Merge pull request #14 from sapcc/gh-build-images

bump go-makefile-maker and enable image build
sapcc · Jan 8, 2025 · f46f500 · f46f500
2 parents 3c13beb + 7373177
commit f46f500
Show file tree

Hide file tree

Showing 10 changed files with 185 additions and 35 deletions.
diff --git a/.envrc b/.envrc
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2019–2020 Target, Copyright 2021 The Nix Community
+# SPDX-License-Identifier: Apache-2.0
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv)"
+else
+  use nix
+fi
diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 name: Checks
 "on":
   push:
@@ -26,15 +29,17 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.1
+          go-version: 1.23.4
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
           version: latest
       - name: Dependency Licenses Review
         run: make check-dependency-licenses
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
       - name: Run govulncheck
-        uses: golang/govulncheck-action@v1
+        run: govulncheck -format text ./...
       - name: Check for spelling errors
         uses: reviewdog/action-misspell@v1
         with:

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 name: CI
 "on":
   push:
@@ -29,7 +32,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.1
+          go-version: 1.23.4
   test:
     name: Test
     needs:
@@ -42,7 +45,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.1
+          go-version: 1.23.4
       - name: Run tests and generate coverage report
         run: make build/cover.out
       - name: Upload coverage report to Coveralls

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 name: CodeQL
 "on":
   push:
@@ -29,7 +32,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.1
+          go-version: 1.23.4
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:

diff --git a/.github/workflows/container-registry-ghcr.yaml b/.github/workflows/container-registry-ghcr.yaml
@@ -0,0 +1,56 @@
+################################################################################
+# This file is AUTOGENERATED with <https://github.com/sapcc/go-makefile-maker> #
+# Edit Makefile.maker.yaml instead.                                            #
+################################################################################
+
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
+name: Container Registry GHCR
+"on":
+  push:
+    branches:
+      - main
+  workflow_dispatch: {}
+permissions:
+  contents: read
+  packages: write
+jobs:
+  build-and-push-image:
+    name: Push container to ghcr.io
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            # https://github.com/docker/metadata-action#typeedge
+            type=edge
+            # https://github.com/docker/metadata-action#latest-tag
+            type=raw,value=latest,enable={{is_default_branch}}
+            # https://github.com/docker/metadata-action#typesemver
+            type=semver,pattern={{raw}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 run:
   timeout: 3m # 1m by default
   modules-download-mode: readonly
@@ -32,8 +35,10 @@ linters-settings:
   errcheck:
     # Report about assignment of errors to blank identifier.
     check-blank: true
-    # Report about not checking of errors in type assertions.
-    check-type-assertions: true
+    # Do not report about not checking of errors in type assertions.
+    # This is not as dangerous as skipping error values because an unchecked type assertion just immediately panics.
+    # We disable this because it makes a ton of useless noise esp. in test code.
+    check-type-assertions: false
   forbidigo:
     analyze-types: true # required for pkg:
     forbid:
@@ -82,6 +87,9 @@ linters-settings:
   goimports:
     # Put local imports after 3rd-party packages.
     local-prefixes: github.com/sapcc/cni-nanny
+  gomoddirectives:
+    toolchain-forbidden: true
+    go-version-pattern: '1\.\d+(\.0)?$'
   gosec:
     excludes:
       # gosec wants us to set a short ReadHeaderTimeout to avoid Slowloris attacks, but doing so would expose us to Keep-Alive race conditions (see https://iximiuz.com/en/posts/reverse-proxy-http-keep-alive-and-502s/)
@@ -109,6 +117,9 @@ linters-settings:
     time-month: true
     time-weekday: true
     tls-signature-scheme: true
+  usetesting:
+    os-setenv: true
+    os-temp-dir: true
   whitespace:
     # Enforce newlines (or comments) after multi-line function signatures.
     multi-func: true
@@ -127,13 +138,15 @@ linters:
     - errcheck
     - errname
     - errorlint
+    - exptostd
     - forbidigo
     - ginkgolinter
     - gocheckcompilerdirectives
     - goconst
     - gocritic
     - gofmt
     - goimports
+    - gomoddirectives
     - gosec
     - gosimple
     - govet
@@ -156,4 +169,5 @@ linters:
     - unparam
     - unused
     - usestdlibvars
+    - usetesting
     - whitespace
diff --git a/Makefile b/Makefile
@@ -3,6 +3,9 @@
 # Edit Makefile.maker.yaml instead.                                            #
 ################################################################################
 
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 MAKEFLAGS=--warn-undefined-variables
 # /bin/sh is dash on Debian which does not support all features of ash/bash
 # to fix that we use /bin/bash only on Debian to not break Alpine
@@ -15,11 +18,17 @@ endif
 default: FORCE
 	@echo 'There is nothing to build, use `make check` for running the test suite or `make help` for a list of available targets.'
 
-prepare-static-check: FORCE
+install-golangci-lint: FORCE
 	@if ! hash golangci-lint 2>/dev/null; then printf "\e[1;36m>> Installing golangci-lint (this may take a while)...\e[0m\n"; go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest; fi
+
+install-go-licence-detector: FORCE
 	@if ! hash go-licence-detector 2>/dev/null; then printf "\e[1;36m>> Installing go-licence-detector...\e[0m\n"; go install go.elastic.co/go-licence-detector@latest; fi
+
+install-addlicense: FORCE
 	@if ! hash addlicense 2>/dev/null; then  printf "\e[1;36m>> Installing addlicense...\e[0m\n";  go install github.com/google/addlicense@latest; fi
 
+prepare-static-check: FORCE install-golangci-lint install-go-licence-detector install-addlicense
+
 install-controller-gen: FORCE
 	@if ! hash controller-gen 2>/dev/null; then printf "\e[1;36m>> Installing controller-gen...\e[0m\n"; go install sigs.k8s.io/controller-tools/cmd/controller-gen@latest; fi
 
@@ -33,7 +42,6 @@ GO_BUILDFLAGS =
 GO_LDFLAGS =
 GO_TESTENV =
 GO_BUILDENV =
-TESTBIN=$(shell pwd)/testbin
 
 # which packages to test with test runner
 GO_TESTPKGS := $(shell go list -f '{{if or .TestGoFiles .XTestGoFiles}}{{.Dir}}{{end}}' ./...)
@@ -52,16 +60,16 @@ check: FORCE static-check build/cover.html
 
 generate: install-controller-gen
 	@printf "\e[1;36m>> controller-gen\e[0m\n"
-	@controller-gen crd rbac:roleName=cni-nanny paths="./..." output:crd:artifacts:config=crd
-	@controller-gen object paths=./...
+	@controller-gen crd rbac:roleName=cni-nanny webhook paths="./..." output:crd:artifacts:config=crd
+	@controller-gen object paths="./..."
 
-run-golangci-lint: FORCE prepare-static-check
+run-golangci-lint: FORCE install-golangci-lint
 	@printf "\e[1;36m>> golangci-lint\e[0m\n"
 	@golangci-lint run
 
 build/cover.out: FORCE install-ginkgo generate install-setup-envtest | build
 	@printf "\e[1;36m>> Running tests\e[0m\n"
-	KUBEBUILDER_ASSETS="$(shell setup-envtest use 1.31 --bin-dir $(TESTBIN) -p path)" ginkgo run --randomize-all -output-dir=build $(GO_BUILDFLAGS) -ldflags '-s -w $(GO_LDFLAGS)' -covermode=count -coverpkg=$(subst $(space),$(comma),$(GO_COVERPKGS)) $(GO_TESTPKGS)
+	KUBEBUILDER_ASSETS=$$(setup-envtest use 1.31 -p path) ginkgo run --randomize-all -output-dir=build $(GO_BUILDFLAGS) -ldflags '-s -w $(GO_LDFLAGS)' -covermode=count -coverpkg=$(subst $(space),$(comma),$(GO_COVERPKGS)) $(GO_TESTPKGS)
 	@mv build/coverprofile.out build/cover.out
 
 build/cover.html: build/cover.out
@@ -77,15 +85,19 @@ tidy-deps: FORCE
 	go mod tidy
 	go mod verify
 
-license-headers: FORCE prepare-static-check
+force-license-headers: FORCE install-addlicense
+	@printf "\e[1;36m>> addlicense\e[0m\n"
+	echo -n $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...)) | xargs -d" " -I{} bash -c 'year="$$(rg -P "Copyright (....) SAP SE" -Nor "\$$1" {})"; awk -i inplace '"'"'{if (display) {print} else {!/^\/\*/ && !/^\*/ && !/^\$$/}}; /^package /{print;display=1}'"'"' {}; addlicense -c "SAP SE" -s=only -y "$$year" -- {}'
+
+license-headers: FORCE install-addlicense
 	@printf "\e[1;36m>> addlicense\e[0m\n"
-	@addlicense -c "SAP SE" -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+	@addlicense -c "SAP SE" -s=only -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
 
-check-license-headers: FORCE prepare-static-check
+check-license-headers: FORCE install-addlicense
 	@printf "\e[1;36m>> addlicense --check\e[0m\n"
 	@addlicense --check -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
 
-check-dependency-licenses: FORCE prepare-static-check
+check-dependency-licenses: FORCE install-go-licence-detector
 	@printf "\e[1;36m>> go-licence-detector\e[0m\n"
 	@go list -m -mod=readonly -json all | go-licence-detector -includeIndirect -rules .license-scan-rules.json -overrides .license-scan-overrides.jsonl
 
@@ -97,35 +109,38 @@ vars: FORCE
 	@printf "GO_COVERPKGS=$(GO_COVERPKGS)\n"
 	@printf "GO_LDFLAGS=$(GO_LDFLAGS)\n"
 	@printf "GO_TESTPKGS=$(GO_TESTPKGS)\n"
-	@printf "TESTBIN=$(TESTBIN)\n"
 help: FORCE
 	@printf "\n"
 	@printf "\e[1mUsage:\e[0m\n"
 	@printf "  make \e[36m<target>\e[0m\n"
 	@printf "\n"
 	@printf "\e[1mGeneral\e[0m\n"
-	@printf "  \e[36mvars\e[0m                       Display values of relevant Makefile variables.\n"
-	@printf "  \e[36mhelp\e[0m                       Display this help.\n"
+	@printf "  \e[36mvars\e[0m                         Display values of relevant Makefile variables.\n"
+	@printf "  \e[36mhelp\e[0m                         Display this help.\n"
 	@printf "\n"
 	@printf "\e[1mPrepare\e[0m\n"
-	@printf "  \e[36mprepare-static-check\e[0m       Install any tools required by static-check. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
-	@printf "  \e[36minstall-controller-gen\e[0m     Install controller-gen required by static-check and build-all. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
-	@printf "  \e[36minstall-setup-envtest\e[0m      Install setup-envtest required by check. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
-	@printf "  \e[36minstall-ginkgo\e[0m             Install ginkgo required when using it as test runner. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
+	@printf "  \e[36minstall-golangci-lint\e[0m        Install golangci-lint required by run-golangci-lint/static-check\n"
+	@printf "  \e[36minstall-go-licence-detector\e[0m  Install-go-licence-detector required by check-dependency-licenses/static-check\n"
+	@printf "  \e[36minstall-addlicense\e[0m           Install addlicense required by check-license-headers/license-headers/static-check\n"
+	@printf "  \e[36mprepare-static-check\e[0m         Install any tools required by static-check. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
+	@printf "  \e[36minstall-controller-gen\e[0m       Install controller-gen required by static-check and build-all. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
+	@printf "  \e[36minstall-setup-envtest\e[0m        Install setup-envtest required by check. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
+	@printf "  \e[36minstall-ginkgo\e[0m               Install ginkgo required when using it as test runner. This is used in CI before dropping privileges, you should probably install all the tools using your package manager\n"
 	@printf "\n"
 	@printf "\e[1mTest\e[0m\n"
-	@printf "  \e[36mcheck\e[0m                      Run the test suite (unit tests and golangci-lint).\n"
-	@printf "  \e[36mgenerate\e[0m                   Generate code for Kubernetes CRDs and deepcopy.\n"
-	@printf "  \e[36mrun-golangci-lint\e[0m          Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n"
-	@printf "  \e[36mbuild/cover.out\e[0m            Run tests and generate coverage report.\n"
-	@printf "  \e[36mbuild/cover.html\e[0m           Generate an HTML file with source code annotations from the coverage report.\n"
-	@printf "  \e[36mstatic-check\e[0m               Run static code checks\n"
+	@printf "  \e[36mcheck\e[0m                        Run the test suite (unit tests and golangci-lint).\n"
+	@printf "  \e[36mgenerate\e[0m                     Generate code for Kubernetes CRDs and deepcopy.\n"
+	@printf "  \e[36mrun-golangci-lint\e[0m            Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n"
+	@printf "  \e[36mbuild/cover.out\e[0m              Run tests and generate coverage report.\n"
+	@printf "  \e[36mbuild/cover.html\e[0m             Generate an HTML file with source code annotations from the coverage report.\n"
+	@printf "  \e[36mstatic-check\e[0m                 Run static code checks\n"
 	@printf "\n"
 	@printf "\e[1mDevelopment\e[0m\n"
-	@printf "  \e[36mtidy-deps\e[0m                  Run go mod tidy and go mod verify.\n"
-	@printf "  \e[36mlicense-headers\e[0m            Add license headers to all non-vendored source code files.\n"
-	@printf "  \e[36mcheck-license-headers\e[0m      Check license headers in all non-vendored .go files.\n"
-	@printf "  \e[36mcheck-dependency-licenses\e[0m  Check all dependency licenses using go-licence-detector.\n"
-	@printf "  \e[36mclean\e[0m                      Run git clean.\n"
+	@printf "  \e[36mtidy-deps\e[0m                    Run go mod tidy and go mod verify.\n"
+	@printf "  \e[36mforce-license-headers\e[0m        Remove and re-add all license headers to all non-vendored source code files.\n"
+	@printf "  \e[36mlicense-headers\e[0m              Add license headers to all non-vendored source code files.\n"
+	@printf "  \e[36mcheck-license-headers\e[0m        Check license headers in all non-vendored .go files.\n"
+	@printf "  \e[36mcheck-dependency-licenses\e[0m    Check all dependency licenses using go-licence-detector.\n"
+	@printf "  \e[36mclean\e[0m                        Run git clean.\n"
 
 .PHONY: FORCE
diff --git a/Makefile.maker.yaml b/Makefile.maker.yaml
@@ -23,6 +23,13 @@ githubWorkflow:
     enabled: true
   securityChecks:
     enabled: true
+  pushContainerToGhcr:
+    enabled: true
+    platforms: "linux/amd64"
+    tagStrategy:
+      - edge
+      - latest
+      - semver
 
 renovate:
   enabled: true

diff --git a/REUSE.toml b/REUSE.toml
@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
+version = 1
+
+[[annotations]]
+path = [
+  ".github/CODEOWNERS",
+  ".github/renovate.json",
+  ".gitignore",
+  ".license-scan-overrides.jsonl",
+  ".license-scan-rules.json",
+  "go.mod",
+  "go.sum",
+  "Makefile.maker.yaml",
+]
+SPDX-FileCopyrightText = "SAP SE"
+SPDX-License-Identifier = "Apache-2.0"