From c9b508703b0209ca45db11ac614eb6f00ad64279 Mon Sep 17 00:00:00 2001
From: Kurt Garloff
Date: Wed, 6 May 2026 17:44:35 +0000
Subject: [PATCH 1/5] Update csctl-build-image to go-1.25.
Being at it:
- Updating alpine 3.23.0 -> 3.23.4 (latest patch update)
- Lychee 0.15.1 -> 0.24.0
- golangci 2.7.2 -> 2.9.0
- trivy 0.68.2 -> 0.70.0
To get go-1.25, we had to switch from Bullseye (Debian 11) to Bookworm (12). That brought a few more changes:
- skopeo 1.2.2 -> 1.9.3
- yamllint 1.37.1 -> 1.38.0
Signed-off-by: Kurt Garloff
---
 .builder-image-version.txt | 2 +-
 images/builder/Dockerfile | 22 +++++++++++-----------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/.builder-image-version.txt b/.builder-image-version.txt
index 71790396..53a75d67 100644
--- a/.builder-image-version.txt
+++ b/.builder-image-version.txt
@@ -1 +1 @@
-0.2.3
+0.2.6
diff --git a/images/builder/Dockerfile b/images/builder/Dockerfile
index 229c2ee1..22df10a5 100644
--- a/images/builder/Dockerfile
+++ b/images/builder/Dockerfile
@@ -17,20 +17,20 @@
 # If you make changes to this Dockerfile run `make builder-image-push`.
 # Install Lychee
-FROM docker.io/library/alpine:3.23.0@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 as lychee
+FROM docker.io/library/alpine:3.23.4@sha256:4d889c14e7d5a73929ab00be2ef8ff22437e7cbc545931e52554a7b00e123d8b as lychee
 # update: datasource=github-tags depName=lycheeverse/lychee versioning=semver
-ENV LYCHEE_VERSION="v0.15.1"
+ENV LYCHEE_VERSION="v0.24.2"
 # hadolint ignore=DL3018
 RUN apk add --no-cache curl && \
- curl -L -o /tmp/lychee-${LYCHEE_VERSION}.tgz https://github.com/lycheeverse/lychee/releases/download/${LYCHEE_VERSION}/lychee-${LYCHEE_VERSION}-x86_64-unknown-linux-gnu.tar.gz && \
+ curl -L -o /tmp/lychee-${LYCHEE_VERSION}.tgz https://github.com/lycheeverse/lychee/releases/download/lychee-${LYCHEE_VERSION}/lychee-x86_64-unknown-linux-gnu.tar.gz && \
 tar -xz -C /tmp -f /tmp/lychee-${LYCHEE_VERSION}.tgz && \
- mv /tmp/lychee /usr/bin/lychee && \
+ mv /tmp/lychee-x86_64-unknown-linux-gnu/lychee /usr/bin/lychee && \
 rm -rf /tmp/linux-amd64 /tmp/lychee-${LYCHEE_VERSION}.tgz
 # Install Golang CI Lint
-FROM docker.io/library/alpine:3.23.0@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 as golangci
+FROM docker.io/library/alpine:3.23.4@sha256:4d889c14e7d5a73929ab00be2ef8ff22437e7cbc545931e52554a7b00e123d8b as golangci
 # update: datasource=github-tags depName=golangci/golangci-lint versioning=semver
-ENV GOLANGCI_VERSION="v2.7.2"
+ENV GOLANGCI_VERSION="v2.9.0"
 WORKDIR /
 # hadolint ignore=DL3018,DL4006
 RUN apk add --no-cache curl && \
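Review bot: The new `mv` line takes the binary out of `/tmp/lychee-x86_64-unknown-linux-gnu/`, but the cleanup that follows still removes `/tmp/linux-amd64` (a path nothing in this hunk creates), so the extracted directory stays behind in the stage; change it to `rm -rf /tmp/lychee-x86_64-unknown-linux-gnu /tmp/lychee-${LYCHEE_VERSION}.tgz`. The fetch is `curl -L` without `-f`, and the tarball is never compared against a recorded digest, so an HTTP error page or a swapped release asset only surfaces if `tar` happens to choke on it; `curl -fsSL` plus a sha256 pinned in the Dockerfile and checked with `sha256sum -c` before `tar` would make the download fail closed. Minor: the commit message says Lychee moves to 0.24.0 while the hunk sets `v0.24.2`. The golangci `RUN` on the hunk's last line continues outside it.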
@@ -40,17 +40,17 @@ RUN apk add --no-cache curl && \
 FROM docker.io/hadolint/hadolint:v2.14.0-alpine@sha256:7aba693c1442eb31c0b015c129697cb3b6cb7da589d85c7562f9deb435a6657c as hadolint
 # Install Trivy
-FROM docker.io/aquasec/trivy:0.68.2@sha256:05d0126976bdedcd0782a0336f77832dbea1c81b9cc5e4b3a5ea5d2ec863aca7 as trivy
+FROM docker.io/aquasec/trivy:0.70.0@sha256:be1190afcb28352bfddc4ddeb71470835d16462af68d310f9f4bca710961a41e as trivy
 ############################
 # csctl Build Image Base #
 ############################
-FROM docker.io/library/golang:1.22-bullseye
+FROM docker.io/library/golang:1.25-bookworm
 # update: datasource=repology depName=debian_11/skopeo versioning=loose
-ENV SKOPEO_VERSION="1.2.2+dfsg1-1+b6"
+ENV SKOPEO_VERSION="1.9.3+ds1-1+b10"
 # update: datasource=github-tags depName=adrienverge/yamllint versioning=semver
-ENV YAMLLINT_VERSION="v1.37.1"
+ENV YAMLLINT_VERSION="v1.38.0"
 # update: datasource=github-tags depName=opt-nc/yamlfixer versioning=semver
 ENV YAMLFIXER_VERSION="0.9.15"
@@ -63,7 +63,7 @@ RUN apt-get update && \
 protobuf-compiler libprotobuf-dev \
 libsystemd-dev jq && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
- pip install --no-cache-dir \
+ pip install --break-system-packages --no-cache-dir \
 yamllint==${YAMLLINT_VERSION} \
 yamlfixer-opt-nc==${YAMLFIXER_VERSION}
From b693af6f0d67879b7fed399cbccec70680d30333 Mon Sep 17 00:00:00 2001
From: Kurt Garloff
Date: Wed, 6 May 2026 20:17:33 +0000
Subject: [PATCH 2/5] Use kubebuilder-pr-verify directly rather than -release-tools.
The latter is outdated and included a reference to grc.io that broke. So use directly a working container.
Assisted-by: Qwen3.6
Signed-off-by: Kurt Garloff
---
 .github/workflows/pr-verify.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
index 7246bd88..c96a27bf 100644
--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
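Review bot: `FROM docker.io/library/golang:1.25-bookworm` is the only base in this file left without a digest — the lychee, golangci, hadolint and trivy stages all carry `@sha256:` — so the final stage, the one whose packages and Go toolchain actually ship, is the one that can drift between rebuilds; pin it the same way, `FROM docker.io/library/golang:1.25-bookworm@sha256:<digest-of-the-image-you-tested>`. The renovate hint on the context line above the changed `ENV SKOPEO_VERSION` still reads `depName=debian_11/skopeo` while the value is now a Bookworm package version (`1.9.3+ds1-1+b10`), so the bot will keep tracking Debian 11; it should become `# update: datasource=repology depName=debian_12/skopeo versioning=loose`. The commit message and the `FROM` agree on Bookworm, so the stale hint looks like an oversight rather than intent.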
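Review bot: `pip install --break-system-packages` on the new line writes into Bookworm's externally-managed system site-packages, so a yamllint/yamlfixer dependency can replace a python3 module that apt owns and a later apt operation can silently undo it; the enclosing `RUN apt-get update && \` starts before this hunk. A venv keeps the distro Python untouched and needs no override: `python3 -m venv /opt/venv && /opt/venv/bin/pip install --no-cache-dir \` followed by the same two package lines, plus `ENV PATH="/opt/venv/bin:${PATH}"` so `yamllint` and `yamlfixer` stay on PATH (add `python3-venv` to the apt list if it is not already there). If the override is kept on purpose, a one-line comment saying why — `# --break-system-packages: bookworm sets the PEP 668 marker; this image owns its python` — would save the next reader the question.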
@@ -11,7 +11,7 @@ jobs:
 steps:
 - name: Verifier action
 id: verifier
- uses: kubernetes-sigs/kubebuilder-release-tools@012269a88fa4c034a0acf1ba84c26b195c0dbab4 # v0.4.3
+ uses: kubernetes-sigs/kubebuilder-pr-verifier:v0.4.4
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
From 44e4c087cf7a2b4ee6154ac5e00e647c783ebc04 Mon Sep 17 00:00:00 2001
From: Kurt Garloff
Date: Wed, 6 May 2026 20:21:01 +0000
Subject: [PATCH 3/5] Fix syntax.
Signed-off-by: Kurt Garloff
---
 .github/workflows/pr-verify.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
index c96a27bf..318a9208 100644
--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
@@ -11,7 +11,7 @@ jobs:
 steps:
 - name: Verifier action
 id: verifier
- uses: kubernetes-sigs/kubebuilder-pr-verifier:v0.4.4
+ uses: kubernetes-sigs/kubebuilder-pr-verifier@v0.4.4
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
From 351012949374ba22cd5d16bc7df1f103e7f16c65 Mon Sep 17 00:00:00 2001
From: Kurt Garloff
Date: Wed, 6 May 2026 20:56:14 +0000
Subject: [PATCH 4/5] Old pr-verify won't work any more.
Follow advice from https://github.com/kubernetes-sigs/kubebuilder-release-tools#pr-verification-github-action-deprecated
Signed-off-by: Kurt Garloff
---
 .github/workflows/pr-verify.yml | 70 ---------------------------------
 .github/workflows/verifier.yml | 42 ++++++++++++++++++++
 2 files changed, 42 insertions(+), 70 deletions(-)
 delete mode 100644 .github/workflows/pr-verify.yml
 create mode 100644 .github/workflows/verifier.yml
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
deleted file mode 100644
index 318a9208..00000000
--- a/.github/workflows/pr-verify.yml
+++ /dev/null
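Review bot: The new `uses:` line drops the commit-SHA pin the removed line had (`@012269a… # v0.4.3`) in favour of a mutable version tag, and this workflow runs on `pull_request_target` with `secrets.GITHUB_TOKEN`, so whatever the tag resolves to at run time executes with the repository token on every PR; pin it as `uses: kubernetes-sigs/kubebuilder-pr-verifier@<full-commit-sha-of-v0.4.4> # v0.4.4`. The same applies to the hunk in 3/5, which only corrects the `:` to `@`. Since 4/5 deletes this file outright, both hunks are dead history; squashing 2/5–4/5 would leave the series without a broken intermediate state.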
@@ -1,70 +0,0 @@
-name: Verify Pull Request
-on: # yamllint disable-line rule:truthy
- pull_request_target:
- types: [opened, edited, synchronize, reopened, ready_for_review]
-# yamllint disable rule:line-length
-jobs:
- pr-verify:
- runs-on: ubuntu-latest
- name: Verify Pull Request
- if: github.event_name != 'pull_request_target' || !github.event.pull_request.draft
- steps:
- - name: Verifier action
- id: verifier
- uses: kubernetes-sigs/kubebuilder-pr-verifier@v0.4.4
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- with:
- ref: ${{ github.event.pull_request.head.sha }}
-
- - name: Verify Boilerplate
- run: make verify-boilerplate
-
- - name: Verify Shellcheck
- run: make verify-shellcheck
-
- - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
- with:
- node-version: "22"
- - name: Install renovate
- run: npm i -g renovate@35.54.0 # TODO update this via renovatebot
-
- - name: Validate config
- run: |
- for file in $(find . -name "*.json5"); do
- renovate-config-validator ${file}
- done
-
- - name: Generate Token
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
- id: generate-token
- with:
- app_id: ${{ secrets.SCS_APP_ID }}
- private_key: ${{ secrets.SCS_APP_PRIVATE_KEY }}
- - name: Generate Size
- uses: pascalgn/size-label-action@f8edde36b3be04b4f65dcfead05dc8691b374348 # v0.5.5
- env:
- GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
- with:
- sizes: >
- {
- "0": "XS",
- "20": "S",
- "50": "M",
- "200": "L",
- "800": "XL",
- "2000": "XXL"
- }
- - name: Generate Labels
- uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
- with:
- configuration-path: .github/labeler.yaml
- repo-token: ${{ steps.generate-token.outputs.token }}
- - name: Sync Labels
- uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2
- with:
- config-file: .github/labels.yaml
- token: ${{ steps.generate-token.outputs.token }}
diff --git a/.github/workflows/verifier.yml b/.github/workflows/verifier.yml
new file mode 100644
index 00000000..68febd41
--- /dev/null
+++ b/.github/workflows/verifier.yml
@@ -0,0 +1,42 @@
+name: "PR Title Verifier"
+
+on:
+ pull_request:
+ types: [opened, edited, synchronize, reopened]
+
+permissions: {}
+
+jobs:
+ verify:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Validate PR Title Format
+ env:
+ TITLE: ${{ github.event.pull_request.title }}
+ run: |
+ if [[ -z "$TITLE" ]]; then
+ echo "Error: PR title cannot be empty."
+ exit 1
+ fi
+
+ if ! [[ "$TITLE" =~ ^($'\u26A0'|$'\u2728'|$'\U0001F41B'|$'\U0001F4D6'|$'\U0001F680'|$'\U0001F331') ]]; then
+ echo "Error: Invalid PR title format."
+ echo "Your PR title must start with one of the following indicators:"
+ echo "- Breaking change: ⚠ (U+26A0)"
+ echo "- Non-breaking feature: ✨ (U+2728)"
+ echo "- Patch fix: 🐛 (U+1F41B)"
+ echo "- Docs: 📖 (U+1F4D6)"
+ echo "- Release: 🚀 (U+1F680)"
+ echo "- Infra/Tests/Other: 🌱 (U+1F331)"
+ exit 1
+ fi
+
+ echo "PR title is valid: '$TITLE'"
From 0a47a4d473400afe12f6742554bd59f9655c959e Mon Sep 17 00:00:00 2001
From: Kurt Garloff
Date: Wed, 6 May 2026 22:05:04 +0000
Subject: [PATCH 5/5] Update golangci-lint to latest v2.12.2
Signed-off-by: Kurt Garloff
---
 images/builder/Dockerfile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/images/builder/Dockerfile b/images/builder/Dockerfile
index 22df10a5..988a4c57 100644
--- a/images/builder/Dockerfile
+++ b/images/builder/Dockerfile
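Review bot: The `Checkout code` step is unused — the only other step reads `github.event.pull_request.title` from the event payload and never touches the working tree — so the job can drop that step together with the `contents: read` grant and let the top-level `permissions: {}` be the whole token scope; the `pull_request` trigger, `persist-credentials: false` and passing the title through `env` rather than interpolating it into `run:` are otherwise the right shape. Separately, the file this patch deletes also ran `make verify-boilerplate`, `make verify-shellcheck`, `renovate-config-validator` and the size/labeler/label-sync steps, and nothing in the new file picks those up, so unless they live in another workflow the series silently removes those checks. A comment at the top of the file stating the intended scope, e.g. `# Title format only; boilerplate/shellcheck verification lives in <other-workflow>`, or a second job restoring them, would make that decision explicit.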
@@ -30,11 +30,12 @@ RUN apk add --no-cache curl && \
 # Install Golang CI Lint
 FROM docker.io/library/alpine:3.23.4@sha256:4d889c14e7d5a73929ab00be2ef8ff22437e7cbc545931e52554a7b00e123d8b as golangci
 # update: datasource=github-tags depName=golangci/golangci-lint versioning=semver
-ENV GOLANGCI_VERSION="v2.9.0"
+ENV GOLANGCI_VERSION="v2.12.2"
 WORKDIR /
 # hadolint ignore=DL3018,DL4006
 RUN apk add --no-cache curl && \
- curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s ${GOLANGCI_VERSION}
+ curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/main/install.sh | \
+ sh -s ${GOLANGCI_VERSION}
 # Install Hadolint
 FROM docker.io/hadolint/hadolint:v2.14.0-alpine@sha256:7aba693c1442eb31c0b015c129697cb3b6cb7da589d85c7562f9deb435a6657c as hadolint
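Review bot: The `curl -sfL .../golangci-lint/main/install.sh | sh -s ${GOLANGCI_VERSION}` lines pin the linter version but not the installer: whatever sits on the `main` branch at build time runs as root in the stage, and because `DL4006` is ignored and no `pipefail` is set, a failed download hands `sh` an empty stream and the step exits 0 with no `golangci-lint` installed. Fetch the script from the same tag as the binary, `curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/${GOLANGCI_VERSION}/install.sh | \` (the tagged tree should carry `install.sh` — verify), and put `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` before the `RUN` so a curl error fails the build instead of being masked, which also lets the `DL4006` ignore go. Downloading to a file and checking its sha256 before executing it would remove the pipe altogether.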