Merge pull request #107 from cert-manager/self-upgrade-main

cert-manager-prow[bot] · web-flow · commit 34940cc2b651 · 2025-09-04T18:37:15.000Z
[CI] Self-upgrade merging self-upgrade-main into main
diff --git a/.github/chainguard/make-self-upgrade.sts.yaml b/.github/chainguard/make-self-upgrade.sts.yaml
@@ -0,0 +1,10 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:cert-manager/csi-lib:ref:refs/heads/(main|master)$
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write
diff --git a/.github/chainguard/renovate.sts.yaml b/.github/chainguard/renovate.sts.yaml
@@ -0,0 +1,14 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/renovate.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:cert-manager/csi-lib:ref:refs/heads/(main|master)$
+
+permissions:
+  administration: read
+  contents: write
+  issues: write
+  pull_requests: write
+  security_events: read
+  statuses: write
+  workflows: write
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -5,8 +5,13 @@
   $schema: 'https://docs.renovatebot.com/renovate-schema.json',
   enabled: true,
   gitAuthor: 'Renovate Bot <renovate-bot@users.noreply.github.com>',
+  gitIgnoredAuthors: [
+    'Renovate Bot <renovate-bot@users.noreply.github.com>',
+    'cert-manager-bot <cert-manager-bot@users.noreply.github.com>',
+  ],
   recreateWhen: 'always', // TODO: Remove; temporary fix to force Renovate to ignore "foreign" commits
   enabledManagers: [
+    'github-actions',
     'gomod',
   ],
   extends: [
@@ -24,14 +29,25 @@
     'ok-to-test',
     'release-note-none',
   ],
-  postUpgradeTasks: {
-    commands: [
-      'make generate',
-    ],
-    executionMode: 'branch',
-  },
   // packageRules uses globs for matchPackageNames. Some packages have a separate major version i.e. /v on them which is when we would need package**/**.
   packageRules: [
+    {
+      groupName: 'Misc GitHub actions',
+      matchManagers: [
+        'github-actions',
+      ],
+    },
+    {
+      matchManagers: [
+        'gomod',
+      ],
+      postUpgradeTasks: {
+        commands: [
+          'make vendor-go generate',
+        ],
+        executionMode: 'branch',
+      }
+    },
     {
       groupName: 'Misc Go deps',
       matchManagers: [
@@ -141,5 +157,10 @@
   ],
   ignorePaths: [
     '**/vendor/**',
+    // Exclude files that are mastered from makefile-modules and shouldn't be upgraded in projects using makefile-modules.
+    'make/_shared/**',
+    '.github/workflows/govulncheck.yaml',
+    '.github/workflows/make-self-upgrade.yaml',
+    '.github/workflows/renovate.yaml',
   ],
 }
diff --git a/.github/workflows/make-self-upgrade.yaml b/.github/workflows/make-self-upgrade.yaml
@@ -18,8 +18,7 @@ jobs:
     if: github.repository == 'cert-manager/csi-lib'
 
     permissions:
-      contents: write
-      pull-requests: write
+      id-token: write
     
     env:
       SOURCE_BRANCH: "${{ github.ref_name }}"
@@ -32,11 +31,20 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # main
+        id: octo-sts
+        with:
+          scope: 'cert-manager/csi-lib'
+          identity: make-self-upgrade
+
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
-        with: { fetch-depth: 0 }
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
 
       - id: go-version
         run: |
@@ -75,6 +83,7 @@ jobs:
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
           script: |
             const { repo, owner } = context.repo;
             const pulls = await github.rest.pulls.list({
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
@@ -17,10 +17,7 @@ jobs:
     if: github.repository == 'cert-manager/csi-lib'
 
     permissions:
-      contents: write
-      issues: write
-      statuses: write
-      pull-requests: write
+      id-token: write
 
     steps:
       - name: Fail if branch is not head of branch.
@@ -29,11 +26,20 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # main
+        id: octo-sts
+        with:
+          scope: 'cert-manager/csi-lib'
+          identity: renovate
+
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
-        with: { fetch-depth: 0 }
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
 
       - id: go-version
         run: |
@@ -47,7 +53,7 @@ jobs:
         uses: renovatebot/github-action@a447f09147d00e00ae2a82ad5ef51ca89352da80 # v43.0.9
         with:
           configurationFile: .github/renovate.json5
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.octo-sts.outputs.token }}
         env:
           RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
           RENOVATE_ONBOARDING: "false"
diff --git a/klone.yaml b/klone.yaml
@@ -9,55 +9,55 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/cert-manager
     - folder_name: controller-gen
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/controller-gen
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/go
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/oci-build
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 63afb5c9df5725b127e132082e1c35997bd8e516
+      repo_hash: 217b9616a01c901044098e5ae0c285ae3b1223ac
       repo_path: modules/tools
diff --git a/make/_shared/repository-base/01_mod.mk b/make/_shared/repository-base/01_mod.mk
@@ -34,6 +34,8 @@ else
 ## Generate base files in the repository
 ## @category [shared] Generate/ Verify
 generate-base:
+	# TODO(erikgb): Remove; just a temporary command to clean out Dependabot files
+	rm -f ./.github/dependabot.yaml
 	cp -r $(repository_base_dir)/. ./
 	cd $(repository_base_dir) && \
 		find . -type f | while read file; do \
diff --git a/make/_shared/repository-base/base-dependabot/.github/dependabot.yaml b/make/_shared/repository-base/base-dependabot/.github/dependabot.yaml
diff --git a/make/_shared/repository-base/base-dependabot/.github/renovate.json5 b/make/_shared/repository-base/base-dependabot/.github/renovate.json5
@@ -5,8 +5,13 @@
   $schema: 'https://docs.renovatebot.com/renovate-schema.json',
   enabled: true,
   gitAuthor: 'Renovate Bot <renovate-bot@users.noreply.github.com>',
+  gitIgnoredAuthors: [
+    'Renovate Bot <renovate-bot@users.noreply.github.com>',
+    'cert-manager-bot <cert-manager-bot@users.noreply.github.com>',
+  ],
   recreateWhen: 'always', // TODO: Remove; temporary fix to force Renovate to ignore "foreign" commits
   enabledManagers: [
+    'github-actions',
     'gomod',
   ],
   extends: [
@@ -24,14 +29,25 @@
     'ok-to-test',
     'release-note-none',
   ],
-  postUpgradeTasks: {
-    commands: [
-      'make generate',
-    ],
-    executionMode: 'branch',
-  },
   // packageRules uses globs for matchPackageNames. Some packages have a separate major version i.e. /v on them which is when we would need package**/**.
   packageRules: [
+    {
+      groupName: 'Misc GitHub actions',
+      matchManagers: [
+        'github-actions',
+      ],
+    },
+    {
+      matchManagers: [
+        'gomod',
+      ],
+      postUpgradeTasks: {
+        commands: [
+          'make vendor-go generate',
+        ],
+        executionMode: 'branch',
+      }
+    },
     {
       groupName: 'Misc Go deps',
       matchManagers: [
@@ -141,5 +157,10 @@
   ],
   ignorePaths: [
     '**/vendor/**',
+    // Exclude files that are mastered from makefile-modules and shouldn't be upgraded in projects using makefile-modules.
+    'make/_shared/**',
+    '.github/workflows/govulncheck.yaml',
+    '.github/workflows/make-self-upgrade.yaml',
+    '.github/workflows/renovate.yaml',
   ],
 }
diff --git a/make/_shared/repository-base/base-dependabot/.github/workflows/renovate.yaml b/make/_shared/repository-base/base-dependabot/.github/workflows/renovate.yaml
@@ -17,10 +17,7 @@ jobs:
     if: github.repository == '{{REPLACE:GH-REPOSITORY}}'
 
     permissions:
-      contents: write
-      issues: write
-      statuses: write
-      pull-requests: write
+      id-token: write
 
     steps:
       - name: Fail if branch is not head of branch.
@@ -29,11 +26,20 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # main
+        id: octo-sts
+        with:
+          scope: '{{REPLACE:GH-REPOSITORY}}'
+          identity: renovate
+
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
-        with: { fetch-depth: 0 }
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
 
       - id: go-version
         run: |
@@ -47,7 +53,7 @@ jobs:
         uses: renovatebot/github-action@a447f09147d00e00ae2a82ad5ef51ca89352da80 # v43.0.9
         with:
           configurationFile: .github/renovate.json5
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.octo-sts.outputs.token }}
         env:
           RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
           RENOVATE_ONBOARDING: "false"
diff --git a/make/_shared/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml b/make/_shared/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml
@@ -0,0 +1,10 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:{{REPLACE:GH-REPOSITORY}}:ref:refs/heads/(main|master)$
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write
diff --git a/make/_shared/repository-base/base/.github/chainguard/renovate.sts.yaml b/make/_shared/repository-base/base/.github/chainguard/renovate.sts.yaml
diff --git a/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml b/make/_shared/repository-base/base/.github/workflows/make-self-upgrade.yaml
diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk
