makefile-modules: migrate the Makefile to makefile-modules

Initially, my goal was to just renamed the Makefile to make/02_mod.mk,
and change nothing else, with the intent of migrating bit by bit. After
a few attempts, I found that the fact that the Makefile is being run
within a container makes things needlessly complex, and trying to make
makefile-modules work in that context isn't worth it. That's why I
propose to migrate everything at once, with the goal of making no
breaking changes to the Helm charts and containers (except for the
binary location, binary name, entrypoint, and cmd).

Author: maelvls

.github/dependabot.yaml

@@ -1,23 +1,20 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead.
+
+# Update Go dependencies and GitHub Actions dependencies daily.
 version: 2
 updates:
-- package-ecosystem: gomod
-  directory: /
-  schedule:
-    interval: daily
-  groups:
-    all:
-      patterns: ["*"]
-- package-ecosystem: github-actions
-  directory: /
-  schedule:
-    interval: daily
-  groups:
-    all:
-      patterns: ["*"]
-- package-ecosystem: docker
-  directory: /
-  schedule:
-    interval: daily
-  groups:
-    all:
-      patterns: ["*"]
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+    groups:
+      all:
+        patterns: ["*"]
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    groups:
+      all:
+        patterns: ["*"]

.github/workflows/make-self-upgrade.yaml

@@ -0,0 +1,99 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml instead.
+
+name: make-self-upgrade
+concurrency: make-self-upgrade
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  self_upgrade:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      pull-requests: write
+    
+    env:
+      SOURCE_BRANCH: "${{ github.ref_name }}"
+      SELF_UPGRADE_BRANCH: "self-upgrade-${{ github.ref_name }}"
+
+    steps:
+      - name: Fail if branch is not head of branch.
+        if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
+        run: |
+          echo "This workflow should not be run on a non-branch-head."
+          exit 1
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - run: |
+          git checkout -B "$SELF_UPGRADE_BRANCH"
+
+      - run: |
+          make -j upgrade-klone
+          make -j generate
+
+      - id: is-up-to-date
+        shell: bash
+        run: |
+          git_status=$(git status -s)
+          is_up_to_date="true"
+          if [ -n "$git_status" ]; then
+              is_up_to_date="false"
+              echo "The following changes will be committed:"
+              echo "$git_status"
+          fi
+          echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT"
+
+      - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
+        run: |
+          git config --global user.name "cert-manager-bot"
+          git config --global user.email "[email protected]"
+          git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff
+          git push -f origin "$SELF_UPGRADE_BRANCH"
+
+      - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const { repo, owner } = context.repo;
+            const pulls = await github.rest.pulls.list({
+              owner: owner,
+              repo: repo,
+              head: owner + ':' + process.env.SELF_UPGRADE_BRANCH,
+              base: process.env.SOURCE_BRANCH,
+              state: 'open',
+            });
+            
+            if (pulls.data.length < 1) {
+              const result = await github.rest.pulls.create({
+                title: '[CI] Merge ' + process.env.SELF_UPGRADE_BRANCH + ' into ' + process.env.SOURCE_BRANCH,
+                owner: owner,
+                repo: repo,
+                head: process.env.SELF_UPGRADE_BRANCH,
+                base: process.env.SOURCE_BRANCH,
+                body: [
+                  'This PR is auto-generated to bump the Makefile modules.',
+                ].join('\n'),
+              });
+              await github.rest.issues.addLabels({
+                owner,
+                repo,
+                issue_number: result.data.number,
+                labels: ['skip-review']
+              });
+            }

.github/workflows/release.yml

@@ -0,0 +1,108 @@
+---
+name: release
+on:
+  push:
+    tags:
+      - "v*"
+
+env:
+  VERSION: ${{ github.ref_name }}
+
+jobs:
+  build_images:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read # needed for checkout
+      packages: write # needed for push images
+      id-token: write # needed for keyless signing
+
+    env:
+      GOPRIVATE: github.com/jetstack/venafi-connection-lib
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - name: Configure jetstack/venafi-connection-lib repo pull access
+        run: |
+          mkdir ~/.ssh
+          chmod 700 ~/.ssh
+
+          echo "${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}" > ~/.ssh/venafi_connection_lib_id
+          chmod 600 ~/.ssh/venafi_connection_lib_id
+
+          cat <<EOT >> ~/.ssh/config
+          Host venafi-connection-lib.github.com
+          HostName github.com
+          IdentityFile ~/.ssh/venafi_connection_lib_id
+          IdentitiesOnly yes
+          EOT
+
+          cat <<EOT >> ~/.gitconfig
+          [url "[email protected]:jetstack/venafi-connection-lib"]
+            insteadOf = https://github.com/jetstack/venafi-connection-lib
+          EOT
+
+      - uses: actions/cache@v4
+        with:
+          path: _bin/downloaded
+          key: downloaded-${{ runner.os }}-${{ hashFiles('make/_shared/tools/00_mod.mk') }}-${{ hashFiles('make/_shared/kind/00_kind_image_versions.mk') }}
+
+      - id: release
+        run: make release
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.release.outputs.RELEASE_HELM_CHART_NAME }}-${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }}.tgz
+          path: ${{ steps.release.outputs.RELEASE_HELM_CHART_TAR }}
+          if-no-files-found: error
+
+    outputs:
+      RELEASE_OCI_PREFLIGHT_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_PREFLIGHT_IMAGE }}
+      RELEASE_OCI_PREFLIGHT_TAG: ${{ steps.release.outputs.RELEASE_OCI_PREFLIGHT_TAG }}
+      RELEASE_HELM_CHART_NAME: ${{ steps.release.outputs.RELEASE_HELM_CHART_NAME }}
+      RELEASE_HELM_CHART_VERSION: ${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }}
+
+  github_release:
+    runs-on: ubuntu-latest
+
+    needs: build_images
+
+    permissions:
+      contents: write # needed for creating a PR
+      pull-requests: write # needed for creating a PR
+
+    steps:
+      - run: |
+          touch .notes-file
+          echo "OCI_PREFLIGHT_IMAGE: ${{ needs.build_images.outputs.RELEASE_OCI_PREFLIGHT_IMAGE }}" >> .notes-file
+          echo "OCI_PREFLIGHT_TAG: ${{ needs.build_images.outputs.RELEASE_OCI_PREFLIGHT_TAG }}" >> .notes-file
+          echo "HELM_CHART_NAME: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}" >> .notes-file
+          echo "HELM_CHART_VERSION: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}" >> .notes-file
+
+      - id: chart_download
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}-${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}.tgz
+
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create "$VERSION" \
+            --repo="$GITHUB_REPOSITORY" \
+            --title="${VERSION}" \
+            --draft \
+            --verify-tag \
+            --notes-file .notes-file
+
+          gh release upload "$VERSION" \
+            --repo="$GITHUB_REPOSITORY" \
+            "${{ steps.chart_download.outputs.download-path }}/${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}-${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}.tgz"