From c1b9790974afdd5a5c5cb03adc09ef32465a987e Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Thu, 28 Mar 2024 19:45:55 +0100 Subject: [PATCH] add go Makefile module Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- .github/workflows/govulncheck.yaml | 28 +++++ .golangci.yaml | 98 +++++++++++++++ klone.yaml | 21 ++-- make/00_mod.mk | 2 + make/_shared/go/.golangci.override.yaml | 75 ++++++++++++ make/_shared/go/01_mod.mk | 113 ++++++++++++++++++ make/_shared/go/README.md | 3 + .../base/.github/workflows/govulncheck.yaml | 28 +++++ 8 files changed, 360 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/govulncheck.yaml create mode 100644 .golangci.yaml create mode 100644 make/_shared/go/.golangci.override.yaml create mode 100644 make/_shared/go/01_mod.mk create mode 100644 make/_shared/go/README.md create mode 100644 make/_shared/go/base/.github/workflows/govulncheck.yaml diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml new file mode 100644 index 0000000..405e8de --- /dev/null +++ b/.github/workflows/govulncheck.yaml @@ -0,0 +1,28 @@ +# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. +# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead. + +# Run govulncheck at midnight every night on the main branch, +# to alert us to recent vulnerabilities which affect the Go code in this +# project. +name: govulncheck +on: + workflow_dispatch: {} + schedule: + - cron: '0 0 * * *' + +jobs: + govulncheck: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - id: go-version + run: | + make print-go-version >> "$GITHUB_OUTPUT" + + - uses: actions/setup-go@v5 + with: + go-version: ${{ steps.go-version.outputs.result }} + + - run: make verify-govulncheck diff --git a/.golangci.yaml b/.golangci.yaml new file mode 100644 index 0000000..27c1335 --- /dev/null +++ b/.golangci.yaml 
@@ -0,0 +1,98 @@ +issues: + exclude-rules: + - linters: + - errcheck + - forbidigo + - gci + - gocritic + - gosec + - misspell + - prealloc + - unparam + - unused + - errorlint + - gosimple + - nilerr + - nilnil + - staticcheck + - dupword + - noctx + - predeclared + - unconvert + - usestdlibvars + text: ".*" +linters: + # Explicitly define all enabled linters + disable-all: true + enable: + - asasalint + - asciicheck + - bidichk + - bodyclose + - containedctx + - contextcheck + - decorder + - dogsled + - dupword + - durationcheck + - errcheck + - errchkjson + - errname + - errorlint + - execinquery + - exhaustive + - exportloopref + - forbidigo + - gci + - ginkgolinter + - gocheckcompilerdirectives + - gochecksumtype + - gocritic + - gofmt + - goheader + - goimports + - gomoddirectives + - gomodguard + - goprintffuncname + - gosec + - gosimple + - gosmopolitan + - govet + - grouper + - importas + - ineffassign + - interfacebloat + - loggercheck + - makezero + - mirror + - misspell + - musttag + - nakedret + - nilerr + - nilnil + - noctx + - nosprintfhostport + - prealloc + - predeclared + - promlinter + - protogetter + - reassign + - sloglint + - staticcheck + - tagalign + - tenv + - testableexamples + - typecheck + - unconvert + - unparam + - unused + - usestdlibvars + - wastedassign +linters-settings: + gci: + sections: + - standard # Standard section: captures all standard packages. + - default # Default section: contains all imports that could not be matched to another section type. + - prefix(github.com/cert-manager/cmctl/v2) # Custom section: groups all imports with the specified Prefix. + - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled. + - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled. diff --git a/klone.yaml b/klone.yaml index 7b4e866..96a8c76 100644 --- a/klone.yaml +++ b/klone.yaml 
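Review bot: The `issues.exclude-rules` entry pairs `text: ".*"` with a linter list that includes `gosec`, `errcheck`, `errorlint`, `noctx` and `staticcheck`, so every finding from those linters is suppressed and listing them under `linters.enable` yields no signal; in particular `gosec` is effectively off for this repository. If the intent is a transitional baseline, a comment such as `# Temporary: these linters are enabled but all their findings are excluded until existing violations are fixed` above the rule would make that explicit, and narrowing the list (at least dropping `gosec`) would let new security findings surface. Note that `generate-golangci-lint-config` in this patch only deletes `.linters.enable` before merging the override, so this exclusion block survives regeneration.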
@@ -10,40 +10,45 @@ targets: - folder_name: boilerplate repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: bee8fa83c976e2bb96e58191ea560a5398e3fcda + repo_hash: 9ce477bd5bd50415ebf74ec26d8dc3c6e06c9e03 repo_path: modules/boilerplate - folder_name: cert-manager repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: bee8fa83c976e2bb96e58191ea560a5398e3fcda + repo_hash: 9ce477bd5bd50415ebf74ec26d8dc3c6e06c9e03 repo_path: modules/cert-manager - folder_name: executable repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: bee8fa83c976e2bb96e58191ea560a5398e3fcda + repo_hash: 9ce477bd5bd50415ebf74ec26d8dc3c6e06c9e03 repo_path: modules/executable - folder_name: generate-verify repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: bee8fa83c976e2bb96e58191ea560a5398e3fcda + repo_hash: 9ce477bd5bd50415ebf74ec26d8dc3c6e06c9e03 repo_path: modules/generate-verify + - folder_name: go + repo_url: https://github.com/cert-manager/makefile-modules.git + repo_ref: main + repo_hash: 9ce477bd5bd50415ebf74ec26d8dc3c6e06c9e03 + repo_path: modules/go - folder_name: help repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: bee8fa83c976e2bb96e58191ea560a5398e3fcda + repo_hash: 9ce477bd5bd50415ebf74ec26d8dc3c6e06c9e03 repo_path: modules/help - folder_name: klone repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: bee8fa83c976e2bb96e58191ea560a5398e3fcda + repo_hash: 9ce477bd5bd50415ebf74ec26d8dc3c6e06c9e03 repo_path: modules/klone - folder_name: repository-base repo_url: https://github.com/cert-manager/makefile-modules.git repo_ref: main - repo_hash: bee8fa83c976e2bb96e58191ea560a5398e3fcda + repo_hash: 9ce477bd5bd50415ebf74ec26d8dc3c6e06c9e03 repo_path: modules/repository-base - folder_name: tools repo_url: https://github.com/cert-manager/makefile-modules.git 
repo_ref: main - repo_hash: bee8fa83c976e2bb96e58191ea560a5398e3fcda + repo_hash: 9ce477bd5bd50415ebf74ec26d8dc3c6e06c9e03 repo_path: modules/tools diff --git a/make/00_mod.mk b/make/00_mod.mk index b0de30d..911a2bc 100644 --- a/make/00_mod.mk +++ b/make/00_mod.mk @@ -32,3 +32,5 @@ go_kubectl_cert-manager_ldflags := \ -X $(repo_name)/pkg/build/commands.registerCompletion=false \ -X github.com/cert-manager/cert-manager/pkg/util/version.AppVersion=$(VERSION) \ -X github.com/cert-manager/cert-manager/pkg/util/version.AppGitCommit=$(GITCOMMIT) + +golangci_lint_config := .golangci.yaml diff --git a/make/_shared/go/.golangci.override.yaml b/make/_shared/go/.golangci.override.yaml new file mode 100644 index 0000000..9279ee5 --- /dev/null +++ b/make/_shared/go/.golangci.override.yaml 
@@ -0,0 +1,75 @@ +linters: + # Explicitly define all enabled linters + disable-all: true + enable: + - asasalint + - asciicheck + - bidichk + - bodyclose + - containedctx + - contextcheck + - decorder + - dogsled + - dupword + - durationcheck + - errcheck + - errchkjson + - errname + - errorlint + - execinquery + - exhaustive + - exportloopref + - forbidigo + - gci + - ginkgolinter + - gocheckcompilerdirectives + - gochecksumtype + - gocritic + - gofmt + - goheader + - goimports + - gomoddirectives + - gomodguard + - goprintffuncname + - gosec + - gosimple + - gosmopolitan + - govet + - grouper + - importas + - ineffassign + - interfacebloat + - loggercheck + - makezero + - mirror + - misspell + - musttag + - nakedret + - nilerr + - nilnil + - noctx + - nosprintfhostport + - prealloc + - predeclared + - promlinter + - protogetter + - reassign + - sloglint + - staticcheck + - tagalign + - tenv + - testableexamples + - typecheck + - unconvert + - unparam + - unused + - usestdlibvars + - wastedassign +linters-settings: + gci: + sections: + - standard # Standard section: captures all standard packages. + - default # Default section: contains all imports that could not be matched to another section type. + - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix. + - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled. + - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled. diff --git a/make/_shared/go/01_mod.mk b/make/_shared/go/01_mod.mk new file mode 100644 index 0000000..fca9888 --- /dev/null +++ b/make/_shared/go/01_mod.mk 
@@ -0,0 +1,113 @@ +# Copyright 2023 The cert-manager Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ifndef bin_dir +$(error bin_dir is not set) +endif + +ifndef repo_name +$(error repo_name is not set) +endif + +go_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/ +golangci_lint_override := $(dir $(lastword $(MAKEFILE_LIST)))/.golangci.override.yaml + +.PHONY: generate-govulncheck +## Generate base files in the repository +## @category [shared] Generate/ Verify +generate-govulncheck: + cp -r $(go_base_dir)/. ./ + +shared_generate_targets += generate-govulncheck + +.PHONY: verify-govulncheck +## Verify all Go modules for vulnerabilities using govulncheck +## @category [shared] Generate/ Verify +# +# Runs `govulncheck` on all Go modules related to the project. +# Ignores Go modules among the temporary build artifacts in _bin, to avoid +# scanning the code of the vendored Go, after running make vendor-go. +# Ignores Go modules in make/_shared, because those will be checked in centrally +# in the makefile_modules repository. +# +# `verify-govulncheck` not added to the `shared_verify_targets` variable and is +# not run by `make verify`, because `make verify` is run for each PR, and we do +# not want new vulnerabilities in existing code to block the merging of PRs. +# Instead `make verify-govulnecheck` is intended to be run periodically by a CI job. +verify-govulncheck: | $(NEEDS_GOVULNCHECK) + @find . 
-name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \ + | while read d; do \ + echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${d}'"; \ + pushd "$${d}" >/dev/null; \ + GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(GOVULNCHECK) ./... || exit; \ + popd >/dev/null; \ + echo ""; \ + done + +ifdef golangci_lint_config + +# see https://stackoverflow.com/a/53408233 +sed_inplace := sed -i'' +ifeq ($(HOST_OS),darwin) + sed_inplace := sed -i '' +endif + +.PHONY: generate-golangci-lint-config +## Generate a golangci-lint configuration file +## @category [shared] Generate/ Verify +generate-golangci-lint-config: | $(NEEDS_YQ) $(bin_dir)/scratch + cp $(golangci_lint_config) $(bin_dir)/scratch/golangci-lint.yaml.tmp + $(YQ) -i 'del(.linters.enable)' $(bin_dir)/scratch/golangci-lint.yaml.tmp + $(YQ) eval-all -i '. as $$item ireduce ({}; . * $$item)' $(bin_dir)/scratch/golangci-lint.yaml.tmp $(golangci_lint_override) + $(sed_inplace) 's|{{REPO-NAME}}|$(repo_name)|g' $(bin_dir)/scratch/golangci-lint.yaml.tmp + mv $(bin_dir)/scratch/golangci-lint.yaml.tmp $(golangci_lint_config) + +shared_generate_targets += generate-golangci-lint-config + +.PHONY: verify-golangci-lint +## Verify all Go modules using golangci-lint +## @category [shared] Generate/ Verify +verify-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch + @find . 
-name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \ + | while read d; do \ + echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config)' in directory '$${d}'"; \ + pushd "$${d}" >/dev/null; \ + $(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) || exit; \ + popd >/dev/null; \ + echo ""; \ + done + +shared_verify_targets_dirty += verify-golangci-lint + +.PHONY: fix-golangci-lint +## Fix all Go modules using golangci-lint +## @category [shared] Generate/ Verify +fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch + gci write \ + -s "standard" \ + -s "default" \ + -s "prefix($(repo_name))" \ + -s "blank" \ + -s "dot" . + + @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \ + | while read d; do \ + echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix' in directory '$${d}'"; \ + pushd "$${d}" >/dev/null; \ + $(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix || exit; \ + popd >/dev/null; \ + echo ""; \ + done + +endif diff --git a/make/_shared/go/README.md b/make/_shared/go/README.md new file mode 100644 index 0000000..ad1962b --- /dev/null +++ b/make/_shared/go/README.md @@ -0,0 +1,3 @@ +# README + +A module for various Go static checks. diff --git a/make/_shared/go/base/.github/workflows/govulncheck.yaml b/make/_shared/go/base/.github/workflows/govulncheck.yaml new file mode 100644 index 0000000..405e8de --- /dev/null +++ b/make/_shared/go/base/.github/workflows/govulncheck.yaml 
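Review bot: In `fix-golangci-lint` the first recipe line invokes a bare `gci write ... .` resolved from PATH, while every other tool in this file goes through a pinned `$(bin_dir)/tools` binary with an order-only `NEEDS_` prerequisite (`$(GOVULNCHECK)`, `$(GOLANGCI-LINT)`, `$(YQ)`); that makes the fix target the one step whose tool version the repository does not control, and run from the root it presumably also rewrites files under `$(bin_dir)` and `make/_shared`, which the `find` loops deliberately exclude. The three `find ... -printf '%h\n'` loops (`verify-govulncheck`, `verify-golangci-lint`, `fix-golangci-lint`) depend on GNU find, so they will fail on the darwin host that the `sed_inplace` branch goes out of its way to support; `-exec dirname {} \;` is the portable equivalent. `pushd`/`popd` are bash builtins, so the module assumes `SHELL` is bash — that is set outside this hunk, if at all, and deserves a comment next to the first loop. The header comment above `verify-govulncheck` spells the target `verify-govulnecheck`.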
@@ -0,0 +1,28 @@ +# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. +# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead. + +# Run govulncheck at midnight every night on the main branch, +# to alert us to recent vulnerabilities which affect the Go code in this +# project. +name: govulncheck +on: + workflow_dispatch: {} + schedule: + - cron: '0 0 * * *' + +jobs: + govulncheck: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - id: go-version + run: | + make print-go-version >> "$GITHUB_OUTPUT" + + - uses: actions/setup-go@v5 + with: + go-version: ${{ steps.go-version.outputs.result }} + + - run: make verify-govulncheck
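Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although a nightly scan only needs to read the checkout; adding `permissions:` / `  contents: read` at the top level keeps the scheduled job least-privileged. `actions/checkout@v4` and `actions/setup-go@v5` are referenced by floating major tags rather than a commit SHA, which is the usual hardening for an unattended job on `main`. The `go-version` input reads `steps.go-version.outputs.result`, which presumes `make print-go-version` writes a `result=<version>` line to `$GITHUB_OUTPUT` — that target is outside this diff, so confirm its output format. The copy under `.github/workflows/` is regenerated from this file by `generate-govulncheck`, so both changes belong here rather than in the generated copy.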