Grouped CI related cherry-picks

- Add args to golangci-lint to show lines number #2180
- Align github actions with upstream CAPI #2167
- flavorgen generates all flavors by default #2172
  - only CI parts
- Add verify-govulncheck target and integrate to scan action #2174
- Use shellcheck binary instead of self-built docker image #2211
- Add doctoc and generate + verify targets #2147
  - only CI parts

.github/dependabot.yml

@@ -0,0 +1,34 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+version: 2
+updates:
+# GitHub Actions
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+      interval: "weekly"
+  commit-message:
+      prefix: ":seedling:"
+  labels:
+    - "ok-to-test"
+
+# Go
+- package-ecosystem: "gomod"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+    day: "monday"
+  ignore:
+  # Ignore controller-runtime as its upgraded manually.
+  - dependency-name: "sigs.k8s.io/controller-runtime"
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+    # Ignore k8s and its transitives modules as they are upgraded manually
+    # together with controller-runtime.
+  - dependency-name: "k8s.io/*"
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+  - dependency-name: "sigs.k8s.io/cluster-api/test"
+    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+  commit-message:
+    prefix: ":seedling:"
+  labels:
+    - "ok-to-test"

.github/workflows/golangci-lint.yaml → .github/workflows/pr-golangci-lint.yaml

@@ -1,4 +1,4 @@
-name: golangci-lint
+name: PR golangci-lint
 
 on:
   pull_request:
@@ -17,10 +17,11 @@ jobs:
         id: vars
         run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
       - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # tag=v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
         with:
           go-version: ${{ steps.vars.outputs.go_version }}
       - name: golangci-lint
         uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # tag=v3.6.0
         with:
-          version: v1.53.3
+          version: v1.53.3
+          args: --out-format=colored-line-number

.github/workflows/pr-md-link-check.yaml

@@ -0,0 +1,23 @@
+name: PR check Markdown links
+
+on:
+  pull_request:
+    types: [opened, edited, synchronize, reopened]
+    paths:
+      - '**.md'
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  markdown-link-check:
+    name: Broken Links
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
+    - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # tag=v1
+      with:
+        use-quiet-mode: 'yes'
+        config-file: .markdownlinkcheck.json
+        check-modified-files-only: 'yes'
+        base-branch: main

.github/workflows/verify-pr.yml → .github/workflows/pr-verify.yaml

@@ -1,4 +1,4 @@
-name: Verify PR
+name: PR Verify
 
 on:
   pull_request_target:
@@ -14,6 +14,6 @@ jobs:
     steps:
       - name: Verifier action
         id: verifier
-        uses: kubernetes-sigs/[email protected]
+        uses: kubernetes-sigs/kubebuilder-release-tools@4f3d1085b4458a49ed86918b4b55505716715b77 # tag=v0.3.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yaml

@@ -23,7 +23,7 @@ jobs:
       - name: Calculate go version
         run: echo "go_version=$(make go-version)" >> $GITHUB_ENV
       - name: Set up Go
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # tag=v4.0.1
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
         with:
           go-version: ${{ env.go_version }}
       - name: generate release artifacts

.github/workflows/weekly-md-link-check.yaml

@@ -0,0 +1,26 @@
+name: Weekly check all Markdown links
+
+on:
+  schedule:
+    # Cron for every Monday at 12:00 UTC.
+    - cron: "0 12 * * 1"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  markdown-link-check:
+    name: Broken Links
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
+        with:
+          ref: ${{ matrix.branch }}
+      - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # tag=v1
+        with:
+          use-quiet-mode: 'yes'
+          config-file: .markdownlinkcheck.json

.github/workflows/weekly-security-scan.yaml

@@ -0,0 +1,32 @@
+name: Weekly security scan
+
+on:
+  schedule:
+    # Cron for every Monday at 12:00 UTC.
+    - cron: "0 12 * * 1"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  scan:
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ]
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
+      with:
+        ref: ${{ matrix.branch }}
+    - name: Calculate go version
+      id: vars
+      run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
+    - name: Set up Go
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+    - name: Run verify security target
+      run: make verify-security

.github/workflows/weekly-test-release.yaml

@@ -0,0 +1,40 @@
+name: Weekly release test
+
+# Note: This workflow does not build for releases. It attempts to build release binaries periodically to ensure the repo
+# release machinery is in a good state.
+
+on:
+  schedule:
+    # Cron for every day at 12:00 UTC.
+    - cron: "0 12 * * *"
+
+# Remove all permissions from GITHUB_TOKEN except metadata.
+permissions: {}
+
+jobs:
+  weekly-test-release:
+    name: Test release
+    strategy:
+      fail-fast: false
+      matrix:
+        branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
+        with:
+          ref: ${{ matrix.branch }}
+          fetch-depth: 0
+      - name: Set env
+        run:  echo "RELEASE_TAG=v9.9.9-fake" >> $GITHUB_ENV
+      - name: Set fake tag for release
+        run: |
+          git tag ${{ env.RELEASE_TAG }}
+      - name: Calculate go version
+        run: echo "go_version=$(make go-version)" >> $GITHUB_ENV
+      - name: Set up Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
+        with:
+          go-version: ${{ env.go_version }}
+      - name: Test release
+        run: |
+          make release

.markdownlinkcheck.json

@@ -0,0 +1,17 @@
+{
+    "ignorePatterns": [{
+        "pattern": "^http://localhost"
+    }],
+    "httpHeaders": [{
+        "comment": "Workaround as suggested here: https://github.com/tcort/markdown-link-check/issues/201",
+        "urls": ["https://docs.github.com/"],
+        "headers": {
+            "Accept-Encoding": "zstd, br, gzip, deflate"
+        }
+    }],
+    "timeout": "10s",
+    "retryOn429": true,
+    "retryCount": 5,
+    "fallbackRetryDelay": "30s",
+    "aliveStatusCodes": [200, 206]
+}