fix: upgrade klone, vendor govulncheck workflow

.github/workflows/govulncheck.yaml

@@ -1,5 +1,9 @@
-# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
-# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead.
+# This file is MANUALLY maintained, but was originally based on the makefile-modules govulncheck workflow. See the original:
+# https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml
+
+# This file is separated from the upstream file so we can add additional auth for pulling
+# private dependencies. Govulncheck doesn't seem to be able to support skipping private
+# dependencies.
 
 # Run govulncheck at midnight every night on the main branch,
 # to alert us to recent vulnerabilities which affect the Go code in this
@@ -26,6 +30,12 @@ jobs:
         # see https://github.com/actions/checkout/issues/701 for extra info about this option
         with: { fetch-depth: 0 }
 
+      # NOTE: This step is the change from the upstream workflow.
+      # We need credentials to pull the private dependency.
+      - uses: ./.github/actions/repo_access
+        with:
+          DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}
+
       - id: go-version
         run: |
           make print-go-version >> "$GITHUB_OUTPUT"

klone.yaml

@@ -10,55 +10,55 @@ targets:
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/klone
     - folder_name: licenses
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/licenses
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 684d99b0a6378fb3625c188bc5a0081ae9d2bbdc
+      repo_hash: 563ddf86f3e68085fbf926eb2cc7a4ec0c6d58cd
       repo_path: modules/tools

make/00_mod.mk

@@ -42,7 +42,9 @@ helm_chart_image_name := quay.io/jetstack/charts/venafi-kubernetes-agent
 helm_chart_version := $(VERSION)
 helm_labels_template_name := preflight.labels
 
-govulncheck_generate_org := jetstack
+# We skip using the upstream govulncheck targets because we need to customise the workflow YAML
+# locally. We provide the targets in this repo instead, and manually maintain the workflow.
+govulncheck_skip := true
 
 # Allows us to replace the Helm values.yaml's image.repository and image.tag
 # with the right values.

make/02_mod.mk

@@ -64,3 +64,24 @@ test-helm: | $(NEEDS_HELM-UNITTEST)
 ## @category Testing
 test-helm-snapshot: | $(NEEDS_HELM-UNITTEST)
 	$(HELM-UNITTEST) ./deploy/charts/venafi-kubernetes-agent/ -u
+
+
+.PHONY: verify-govulncheck
+## Verify all Go modules for vulnerabilities using govulncheck Copied from makefile-modules
+## @category [shared] Generate/ Verify
+#
+# Runs `govulncheck` on all Go modules related to the project.
+# Ignores Go modules among the temporary build artifacts in _bin, to avoid
+# scanning the code of the vendored Go, after running make vendor-go.
+# Ignores Go modules in make/_shared, because those will be checked in centrally
+# in the makefile_modules repository.
+verify-govulncheck: | $(NEEDS_GOVULNCHECK)
+	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) \
+		| while read d; do \
+				target=$$(dirname $${d}); \
+				echo "Running 'GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(bin_dir)/tools/govulncheck ./...' in directory '$${target}'"; \
+				pushd "$${target}" >/dev/null; \
+				GOTOOLCHAIN=go$(VENDORED_GO_VERSION) $(GOVULNCHECK) ./... || exit; \
+				popd >/dev/null; \
+				echo ""; \
+			done

make/_shared/go/01_mod.mk

@@ -57,6 +57,8 @@ generate-go-mod-tidy: | $(NEEDS_GO)
 
 shared_generate_targets += generate-go-mod-tidy
 
+ifndef govulncheck_skip
+
 default_govulncheck_generate_base_dir := $(dir $(lastword $(MAKEFILE_LIST)))/base/
 # The base directory used to copy the govulncheck GH action from. This can be
 # overwritten with an action with extra authentication or with a totally different
@@ -101,6 +103,8 @@ verify-govulncheck: | $(NEEDS_GOVULNCHECK)
 				echo ""; \
 			done
 
+endif # govulncheck_skip
+
 ifdef golangci_lint_config
 
 .PHONY: generate-golangci-lint-config

make/_shared/tools/00_mod.mk

@@ -172,7 +172,7 @@ ADDITIONAL_TOOLS ?=
 tools += $(ADDITIONAL_TOOLS)
 
 # https://go.dev/dl/
-VENDORED_GO_VERSION := 1.24.5
+VENDORED_GO_VERSION := 1.24.6
 
 # Print the go version which can be used in GH actions
 .PHONY: print-go-version
@@ -394,10 +394,10 @@ $(call for_each_kv,go_dependency,$(go_dependencies))
 # File downloads #
 ##################
 
-go_linux_amd64_SHA256SUM=10ad9e86233e74c0f6590fe5426895de6bf388964210eac34a6d83f38918ecdc
-go_linux_arm64_SHA256SUM=0df02e6aeb3d3c06c95ff201d575907c736d6c62cfa4b6934c11203f1d600ffa
-go_darwin_amd64_SHA256SUM=2fe5f3866b8fbcd20625d531f81019e574376b8a840b0a096d8a2180308b1672
-go_darwin_arm64_SHA256SUM=92d30a678f306c327c544758f2d2fa5515aa60abe9dba4ca35fbf9b8bfc53212
+go_linux_amd64_SHA256SUM=bbca37cc395c974ffa4893ee35819ad23ebb27426df87af92e93a9ec66ef8712
+go_linux_arm64_SHA256SUM=124ea6033a8bf98aa9fbab53e58d134905262d45a022af3a90b73320f3c3afd5
+go_darwin_amd64_SHA256SUM=4a8d7a32052f223e71faab424a69430455b27b3fff5f4e651f9d97c3e51a8746
+go_darwin_arm64_SHA256SUM=4e29202c49573b953be7cc3500e1f8d9e66ddd12faa8cf0939a4951411e09a2a
 
 .PRECIOUS: $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz
 $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(DOWNLOAD_DIR)/tools