Merge pull request #10 from ThatsMrTalbot/chore/upgrade-klone

chore: make upgrade-klone

Author: ThatsMrTalbot

.github/dependabot.yaml

@@ -1,20 +1,22 @@
 # THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
-# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/dependabot.yaml instead.
 
 # Update Go dependencies and GitHub Actions dependencies daily.
 version: 2
 updates:
-- package-ecosystem: gomod
-  directory: /
-  schedule:
-    interval: daily
-  groups:
-    all:
-      patterns: ["*"]
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: daily
+  exclude-paths: # Exclude files that are mastered from makefile-modules and shouldn't be upgraded in projects using makefile-modules.
+    - .github/workflows/govulncheck.yaml
+    - .github/workflows/make-self-upgrade.yaml
+    - .github/workflows/renovate.yaml
   groups:
-    all:
+    all-gh-actions:
       patterns: ["*"]
+  labels:
+    - dependencies
+    - kind/cleanup
+    - release-note-none
+    - ok-to-test

.github/renovate.json5

@@ -0,0 +1,120 @@
+// THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+// Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/renovate.json5 instead.
+
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  enabled: true,
+  gitAuthor: 'cert-manager-bot <[email protected]>',
+  enabledManagers: [
+    'gomod',
+  ],
+  extends: [
+    'config:best-practices',
+    ':gitSignOff',
+    ':semanticCommits',
+    ':disableVulnerabilityAlerts',
+    ':prConcurrentLimit10', // Set a limit to avoid too many PRs, at least on the first run
+    ':prHourlyLimitNone',
+  ],
+  timezone: 'Europe/London',
+  labels: [
+    'dependencies',
+    'kind/cleanup',
+    'ok-to-test',
+    'release-note-none',
+  ],
+  postUpgradeTasks: {
+    commands: [
+      'make generate',
+    ],
+    executionMode: 'branch',
+  },
+  packageRules: [
+    {
+      groupName: 'Misc Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        '*',
+      ],
+    },
+    {
+      groupName: 'Testing Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'github.com/onsi/ginkgo**/**',
+        'github.com/onsi/gomega**/**',
+        'github.com/stretchr/testify**/**',
+      ],
+    },
+    {
+      groupName: 'Cloud Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'github.com/akamai**/**',
+        'github.com/aws**/**',
+        'github.com/Azure**/**',
+        'github.com/AzureAD**/**',
+        'github.com/cloudflare**/**',
+        'github.com/digitalocean**/**',
+        'google.golang.org/api',
+      ],
+    },
+    {
+      groupName: 'Kubernetes Go deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'sigs.k8s.io**/**',
+        'k8s.io**/**',
+      ],
+    },
+    {
+      groupName: 'Kubernetes Go patches',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'k8s.io**/**',
+      ],
+      matchUpdateTypes: [
+        'patch',
+      ],
+      addLabels: [
+        'skip-review', // Adding label to allow PRs to automerge
+      ]
+    },
+    {
+      groupName: 'golang.org/x deps',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        'golang.org/x**/*',
+      ],
+      addLabels: [
+        'skip-review', // Adding label to allow PRs to automerge
+      ],
+    },
+    {
+      description: 'Disable Go pseudo-version updates',
+      matchManagers: [
+        'gomod',
+      ],
+      matchPackageNames: [
+        '*',
+      ],
+      matchCurrentValue: 'v0.0.0*',
+      enabled: false,
+    },
+  ],
+  ignorePaths: [
+    '**/vendor/**',
+  ],
+}

.github/workflows/govulncheck.yaml

@@ -10,18 +10,27 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
+    if: github.repository == 'cert-manager/trust-manager-csi-driver'
+
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

.github/workflows/make-self-upgrade.yaml

@@ -8,10 +8,15 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   self_upgrade:
     runs-on: ubuntu-latest
 
+    if: github.repository == 'cert-manager/trust-manager-csi-driver'
+
     permissions:
       contents: write
       pull-requests: write
@@ -27,13 +32,17 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
@@ -64,7 +73,7 @@ jobs:
           git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { repo, owner } = context.repo;
@@ -77,7 +86,7 @@ jobs:
             });
             
             if (pulls.data.length < 1) {
-              await github.rest.pulls.create({
+              const result = await github.rest.pulls.create({
                 title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
                 owner: owner,
                 repo: repo,
@@ -87,4 +96,10 @@ jobs:
                   'This PR is auto-generated to bump the Makefile modules.',
                 ].join('\n'),
               });
+              await github.rest.issues.addLabels({
+                owner,
+                repo,
+                issue_number: result.data.number,
+                labels: ['ok-to-test', 'skip-review']
+              });
             }

.github/workflows/renovate.yaml

@@ -0,0 +1,56 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base-dependabot/.github/workflows/renovate.yaml instead.
+
+name: Renovate
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 2 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+
+    if: github.repository == 'cert-manager/trust-manager-csi-driver'
+
+    permissions:
+      contents: write
+      issues: write
+      statuses: write
+      pull-requests: write
+
+    steps:
+      - name: Fail if branch is not head of branch.
+        if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
+        run: |
+          echo "This workflow should not be run on a non-branch-head."
+          exit 1
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@a447f09147d00e00ae2a82ad5ef51ca89352da80 # v43.0.9
+        with:
+          configurationFile: .github/renovate.json5
+          token: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+          RENOVATE_ONBOARDING: "false"
+          RENOVATE_PLATFORM: "github"
+          LOG_LEVEL: "debug"
+          RENOVATE_ALLOWED_COMMANDS: '[".*"]'

.golangci.yaml

@@ -1,39 +1,46 @@
+version: "2"
 linters:
-  # Explicitly define all enabled linters
-  disable-all: true
+  default: none
+  exclusions:
+    generated: lax
+    presets: [comments, common-false-positives, legacy, std-error-handling]
+    paths: [third_party, builtin$, examples$]
+    warn-unused: true
+  settings:
+    staticcheck:
+      checks: ["all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008"]
   enable:
     - asasalint
     - asciicheck
     - bidichk
     - bodyclose
+    - canonicalheader
     - contextcheck
+    - copyloopvar
     - decorder
     - dogsled
     - dupword
     - durationcheck
     - errcheck
     - errchkjson
     - errname
-    - execinquery
     - exhaustive
-    - exportloopref
+    - exptostd
     - forbidigo
-    - gci
     - ginkgolinter
     - gocheckcompilerdirectives
     - gochecksumtype
     - gocritic
-    - gofmt
     - goheader
     - goprintffuncname
     - gosec
-    - gosimple
     - gosmopolitan
     - govet
     - grouper
     - importas
     - ineffassign
     - interfacebloat
+    - intrange
     - loggercheck
     - makezero
     - mirror
@@ -51,19 +58,23 @@ linters:
     - sloglint
     - staticcheck
     - tagalign
-    - tenv
     - testableexamples
-    - typecheck
     - unconvert
     - unparam
     - unused
     - usestdlibvars
+    - usetesting
     - wastedassign
-linters-settings:
-  gci:
-    sections:
-      - standard # Standard section: captures all standard packages.
-      - default # Default section: contains all imports that could not be matched to another section type.
-      - prefix(github.com/cert-manager/trust-manager-csi-driver) # Custom section: groups all imports with the specified Prefix.
-      - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
-      - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+formatters:
+  enable: [gci, gofmt]
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix(github.com/cert-manager/trust-manager-csi-driver) # Custom section: groups all imports with the specified Prefix.
+        - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+        - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+  exclusions:
+    generated: lax
+    paths: [third_party, builtin$, examples$]