kubernetes-sigs
diff --git a/‎.github/workflows/pr-dependabot.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/pr-dependabot.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/pr-golangci-lint.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/pr-golangci-lint.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/pr-md-link-check.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/pr-md-link-check.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/pr-verify.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/pr-verify.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/release.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/weekly-md-link-check.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/weekly-md-link-check.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/weekly-security-scan.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/weekly-security-scan.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/weekly-test-release.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/weekly-test-release.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎.golangci-kal.yml
Lines changed: 74 additions & 52 deletions b/‎.golangci-kal.yml
Lines changed: 74 additions & 52 deletions
@@ -19,15 +19,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code into the Go module directory
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
     - name: Calculate go version
       id: vars
       run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
     - name: Set up Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # tag=v5.5.0
       with:
         go-version: ${{ steps.vars.outputs.go_version }}
-    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # tag=v4.2.3
+    - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # tag=v4.2.4
       name: Restore go cache
       with:
         path: |
 
@@ -19,7 +19,7 @@ jobs:
           - test
           - hack/tools
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
       - name: Calculate go version
         id: vars
         run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
@@ -30,7 +30,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # tag=v8.0.0
         with:
-          version: v2.1.0
+          version: v2.3.0
           working-directory: ${{matrix.working-directory}}
       - name: Lint API
         run: make lint-api
@@ -14,7 +14,7 @@ jobs:
     name: Broken Links
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
     - uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # tag=1.0.17
       with:
         use-quiet-mode: 'yes'
 
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
 
       - name: Check if PR title is valid
         env:
 
@@ -17,7 +17,7 @@ jobs:
       release_tag: ${{ steps.release-version.outputs.release_version }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
         with:
           fetch-depth: 0
       - name: Get changed files
@@ -88,7 +88,7 @@ jobs:
         env:
           RELEASE_TAG: ${{needs.push_release_tags.outputs.release_tag}}
       - name: checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
         with:
           fetch-depth: 0
           ref: ${{ env.RELEASE_TAG }}
 
@@ -14,10 +14,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        branch: [ main, release-1.10, release-1.9, release-1.8 ]
+        branch: [ main, release-1.11, release-1.10, release-1.9 ]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
         with:
           ref: ${{ matrix.branch }}
       - uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # tag=1.0.17
 
@@ -13,12 +13,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        branch: [ main, release-1.10, release-1.9, release-1.8 ]
+        branch: [ main, release-1.11, release-1.10, release-1.9 ]
     name: Trivy
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
       with:
         ref: ${{ matrix.branch }}
     - name: Calculate go version
 
@@ -17,10 +17,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        branch: [ main, release-1.10, release-1.9, release-1.8 ]
+        branch: [ main, release-1.11, release-1.10, release-1.9 ]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # tag=v5.0.0
         with:
           ref: ${{ matrix.branch }}
           fetch-depth: 0
 
@@ -14,6 +14,7 @@ hack/tools/bin
 test/e2e/data/infrastructure-docker/**/cluster-template*.yaml
 !test/e2e/data/infrastructure-docker/**/clusterclass-quick-start.yaml
 !test/e2e/data/infrastructure-docker/**/clusterclass-quick-start-runtimesdk.yaml
+!test/e2e/data/infrastructure-docker/**/clusterclass-quick-start-runtimesdk-v1beta1.yaml
 !test/e2e/data/infrastructure-docker/**/cluster-template-in-memory.yaml
 !test/e2e/data/infrastructure-docker/**/clusterclass-in-memory.yaml
 test/e2e/data/infrastructure-docker/**/clusterclass-*.yaml
 
@@ -16,17 +16,23 @@ linters:
             enable:
               - "commentstart" # Ensure comments start with the serialized version of the field name.
               - "conditions" # Ensure conditions have the correct json tags and markers.
+              - "conflictingmarkers"
               - "duplicatemarkers" # Ensure there are no exact duplicate markers. for types and fields.
               - "integers" # Ensure only int32 and int64 are used for integers.
               - "jsontags" # Ensure every field has a json tag.
               - "maxlength" # Ensure all strings and arrays have maximum lengths/maximum items.
               - "nobools" # Bools do not evolve over time, should use enums instead.
               - "nofloats" # Ensure floats are not used.
               - "nomaps" # Ensure maps are not used.
+              - "notimestamp" # Prevents usage of 'Timestamp' fields
+              - "optionalfields" # Ensure that all fields marked as optional adhere to being pointers and
+                                 # having the `omitempty` value in their `json` tag where appropriate.
               - "optionalorrequired" # Every field should be marked as `+optional` or `+required`.
               - "requiredfields" # Required fields should not be pointers, and should not have `omitempty`.
+              - "ssatags" # Ensure array fields have the appropriate listType markers
               - "statusoptional" # Ensure all first children within status should be optional.
               - "statussubresource" # All root objects that have a `status` field should have a status subresource.
+              - "uniquemarkers" # Ensure that types and fields do not contain more than a single definition of a marker that should only be present once.
 
             # Per discussion in July 2024, we are keeping phase fields for now.
             # See https://github.com/kubernetes-sigs/cluster-api/pull/10897#discussion_r1685929508
@@ -37,17 +43,23 @@ linters:
             disable:
             - "*" # We will manually enable new linters after understanding the impact. Disable all by default.
           lintersConfig:
+            conflictingmarkers:
+              conflicts:
+              - name: "default_vs_required"
+                sets:
+                  - ["default", "kubebuilder:default"]
+                  - ["required", "kubebuilder:validation:Required", "k8s:required"]
+                description: "A field with a default value cannot be required"
             conditions:
               isFirstField: Warn # Require conditions to be the first field in the status struct.
-              usePatchStrategy: Forbid # Require conditions to be the first field in the status struct.
+              usePatchStrategy: Forbid # Forbid patchStrategy markers on the Conditions field.
               useProtobuf: Forbid # We don't use protobuf, so protobuf tags are not required.
-          # jsonTags:
-          #   jsonTagRegex: "^[a-z][a-z0-9]*(?:[A-Z][a-z0-9]*)*$" # The default regex is appropriate for our use case.
-          # optionalOrRequired:
-          #   preferredOptionalMarker: optional | kubebuilder:validation:Optional # The preferred optional marker to use, fixes will suggest to use this marker. Defaults to `optional`.
-          #   preferredRequiredMarker: required | kubebuilder:validation:Required # The preferred required marker to use, fixes will suggest to use this marker. Defaults to `required`.
-          # requiredFields:
-          #   pointerPolicy: Warn | SuggestFix # Defaults to `SuggestFix`. We want our required fields to not be pointers.
+            optionalfields:
+              pointers:
+                preference: WhenRequired # Always | WhenRequired # Whether to always require pointers, or only when required. Defaults to `Always`.
+                policy: SuggestFix # SuggestFix | Warn # The policy for pointers in optional fields. Defaults to `SuggestFix`.
+              omitempty:
+                policy: SuggestFix # SuggestFix | Warn | Ignore # The policy for omitempty in optional fields. Defaults to `SuggestFix`.
 
   exclusions:
     generated: strict
@@ -63,86 +75,96 @@ linters:
       linters:
         - kubeapilinter
 
-    ## Excludes that can be removed once v1alpha1/v1beta1 apiVersions are dropped
-
-    # .status.deprecated.v1beta1.conditions fields are using v1beta1.Condition types, these fields will be removed once v1alpha1/v1beta1 is removed.
-    - path: "api/addons/v1beta2/*|api/bootstrap/kubeadm/v1beta2/*|api/controlplane/kubeadm/v1beta2/*|api/core/v1beta2/*|api/ipam/v1beta2/*|api/runtime/v1beta2/*|api/addons/v1beta1/*|api/bootstrap/kubeadm/v1beta1/*|api/controlplane/kubeadm/v1beta1/*|api/core/v1beta1/*|api/ipam/v1beta1/*|api/ipam/v1alpha1/*|api/runtime/v1alpha1/*"
-      text: "Conditions field must be a slice of metav1.Condition"
+    ## Excludes for old apiVersions that can be removed once the apiVersions are dropped (we don't want to make any changes to these APIs).
+    - path: "api/addons/v1beta1|api/bootstrap/kubeadm/v1beta1|api/controlplane/kubeadm/v1beta1|api/core/v1beta1|api/ipam/v1beta1|api/ipam/v1alpha1|api/runtime/v1alpha1"
       linters:
         - kubeapilinter
-    - path: "api/core/v1beta2/*|api/core/v1beta1/*"
-      text: "field Conditions type Conditions must have a maximum items, add kubebuilder:validation:MaxItems marker"
+
+    ## Excludes for current apiVersions that can be removed once v1beta1 is removed.
+    # .status.deprecated.v1beta1.conditions fields are using v1beta1.Condition types.
+    - path: "api/addons/v1beta2|api/bootstrap/kubeadm/v1beta2|api/controlplane/kubeadm/v1beta2|api/core/v1beta2|api/ipam/v1beta2|api/runtime/v1beta2"
+      text: "Conditions field in .*V1Beta1DeprecatedStatus must be a slice of metav1.Condition"
       linters:
         - kubeapilinter
-    # excludes for v1alpha1/v1beta1 API packages
-    - path: "api/core/v1beta1/*"
-      text: "type ClusterIPFamily should not use an int, int8 or int16. Use int32 or int64 depending on bounding requirements"
+    - path: "api/addons/v1beta2|api/bootstrap/kubeadm/v1beta2|api/controlplane/kubeadm/v1beta2|api/core/v1beta2|api/ipam/v1beta2|api/runtime/v1beta2"
+      text: "ssatags: Conditions should have a listType marker for proper Server-Side Apply behavior"
       linters:
         - kubeapilinter
-    - path: "api/ipam/v1alpha1/*|api/ipam/v1beta1/*"
-      text: "field Prefix should not use an int, int8 or int16. Use int32 or int64 depending on bounding requirements"
+    - path: "api/core/v1beta2"
+      text: "field Conditions type Conditions must have a maximum items, add kubebuilder:validation:MaxItems marker"
       linters:
         - kubeapilinter
-    - path: "api/core/v1beta1/*"
-      text: "field Addresses type MachineAddresses must have a maximum items, add kubebuilder:validation:MaxItems marker"
+    - path: "api/core/v1beta2/condition_types.go"
+      text: "requiredfields: field (Type|Status|LastTransitionTime) should have the omitempty tag"
       linters:
         - kubeapilinter
-    - path: "api/bootstrap/kubeadm/v1beta1/*"
-      text: "nomaps: APIEndpoints should not use a map type, use a list type with a unique name/identifier instead"
+
+    ## Excludes for current clusterctl v1alpha3 and Runtime Hooks v1alpha1 apiVersions (can be fixed once we bump their apiVersion).
+    # Note: The types in api/runtime/hooks/v1alpha1 are not CRDs, so e.g. SSA markers don't make sense there.
+    - path: "cmd/clusterctl/api/v1alpha3|api/runtime/hooks/v1alpha1"
+      text: "optionalfields|requiredfields|maxlength|ssatags"
       linters:
         - kubeapilinter
-    - path: "api/core/v1beta1/*"
-      text: "nomaps: FailureDomains should not use a map type, use a list type with a unique name/identifier instead"
+
+    ## Excludes for JSONSchemaProps
+    # We want to align to the JSON tags of the CustomResourceDefinition fields.
+    - path: "api/core/v1beta2/clusterclass_types"
+      text: "field (XPreserveUnknownFields|XPreserveUnknownFields|XValidations|XMetadata|XIntOrString) json tag does not match pattern"
       linters:
         - kubeapilinter
-
-    ## Excludes for clusterctl and Runtime Hooks (can be fixed once we bump their apiVersion)
-    - path: "cmd/clusterctl/api/v1alpha3|api/runtime/hooks/v1alpha1"
-      text: "maxlength"
+    # We want to align Properties to the corresponding field in CustomResourceDefinitions.
+    - path: "api/core/v1beta2/clusterclass_types"
+      text: "Properties should not use a map type, use a list type with a unique name/identifier instead"
       linters:
         - kubeapilinter
-
-    ## controller-gen does not allow to add MaxItems to Schemaless fields
-    - path: "api/core/v1beta2/*|api/core/v1beta1/*"
-      text: "maxlength: field (AllOf|OneOf|AnyOf) must have a maximum items, add kubebuilder:validation:MaxItems marker"
+    # It's simpler to check these fields against nil vs. using reflect.DeepEqual everywhere.
+    - path: "api/core/v1beta2/clusterclass_types.go"
+      text: "optionalfields: field (AdditionalProperties|Items|Not) does not allow the zero value. (The field does not need to be a pointer|It must have the omitzero tag)"
       linters:
         - kubeapilinter
 
     ## Removal of bool fields of existing types requires further discussion
-    - path: "api/bootstrap/kubeadm/v1beta2/*|api/controlplane/kubeadm/v1beta2/*|api/core/v1beta2/*|api/addons/v1beta2/*|api/bootstrap/kubeadm/v1beta1/*|api/controlplane/kubeadm/v1beta1/*|api/v1alpha1/*|api/core/v1beta1/*|api/addons/v1beta1/*"
+    - path: "api/bootstrap/kubeadm/v1beta2|api/controlplane/kubeadm/v1beta2|api/core/v1beta2|api/addons/v1beta2"
       text: "nobools"
       linters:
         - kubeapilinter
 
-    ## Excludes for JSONSchemaProps
-    # We want to align to the JSON tags of the CustomResourceDefinition fields.
-    - path: "api/core/v1beta2/*|api/core/v1beta1/*"
-      text: "field (XPreserveUnknownFields|XPreserveUnknownFields|XValidations|XMetadata|XIntOrString) json tag does not match pattern"
+    ## Excludes for kubeadm types
+    # We want to align the FeatureGates field to the FeatureGates field in kubeadm.
+    - path: "api/bootstrap/kubeadm/v1beta2/kubeadm_types.go"
+      text: "nomaps: FeatureGates should not use a map type, use a list type with a unique name/identifier instead"
       linters:
         - kubeapilinter
-    # We want to align Properties to the corresponding field in CustomResourceDefinitions.
-    - path: "api/core/v1beta2/*|api/core/v1beta1/*"
-      text: "Properties should not use a map type, use a list type with a unique name/identifier instead"
+
+    ## Excludes for requiredfields
+    # Empty Bootstrap object is blocked via validating webhooks. This cannot be detected by KAL (same if we move the validation to CEL).
+    - path: "api/core/v1beta2/machine_types.go"
+      text: "requiredfields: field Bootstrap has a valid zero value \\({}\\), but the validation is not complete \\(e.g. min properties/adding required fields\\). The field should be a pointer to allow the zero value to be set. If the zero value is not a valid use case, complete the validation and remove the pointer."
       linters:
         - kubeapilinter
 
-    ## Excludes for kubeadm types
-    # We want to align the FeatureGates field to the FeatureGates field in kubeadm.
-    - path: "api/bootstrap/kubeadm/v1beta2/*|api/bootstrap/kubeadm/v1beta1/*"
-      text: "nomaps: FeatureGates should not use a map type, use a list type with a unique name/identifier instead"
+    ## Excludes for optionalfields
+    ## The ExtraEnvs field intentionally has type *[]EnvVar.
+    ## Today we have MinItems=1, but we might have to support MinItems=0 in the future if kubeadm starts supporting it.
+    - path: "api/bootstrap/kubeadm/v1beta2/kubeadm_types.go"
+      text: "optionalfields: field ExtraEnvs does not allow the zero value. The field does not need to be a pointer."
       linters:
         - kubeapilinter
 
-    ## TODO: The following rules are disabled until we migrate to the new API.
-    # Note: Maybe this has to stay a pointer for marshalling reasons.
-    - path: "api/bootstrap/kubeadm/v1beta2/kubeadm_types.go|api/bootstrap/kubeadm/v1beta1/kubeadm_types.go"
-      text: "field Token is marked as required, should not be a pointer"
+    # TODO: Excludes that should be removed once the corresponding issues in KAL are fixed
+    # KAL incorrectly reports that the Taints field doesn't have to be a pointer (it has to be to preserve []).
+    # See: https://github.com/kubernetes-sigs/kube-api-linter/issues/116
+    - path: "api/bootstrap/kubeadm/v1beta2/kubeadm_types.go"
+      text: "optionalfields: field Taints underlying type does not need to be a pointer. The pointer should be removed."
       linters:
         - kubeapilinter
-    - path: "api/core/v1beta2/clusterclass_types.go|api/core/v1beta1/clusterclass_types.go"
-      text: "field Ref is marked as required, should not be a pointer"
+     # KAL incorrectly reports that the zero value is valid
+     # See: https://github.com/kubernetes-sigs/kube-api-linter/issues/138
+    - path: "api/bootstrap/kubeadm/v1beta2/kubeadm_types.go"
+      text: "requiredfields: field Token has a valid zero value \\({\"\": \"\", \"\": \"\"}\\) and should be a pointer."
       linters:
         - kubeapilinter
+
 issues:
   max-same-issues: 0
   max-issues-per-linter: 0