jetstack · inteon · Apr 30, 2025 · Apr 15, 2025 · Apr 15, 2025 · Apr 29, 2025
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
@@ -17,6 +17,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
+    if: github.repository_owner == 'cert-manager'
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need

diff --git a/.golangci.yaml b/.golangci.yaml
@@ -1,35 +1,40 @@
-issues:
-  exclude-rules:
-    - linters:
-        - bodyclose
-        - dupword
-        - errcheck
-        - errchkjson
-        - forbidigo
-        - gci
-        - gocritic
-        - gofmt
-        - gosec
-        - gosimple
-        - govet
-        - misspell
-        - musttag
-        - nilerr
-        - staticcheck
-        - noctx
-        - unconvert
-        - unparam
-        - usestdlibvars
-        - predeclared
-      text: ".*"
+version: "2"
 linters:
-  # Explicitly define all enabled linters
-  disable-all: true
+  default: none
+  exclusions:
+    generated: lax
+    presets: [comments, common-false-positives, legacy, std-error-handling]
+    rules:
+      - linters:
+          - bodyclose
+          - dupword
+          - errcheck
+          - errchkjson
+          - forbidigo
+          - gocritic
+          - gosec
+          - govet
+          - misspell
+          - musttag
+          - nilerr
+          - noctx
+          - predeclared
+          - staticcheck
+          - unconvert
+          - unparam
+          - usestdlibvars
+        text: .*
+    paths: [third_party$, builtin$, examples$]
+    warn-unused: true
+  settings:
+    staticcheck:
+      checks: ["all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008"]
   enable:
     - asasalint
     - asciicheck
     - bidichk
     - bodyclose
+    - canonicalheader
     - contextcheck
     - copyloopvar
     - decorder
@@ -40,23 +45,22 @@ linters:
     - errchkjson
     - errname
     - exhaustive
+    - exptostd
     - forbidigo
-    - gci
     - ginkgolinter
     - gocheckcompilerdirectives
     - gochecksumtype
     - gocritic
-    - gofmt
     - goheader
     - goprintffuncname
     - gosec
-    - gosimple
     - gosmopolitan
     - govet
     - grouper
     - importas
     - ineffassign
     - interfacebloat
+    - intrange
     - loggercheck
     - makezero
     - mirror
@@ -74,19 +78,23 @@ linters:
     - sloglint
     - staticcheck
     - tagalign
-    - tenv
     - testableexamples
-    - typecheck
     - unconvert
     - unparam
     - unused
     - usestdlibvars
+    - usetesting
     - wastedassign
-linters-settings:
-  gci:
-    sections:
-      - standard # Standard section: captures all standard packages.
-      - default # Default section: contains all imports that could not be matched to another section type.
-      - prefix(github.com/jetstack/preflight) # Custom section: groups all imports with the specified Prefix.
-      - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
-      - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+formatters:
+  enable: [gci, gofmt]
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix(github.com/jetstack/preflight) # Custom section: groups all imports with the specified Prefix.
+        - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+        - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+  exclusions:
+    generated: lax
+    paths: [third_party$, builtin$, examples$]
diff --git a/api/cluster_test.go b/api/cluster_test.go
@@ -43,15 +43,15 @@ func TestClusterSummaryUnmarshalJSON(t *testing.T) {
 			FailureCount: 4,
 			SuccessCount: 1,
 			Reports: []*ReportSummary{
-				&ReportSummary{
+				{
 					ID:           "exampleReport1",
 					Package:      "examplePackage.ID.1",
 					Cluster:      "exampleCluster",
 					Timestamp:    Time{Time: ts},
 					FailureCount: 2,
 					SuccessCount: 1,
 				},
-				&ReportSummary{
+				{
 					ID:           "exampleReport2",
 					Package:      "examplePackage.ID.2",
 					Cluster:      "exampleCluster",

diff --git a/klone.yaml b/klone.yaml
@@ -10,50 +10,50 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 7740a28745d013a286c0573a180d0aa53ff0aa6a
+      repo_hash: 01f8036da297256be41f6cc520cb248cb0f609fc
       repo_path: modules/tools
diff --git a/make/_shared/generate-verify/util/verify.sh b/make/_shared/generate-verify/util/verify.sh
@@ -53,7 +53,7 @@ trap "cleanup" EXIT SIGINT
 # 2. rsync on macOS 15.4 and newer is actually openrsync, which has different permissions and throws errors when copying git objects
 #
 # So, we use find to list all files except _bin, and then copy each in turn
-find . -maxdepth 1 -not \( -path "./_bin" -prune \) | xargs -I% cp -af "${projectdir}/%" "${tmp}/"
+find . -maxdepth 1 -not \( -path "./_bin" \) -not \( -path "." \) | xargs -I% cp -af "${projectdir}/%" "${tmp}/"
 
 pushd "${tmp}" >/dev/null
 

diff --git a/make/_shared/go/.golangci.override.yaml b/make/_shared/go/.golangci.override.yaml
@@ -1,11 +1,20 @@
+version: "2"
 linters:
-  # Explicitly define all enabled linters
-  disable-all: true
+  default: none
+  exclusions:
+    generated: lax
+    presets: [ comments, common-false-positives, legacy, std-error-handling ]
+    paths: [ third_party$, builtin$, examples$ ]
+    warn-unused: true
+  settings:
+    staticcheck:
+      checks: [ "all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008" ]
   enable:
     - asasalint
     - asciicheck
     - bidichk
     - bodyclose
+    - canonicalheader
     - contextcheck
     - copyloopvar
     - decorder
@@ -16,23 +25,22 @@ linters:
     - errchkjson
     - errname
     - exhaustive
+    - exptostd
     - forbidigo
-    - gci
     - ginkgolinter
     - gocheckcompilerdirectives
     - gochecksumtype
     - gocritic
-    - gofmt
     - goheader
     - goprintffuncname
     - gosec
-    - gosimple
     - gosmopolitan
     - govet
     - grouper
     - importas
     - ineffassign
     - interfacebloat
+    - intrange
     - loggercheck
     - makezero
     - mirror
@@ -50,19 +58,23 @@ linters:
     - sloglint
     - staticcheck
     - tagalign
-    - tenv
     - testableexamples
-    - typecheck
     - unconvert
     - unparam
     - unused
     - usestdlibvars
+    - usetesting
     - wastedassign
-linters-settings:
-  gci:
-    sections:
-      - standard # Standard section: captures all standard packages.
-      - default # Default section: contains all imports that could not be matched to another section type.
-      - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix.
-      - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
-      - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+formatters:
+  enable: [ gci, gofmt ]
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix({{REPO-NAME}}) # Custom section: groups all imports with the specified Prefix.
+        - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+        - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+  exclusions:
+    generated: lax
+    paths: [ third_party$, builtin$, examples$ ]
diff --git a/make/_shared/go/01_mod.mk b/make/_shared/go/01_mod.mk
@@ -101,7 +101,12 @@ ifdef golangci_lint_config
 .PHONY: generate-golangci-lint-config
 ## Generate a golangci-lint configuration file
 ## @category [shared] Generate/ Verify
-generate-golangci-lint-config: | $(NEEDS_YQ) $(bin_dir)/scratch
+generate-golangci-lint-config: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch
+	if [ "$$($(YQ) eval 'has("version") | not' $(golangci_lint_config))" == "true" ]; then \
+		$(GOLANGCI-LINT) migrate -c $(golangci_lint_config); \
+		rm $(basename $(golangci_lint_config)).bck$(suffix $(golangci_lint_config)); \
+	fi
+
 	cp $(golangci_lint_config) $(bin_dir)/scratch/golangci-lint.yaml.tmp
 	$(YQ) -i 'del(.linters.enable)' $(bin_dir)/scratch/golangci-lint.yaml.tmp
 	$(YQ) eval-all -i '. as $$item ireduce ({}; . * $$item)' $(bin_dir)/scratch/golangci-lint.yaml.tmp $(golangci_lint_override)
@@ -119,9 +124,9 @@ verify-golangci-lint: | $(NEEDS_GO) $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir
 	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
 				target=$$(dirname $${d}); \
-				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout)' in directory '$${target}'"; \
+				echo "Running 'GOVERSION=$(VENDORED_GO_VERSION) $(bin_dir)/tools/golangci-lint run -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout)' in directory '$${target}'"; \
 				pushd "$${target}" >/dev/null; \
-				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout) || exit; \
+				GOVERSION=$(VENDORED_GO_VERSION) $(GOLANGCI-LINT) run -c $(CURDIR)/$(golangci_lint_config) --timeout $(golangci_lint_timeout) || exit; \
 				popd >/dev/null; \
 				echo ""; \
 			done
@@ -132,21 +137,12 @@ shared_verify_targets_dirty += verify-golangci-lint
 ## Fix all Go modules using golangci-lint
 ## @category [shared] Generate/ Verify
 fix-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(NEEDS_GCI) $(bin_dir)/scratch
-	$(GCI) write \
-		--skip-generated \
-		--skip-vendor \
-		-s "standard" \
-		-s "default" \
-		-s "prefix($(repo_name))" \
-		-s "blank" \
-		-s "dot" .
-
 	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
 		| while read d; do \
 				target=$$(dirname $${d}); \
-				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix' in directory '$${target}'"; \
+				echo "Running 'GOVERSION=$(VENDORED_GO_VERSION) $(bin_dir)/tools/golangci-lint fmt -c $(CURDIR)/$(golangci_lint_config)' in directory '$${target}'"; \
 				pushd "$${target}" >/dev/null; \
-				$(GOLANGCI-LINT) run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config) --fix || exit; \
+				GOVERSION=$(VENDORED_GO_VERSION) $(GOLANGCI-LINT) fmt -c $(CURDIR)/$(golangci_lint_config) || exit; \
 				popd >/dev/null; \
 				echo ""; \
 			done

diff --git a/make/_shared/go/base/.github/workflows/govulncheck.yaml b/make/_shared/go/base/.github/workflows/govulncheck.yaml
@@ -17,6 +17,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
+    if: github.repository_owner == 'cert-manager'
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         # Adding `fetch-depth: 0` makes sure tags are also fetched. We need

diff --git a/make/_shared/helm/helm.mk b/make/_shared/helm/helm.mk
@@ -178,3 +178,16 @@ verify-helm-lint: $(helm_chart_archive) | $(NEEDS_HELM)
 	$(HELM) lint $(helm_chart_archive)
 
 shared_verify_targets_dirty += verify-helm-lint
+
+.PHONY: verify-helm-kubeconform
+## Verify that the Helm chart passes a strict check using kubeconform
+## @category [shared] Generate/ Verify
+verify-helm-kubeconform: $(helm_chart_archive) | $(NEEDS_KUBECONFORM)
+	@$(HELM) template $(helm_chart_archive) $(INSTALL_OPTIONS) \
+	| $(KUBECONFORM) \
+		-schema-location default \
+		-schema-location "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.NormalizedKubernetesVersion}}/{{.ResourceKind}}.json" \
+		-schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json" \
+		-strict
+
+shared_verify_targets_dirty += verify-helm-kubeconform
diff --git a/make/_shared/kind/00_kind_image_versions.mk b/make/_shared/kind/00_kind_image_versions.mk
@@ -25,6 +25,8 @@ kind_image_kube_1.31_amd64 := docker.io/kindest/node:v1.31.6@sha256:37d52dc19f59
 kind_image_kube_1.31_arm64 := docker.io/kindest/node:v1.31.6@sha256:4e6223faa19178922d30e7b62546c5464fdf9bc66a3df64073424a51ab44f2ab
 kind_image_kube_1.32_amd64 := docker.io/kindest/node:v1.32.2@sha256:a37b679ad8c1cfa7c64aca1734cc4299dc833258d6c131ed0204c8cd2bd56ff7
 kind_image_kube_1.32_arm64 := docker.io/kindest/node:v1.32.2@sha256:4d0e1b60f1da0d1349996a9778f8bace905189af5e05e04618eae0a155dd9f9c
+kind_image_kube_1.33_amd64 := docker.io/kindest/node:v1.33.0@sha256:c9ec7bf998c310c5a6c903d66c2e595fb3e2eb53fb626cd53d07a3a5499de412
+kind_image_kube_1.33_arm64 := docker.io/kindest/node:v1.33.0@sha256:96ae3b980f87769e0117c2a89ec74fc660b84eedb573432abd2a682af3eccc02
 
-kind_image_latest_amd64 := $(kind_image_kube_1.32_amd64)
-kind_image_latest_arm64 := $(kind_image_kube_1.32_arm64)
+kind_image_latest_amd64 := $(kind_image_kube_1.33_amd64)
+kind_image_latest_arm64 := $(kind_image_kube_1.33_arm64)