Merge pull request #680 from jetstack/makefile-modules-govulncheck

fix: manual makefile modules upgrade for govulncheck

Author: SgtCoDFish

.github/workflows/govulncheck.yaml

@@ -17,7 +17,7 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'cert-manager'
+    if: github.repository_owner == 'jetstack'
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

klone.yaml

@@ -10,55 +10,55 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/klone
     - folder_name: licenses
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/licenses
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 2a0b032b3a629076796e8760c59c29428c60ce0d
+      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
       repo_path: modules/tools

make/00_mod.mk

@@ -42,6 +42,8 @@ helm_chart_image_name := quay.io/jetstack/charts/venafi-kubernetes-agent
 helm_chart_version := $(VERSION)
 helm_labels_template_name := preflight.labels
 
+govulncheck_generate_org := jetstack
+
 # Allows us to replace the Helm values.yaml's image.repository and image.tag
 # with the right values.
 define helm_values_mutation_function

make/_shared/go/01_mod.mk

@@ -63,11 +63,16 @@ default_govulncheck_generate_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/bas
 # pipeline (eg. a GitLab pipeline).
 govulncheck_generate_base_dir ?= $(default_govulncheck_generate_base_dir)
 
+# The org name used in the govulncheck GH action. This is used to prevent the govulncheck job
+# being run on every fork of the repo.
+govulncheck_generate_org ?= cert-manager
+
 .PHONY: generate-govulncheck
 ## Generate base files in the repository
 ## @category [shared] Generate/ Verify
 generate-govulncheck:
-	cp -r $(govulncheck_generate_base_dir)/. ./
+	@mkdir -p ./.github/workflows
+	sed 's/ORGNAMEHERE/$(govulncheck_generate_org)/g' $(govulncheck_generate_base_dir)/.github/workflows/govulncheck.yaml > .github/workflows/govulncheck.yaml
 
 shared_generate_targets += generate-govulncheck
 

make/_shared/go/base/.github/workflows/govulncheck.yaml

@@ -17,7 +17,7 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'cert-manager'
+    if: github.repository_owner == 'ORGNAMEHERE'
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

make/_shared/helm/crd.template.footer.yaml

@@ -1 +1 @@
-{{- end }}
+{{- end }}

make/_shared/helm/crd.template.header.yaml

@@ -8,4 +8,4 @@ metadata:
     helm.sh/resource-policy: keep
   {{- end }}
   labels:
-    {{- include "REPLACE_LABELS_TEMPLATE" . | nindent 4 }}
+    {{- include "REPLACE_LABELS_TEMPLATE" . | nindent 4 }}

make/_shared/helm/crds.mk

@@ -40,6 +40,15 @@ endif
 crds_dir ?= deploy/crds
 crds_dir_readme := $(dir $(lastword $(MAKEFILE_LIST)))/crds_dir.README.md
 crds_expression ?= .Values.crds.enabled
+crds_template_include_pattern := *.yaml
+# Space-separated list of basenames to exclude (e.g. foo.yaml *_test.yaml)
+crds_template_exclude_pattern ?=
+
+define filter-out-basenames
+  $(if $(strip $(2)), \
+    $(foreach f,$(1),$(if $(filter $(2),$(notdir $(f))),,$(f))), \
+    $(1))
+endef
 
 .PHONY: generate-crds
 ## Generate CRD manifests.
@@ -57,15 +66,20 @@ generate-crds: | $(NEEDS_CONTROLLER-GEN) $(NEEDS_YQ)
 
 	@echo "Updating CRDs with helm templating, writing to $(helm_chart_source_dir)/templates"
 
-	@for i in $$(ls $(crds_gen_temp)); do \
-		crd_name=$$($(YQ) eval '.metadata.name' $(crds_gen_temp)/$$i); \
-		cat $(crd_template_header) > $(helm_chart_source_dir)/templates/crd-$$i; \
-		echo "" >> $(helm_chart_source_dir)/templates/crd-$$i; \
-		$(sed_inplace) "s/REPLACE_CRD_EXPRESSION/$(crds_expression)/g" $(helm_chart_source_dir)/templates/crd-$$i; \
-		$(sed_inplace) "s/REPLACE_CRD_NAME/$$crd_name/g" $(helm_chart_source_dir)/templates/crd-$$i; \
-		$(sed_inplace) "s/REPLACE_LABELS_TEMPLATE/$(helm_labels_template_name)/g" $(helm_chart_source_dir)/templates/crd-$$i; \
-		$(YQ) -I2 '{"spec": .spec}' $(crds_gen_temp)/$$i >> $(helm_chart_source_dir)/templates/crd-$$i; \
-		cat $(crd_template_footer) >> $(helm_chart_source_dir)/templates/crd-$$i; \
+	$(eval crds_gen_temp_all_files := $(wildcard $(crds_gen_temp)/$(crds_template_include_pattern)))
+	$(eval crds_gen_temp_files := $(if $(crds_template_exclude_pattern), \
+		$(call filter-out-basenames,$(crds_gen_temp_all_files),$(crds_template_exclude_pattern)), \
+		$(crds_gen_temp_all_files)))
+
+	@for f in $(crds_gen_temp_files); do \
+		crd_name=$$($(YQ) eval '.metadata.name' $$f); \
+		crd_template_file="$(helm_chart_source_dir)/templates/crd-$$(basename $$f)"; \
+		cat $(crd_template_header) > $$crd_template_file; \
+		$(sed_inplace) "s/REPLACE_CRD_EXPRESSION/$(crds_expression)/g" $$crd_template_file; \
+		$(sed_inplace) "s/REPLACE_CRD_NAME/$$crd_name/g" $$crd_template_file; \
+		$(sed_inplace) "s/REPLACE_LABELS_TEMPLATE/$(helm_labels_template_name)/g" $$crd_template_file; \
+		$(YQ) -I2 '{"spec": .spec}' $$f >> $$crd_template_file; \
+		cat $(crd_template_footer) >> $$crd_template_file; \
 	done
 
 	@if [ -n "$$(ls $(crds_gen_temp) 2>/dev/null)" ]; then \