feat: move to gmpctl; adding shmft

Signed-off-by: bwplotka <[email protected]>

Author: bwplotka

.bingo/Variables.mk

@@ -47,3 +47,9 @@ $(MDOX): $(BINGO_DIR)/mdox.mod
 	@echo "(re)installing $(GOBIN)/mdox-v0.9.0"
 	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=mdox.mod -o=$(GOBIN)/mdox-v0.9.0 "github.com/bwplotka/mdox"
 
+SHFMT := $(GOBIN)/shfmt-v3.12.0
+$(SHFMT): $(BINGO_DIR)/shfmt.mod
+	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
+	@echo "(re)installing $(GOBIN)/shfmt-v3.12.0"
+	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=shfmt.mod -o=$(GOBIN)/shfmt-v3.12.0 "mvdan.cc/sh/v3/cmd/shfmt"
+

.bingo/shfmt.mod

@@ -0,0 +1,5 @@
+module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
+
+go 1.25.0
+
+require mvdan.cc/sh/v3 v3.12.0 // cmd/shfmt

.bingo/shfmt.sum

@@ -0,0 +1,12 @@
+github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
+github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+mvdan.cc/editorconfig v0.3.0 h1:D1D2wLYEYGpawWT5SpM5pRivgEgXjtEXwC9MWhEY0gQ=
+mvdan.cc/editorconfig v0.3.0/go.mod h1:NcJHuDtNOTEJ6251indKiWuzK6+VcrMuLzGMLKBFupQ=
+mvdan.cc/sh/v3 v3.12.0 h1:ejKUR7ONP5bb+UGHGEG/k9V5+pRVIyD+LsZz7o8KHrI=
+mvdan.cc/sh/v3 v3.12.0/go.mod h1:Se6Cj17eYSn+sNooLZiEUnNNmNxg0imoYlTu4CyaGyg=

.bingo/variables.env

@@ -16,3 +16,5 @@ HELM="${GOBIN}/helm-v3.14.0"
 
 MDOX="${GOBIN}/mdox-v0.9.0"
 
+SHFMT="${GOBIN}/shfmt-v3.12.0"
+

.github/workflows/release-bot.yml

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+if [[ -n "${DEBUG_MODE:-}" ]]; then
+	set -o xtrace
+fi
+
+SCRIPT_DIR="$(
+	cd -- "$(dirname "$0")" >/dev/null 2>&1
+	pwd -P
+)"
+
+pushd "${SCRIPT_DIR}/gmpctl" >/dev/null
+# NOTE gmpctl expects the whole gmpctl directory to be present.
+# We could consider embedding bash scripts, config into binary, but it's good
+# for now.
+go run ./ "$@"
+popd >/dev/null

hack/gmpctl.sh

@@ -0,0 +1 @@
+data

hack/gmpctl/.gitignore

@@ -0,0 +1,15 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dir: "./data"

hack/gmpctl/.gmpctl.default.yaml

@@ -0,0 +1,107 @@
+# gmpctl
+
+`gmpctl` is an interactive CLI for common operations on GMP projects.
+
+It's a starting point for smaller or bigger automation on OSS side (e.g. releasing, syncing or even debugging).
+
+> NOTE: This script is far from perfect, but it's better than doing things manually. Feel free to contribute,
+> fix bugs and add more automation for common tasks!
+
+## Setup
+
+1. To start using `gmpctl` you need to have a clone of `prometheus-engine` on your machine (you probably have already one!
+   to fetch the latest `main` for the best experience (latest scripts).
+
+2. The next this is to obtain NVD API key to avoid rate-limits when querying CVE DB. See https://nvd.nist.gov/developers/request-an-api-key and save this key to `hack/vulnupdatelist/api.text`
+
+3. You can configure different work directory for gmpctl via `-c` flag. By default, `gmpctl` does the work in `hack/gmpctl/.data`)
+
+Enjoy!
+
+## Usage
+
+Generally `gmpctl` does not need flags for general usage. It interactively asks you for
+key information and confirmations e.g.
+
+```bash
+./hack/gmpctl.sh release                         
+┃ What do you want to release? 
+ ┃ > release/0.17
+ ┃   release/0.15
+ ┃   release/0.14
+ ┃   release/0.12
+ ┃   release-2.45.3-gmp
+ ┃   release-2.53.5-gmp
+↑ up • ↓ down • / filter • enter submit
+```
+
+`gmpctl` maintains 1 git clone for each project and uses `git worktree` for each command and branch.
+
+`gmpctl` commands are aimed to be **idempotent**, meaning you should be able to run it multiple times with the
+same parameters, and it will continue the previous work or at least yield same results. This is crucial when iterating
+on breaking go mod updates for vulnerabilities or fork sync conflicts.
+
+```text mdox-exec="bash hack/gmpctl.sh --help"
+Usage: gmpctl [COMMAND] [FLAGS]
+  -c string
+    	Path to the configuration file. See config.go#Config for the structure. (default ".gmpctl.default.yaml")
+  -v	Enabled verbose, debug output (e.g. logging os.Exec commands)
+
+--- Commands ---
+[release] Usage of release:
+  -b string
+    	Release branch to work on; Project is auto-detected from this
+  -patch
+    	If true, and --tag is empty, forces a new patch version as a new TAG.
+  -t string
+    	Tag to release. If empty, next TAG version will be auto-detected (double check this!)
+
+[vulnfix] Usage of vulnfix:
+  -b string
+    	Release branch to work on; Project is auto-detected from this
+  -pr-branch string
+    	(default: $USER/BRANCH-vulnfix) Upstream branch to push to (user-confirmed first).
+  -sync-dockerfiles-from
+    	Optional branch name to sync Dockerfiles from. Useful when things changed.
+```
+
+## `gmpctl` development
+
+Some rules to follow:
+
+* Downstream functions should literally use `panicf` for error handling. This improves readability and enormously help
+  with debugging errors. The obvious exception is when code needs to handle this error. Then swap panic with a proper `err error` pattern.
+* Offer choice, be interactive! See `dialog.go` and https://github.com/charmbracelet/huh on what's possible.
+
+## Bash development
+
+While the `gmpctl` is written in Go, you might notice some functionalities are in Bash.
+
+Bash is funky, but sometimes more readable than Go/easier to iterate.
+Eventually, we could rewrite more critical pieces to Go, but you're welcome to add some quick
+pieces in bash to automate some stuff.
+
+It's trivial to call bash function from `gmpctl` e.g.:
+
+```go
+if err := runLibFunction(dir, opts, "release-lib:vulnfix"); err != nil {
+	return err
+} 
+```
+
+Some rules to follow:
+* CI checks bash formatting via https://github.com/mvdan/sh?tab=readme-ov-file#shfmt. You can install this on your IDE for formatting.
+* Write only libraries (functions). The starting point for scripts should be always Go gmpctl CLI.
+* Function names have `release-lib::` prefix to figure out where they come from.
+* Function check their required arguments/envvars; always.
+* Especially for functions that return strings via stdout:
+  * Ensure all error messages are redirected to stderr, use log_err func for this.
+  * Be careful with pushd/popd which log to stdout, you can redirect those to stderr too.
+
+## TODO
+
+* Ability to configure NVD API key in gmpctl config.
+* Port fork-sync script from the old PR.
+* Generate some on-demand query of vulnerabilities for all releases (aka dashboard.)
+* Fix NPM vulns (although it's rate).
+* Ability to schedule multiple scripts at once and managing that? (lot's of work vs multiple terminals)