upgrade makefile modules to the latest version

- Ran make upgrade-klone
- Removed the boilerplate module because none of the files currently have the header
- Ran make generate-base

Signed-off-by: Richard Wall <[email protected]>

Author: wallrj-cyberark

.github/chainguard/make-self-upgrade.sts.yaml

@@ -0,0 +1,10 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/make-self-upgrade.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:jetstack/preflight:ref:refs/heads/(main|master)$
+
+permissions:
+  contents: write
+  pull_requests: write
+  workflows: write

.github/chainguard/renovate.sts.yaml

@@ -0,0 +1,14 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/chainguard/renovate.sts.yaml instead.
+
+issuer: https://token.actions.githubusercontent.com
+subject_pattern: ^repo:jetstack/preflight:ref:refs/heads/(main|master)$
+
+permissions:
+  administration: read
+  contents: write
+  issues: write
+  pull_requests: write
+  security_events: read
+  statuses: write
+  workflows: write

.github/dependabot.yaml

@@ -9,12 +9,12 @@ updates:
   schedule:
     interval: daily
   groups:
-    all:
+    all-go-deps:
       patterns: ["*"]
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: daily
   groups:
-    all:
+    all-gh-actions:
       patterns: ["*"]

.github/renovate.json5

@@ -0,0 +1,6 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'github>cert-manager/renovate-config:default.json5',
+  ],
+}

.github/workflows/govulncheck.yaml

@@ -21,10 +21,10 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'jetstack'
+    if: github.repository == 'jetstack/preflight'
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option

.github/workflows/make-self-upgrade.yaml

@@ -15,11 +15,10 @@ jobs:
   self_upgrade:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'cert-manager'
+    if: github.repository == 'jetstack/preflight'
 
     permissions:
-      contents: write
-      pull-requests: write
+      id-token: write
 
     env:
       SOURCE_BRANCH: "${{ github.ref_name }}"
@@ -32,17 +31,26 @@ jobs:
           echo "This workflow should not be run on a non-branch-head."
           exit 1
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # v1.0.1
+        id: octo-sts
+        with:
+          scope: 'jetstack/preflight'
+          identity: make-self-upgrade
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
         # the tags so `git describe` returns a valid version.
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
-        with: { fetch-depth: 0 }
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
 
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"
 
-      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: ${{ steps.go-version.outputs.result }}
 
@@ -73,8 +81,9 @@ jobs:
           git push -f origin "$SELF_UPGRADE_BRANCH"
 
       - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
+          github-token: ${{ steps.octo-sts.outputs.token }}
           script: |
             const { repo, owner } = context.repo;
             const pulls = await github.rest.pulls.list({
@@ -100,6 +109,6 @@ jobs:
                 owner,
                 repo,
                 issue_number: result.data.number,
-                labels: ['skip-review']
+                labels: ['ok-to-test', 'skip-review', 'release-note-none', 'kind/cleanup']
               });
             }

.github/workflows/renovate.yaml

@@ -0,0 +1,62 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/renovate.yaml instead.
+
+name: Renovate
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 2 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+
+    if: github.repository == 'jetstack/preflight'
+
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Fail if branch is not head of branch.
+        if: ${{ !startsWith(github.ref, 'refs/heads/') && env.SOURCE_BRANCH != '' && env.SELF_UPGRADE_BRANCH != '' }}
+        run: |
+          echo "This workflow should not be run on a non-branch-head."
+          exit 1
+
+      - name: Octo STS Token Exchange
+        uses: octo-sts/action@e480437973a6f6ac2e9caa40ecabedc870d76395 # v1.0.1
+        id: octo-sts
+        with:
+          scope: 'jetstack/preflight'
+          identity: renovate
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with:
+          fetch-depth: 0
+          token: ${{ steps.octo-sts.outputs.token }}
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@7876d7a812254599d262d62b6b2c2706018258a2 # v43.0.10
+        with:
+          configurationFile: .github/renovate.json5
+          token: ${{ steps.octo-sts.outputs.token }}
+        env:
+          RENOVATE_REPOSITORIES: '["${{ github.repository }}"]'
+          RENOVATE_ONBOARDING: "false"
+          RENOVATE_PLATFORM: "github"
+          LOG_LEVEL: "debug"
+          RENOVATE_ALLOWED_COMMANDS: '[".*"]'

Makefile

@@ -39,7 +39,7 @@
 # For details on some of these "prelude" settings, see:
 # https://clarkgrubb.com/makefile-style-guide
 MAKEFLAGS += --warn-undefined-variables --no-builtin-rules
-SHELL := /usr/bin/env bash
+SHELL := /usr/bin/env PS1="" bash
 .SHELLFLAGS := -uo pipefail -c
 .DEFAULT_GOAL := help
 .DELETE_ON_ERROR:

klone.yaml

@@ -10,55 +10,55 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/klone
     - folder_name: licenses
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/licenses
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
+      repo_hash: c6780c07eac8a92586f59b7e02195c49a94013e6
       repo_path: modules/tools

make/00_mod.mk

@@ -42,9 +42,9 @@ helm_chart_image_name := quay.io/jetstack/charts/venafi-kubernetes-agent
 helm_chart_version := $(VERSION)
 helm_labels_template_name := preflight.labels
 
-# We skip using the upstream govulncheck targets because we need to customise the workflow YAML
+# We skip using the upstream govulncheck generate target because we need to customise the workflow YAML
 # locally. We provide the targets in this repo instead, and manually maintain the workflow.
-govulncheck_skip := true
+dont_generate_govulncheck := true
 
 helm_image_name ?= $(oci_preflight_image_name)
 helm_image_tag ?= $(oci_preflight_image_tag)