next-stack · pull · Apr 12, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/.bazelignore b/.bazelignore
diff --git a/.bazelrc b/.bazelrc
diff --git a/.clomonitor.yml b/.clomonitor.yml
@@ -0,0 +1,9 @@
+# License scanning information
+licenseScanning:
+  # URL with the repository's license scanning results
+  #
+  # CLOMonitor can extract license scanning results from FOSSA and Snyk badges
+  # in the repository README.md file automatically. If your repository uses a
+  # different scanning solution, this url can be set to pass the corresponding
+  # check.
+  url: https://github.com/cert-manager/cert-manager/blob/master/LICENSES
diff --git a/.github/ISSUE_TEMPLATE/bug.md b/.github/ISSUE_TEMPLATE/bug.md
@@ -7,7 +7,7 @@ about: Report a bug to help us improve cert-manager
 <!--
 Bugs should be filed for issues encountered whilst operating cert-manager.
 You should first attempt to resolve your issues through the community support
-channels, e.g. Slack, in order to rule out individual configuration errors.
+channels, e.g., Slack, in order to rule out individual configuration errors.
 Please provide as much detail as possible. 
 -->
 
@@ -30,10 +30,10 @@ gain an understanding of the problem.-->
 
 **Anything else we need to know?**:
 
-**Environment details:**:
+**Environment details**:
 - Kubernetes version:
 - Cloud-provider/provisioner:
 - cert-manager version: 
-- Install method: e.g. helm/static manifests
+- Install method: e.g., helm/static manifests
 
 /kind bug
diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md
@@ -20,7 +20,7 @@ about: Suggest an idea to improve cert-manager
 - Kubernetes version:
 - Cloud-provider/provisioner:
 - cert-manager version: 
-- Install method: e.g. helm/static manifests
+- Install method: e.g., helm/static manifests
 
 
 /kind feature
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -18,9 +18,14 @@ Thanks for opening a pull request! Here are some tips to get everything merged s
 
 ### Kind
 
+<!--
+The kind(s) listed after "kind" after this comment will be used by a bot to add labels when the PR is opened.
+If omitted at PR creation, someone will need to make a new comment with them later (editing the description after the fact will not trigger the bot).
+-->
+/kind
 <!--
 
-Pick a kind which best describes your PR from the following list:
+Pick the kind(s) which best describe your PR from the following list:
 
 	<cleanup | bug | feature | documentation | design | flake>
 

diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -0,0 +1,93 @@
+{
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
+  extends: [
+    'github>cert-manager/makefile-modules:renovate-config.json5'
+  ],
+  baseBranchPatterns: [
+    'master',
+    'release-1.20',
+    'release-1.19',
+  ],
+  addLabels: [
+    'kind/cleanup',
+    'release-note-none',
+  ],
+  customManagers: [
+    {
+      customType: 'regex',
+      managerFilePatterns: [
+        'make/base_images.mk',
+      ],
+      matchStrings: [
+        '(?<depName>gcr\\.io\/[^@]+)@(?<currentDigest>sha256:[a-f0-9]{64})',
+      ],
+      datasourceTemplate: 'docker',
+      // this tag must match the tag used in hack/latest-base-images.sh
+      currentValueTemplate: 'nonroot'
+    },
+    {
+      customType: 'regex',
+      managerFilePatterns: [
+        'hack/latest-kind-images.sh',
+        'make/02_mod.mk',
+      ],
+      matchStrings: [
+        "#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+packageName=(?<packageName>\\S+)\\s*\\n(?<varName>[A-Za-z0-9_]+)\\s*(?::=|\\?=|=)\\s*(?<currentValue>\\S+)"
+      ]
+    },
+  ],
+  packageRules: [
+    {
+      description: 'Ungroup all updates on release branches',
+      matchBaseBranches: [
+        '/^release-.*/',
+      ],
+      groupName: null,
+    },
+    {
+      groupName: 'Base Images',
+      matchManagers: [
+        'custom.regex',
+      ],
+      matchFileNames: [
+        'make/base_images.mk',
+      ],
+    },
+    {
+      groupName: null,
+      matchManagers: [
+        'custom.regex',
+      ],
+      matchPackageNames: [
+        'kubernetes-sigs/kind',
+      ],
+      postUpgradeTasks: {
+        commands: [
+          'hack/latest-kind-images.sh',
+        ],
+      },
+    },
+    {
+      description: 'Ignore misc files on release branches',
+      matchBaseBranches: [
+        '/^release-.*/'
+      ],
+      matchFileNames: [
+        '.github/workflows/*', // No workflow updates
+        'klone.yaml', // No makefile-modules updates
+      ],
+      enabled: false
+    },
+    {
+      description: 'Ignore major and minor updates on release branches',
+      matchBaseBranches: [
+        '/^release-.*/',
+      ],
+      matchUpdateTypes: [
+        'major',
+        'minor',
+      ],
+      enabled: false,
+    },
+  ],
+}
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
@@ -0,0 +1,37 @@
+# THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
+# Edit https://github.com/cert-manager/makefile-modules/blob/main/modules/go/base/.github/workflows/govulncheck.yaml instead.
+
+# Run govulncheck at midnight every night on the main branch,
+# to alert us to recent vulnerabilities which affect the Go code in this
+# project.
+name: govulncheck
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  govulncheck:
+    runs-on: ubuntu-latest
+
+    if: github.repository == 'cert-manager/cert-manager'
+
+    steps:
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        # Adding `fetch-depth: 0` makes sure tags are also fetched. We need
+        # the tags so `git describe` returns a valid version.
+        # see https://github.com/actions/checkout/issues/701 for extra info about this option
+        with: { fetch-depth: 0 }
+
+      - id: go-version
+        run: |
+          make print-go-version >> "$GITHUB_OUTPUT"
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ steps.go-version.outputs.result }}
+
+      - run: make verify-govulncheck
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -0,0 +1,55 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '43 13 * * 6'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    if: github.ref_name == github.event.repository.default_branch
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge.
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          sarif_file: results.sarif
diff --git a/.gitignore b/.gitignore
@@ -8,13 +8,14 @@
 /hack/build/dockerfiles/cert-manager-*_*_*
 .vscode
 .venv
-bazel-*
 /.settings/
 /.project
 _artifacts/
 /vendor/
 bin/
 _bin/
 .bin/
-user.bazelrc
 *.bak
+/go.work.sum
+**/go.work
+.claude
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -0,0 +1,95 @@
+version: "2"
+linters:
+  default: none
+  settings:
+    dogsled:
+      # Checks assignments with too many blank identifiers.
+      # Default: 2
+      max-blank-identifiers: 4
+    exhaustive:
+      default-signifies-exhaustive: true
+    gosec:
+      excludes:
+        - G101 # Look for hardcoded credentials
+        - G204 # Audit use of command execution
+        - G306 # Poor file permissions used when writing to a file
+    staticcheck:
+      checks: ["all", "-ST1000", "-ST1001", "-ST1003", "-ST1005", "-ST1012", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-QF1001", "-QF1003", "-QF1008"]
+  exclusions:
+    generated: lax
+    presets: [comments, common-false-positives, legacy, std-error-handling]
+    paths: [third_party, builtin$, examples$]
+    warn-unused: true
+  disable:
+    - nilnil
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - canonicalheader
+    - contextcheck
+    - copyloopvar
+    - decorder
+    - dogsled
+    - dupword
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errname
+    - exhaustive
+    - exptostd
+    - forbidigo
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocritic
+    - goheader
+    - goprintffuncname
+    - gosec
+    - gosmopolitan
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - interfacebloat
+    - intrange
+    - loggercheck
+    - makezero
+    - mirror
+    - misspell
+    - modernize
+    - musttag
+    - nakedret
+    - nilerr
+    - nilnil
+    - noctx
+    - nosprintfhostport
+    - predeclared
+    - promlinter
+    - protogetter
+    - reassign
+    - sloglint
+    - staticcheck
+    - tagalign
+    - testableexamples
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - usetesting
+    - wastedassign
+formatters:
+  enable: [gci, gofmt]
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard packages.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - localmodule # Local module section: contains all local packages. This section is not present unless explicitly enabled.
+        - blank # Blank section: contains all blank imports. This section is not present unless explicitly enabled.
+        - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
+      custom-order: true
+  exclusions:
+    generated: lax
+    paths: [third_party, builtin$, examples$]