CP-24703: tooling enhancements

There have been some improvements in the tooling in the cloudzero-insights-controller repository which should be brought over to cloudzero-agent-validator to avoid regressions (and smooth out the process) when we merge c-i-c.

This includes:

* Improvements to the Makefile
* Formatting non-Go code with Prettier
* Formatting Go code with gofumpt.
* Consistent copyright headers in every Go file.
* Adding lots of linters / static analysis and fixing the issues they uncover.
* Centralize CI checks in a single workflow.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,10 +1,9 @@
 ---
 name: Report an issue
 about: Create a bug report to fix an existing issue.
-title: ''
-labels: ''
-assignees: ''
-
+title: ""
+labels: ""
+assignees: ""
 ---
 
 **Please do not report security vulnerabilities here**. Please disclose all security issues to [security@cloudzero.com](mailto:security@cloudzero.com).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,10 +1,9 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
-title: ''
-labels: ''
-assignees: ''
-
+title: ""
+labels: ""
+assignees: ""
 ---
 
 **Is your feature request related to a problem? Please describe.**

.github/workflows/README.md

@@ -18,14 +18,14 @@ act allows you to simulate the GitHub Actions environment and execute the workfl
 
 **_Note - for the following commands, it is assumed you are in the base directory of the repository - and have the following environment variables set:_**
 
-* `GH_USER` - set to your github user name (such as josephbarnett)
-* `GH_PAT` - set to your github personal access token. This token should have repo write permissions, and package write permissions
+- `GH_USER` - set to your github user name (such as josephbarnett)
+- `GH_PAT` - set to your github personal access token. This token should have repo write permissions, and package write permissions
 
 Now, you can run the following workflow simulations.
 
 ### Manually Trigger the Merge Workflow
 
-The manual merge workflow [release-to-main.yml](release-to-main.yml) will perform a sync merge from the `develop` branch to `main`. 
+The manual merge workflow [release-to-main.yml](release-to-main.yml) will perform a sync merge from the `develop` branch to `main`.
 
 All releases are based on `main`, where as `develop` is incrementally changing until we are ready to release.
 
@@ -39,7 +39,7 @@ act --container-architecture linux/arm64 \
 
 ### Manually Trigger the DockerBuild Workflow:
 
-For the DockerBuild workflow [docker-build.yml](docker-build.yml), simulate a push to the main branch, develop branch, and a new release tag. It will automatically build a docker image from the repository code, scan it for security vulnerabilties, then if on main or develop - will publish the docker image to the public GHCR repository associated with the repository. 
+For the DockerBuild workflow [docker-build.yml](docker-build.yml), simulate a push to the main branch, develop branch, and a new release tag. It will automatically build a docker image from the repository code, scan it for security vulnerabilties, then if on main or develop - will publish the docker image to the public GHCR repository associated with the repository.
 
 The following sub-sections allow you to simulate these events and run each permuation.
 
@@ -73,5 +73,4 @@ act --container-architecture linux/arm64 \
     -j docker --eventpath .github/workflows/events/release-event.json
 ```
 
-
-By using these commands, you can test your workflows locally and verify their functionality before pushing them to GitHub. This ensures that your workflows are working correctly without needing to trigger them on the actual repository.
+By using these commands, you can test your workflows locally and verify their functionality before pushing them to GitHub. This ensures that your workflows are working correctly without needing to trigger them on the actual repository.

.github/workflows/docker-build.yml

@@ -5,7 +5,7 @@ on:
       - develop
       - main
     tags:
-      - '*'
+      - "*"
   # tag is pr-<number>
   pull_request:
   release:
@@ -36,7 +36,7 @@ jobs:
       - name: SETUP - Checkout
         id: checkout_code
         uses: actions/checkout@v4
-        
+
       - # Install buildx for multi-platform builds
         name: SETUP - Docker Buildx
         id: install_buildx
@@ -108,7 +108,7 @@ jobs:
           file: ${{ env.VALIDATOR_DOCKERFILE }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          platforms:  ${{ env.PLATFORMS }}
+          platforms: ${{ env.PLATFORMS }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |
@@ -126,11 +126,11 @@ jobs:
         uses: aquasecurity/trivy-action@0.29.0
         with:
           image-ref: ${{ env.REGISTRY_LOCAL_ADDR }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
-          format: 'table'
-          exit-code: '1'
+          format: "table"
+          exit-code: "1"
           ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
 
       ###########################################################################
       # PRODUCTION ONLY STEPS BEYOND THIS POINT
@@ -151,7 +151,7 @@ jobs:
               --user "${{ github.actor }}" \
               --pass-stdin
 
-      # Copy the image from the local registry 
+      # Copy the image from the local registry
       # to the production registry (retagging at the same time)
       # only allow on main, develop branches, or a version tag
       - name: PRODUCTION STEP - Publish Image to Production
@@ -167,4 +167,4 @@ jobs:
             regctl image copy \
               ${{ env.REGISTRY_LOCAL_ADDR }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} \
               ${{ env.REGISTRY_PROD_ADDR }}/${{ env.IMAGE_NAME }}:latest
-          fi
+          fi

.github/workflows/golang-ci.yml

@@ -0,0 +1,112 @@
+name: CI
+
+on: [push]
+
+jobs:
+  # Run tests
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Golang
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Install dependencies
+        run: |
+          go mod download
+      - name: Run go tests
+        run: |
+          make test-integration
+
+  # Run golangci-lint
+  #
+  # golangci-lint is a linter for Go. It is a wrapper around a number of
+  # linters, and is the default linter for this project.
+  #
+  # Note that we intentionally do not use the golangci-lint GitHub Action here
+  # since there is a good chance it will get out of sync with the version used
+  # in the Makefile. By using the version in the Makefile we make it easy to
+  # make sure all developers are using the same version, and therefore finding
+  # the same issues.
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Install golangci-lint
+        run: make install-tools-golangci-lint
+      - name: Run golangci-lint
+        run: make lint
+
+  # Run static analysis
+  analyze:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Golang
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Install tools
+        run: make install-tools
+      - name: Run static analysis
+        run: make analyze
+
+  # Run govulncheck
+  #
+  # govulncheck checks for known vulnerabilities in Go dependencies. Typically
+  # it would make sense to run this in a separate pipeline, perhaps on a cron
+  # job, because if it fails it will potentially "break" the CI builds for
+  # issues unrelated to the commit in question. However, since govulncheck has
+  # an extremely low rate of false positives (it checks if the vulnerable code
+  # is actually used, as opposed to there just being a vulnerability somewhere
+  # in the dependency), I think it is appropriate to force us to fix issues it
+  # finds ASAP.
+  govulncheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - id: govulncheck
+        uses: golang/govulncheck-action@v1
+        with:
+          go-version-file: go.mod
+
+  # Format code and data
+  format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Golang
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Install tools
+        run: make install-tools
+      - name: Format code
+        run: make format
+      - name: Check file format
+        run: git diff --exit-code --color
+
+  generate: # Generate code
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Golang
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Install tools
+        run: make install-tools
+      - name: Generate code
+        run: make generate
+      - name: Check for modified files
+        run: git diff --exit-code --color
+      - name: Debug
+        run: git ls-files --others
+      - name: Check for untracked files
+        run: test -z "$(git ls-files --others --exclude-standard)"

.github/workflows/release-to-main.yml

@@ -16,8 +16,8 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.head_ref }}   # checkout the correct branch name
-          fetch-depth: 0                # fetch the whole repo history
+          ref: ${{ github.head_ref }} # checkout the correct branch name
+          fetch-depth: 0 # fetch the whole repo history
 
       - name: Fetch all branches
         run: git fetch --all
@@ -50,17 +50,17 @@ jobs:
 
       - name: RELEASE - Create new version
         id: version
-        # outputs 
+        # outputs
         # new_tag - The value of the newly created tag.
         # old_tag - The value of the last semantic version tag before the version bump. Empty if no version bump is performed.
         # tag - The value of the latest tag after running this action.
         # part - The part of version which was bumped.
         uses: anothrNick/github-tag-action@1.71.0
         env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-            WITH_V: true
-            PRERELEASE: true
-            INITIAL_VERSION: ${{ env.LAST_TAG }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          WITH_V: true
+          PRERELEASE: true
+          INITIAL_VERSION: ${{ env.LAST_TAG }}
 
       - name: GET CHANGES
         id: get_changes
@@ -91,4 +91,4 @@ jobs:
             Changes in this Release:
             ${{ steps.get_changes.outputs.changes }}
           draft: false
-          prerelease: true
+          prerelease: true

.github/workflows/scan-images.yml

@@ -4,7 +4,7 @@ name: Scan Docker Image Tags
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 1 * *' # Runs at midnight UTC on the first day of every month
+    - cron: "0 0 1 * *" # Runs at midnight UTC on the first day of every month
 
 env:
   CRANE_VERSION: v0.6.0
@@ -29,7 +29,7 @@ jobs:
           # Convert to a JSON array of strings
           tags_array=$(echo "$filtered_tags" | jq -R -s -c 'split("\n")[:-1]')
           # Set the output for the matrix job
-          echo "tags_matrix=$(jq -cn --argjson environments "$tags_array" '{tag: $environments}')" >> $GITHUB_OUTPUT 
+          echo "tags_matrix=$(jq -cn --argjson environments "$tags_array" '{tag: $environments}')" >> $GITHUB_OUTPUT
 
   scan-job:
     needs: list-tags

.gitignore

@@ -3,6 +3,8 @@ go.work
 go.work.sum
 .tool-versions
 
+/.local-config.mk
+
 # app configuration
 /.cloudzero-agent-validator.yaml