add go Makefile module

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
cert-manager · Apr 3, 2024 · 4070555 · 4070555
1 parent 39dc360
commit 4070555
Show file tree

Hide file tree

Showing 8 changed files with 341 additions and 0 deletions.
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
@@ -0,0 +1,28 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead.
+
+# Run govulncheck at midnight every night on the main branch,
+# to alert us to recent vulnerabilities which affect the Go code in this
+# project.
+name: govulncheck
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - run: make verify-govulncheck
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -0,0 +1,91 @@
+issues:
+  exclude-rules:
+    - linters:
+        - errcheck
+        - forbidigo
+        - gci
+        - gocritic
+        - gosec
+        - misspell
+        - unparam
+        - unused
+        - nilerr
+        - nilnil
+        - staticcheck
+        - dupword
+        - noctx
+        - predeclared
+        - unconvert
+        - usestdlibvars
+      text: ".*"
+linters:
+  # Explicitly define all enabled linters
+  disable-all: true
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - decorder
+    - dogsled
+    - dupword
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errname
+    - execinquery
+    - exhaustive
+    - exportloopref
+    - forbidigo
+    - gci
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocritic
+    - gofmt
+    - goheader
+    - gomoddirectives
+    - gomodguard
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - gosmopolitan
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - interfacebloat
+    - loggercheck
+    - makezero
+    - mirror
+    - misspell
+    - musttag
+    - nakedret
+    - nilerr
+    - nilnil
+    - noctx
+    - nosprintfhostport
+    - predeclared
+    - promlinter
+    - protogetter
+    - reassign
+    - sloglint
+    - staticcheck
+    - tagalign
+    - tenv
+    - testableexamples
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - wastedassign
+linters-settings:
+  gci:
+    sections:
+      - standard # Standard section: captures all standard packages.
+      - default # Default section: contains all imports that could not be matched to another section type.
+      - prefix(github.com/cert-manager/cmctl/v2) # Custom section: groups all imports with the specified Prefix.
+      - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+      - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
diff --git a/klone.yaml b/klone.yaml
@@ -27,6 +27,11 @@ targets:
       repo_ref: main
       repo_hash: 2b3ed7d6563ecd61de7d5f3b95a0efb4462ba110
       repo_path: modules/generate-verify
+    - folder_name: go
+      repo_url: https://github.com/cert-manager/makefile-modules.git
+      repo_ref: main
+      repo_hash: 2b3ed7d6563ecd61de7d5f3b95a0efb4462ba110
+      repo_path: modules/go
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main

diff --git a/make/00_mod.mk b/make/00_mod.mk
@@ -32,3 +32,5 @@ go_kubectl_cert-manager_ldflags := \
 	-X $(repo_name)/pkg/build/commands.registerCompletion=false \
 	-X github.com/cert-manager/cert-manager/pkg/util/version.AppVersion=$(VERSION) \
 	-X github.com/cert-manager/cert-manager/pkg/util/version.AppGitCommit=$(GITCOMMIT)
+
+golangci_lint_config := .golangci.yaml
diff --git a/make/_shared/go/.golangci.override.yaml b/make/_shared/go/.golangci.override.yaml
@@ -0,0 +1,71 @@
+linters:
+  # Explicitly define all enabled linters
+  disable-all: true
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - decorder
+    - dogsled
+    - dupword
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errname
+    - execinquery
+    - exhaustive
+    - exportloopref
+    - forbidigo
+    - gci
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocritic
+    - gofmt
+    - goheader
+    - gomoddirectives
+    - gomodguard
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - gosmopolitan
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - interfacebloat
+    - loggercheck
+    - makezero
+    - mirror
+    - misspell
+    - musttag
+    - nakedret
+    - nilerr
+    - nilnil
+    - noctx
+    - nosprintfhostport
+    - predeclared
+    - promlinter
+    - protogetter
+    - reassign
+    - sloglint
+    - staticcheck
+    - tagalign
+    - tenv
+    - testableexamples
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - wastedassign
+linters-settings:
+  gci:
+    sections:
+      - standard # Standard section: captures all standard packages.
+      - default # Default section: contains all imports that could not be matched to another section type.
+      - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix.
+      - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+      - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
diff --git a/make/_shared/go/01_mod.mk b/make/_shared/go/01_mod.mk
@@ -0,0 +1,113 @@
+# Copyright 2023 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ifndef bin_dir
+$(error bin_dir is not set)
+endif
+
+ifndef repo_name
+$(error repo_name is not set)
+endif
+
+go_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
+golangci_lint_override := $(dir $(lastword $(MAKEFILE_LIST)))/.golangci.override.yaml
+
+.PHONY: generate-govulncheck
+## Generate base files in the repository
+## @category [shared] Generate/ Verify
+generate-govulncheck:
+	cp -r $(go_base_dir)/. ./
+
+shared_generate_targets += generate-govulncheck
+
+.PHONY: verify-govulncheck
+## Verify all Go modules for vulnerabilities using govulncheck
+## @category [shared] Generate/ Verify
+#
+# Runs `govulncheck` on all Go modules related to the project.
+# Ignores Go modules among the temporary build artifacts in _bin, to avoid
+# scanning the code of the vendored Go, after running make vendor-go.
+# Ignores Go modules in make/_shared, because those will be checked in centrally
+# in the makefile_modules repository.
+#
+# `verify-govulncheck` not added to the `shared_verify_targets` variable and is
+# not run by `make verify`, because `make verify` is run for each PR, and we do
+# not want new vulnerabilities in existing code to block the merging of PRs.
+# Instead `make verify-govulnecheck` is intended to be run periodically by a CI job.
+verify-govulncheck: | $(NEEDS_GOVULNCHECK)
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \
+		| while read d; do \
+				echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${d}'"; \
+				pushd "$${d}" >/dev/null; \
+				GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(GOVULNCHECK) ./... || exit; \
+				popd >/dev/null; \
+				echo ""; \
+			done
+
+ifdef golangci_lint_config
+
+# see https://stackoverflow.com/a/53408233
+sed_inplace := sed -i''
+ifeq ($(HOST_OS),darwin)
+	sed_inplace := sed -i ''
+endif
+
+.PHONY: generate-golangci-lint-config
+## Generate a golangci-lint configuration file
+## @category [shared] Generate/ Verify
+generate-golangci-lint-config: | $(NEEDS_YQ) $(bin_dir)/scratch
+	cp $(golangci_lint_config) $(bin_dir)/scratch/golangci-lint.yaml.tmp
+	$(YQ) -i 'del(.linters.enable)' $(bin_dir)/scratch/golangci-lint.yaml.tmp
+	$(YQ) eval-all -i '. as $$item ireduce ({}; . * $$item)' $(bin_dir)/scratch/golangci-lint.yaml.tmp $(golangci_lint_override)
+	$(sed_inplace) 's|{{REPO-NAME}}|$(repo_name)|g' $(bin_dir)/scratch/golangci-lint.yaml.tmp
+	mv $(bin_dir)/scratch/golangci-lint.yaml.tmp $(golangci_lint_config)
+
+shared_generate_targets += generate-golangci-lint-config
+
+.PHONY: verify-golangci-lint
+## Verify all Go modules using golangci-lint
+## @category [shared] Generate/ Verify
+verify-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \
+		| while read d; do \
+				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config)' in directory '$${d}'"; \
+				pushd "$${d}" >/dev/null; \
+				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout 4m || exit; \
+				popd >/dev/null; \
+				echo ""; \
+			done
+
+shared_verify_targets_dirty += verify-golangci-lint
+
+.PHONY: fix-golangci-lint
+## Fix all Go modules using golangci-lint
+## @category [shared] Generate/ Verify
+fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch
+	gci write \
+		-s "standard" \
+		-s "default" \
+		-s "prefix($(repo_name))" \
+		-s "blank" \
+		-s "dot" .
+
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \
+		| while read d; do \
+				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix' in directory '$${d}'"; \
+				pushd "$${d}" >/dev/null; \
+				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix || exit; \
+				popd >/dev/null; \
+				echo ""; \
+			done
+
+endif
diff --git a/make/_shared/go/README.md b/make/_shared/go/README.md
@@ -0,0 +1,3 @@
+# README
+
+A module for various Go static checks.
diff --git a/make/_shared/go/base/.github/workflows/govulncheck.yaml b/make/_shared/go/base/.github/workflows/govulncheck.yaml
@@ -0,0 +1,28 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead.
+
+# Run govulncheck at midnight every night on the main branch,
+# to alert us to recent vulnerabilities which affect the Go code in this
+# project.
+name: govulncheck
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - run: make verify-govulncheck