Merged
44 changes: 20 additions & 24 deletions .github/workflows/ci.yml
@@ -3,9 +3,14 @@
#
# Skaphos gitops-engine CI workflow. Modeled on the Keleustes CI job set,
# trimmed for a library (no envtest, no controller-gen drift, no
# `tools/` Taskfile delegation). Required jobs must pass; advisory jobs
# (lint, vuln) carry continue-on-error and exist to surface signal as we
# baseline the fork.
# `tools/` Taskfile delegation).
#
# Required jobs: DCO, REUSE, go vet, golangci-lint, staticcheck, test, build.
# Advisory job: govulncheck. Two server-side kube-apiserver CVEs
# (GO-2025-3547, GO-2025-3521) are reached transitively via
# admissionregistration scheme registration but never exercised by a
# client library like this one. We accept those as known false positives
# until upstream releases fixes; see commit history under SKA-421.
#
# Security stance:
# - Workflow-level `permissions: {}` (zero by default).
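Review bot: the risk acceptance for GO-2025-3547 and GO-2025-3521 is recorded twice, here in the file header and again in the govulncheck job comment, and this copy sends readers to "commit history under SKA-421", which is the least durable place to keep the justification. Keep the rationale in one place (the job comment already carries the DeepCopyObject trace detail) and have the header only name the advisory job and point at that comment, so the two copies cannot drift apart when one of the IDs is fixed upstream.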
@@ -86,16 +91,9 @@ jobs:
run: go vet ./...

lint:
name: golangci-lint (advisory)
name: golangci-lint
runs-on: ubuntu-24.04
timeout-minutes: 15
# Advisory until the fork establishes its own .golangci.yaml. The
# upstream argo-cd config under which this code lints clean lives at
# argoproj/argo-cd/.golangci.yaml (root, outside this subtree) and we
# deliberately do not vendor it: every config we add here is a divergence
# we'd have to maintain against upstream forever. A dedicated ticket will
# baseline a minimal config when needed.
continue-on-error: true
permissions:
contents: read
steps:
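Review bot: dropping `continue-on-error: true` turns this job into a merge gate, and the deleted comment's precondition (a fork-owned `.golangci.yaml`) is met in this same PR, so the promotion is consistent; what is lost is the in-place explanation. Suggest a one-line comment above `name: golangci-lint` saying the job is required and that it lints against the repo-local `.golangci.yaml`, since after this change the only record of which jobs gate merges is the header block at the top of the file.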
@@ -109,16 +107,9 @@ jobs:
run: go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 run ./...

staticcheck:
name: Staticcheck (advisory)
name: Staticcheck
runs-on: ubuntu-24.04
timeout-minutes: 10
# Advisory: inherited upstream code carries pre-existing staticcheck
# findings (SA1019 deprecations on v1.EndpointSubset / corev1.Endpoints,
# U1000 unused helpers in vendor-borrowed files, SA4004 in pkg/cache).
# Fixing these here would diverge from upstream and complicate
# upstreaming. The findings will clear once upstream addresses them or
# we upstream the fixes ourselves.
continue-on-error: true
permissions:
contents: read
steps:
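Review bot: the comment being deleted lists SA1019 findings on v1.EndpointSubset / corev1.Endpoints, and the new `.golangci.yaml` suppresses those only for the staticcheck linter embedded in golangci-lint (via `linters.exclusions.rules`). If this standalone `staticcheck` job invokes the staticcheck binary directly (its run step is outside this hunk), it does not read that file and, now that it is required, will fail on exactly those two sites unless they carry `//lint:ignore SA1019` directives. Either confirm the directives are present, or drop this job in favour of the staticcheck run inside golangci-lint, which also stops running the same analysis twice per PR.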
@@ -151,9 +142,14 @@ jobs:
name: govulncheck (advisory)
runs-on: ubuntu-24.04
timeout-minutes: 10
# Pre-existing baseline issue: k8s.io/api v0.34 ceiling per ADR 0006.
# Advisory only until the gitops-engine ceiling can be raised under
# SKA-421 (now scoped against the Skaphos fork).
# Two kube-apiserver server-side CVEs (GO-2025-3547, GO-2025-3521) are
# reached transitively from this client library's scheme registration
# of admissionregistration (which we keep because users ship
# ValidatingWebhookConfiguration / MutatingWebhookConfiguration
# manifests). The traces touch generated DeepCopyObject methods on
# those types, never the actual vulnerable kube-apiserver code paths.
# Both report Fixed in: N/A upstream. Kept advisory until upstream
# releases fixes (after which this job should be promoted to required).
continue-on-error: true
permissions:
contents: read
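Review bot: `continue-on-error: true` suppresses every govulncheck finding, not only the two accepted IDs, so a new vulnerability in any of the dependencies bumped in this PR would merge without blocking; GO-2026-4918 in `golang.org/x/net` (cleared by commit 9 in UPSTREAMING.md) is exactly the kind of finding this job should have forced. Consider keeping the job required and expressing the acceptance as an allowlist: run `govulncheck -format json`, collect the reported OSV IDs, and fail when any ID outside GO-2025-3547 and GO-2025-3521 appears. The promotion plan in the comment then becomes "delete the allowlist entries" instead of "flip the job to required".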
@@ -208,8 +204,8 @@ jobs:
echo "| --- | --- |"
echo "| reuse | ${REUSE_RESULT} |"
echo "| go vet | ${VET_RESULT} |"
echo "| golangci-lint (advisory) | ${LINT_RESULT} |"
echo "| staticcheck (advisory) | ${STATICCHECK_RESULT} |"
echo "| golangci-lint | ${LINT_RESULT} |"
echo "| staticcheck | ${STATICCHECK_RESULT} |"
echo "| test | ${TEST_RESULT} |"
echo "| vuln (advisory) | ${VULN_RESULT} |"
echo "| build | ${BUILD_RESULT} |"
51 changes: 51 additions & 0 deletions .golangci.yaml
@@ -0,0 +1,51 @@
# SPDX-FileCopyrightText: 2026 Skaphos
# SPDX-License-Identifier: Apache-2.0
#
# golangci-lint config for skaphos/gitops-engine.
#
# Deliberately minimal: this fork's stance is upstream-first, so we lint
# only what genuinely catches bugs and skip the QF* "quick fix" style
# nags that would create a huge upstreamable-but-noisy diff against
# argoproj/argo-cd. Tightening the config is a separate decision once
# upstreaming has run a cycle and we know what argoproj is willing to
# absorb.

version: "2"

run:
timeout: 5m
modules-download-mode: readonly

linters:
default: none
enable:
- errcheck
- govet
- ineffassign
- staticcheck
- unused

settings:
staticcheck:
# Enable only the SA* (Static Analysis / bug) family. We deliberately
# skip ST* (stylistic naming), S* (simplifications), QF* (quick fixes)
# so the lint signal stays focused on real defects rather than
# style nags that would create a noisy diff against upstream argo-cd.
checks:
- "SA*"

exclusions:
# We intentionally use the deprecated corev1.Endpoints /
# v1.EndpointSubset types in two places — diff normalization for
# user-provided legacy Endpoints, and a vendored sort helper for the
# same types. Suppress SA1019 only in those files; everywhere else
# SA1019 should still fire.
rules:
- path: internal/kubernetes_vendor/pkg/api/v1/endpoints/util\.go
linters:
- staticcheck
text: "SA1019: v1.EndpointSubset is deprecated"
- path: pkg/diff/diff\.go
linters:
- staticcheck
text: "SA1019: corev1.Endpoints is deprecated"
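Review bot: the two SA1019 exclusions match on message text that embeds the type name ("SA1019: v1.EndpointSubset is deprecated", "SA1019: corev1.Endpoints is deprecated"). If a future k8s.io/api bump rewords the deprecation string, the rule silently stops matching and the now-required lint job fails at those two sites with no hint why. Since each rule is already scoped to a single file, matching on `text: "SA1019"` alone would be no less precise, or alternatively put a `//nolint:staticcheck // <reason>` directive at the two call sites so the suppression lives next to the code it justifies and survives config changes.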
29 changes: 24 additions & 5 deletions UPSTREAMING.md
@@ -24,9 +24,25 @@ upstream can absorb the work.

Skaphos commits that are ready to PR upstream but haven't been submitted yet.

| Our commit | Subject | Upstream target | Status |
| --- | --- | --- | --- |
| `eb643e2` | `chore(gitops-engine): drop dead autoscaling/v2beta1 and v2beta2 references` | `argoproj/argo-cd` | not yet submitted |
Listed roughly in dependency order — the bumps depend on the dead-code
removal, and the lint/staticcheck clean-ups depend on the bumps. When
upstreaming, prefer bundling 1+5+8 as a single "lift the k8s.io
ceiling" PR (they jointly unblock v0.35+) and the rest as their own
small PRs.

| # | Our commit | Subject | Upstream target | Status |
| --- | --- | --- | --- | --- |
| 1 | `eb643e2` | `chore(gitops-engine): drop dead autoscaling/v2beta1 and v2beta2 references` | `argoproj/argo-cd` | not yet submitted |
| 2 | `775d146` | `chore(deps): bump k8s.io to v0.35.5 (kubernetes v1.35.5)` | `argoproj/argo-cd` | not yet submitted |
| 3 | `626c831` | `chore(deps): bump k8s.io to v0.36.1 (kubernetes v1.36.1)` | `argoproj/argo-cd` | not yet submitted |
| 4 | `2c78077` | `chore: make hack/update_static_schema.sh portable` (BSD `sed -i ''` silently no-ops on GNU sed; the script never worked on Linux) | `argoproj/argo-cd` | not yet submitted |
| 5 | `4f1d275` | `chore(scheme): regenerate static parser from k8s.io/client-go@v0.36.1` (consequence of bumps; not standalone, lands with 2/3) | `argoproj/argo-cd` | not yet submitted |
| 6 | `30f94e0` | `chore: drop two unused helpers flagged by staticcheck (U1000)` (`max` predates Go 1.21 builtin; `newCRDVersionConverter` never wired in) | `argoproj/argo-cd` | not yet submitted |
| 7 | `2a52857` | `fix(cache): iterate all namespaces in checkPermission (SA4004)` (**real bug** — multi-namespace RBAC mode only ever inspected the first namespace; author had left `//FIXME`) | `argoproj/argo-cd` | not yet submitted |
| 8 | `04528bb` | `chore: clear SA1019 deprecations on Endpoints + FieldsV1` (migrates `FieldsV1.Raw` → `GetRawReader`/`SetRawBytes`; targeted ignores for intentional `corev1.Endpoints` usage) | `argoproj/argo-cd` | not yet submitted |
| 9 | `83bc966` | `fix(scheme,deps): prune runtime-only API groups + bump golang.org/x/net` (drops admission/authentication/authorization/imagepolicy install — never appear in manifests; bumps `x/net` to clear GO-2026-4918) | `argoproj/argo-cd` | not yet submitted |
| 10 | `42749e8` | `chore(lint): baseline minimal .golangci.yaml; fix errcheck + QF1008` (Skaphos-local `.golangci.yaml` plus two real fixes — `Fprintf` errcheck and `.Fake.` redundancy) | `argoproj/argo-cd` (config split: file is Skaphos-only, the two code fixes are upstreamable) | not yet submitted |
| 11 | `ee9f0ce` | `ci: promote lint + staticcheck from advisory to required` | **Skaphos-only** — relates to this fork's `.github/workflows/ci.yml`, no upstream analogue | n/a |

## Submitted upstream

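Review bot: the bundling advice names commits 1+5+8 as the single "lift the k8s.io ceiling" PR, but the actual ceiling bumps are rows 2 and 3, and row 5 says it "lands with 2/3". As written, the bundle omits the bump commits it exists to carry and includes row 8, whose own description depends on the bumps. Please restate the bundle (2+3+5, with 1 as prerequisite and 8 as a follow-up, if that is the intent) so the ordering in the prose matches the dependency notes in the table.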
@@ -55,5 +71,8 @@ Changes we intend to keep Skaphos-local indefinitely. Each entry needs a

| Our commit | Subject | Reason |
| --- | --- | --- |

_(empty)_
| `3669644` | `chore(module): rename to github.com/skaphos/gitops-engine` | The module rename is the fork mechanism itself; not applicable upstream. |
| `c76831d` | `chore: add NOTICE, UPSTREAM_SYNC, UPSTREAMING, REUSE, sync-upstream.sh` | Fork-specific dressing (this file, the sync script, the NOTICE attribution, the REUSE blanket-license config). |
| `7fbfc72` | `ci: add GitHub Actions CI + dependabot` | Fork-specific CI. Upstream argo-cd has its own pipeline. |
| `9c6cc5d` | `ci: mark staticcheck advisory pending upstream fixes` | Superseded by `ee9f0ce`'s promotion-to-required after upstream-side fixes were applied in this fork; no upstream relevance. |
| `ee9f0ce` | `ci: promote lint + staticcheck from advisory to required` | Fork-specific CI tuning. |
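Review bot: `ee9f0ce` is now listed in both tables: as row 11 of "ready to PR upstream" (marked Skaphos-only, status n/a) and again here under changes kept local indefinitely. A commit that will never be submitted does not belong in the upstream-candidate table; drop row 11 there and keep this entry, which already states the reason. The `9c6cc5d` entry's "superseded by `ee9f0ce`" cross-reference then resolves to a single location.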
146 changes: 68 additions & 78 deletions go.mod
@@ -8,21 +8,21 @@ require (
github.com/go-logr/logr v1.4.3
github.com/google/gnostic-models v0.7.0
github.com/google/uuid v1.6.1-0.20241114170450-2d3c2a9cc518
github.com/spf13/cobra v1.10.1
github.com/spf13/cobra v1.10.2
github.com/stretchr/testify v1.11.1
golang.org/x/sync v0.17.0
google.golang.org/protobuf v1.36.9
k8s.io/api v0.34.0
k8s.io/apiextensions-apiserver v0.34.0
k8s.io/apimachinery v0.34.0
k8s.io/cli-runtime v0.34.0
k8s.io/client-go v0.34.0
k8s.io/klog/v2 v2.130.1
k8s.io/kube-aggregator v0.34.0
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b
k8s.io/kubectl v0.34.0
k8s.io/kubernetes v1.34.2
sigs.k8s.io/structured-merge-diff/v6 v6.3.1-0.20251003215857-446d8398e19c
golang.org/x/sync v0.20.0
google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af
k8s.io/api v0.36.1
k8s.io/apiextensions-apiserver v0.36.1
k8s.io/apimachinery v0.36.1
k8s.io/cli-runtime v0.36.1
k8s.io/client-go v0.36.1
k8s.io/klog/v2 v2.140.0
k8s.io/kube-aggregator v0.36.1
k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a
k8s.io/kubectl v0.36.1
k8s.io/kubernetes v1.36.1
sigs.k8s.io/structured-merge-diff/v6 v6.3.2
sigs.k8s.io/yaml v1.6.0
)

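Review bot: `google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af` pins a direct dependency to an untagged commit via a pseudo-version, while every other bump in this hunk lands on a tagged release. Pseudo-versions for direct requirements are easy to leave behind (no release notes, no advisory mapping by tag, and govulncheck reports against the commit). If the bump was pulled in transitively by the k8s.io v0.36.1 requirements, a short comment saying so would help; otherwise prefer the next tagged protobuf release.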
@@ -34,106 +34,96 @@ require (
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.3 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/emicklei/go-restful/v3 v3.12.2 // indirect
github.com/emicklei/go-restful/v3 v3.13.0 // indirect
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
github.com/fatih/camelcase v1.0.0 // indirect
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/go-errors/errors v1.5.1 // indirect
github.com/go-openapi/jsonpointer v0.21.1 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/swag v0.23.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jonboulle/clockwork v0.5.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/mailru/easyjson v0.9.0 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/moby/spdystream v0.5.0 // indirect
github.com/moby/term v0.5.2 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/onsi/ginkgo/v2 v2.22.0 // indirect
github.com/onsi/gomega v1.36.1 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_golang v1.23.2 // indirect
github.com/prometheus/client_model v0.6.2 // indirect
github.com/prometheus/common v0.66.1 // indirect
github.com/prometheus/procfs v0.16.1 // indirect
github.com/rogpeppe/go-internal v1.14.1 // indirect
github.com/prometheus/common v0.67.5 // indirect
github.com/prometheus/procfs v0.19.2 // indirect
github.com/robfig/cron/v3 v3.0.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
github.com/spf13/pflag v1.0.10 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/xlab/treeprint v1.2.0 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.opentelemetry.io/otel v1.41.0 // indirect
go.opentelemetry.io/otel/trace v1.41.0 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/net v0.44.0 // indirect
golang.org/x/oauth2 v0.31.0 // indirect
golang.org/x/sys v0.36.0 // indirect
golang.org/x/term v0.35.0 // indirect
golang.org/x/text v0.29.0 // indirect
golang.org/x/time v0.13.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
golang.org/x/net v0.53.0 // indirect
golang.org/x/oauth2 v0.34.0 // indirect
golang.org/x/sys v0.43.0 // indirect
golang.org/x/term v0.42.0 // indirect
golang.org/x/text v0.36.0 // indirect
golang.org/x/time v0.14.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiserver v0.34.0 // indirect
k8s.io/component-base v0.34.0 // indirect
k8s.io/component-helpers v0.34.0 // indirect
k8s.io/controller-manager v0.34.0 // indirect
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
sigs.k8s.io/kustomize/api v0.20.1 // indirect
sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
k8s.io/apiserver v0.36.1 // indirect
k8s.io/component-base v0.36.1 // indirect
k8s.io/component-helpers v0.36.1 // indirect
k8s.io/controller-manager v0.36.1 // indirect
k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/kustomize/api v0.21.1 // indirect
sigs.k8s.io/kustomize/kyaml v0.21.1 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
)

replace (
// After bumping these versions, run hack/update_static_schema.sh in case the schema has changed.
k8s.io/api => k8s.io/api v0.34.0
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.34.0
k8s.io/apimachinery => k8s.io/apimachinery v0.34.0
k8s.io/apiserver => k8s.io/apiserver v0.34.0
k8s.io/cli-runtime => k8s.io/cli-runtime v0.34.0
k8s.io/client-go => k8s.io/client-go v0.34.0
k8s.io/cloud-provider => k8s.io/cloud-provider v0.34.0
k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.34.0
k8s.io/code-generator => k8s.io/code-generator v0.34.0
k8s.io/component-base => k8s.io/component-base v0.34.0
k8s.io/component-helpers => k8s.io/component-helpers v0.34.0
k8s.io/controller-manager => k8s.io/controller-manager v0.34.0
k8s.io/cri-api => k8s.io/cri-api v0.34.0
k8s.io/cri-client => k8s.io/cri-client v0.34.0
k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.34.0
k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.34.0
k8s.io/endpointslice => k8s.io/endpointslice v0.34.0
k8s.io/externaljwt => k8s.io/externaljwt v0.34.0
k8s.io/kms => k8s.io/kms v0.34.0
k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.34.0
k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.34.0
k8s.io/kube-proxy => k8s.io/kube-proxy v0.34.0
k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.34.0
k8s.io/kubectl => k8s.io/kubectl v0.34.0
k8s.io/kubelet => k8s.io/kubelet v0.34.0
k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.34.0
k8s.io/metrics => k8s.io/metrics v0.34.0
k8s.io/mount-utils => k8s.io/mount-utils v0.34.0
k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.34.0
k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.34.0
k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.34.0
k8s.io/sample-controller => k8s.io/sample-controller v0.34.0
k8s.io/api => k8s.io/api v0.36.1
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.36.1
k8s.io/apimachinery => k8s.io/apimachinery v0.36.1
k8s.io/apiserver => k8s.io/apiserver v0.36.1
k8s.io/cli-runtime => k8s.io/cli-runtime v0.36.1
k8s.io/client-go => k8s.io/client-go v0.36.1
k8s.io/cloud-provider => k8s.io/cloud-provider v0.36.1
k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.36.1
k8s.io/code-generator => k8s.io/code-generator v0.36.1
k8s.io/component-base => k8s.io/component-base v0.36.1
k8s.io/component-helpers => k8s.io/component-helpers v0.36.1
k8s.io/controller-manager => k8s.io/controller-manager v0.36.1
k8s.io/cri-api => k8s.io/cri-api v0.36.1
k8s.io/cri-client => k8s.io/cri-client v0.36.1
k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.36.1
k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.36.1
k8s.io/endpointslice => k8s.io/endpointslice v0.36.1
k8s.io/externaljwt => k8s.io/externaljwt v0.36.1
k8s.io/kms => k8s.io/kms v0.36.1
k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.36.1
k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.36.1
k8s.io/kube-proxy => k8s.io/kube-proxy v0.36.1
k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.36.1
k8s.io/kubectl => k8s.io/kubectl v0.36.1
k8s.io/kubelet => k8s.io/kubelet v0.36.1
k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.36.1
k8s.io/metrics => k8s.io/metrics v0.36.1
k8s.io/mount-utils => k8s.io/mount-utils v0.36.1
k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.36.1
k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.36.1
k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.36.1
k8s.io/sample-controller => k8s.io/sample-controller v0.36.1
)
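Review bot: the `replace` block pins all k8s.io staging modules to v0.36.1, but `replace` directives only take effect in the main module's build. Consumers of this library (the fork's own users, and argo-cd if these commits are upstreamed) will not inherit them and will resolve the k8s.io/kubernetes v1.36.1 requirement graph on their own; for them only the `require` versions above matter. Worth a sentence in the existing comment next to `hack/update_static_schema.sh` so nobody assumes the pins protect downstream builds from version skew.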