Synchronize common files from prometheus/prometheus

.github/workflows/golangci-lint.yml

@@ -30,7 +30,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Install Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.26.x
       - name: Install snmp_exporter/generator dependencies

.github/workflows/govulncheck.yml

@@ -0,0 +1,26 @@
+---
+name: govulncheck
+on:
+  pull_request:
+    paths:
+      - VERSION
+      - .github/workflows/govulncheck.yml
+  push:
+    branches:
+      - main
+      - master
+  schedule:
+    - cron: '33 2 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+    name: Run govulncheck
+    steps:
+      - id: govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
+        env:
+          GOOS: ${{ contains(github.repository, 'windows_exporter') && 'windows' || '' }}

Makefile.common

@@ -61,7 +61,7 @@ PROMU_URL     := https://github.com/prometheus/promu/releases/download/v$(PROMU_
 SKIP_GOLANGCI_LINT :=
 GOLANGCI_LINT :=
 GOLANGCI_LINT_OPTS ?=
-GOLANGCI_LINT_VERSION ?= v2.10.1
+GOLANGCI_LINT_VERSION ?= v2.11.4
 GOLANGCI_FMT_OPTS ?=
 # golangci-lint only supports linux, darwin and windows platforms on i386/amd64/arm64.
 # windows isn't included here because of the path separator being different.
@@ -90,9 +90,7 @@ ifdef DOCKERFILE_PATH
 $(error DOCKERFILE_PATH is deprecated. Use DOCKERFILE_VARIANTS ?= $(DOCKERFILE_PATH) in the Makefile)
 endif
 
-DOCKER_ARCHS ?= amd64 armv7 arm64 ppc64le riscv64 s390x
-DOCKERFILE_ARCH_EXCLUSIONS ?=
-DOCKER_REGISTRY_ARCH_EXCLUSIONS ?= quay.io:riscv64
+DOCKER_ARCHS ?= amd64 arm64 armv7 ppc64le riscv64 s390x
 DOCKERFILE_VARIANTS     ?= $(wildcard Dockerfile Dockerfile.*)
 
 # Function to extract variant from Dockerfile label.
@@ -111,24 +109,6 @@ endif
 # Build variant:dockerfile pairs for shell iteration.
 DOCKERFILE_VARIANTS_WITH_NAMES := $(foreach df,$(DOCKERFILE_VARIANTS),$(call dockerfile_variant,$(df)):$(df))
 
-# Shell helper to check whether a dockerfile/arch pair is excluded.
-define dockerfile_arch_is_excluded
-case " $(DOCKERFILE_ARCH_EXCLUSIONS) " in \
-	*" $$dockerfile:$(1) "*) true ;; \
-	*) false ;; \
-esac
-endef
-
-# Shell helper to check whether a registry/arch pair is excluded.
-# Extracts registry from DOCKER_REPO (e.g., quay.io/prometheus -> quay.io)
-define registry_arch_is_excluded
-registry=$$(echo "$(DOCKER_REPO)" | cut -d'/' -f1); \
-case " $(DOCKER_REGISTRY_ARCH_EXCLUSIONS) " in \
-	*" $$registry:$(1) "*) true ;; \
-	*) false ;; \
-esac
-endef
-
 BUILD_DOCKER_ARCHS = $(addprefix common-docker-,$(DOCKER_ARCHS))
 PUBLISH_DOCKER_ARCHS = $(addprefix common-docker-publish-,$(DOCKER_ARCHS))
 TAG_DOCKER_ARCHS = $(addprefix common-docker-tag-latest-,$(DOCKER_ARCHS))
@@ -270,10 +250,6 @@ $(BUILD_DOCKER_ARCHS): common-docker-%:
 	@for variant in $(DOCKERFILE_VARIANTS_WITH_NAMES); do \
 		dockerfile=$${variant#*:}; \
 		variant_name=$${variant%%:*}; \
-		if $(call dockerfile_arch_is_excluded,$*); then \
-			echo "Skipping $$variant_name variant for linux-$* (excluded by DOCKERFILE_ARCH_EXCLUSIONS)"; \
-			continue; \
-		fi; \
 		distroless_arch="$*"; \
 		if [ "$*" = "armv7" ]; then \
 			distroless_arch="arm"; \
@@ -308,14 +284,6 @@ $(PUBLISH_DOCKER_ARCHS): common-docker-publish-%:
 	@for variant in $(DOCKERFILE_VARIANTS_WITH_NAMES); do \
 		dockerfile=$${variant#*:}; \
 		variant_name=$${variant%%:*}; \
-		if $(call dockerfile_arch_is_excluded,$*); then \
-			echo "Skipping push for $$variant_name variant on linux-$* (excluded by DOCKERFILE_ARCH_EXCLUSIONS)"; \
-			continue; \
-		fi; \
-		if $(call registry_arch_is_excluded,$*); then \
-			echo "Skipping push for $$variant_name variant on linux-$* to $(DOCKER_REPO) (excluded by DOCKER_REGISTRY_ARCH_EXCLUSIONS)"; \
-			continue; \
-		fi; \
 		if [ "$$dockerfile" != "Dockerfile" ] || [ "$$variant_name" != "default" ]; then \
 			echo "Pushing $$variant_name variant for linux-$*"; \
 			docker push "$(DOCKER_REPO)/$(DOCKER_IMAGE_NAME)-linux-$*:$(SANITIZED_DOCKER_IMAGE_TAG)-$$variant_name"; \
@@ -343,14 +311,6 @@ $(TAG_DOCKER_ARCHS): common-docker-tag-latest-%:
 	@for variant in $(DOCKERFILE_VARIANTS_WITH_NAMES); do \
 		dockerfile=$${variant#*:}; \
 		variant_name=$${variant%%:*}; \
-		if $(call dockerfile_arch_is_excluded,$*); then \
-			echo "Skipping tag for $$variant_name variant on linux-$* (excluded by DOCKERFILE_ARCH_EXCLUSIONS)"; \
-			continue; \
-		fi; \
-		if $(call registry_arch_is_excluded,$*); then \
-			echo "Skipping tag for $$variant_name variant on linux-$* for $(DOCKER_REPO) (excluded by DOCKER_REGISTRY_ARCH_EXCLUSIONS)"; \
-			continue; \
-		fi; \
 		if [ "$$dockerfile" != "Dockerfile" ] || [ "$$variant_name" != "default" ]; then \
 			echo "Tagging $$variant_name variant for linux-$* as latest"; \
 			docker tag "$(DOCKER_REPO)/$(DOCKER_IMAGE_NAME)-linux-$*:$(SANITIZED_DOCKER_IMAGE_TAG)-$$variant_name" "$(DOCKER_REPO)/$(DOCKER_IMAGE_NAME)-linux-$*:latest-$$variant_name"; \
@@ -372,14 +332,6 @@ common-docker-manifest:
 			echo "Creating manifest for $$variant_name variant"; \
 			refs=""; \
 			for arch in $(DOCKER_ARCHS); do \
-				if $(call dockerfile_arch_is_excluded,$$arch); then \
-					echo "  Skipping $$arch for $$variant_name (excluded by DOCKERFILE_ARCH_EXCLUSIONS)"; \
-					continue; \
-				fi; \
-				if $(call registry_arch_is_excluded,$$arch); then \
-					echo "  Skipping $$arch for $$variant_name on $(DOCKER_REPO) (excluded by DOCKER_REGISTRY_ARCH_EXCLUSIONS)"; \
-					continue; \
-				fi; \
 				refs="$$refs $(DOCKER_REPO)/$(DOCKER_IMAGE_NAME)-linux-$$arch:$(SANITIZED_DOCKER_IMAGE_TAG)-$$variant_name"; \
 			done; \
 			if [ -z "$$refs" ]; then \
@@ -393,14 +345,6 @@ common-docker-manifest:
 			echo "Creating default variant ($$variant_name) manifest"; \
 			refs=""; \
 			for arch in $(DOCKER_ARCHS); do \
-				if $(call dockerfile_arch_is_excluded,$$arch); then \
-					echo "  Skipping $$arch for default variant (excluded by DOCKERFILE_ARCH_EXCLUSIONS)"; \
-					continue; \
-				fi; \
-				if $(call registry_arch_is_excluded,$$arch); then \
-					echo "  Skipping $$arch for default variant on $(DOCKER_REPO) (excluded by DOCKER_REGISTRY_ARCH_EXCLUSIONS)"; \
-					continue; \
-				fi; \
 				refs="$$refs $(DOCKER_REPO)/$(DOCKER_IMAGE_NAME)-linux-$$arch:$(SANITIZED_DOCKER_IMAGE_TAG)"; \
 			done; \
 			if [ -z "$$refs" ]; then \
@@ -415,14 +359,6 @@ common-docker-manifest:
 				echo "Creating manifest for $$variant_name variant version tag"; \
 				refs=""; \
 				for arch in $(DOCKER_ARCHS); do \
-					if $(call dockerfile_arch_is_excluded,$$arch); then \
-						echo "  Skipping $$arch for $$variant_name version tag (excluded by DOCKERFILE_ARCH_EXCLUSIONS)"; \
-						continue; \
-					fi; \
-					if $(call registry_arch_is_excluded,$$arch); then \
-						echo "  Skipping $$arch for $$variant_name version tag on $(DOCKER_REPO) (excluded by DOCKER_REGISTRY_ARCH_EXCLUSIONS)"; \
-						continue; \
-					fi; \
 					refs="$$refs $(DOCKER_REPO)/$(DOCKER_IMAGE_NAME)-linux-$$arch:v$(DOCKER_MAJOR_VERSION_TAG)-$$variant_name"; \
 				done; \
 				if [ -z "$$refs" ]; then \
@@ -436,14 +372,6 @@ common-docker-manifest:
 				echo "Creating default variant version tag manifest"; \
 				refs=""; \
 				for arch in $(DOCKER_ARCHS); do \
-					if $(call dockerfile_arch_is_excluded,$$arch); then \
-						echo "  Skipping $$arch for default variant version tag (excluded by DOCKERFILE_ARCH_EXCLUSIONS)"; \
-						continue; \
-					fi; \
-					if $(call registry_arch_is_excluded,$$arch); then \
-						echo "  Skipping $$arch for default variant version tag on $(DOCKER_REPO) (excluded by DOCKER_REGISTRY_ARCH_EXCLUSIONS)"; \
-						continue; \
-					fi; \
 					refs="$$refs $(DOCKER_REPO)/$(DOCKER_IMAGE_NAME)-linux-$$arch:v$(DOCKER_MAJOR_VERSION_TAG)"; \
 				done; \
 				if [ -z "$$refs" ]; then \
@@ -497,9 +425,3 @@ $(1)_precheck:
 		exit 1; \
 	fi
 endef
-
-govulncheck: install-govulncheck
-	govulncheck ./...
-
-install-govulncheck:
-	command -v govulncheck > /dev/null || go install golang.org/x/vuln/cmd/govulncheck@latest

SECURITY.md

@@ -3,4 +3,4 @@
 The Prometheus security policy, including how to report vulnerabilities, can be
 found here:
 
-<https://prometheus.io/docs/operating/security/>
+[https://prometheus.io/docs/operating/security/](https://prometheus.io/docs/operating/security/)