feat: Use ghcr.io instead of docker hub for images

.github/workflows/checks.yml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Install asdf
-        uses: asdf-vm/actions/setup@v1
+        uses: asdf-vm/actions/setup@master
 
       - name: Run unit tests
         run: make test
@@ -44,7 +44,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Install asdf
-        uses: asdf-vm/actions/setup@v1
+        uses: asdf-vm/actions/setup@master
 
       - name: Run e2e tests
         run: make e2e-test
@@ -80,7 +80,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Install asdf
-        uses: asdf-vm/actions/setup@v1
+        uses: asdf-vm/actions/setup@master
 
       - uses: pre-commit/[email protected]
         with:

.github/workflows/codeql-analysis.yml

@@ -31,7 +31,7 @@ jobs:
         languages: ${{ matrix.language }}
 
     - name: Install tools via asdf
-      uses: asdf-vm/actions/install@v1
+      uses: asdf-vm/actions/setup@master
 
     - name: Build
       run: make build-snapshot

.github/workflows/release-main.yaml

@@ -8,11 +8,16 @@ on:
     branches:
       - main
 
+permissions:
+  contents: write
+  packages: write
+  pull-requests: write
+
 jobs:
   release-please:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
-      - uses: google-github-actions/release-please-action@v3.5
+      - uses: google-github-actions/release-please-action@v3.7
         id: release-please
         with:
           release-type: go
@@ -30,11 +35,12 @@ jobs:
         uses: asdf-vm/actions/install@v1
 
       - if: ${{ steps.release-please.outputs.release_created }}
-        name: Login to Docker Hub
+        name: Login to GitHub Container Registry
         uses: docker/login-action@v2
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.actor  }}
+          password: ${{ secrets.GITHUB_TOKEN  }}
 
       - if: ${{ steps.release-please.outputs.release_created }}
         name: Release

.go-tools

@@ -1,4 +1,4 @@
 github.com/oligot/[email protected]
-gotest.tools/[email protected]
 github.com/segmentio/[email protected]
-github.com/containers/skopeo/cmd/[email protected] # FREEZE
+gotest.tools/[email protected]
+github.com/google/go-containerregistry/cmd/[email protected]

.golangci.yml

@@ -3,7 +3,6 @@
 
 run:
   timeout: 5m
-  go: '1.17'
   build-tags:
     - e2e
 

.goreleaser.yml

@@ -61,12 +61,12 @@ dockers:
   - image_templates:
       # Specify the image tag including `-amd64` suffix if the build is not a snapshot build or is not being built on
       # arm64 machine. This allows for using the snapshot image build without the archtecture specific suffix
-      # consistently on local machines, i.e. can always use `mesosphere/toml-merge:v<VERSION>` on the machine the snapshot
+      # consistently on local machines, i.e. can always use `ghcr.io/mesosphere/toml-merge:v<VERSION>` on the machine the snapshot
       # is built on.
       #
       # For a release build the `-amd64` suffix will always be included and the `docker_manifests` specification below
       # will create the final multiplatform manifest to be pushed to the registry.
-      - 'mesosphere/toml-merge:v{{trimprefix .Version "v"}}{{ if or (not .IsSnapshot) (not (eq .Runtime.Goarch "amd64")) }}-amd64{{ end }}'
+      - 'ghcr.io/mesosphere/toml-merge:v{{trimprefix .Version "v"}}{{ if or (not .IsSnapshot) (not (eq .Runtime.Goarch "amd64")) }}-amd64{{ end }}'
     use: buildx
     dockerfile: Dockerfile
     build_flag_templates:
@@ -80,12 +80,12 @@ dockers:
   - image_templates:
       # Specify the image tag including `-amd64v8` suffix if the build is not a snapshot build or is not being built on
       # arm64 machine. This allows for using the snapshot image build without the archtecture specific suffix
-      # consistently on local machines, i.e. can always use `mesosphere/toml-merge:v<VERSION>` on the machine the snapshot
+      # consistently on local machines, i.e. can always use `ghcr.io/mesosphere/toml-merge:v<VERSION>` on the machine the snapshot
       # is built on.
       #
       # For a release build the `-amd64v8` suffix will always be included and the `docker_manifests` specification below
       # will create the final multiplatform manifest to be pushed to the registry.
-    - 'mesosphere/toml-merge:v{{trimprefix .Version "v"}}{{ if or (not .IsSnapshot) (not (eq .Runtime.Goarch "arm64")) }}-arm64v8{{ end }}'
+    - 'ghcr.io/mesosphere/toml-merge:v{{trimprefix .Version "v"}}{{ if or (not .IsSnapshot) (not (eq .Runtime.Goarch "arm64")) }}-arm64v8{{ end }}'
     use: buildx
     goarch: arm64
     dockerfile: Dockerfile
@@ -98,10 +98,10 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.source={{.GitURL}}"
 docker_manifests:
-  - name_template: mesosphere/toml-merge:v{{trimprefix .Version "v"}}
+  - name_template: ghcr.io/mesosphere/toml-merge:v{{trimprefix .Version "v"}}
     image_templates:
-    - mesosphere/toml-merge:v{{trimprefix .Version "v"}}-amd64
-    - mesosphere/toml-merge:v{{trimprefix .Version "v"}}-arm64v8
+    - ghcr.io/mesosphere/toml-merge:v{{trimprefix .Version "v"}}-amd64
+    - ghcr.io/mesosphere/toml-merge:v{{trimprefix .Version "v"}}-arm64v8
 checksum:
   name_template: 'checksums.txt'
 snapshot:

.tool-versions

@@ -1,5 +1,5 @@
-golangci-lint 1.50.1
-goreleaser 1.12.3
-golang 1.19.2
-pre-commit 2.20.0
-ginkgo 2.4.0
+ginkgo 2.8.3
+golangci-lint 1.51.2
+goreleaser 1.15.2
+golang 1.20.1
+pre-commit 3.0.4

make/all.mk

@@ -13,5 +13,4 @@ include $(INCLUDE_DIR)pre-commit.mk
 include $(INCLUDE_DIR)go.mk
 include $(INCLUDE_DIR)goreleaser.mk
 include $(INCLUDE_DIR)docker.mk
-include $(INCLUDE_DIR)ci.mk
 include $(INCLUDE_DIR)tag.mk

make/docker.mk

@@ -10,10 +10,10 @@ endif
 endif
 
 .PHONY: update-distroless-base-image
-update-distroless-base-image: install-tool.gcloud install-tool.gojq install-tool.go.skopeo; $(info $(M) updating distroless base image)
+update-distroless-base-image: install-tool.gcloud install-tool.gojq install-tool.go.crane; $(info $(M) updating distroless base image)
 	LATEST_DISTROLESS_NONROOT_DIGEST="$$(gcloud container images list-tags gcr.io/distroless/static --format=json | gojq -r '.[] | select(.tags | index("nonroot")) | .digest')"; \
-	DISTROLESS_AMD64_DIGEST="$$(skopeo inspect --raw docker://gcr.io/distroless/static@$${LATEST_DISTROLESS_NONROOT_DIGEST} | gojq -r '.manifests[] | select(.platform.os == "linux" and .platform.architecture == "amd64").digest')"; \
-	DISTROLESS_ARM64_DIGEST="$$(skopeo inspect --raw docker://gcr.io/distroless/static@$${LATEST_DISTROLESS_NONROOT_DIGEST} | gojq -r '.manifests[] | select(.platform.os == "linux" and .platform.architecture == "arm64").digest')"; \
-	sed -i -e "s|^\(FROM --platform=linux/amd64 \).\+$$|\1gcr.io/distroless/static@$${DISTROLESS_AMD64_DIGEST} as linux-amd64|" \
-	       -e "s|^\(FROM --platform=linux/arm64 \).\+$$|\1gcr.io/distroless/static@$${DISTROLESS_ARM64_DIGEST} as linux-arm64|" \
+	DISTROLESS_AMD64_DIGEST="$$(crane manifest gcr.io/distroless/static@$${LATEST_DISTROLESS_NONROOT_DIGEST} | gojq -r '.manifests[] | select(.platform.os == "linux" and .platform.architecture == "amd64").digest')"; \
+	DISTROLESS_ARM64_DIGEST="$$(crane manifest gcr.io/distroless/static@$${LATEST_DISTROLESS_NONROOT_DIGEST} | gojq -r '.manifests[] | select(.platform.os == "linux" and .platform.architecture == "arm64").digest')"; \
+	sed -i -e "s|^\(FROM --platform=linux/amd64 gcr.io/distroless/static@\).\+$$|\1$${DISTROLESS_AMD64_DIGEST} as linux-amd64|" \
+	       -e "s|^\(FROM --platform=linux/arm64 gcr.io/distroless/static@\).\+$$|\1$${DISTROLESS_ARM64_DIGEST} as linux-arm64|" \
 	       Dockerfile

make/go.mk

@@ -3,7 +3,7 @@
 
 # The GOPRIVATE environment variable controls which modules the go command considers
 # to be private (not available publicly) and should therefore not use the proxy or checksum database
-export GOPRIVATE ?= github.com/mesosphere
+export GOPRIVATE ?=
 
 ALL_GO_SUBMODULES := $(shell PATH='$(PATH)'; find -mindepth 2 -maxdepth 2 -name go.mod -printf '%P\n' | sort)
 GO_SUBMODULES_NO_TOOLS := $(filter-out $(addsuffix /go.mod,tools),$(ALL_GO_SUBMODULES))
@@ -69,7 +69,7 @@ endif
 
 .PHONY: bench.%
 bench.%: ## Runs go benchmarks for a specific module
-bench.%:; $(info $(M) running benchmarks$(if $(GOTEST_RUN), matching "$(GOTEST_RUN)") for $* module)
+bench.%: ; $(info $(M) running benchmarks$(if $(GOTEST_RUN), matching "$(GOTEST_RUN)") for $* module)
 	$(if $(filter-out root,$*),cd $* && )go test $(if $(GOTEST_RUN),-run "$(GOTEST_RUN)") -race -cover -v ./...
 
 E2E_PARALLEL_NODES ?= $(shell nproc --ignore=1)
@@ -82,7 +82,7 @@ e2e-test: install-tool.golang install-tool.ginkgo build-snapshot
 	ginkgo run \
 		--r \
 		--race \
-		--progress \
+		--show-node-events \
 		--trace \
 		--randomize-all \
 		--randomize-suites \
@@ -156,9 +156,9 @@ go-clean.%: install-tool.golang; $(info $(M) running go clean for $* module)
 .PHONY: go-generate
 go-generate: ## Runs go generate
 go-generate: install-tool.golang ; $(info $(M) running go generate)
-	go generate ./...
+	go generate -x ./...
 
 .PHONY: go-mod-upgrade
 go-mod-upgrade: ## Interactive check for direct module dependency upgrades
-go-mod-upgrade: install-tool.golang ; $(info $(M) checking for direct module dependency upgrades)
+go-mod-upgrade: install-tool.go.go-mod-upgrade; $(info $(M) checking for direct module dependency upgrades)
 	go-mod-upgrade

make/goreleaser.mk

@@ -14,7 +14,7 @@ build-snapshot: dockerauth install-tool.goreleaser ; $(info $(M) building snapsh
 	goreleaser --debug=$(GORELEASER_DEBUG) \
 		build \
 		--snapshot \
-		--rm-dist \
+		--clean \
 		--parallelism=$(GORELEASER_PARALLELISM) \
 		--single-target \
 		--skip-post-hooks
@@ -24,7 +24,7 @@ release: ## Builds a release with goreleaser
 release: dockerauth install-tool.goreleaser ; $(info $(M) building release $*)
 	goreleaser --debug=$(GORELEASER_DEBUG) \
 		release \
-		--rm-dist \
+		--clean \
 		--parallelism=$(GORELEASER_PARALLELISM) \
 		$(GORELEASER_FLAGS)
 
@@ -35,6 +35,6 @@ release-snapshot: dockerauth install-tool.goreleaser ; $(info $(M) building snap
 		release \
 		--snapshot \
 		--skip-publish \
-		--rm-dist \
+		--clean \
 		--parallelism=$(GORELEASER_PARALLELISM) \
 		$(GORELEASER_FLAGS)

make/tools.mk

@@ -13,7 +13,7 @@ export PATH := $(GOBIN):$(PATH)
 ifneq ($(wildcard $(GO_TOOLS_FILE)),)
 define install_go_tool
 	mkdir -p $(GOBIN)
-	CGO_ENABLED=0 go install -tags containers_image_openpgp -v $$(grep -Eo '^.+$1[^ \t]*' $(GO_TOOLS_FILE))
+	CGO_ENABLED=0 go install -v $$(grep -Eo '^.+$1[^ ]+' $(GO_TOOLS_FILE))
 endef
 
 .PHONY:
@@ -80,8 +80,18 @@ upgrade-tools: upgrade-go-tools; $(info $(M) upgrading all tools to latest avail
 upgrade-go-tools: ## Upgrades all go tools to latest available versions
 upgrade-go-tools: install-tool.golang; $(info $(M) upgrading all go tools to latest available versions)
 	grep -v '# FREEZE' .go-tools | \
-		grep -Eo '^[^#]\S+' | \
-		sed 's/@.\+$$/@latest/' | \
-			xargs -I {} bash -ec '\
-				export LATEST_VERSION=$$(go list -m {}) && \
-				sed -i "s|$${LATEST_VERSION%% *}@.\+$$|$${LATEST_VERSION/ /@}|" .go-tools'
+		grep -Eo '^[^#][^@]+' | \
+			xargs -I {} bash -ec ' \
+				original_module_path={}; \
+				module_path={}; \
+				while [ "$${module_path}" != "." ]; do \
+					LATEST_VERSION=$$(go list -m $${module_path}@latest 2>/dev/null || echo ""); \
+					if [ -n "$${LATEST_VERSION}" ]; then \
+						sed -i "s|$${original_module_path}@.\+$$|$${original_module_path}@$${LATEST_VERSION#* }|" .go-tools; \
+						exit; \
+					else \
+						module_path=$$(dirname $${module_path}); \
+					fi; \
+				done; \
+				echo "Failed to find latest module version for $${original_module_path}"; \
+				exit 1'