Squashed 'release-tools/' changes from dc4d0ae..4967685

4967685 Merge pull request #254 from bells17/add-github-actions
d9bd160 Update skip list in codespell GitHub Action
adb3af9 Merge pull request #252 from bells17/update-go-version
f5aebfc Add GitHub Actions workflows
b82ee38 Merge pull request #253 from bells17/fix-typo
c317456 Fix typo
0a78505 Bump to Go 1.22.3
edd89ad Merge pull request #251 from jsafrane/add-logcheck
043fd09 Add test-logcheck target
d7535ae Merge pull request #250 from jsafrane/go-1.22
b52e7ad Update go to 1.22.2
14fdb6f Merge pull request #247 from msau42/prow
9b4352e Update release playbook
c7bb972 Fix release notes script to use fixed tags
463a0e9 Add script to update specific go modules

git-subtree-dir: release-tools
git-subtree-split: 4967685

Author: humblec

.github/dependabot.yaml

@@ -0,0 +1,12 @@
+version: 2
+enable-beta-ecosystems: true
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+      interval: "daily"
+  labels:
+    - "area/dependency"
+    - "release-note-none"
+    - "ok-to-test"
+  open-pull-requests-limit: 10

.github/workflows/codespell.yml

@@ -0,0 +1,15 @@
+# GitHub Action to automate the identification of common misspellings in text files.
+# https://github.com/codespell-project/actions-codespell
+# https://github.com/codespell-project/codespell
+name: codespell
+on: [push, pull_request]
+jobs:
+  codespell:
+    name: Check for spelling errors
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: codespell-project/actions-codespell@master
+        with:
+          check_filenames: true
+          skip: "*.png,*.jpg,*.svg,*.sum,./.git,./.github/workflows/codespell.yml,./prow.sh"

.github/workflows/trivy.yaml

@@ -0,0 +1,29 @@
+name: Run Trivy scanner for Go version vulnerabilities
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  trivy:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go version
+        id: go-version
+        run: |
+          GO_VERSION=$(cat prow.sh  | grep "configvar CSI_PROW_GO_VERSION_BUILD" | awk '{print $3}' | sed 's/"//g')
+          echo "version=$GO_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Run Trivy scanner for Go version vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'golang:${{ steps.go-version.outputs.version }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'library'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'

SIDECAR_RELEASE_PROCESS.md

@@ -46,9 +46,12 @@ naming convention `<hostpath-deployment-version>-on-<kubernetes-version>`.
 ## Release Process
 1. Identify all issues and ongoing PRs that should go into the release, and
   drive them to resolution.
-1. Update dependencies for sidecars via
-   [go-modules-update.sh](https://github.com/kubernetes-csi/csi-driver-host-path/blob/HEAD/release-tools/go-modules-update.sh),
-  and get PRs approved and merged.
+1. Update dependencies for sidecars
+    1. For new minor versions, use
+   [go-modules-update.sh](https://github.com/kubernetes-csi/csi-release-tools/blob/HEAD/go-modules-update.sh),
+    1. For CVE fixes on patch versions, use
+   [go-modules-targeted-update.sh](https://github.com/kubernetes-csi/csi-release-tools/blob/HEAD/go-modules-targeted-update.sh),
+       Read the instructions at the top of the script.
 1. Check that all [canary CI
   jobs](https://testgrid.k8s.io/sig-storage-csi-ci) are passing,
   and that test coverage is adequate for the changes that are going into the release.

build.make

@@ -322,3 +322,10 @@ test-spelling:
 test-boilerplate:
 	@ echo; echo "### $@:"
 	@ ./release-tools/verify-boilerplate.sh "$(pwd)"
+
+# Test klog usage. This test is optional and must be explicitly added to `test` target in the main Makefile:
+# test: test-logcheck
+.PHONY: test-logcheck
+test-logcheck:
+	@ echo; echo "### $@:"
+	@ ./release-tools/verify-logcheck.sh

generate_patch_release_notes.sh renamed to generate-patch-release-notes.sh

@@ -48,7 +48,7 @@ function gen_patch_relnotes() {
   rm out.md || true
   rm -rf /tmp/k8s-repo || true
   GITHUB_TOKEN="$CSI_RELEASE_TOKEN" \
-  release-notes --discover=patch-to-latest --branch="$2" \
+  release-notes --start-rev="$3" --end-rev="$2" --branch="$2" \
     --org=kubernetes-csi --repo="$1" \
     --required-author="" --markdown-links --output out.md
 }
@@ -57,11 +57,14 @@ for rel in "${releases[@]}"; do
   read -r repo version <<< "$rel"
 
   # Parse minor version
-  minorPattern="(^[[:digit:]]+\.[[:digit:]]+)\."
-  [[ "$version" =~ $minorPattern ]]
+  minorPatchPattern="(^[[:digit:]]+\.[[:digit:]]+)\.([[:digit:]]+)"
+  [[ "$version" =~ $minorPatchPattern ]]
   minor="${BASH_REMATCH[1]}"
+  patch="${BASH_REMATCH[2]}"
 
-  echo "$repo" "$version" "$minor"
+  echo "$repo $version $minor $patch"
+  prevPatch="$((patch-1))"
+  prevVer="v$minor.$prevPatch"
 
   pushd "$repo/CHANGELOG"
 
@@ -74,7 +77,7 @@ for rel in "${releases[@]}"; do
   git checkout --track "upstream/release-$minor" -b "$branch"
 
   # Generate release notes
-  gen_patch_relnotes "$repo" "release-$minor"
+  gen_patch_relnotes "$repo" "release-$minor" "$prevVer"
   cat > tmp.md <<EOF
 # Release notes for v$version
 
@@ -84,6 +87,7 @@ EOF
 
   cat out.md >> tmp.md
   echo >> tmp.md
+  rm out.md
 
   file="CHANGELOG-$minor.md"
   cat "$file" >> tmp.md

go-modules-targeted-update.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Copyright 2023 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# Usage: go-modules-targeted-update.sh
+#
+# Batch update specific dependencies for sidecars.
+#
+# Required environment variables
+# CSI_RELEASE_TOKEN: Github token needed for generating release notes
+# GITHUB_USER: Github username to create PRs with
+#
+# Instructions:
+# 1. Login with "gh auth login"
+# 2. Copy this script to the Github org directory (one directory above the
+# repos)
+# 3. Change $modules, $releases and $org if needed.
+# 4. Set environment variables
+# 5. Run script from the Github org directory
+#
+# Caveats:
+# - This script doesn't handle interface incompatibility of updates.
+#   You need to resolve interface incompatibility case by case. The
+#   most frequent case is to update the interface(new parameters,  
+#   name change of the method, etc.)in the sidecar repo and make sure
+#   the build and test pass.
+
+
+set -e
+set -x
+
+org="kubernetes-csi"
+
+modules=(
+"github.com/kubernetes-csi/[email protected]"
+)
+
+releases=(
+#"external-attacher release-4.4"
+#"external-provisioner release-3.6"
+#"external-resizer release-1.9"
+#"external-snapshotter release-6.3"
+#"node-driver-registrar release-2.9"
+)
+
+for rel in "${releases[@]}"; do
+
+    read -r repo branch <<< "$rel"
+    if [ "$repo" != "#" ]; then
+    (
+        cd "$repo"
+        git fetch upstream
+
+        if [ "$(git rev-parse --verify "module-update-$branch" 2>/dev/null)" ]; then
+            git checkout master && git branch -D "module-update-$branch"
+        fi
+        git checkout -B "module-update-$branch" "upstream/$branch"
+
+        for mod in "${modules[@]}"; do
+          go get "$mod"
+        done
+        go mod tidy
+        go mod vendor
+
+        git add --all
+        git commit -m "Update go modules"
+        git push origin "module-update-$branch" --force
+
+            # Create PR
+prbody=$(cat <<EOF
+Updated the following go modules:
+
+${modules[@]}
+
+\`\`\`release-note
+NONE
+\`\`\`
+EOF
+)
+        gh pr create --title="[$branch] Update go modules" --body "$prbody"  --head "$GITHUB_USER:module-update-$branch" --base "$branch" --repo="$org/$repo"
+    )
+    fi
+done

prow.sh

@@ -86,7 +86,7 @@ configvar CSI_PROW_BUILD_PLATFORMS "linux amd64 amd64; linux ppc64le ppc64le -pp
 # which is disabled with GOFLAGS=-mod=vendor).
 configvar GOFLAGS_VENDOR "$( [ -d vendor ] && echo '-mod=vendor' )" "Go flags for using the vendor directory"
 
-configvar CSI_PROW_GO_VERSION_BUILD "1.21.5" "Go version for building the component" # depends on component's source code
+configvar CSI_PROW_GO_VERSION_BUILD "1.22.3" "Go version for building the component" # depends on component's source code
 configvar CSI_PROW_GO_VERSION_E2E "" "override Go version for building the Kubernetes E2E test suite" # normally doesn't need to be set, see install_e2e
 configvar CSI_PROW_GO_VERSION_SANITY "${CSI_PROW_GO_VERSION_BUILD}" "Go version for building the csi-sanity test suite" # depends on CSI_PROW_SANITY settings below
 configvar CSI_PROW_GO_VERSION_KIND "${CSI_PROW_GO_VERSION_BUILD}" "Go version for building 'kind'" # depends on CSI_PROW_KIND_VERSION below

verify-logcheck.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script uses the logcheck tool to analyze the source code
+# for proper usage of klog contextual logging.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+LOGCHECK_VERSION=${1:-0.8.2}
+
+# This will canonicalize the path
+CSI_LIB_UTIL_ROOT=$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd -P)
+
+# Create a temporary directory for installing logcheck and
+# set up a trap command to remove it when the script exits.
+CSI_LIB_UTIL_TEMP=$(mktemp -d 2>/dev/null || mktemp -d -t csi-lib-utils.XXXXXX)
+trap 'rm -rf "${CSI_LIB_UTIL_TEMP}"' EXIT
+
+echo "Installing logcheck to temp dir: sigs.k8s.io/logtools/logcheck@v${LOGCHECK_VERSION}"
+GOBIN="${CSI_LIB_UTIL_TEMP}" go install "sigs.k8s.io/logtools/logcheck@v${LOGCHECK_VERSION}"
+echo "Verifying logcheck: ${CSI_LIB_UTIL_TEMP}/logcheck -check-contextual ${CSI_LIB_UTIL_ROOT}/..."
+"${CSI_LIB_UTIL_TEMP}/logcheck" -check-contextual -check-with-helpers "${CSI_LIB_UTIL_ROOT}/..."