fix: add credentials for pulling private dependency with govulncheck

It seems difficult to stop govulncheck attempting to pull and analyse
private dependencies. We still want to run it, so the simplest thing to
do is diverge from upstream makefile-modules and maintain the
govulncheck workflow by hand in this repo.

This requires changes to the govulncheck workflow itself, and means we
have to disable the upstream govulncheck targets and copy them locally.

Signed-off-by: Ashley Davis <[email protected]>

Author: SgtCoDFish

.github/workflows/govulncheck.yaml

@@ -1,5 +1,9 @@
-# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
-# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead.
+# This file is MANUALLY maintained, but was originally based on the makefile-modules govulncheck workflow. See the original:
+# https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml
+
+# This file is separated from the upstream file so we can add additional auth for pulling
+# private dependencies. Govulncheck doesn't seem to be able to support skipping private
+# dependencies.
 
 # Run govulncheck at midnight every night on the main branch,
 # to alert us to recent vulnerabilities which affect the Go code in this
@@ -26,6 +30,12 @@ jobs:
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
         with: { fetch-depth: 0 }
 
+      # NOTE: This step is the change from the upstream workflow.
+      # We need credentials to pull the private dependency.
+      - uses: ./.github/actions/repo_access
+        with:
+          DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
+
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"

klone.yaml

@@ -10,55 +10,55 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/klone
     - folder_name: licenses
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/licenses
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/tools

make/00_mod.mk

@@ -42,7 +42,9 @@ helm_chart_image_name := quay.io/jetstack/charts/venafi-kubernetes-agent
 helm_chart_version := $(VERSION)
 helm_labels_template_name := preflight.labels
 
-govulncheck_generate_org := jetstack
+# We skip using the upstream govulncheck targets because we need to customise the workflow YAML
+# locally. We provide the targets in this repo instead, and manually maintain the workflow.
+govulncheck_skip := true
 
 # Allows us to replace the Helm values.yaml's image.repository and image.tag
 # with the right values.

make/02_mod.mk

@@ -64,3 +64,24 @@ test-helm: | $(NEEDS_HELM-UNITTEST)
 ## @category Testing
 test-helm-snapshot: | $(NEEDS_HELM-UNITTEST)
 	$(HELM-UNITTEST) ./deploy/charts/venafi-kubernetes-agent/ -u
+
+
+.PHONY: verify-govulncheck
+## Verify all Go modules for vulnerabilities using govulncheck Copied from makefile-modules
+## @category [shared] Generate/ Verify
+#
+# Runs `govulncheck` on all Go modules related to the project.
+# Ignores Go modules among the temporary build artifacts in _bin, to avoid
+# scanning the code of the vendored Go, after running make vendor-go.
+# Ignores Go modules in make/_shared, because those will be checked in centrally
+# in the makefile_modules repository.
+verify-govulncheck: | $(NEEDS_GOVULNCHECK)
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
+		| while read d; do \
+				target=$$(dirname $${d}); \
+				echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${target}'"; \
+				pushd "$${target}" >/dev/null; \
+				GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(GOVULNCHECK) ./... || exit; \
+				popd >/dev/null; \
+				echo ""; \
+			done

make/_shared/go/01_mod.mk

@@ -57,6 +57,8 @@ generate-go-mod-tidy: | $(NEEDS_GO)
 
 shared_generate_targets += generate-go-mod-tidy
 
+ifndef govulncheck_skip
+
 default_govulncheck_generate_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
 # The base directory used to copy the govulncheck GH action from. This can be
 # overwritten with an action with extra authentication or with a totally different
@@ -101,6 +103,8 @@ verify-govulncheck: | $(NEEDS_GOVULNCHECK)
 				echo ""; \
 			done
 
+endif # govulncheck_skip
+
 ifdef golangci_lint_config
 
 .PHONY: generate-golangci-lint-config

make/_shared/tools/00_mod.mk

@@ -172,7 +172,7 @@ ADDITIONAL_TOOLS ?=
 tools += $(ADDITIONAL_TOOLS)
 
 # https://go.dev/dl/
-VENDORED_GO_VERSION := 1.24.5
+VENDORED_GO_VERSION := 1.24.6
 
 # Print the go version which can be used in GH actions
 .PHONY: print-go-version
@@ -394,10 +394,10 @@ $(call for_each_kv,go_dependency,$(go_dependencies))
 # File downloads #
 ##################
 
-go_linux_amd64_SHA256SUM=10ad9e86233e74c0f6590fe5426895de6bf388964210eac34a6d83f38918ecdc
-go_linux_arm64_SHA256SUM=0df02e6aeb3d3c06c95ff201d575907c736d6c62cfa4b6934c11203f1d600ffa
-go_darwin_amd64_SHA256SUM=2fe5f3866b8fbcd20625d531f81019e574376b8a840b0a096d8a2180308b1672
-go_darwin_arm64_SHA256SUM=92d30a678f306c327c544758f2d2fa5515aa60abe9dba4ca35fbf9b8bfc53212
+go_linux_amd64_SHA256SUM=bbca37cc395c974ffa4893ee35819ad23ebb27426df87af92e93a9ec66ef8712
+go_linux_arm64_SHA256SUM=124ea6033a8bf98aa9fbab53e58d134905262d45a022af3a90b73320f3c3afd5
+go_darwin_amd64_SHA256SUM=4a8d7a32052f223e71faab424a69430455b27b3fff5f4e651f9d97c3e51a8746
+go_darwin_arm64_SHA256SUM=4e29202c49573b953be7cc3500e1f8d9e66ddd12faa8cf0939a4951411e09a2a
 
 .PRECIOUS: $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz
 $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(DOWNLOAD_DIR)/tools