From 7a69a7b5691f53dfe29195493ed6155ed818ef78 Mon Sep 17 00:00:00 2001
From: Ashley Davis
Date: Thu, 7 Aug 2025 10:15:41 +0100
Subject: [PATCH] fix: add credentials for pulling private dependency with govulncheck

It seems difficult to stop govulncheck attempting to pull and analyse private dependencies. We still want to run it, so the simplest thing to do is diverge from upstream makefile-modules and maintain the govulncheck workflow by hand in this repo. This requires changes to the govulncheck workflow itself, and means we have to disable the upstream govulncheck targets and copy them locally.
Signed-off-by: Ashley Davis
---
 .github/workflows/govulncheck.yaml | 14 ++++++++++++--
 klone.yaml | 22 +++++++++++-----------
 make/00_mod.mk | 4 +++-
 make/02_mod.mk | 21 +++++++++++++++++++++
 make/_shared/go/01_mod.mk | 4 ++++
 make/_shared/tools/00_mod.mk | 10 +++++-----
 6 files changed, 56 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index d34a096c..9843ecf2 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -1,5 +1,9 @@
-# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
-# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead.
+# This file is MANUALLY maintained, but was originally based on the makefile-modules govulncheck workflow. See the original:
+# https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml
+
+# This file is separated from the upstream file so we can add additional auth for pulling
+# private dependencies. Govulncheck doesn't seem to be able to support skipping private
+# dependencies.
 # Run govulncheck at midnight every night on the main branch,
 # to alert us to recent vulnerabilities which affect the Go code in this
@@ -26,6 +30,12 @@ jobs:
 # see https://github.com/actions/checkout/issues/701 for extra info about this option
 with: { fetch-depth: 0 }
 
+ # NOTE: This step is the change from the upstream workflow.
+ # We need credentials to pull the private dependency.
+ - uses: ./.github/actions/repo_access
+ with:
+ DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
+
 - id: go-version
 run: |
 make print-go-version >> "$GITHUB_OUTPUT"
diff --git a/klone.yaml b/klone.yaml
index 0099d75d..c2305371 100644
--- a/klone.yaml
+++ b/klone.yaml
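Review bot: The deploy key loaded by the new `- uses: ./.github/actions/repo_access` step remains available to every later step of the job (go-version and the govulncheck run that performs the module download), yet neither the comment nor the step records that the key is read-only or which module it unlocks; the name `DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB` suggests read scope and a single library, but that is a naming convention, not something the workflow enforces. Unless the composite action sets it, `go` will also need `GOPRIVATE` (or `GONOPROXY`/`GONOSUMDB`) to cover the private module path, otherwise the fetch is attempted through proxy.golang.org and sum.golang.org and fails for a private repository. I would extend the comment to `# NOTE: read-only deploy key for the private dependency; it stays in the SSH agent for all later steps of this job` and, if the action does not already do so, add the module path to `GOPRIVATE` in this step's environment. The enclosing job and its `permissions:` and trigger start outside the hunk; the header says nightly on main, which should be confirmed so the secret never flows into a fork-triggered run.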
@@ -10,55 +10,55 @@ targets:
 - folder_name: generate-verify
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/generate-verify
 - folder_name: go
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/go
 - folder_name: helm
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/helm
 - folder_name: help
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/help
 - folder_name: kind
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/kind
 - folder_name: klone
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/klone
 - folder_name: licenses
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/licenses
 - folder_name: oci-build
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/oci-build
 - folder_name: oci-publish
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/oci-publish
 - folder_name: repository-base
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/repository-base
 - folder_name: tools
 repo_url: https://github.com/cert-manager/makefile-modules.git
 repo_ref: main
- repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+ repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
 repo_path: modules/tools
diff --git a/make/00_mod.mk b/make/00_mod.mk
index 4f549c51..232c5796 100644
--- a/make/00_mod.mk
+++ b/make/00_mod.mk
@@ -42,7 +42,9 @@ helm_chart_image_name := quay.io/jetstack/charts/venafi-kubernetes-agent
 helm_chart_version := $(VERSION)
 helm_labels_template_name := preflight.labels
 
-govulncheck_generate_org := jetstack
+# We skip using the upstream govulncheck targets because we need to customise the workflow YAML
+# locally. We provide the targets in this repo instead, and manually maintain the workflow.
+govulncheck_skip := true
 
 # Allows us to replace the Helm values.yaml's image.repository and image.tag
 # with the right values.
diff --git a/make/02_mod.mk b/make/02_mod.mk
index 7ebd45cf..5bd58aee 100644
--- a/make/02_mod.mk
+++ b/make/02_mod.mk
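Review bot: Replacing `govulncheck_generate_org := jetstack` with `govulncheck_skip := true` also drops the upstream generate/verify step that kept `.github/workflows/govulncheck.yaml` identical to the makefile-modules copy, so nothing in CI will now notice when the hand-maintained workflow drifts from upstream fixes; the new comment says the workflow is maintained manually but not how it is kept current. The shared module tests this variable with `ifndef` (visible in the make/_shared/go/01_mod.mk hunk), so any non-empty value, including `false`, skips — worth saying here so nobody tries to re-enable with `govulncheck_skip := false`. I would extend the comment with `# NOTE: upstream checks this with ifndef, so any non-empty value skips. Re-diff .github/workflows/govulncheck.yaml against the upstream file whenever klone.yaml is bumped.`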
@@ -64,3 +64,24 @@ test-helm: | $(NEEDS_HELM-UNITTEST)
 ## @category Testing
 test-helm-snapshot: | $(NEEDS_HELM-UNITTEST)
 $(HELM-UNITTEST) ./deploy/charts/venafi-kubernetes-agent/ -u
+
+ .PHONY: verify-govulncheck
+## Verify all Go modules for vulnerabilities using govulncheck Copied from makefile-modules
+## @category [shared] Generate/ Verify
+#
+# Runs `govulncheck` on all Go modules related to the project.
+# Ignores Go modules among the temporary build artifacts in _bin, to avoid
+# scanning the code of the vendored Go, after running make vendor-go.
+# Ignores Go modules in make/_shared, because those will be checked in centrally
+# in the makefile_modules repository.
+verify-govulncheck: | $(NEEDS_GOVULNCHECK)
+ @find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
+ | while read d; do \
+ target=$$(dirname $${d}); \
+ echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${target}'"; \
+ pushd "$${target}" >/dev/null; \
+ GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(GOVULNCHECK) ./... || exit; \
+ popd >/dev/null; \
+ echo ""; \
+ done
diff --git a/make/_shared/go/01_mod.mk b/make/_shared/go/01_mod.mk
index 226dc0f7..bc260b2b 100644
--- a/make/_shared/go/01_mod.mk
+++ b/make/_shared/go/01_mod.mk
@@ -57,6 +57,8 @@ generate-go-mod-tidy: | $(NEEDS_GO)
 
 shared_generate_targets += generate-go-mod-tidy
 
+ifndef govulncheck_skip
+
 default_govulncheck_generate_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
 # The base directory used to copy the govulncheck GH action from. This can be
 # overwritten with an action with extra authentication or with a totally different
@@ -101,6 +103,8 @@ verify-govulncheck: | $(NEEDS_GOVULNCHECK)
 echo ""; \
 done
 
+endif # govulncheck_skip
+
 ifdef golangci_lint_config
 
 .PHONY: generate-golangci-lint-config
diff --git a/make/_shared/tools/00_mod.mk b/make/_shared/tools/00_mod.mk
index 6a2e298a..b298f340 100644
--- a/make/_shared/tools/00_mod.mk
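Review bot: In the new `verify-govulncheck` recipe, `while read d` and `dirname $${d}` consume the paths from `find` without `-r` and unquoted, so a module directory containing whitespace or a backslash would be split or mangled and silently scanned in the wrong place; the strict form is `| while IFS= read -r d; do \` and `target=$$(dirname "$${d}"); \`. The `## Verify all Go modules ... Copied from makefile-modules` line is the text `make help` prints for the target, so the provenance note would be better placed in the `#` comment block beneath it than in the user-facing description. The echo announces `$(bin_dir)/tools/govulncheck` while the command actually executed is `$(GOVULNCHECK)`; echoing `$(GOVULNCHECK)` keeps the log honest if that variable is ever redefined. Since this is a verbatim local copy of the upstream target, a comment naming the upstream path and hash it was copied from would make the next re-sync straightforward.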
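Review bot: `ifndef govulncheck_skip` disables the govulncheck targets for any non-empty value, so `govulncheck_skip := false` would also skip them while an empty `govulncheck_skip :=` would not; if a boolean is intended, `ifneq ($(strip $(govulncheck_skip)),true)` is the unambiguous guard, otherwise the current semantics should be stated above it: `# Set govulncheck_skip to any non-empty value to omit the govulncheck generate/verify targets (e.g. when the workflow is maintained locally).` This file sits under make/_shared, which klone.yaml pins to the makefile-modules repository, so if the guard is vendored from upstream the change belongs there rather than in this repo. The matching `endif` is in the following hunk.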
+++ b/make/_shared/tools/00_mod.mk
@@ -172,7 +172,7 @@ ADDITIONAL_TOOLS ?=
 tools += $(ADDITIONAL_TOOLS)
 
 # https://go.dev/dl/
-VENDORED_GO_VERSION := 1.24.5
+VENDORED_GO_VERSION := 1.24.6
 
 # Print the go version which can be used in GH actions
 .PHONY: print-go-version
@@ -394,10 +394,10 @@ $(call for_each_kv,go_dependency,$(go_dependencies))
 # File downloads
 # ##################
 
-go_linux_amd64_SHA256SUM=10ad9e86233e74c0f6590fe5426895de6bf388964210eac34a6d83f38918ecdc
-go_linux_arm64_SHA256SUM=0df02e6aeb3d3c06c95ff201d575907c736d6c62cfa4b6934c11203f1d600ffa
-go_darwin_amd64_SHA256SUM=2fe5f3866b8fbcd20625d531f81019e574376b8a840b0a096d8a2180308b1672
-go_darwin_arm64_SHA256SUM=92d30a678f306c327c544758f2d2fa5515aa60abe9dba4ca35fbf9b8bfc53212
+go_linux_amd64_SHA256SUM=bbca37cc395c974ffa4893ee35819ad23ebb27426df87af92e93a9ec66ef8712
+go_linux_arm64_SHA256SUM=124ea6033a8bf98aa9fbab53e58d134905262d45a022af3a90b73320f3c3afd5
+go_darwin_amd64_SHA256SUM=4a8d7a32052f223e71faab424a69430455b27b3fff5f4e651f9d97c3e51a8746
+go_darwin_arm64_SHA256SUM=4e29202c49573b953be7cc3500e1f8d9e66ddd12faa8cf0939a4951411e09a2a
 
 .PRECIOUS: $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz
 $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(DOWNLOAD_DIR)/tools