Introduce go-makefile-maker

.envrc

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2019–2020 Target, Copyright 2021 The Nix Community
+# SPDX-License-Identifier: Apache-2.0
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv)"
+elif type -P nix &>/dev/null; then
+  use nix
+else
+  echo "Found no nix binary. Skipping activating nix-shell..."
+fi

.github/renovate.json

@@ -3,14 +3,50 @@
   "extends": [
     "config:recommended",
     "default:pinDigestsDisabled",
-    "mergeConfidence:all-badges"
+    "mergeConfidence:all-badges",
+    "docker:disable"
   ],
+  "assignees": [
+    "kayrus"
+  ],
+  "commitMessageAction": "Renovate: Update",
+  "constraints": {
+    "go": "1.24"
+  },
   "dependencyDashboardOSVVulnerabilitySummary": "all",
   "osvVulnerabilityAlerts": true,
   "postUpdateOptions": [
     "gomodTidy",
     "gomodUpdateImportPaths"
   ],
+  "packageRules": [
+    {
+      "matchPackageNames": [
+        "golang"
+      ],
+      "allowedVersions": "1.24.x"
+    },
+    {
+      "matchPackageNames": [
+        "/^github\\.com\\/sapcc\\/.*/"
+      ],
+      "automerge": true,
+      "groupName": "github.com/sapcc"
+    },
+    {
+      "matchPackageNames": [
+        "!/^github\\.com\\/sapcc\\/.*/",
+        "/.*/"
+      ],
+      "groupName": "External dependencies"
+    },
+    {
+      "matchPackageNames": [
+        "/^k8s.io\\//"
+      ],
+      "allowedVersions": "0.28.x"
+    }
+  ],
   "prHourlyLimit": 0,
   "schedule": [
     "before 8am on Friday"

.github/workflows/checks.yaml

@@ -0,0 +1,52 @@
+################################################################################
+# This file is AUTOGENERATED with <https://github.com/sapcc/go-makefile-maker> #
+# Edit Makefile.maker.yaml instead.                                            #
+################################################################################
+
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
+name: Checks
+"on":
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - '*'
+  workflow_dispatch: {}
+permissions:
+  checks: write
+  contents: read
+jobs:
+  checks:
+    name: Checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version: 1.24.0
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+      - name: Dependency Licenses Review
+        run: make check-dependency-licenses
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      - name: Run govulncheck
+        run: govulncheck -format text ./...
+      - name: Check for spelling errors
+        uses: reviewdog/action-misspell@v1
+        with:
+          exclude: ./vendor/*
+          fail_on_error: true
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          ignore: importas
+          reporter: github-check
+      - name: Check if source code files have license header
+        run: make check-license-headers

.github/workflows/ci.yaml

@@ -0,0 +1,59 @@
+################################################################################
+# This file is AUTOGENERATED with <https://github.com/sapcc/go-makefile-maker> #
+# Edit Makefile.maker.yaml instead.                                            #
+################################################################################
+
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
+name: CI
+"on":
+  push:
+    branches:
+      - master
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    branches:
+      - '*'
+    paths-ignore:
+      - '**.md'
+  workflow_dispatch: {}
+permissions:
+  contents: read
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version: 1.24.0
+      - name: Build all binaries
+        run: make build-all
+  test:
+    name: Test
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version: 1.24.0
+      - name: Run tests and generate coverage report
+        run: make build/cover.out
+      - name: Upload coverage report to Coveralls
+        env:
+          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GIT_BRANCH: ${{ github.head_ref }}
+        run: |
+          go install github.com/mattn/goveralls@latest
+          goveralls -service=github -coverprofile=build/cover.out

.github/workflows/codeql.yaml

@@ -1,3 +1,11 @@
+################################################################################
+# This file is AUTOGENERATED with <https://github.com/sapcc/go-makefile-maker> #
+# Edit Makefile.maker.yaml instead.                                            #
+################################################################################
+
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
 name: CodeQL
 "on":
   push:
@@ -8,6 +16,7 @@ name: CodeQL
       - master
   schedule:
     - cron: '00 07 * * 1'
+  workflow_dispatch: {}
 permissions:
   actions: read
   contents: read
@@ -23,7 +32,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: 1.23.0
+          go-version: 1.24.0
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:

.golangci.yaml

@@ -0,0 +1,175 @@
+################################################################################
+# This file is AUTOGENERATED with <https://github.com/sapcc/go-makefile-maker> #
+# Edit Makefile.maker.yaml instead.                                            #
+################################################################################
+
+# Copyright 2024 SAP SE
+# SPDX-License-Identifier: Apache-2.0
+
+run:
+  timeout: 3m # 1m by default
+  modules-download-mode: readonly
+
+output:
+  # Do not print lines of code with issue.
+  print-issued-lines: false
+
+issues:
+  exclude:
+    # It is idiomatic Go to reuse the name 'err' with ':=' for subsequent errors.
+    # Ref: https://go.dev/doc/effective_go#redeclaration
+    - 'declaration of "err" shadows declaration at'
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - bodyclose
+        - dupl
+  # '0' disables the following options.
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+linters-settings:
+  dupl:
+    # Tokens count to trigger issue, 150 by default.
+    threshold: 100
+  errcheck:
+    # Report about assignment of errors to blank identifier.
+    check-blank: true
+    # Do not report about not checking of errors in type assertions.
+    # This is not as dangerous as skipping error values because an unchecked type assertion just immediately panics.
+    # We disable this because it makes a ton of useless noise esp. in test code.
+    check-type-assertions: false
+  forbidigo:
+    analyze-types: true # required for pkg:
+    forbid:
+      # ioutil package has been deprecated: https://github.com/golang/go/issues/42026
+      - ^ioutil\..*$
+      # Using http.DefaultServeMux is discouraged because it's a global variable that some packages silently and magically add handlers to (esp. net/http/pprof).
+      # Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
+      - ^http\.DefaultServeMux$
+      - ^http\.Handle(?:Func)?$
+      # Forbid usage of old and archived square/go-jose
+      - pkg: ^gopkg\.in/square/go-jose\.v2$
+        msg: "gopk.in/square/go-jose is archived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
+      - pkg: ^github.com/coreos/go-oidc$
+        msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"
+
+      - pkg: ^github.com/howeyc/gopass$
+        msg: "github.com/howeyc/gopass is archived, use golang.org/x/term instead"
+  goconst:
+    ignore-tests: true
+    min-occurrences: 5
+  gocritic:
+    enabled-checks:
+      - boolExprSimplify
+      - builtinShadow
+      - emptyStringTest
+      - evalOrder
+      - httpNoBody
+      - importShadow
+      - initClause
+      - methodExprCall
+      - paramTypeCombine
+      - preferFilepathJoin
+      - ptrToRefParam
+      - redundantSprint
+      - returnAfterHttpError
+      - stringConcatSimplify
+      - timeExprSimplify
+      - truncateCmp
+      - typeAssertChain
+      - typeUnparen
+      - unnamedResult
+      - unnecessaryBlock
+      - unnecessaryDefer
+      - weakCond
+      - yodaStyleExpr
+  goimports:
+    # Put local imports after 3rd-party packages.
+    local-prefixes: github.com/sapcc/digicert-issuer
+  gomoddirectives:
+    go-version-pattern: '1\.\d+(\.0)?$'
+    replace-allow-list:
+      # for go-pmtud
+      - github.com/mdlayher/arp
+    toolchain-forbidden: true
+  gosec:
+    excludes:
+      # gosec wants us to set a short ReadHeaderTimeout to avoid Slowloris attacks, but doing so would expose us to Keep-Alive race conditions (see https://iximiuz.com/en/posts/reverse-proxy-http-keep-alive-and-502s/)
+      - G112
+      # created file permissions are restricted by umask if necessary
+      - G306
+  govet:
+    enable-all: true
+    disable:
+      - fieldalignment
+  nolintlint:
+    require-specific: true
+  stylecheck:
+    dot-import-whitelist:
+      - github.com/majewsky/gg/option
+      - github.com/onsi/ginkgo/v2
+      - github.com/onsi/gomega
+  usestdlibvars:
+    constant-kind: true
+    crypto-hash: true
+    default-rpc-path: true
+    http-method: true
+    http-status-code: true
+    sql-isolation-level: true
+    time-layout: true
+    time-month: true
+    time-weekday: true
+    tls-signature-scheme: true
+  usetesting:
+    os-temp-dir: true
+  whitespace:
+    # Enforce newlines (or comments) after multi-line function signatures.
+    multi-func: true
+
+linters:
+  # We use 'disable-all' and enable linters explicitly so that a newer version
+  # does not introduce new linters unexpectedly.
+  disable-all: true
+  enable:
+    - bodyclose
+    - containedctx
+    - copyloopvar
+    - dupl
+    - dupword
+    - durationcheck
+    - errcheck
+    - errname
+    - errorlint
+    - exptostd
+    - forbidigo
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - goconst
+    - gocritic
+    - gofmt
+    - goimports
+    - gomoddirectives
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - intrange
+    - misspell
+    - nilerr
+    - noctx
+    - nolintlint
+    - nosprintfhostport
+    - perfsprint
+    - predeclared
+    - rowserrcheck
+    - sqlclosecheck
+    - staticcheck
+    - stylecheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - usetesting
+    - whitespace

.license-scan-overrides.jsonl

@@ -0,0 +1,8 @@
+{"name": "github.com/chzyer/logex", "licenceType": "MIT"}
+{"name": "github.com/hashicorp/vault/api/auth/approle", "licenceType": "MPL-2.0"}
+{"name": "github.com/jpillora/longestcommon", "licenceType": "MIT"}
+{"name": "github.com/miekg/dns", "licenceType": "BSD-3-Clause"}
+{"name": "github.com/spdx/tools-golang", "licenceTextOverrideFile": "vendor/github.com/spdx/tools-golang/LICENSE.code"}
+{"name": "github.com/xeipuuv/gojsonpointer", "licenceType": "Apache-2.0"}
+{"name": "github.com/xeipuuv/gojsonreference", "licenceType": "Apache-2.0"}
+{"name": "github.com/xeipuuv/gojsonschema", "licenceType": "Apache-2.0"}