Bump golang.org/x/tools from 0.9.3 to 0.11.0 in /hack/tools

[killianmuldoon]

The dependabot PR to update golang.org/x/tools from 0.9.3 to 0.11.0 resulted in a deprecation warning which caused the linter to fail with

hack/tools/mdbook/releaselink/releaselink.go:32:2: SA1019: "golang.org/x/tools/go/vcs" is deprecated: Use the go list command with -json flag instead, which implements up-to-date import path resolution behavior, module support, and includes the latest security fixes. (staticcheck)
        **"golang.org/x/tools/go/vcs":**

Related bump: #9052

The entire VCS package, which is used in the release link tool to translate the go module into the github URL, has been deprecated and AFAIU there is no replacement package. The advice is to use go list, but I don't know how this can be used in this case.

An alternative would be to take the parts of the code we need from the VCS package and keep them as part of the release link tool.

Fundamentally what we need is a way to map the go module to the URL location of the repo. This tool is used in other projects - at least in CAPA from a quick browse - so we can't simply hardcode the URL.

Using sigs.k8s.io/cluster-api as the base of the URL does not work for downloading release artifacts i.e. https://sigs.k8s.io/cluster-api/releases redirects to https://github.com/kubernetes-sigs/cluster-api/blob/main/releases

Tasks

Beta Give feedback

1. Re-enable dependabot for golang.org/x/tools - c/f 🌱 Bump golang.org/x/tools from 0.9.3 to 0.11.1 in /hack/tools #9109 (comment)

[killianmuldoon]

/help

[k8s-ci-robot]

@killianmuldoon:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

/triage accepted

Thx for opening the issue

[sbueringer]

Fundamentally what we need is a way to map the go module to the URL location of the repo. This tool is used in other projects - at least in CAPA from a quick browse - so we can't simply hardcode the URL.

Maybe we can make it configurable in some way (worst case env var)

[killianmuldoon]

Maybe we can make it configurable in some way (worst case env var)

Yeah - we could add it as a variable passed into the command where release link is called, but it would break other users any way we make this a requirement. Depends on how much value we see in maintaining this tool properly - we could deprecate the public version and move a more tightly coupled version into an internal package.

[killianmuldoon]

As a bit of extra contest - this is currently used in Cluster API providers for AWS, Cloudstack, IBMCloud and Openstack in public kubernetes sigs repos - https://cs.k8s.io/?q=sigs.k8s.io%2Fcluster-api%2Fhack%2Ftools%2Fmdbook%2Freleaselink&i=nope&files=&excludeFiles=&repos=

[sbueringer]

Note: Once we did this we have to enable dependabot for this dependency again: #9109 (comment)

@killianmuldoon Please add this as a task to the issue description

[killianmuldoon]

/assign