Merge pull request #640 from jetstack/fix-govulncheck

Fix govulncheck job by pulling more data from git

Author: SgtCoDFish

.github/workflows/govulncheck.yaml

@@ -19,12 +19,16 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

.github/workflows/make-self-upgrade.yaml

@@ -33,12 +33,16 @@ jobs:
           exit 1
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

klone.yaml

@@ -10,50 +10,50 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fbd26411777b12c2574d05f146cee617c6c50b63
+      repo_hash: 635a9ed0253409ac1543f59d97163d4a6a8c01b2
       repo_path: modules/tools

make/_shared/go/01_mod.mk

@@ -20,7 +20,6 @@ ifndef repo_name
 $(error repo_name is not set)
 endif
 
-go_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
 golangci_lint_override := $(dir $(lastword $(MAKEFILE_LIST)))/.golangci.override.yaml
 
 .PHONY: go-workspace
@@ -58,11 +57,17 @@ generate-go-mod-tidy: | $(NEEDS_GO)
 
 shared_generate_targets += generate-go-mod-tidy
 
+default_govulncheck_generate_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
+# The base directory used to copy the govulncheck GH action from. This can be
+# overwritten with an action with extra authentication or with a totally different
+# pipeline (eg. a GitLab pipeline).
+govulncheck_generate_base_dir ?= $(default_govulncheck_generate_base_dir)
+
 .PHONY: generate-govulncheck
 ## Generate base files in the repository
 ## @category [shared] Generate/ Verify
 generate-govulncheck:
-	cp -r $(go_base_dir)/. ./
+	cp -r $(govulncheck_generate_base_dir)/. ./
 
 shared_generate_targets += generate-govulncheck
 
@@ -79,7 +84,7 @@ shared_generate_targets += generate-govulncheck
 # `verify-govulncheck` not added to the `shared_verify_targets` variable and is
 # not run by `make verify`, because `make verify` is run for each PR, and we do
 # not want new vulnerabilities in existing code to block the merging of PRs.
-# Instead `make verify-govulnecheck` is intended to be run periodically by a CI job.
+# Instead `make verify-govulncheck` is intended to be run periodically by a CI job.
 verify-govulncheck: | $(NEEDS_GOVULNCHECK)
 	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
@@ -105,16 +110,18 @@ generate-golangci-lint-config: | $(NEEDS_YQ) $(bin_dir)/scratch
 
 shared_generate_targets += generate-golangci-lint-config
 
+golangci_lint_timeout ?= 10m
+
 .PHONY: verify-golangci-lint
 ## Verify all Go modules using golangci-lint
 ## @category [shared] Generate/ Verify
 verify-golangci-lint: | $(NEEDS_GO) $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch
 	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
 				target=$$(dirname $${d}); \
-				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config)' in directory '$${target}'"; \
+				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout)' in directory '$${target}'"; \
 				pushd "$${target}" >/dev/null; \
-				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout 4m || exit; \
+				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout) || exit; \
 				popd >/dev/null; \
 				echo ""; \
 			done

make/_shared/go/base/.github/workflows/govulncheck.yaml

@@ -19,12 +19,16 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 

make/_shared/helm/crds.mk

@@ -67,8 +67,8 @@ generate-crds: | $(NEEDS_CONTROLLER-GEN) $(NEEDS_YQ)
 	done
 
 	@if [ -n "$$(ls $(crds_gen_temp) 2>/dev/null)" ]; then \
-		cp -Tr $(crds_gen_temp) $(crds_dir); \
-		cp $(crds_dir_readme) $(crds_dir)/README.md; \
+		cp $(crds_gen_temp)/* $(crds_dir)/ ; \
+		cp $(crds_dir_readme) $(crds_dir)/README.md ; \
 	fi
 
 shared_generate_targets += generate-crds

make/_shared/helm/helm.mk

@@ -45,9 +45,14 @@ helm_chart_name := $(notdir $(helm_chart_image_name))
 helm_chart_image_registry := $(dir $(helm_chart_image_name))
 helm_chart_image_tag := $(helm_chart_version)
 helm_chart_sources := $(shell find $(helm_chart_source_dir) -maxdepth 1 -type f) $(shell find $(helm_chart_source_dir)/templates -type f)
-helm_chart_archive := $(bin_dir)/scratch/image/$(helm_chart_name)-$(helm_chart_version).tgz
+helm_chart_archive := $(bin_dir)/scratch/helm/$(helm_chart_name)-$(helm_chart_version).tgz
+helm_digest_path := $(bin_dir)/scratch/helm/$(helm_chart_name)-$(helm_chart_version).digests
+helm_digest = $(shell head -1 $(helm_digest_path) 2> /dev/null)
 
-$(helm_chart_archive): $(helm_chart_sources) | $(NEEDS_HELM) $(NEEDS_YQ) $(bin_dir)/scratch/image
+$(bin_dir)/scratch/helm:
+	@mkdir -p $@
+
+$(helm_chart_archive): $(helm_chart_sources) | $(NEEDS_HELM) $(NEEDS_YQ) $(bin_dir)/scratch/helm
 	$(eval helm_chart_source_dir_versioned := $@.tmp)
 	rm -rf $(helm_chart_source_dir_versioned)
 	mkdir -p $(dir $(helm_chart_source_dir_versioned))
@@ -59,7 +64,7 @@ $(helm_chart_archive): $(helm_chart_sources) | $(NEEDS_HELM) $(NEEDS_YQ) $(bin_d
 		echo "Chart name does not match the name in the helm_chart_name variable"; \
 		exit 1; \
 	fi
-	
+
 	$(YQ) '.annotations."artifacthub.io/prerelease" = "$(IS_PRERELEASE)"' \
 		--inplace $(helm_chart_source_dir_versioned)/Chart.yaml
 
@@ -74,8 +79,13 @@ $(helm_chart_archive): $(helm_chart_sources) | $(NEEDS_HELM) $(NEEDS_YQ) $(bin_d
 ## Will also create a non-v-prefixed tag for the OCI image.
 ## @category [shared] Publish
 helm-chart-oci-push: $(helm_chart_archive) | $(NEEDS_HELM) $(NEEDS_CRANE)
-	$(HELM) push "$(helm_chart_archive)" "oci://$(helm_chart_image_registry)"
-	$(CRANE) copy "$(helm_chart_image_name):$(helm_chart_image_tag)" "$(helm_chart_image_name):$(helm_chart_image_tag:v%=%)"
+	$(HELM) push "$(helm_chart_archive)" "oci://$(helm_chart_image_registry)" 2>&1 \
+		| tee >(grep -o "sha256:.\+" | tee $(helm_digest_path))
+
+	@# $(helm_chart_image_tag:v%=%) removes the v prefix from the value stored in helm_chart_image_tag.
+	@# See https://www.gnu.org/software/make/manual/html_node/Substitution-Refs.html for the manual on the syntax.
+	helm_digest=$$(cat $(helm_digest_path)) && \
+	$(CRANE) copy "$(helm_chart_image_name)@$$helm_digest" "$(helm_chart_image_name):$(helm_chart_image_tag:v%=%)"
 
 .PHONY: helm-chart
 ## Create a helm chart
@@ -109,12 +119,34 @@ verify-helm-values: | $(NEEDS_HELM-TOOL) $(NEEDS_GOJQ)
 
 shared_verify_targets += verify-helm-values
 
+$(bin_dir)/scratch/kyverno:
+	@mkdir -p $@
+
+$(bin_dir)/scratch/kyverno/pod-security-policy.yaml: | $(NEEDS_KUSTOMIZE) $(bin_dir)/scratch/kyverno
+	@$(KUSTOMIZE) build https://github.com/kyverno/policies/pod-security/enforce > $@
+
+# Extra arguments for kyverno apply.
+kyverno_apply_extra_args :=
+# Allows known policy violations to be skipped by supplying Kyverno policy
+# exceptions.
+ifneq ("$(wildcard make/verify-pod-security-standards-exceptions.yaml)","")
+		kyverno_apply_extra_args += --exceptions make/verify-pod-security-standards-exceptions.yaml
+endif
+
 .PHONY: verify-pod-security-standards
 ## Verify that the Helm chart complies with the pod security standards.
+##
+## You can add Kyverno policy exceptions to
+## `make/verify-pod-security-standards-exceptions.yaml`, to skip some of the pod
+## security policy rules.
+##
 ## @category [shared] Generate/ Verify
-verify-pod-security-standards: $(helm_chart_archive) | $(NEEDS_KYVERNO) $(NEEDS_KUSTOMIZE) $(NEEDS_HELM)
-	$(KYVERNO) apply <($(KUSTOMIZE) build https://github.com/kyverno/policies/pod-security/enforce) \
-		--resource <($(HELM) template $(helm_chart_archive)) 2>/dev/null
+verify-pod-security-standards: $(helm_chart_archive) $(bin_dir)/scratch/kyverno/pod-security-policy.yaml | $(NEEDS_KYVERNO) $(NEEDS_HELM)
+	@$(HELM) template $(helm_chart_archive) $(INSTALL_OPTIONS) \
+	| $(KYVERNO) apply $(bin_dir)/scratch/kyverno/pod-security-policy.yaml \
+		$(kyverno_apply_extra_args) \
+		--resource - \
+		--table
 
 shared_verify_targets_dirty += verify-pod-security-standards
 

make/_shared/kind/00_kind_image_versions.mk

@@ -15,22 +15,16 @@
 # This file is auto-generated by the learn_kind_images.sh script in the makefile-modules repo.
 # Do not edit manually.
 
-kind_image_kindversion := v0.24.0
+kind_image_kindversion := v0.26.0
 
-kind_image_kube_1.25_amd64 := docker.io/kindest/node:v1.25.16@sha256:fedeb7ebef9794b3acbe656901f87231fb33381e0f586033ed18d2587bd9b73d
-kind_image_kube_1.25_arm64 := docker.io/kindest/node:v1.25.16@sha256:f16a9c7caa65d394176ce2e628eb371d5af8b7bd913e88c826a357cadde698c7
-kind_image_kube_1.26_amd64 := docker.io/kindest/node:v1.26.15@sha256:290e3765fbabbeb2ddcde36bdf3e8452166dc94a4c970a25c10290ebd480ca6e
-kind_image_kube_1.26_arm64 := docker.io/kindest/node:v1.26.15@sha256:7b34bc4f381a4aa0bd81239bbc2af5f44d933c11b3510da85f13cf8b2a34c9fd
-kind_image_kube_1.27_amd64 := docker.io/kindest/node:v1.27.16@sha256:84aff282b523c3943c374d95807e1e748ccd43432dce614d6c7a148a7028fb01
-kind_image_kube_1.27_arm64 := docker.io/kindest/node:v1.27.16@sha256:2c6de687b6ea20b385c0b18b85d4e55e214882b3cbde857974ccfe010f4a90a9
-kind_image_kube_1.28_amd64 := docker.io/kindest/node:v1.28.13@sha256:d97df9fff48099bf9a94c92fdc39adde65bec2aa1d011f84233b96172c1003c9
-kind_image_kube_1.28_arm64 := docker.io/kindest/node:v1.28.13@sha256:ddef612bb93a9aa3a989f9d3d4e01c0a7c4d866a4b949264146c182cd202d738
-kind_image_kube_1.29_amd64 := docker.io/kindest/node:v1.29.8@sha256:b69a150f9951ef41158ec76de381a920df2be3582fd16fc19cf4757eef0dded9
-kind_image_kube_1.29_arm64 := docker.io/kindest/node:v1.29.8@sha256:0d5623800cf6290edbc1007ca8a33a5f7e2ad92b41dc7022b4d20a66447db23c
-kind_image_kube_1.30_amd64 := docker.io/kindest/node:v1.30.4@sha256:34cb98a38a57a3357fde925a41d61232bbbbeb411b45a25c0d766635d6c3b975
-kind_image_kube_1.30_arm64 := docker.io/kindest/node:v1.30.4@sha256:6becd630a18e77730e31f3833f0b129bbcc9c09ee49c3b88429b3c1fdc30bfc4
-kind_image_kube_1.31_amd64 := docker.io/kindest/node:v1.31.0@sha256:919a65376fd11b67df05caa2e60802ad5de2fca250c9fe0c55b0dce5c9591af3
-kind_image_kube_1.31_arm64 := docker.io/kindest/node:v1.31.0@sha256:0ccfb11dc66eae4abc20c30ee95687bab51de8aeb04e325e1c49af0890646548
+kind_image_kube_1.29_amd64 := docker.io/kindest/node:v1.29.12@sha256:c1b696872c6d4d41889c1c7ca460d6c6349665061e6dd2a9cc5abda7dd8e21bc
+kind_image_kube_1.29_arm64 := docker.io/kindest/node:v1.29.12@sha256:a29e3189829c4784b31507c793b5d186914a6ed81d2296c39d32543988911f36
+kind_image_kube_1.30_amd64 := docker.io/kindest/node:v1.30.8@sha256:da9368e0cfa74ca1a7e2c6d6c7abf890e627a94d9c8300dd9d951f63947a456c
+kind_image_kube_1.30_arm64 := docker.io/kindest/node:v1.30.8@sha256:27b247e13bac7271e013ea4118843f8072e5a4f1fa8ce2c5c47018e6b2d45cce
+kind_image_kube_1.31_amd64 := docker.io/kindest/node:v1.31.4@sha256:29370cbe44fd9798ac1e47e7ad04e53c375c0c683a25cc0cc7db331ad07c9952
+kind_image_kube_1.31_arm64 := docker.io/kindest/node:v1.31.4@sha256:496ab674cddaa72e97f2aa70729df5b403f46ee5834fb9a44773284998fea6d5
+kind_image_kube_1.32_amd64 := docker.io/kindest/node:v1.32.0@sha256:dd45e7e76478f76d2881cf031e64512f51be63dcb61420307982a24913badf8f
+kind_image_kube_1.32_arm64 := docker.io/kindest/node:v1.32.0@sha256:eff24f9d99bc56271a456484d87cd6e6fc0beec7d4418958d589804703c00588
 
-kind_image_latest_amd64 := $(kind_image_kube_1.31_amd64)
-kind_image_latest_arm64 := $(kind_image_kube_1.31_arm64)
+kind_image_latest_amd64 := $(kind_image_kube_1.32_amd64)
+kind_image_latest_arm64 := $(kind_image_kube_1.32_arm64)

make/_shared/oci-build/00_mod.mk

@@ -16,14 +16,15 @@ oci_platforms ?= linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
 
 # Use distroless as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static:latest"
-base_image_static := quay.io/jetstack/base-static@sha256:6dd468efaceafb7d2b5ba437bb81500636237bac747fd751b75b0cb375600fae
+base_image_static := quay.io/jetstack/base-static@sha256:9202d031a2bf364519a07629e51daca08233e3096936563ea5f35f0e19003853
 
 # Use custom apko-built image as minimal base image to package the manager binary
 # To get latest SHA run "crane digest quay.io/jetstack/base-static-csi:latest"
-base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:b88c19bfe28a83799e08817ffb7205a3aac1b99ad07739a5433a7fb554b4d223
+base_image_csi-static := quay.io/jetstack/base-static-csi@sha256:2e159b417e03b3d454c202f8281922784ef7153873dc5a62bdb5e456de9dc6db
 
 # Utility functions
 fatal_if_undefined = $(if $(findstring undefined,$(origin $1)),$(error $1 is not set))
+fatal_if_deprecated_defined = $(if $(findstring undefined,$(origin $1)),,$(error $1 is deprecated, use $2 instead))
 
 # Validate globals that are required
 $(call fatal_if_undefined,bin_dir)
@@ -37,9 +38,13 @@ GOEXPERIMENT ?=  # empty by default
 #
 # $1 - build_name
 define default_per_build_variables
-cgo_enabled_$1 ?= $(CGO_ENABLED)
-goexperiment_$1 ?= $(GOEXPERIMENT)
-oci_additional_layers_$1 ?= 
+go_$1_cgo_enabled ?= $(CGO_ENABLED)
+go_$1_goexperiment ?= $(GOEXPERIMENT)
+go_$1_flags ?= -tags=
+oci_$1_additional_layers ?= 
+oci_$1_linux_capabilities ?= 
+oci_$1_image_annotation ?= 
+oci_$1_image_label ?= 
 endef
 
 $(foreach build_name,$(build_names),$(eval $(call default_per_build_variables,$(build_name))))
@@ -48,6 +53,11 @@ $(foreach build_name,$(build_names),$(eval $(call default_per_build_variables,$(
 #
 # $1 - build_name
 define check_per_build_variables
+# Validate deprecated variables
+$(call fatal_if_deprecated_defined,cgo_enabled_$1,go_$1_cgo_enabled)
+$(call fatal_if_deprecated_defined,goexperiment_$1,go_$1_goexperiment)
+$(call fatal_if_deprecated_defined,oci_additional_layers_$1,oci_$1_additional_layers)
+
 # Validate required config exists
 $(call fatal_if_undefined,go_$1_ldflags)
 $(call fatal_if_undefined,go_$1_main_dir)

make/_shared/oci-build/01_mod.mk

@@ -22,7 +22,10 @@ IMAGE_TOOL := $(CURDIR)/$(bin_dir)/tools/image_tool
 NEEDS_IMAGE_TOOL := $(bin_dir)/tools/image_tool
 $(NEEDS_IMAGE_TOOL): $(wildcard $(image_tool_dir)/*.go) | $(NEEDS_GO)
 	cd $(image_tool_dir) && GOWORK=off GOBIN=$(CURDIR)/$(dir $@) $(GO) install .
-	
+
+$(bin_dir)/scratch/image:
+	@mkdir -p $@
+
 define ko_config_target
 .PHONY: $(ko_config_path_$1:$(CURDIR)/%=%)
 $(ko_config_path_$1:$(CURDIR)/%=%): | $(NEEDS_YQ) $(bin_dir)/scratch/image
@@ -31,11 +34,13 @@ $(ko_config_path_$1:$(CURDIR)/%=%): | $(NEEDS_YQ) $(bin_dir)/scratch/image
 		$(YQ) '.builds[0].id = "$1"' | \
 		$(YQ) '.builds[0].dir = "$(go_$1_mod_dir)"' | \
 		$(YQ) '.builds[0].main = "$(go_$1_main_dir)"' | \
-		$(YQ) '.builds[0].env[0] = "CGO_ENABLED=$(cgo_enabled_$1)"' | \
-		$(YQ) '.builds[0].env[1] = "GOEXPERIMENT=$(goexperiment_$1)"' | \
+		$(YQ) '.builds[0].env[0] = "CGO_ENABLED=$(go_$1_cgo_enabled)"' | \
+		$(YQ) '.builds[0].env[1] = "GOEXPERIMENT=$(go_$1_goexperiment)"' | \
 		$(YQ) '.builds[0].ldflags[0] = "-s"' | \
 		$(YQ) '.builds[0].ldflags[1] = "-w"' | \
-		$(YQ) '.builds[0].ldflags[2] = "{{.Env.LDFLAGS}}"' \
+		$(YQ) '.builds[0].ldflags[2] = "{{.Env.LDFLAGS}}"' | \
+		$(YQ) '.builds[0].flags[0] = "$(go_$1_flags)"' | \
+		$(YQ) '.builds[0].linux_capabilities = "$(oci_$1_linux_capabilities)"' \
 		> $(CURDIR)/$(oci_layout_path_$1).ko_config.yaml
 
 ko-config-$1: $(ko_config_path_$1:$(CURDIR)/%=%)
@@ -58,6 +63,8 @@ $(oci_build_targets): oci-build-%: ko-config-% | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS
 	LDFLAGS="$(go_$*_ldflags)" \
 	$(KO) build $(go_$*_mod_dir)/$(go_$*_main_dir) \
 		--platform=$(oci_platforms) \
+		--image-annotation=$(oci_$*_image_annotation) \
+		--image-label=$(oci_$*_image_label) \
 		--oci-layout-path=$(oci_layout_path_$*) \
 		--sbom-dir=$(CURDIR)/$(oci_layout_path_$*).sbom \
 		--sbom=spdx \
@@ -66,7 +73,7 @@ $(oci_build_targets): oci-build-%: ko-config-% | $(NEEDS_KO) $(NEEDS_GO) $(NEEDS
 
 	$(IMAGE_TOOL) append-layers \
 		$(CURDIR)/$(oci_layout_path_$*) \
-		$(oci_additional_layers_$*)
+		$(oci_$*_additional_layers)
 
 	$(IMAGE_TOOL) list-digests \
 		$(CURDIR)/$(oci_layout_path_$*) \