/_shared/tools/00_mod.mk @@ -51,7 +51,7 @@ TOOLS += azwi=v1.2.0 # https://github.com/kyverno/kyverno/releases TOOLS += kyverno=v1.11.3 # https://github.com/mikefarah/yq/releases -TOOLS += yq=v4.40.5 +TOOLS += yq=v4.43.1 # https://github.com/ko-build/ko/releases TOOLS += ko=0.15.1 # https://github.com/protocolbuffers/protobuf/releases @@ -109,9 +109,15 @@ TOOLS += cmctl=2f75014a7c360c319f8c7c8afe8e9ce33fe26dca # https://pkg.go.dev/github.com/cert-manager/release/cmd/cmrel?tab=versions TOOLS += cmrel=fa10147dadc8c36718b7b08aed6d8c6418eb2 # https://github.com/golangci/golangci-lint/releases -TOOLS += golangci-lint=v1.55.2 +TOOLS += golangci-lint=v1.57.1 # https://pkg.go.dev/golang.org/x/vuln?tab=versions TOOLS += govulncheck=v1.0.4 +# https://pkg.go.dev/github.com/operator-framework/operator-sdk/cmd/operator-sdk?tab=versions +TOOLS += operator-sdk=v1.34.1 +# https://pkg.go.dev/github.com/cli/cli/v2?tab=versions +TOOLS += gh=v2.47.0 +# https:///github.com/redhat-openshift-ecosystem/openshift-preflight/releases +TOOLS += preflight=1.9.1 # https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions K8S_CODEGEN_VERSION=v0.29.1 
@@ -134,7 +140,7 @@ ADDITIONAL_TOOLS ?= TOOLS += $(ADDITIONAL_TOOLS) # https://go.dev/dl/ -VENDORED_GO_VERSION := 1.21.8 +VENDORED_GO_VERSION := 1.21.9 # Print the go version which can be used in GH actions .PHONY: print-go-version @@ -311,6 +317,9 @@ GO_DEPENDENCIES += cmctl=github.com/cert-manager/cmctl/v2 GO_DEPENDENCIES += cmrel=github.com/cert-manager/release/cmd/cmrel GO_DEPENDENCIES += golangci-lint=github.com/golangci/golangci-lint/cmd/golangci-lint GO_DEPENDENCIES += govulncheck=golang.org/x/vuln/cmd/govulncheck +GO_DEPENDENCIES += operator-sdk=github.com/operator-framework/operator-sdk/cmd/operator-sdk +GO_DEPENDENCIES += gh=github.com/cli/cli/v2/cmd/gh +GO_DEPENDENCIES += preflight=github.com/redhat-openshift-ecosystem/openshift-preflight/cmd/preflight ################# # go build tags # @@ -458,10 +467,10 @@ $(bin_dir)/downloaded/tools/kyverno@$(KYVERNO_VERSION)_%: | $(bin_dir)/downloade # yq # ###### -YQ_linux_amd64_SHA256SUM=0d6aaf1cf44a8d18fbc7ed0ef14f735a8df8d2e314c4cc0f0242d35c0a440c95 -YQ_linux_arm64_SHA256SUM=9431f0fa39a0af03a152d7fe19a86e42e9ff28d503ed4a70598f9261ec944a97 -YQ_darwin_amd64_SHA256SUM=7f88b959c3fd2755e77dbf5bd92780dc3626c1c00ac45d5b5134f04189a142dc -YQ_darwin_arm64_SHA256SUM=1ef0022ed6d0769d19e2d391dd731162034b0e0ba2c9b53dda039d16cec1c26a +YQ_linux_amd64_SHA256SUM=cfbbb9ba72c9402ef4ab9d8f843439693dfb380927921740e51706d90869c7e1 +YQ_linux_arm64_SHA256SUM=a8186efb079673293289f8c31ee252b0d533c7bb8b1ada6a778ddd5ec0f325b6 +YQ_darwin_amd64_SHA256SUM=fdc42b132ac460037f4f0f48caea82138772c651d91cfbb735210075ddfdbaed +YQ_darwin_arm64_SHA256SUM=9f1063d910698834cb9176593aa288471898031929138d226c2c2de9f262f8e5 $(bin_dir)/downloaded/tools/yq@$(YQ_VERSION)_%: | $(bin_dir)/downloaded/tools $(CURL) https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$* -o $@