Renovate: Update External dependencies

.github/renovate.json

@@ -1,6 +1,7 @@
 {
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base",
+    "config:recommended",
     "default:pinDigestsDisabled",
     "mergeConfidence:all-badges",
     "docker:disable"
@@ -13,7 +14,7 @@
   ],
   "commitMessageAction": "Renovate: Update",
   "constraints": {
-    "go": "1.22"
+    "go": "1.23"
   },
   "dependencyDashboardOSVVulnerabilitySummary": "all",
   "osvVulnerabilityAlerts": true,
@@ -26,27 +27,25 @@
       "matchPackageNames": [
         "golang"
       ],
-      "allowedVersions": "1.22.x"
+      "allowedVersions": "1.23.x"
     },
     {
-      "matchPackagePatterns": [
-        "^github\\.com\\/sapcc\\/.*"
+      "matchPackageNames": [
+        "/^github\\.com\\/sapcc\\/.*/"
       ],
       "automerge": true,
       "groupName": "github.com/sapcc"
     },
     {
-      "excludePackagePatterns": [
-        "^github\\.com\\/sapcc\\/.*"
-      ],
-      "matchPackagePatterns": [
-        ".*"
+      "matchPackageNames": [
+        "!/^github\\.com\\/sapcc\\/.*/",
+        "/.*/"
       ],
       "groupName": "External dependencies"
     },
     {
-      "matchPackagePrefixes": [
-        "k8s.io/"
+      "matchPackageNames": [
+        "/^k8s.io\\//"
       ],
       "allowedVersions": "0.28.x"
     }

.github/workflows/checks.yaml

@@ -11,6 +11,7 @@ name: Checks
   pull_request:
     branches:
       - '*'
+  workflow_dispatch: {}
 permissions:
   checks: write
   contents: read
@@ -25,7 +26,11 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.22.2
+          go-version: 1.23.1
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
       - name: Dependency Licenses Review
         run: make check-dependency-licenses
       - name: Run govulncheck

.github/workflows/ci.yaml

@@ -15,11 +15,12 @@ name: CI
       - '*'
     paths-ignore:
       - '**.md'
+  workflow_dispatch: {}
 permissions:
   contents: read
 jobs:
-  buildAndLint:
-    name: Build & Lint
+  build:
+    name: Build
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
@@ -28,15 +29,11 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.22.2
-      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          version: latest
+          go-version: 1.23.1
   test:
     name: Test
     needs:
-      - buildAndLint
+      - build
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
@@ -45,7 +42,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.22.2
+          go-version: 1.23.1
       - name: Run tests and generate coverage report
         run: make build/cover.out
       - name: Upload coverage report to Coveralls

.github/workflows/codeql.yaml

@@ -13,6 +13,7 @@ name: CodeQL
       - main
   schedule:
     - cron: '00 07 * * 1'
+  workflow_dispatch: {}
 permissions:
   actions: read
   contents: read
@@ -28,7 +29,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.22.2
+          go-version: 1.23.1
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:

.golangci.yaml

@@ -26,8 +26,6 @@ issues:
   max-same-issues: 0
 
 linters-settings:
-  copyloopvar:
-    ignore-alias: true
   dupl:
     # Tokens count to trigger issue, 150 by default.
     threshold: 100
@@ -37,13 +35,22 @@ linters-settings:
     # Report about not checking of errors in type assertions.
     check-type-assertions: true
   forbidigo:
+    analyze-types: true # required for pkg:
     forbid:
       # ioutil package has been deprecated: https://github.com/golang/go/issues/42026
       - ^ioutil\..*$
       # Using http.DefaultServeMux is discouraged because it's a global variable that some packages silently and magically add handlers to (esp. net/http/pprof).
       # Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
       - ^http\.DefaultServeMux$
       - ^http\.Handle(?:Func)?$
+      # Forbid usage of old and archived square/go-jose
+      - pkg: ^gopkg\.in/square/go-jose\.v2$
+        msg: "gopk.in/square/go-jose is archived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
+      - pkg: ^github.com/coreos/go-oidc$
+        msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"
+
+      - pkg: ^github.com/howeyc/gopass$
+        msg: "github.com/howeyc/gopass is archived, use golang.org/x/term instead"
   goconst:
     ignore-tests: true
     min-occurrences: 5
@@ -97,12 +104,10 @@ linters-settings:
     default-rpc-path: true
     http-method: true
     http-status-code: true
-    os-dev-null: true
     sql-isolation-level: true
-    syslog-priority: true
-    time-weekday: true
-    time-month: true
     time-layout: true
+    time-month: true
+    time-weekday: true
     tls-signature-scheme: true
   whitespace:
     # Enforce newlines (or comments) after multi-line function signatures.

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.22 as builder
+FROM golang:1.23 as builder
 ARG TARGETOS
 ARG TARGETARCH
 

Dockerfile.discovery

@@ -1,5 +1,5 @@
 # builder
-FROM golang:1.22 as builder
+FROM golang:1.23 as builder
 
 WORKDIR /src/
 

Makefile

@@ -32,6 +32,7 @@ install-ginkgo: FORCE
 GO_BUILDFLAGS =
 GO_LDFLAGS =
 GO_TESTENV =
+GO_BUILDENV =
 TESTBIN=$(shell pwd)/testbin
 
 # which packages to test with test runner
@@ -60,7 +61,7 @@ run-golangci-lint: FORCE prepare-static-check
 
 build/cover.out: FORCE install-ginkgo generate install-setup-envtest | build
 	@printf "\e[1;36m>> Running tests\e[0m\n"
-	KUBEBUILDER_ASSETS="$(shell setup-envtest use 1.29 --bin-dir $(TESTBIN) -p path)" ginkgo run --randomize-all -output-dir=build $(GO_BUILDFLAGS) -ldflags '-s -w $(GO_LDFLAGS)' -covermode=count -coverpkg=$(subst $(space),$(comma),$(GO_COVERPKGS)) $(GO_TESTPKGS)
+	KUBEBUILDER_ASSETS="$(shell setup-envtest use 1.31 --bin-dir $(TESTBIN) -p path)" ginkgo run --randomize-all -output-dir=build $(GO_BUILDFLAGS) -ldflags '-s -w $(GO_LDFLAGS)' -covermode=count -coverpkg=$(subst $(space),$(comma),$(GO_COVERPKGS)) $(GO_TESTPKGS)
 	@mv build/coverprofile.out build/cover.out
 
 build/cover.html: build/cover.out
@@ -78,11 +79,11 @@ tidy-deps: FORCE
 
 license-headers: FORCE prepare-static-check
 	@printf "\e[1;36m>> addlicense\e[0m\n"
-	@addlicense -c "SAP SE"  -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+	@addlicense -c "SAP SE" -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
 
 check-license-headers: FORCE prepare-static-check
 	@printf "\e[1;36m>> addlicense --check\e[0m\n"
-	@addlicense --check  -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+	@addlicense --check -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
 
 check-dependency-licenses: FORCE prepare-static-check
 	@printf "\e[1;36m>> go-licence-detector\e[0m\n"
@@ -122,7 +123,7 @@ help: FORCE
 	@printf "\n"
 	@printf "\e[1mDevelopment\e[0m\n"
 	@printf "  \e[36mtidy-deps\e[0m                  Run go mod tidy and go mod verify.\n"
-	@printf "  \e[36mlicense-headers\e[0m            Add license headers to all non-vendored .go files.\n"
+	@printf "  \e[36mlicense-headers\e[0m            Add license headers to all non-vendored source code files.\n"
 	@printf "  \e[36mcheck-license-headers\e[0m      Check license headers in all non-vendored .go files.\n"
 	@printf "  \e[36mcheck-dependency-licenses\e[0m  Check all dependency licenses using go-licence-detector.\n"
 	@printf "  \e[36mclean\e[0m                      Run git clean.\n"

go.mod

@@ -1,27 +1,26 @@
 module github.com/sapcc/cni-nanny
 
-go 1.22.3
-
-toolchain go1.22.5
+go 1.23
 
 require (
-	github.com/onsi/ginkgo/v2 v2.19.1
-	github.com/onsi/gomega v1.34.0
+	github.com/onsi/ginkgo/v2 v2.20.2
+	github.com/onsi/gomega v1.34.2
 	github.com/projectcalico/api v0.0.0-20240708202104-e3f70b269c2c
 	github.com/sapcc/go-traceroute v0.0.0-20210130143923-d034613e85fc
-	k8s.io/api v0.30.1
-	k8s.io/apimachinery v0.30.1
-	k8s.io/client-go v0.30.1
-	sigs.k8s.io/controller-runtime v0.18.4
+	k8s.io/api v0.31.0
+	k8s.io/apimachinery v0.31.0
+	k8s.io/client-go v0.31.0
+	sigs.k8s.io/controller-runtime v0.19.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -34,7 +33,7 @@ require (
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
+	github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -44,30 +43,31 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.52.3 // indirect
-	github.com/prometheus/procfs v0.13.0 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/exp v0.0.0-20240409090435-93d18d7e34b8 // indirect
-	golang.org/x/net v0.25.0 // indirect
-	golang.org/x/oauth2 v0.19.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/term v0.20.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/term v0.23.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.21.0 // indirect
+	golang.org/x/tools v0.24.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/protobuf v1.34.1 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.30.1 // indirect
-	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/apiextensions-apiserver v0.31.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240411171206-dc4e619f62f3 // indirect
-	k8s.io/utils v0.0.0-20240310230437-4693a0247e57 // indirect
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect