Merge pull request #4484 from kubernetes-sigs/conflicts-metrics-md

📖 Update docs with release v4.4.0

Author: k8s-ci-robot

.github/SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policy
+
+## Security Announcements
+
+Join the [kubernetes-security-announce] group for security and vulnerability announcements related to the Kubernetes ecosystem.
+
+You can also subscribe to an RSS feed of these announcements using [this link][kubernetes-security-announce-rss].
+
+## Reporting a Vulnerability
+
+Instructions for reporting a vulnerability can be found on the [Kubernetes Security and Disclosure Information] page.
+
+## Supported Versions
+
+Kubebuilder is tested against the latest three Kubernetes releases, in alignment with the [Kubernetes version and version skew support policy](https://kubernetes.io/docs/setup/release/version-skew-policy/).
+
+However, each version is only tested with the dependencies used for its release. For detailed information, please refer to the [compatibility and support policy on GitHub][compatibility-policy].
+
+## Release Policy
+
+Kubebuilder maintains a policy of releasing updates for the latest CLI version (currently v4). Older versions (v1, v2, v3) are no longer supported, and no releases will be produced for them. It is recommended to ensure that any project scaffolded by Kubebuilder remains aligned with the latest release.
+
+## Automated Vulnerability Scanning
+
+Kubebuilder employs automated scanning via Dependabot and GitHub Actions within its CI/CD pipeline. This process detects vulnerabilities in dependencies and configurations, generating daily or weekly reports prioritized for the latest supported versions.
+
+- **Dependabot Configuration**: You can review the setup in `.github/dependabot.yml`.
+- **Security Checks**: Security checks are enabled in the Kubebuilder repository settings.
+- **Code Scanning**: The `.github/workflows/codeql.yml` workflow scans the `master` and `book-v4` branches, which typically contain the latest release code. Other release branches may not be scanned.
+
+## Production-Grade Security
+
+Projects generated by Kubebuilder are designed for ease of development and are **not** configured with production-grade security settings. For example, default configurations do not enable cert-manager or perform proper certificate validation, which may not be suitable for production environments. Ensure that you make the necessary adjustments to security settings before releasing your solution for production.
+
+[kubernetes-security-announce]: https://groups.google.com/forum/#!forum/kubernetes-security-announce
+[kubernetes-security-announce-rss]: https://groups.google.com/forum/feed/kubernetes-security-announce/msgs/rss_v2_0.xml?num=50
+[Kubernetes version and version skew support policy]: https://kubernetes.io/docs/setup/release/version-skew-policy/#supported-versions
+[Kubernetes Security and Disclosure Information]: https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability
+[compatibility-policy]: ./../README.md#versions-compatibility-and-supportability
+[project-upgrade-assistant]: https://book.kubebuilder.io/reference/rescaffold
+[testdata-directory]: https://github.com/kubernetes-sigs/kubebuilder/tree/master/testdata
+[kubebuilder-releases]: https://github.com/kubernetes-sigs/kubebuilder/releases

.github/workflows/apidiff.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: "~1.22"
+          go-version-file: go.mod
       - name: Execute go-apidiff
         uses: joelanford/[email protected]
         with:

.github/workflows/codeql.yml

@@ -25,7 +25,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version-file: go.mod
 
       - name: Build and install Kubebuilder CLI
         run: make install

.github/workflows/external-plugin.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22.3'
+          go-version-file: docs/book/src/simple-external-plugin-tutorial/testdata/sampleexternalplugin/v1/go.mod
 
       - name: Build Sample External Plugin
         working-directory: docs/book/src/simple-external-plugin-tutorial/testdata/sampleexternalplugin/v1

.github/workflows/legacy-webhook-path.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22.3'
+          go-version-file: go.mod
       - name: Run make test-legacy
         run: make test-legacy
 

.github/workflows/lint-sample.yml

@@ -11,23 +11,34 @@ on:
 jobs:
   lint-samples:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        folder: [
+          "testdata/project-v4",
+          "testdata/project-v4-with-plugins",
+          "testdata/project-v4-multigroup"
+        ]
     if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository)
     steps:
       - name: Clone the code
         uses: actions/checkout@v4
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.22'
+          go-version-file: go.mod
+      - name: Prepare ${{ matrix.folder }}
+        working-directory: ${{ matrix.folder }}
+        run: go mod tidy
+      - name: Check linter configuration
+        working-directory: ${{ matrix.folder }}
+        run: make lint-config
       - name: Run linter
         uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.59
-          working-directory: testdata/project-v4
-          args: --config .golangci.yml ./...
-      - name: Run linter
-        uses: golangci/golangci-lint-action@v6
-        with:
-          version: v1.59
-          working-directory: testdata/project-v4-with-plugins
+          version: v1.62.2
+          working-directory: ${{ matrix.folder }}
           args: --config .golangci.yml ./...
+      - name: Run linter via makefile target
+        working-directory: ${{ matrix.folder }}
+        run: make lint
+

.github/workflows/lint.yml

@@ -15,16 +15,18 @@ jobs:
     # Pull requests from the same repository won't trigger this checks as they were already triggered by the push
     if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository)
     steps:
+      - name: Clone the code
+        uses: actions/checkout@v4
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.22'
-      - name: Clone the code
-        uses: actions/checkout@v4
+          go-version-file: go.mod
+      - name: Check linter configuration
+        run: make lint-config
       - name: Run linter
         uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.61
+          version: v1.62.2
 
   yamllint:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.22'
+          go-version-file: go.mod
       - name: Clean dist directory
         run: rm -rf dist || true
       - name: Install Syft to generate SBOMs

.github/workflows/test-devcontainer.yaml renamed to .github/workflows/test-devcontainer.yml

@@ -15,10 +15,10 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Setup Go 1.22.x
+      - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.22.x"
+          go-version-file: go.mod
 
       - name: Setup NodeJS 20.x
         uses: actions/setup-node@v4

.github/workflows/test-e2e-book.yml

@@ -15,10 +15,16 @@ on:
       - '.github/workflows/test-e2e-book.yml'
 
 jobs:
-  e2e-getting-started:
+  e2e:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: true
+      matrix:
+        folder: [
+          "docs/book/src/getting-started/testdata/project",
+          "docs/book/src/cronjob-tutorial/testdata/project",
+          "docs/book/src/multiversion-tutorial/testdata/project"
+        ]
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
     steps:
       - name: Checkout repository
@@ -27,7 +33,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '~1.22'
+          go-version-file: go.mod
 
       - name: Install the latest version of kind
         run: |
@@ -41,67 +47,6 @@ jobs:
       - name: Create kind cluster
         run: kind create cluster
 
-      - name: Running make test-e2e for Getting Started tutorial sample
-        working-directory: docs/book/src/getting-started/testdata/project
+      - name: Running make test-e2e for ${{ matrix.folder }}
+        working-directory: ${{ matrix.folder }}
         run: make test-e2e
-
-  e2e-cronjob-tutorial:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '~1.22'
-
-      - name: Install the latest version of kind
-        run: |
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
-
-      - name: Verify kind installation
-        run: kind version
-
-      - name: Create kind cluster
-        run: kind create cluster
-
-      - name: Running make test-e2e for Cronjob tutorial sample
-        working-directory: docs/book/src/cronjob-tutorial/testdata/project
-        run: make test-e2e
-
-  e2e-multiversion-tutorial:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '~1.22'
-
-      - name: Install the latest version of kind
-        run: |
-          curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
-
-      - name: Verify kind installation
-        run: kind version
-
-      - name: Create kind cluster
-        run: kind create cluster
-
-      - name: Running make test-e2e for Multiversion tutorial sample
-        working-directory: docs/book/src/multiversion-tutorial/testdata/project
-        run: make test-e2e
-