Update to Go 1.22

Signed-off-by: Rick Lane <[email protected]>

.dockerignore

@@ -7,4 +7,3 @@ DEPENDENCY_LICENSES.md
 .git
 .github
 actions
-tools

.github/workflows/qa.yml

@@ -11,37 +11,38 @@ jobs:
           - macos-latest
           #- windows-latest
         go_version:
-          - '1.18.0'
-          - '1.19.0'
-          - '1.20.0'
           - '1.21.0'
+          - '1.22.0'
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: '~${{ matrix.go_version }}'
           cache: true
       - run: |
           if [[ "${{runner.debug}}" == "1" ]]; then
             DEBUG_FLAGS="-v"
           fi
-          
+
           go test -race ${DEBUG_FLAGS} ./...
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           # Specify the most recent (1.Y.Z) Y release
           go-version-file: go.mod
           cache: true
-      - run: make lint
+      - uses: golangci/golangci-lint-action@v5
+        with:
+          version: latest
+          args: --timeout=10m
   generate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
           cache: true

.github/workflows/test-action.yml

@@ -12,12 +12,12 @@ jobs:
     name: "Generate dependency information"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Go environment
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
           cache: true
@@ -37,14 +37,14 @@ jobs:
           : > DEPENDENCY_LICENSES.md
           : > DEPENDENCIES.md
           git add DEPENDENCY_LICENSES.md DEPENDENCIES.md
-          
+
           # Generate license information
           export GO_IMAGE=$(grep -e 'FROM golang:' "build-aux/docker/go_builder.dockerfile" | cut -d ' ' -f2 )
 
           #Copy test data to another folder since it can't be used from there
           cp -a ./test-data ./ui
           export NPM_PACKAGES=$( echo -e "./ui/package.json\n./ui/package-lock.json" )
-          
+
           mkdir -p "${BUILD_TMP}"
           build-aux/generate.sh --unparsable-packages ./unparsable-packages.yaml
 
@@ -58,7 +58,7 @@ jobs:
       - name: "Check that action didn't do any changes"
         run: |
           if [[ "${{ steps.changed-by-dependabot.outputs.is_dirty }}"  == 'true' ]]; then
-            echo "::error:: Action indicates that the repo was dirty" 
+            echo "::error:: Action indicates that the repo was dirty"
             exit 1
           fi
 
@@ -74,18 +74,18 @@ jobs:
         if: github.ref_type == 'branch'
         run: |
           if [[ "${{ steps.changed-by-dependabot2.outputs.license_information_committed }}"  != 'true' ]]; then
-            echo "::error:: Action indicates that the repo was not dirty" 
+            echo "::error:: Action indicates that the repo was not dirty"
             exit 1
           fi
 
           DESTINATION_BRANCH="${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}"
           DIFF=$(git diff --stat --cached  origin/${DESTINATION_BRANCH})
           if [[ -z "${DIFF}" ]]; then
-            echo "::error:: There weren't any files committed." 
+            echo "::error:: There weren't any files committed."
             exit 1
           fi
 
           if ! grep -e '^\s*DEPENDENCY_LICENSES.md' <(echo "${DIFF}") > /dev/null; then
-            echo "::error:: File DEPENDENCY_LICENSES.md was not modified, but it should have been." 
+            echo "::error:: File DEPENDENCY_LICENSES.md was not modified, but it should have been."
             exit 1
           fi

Makefile

@@ -13,13 +13,6 @@ generate:
 	go generate ./...
 .PHONY: generate
 
-lint: tools/bin/golangci-lint
-	tools/bin/golangci-lint run ./...
-.PHONY: lint
-
-tools/bin/%: tools/src/%/pin.go tools/src/%/go.mod
-	cd $(<D) && GOOS= GOARCH= go build -o $(abspath $@) $$(sed -En 's,^import "(.*)".*,\1,p' pin.go)
-
 .DELETE_ON_ERROR:
 .PHONY: FORCE
 FORCE:

README.md

@@ -1,6 +1,9 @@
+# go-mkopensource
+
 ## Command line tool Docs
-* [go-mkopensource](/cmd/go-mkopensource/README.md)
-* [js-mkopensource](/cmd/js-mkopensource/README.md)
+
+- [go-mkopensource](/cmd/go-mkopensource/README.md)
+- [js-mkopensource](/cmd/js-mkopensource/README.md)
 
 ## Building
 
@@ -18,87 +21,87 @@ package is good at detecting the licenses in a file
 ## Design
 
 There are many existing packages to do license detection, such as
-[go-license-detector][] or GitHub's [licensee][].  The reason these
+[go-license-detector][] or GitHub's [licensee][]. The reason these
 are not used is that they are meant to be _informative_, they provide
 "best effort" identification of the license.
 
-`go-mkopensource` isn't meant to just be _informative_, it is meant to
-be used for _compliance_, if it has any reason at all to be even a
+`go-mkopensource` isn't meant to just be informative, it is meant to
+be used for compliance; if it has any reason at all to be even a
 little skeptical of a result, rather than returning its best guess, it
-blows up in your face, asking a human to verify the result.
+asks a human to verify the result.
 
 [go-license-detector]: https://github.com/go-enry/go-license-detector
 [licensee]: https://github.com/licensee/licensee
 
 ## License scanning scripts
 
-Folder `/build-aux` contains scripts to scan licenses for Go, Python 
-and Node.Js. Script will generate both `DEPENDENCY_LICENSES.md` and 
+Folder `/build-aux` contains scripts to scan licenses for Go, Python
+and Node.Js. Script will generate both `DEPENDENCY_LICENSES.md` and
 `DEPENDENCIES.md`
 
-The following environment variables are used to configure the 
+The following environment variables are used to configure the
 application behaviour.
 
-* `APPLICATION`: Required. Name of the application being scanned.
+- `APPLICATION`: Required. Name of the application being scanned.
   It's used in the header of the license files.
 
-* `APPLICATION_TYPE`: Required. Where will the application being 
-  scanned run.    
-  `internal` is used for anything running on Ambassador Labs servers, 
-  and `external` for anything that's deployed to customer machines. 
+- `APPLICATION_TYPE`: Required. Where will the application being
+  scanned run.
+  `internal` is used for anything running on Ambassador Labs servers,
+  and `external` for anything that's deployed to customer machines.
 
-* `BUILD_HOME` Required. Location of the root folder of the repo to 
+- `BUILD_HOME` Required. Location of the root folder of the repo to
   scan.
 
-* `BUILD_TMP`: Required. Folder to use for storing temporary files.
+- `BUILD_TMP`: Required. Folder to use for storing temporary files.
 
-* `GIT_TOKEN` Required. Git token with permissions to pull 
+- `GIT_TOKEN` Required. Git token with permissions to pull
   repositories
 
-* `GO_IMAGE` Required. Image to use for generating Go
+- `GO_IMAGE` Required. Image to use for generating Go
   dependencies.
 
-* `PYTHON_PACKAGES`: Optional. List of requirement.txt files to scan.
-  Paths should be relative to `BUILD_HOME`.      
+- `PYTHON_PACKAGES`: Optional. List of requirement.txt files to scan.
+  Paths should be relative to `BUILD_HOME`.
   Example:
 
   `export PYTHON_PACKAGES="./python/requirements.txt ./builder/requirements.txt"`
 
-* `PYTHON_IMAGE`: Required. Image to use for generating Python 
+- `PYTHON_IMAGE`: Required. Image to use for generating Python
   dependencies.
 
-* `NPM_PACKAGES`: Optional. List of package.json and package-lock.json 
-  files to scan. Paths should be relative to `BUILD_HOME`.  
+- `NPM_PACKAGES`: Optional. List of package.json and package-lock.json
+  files to scan. Paths should be relative to `BUILD_HOME`.
   Example:
 
   `export NPM_PACKAGES="./tools/sandbox/grpc_web/package.json ./tools/sandbox/grpc_web/package-lock.json"`
 
-* `EXCLUDED_PKG`: Optional. Semicolon separated list of npm packages names that we want to exclude for the validation.
-  *Important*: it will restrict the output to the packages (package@version) from being reported in DEPENDENCIES.md and DEPENDENCY_LICENSES.md,
+- `EXCLUDED_PKG`: Optional. Semicolon separated list of npm packages names that we want to exclude for the validation.
+  _Important_: it will restrict the output to the packages (package@version) from being reported in DEPENDENCIES.md and DEPENDENCY_LICENSES.md,
   before to use it, confirm if it is absolutely necessary.
-  
+
   Example:
 
   `export EXCLUDED_PKG="[email protected];internal-2"`
 
-* `NODE_IMAGE`: Required when `NPM_PACKAGES` is defined. Version 
+- `NODE_IMAGE`: Required when `NPM_PACKAGES` is defined. Version
   of Node.JS to use when running npm dependency scan. Only valid
-  version numbers (X.Y.Z) are allowed.  
+  version numbers (X.Y.Z) are allowed.
   Example:
 
   `NODE_IMAGE=node:14.13.1-alpine`
 
-* `SCRIPTS_HOME`: Required. Location where `go-mkopensource` repo is 
-  checked out, relative to  `BUILD_HOME`
+- `SCRIPTS_HOME`: Required. Location where `go-mkopensource` repo is
+  checked out, relative to `BUILD_HOME`
 
-To update license information files, set the environment variables 
+To update license information files, set the environment variables
 described above and run `build-aux/generate.sh`
 
 Tips:
 
-* Add a .dockerignore at the root of your repository and exclude any files that are not necessary for generating depdency 
-  information, including DEPENDENCIES.md, DEPENDENCY_INFORMATION.md and temporary folders. See the 
-  [saas_app .dockerignore](https://github.com/datawire/saas_app/blob/master/.dockerignore) for a list of suggested exclussions.  
+- Add a .dockerignore at the root of your repository and exclude any files that are not necessary for generating depdency
+  information, including DEPENDENCIES.md, DEPENDENCY_INFORMATION.md and temporary folders. See the
+  [saas_app .dockerignore](https://github.com/datawire/saas_app/blob/master/.dockerignore) for a list of suggested exclussions.
 
 ## When scanning fails
 
@@ -124,7 +127,7 @@ fatal: 2 license-detection errors:
 ```
 
 A quick look at the package reveals that it uses an Apache License, but adds extra text at the top of the actual LICENSE
-file indicating that it also uses files from golang/encoding/json. We know that golang uses a 3-clause BSD license.  So we consult the [SPDX License List](https://spdx.org/licenses/) to get the canonical
+file indicating that it also uses files from golang/encoding/json. We know that golang uses a 3-clause BSD license. So we consult the [SPDX License List](https://spdx.org/licenses/) to get the canonical
 identifiers for the licenses, and add them to an `unparsable-packages.yaml` file to our build system
 with the following contents:
 
@@ -146,28 +149,29 @@ the list of all the packages in the file "vendor/modules.txt" using the command
 #26 18.24 go: downloading github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59
 #26 18.28 go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
 #26 36.85 github.com/datawire/saas_app/internal/pkg/kubernetes imports
-#26 36.85 	k8s.io/client-go/rest imports
-#26 36.85 	k8s.io/apimachinery/pkg/util/clock: no required module provides package k8s.io/apimachinery/pkg/util/clock; to add it:
-#26 36.85 	go get k8s.io/apimachinery/pkg/util/clock
+#26 36.85   k8s.io/client-go/rest imports
+#26 36.85   k8s.io/apimachinery/pkg/util/clock: no required module provides package k8s.io/apimachinery/pkg/util/clock; to add it:
+#26 36.85   go get k8s.io/apimachinery/pkg/util/clock
 #26 36.85 /scripts/go-mkopensource: fatal: ["go" "mod" "vendor"]: exit status 1
 #26 ERROR: executor failed running [/bin/sh -c /scripts/scan-go.sh]: exit code: 1
 ```
 
-Now the scanner is smart enough to follow the indications of the "go mod vendor"  install the dependencies, and then 
+Now the scanner will follow the indications of the "go mod vendor", install the dependencies, and then
 get the list of packages from the file ''vendor/modules.txt"
 
-Sometimes it isn't possible to install the dependecies sugested by the "go mod vendor" command. 
+Sometimes it isn't possible to install the dependencies suggested by the "go mod vendor" command.
 The scanner will complain with the message "Error installing dependency". In this case the project will require human intervention to solve the problem.
 
-Another reason that may cause a failure is the use of our proprietary packages, like `github.com/datawire/telepresence-pro/rpc/proconnector`. 
-The error will message will be similar to this one: 
+Another reason that may cause a failure is the use of our proprietary packages, like `github.com/datawire/telepresence-pro/rpc/proconnector`.
+The error will message will be similar to this one:
 
 ```bash
 /scripts/go-mkopensource: fatal: 1 license-detection errors:
   1. Package "github.com/datawire/telepresence-pro/rpc/proconnector": could not identify a license for all sources (had no global LICENSE file)
 ```
 
-Fo exclude these packages, add a yaml file like this
+To exclude these packages, add a yaml file like this:
+
 ```yaml
 - github.com/datawire/telepresence-pro/rpc/userdaemon
 - github.com/datawire/telepresence-pro/rpc/proconnector
@@ -180,19 +184,17 @@ And pass it to the generate.sh script using the argument `--proprietary-packages
 ./generate.sh" --proprietary-packages proprietary-packages.yaml;
 ```
 
-### Remember to always create a ticket!
-When a problem arise, remember to always create a ticket so that the problem can be fixed. This will help all users
-of the `go-mkopensource` tool and in many cases also make the owner of the failing component aware of the problem.
-
 ## Dependabot PRs
 
 When dependabot creates a PR, it's possible that license scanning will fail due so several factors:
+
 1. A Go package is unavailable in the new version of a module
 2. Dependency information is out of date.
 
 To reduce friction merging dependabot PRs, there is an action (`save-dependabot-changes`) that will update a PR created by dependabot.
 
 Use the action in a workflow as follows:
+
 ```yaml
 name: "Verify licenses"
 on: push
@@ -207,7 +209,7 @@ jobs:
         id: changed-by-dependabot
         uses: datawire/go-mkopensource/actions/[email protected]
         with:
-          branches_to_skip: 'master'
+          branches_to_skip: "master"
       - name: Abort if dependencies changed
         if: steps.changed-by-dependabot.outputs.license_information_committed == 'true'
         run: |
@@ -216,10 +218,11 @@ jobs:
       # Continue with other steps
 ```
 
-*Notes*:
-- The GitHub token GITHUB_TOKEN should have at least `contents:write` and `actions: write` 
+**Notes**:
+
+- The GitHub token GITHUB_TOKEN should have at least `contents:write` and `actions: write`
   [privileges](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
-- The workflow that invokes the action should have a `workflow_dispatch` 
+- The workflow that invokes the action should have a `workflow_dispatch`
   [trigger](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch).
 
 ### Testing changes to the `save-dependabot-changes` action
@@ -231,5 +234,5 @@ to point to the new version of the action.
 uses: datawire/go-mkopensource/actions/save-dependabot-changes@<VERSION>
 ```
 
-Note: If you want to test your changes before they are complete, you could use a branch in the action reference, and 
-update it to a tag once you're ready to release.  
+Note: If you want to test your changes before they are complete, you could use a branch in the action reference, and
+update it to a tag once you're ready to release.

build-aux/docker/go_builder.dockerfile

@@ -2,7 +2,7 @@
 # Go dependency scanner
 ########################################
 ARG GO_IMAGE="base-image-unknown"
-FROM golang:1.20.12-alpine3.19 as builder
+FROM golang:1.22.4-alpine3.20 as builder
 
 ENV GOCACHE=/root/.cache/go-build
 RUN mkdir -p "${GOCACHE}"

build-aux/docker/js_builder.dockerfile

@@ -2,7 +2,7 @@
 # builder for Js scanning
 ######################################################################
 ARG NODE_IMAGE="need-a-base-image"
-FROM golang:1.19-alpine3.15 as builder
+FROM golang:1.22.4-alpine3.20 as builder
 
 ENV GOCACHE=/root/.cache/go-build
 RUN mkdir -p "${GOCACHE}"

build-aux/docker/py_builder.dockerfile

@@ -2,7 +2,7 @@
 # Python dependency scanner
 ########################################
 ARG PYTHON_IMAGE="need-a-base-image"
-FROM golang:1.19-alpine3.15 as builder
+FROM golang:1.22.4-alpine3.20 as builder
 
 WORKDIR /src
 COPY . ./