From dc559ac1001bf0ca429fac7987eb40dfed9958e1 Mon Sep 17 00:00:00 2001 From: Dmitri Fedotov Date: Wed, 18 Mar 2026 18:40:20 +0200 Subject: [PATCH 1/2] build image via go-m-m --- .claude/settings.local.json | 10 ++++ .github/renovate.json | 2 +- .github/workflows/checks.yaml | 15 ++--- .github/workflows/ci.yaml | 8 +-- .github/workflows/codeql.yaml | 2 +- .../workflows/container-registry-ghcr.yaml | 58 +++++++++++++++++++ .golangci.yaml | 15 ++++- .license-scan-overrides.jsonl | 1 + .typos.toml | 10 ++++ Makefile | 17 ++++-- Makefile.maker.yaml | 8 +++ go.mod | 2 +- shell.nix | 3 +- 13 files changed, 128 insertions(+), 23 deletions(-) create mode 100644 .claude/settings.local.json create mode 100644 .github/workflows/container-registry-ghcr.yaml create mode 100644 .typos.toml diff --git a/.claude/settings.local.json b/.claude/settings.local.json new file mode 100644 index 0000000..7690821 --- /dev/null +++ b/.claude/settings.local.json @@ -0,0 +1,10 @@ +{ + "permissions": { + "allow": [ + "Bash(gh pr:*)", + "WebFetch(domain:github.com)", + "WebFetch(domain:raw.githubusercontent.com)", + "Bash(curl:*)" + ] + } +} diff --git a/.github/renovate.json b/.github/renovate.json index e6ea588..04fabb4 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -11,7 +11,7 @@ ], "commitMessageAction": "Renovate: Update", "constraints": { - "go": "1.25" + "go": "1.26" }, "dependencyDashboardOSVVulnerabilitySummary": "all", "osvVulnerabilityAlerts": true, diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 07e2d39..ba3ea53 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -18,7 +18,6 @@ name: Checks permissions: checks: write contents: read - pull-requests: read jobs: checks: name: Checks @@ -30,7 +29,7 @@ jobs: uses: actions/setup-go@v6 with: check-latest: true - go-version: 1.25.5 + go-version: 1.26.1 - name: Run golangci-lint uses: golangci/golangci-lint-action@v9 with: 
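Review bot: Committing `.claude/settings.local.json` checks a per-developer agent permission list into the repository, and its allow-list lets the agent run `Bash(curl:*)` and `Bash(gh pr:*)` without prompting for anyone who opens this checkout with that tool. As far as I know the `.local` variant is meant to stay untracked as a personal override, with shared team policy living in `.claude/settings.json` instead. If this was committed by accident, add `.claude/settings.local.json` to `.gitignore` and drop the file; if it is intended as shared policy, move it to `.claude/settings.json` and narrow the unrestricted `curl` entry to the command shape actually needed, since the `WebFetch(domain:…)` entries already show that the allow-list can be scoped.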
@@ -42,13 +41,11 @@ jobs: - name: Dependency Licenses Review run: make check-dependency-licenses - name: Check for spelling errors - uses: reviewdog/action-misspell@v1 - with: - exclude: ./vendor/* - fail_on_error: true - github_token: ${{ secrets.GITHUB_TOKEN }} - ignore: importas - reporter: github-check + uses: crate-ci/typos@v1 + env: + CLICOLOR: "1" + - name: Delete typos binary + run: rm typos - name: Check if source code files have license header run: make check-addlicense - name: REUSE Compliance Check diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9da8f1d..edc522c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -32,7 +32,7 @@ jobs: uses: actions/setup-go@v6 with: check-latest: true - go-version: 1.25.5 + go-version: 1.26.1 - name: Build all binaries run: make build-all code_coverage: @@ -45,7 +45,7 @@ jobs: - name: Check out code uses: actions/checkout@v6 - name: Post coverage report - uses: fgrosse/go-coverage-report@v1.2.0 + uses: fgrosse/go-coverage-report@v1.3.0 with: coverage-artifact-name: code-coverage coverage-file-name: cover.out @@ -65,11 +65,11 @@ jobs: uses: actions/setup-go@v6 with: check-latest: true - go-version: 1.25.5 + go-version: 1.26.1 - name: Run tests and generate coverage report run: make build/cover.out - name: Archive code coverage results - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v7 with: name: code-coverage path: build/cover.out diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index f84b5c5..d9de56b 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -32,7 +32,7 @@ jobs: uses: actions/setup-go@v6 with: check-latest: true - go-version: 1.25.5 + go-version: 1.26.1 - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: diff --git a/.github/workflows/container-registry-ghcr.yaml b/.github/workflows/container-registry-ghcr.yaml new file mode 100644 index 0000000..2bc5d8c --- /dev/null 
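Review bot: `crate-ci/typos@v1` is referenced by a floating major tag, so the binary CI downloads and executes changes whenever upstream moves that tag; the other actions here follow the same convention, but this one comes from a smaller publisher, so consider pinning it to a commit SHA with the version in a trailing comment (`uses: crate-ci/typos@<commit-sha> # v1.x`). The `rm typos` step suggests the action leaves its binary in the checkout where the later license-header and REUSE steps would otherwise pick it up; a one-line comment such as `# the typos action drops its binary into the workspace; remove it so addlicense/reuse do not flag it` would keep the next editor from deleting the step as dead weight.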
+++ b/.github/workflows/container-registry-ghcr.yaml @@ -0,0 +1,58 @@ +################################################################################ +# This file is AUTOGENERATED with # +# Edit Makefile.maker.yaml instead. # +################################################################################ + +# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company +# SPDX-License-Identifier: Apache-2.0 + +name: Container Registry GHCR +"on": + push: + branches: + - master + workflow_dispatch: {} +permissions: + contents: read + packages: write +jobs: + build-and-push-image: + name: Push container to ghcr.io + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v6 + - name: Log in to the Container registry + uses: docker/login-action@v4 + with: + password: ${{ secrets.GITHUB_TOKEN }} + registry: ghcr.io + username: ${{ github.actor }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v6 + with: + images: ghcr.io/${{ github.repository }} + tags: | + # https://github.com/docker/metadata-action#typeedge + type=edge + # https://github.com/docker/metadata-action#latest-tag + type=raw,value=latest,enable={{is_default_branch}} + # https://github.com/docker/metadata-action#typesemver + type=semver,pattern={{raw}} + type=semver,pattern=v{{major}}.{{minor}} + type=semver,pattern=v{{major}} + # https://github.com/docker/metadata-action#typesha + type=sha,format=long + - name: Set up QEMU + uses: docker/setup-qemu-action@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v4 + - name: Build and push Docker image + uses: docker/build-push-action@v7 + with: + context: . + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64 + push: true + tags: ${{ steps.meta.outputs.tags }} diff --git a/.golangci.yaml b/.golangci.yaml index cc952a6..df0e816 100644 --- a/.golangci.yaml +++ b/.golangci.yaml 
@@ -56,7 +56,6 @@ linters: - ineffassign - intrange - iotamixing - - misspell - modernize - nilerr - nolintlint @@ -137,8 +136,20 @@ linters: excludes: # gosec wants us to set a short ReadHeaderTimeout to avoid Slowloris attacks, but doing so would expose us to Keep-Alive race conditions (see https://iximiuz.com/en/posts/reverse-proxy-http-keep-alive-and-502s/ - G112 + # if we put a password or token into a serialized payload, guess what, we probably did that on purpose + - G117 + # this triggers on net/http.Request.ParseForm() and its callers, e.g. net/http.Request.FormValue(), complaining about potential memory exhaustion from unbounded form parsing; + # but that is incorrect, ParseForm() by default never parses more than 10 MiB for this specific reason + - G120 # created file permissions are restricted by umask if necessary - G306 + # the following lints cause false-positives in many repositories, should be fixed with the next release. (see https://github.com/securego/gosec/issues/1500) + - G701 + - G702 + - G703 + - G704 + - G705 + - G706 govet: disable: - fieldalignment @@ -147,7 +158,7 @@ linters: require-specific: true modernize: disable: - # omitzero requires removing omitempty tags in kubernetes api struct types which are nested, which is intepreted by controller-gen and breaks the CRDs. + # omitzero requires removing omitempty tags in kubernetes api struct types which are nested, which is interpreted by controller-gen and breaks the CRDs. - omitzero perfsprint: # modernize generates nicer fix code diff --git a/.license-scan-overrides.jsonl b/.license-scan-overrides.jsonl index 2e279c1..faa62bc 100644 --- a/.license-scan-overrides.jsonl +++ b/.license-scan-overrides.jsonl 
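Review bot: The new `G701`–`G706` exclusions switch off six gosec rules wholesale on the strength of a comment that they "should be fixed with the next release", but nothing records which gosec version was current, so nothing will prompt re-enabling them once upstream ships the fix. Suggest recording it in the comment, e.g. `# false positives in gosec <version-at-time-of-exclusion>; re-check after the next gosec upgrade (securego/gosec#1500)`. The `G117` exclusion is also broader than its justification: if that rule flags secrets in serialized structs as the comment describes, disabling it globally loses the signal for every future struct, whereas a per-site `//nolint:gosec` on the intentional cases would keep it.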
@@ -6,6 +6,7 @@
 {"name": "github.com/mattn/go-localereader", "licenceType": "MIT"}
 {"name": "github.com/miekg/dns", "licenceType": "BSD-3-Clause"}
 {"name": "github.com/pashagolub/pgxmock/v4", "licenceType": "BSD-3-Clause"}
+{"name": "github.com/pashagolub/pgxmock/v5", "licenceType": "BSD-3-Clause"}
 {"name": "github.com/spdx/tools-golang", "licenceTextOverrideFile": "vendor/github.com/spdx/tools-golang/LICENSE.code"}
 {"name": "github.com/xeipuuv/gojsonpointer", "licenceType": "Apache-2.0"}
 {"name": "github.com/xeipuuv/gojsonreference", "licenceType": "Apache-2.0"}
diff --git a/.typos.toml b/.typos.toml
new file mode 100644
index 0000000..7dd0e8b
--- /dev/null
+++ b/.typos.toml
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2025 SAP SE
+#
+# SPDX-License-Identifier: Apache-2.0
+
+[default.extend-words]
+
+[files]
+extend-exclude = [
+ "go.mod",
+]
diff --git a/Makefile b/Makefile
index 42dadde..a6b9976 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,10 @@ install-golangci-lint: FORCE @if ! hash golangci-lint 2>/dev/null; then printf "\e[1;36m>> Installing golangci-lint (this may take a while)...\e[0m\n"; go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest; fi install-shellcheck: FORCE - @if ! hash shellcheck 2>/dev/null; then printf "\e[1;36m>> Installing shellcheck...\e[0m\n"; SHELLCHECK_ARCH=$(shell uname -m); if [[ "$$SHELLCHECK_ARCH" == "arm64" ]]; then SHELLCHECK_ARCH=aarch64; fi; SHELLCHECK_OS=$(shell uname -s | tr '[:upper:]' '[:lower:]'); SHELLCHECK_VERSION="stable"; if command -v curl >/dev/null 2>&1; then GET="curl -sLo-"; elif command -v wget >/dev/null 2>&1; then GET="wget -O-"; else echo "Didn't find curl or wget to download shellcheck"; exit 2; fi; $$GET "https://github.com/koalaman/shellcheck/releases/download/$$SHELLCHECK_VERSION/shellcheck-$$SHELLCHECK_VERSION.$$SHELLCHECK_OS.$$SHELLCHECK_ARCH.tar.xz" | tar -Jxf -; BIN=$$(go env GOBIN); if [[ -z $$BIN ]]; then BIN=$$(go env GOPATH)/bin; fi; install -Dm755 shellcheck-$$SHELLCHECK_VERSION/shellcheck -t "$$BIN"; rm -rf shellcheck-$$SHELLCHECK_VERSION; fi + @set -eou pipefail; if ! 
hash shellcheck 2>/dev/null; then printf "\e[1;36m>> Installing shellcheck...\e[0m\n"; SHELLCHECK_ARCH=$$(uname -m); if [[ "$$SHELLCHECK_ARCH" == "arm64" ]]; then SHELLCHECK_ARCH=aarch64; fi; SHELLCHECK_OS=$$(uname -s | tr '[:upper:]' '[:lower:]'); SHELLCHECK_VERSION="stable"; if command -v curl >/dev/null 2>&1; then GET="curl -sLo-"; elif command -v wget >/dev/null 2>&1; then GET="wget -O-"; else echo "Didn't find curl or wget to download shellcheck"; exit 2; fi; $$GET "https://github.com/koalaman/shellcheck/releases/download/$$SHELLCHECK_VERSION/shellcheck-$$SHELLCHECK_VERSION.$$SHELLCHECK_OS.$$SHELLCHECK_ARCH.tar.xz" | tar -Jxf -; BIN=$$(go env GOBIN); if [[ -z $$BIN ]]; then BIN=$$(go env GOPATH)/bin; fi; install -Dm755 shellcheck-$$SHELLCHECK_VERSION/shellcheck -t "$$BIN"; rm -rf shellcheck-$$SHELLCHECK_VERSION; fi + +install-typos: FORCE + @set -eou pipefail; if ! hash typos 2>/dev/null; then printf "\e[1;36m>> Installing typos...\e[0m\n"; TYPOS_ARCH=$$(uname -m); if [[ "$$TYPOS_ARCH" == "arm64" ]]; then TYPOS_ARCH=aarch64; fi; if command -v curl >/dev/null 2>&1; then GET="curl $${GITHUB_TOKEN:+" -u \":$$GITHUB_TOKEN\""} -sLo-"; elif command -v wget >/dev/null 2>&1; then GET="wget $${GITHUB_TOKEN:+" --password \"$$GITHUB_TOKEN\""} -O-"; else echo "Didn't find curl or wget to download typos"; exit 2; fi; if command -v gh >/dev/null; then TYPOS_GET_RELEASE_JSON="gh api /repos/crate-ci/typos/releases"; else TYPOS_GET_RELEASE_JSON="$$GET https://api.github.com/repos/crate-ci/typos/releases"; fi; TYPOS_VERSION=$$($$TYPOS_GET_RELEASE_JSON | jq -r '.[0].name' ); if [[ $(UNAME_S) == Darwin ]]; then TYPOS_FILE="typos-$$TYPOS_VERSION-$$TYPOS_ARCH-apple-darwin.tar.gz"; elif [[ $(UNAME_S) == Linux ]]; then TYPOS_FILE="typos-$$TYPOS_VERSION-$$TYPOS_ARCH-unknown-linux-musl.tar.gz"; fi; mkdir -p typos; $$GET ""https://github.com/crate-ci/typos/releases/download/$$TYPOS_VERSION/$$TYPOS_FILE"" | tar -C typos -zxf -; BIN=$$(go env GOBIN); if [[ -z $$BIN ]]; then BIN=$$(go env 
GOPATH)/bin; fi; install -Dm755 typos/typos -t "$$BIN"; rm -rf typos/; fi install-go-licence-detector: FORCE @if ! hash go-licence-detector 2>/dev/null; then printf "\e[1;36m>> Installing go-licence-detector (this may take a while)...\e[0m\n"; go install go.elastic.co/go-licence-detector@latest; fi @@ -54,7 +57,7 @@ install-addlicense: FORCE install-reuse: FORCE @if ! hash reuse 2>/dev/null; then if ! hash pipx 2>/dev/null; then printf "\e[1;31m>> You are required to manually intervene to install reuse as go-makefile-maker cannot automatically resolve installing reuse on all setups.\e[0m\n"; printf "\e[1;31m>> The preferred way for go-makefile-maker to install python tools after nix-shell is pipx which could not be found. Either install pipx using your package manager or install reuse using your package manager if at least version 6 is available.\e[0m\n"; printf "\e[1;31m>> As your Python was likely installed by your package manager, just doing pip install --user sadly does no longer work as pip issues a warning about breaking your system. Generally running --break-system-packages with --user is safe to do but you should only run this command if you can resolve issues with it yourself: pip3 install --user --break-system-packages reuse\e[0m\n"; else printf "\e[1;36m>> Installing reuse...\e[0m\n"; pipx install reuse; fi; fi -prepare-static-check: FORCE install-goimports install-golangci-lint install-shellcheck install-go-licence-detector install-addlicense install-reuse +prepare-static-check: FORCE install-goimports install-golangci-lint install-shellcheck install-typos install-go-licence-detector install-addlicense install-reuse install-controller-gen: FORCE @if ! hash controller-gen 2>/dev/null; then printf "\e[1;36m>> Installing controller-gen (this may take a while)...\e[0m\n"; go install sigs.k8s.io/controller-tools/cmd/controller-gen@latest; fi 
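Review bot: `install-typos` pipes a tarball fetched from `github.com/crate-ci/typos/releases` straight into `tar` and `install`s it into GOBIN without checking a checksum or signature, and it picks `TYPOS_VERSION` from `.[0].name` of the releases API, i.e. whatever entry is newest at run time; pin a known version and, where upstream publishes one, compare the download against its checksum before installing. On a host that is neither Darwin nor Linux `TYPOS_FILE` stays empty and the URL ends in `/`, so the recipe fails on an opaque `tar` error; an `else echo "unsupported OS for typos: $(UNAME_S)"; exit 2; fi` branch would make that explicit (this also assumes `UNAME_S` is defined earlier in the Makefile, outside this hunk). The doubled quotes in `$$GET ""https://github.com/crate-ci/typos/...""` are harmless in bash but read like a template artifact worth cleaning up. The `install-go-licence-detector` recipe on this hunk's last line is unchanged context.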
@@ -76,7 +79,7 @@ build/cloud-profile-sync: FORCE generate env $(GO_BUILDENV) go build $(GO_BUILDFLAGS) -ldflags '-s -w $(GO_LDFLAGS)' -o build/cloud-profile-sync . DESTDIR = -ifeq ($(shell uname -s),Darwin) +ifeq ($(UNAME_S),Darwin) PREFIX = /usr/local else PREFIX = /usr @@ -116,6 +119,10 @@ run-shellcheck: FORCE install-shellcheck @printf "\e[1;36m>> shellcheck\e[0m\n" @find . -type f \( -name '*.bash' -o -name '*.ksh' -o -name '*.zsh' -o -name '*.sh' -o -name '*.shlib' \) -exec shellcheck {} + +run-typos: FORCE install-typos + @printf "\e[1;36m>> typos\e[0m\n" + @typos + build/cover.out: FORCE generate install-setup-envtest | build @printf "\e[1;36m>> Running tests\e[0m\n" KUBEBUILDER_ASSETS=$$(setup-envtest use 1.34 -p path) go run github.com/onsi/ginkgo/v2/ginkgo run --randomize-all -output-dir=build $(GO_BUILDFLAGS) -ldflags '-s -w $(GO_LDFLAGS)' -covermode=count -coverpkg=$(subst $(space),$(comma),$(GO_COVERPKGS)) $(GO_TESTFLAGS) $(GO_TESTPKGS) 
@@ -151,7 +158,7 @@ license-headers: FORCE install-addlicense install-reuse @printf "\e[1;36m>> addlicense (for license headers on source code files)\e[0m\n" @printf "%s\0" $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...)) | $(XARGS) -0 -I{} bash -c 'year="$$(grep 'Copyright' {} | head -n1 | grep -E -o '"'"'[0-9]{4}(-[0-9]{4})?'"'"')"; if [[ -z "$$year" ]]; then year=$$(date +%Y); fi; gawk -i inplace '"'"'{if (display) {print} else {!/^\/\*/ && !/^\*/}}; {if (!display && $$0 ~ /^(package |$$)/) {display=1} else { }}'"'"' {}; addlicense -c "SAP SE or an SAP affiliate company" -s=only -y "$$year" -- {}; $(SED) -i '"'"'1s+// Copyright +// SPDX-FileCopyrightText: +'"'"' {}; ' @printf "\e[1;36m>> reuse annotate (for license headers on other files)\e[0m\n" - @reuse lint -j | jq -r '.non_compliant.missing_licensing_info[]' | grep -vw vendor | $(XARGS) reuse annotate -c 'SAP SE or an SAP affiliate company' -l Apache-2.0 --skip-unrecognised + @reuse lint -j | jq -r '.non_compliant.missing_licensing_info[]' | sed '/\/d' | $(XARGS) reuse annotate -c 'SAP SE or an SAP affiliate company' -l Apache-2.0 --skip-unrecognised @printf "\e[1;36m>> reuse download --all\e[0m\n" @reuse download --all @printf "\e[1;35mPlease review the changes. If *.license files were generated, consider instructing go-makefile-maker to add overrides to REUSE.toml instead.\e[0m\n" 
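Review bot: As rendered here, the filter that replaces `grep -vw vendor` is `sed '/\/d'`, which is an unterminated regex address (the `\/` escapes the very slash that should close it), so `license-headers` would abort with a sed error before `reuse annotate` runs. If the intent is still to drop vendored paths from the `reuse lint` output, something like `sed '/vendor/d'` states it completely. If this is only a rendering artifact of the patch text and the real line carries a complete address, disregard.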
@@ -194,6 +201,7 @@ help: FORCE @printf " \e[36minstall-goimports\e[0m Install goimports required by goimports/static-check\n" @printf " \e[36minstall-golangci-lint\e[0m Install golangci-lint required by run-golangci-lint/static-check\n" @printf " \e[36minstall-shellcheck\e[0m Install shellcheck required by run-shellcheck/static-check\n" + @printf " \e[36minstall-typos\e[0m Install typos required by run-typos/static-check\n" @printf " \e[36minstall-go-licence-detector\e[0m Install-go-licence-detector required by check-dependency-licenses/static-check\n" @printf " \e[36minstall-addlicense\e[0m Install addlicense required by check-license-headers/license-headers/static-check\n" @printf " \e[36minstall-reuse\e[0m Install reuse required by license-headers/check-reuse\n" @@ -211,6 +219,7 @@ help: FORCE @printf " \e[36mgenerate\e[0m Generate code for Kubernetes CRDs and deepcopy.\n" @printf " \e[36mrun-golangci-lint\e[0m Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n" @printf " \e[36mrun-shellcheck\e[0m Install and run shellcheck. Installing is used in CI, but you should probably install shellcheck using your package manager.\n" + @printf " \e[36mrun-typos\e[0m Check for spelling errors using typos.\n" @printf " \e[36mbuild/cover.out\e[0m Run tests and generate coverage report.\n" @printf " \e[36mbuild/cover.html\e[0m Generate an HTML file with source code annotations from the coverage report.\n" @printf " \e[36mcheck-addlicense\e[0m Check license headers in all non-vendored .go files with addlicense.\n" diff --git a/Makefile.maker.yaml b/Makefile.maker.yaml index f5ec492..5e2c63d 100644 --- a/Makefile.maker.yaml +++ b/Makefile.maker.yaml @@ -19,6 +19,14 @@ githubWorkflow: defaultBranch: master ci: enabled: true + pushContainerToGhcr: + enabled: true + platforms: "linux/amd64" + tagStrategy: + - edge + - latest + - semver + - sha renovate: enabled: true 
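Review bot: `tagStrategy` lists `semver`, but the workflow this generates (`container-registry-ghcr.yaml` in the same patch) only triggers on `push` to `master` and `workflow_dispatch`, never on tag refs, so the `type=semver` entries can never match and no versioned image tag will be published; either add a tag trigger if go-makefile-maker supports one, or drop `semver` so the config does not promise tags it cannot produce. With `edge` and `latest` both produced by every push to `master`, `:latest` tracks the unreleased head rather than a release, which consumers should know; a short comment next to `tagStrategy` saying `# latest follows master HEAD, not a release; use the sha tag for an immutable reference` would document that.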
diff --git a/go.mod b/go.mod index 0dd1549..43b4eeb 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/cobaltcore-dev/cloud-profile-sync -go 1.25 +go 1.26 require ( github.com/blang/semver/v4 v4.0.0 diff --git a/shell.nix b/shell.nix index 84db48e..3b42cfd 100644 --- a/shell.nix +++ b/shell.nix @@ -9,13 +9,14 @@ mkShell { nativeBuildInputs = [ addlicense go-licence-detector - go_1_25 + go_1_26 golangci-lint gotools # goimports kubernetes-controller-tools # controller-gen renovate reuse setup-envtest + typos # keep this line if you use bash bashInteractive ]; From 38ebcaada86eafb6f855342551bbc206bd774ac4 Mon Sep 17 00:00:00 2001 From: Dmitri Fedotov Date: Wed, 18 Mar 2026 18:40:56 +0200 Subject: [PATCH 2/2] bump go in dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ed23100..ef67192 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 # Build the manager binary -FROM golang:1.25-alpine AS builder +FROM golang:1.26-alpine AS builder WORKDIR /workspace ENV GOTOOLCHAIN=local