Allow custom orgs for running govulncheck jobs #314

Merged: cert-manager-prow[bot] merged 1 commit into cert-manager:main from SgtCoDFish:govulncheck-org on Aug 5, 2025

SgtCoDFish commented Aug 5, 2025

Repos outside the cert-manager org might want to use the govulncheck job; this could be other repos depending on makefile-modules, or forks of cert-manager org repos who want to run the job.

By setting govulncheck_generate_org in make/00_mod.mk users of makefile-modules will be able to use a custom org.

This does also change the generate-govulncheck job to only copy the govulncheck workflow file, rather than copying the whole modules/go/base directory, but the govulncheck file was the only one in that repo anyway (and it would be confusing to copy other files in a target called generate-govulncheck)

Testing

I've tested this with a local copy of trust-manager pointing at this branch and it worked as expected. Diff:

diff --git i/.github/workflows/govulncheck.yaml w/.github/workflows/govulncheck.yaml
index 25018fe..7eeeff9 100644
--- i/.github/workflows/govulncheck.yaml
+++ w/.github/workflows/govulncheck.yaml
@@ -17,7 +17,7 @@ jobs:
   govulncheck:
     runs-on: ubuntu-latest
 
-    if: github.repository_owner == 'cert-manager'
+    if: github.repository_owner == 'foobar'
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
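Review bot: The owner gate at `if: github.repository_owner == 'foobar'` places the configured org inside a single-quoted expression literal, so a value carrying stray whitespace would give a condition that is never true and a value containing a quote would give an invalid expression. A job-level `if:` that evaluates to false only marks the job as skipped, so a bad value disables the vulnerability scan without any failing check. Consider documenting that govulncheck_generate_org must be a bare GitHub owner name, or validating it when the workflow is generated.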
diff --git i/make/00_mod.mk w/make/00_mod.mk
index 0da7d33..0024cdd 100644
--- i/make/00_mod.mk
+++ w/make/00_mod.mk
@@ -66,6 +66,8 @@ helm_labels_template_name := trust-manager.labels
 
 golangci_lint_config := .golangci.yaml
 
+govulncheck_generate_org := foobar
+
 define helm_values_mutation_function
 $(YQ) \
 	'( .image.repository = "$(oci_manager_image_name)" ) | \
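Review bot: The new `govulncheck_generate_org := foobar` line in make/00_mod.mk has no comment saying what it controls. A one-line comment above it, noting that it sets the owner in the `if:` condition of the generated .github/workflows/govulncheck.yaml and that the workflow has to be regenerated after changing it, would help the next reader. Keep that comment on its own line rather than after the value, because make keeps the whitespace between a value and a trailing `#` as part of the variable.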

Repos outside the cert-manager org might want to use the govulncheck job;
this could be other repos depending on makefile-modules, or forks of
cert-manager org repos who want to run the job.

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
cert-manager-prow bot added the dco-signoff: yes and size/XS labels Aug 5, 2025

inteon commented Aug 5, 2025

Similar challenges apply to

.

maelvls left a comment

/lgtm

Thanks for testing this with trust-manager and showing the diff!

cert-manager-prow bot added the lgtm label Aug 5, 2025

cert-manager-prow commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

cert-manager-prow bot added the approved label Aug 5, 2025
cert-manager-prow bot merged commit 684d99b into cert-manager:main Aug 5, 2025
4 checks passed
SgtCoDFish deleted the govulncheck-org branch August 5, 2025 09:30
SgtCoDFish added a commit to jetstack/jetstack-secure that referenced this pull request Aug 5, 2025
Previously the org name was hardcoded to "cert-manager" which prevented
the govulncheck Action being run on this repo. This commit does a manual
makefile modules upgrade to adopt the latest changes after [0] merged,
which should re-enable the govulncheck job.

[0]: cert-manager/makefile-modules#314

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
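
The failure mode this thread describes, a generated workflow whose owner gate does not match the repository so that the govulncheck job never runs, can be caught with a drift check. The following is an added example, not code from this PR or from makefile-modules; the file paths come from the diff above, the function names are hypothetical, and passing the repository owner as the third argument (for instance from `GITHUB_REPOSITORY_OWNER`) is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): detect a govulncheck workflow whose owner
# gate would cause the job to be skipped. Function names are hypothetical.

# Value of govulncheck_generate_org in a make file ("" if unset); the last
# assignment wins, and an inline "# comment" and trailing blanks are dropped.
mod_org() {
  sed -n -E 's/^govulncheck_generate_org[[:space:]]*:?=[[:space:]]*([^#]*).*$/\1/p' "$1" \
    | sed -E 's/[[:space:]]+$//' | tail -n 1
}

# Owner literal from the workflow's "if: github.repository_owner == '...'" line.
workflow_org() {
  sed -n -E "s/^[[:space:]]*if:[[:space:]]*github\.repository_owner[[:space:]]*==[[:space:]]*'([^']*)'.*$/\1/p" "$1" \
    | head -n 1
}

# check_gate <00_mod.mk> <workflow.yaml> <repository owner>
# 0 = job will run, 1 = stale workflow or wrong owner, 2 = gate missing/malformed.
check_gate() {
  local want got
  want=$(mod_org "$1"); got=$(workflow_org "$2")
  case "$got" in
    ''|*[!A-Za-z0-9-]*) echo "missing or malformed owner gate in $2" >&2; return 2 ;;
  esac
  if [ -n "$want" ] && [ "$want" != "$got" ]; then
    echo "stale workflow: 00_mod.mk has '$want', workflow has '$got'" >&2; return 1
  fi
  # GitHub Actions compares strings case-insensitively, so do the same here.
  if [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" != \
       "$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" ]; then
    echo "govulncheck would be skipped: gate '$got', owner '$3'" >&2; return 1
  fi
}

# Constructed sample files mirroring the diff above.
make_sample() {  # make_sample <dir> <org in 00_mod.mk> <org in workflow>
  mkdir -p "$1/make" "$1/.github/workflows"
  printf 'govulncheck_generate_org := %s\n' "$2" > "$1/make/00_mod.mk"
  printf "jobs:\n  govulncheck:\n    if: github.repository_owner == '%s'\n" "$3" \
    > "$1/.github/workflows/govulncheck.yaml"
}

d=$(mktemp -d)
make_sample "$d" foobar foobar
check_gate "$d/make/00_mod.mk" "$d/.github/workflows/govulncheck.yaml" foobar && echo "gate ok"
check_gate "$d/make/00_mod.mk" "$d/.github/workflows/govulncheck.yaml" jetstack || echo "exit $?"
rm -rf "$d"
```

Run as a required CI step, a non-zero exit turns a silently skipped scan into a visible failure.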