upgrade go makefile maker, run

.dockerignore

@@ -1,18 +1,20 @@
-.dockerignore
+/.dockerignore
+.DS_Store
 # TODO: uncomment when applications no longer use git to get version information
 #.git/
-.github/
-.gitignore
-.goreleaser.yml
+/.github/
+/.gitignore
+/.goreleaser.yml
 /*.env*
-.golangci.yaml
-build/
-CONTRIBUTING.md
-Dockerfile
-docs/
-LICENSE*
-Makefile.maker.yaml
-README.md
-report.html
-shell.nix
+/.golangci.yaml
+/.vscode/
+/build/
+/CONTRIBUTING.md
+/Dockerfile
+/docs/
+/LICENSE*
+/Makefile.maker.yaml
+/README.md
+/report.html
+/shell.nix
 /testing/

.github/renovate.json

@@ -1,6 +1,7 @@
 {
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base",
+    "config:recommended",
     "default:pinDigestsDisabled",
     "mergeConfidence:all-badges",
     "docker:disable"
@@ -10,7 +11,7 @@
   ],
   "commitMessageAction": "Renovate: Update",
   "constraints": {
-    "go": "1.22"
+    "go": "1.23"
   },
   "dependencyDashboardOSVVulnerabilitySummary": "all",
   "osvVulnerabilityAlerts": true,
@@ -23,21 +24,19 @@
       "matchPackageNames": [
         "golang"
       ],
-      "allowedVersions": "1.22.x"
+      "allowedVersions": "1.23.x"
     },
     {
-      "matchPackagePatterns": [
-        "^github\\.com\\/sapcc\\/.*"
+      "matchPackageNames": [
+        "/^github\\.com\\/sapcc\\/.*/"
       ],
       "automerge": true,
       "groupName": "github.com/sapcc"
     },
     {
-      "excludePackagePatterns": [
-        "^github\\.com\\/sapcc\\/.*"
-      ],
-      "matchPackagePatterns": [
-        ".*"
+      "matchPackageNames": [
+        "!/^github\\.com\\/sapcc\\/.*/",
+        "/.*/"
       ],
       "groupName": "External dependencies"
     }

.github/workflows/checks.yaml

@@ -11,6 +11,7 @@ name: Checks
   pull_request:
     branches:
       - '*'
+  workflow_dispatch: {}
 permissions:
   checks: write
   contents: read
@@ -25,7 +26,15 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: "1.22"
+          go-version: 1.23.2
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+      - name: Dependency Licenses Review
+        run: make check-dependency-licenses
+      - name: Run govulncheck
+        uses: golang/govulncheck-action@v1
       - name: Check for spelling errors
         uses: reviewdog/action-misspell@v1
         with:
@@ -34,3 +43,5 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           ignore: importas
           reporter: github-check
+      - name: Check if source code files have license header
+        run: make check-license-headers

.github/workflows/ci.yaml

@@ -8,14 +8,19 @@ name: CI
   push:
     branches:
       - master
+    paths-ignore:
+      - '**.md'
   pull_request:
     branches:
       - '*'
+    paths-ignore:
+      - '**.md'
+  workflow_dispatch: {}
 permissions:
   contents: read
 jobs:
-  buildAndLint:
-    name: Build & Lint
+  build:
+    name: Build
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
@@ -24,17 +29,13 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: "1.22"
+          go-version: 1.23.2
       - name: Build all binaries
         run: make build-all
-      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v4
-        with:
-          version: latest
   test:
     name: Test
     needs:
-      - buildAndLint
+      - build
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
@@ -43,7 +44,7 @@ jobs:
         uses: actions/setup-go@v5
         with:
           check-latest: true
-          go-version: "1.22"
+          go-version: 1.23.2
       - name: Run tests and generate coverage report
         run: make build/cover.out
       - name: Upload coverage report to Coveralls

.github/workflows/codeql.yaml

@@ -0,0 +1,41 @@
+################################################################################
+# This file is AUTOGENERATED with <https://github.com/sapcc/go-makefile-maker> #
+# Edit Makefile.maker.yaml instead.                                            #
+################################################################################
+
+name: CodeQL
+"on":
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  schedule:
+    - cron: '00 07 * * 1'
+  workflow_dispatch: {}
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+jobs:
+  analyze:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version: 1.23.2
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: go
+          queries: security-extended
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3

.golangci.yaml

@@ -16,10 +16,13 @@ issues:
     # It is idiomatic Go to reuse the name 'err' with ':=' for subsequent errors.
     # Ref: https://go.dev/doc/effective_go#redeclaration
     - 'declaration of "err" shadows declaration at'
+  exclude-dirs:
+    - pkg/api/ui/*
   exclude-rules:
     - path: _test\.go
       linters:
         - bodyclose
+        - dupl
   # '0' disables the following options.
   max-issues-per-linter: 0
   max-same-issues: 0
@@ -34,13 +37,25 @@ linters-settings:
     # Report about not checking of errors in type assertions.
     check-type-assertions: true
   forbidigo:
+    analyze-types: true # required for pkg:
     forbid:
       # ioutil package has been deprecated: https://github.com/golang/go/issues/42026
       - ^ioutil\..*$
       # Using http.DefaultServeMux is discouraged because it's a global variable that some packages silently and magically add handlers to (esp. net/http/pprof).
       # Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
       - ^http\.DefaultServeMux$
       - ^http\.Handle(?:Func)?$
+      # Forbid usage of old and archived square/go-jose
+      - pkg: ^gopkg\.in/square/go-jose\.v2$
+        msg: "gopk.in/square/go-jose is archived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
+      - pkg: ^github.com/coreos/go-oidc$
+        msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"
+
+      - pkg: ^github.com/howeyc/gopass$
+        msg: "github.com/howeyc/gopass is archived, use golang.org/x/term instead"
+  goconst:
+    ignore-tests: true
+    min-occurrences: 5
   gocritic:
     enabled-checks:
       - boolExprSimplify
@@ -76,8 +91,9 @@ linters-settings:
       # created file permissions are restricted by umask if necessary
       - G306
   govet:
-    # Report about shadowed variables.
-    check-shadowing: true
+    enable-all: true
+    disable:
+      - fieldalignment
   nolintlint:
     require-specific: true
   stylecheck:
@@ -90,12 +106,10 @@ linters-settings:
     default-rpc-path: true
     http-method: true
     http-status-code: true
-    os-dev-null: true
     sql-isolation-level: true
-    syslog-priority: true
-    time-weekday: true
-    time-month: true
     time-layout: true
+    time-month: true
+    time-weekday: true
     tls-signature-scheme: true
   whitespace:
     # Enforce newlines (or comments) after multi-line function signatures.
@@ -108,27 +122,32 @@ linters:
   enable:
     - bodyclose
     - containedctx
+    - copyloopvar
     - dupl
     - dupword
     - durationcheck
     - errcheck
+    - errname
     - errorlint
-    - exportloopref
     - forbidigo
     - ginkgolinter
     - gocheckcompilerdirectives
+    - goconst
     - gocritic
     - gofmt
     - goimports
     - gosec
     - gosimple
     - govet
     - ineffassign
+    - intrange
     - misspell
+    - nilerr
     - noctx
     - nolintlint
     - nosprintfhostport
     - perfsprint
+    - predeclared
     - rowserrcheck
     - sqlclosecheck
     - staticcheck

.license-scan-overrides.jsonl

@@ -2,3 +2,6 @@
 {"name": "github.com/hashicorp/vault/api/auth/approle", "licenceType": "MPL-2.0"}
 {"name": "github.com/jpillora/longestcommon", "licenceType": "MIT"}
 {"name": "github.com/spdx/tools-golang", "licenceTextOverrideFile": "vendor/github.com/spdx/tools-golang/LICENSE.code"}
+{"name": "github.com/xeipuuv/gojsonpointer", "licenceType": "Apache-2.0"}
+{"name": "github.com/xeipuuv/gojsonreference", "licenceType": "Apache-2.0"}
+{"name": "github.com/xeipuuv/gojsonschema", "licenceType": "Apache-2.0"}

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22.1-alpine3.19 as builder
+FROM golang:1.23.2-alpine3.20 AS builder
 
 RUN apk add --no-cache --no-progress ca-certificates gcc git make musl-dev
 
@@ -8,7 +8,7 @@ RUN make -C /src install PREFIX=/pkg GOTOOLCHAIN=local
 
 ################################################################################
 
-FROM alpine:3.19
+FROM alpine:3.20
 
 RUN addgroup -g 4200 appgroup \
   && adduser -h /home/appuser -s /sbin/nologin -G appgroup -D -u 4200 appuser

Makefile

@@ -22,6 +22,7 @@ build/maia: generate
 build-all: generate
 static-check: generate
 build/cover.out: generate
+prepare-static-check: generate
 
 generate: FORCE
 	if ! hash mockgen 2>/dev/null; then go install go.uber.org/mock/mockgen@latest; fi
@@ -46,11 +47,12 @@ prepare-static-check: FORCE
 GO_BUILDFLAGS =
 GO_LDFLAGS =
 GO_TESTENV =
+GO_BUILDENV =
 
 build-all: build/maia
 
 build/maia: FORCE
-	go build $(GO_BUILDFLAGS) -ldflags '-s -w $(GO_LDFLAGS)' -o build/maia .
+	@env $(GO_BUILDENV) go build $(GO_BUILDFLAGS) -ldflags '-s -w $(GO_LDFLAGS)' -o build/maia .
 
 DESTDIR =
 ifeq ($(shell uname -s),Darwin)
@@ -65,6 +67,9 @@ install: FORCE build/maia
 
 # which packages to test with test runner
 GO_TESTPKGS := $(shell go list -f '{{if or .TestGoFiles .XTestGoFiles}}{{.ImportPath}}{{end}}' ./...)
+ifeq ($(GO_TESTPKGS),)
+GO_TESTPKGS := ./...
+endif
 # which packages to measure coverage for
 GO_COVERPKGS := $(shell go list ./...)
 # to get around weird Makefile syntax restrictions, we need variables containing nothing, a space and comma
@@ -98,11 +103,11 @@ tidy-deps: FORCE
 
 license-headers: FORCE prepare-static-check
 	@printf "\e[1;36m>> addlicense\e[0m\n"
-	@addlicense -c "SAP SE"  -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+	@addlicense -c "SAP SE" -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
 
 check-license-headers: FORCE prepare-static-check
 	@printf "\e[1;36m>> addlicense --check\e[0m\n"
-	@addlicense --check  -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
+	@addlicense --check -- $(patsubst $(shell awk '$$1 == "module" {print $$2}' go.mod)%,.%/*.go,$(shell go list ./...))
 
 check-dependency-licenses: FORCE prepare-static-check
 	@printf "\e[1;36m>> go-licence-detector\e[0m\n"
@@ -113,6 +118,7 @@ clean: FORCE
 
 vars: FORCE
 	@printf "DESTDIR=$(DESTDIR)\n"
+	@printf "GO_BUILDENV=$(GO_BUILDENV)\n"
 	@printf "GO_BUILDFLAGS=$(GO_BUILDFLAGS)\n"
 	@printf "GO_COVERPKGS=$(GO_COVERPKGS)\n"
 	@printf "GO_LDFLAGS=$(GO_LDFLAGS)\n"
@@ -145,7 +151,7 @@ help: FORCE
 	@printf "\n"
 	@printf "\e[1mDevelopment\e[0m\n"
 	@printf "  \e[36mtidy-deps\e[0m                  Run go mod tidy and go mod verify.\n"
-	@printf "  \e[36mlicense-headers\e[0m            Add license headers to all non-vendored .go files.\n"
+	@printf "  \e[36mlicense-headers\e[0m            Add license headers to all non-vendored source code files.\n"
 	@printf "  \e[36mcheck-license-headers\e[0m      Check license headers in all non-vendored .go files.\n"
 	@printf "  \e[36mcheck-dependency-licenses\e[0m  Check all dependency licenses using go-licence-detector.\n"
 	@printf "  \e[36mclean\e[0m                      Run git clean.\n"