BOT: run 'make upgrade-klone' and 'make generate'

Signed-off-by: cert-manager-bot <[email protected]>

Author: cert-manager-bot

.github/workflows/govulncheck.yaml

@@ -17,6 +17,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
+    if: github.repository_owner == 'cert-manager'
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need

.golangci.yaml

@@ -1,11 +1,20 @@
+version: "2"
 linters:
-  # Explicitly define all enabled linters
-  disable-all: true
+  default: none
+  exclusions:
+    generated: lax
+    presets: [comments, common-false-positives, legacy, std-error-handling]
+    paths: [third_party$, builtin$, examples$]
+    warn-unused: true
+  settings:
+    staticcheck:
+      checks: ["all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008"]
   enable:
     - asasalint
     - asciicheck
     - bidichk
     - bodyclose
+    - canonicalheader
     - contextcheck
     - copyloopvar
     - decorder
@@ -16,23 +25,22 @@ linters:
     - errchkjson
     - errname
     - exhaustive
+    - exptostd
     - forbidigo
-    - gci
     - ginkgolinter
     - gocheckcompilerdirectives
     - gochecksumtype
     - gocritic
-    - gofmt
     - goheader
     - goprintffuncname
     - gosec
-    - gosimple
     - gosmopolitan
     - govet
     - grouper
     - importas
     - ineffassign
     - interfacebloat
+    - intrange
     - loggercheck
     - makezero
     - mirror
@@ -50,19 +58,23 @@ linters:
     - sloglint
     - staticcheck
     - tagalign
-    - tenv
     - testableexamples
-    - typecheck
     - unconvert
     - unparam
     - unused
     - usestdlibvars
+    - usetesting
     - wastedassign
-linters-settings:
-  gci:
-    sections:
-      - standard # Standard section: captures all standard packages.
-      - default # Default section: contains all imports that could not be matched to another section type.
-      - prefix(github.com/cert-manager/image-tool) # Custom section: groups all imports with the specified Prefix.
-      - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
-      - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+formatters:
+  enable: [gci, gofmt]
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix(github.com/cert-manager/image-tool) # Custom section: groups all imports with the specified Prefix.
+        - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+        - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+  exclusions:
+    generated: lax
+    paths: [third_party$, builtin$, examples$]

klone.yaml

@@ -10,45 +10,45 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/cert-manager
     - folder_name: executable
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/executable
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/go
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/help
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/klone
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/tools

make/_shared/generate-verify/util/verify.sh

@@ -53,7 +53,7 @@ trap "cleanup" EXIT SIGINT
 # 2. rsync on macOS 15.4 and newer is actually openrsync, which has different permissions and throws errors when copying git objects
 #
 # So, we use find to list all files except _bin, and then copy each in turn
-find . -maxdepth 1 -not \( -path "./_bin" -prune \) | xargs -I% cp -af "${projectdir}/%" "${tmp}/"
+find . -maxdepth 1 -not \( -path "./_bin" \) -not \( -path "." \) | xargs -I% cp -af "${projectdir}/%" "${tmp}/"
 
 pushd "${tmp}" >/dev/null
 

make/_shared/go/.golangci.override.yaml

@@ -1,11 +1,20 @@
+version: "2"
 linters:
-  # Explicitly define all enabled linters
-  disable-all: true
+  default: none
+  exclusions:
+    generated: lax
+    presets: [ comments, common-false-positives, legacy, std-error-handling ]
+    paths: [ third_party$, builtin$, examples$ ]
+    warn-unused: true
+  settings:
+    staticcheck:
+      checks: [ "all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008" ]
   enable:
     - asasalint
     - asciicheck
     - bidichk
     - bodyclose
+    - canonicalheader
     - contextcheck
     - copyloopvar
     - decorder
@@ -16,23 +25,22 @@ linters:
     - errchkjson
     - errname
     - exhaustive
+    - exptostd
     - forbidigo
-    - gci
     - ginkgolinter
     - gocheckcompilerdirectives
     - gochecksumtype
     - gocritic
-    - gofmt
     - goheader
     - goprintffuncname
     - gosec
-    - gosimple
     - gosmopolitan
     - govet
     - grouper
     - importas
     - ineffassign
     - interfacebloat
+    - intrange
     - loggercheck
     - makezero
     - mirror
@@ -50,19 +58,23 @@ linters:
     - sloglint
     - staticcheck
     - tagalign
-    - tenv
     - testableexamples
-    - typecheck
     - unconvert
     - unparam
     - unused
     - usestdlibvars
+    - usetesting
     - wastedassign
-linters-settings:
-  gci:
-    sections:
-      - standard # Standard section: captures all standard packages.
-      - default # Default section: contains all imports that could not be matched to another section type.
-      - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix.
-      - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
-      - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+formatters:
+  enable: [ gci, gofmt ]
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix.
+        - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+        - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+  exclusions:
+    generated: lax
+    paths: [ third_party$, builtin$, examples$ ]

make/_shared/go/01_mod.mk

@@ -101,7 +101,12 @@ ifdef golangci_lint_config
 .PHONY: generate-golangci-lint-config
 ## Generate a golangci-lint configuration file
 ## @category [shared] Generate/ Verify
-generate-golangci-lint-config: | $(NEEDS_YQ) $(bin_dir)/scratch
+generate-golangci-lint-config: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch
+	if [ "$$($(YQ) eval 'has("version") | not' $(golangci_lint_config))" == "true" ]; then \
+		$(GOLANGCI-LINT) migrate -c $(golangci_lint_config); \
+		rm $(basename $(golangci_lint_config)).bck$(suffix $(golangci_lint_config)); \
+	fi
+
 	cp $(golangci_lint_config) $(bin_dir)/scratch/golangci-lint.yaml.tmp
 	$(YQ) -i 'del(.linters.enable)' $(bin_dir)/scratch/golangci-lint.yaml.tmp
 	$(YQ) eval-all -i '. as $$item ireduce ({}; . * $$item)' $(bin_dir)/scratch/golangci-lint.yaml.tmp $(golangci_lint_override)
@@ -119,9 +124,9 @@ verify-golangci-lint: | $(NEEDS_GO) $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir
 	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
 				target=$$(dirname $${d}); \
-				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout)' in directory '$${target}'"; \
+				echo "Running 'GOVERSION=$(VENDORED_GO_VERSION) $(bin_dir)/tools/golangci-lint run -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout)' in directory '$${target}'"; \
 				pushd "$${target}" >/dev/null; \
-				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout) || exit; \
+				GOVERSION=$(VENDORED_GO_VERSION) $(GOLANGCI-LINT) run -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout) || exit; \
 				popd >/dev/null; \
 				echo ""; \
 			done
@@ -132,21 +137,12 @@ shared_verify_targets_dirty += verify-golangci-lint
 ## Fix all Go modules using golangci-lint
 ## @category [shared] Generate/ Verify
 fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(NEEDS_GCI) $(bin_dir)/scratch
-	$(GCI) write \
-		--skip-generated \
-		--skip-vendor \
-		-s "standard" \
-		-s "default" \
-		-s "prefix($(repo_name))" \
-		-s "blank" \
-		-s "dot" .
-
 	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
 				target=$$(dirname $${d}); \
-				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix' in directory '$${target}'"; \
+				echo "Running 'GOVERSION=$(VENDORED_GO_VERSION) $(bin_dir)/tools/golangci-lint fmt -c $(CURDIR)/$(golangci_lint_config)' in directory '$${target}'"; \
 				pushd "$${target}" >/dev/null; \
-				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix || exit; \
+				GOVERSION=$(VENDORED_GO_VERSION) $(GOLANGCI-LINT) fmt -c $(CURDIR)/$(golangci_lint_config) || exit; \
 				popd >/dev/null; \
 				echo ""; \
 			done

make/_shared/go/base/.github/workflows/govulncheck.yaml

@@ -17,6 +17,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
+    if: github.repository_owner == 'cert-manager'
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need

make/_shared/tools/00_mod.mk

@@ -18,8 +18,17 @@ endif
 
 ##########################################
 
-export DOWNLOAD_DIR ?= $(CURDIR)/$(bin_dir)/downloaded
-export GOVENDOR_DIR ?= $(CURDIR)/$(bin_dir)/go_vendor
+default_shared_dir := $(CURDIR)/$(bin_dir)
+# If $(HOME) is set and $(CI) is not, use the $(HOME)/.cache
+# folder to store downloaded binaries.
+ifneq ($(shell printenv HOME),)
+ifeq ($(shell printenv CI),)
+default_shared_dir := $(HOME)/.cache/makefile-modules
+endif
+endif
+
+export DOWNLOAD_DIR ?= $(default_shared_dir)/downloaded
+export GOVENDOR_DIR ?= $(default_shared_dir)/go_vendor
 
 $(bin_dir)/tools $(DOWNLOAD_DIR)/tools:
 	@mkdir -p $@
@@ -118,12 +127,14 @@ tools += goreleaser=v1.26.2
 tools += syft=v1.22.0
 # https://github.com/cert-manager/helm-tool/releases
 tools += helm-tool=v0.5.3
+# https://github.com/cert-manager/image-tool/releases
+tools += image-tool=v0.0.2
 # https://github.com/cert-manager/cmctl/releases
 tools += cmctl=v2.1.1
 # https://pkg.go.dev/github.com/cert-manager/release/cmd/cmrel?tab=versions
 tools += cmrel=e3cbe5171488deda000145003e22567bdce622ea
-# https://pkg.go.dev/github.com/golangci/golangci-lint/cmd/golangci-lint?tab=versions
-tools += golangci-lint=v1.64.8
+# https://pkg.go.dev/github.com/golangci/golangci-lint/v2/cmd/golangci-lint?tab=versions
+tools += golangci-lint=v2.1.2
 # https://pkg.go.dev/golang.org/x/vuln?tab=versions
 tools += govulncheck=v1.1.4
 # https://pkg.go.dev/github.com/operator-framework/operator-sdk/cmd/operator-sdk?tab=versions
@@ -136,6 +147,8 @@ tools += preflight=1.12.1
 tools += gci=v0.13.6
 # https://github.com/google/yamlfmt/releases
 tools += yamlfmt=v0.16.0
+# https://github.com/yannh/kubeconform/releases
+tools += kubeconform=v0.6.7
 
 # https://pkg.go.dev/k8s.io/code-generator/cmd?tab=versions
 K8S_CODEGEN_VERSION := v0.32.3
@@ -334,14 +347,16 @@ go_dependencies += defaulter-gen=k8s.io/code-generator/cmd/defaulter-gen
 go_dependencies += conversion-gen=k8s.io/code-generator/cmd/conversion-gen
 go_dependencies += openapi-gen=k8s.io/kube-openapi/cmd/openapi-gen
 go_dependencies += helm-tool=github.com/cert-manager/helm-tool
+go_dependencies += image-tool=github.com/cert-manager/image-tool
 go_dependencies += cmctl=github.com/cert-manager/cmctl/v2
 go_dependencies += cmrel=github.com/cert-manager/release/cmd/cmrel
-go_dependencies += golangci-lint=github.com/golangci/golangci-lint/cmd/golangci-lint
+go_dependencies += golangci-lint=github.com/golangci/golangci-lint/v2/cmd/golangci-lint
 go_dependencies += govulncheck=golang.org/x/vuln/cmd/govulncheck
 go_dependencies += operator-sdk=github.com/operator-framework/operator-sdk/cmd/operator-sdk
 go_dependencies += gh=github.com/cli/cli/v2/cmd/gh
 go_dependencies += gci=github.com/daixiang0/gci
 go_dependencies += yamlfmt=github.com/google/yamlfmt/cmd/yamlfmt
+go_dependencies += kubeconform=github.com/yannh/kubeconform/cmd/kubeconform
 
 #################
 # go build tags #