go makefile maker

.dockerignore

@@ -7,13 +7,10 @@
 # TODO: uncomment when applications no longer use git to get version information
 #.git/
 /.github/
-/.gitignore
-/.golangci.yaml
 /.goreleaser.yml
 /.vscode/
 /CONTRIBUTING.md
 /Dockerfile
-/LICENSE*
 /Makefile.maker.yaml
 /README.md
 /build/

.github/renovate.json

@@ -65,7 +65,7 @@
       "matchPackageNames": [
         "/^k8s.io\\//"
       ],
-      "allowedVersions": "0.28.x"
+      "allowedVersions": "0.33.x"
     }
   ],
   "prHourlyLimit": 0,

.github/workflows/checks.yaml

@@ -29,9 +29,9 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.25.3
+          go-version: 1.25.4
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           version: latest
       - name: Delete pre-installed shellcheck

.github/workflows/ci.yaml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.25.3
+          go-version: 1.25.4
       - name: Build all binaries
         run: make build-all
   code_coverage:
@@ -65,11 +65,11 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.25.3
+          go-version: 1.25.4
       - name: Run tests and generate coverage report
         run: make build/cover.out
       - name: Archive code coverage results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: code-coverage
           path: build/cover.out

.github/workflows/cleanup-ghcr.yaml.yml

@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company
+# SPDX-License-Identifier: Apache-2.0
+
+name: Cleanup GHCR Images
+"on":
+  push:
+    branches:
+      - main
+  workflow_dispatch: {}
+permissions:
+  contents: read
+  packages: write
+jobs:
+  cleanup:
+    name: Cleanup old container images in GHCR
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete untagged GHCR images
+        uses: actions/delete-package-versions@v5
+        with:
+          package-name: 'kvm-node-agent'
+          package-type: 'container'
+          min-versions-to-keep: 1
+          delete-only-untagged-versions: 'true'

.github/workflows/codeql.yaml

@@ -32,7 +32,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           check-latest: true
-          go-version: 1.25.3
+          go-version: 1.25.4
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v4
         with:

.github/workflows/container-registry-ghcr.yaml

@@ -0,0 +1,56 @@
+################################################################################
+# This file is AUTOGENERATED with <https://github.com/sapcc/go-makefile-maker> #
+# Edit Makefile.maker.yaml instead.                                            #
+################################################################################
+
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company
+# SPDX-License-Identifier: Apache-2.0
+
+name: Container Registry GHCR
+"on":
+  push:
+    branches:
+      - main
+  workflow_dispatch: {}
+permissions:
+  contents: read
+  packages: write
+jobs:
+  build-and-push-image:
+    name: Push container to ghcr.io
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          password: ${{ secrets.GITHUB_TOKEN }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            # https://github.com/docker/metadata-action#typeedge
+            type=edge
+            # https://github.com/docker/metadata-action#latest-tag
+            type=raw,value=latest,enable={{is_default_branch}}
+            # https://github.com/docker/metadata-action#typesemver
+            type=semver,pattern={{raw}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}

.github/workflows/publish-helm.yml

@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish Helm Chart GHCR
+"on":
+  push:
+    branches:
+      - main
+    paths:
+      - 'charts/**'
+  workflow_dispatch: {}
+
+
+jobs:
+  publish-chart:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write # Required to push to GHCR
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Install Helm
+        uses: azure/[email protected]
+
+      - name: Package Helm chart
+        run: |
+          helm package ./charts/kvm-node-agent
+
+      - name: Log in to GHCR
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
+
+      - name: Push Helm chart to GHCR
+        run: |
+          CHART_NAME=kvm-node-agent
+          CHART_VERSION=$(grep "version:" ./charts/${CHART_NAME}/Chart.yaml | awk '{print $2}')
+          helm push "${CHART_NAME}-${CHART_VERSION}.tgz" "oci://ghcr.io/${{ github.repository_owner }}"

.golangci.yaml

@@ -57,6 +57,7 @@ linters:
     - intrange
     - iotamixing
     - misspell
+    - modernize
     - nilerr
     - nolintlint
     - nosprintfhostport
@@ -144,6 +145,13 @@ linters:
       enable-all: true
     nolintlint:
       require-specific: true
+    modernize:
+      disable:
+        # omitzero requires removing omitempty tags in kubernetes api struct types which are nested, which is intepreted by controller-gen and breaks the CRDs.
+        - omitzero
+    perfsprint:
+      # modernize generates nicer fix code
+      concat-loop: false
     staticcheck:
       dot-import-whitelist:
         - github.com/majewsky/gg/option
@@ -168,13 +176,13 @@ linters:
   exclusions:
     generated: lax
     presets:
-      - comments
       - common-false-positives
       - legacy
       - std-error-handling
     rules:
       - linters:
           - bodyclose
+          - revive
         path: _test\.go
       # It is idiomatic Go to reuse the name 'err' with ':=' for subsequent errors.
       # Ref: https://go.dev/doc/effective_go#redeclaration

.license-scan-overrides.jsonl

@@ -1,4 +1,5 @@
 {"name": "github.com/chzyer/logex", "licenceType": "MIT"}
+{"name": "github.com/grpc-ecosystem/go-grpc-middleware/v2", "licenceType": "Apache-2.0"}
 {"name": "github.com/hashicorp/vault/api/auth/approle", "licenceType": "MPL-2.0"}
 {"name": "github.com/jpillora/longestcommon", "licenceType": "MIT"}
 {"name": "github.com/logrusorgru/aurora", "licenceType": "Unlicense"}

Dockerfile

@@ -1,7 +1,7 @@
 # SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company
 # SPDX-License-Identifier: Apache-2.0
 
-FROM golang:1.25.3-alpine3.22 AS builder
+FROM golang:1.25.4-alpine3.22 AS builder
 
 RUN apk add --no-cache --no-progress ca-certificates gcc git make musl-dev
 
@@ -11,6 +11,39 @@ RUN make -C /src install PREFIX=/pkg GOTOOLCHAIN=local
 
 ################################################################################
 
+# To only build the tests run: docker build . --target test
+# We can't do `FROM builder AS test` here, as then make prepare-static-check would not be cached during interactive use when developing
+# and caching all the tools, especially golangci-lint, takes a few minutes.
+FROM golang:1.25.4-alpine3.22 AS test
+
+COPY Makefile /src/Makefile
+
+# used below by USER
+RUN addgroup -g 4200 appgroup \
+  && adduser -h /home/appuser -s /sbin/nologin -G appgroup -D -u 4200 appuser
+
+RUN apk add --no-cache --no-progress git make py3-pip \
+  && pip3 install --break-system-packages reuse \
+  && make -C /src prepare-static-check
+
+
+# We only copy here because we want the "prepare-static-check" to be cacheable.
+# It is not a problem that we are overwriting the go cache from the earlier steps because we do not need to rebuild those tools.
+COPY --from=builder /go /go
+COPY --from=builder /src /src
+
+RUN make -C /src static-check
+
+# Some things like postgres do not like to run as root. For simplicity, just always run as an unprivileged user,
+# but for it to be able to read the go cache, we need to allow it.
+RUN chown -R 4200:4200 /src/ /go/
+USER 4200:4200
+RUN cd /src \
+  && git config --global --add safe.directory /src \
+  && make build/cover.out
+
+################################################################################
+
 FROM alpine:3.22
 
 # upgrade all installed packages to fix potential CVEs in advance

Makefile

@@ -46,18 +46,15 @@ install-crds: generate ## Install CRDs into the K8s cluster specified in ~/.kube
 	kubectl kustomize config/crd | kubectl apply -f -
 
 .PHONY: helmify
-helm: manifests kustomize helmify
-	$(KUSTOMIZE) build config/default | $(HELMIFY) -crd-dir charts/kvm-node-agent
+helmify:
+	kubectl kustomize config/default | helmify -crd-dir charts/kvm-node-agent
 
 install-goimports: FORCE
 	@if ! hash goimports 2>/dev/null; then printf "\e[1;36m>> Installing goimports (this may take a while)...\e[0m\n"; go install golang.org/x/tools/cmd/goimports@latest; fi
 
 install-golangci-lint: FORCE
 	@if ! hash golangci-lint 2>/dev/null; then printf "\e[1;36m>> Installing golangci-lint (this may take a while)...\e[0m\n"; go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest; fi
 
-install-modernize: FORCE
-	@if ! hash modernize 2>/dev/null; then printf "\e[1;36m>> Installing modernize (this may take a while)...\e[0m\n"; go install golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest; fi
-
 install-shellcheck: FORCE
 	@if ! hash shellcheck 2>/dev/null; then printf "\e[1;36m>> Installing shellcheck...\e[0m\n"; SHELLCHECK_ARCH=$(shell uname -m); if [[ "$$SHELLCHECK_ARCH" == "arm64" ]]; then SHELLCHECK_ARCH=aarch64; fi; SHELLCHECK_OS=$(shell uname -s | tr '[:upper:]' '[:lower:]'); SHELLCHECK_VERSION="stable"; if command -v curl >/dev/null 2>&1; then GET="curl -sLo-"; elif command -v wget >/dev/null 2>&1; then GET="wget -O-"; else echo "Didn't find curl or wget to download shellcheck"; exit 2; fi; $$GET "https://github.com/koalaman/shellcheck/releases/download/$$SHELLCHECK_VERSION/shellcheck-$$SHELLCHECK_VERSION.$$SHELLCHECK_OS.$$SHELLCHECK_ARCH.tar.xz" | tar -Jxf -; BIN=$$(go env GOBIN); if [[ -z $$BIN ]]; then BIN=$$(go env GOPATH)/bin; fi; install -Dm755 shellcheck-$$SHELLCHECK_VERSION/shellcheck -t "$$BIN"; rm -rf shellcheck-$$SHELLCHECK_VERSION; fi
 
@@ -68,9 +65,9 @@ install-addlicense: FORCE
 	@if ! hash addlicense 2>/dev/null; then printf "\e[1;36m>> Installing addlicense (this may take a while)...\e[0m\n"; go install github.com/google/addlicense@latest; fi
 
 install-reuse: FORCE
-	@if ! hash reuse 2>/dev/null; then if ! hash pip3 2>/dev/null; then printf "\e[1;31m>> Cannot install reuse because no pip3 was found. Either install it using your package manager or install pip3\e[0m\n"; else printf "\e[1;36m>> Installing reuse...\e[0m\n"; pip3 install --user reuse; fi; fi
+	@if ! hash reuse 2>/dev/null; then if ! hash pipx 2>/dev/null; then printf "\e[1;31m>> You are required to manually intervene to install reuse as go-makefile-maker cannot automatically resolve installing reuse on all setups.\e[0m\n"; printf "\e[1;31m>> The preferred way for go-makefile-maker to install python tools after nix-shell is pipx which could not be found. Either install pipx using your package manager or install reuse using your package manager if at least version 6 is available.\e[0m\n"; printf "\e[1;31m>> As your Python was likely installed by your package manager, just doing pip install --user sadly does no longer work as pip issues a warning about breaking your system. Generally running --break-system-packages with --user is safe to do but you should only run this command if you can resolve issues with it yourself: pip3 install --user --break-system-packages reuse\e[0m\n"; else printf "\e[1;36m>> Installing reuse...\e[0m\n"; pipx install reuse; fi; fi
 
-prepare-static-check: FORCE install-golangci-lint install-modernize install-shellcheck install-go-licence-detector install-addlicense install-reuse
+prepare-static-check: FORCE install-goimports install-golangci-lint install-shellcheck install-go-licence-detector install-addlicense install-reuse
 
 install-controller-gen: FORCE
 	@if ! hash controller-gen 2>/dev/null; then printf "\e[1;36m>> Installing controller-gen (this may take a while)...\e[0m\n"; go install sigs.k8s.io/controller-tools/cmd/controller-gen@latest; fi
@@ -127,16 +124,13 @@ generate: install-controller-gen
 	@printf "\e[1;36m>> controller-gen\e[0m\n"
 	@controller-gen crd rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 	@controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..."
+	@controller-gen applyconfiguration paths="./..."
 
 run-golangci-lint: FORCE install-golangci-lint
 	@printf "\e[1;36m>> golangci-lint\e[0m\n"
 	@golangci-lint config verify
 	@golangci-lint run
 
-run-modernize: FORCE install-modernize
-	@printf "\e[1;36m>> modernize\e[0m\n"
-	@modernize $(GO_TESTPKGS)
-
 run-shellcheck: FORCE install-shellcheck
 	@printf "\e[1;36m>> shellcheck\e[0m\n"
 	@find .  -type f \( -name '*.bash' -o -name '*.ksh' -o -name '*.zsh' -o -name '*.sh' -o -name '*.shlib' \) -exec shellcheck  {} +
@@ -160,7 +154,7 @@ check-reuse: FORCE install-reuse
 
 check-license-headers: FORCE check-addlicense check-reuse
 
-__static-check: FORCE run-shellcheck run-golangci-lint run-modernize check-dependency-licenses check-license-headers
+__static-check: FORCE run-shellcheck run-golangci-lint check-dependency-licenses check-license-headers
 
 static-check: FORCE
 	@$(MAKE) --keep-going --no-print-directory __static-check
@@ -189,10 +183,6 @@ goimports: FORCE install-goimports
 	@printf "\e[1;36m>> goimports -w -local https://github.com/cobaltcore-dev/kvm-node-agent\e[0m\n"
 	@goimports -w -local github.com/cobaltcore-dev/kvm-node-agent $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
 
-modernize: FORCE install-modernize
-	@printf "\e[1;36m>> modernize -fix ./...\e[0m\n"
-	@modernize -fix ./...
-
 clean: FORCE
 	git clean -dxf build
 
@@ -225,7 +215,6 @@ help: FORCE
 	@printf "\e[1mPrepare\e[0m\n"
 	@printf "  \e[36minstall-goimports\e[0m            Install goimports required by goimports/static-check\n"
 	@printf "  \e[36minstall-golangci-lint\e[0m        Install golangci-lint required by run-golangci-lint/static-check\n"
-	@printf "  \e[36minstall-modernize\e[0m            Install modernize required by run-modernize/static-check\n"
 	@printf "  \e[36minstall-shellcheck\e[0m           Install shellcheck required by run-shellcheck/static-check\n"
 	@printf "  \e[36minstall-go-licence-detector\e[0m  Install-go-licence-detector required by check-dependency-licenses/static-check\n"
 	@printf "  \e[36minstall-addlicense\e[0m           Install addlicense required by check-license-headers/license-headers/static-check\n"
@@ -243,7 +232,6 @@ help: FORCE
 	@printf "  \e[36mcheck\e[0m                        Run the test suite (unit tests and golangci-lint).\n"
 	@printf "  \e[36mgenerate\e[0m                     Generate code for Kubernetes CRDs and deepcopy.\n"
 	@printf "  \e[36mrun-golangci-lint\e[0m            Install and run golangci-lint. Installing is used in CI, but you should probably install golangci-lint using your package manager.\n"
-	@printf "  \e[36mrun-modernize\e[0m                Install and run modernize. Installing is used in CI, but you should probably install modernize using your package manager.\n"
 	@printf "  \e[36mrun-shellcheck\e[0m               Install and run shellcheck. Installing is used in CI, but you should probably install shellcheck using your package manager.\n"
 	@printf "  \e[36mbuild/cover.out\e[0m              Run tests and generate coverage report.\n"
 	@printf "  \e[36mbuild/cover.html\e[0m             Generate an HTML file with source code annotations from the coverage report.\n"
@@ -257,7 +245,6 @@ help: FORCE
 	@printf "  \e[36mlicense-headers\e[0m              Add (or overwrite) license headers on all non-vendored source code files.\n"
 	@printf "  \e[36mcheck-dependency-licenses\e[0m    Check all dependency licenses using go-licence-detector.\n"
 	@printf "  \e[36mgoimports\e[0m                    Run goimports on all non-vendored .go files\n"
-	@printf "  \e[36mmodernize\e[0m                    Run modernize on all non-vendored .go files\n"
 	@printf "  \e[36mclean\e[0m                        Run git clean.\n"
 
 .PHONY: FORCE

Makefile.maker.yaml

@@ -36,6 +36,15 @@ githubWorkflow:
   securityChecks:
     enabled: true
     queries: security-extended
+  pushContainerToGhcr:
+    enabled: true
+    platforms: "linux/amd64,linux/arm64"
+    tagStrategy:
+      - edge
+      - latest
+      - semver
+  license:
+    enabled: true
 
 metadata:
   url: https://github.com/cobaltcore-dev/kvm-node-agent