Migrate to use Makefile modules

.github/dependabot.yaml

@@ -0,0 +1,20 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/dependabot.yaml instead.
+
+# Update Go dependencies and GitHub Actions dependencies weekly.
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: /
+  schedule:
+    interval: weekly
+  groups:
+    all:
+      patterns: ["*"]
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: weekly
+  groups:
+    all:
+      patterns: ["*"]

.github/workflows/e2e_tests.yml

@@ -1,44 +1,47 @@
-# This workflow runs priviledged e2e tests for trusted sources.
+# This workflow runs unpriviledged unit tests.
 name: e2e-tests
 on:
   push:
     branches:
       - main
-  schedule:
-    # At 03:23 on every 3rd day
-    - cron: "23 3 */3 * *"
+
+  pull_request:
+    branches:
+      - main
 
 jobs:
   run_e2e_tests:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
+
     steps:
-    - name: Install Go
-      uses: actions/setup-go@v3
+    - uses: actions/checkout@v3
       with:
-        go-version: '^1.19'
+        fetch-tags: true
+
+    - id: go-version
+      run: |
+        make print-go-version >> "$GITHUB_OUTPUT"
 
-    - name: Checkout
-      uses: actions/checkout@v3
+    - uses: actions/setup-go@v5
       with:
-        fetch-tags: true
+        go-version: ${{ steps.go-version.outputs.result }}
 
-    - id: 'auth'
-      name: 'Authenticate to Google Cloud'
-      uses: 'google-github-actions/auth@v0'
+    - id: auth
+      name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@v0
       with:
         workload_identity_provider: 'projects/874174494201/locations/global/workloadIdentityPools/google-cas-issuer-e2e/providers/google-cas-issuer-e2e'
         service_account: '[email protected]'
 
-    - name: Run e2e tests
-      run: make e2e
+    - run: make test-e2e
       env:
         TEST_GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }}
 
     - uses: actions/upload-artifact@v3
       if: always()
       with:
-        name: e2e-logs
-        path: _artifacts/e2e/logs
+        name: e2e-artifacts
+        path: _bin/artifacts

.github/workflows/make-self-upgrade.yaml

@@ -0,0 +1,86 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/repository-base/base/.github/workflows/make-self-upgrade.yaml instead.
+
+name: make-self-upgrade
+concurrency: make-self-upgrade
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  build_images:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Fail if branch is not main
+        if: github.ref != 'refs/heads/main'
+        run: |
+          echo "This workflow should not be run on a branch other than main."
+          exit 1
+
+      - uses: actions/checkout@v4
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - run: |
+          git checkout -B "self-upgrade"
+
+      - run: |
+          make -j upgrade-klone
+          make -j generate
+
+      - id: is-up-to-date
+        shell: bash
+        run: |
+          git_status=$(git status -s)
+          is_up_to_date="true"
+          if [ -n "$git_status" ]; then
+              is_up_to_date="false"
+              echo "The following changes will be committed:"
+              echo "$git_status"
+          fi
+          echo "result=$is_up_to_date" >> "$GITHUB_OUTPUT"
+
+      - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
+        run: |
+          git config --global user.name "jetstack-bot"
+          git config --global user.email "[email protected]"
+          git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff
+          git push -f origin self-upgrade
+
+      - if: ${{ steps.is-up-to-date.outputs.result != 'true' }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { repo, owner } = context.repo;
+            const pulls = await github.rest.pulls.list({
+              owner: owner,
+              repo: repo,
+              head: owner + ':self-upgrade',
+              base: 'main',
+              state: 'open',
+            });
+
+            if (pulls.data.length < 1) {
+              await github.rest.pulls.create({
+                title: '[CI] Merge self-upgrade into main',
+                owner: owner,
+                repo: repo,
+                head: 'self-upgrade',
+                base: 'main',
+                body: [
+                  'This PR is auto-generated to bump the Makefile modules.',
+                ].join('\n'),
+              });
+            }

.github/workflows/release.yaml

@@ -0,0 +1,85 @@
+name: release
+on:
+  push:
+    tags:
+      - "v*"
+
+env:
+  VERSION: ${{ github.ref_name }}
+
+jobs:
+  build_images:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read # needed for checkout
+      packages: write # needed for push images
+      id-token: write # needed for keyless signing
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - id: release
+        run: make release
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.release.outputs.RELEASE_HELM_CHART_NAME }}-${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }}.tgz
+          path: ${{ steps.release.outputs.RELEASE_HELM_CHART_TAR }}
+          if-no-files-found: error
+
+    outputs:
+      RELEASE_OCI_MANAGER_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_IMAGE }}
+      RELEASE_OCI_MANAGER_TAG: ${{ steps.release.outputs.RELEASE_OCI_MANAGER_TAG }}
+      RELEASE_HELM_CHART_NAME: ${{ steps.release.outputs.RELEASE_HELM_CHART_NAME }}
+      RELEASE_HELM_CHART_VERSION: ${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }}
+
+  github_release:
+    runs-on: ubuntu-latest
+
+    needs: build_images
+
+    permissions:
+      contents: write # needed for creating a PR
+      pull-requests: write # needed for creating a PR
+
+    steps:
+      - run: |
+          touch .notes-file
+          echo "OCI_MANAGER_IMAGE: ${{ needs.build_images.outputs.RELEASE_OCI_MANAGER_IMAGE }}" >> .notes-file
+          echo "OCI_MANAGER_TAG: ${{ needs.build_images.outputs.RELEASE_OCI_MANAGER_TAG }}" >> .notes-file
+          echo "HELM_CHART_NAME: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}" >> .notes-file
+          echo "HELM_CHART_VERSION: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}" >> .notes-file
+
+      - id: chart_download
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}-${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}.tgz
+
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create "$VERSION" \
+            --repo="$GITHUB_REPOSITORY" \
+            --title="${VERSION}" \
+            --draft \
+            --verify-tag \
+            --notes-file .notes-file
+
+          gh release upload "$VERSION" \
+            --repo="$GITHUB_REPOSITORY" \
+            "${{ steps.chart_download.outputs.download-path }}/${{ needs.build_images.outputs.RELEASE_HELM_CHART_NAME }}-${{ needs.build_images.outputs.RELEASE_HELM_CHART_VERSION }}.tgz"