Move commands to separate modules

Make each helper command its own module to avoid maintaining every
tool's dependencies in a single go.mod.

Also remove update-deps.sh and update-codegen.sh which weren't used
anywhere.

Signed-off-by: Colleen Murphy <[email protected]>

Author: cmurphy

.github/dependabot.yml

@@ -22,7 +22,10 @@ updates:
     - "cloud-sql-proxy"
 
 - package-ecosystem: gomod
-  directory: "/"
+  directories:
+    - "/"
+    - "/tools/*"
+    - "/hack/"
   schedule:
     interval: weekly
   open-pull-requests-limit: 10

.github/workflows/add-remove-new-fulcio.yaml

@@ -203,7 +203,7 @@ jobs:
 
     - name: Verify both Fulcio certs are there
       run: |
-        go run ./cmd/ctlog/verifyfulcio/main.go \
+        go run ./tools/ctlog/cmd/ctlog/verifyfulcio/main.go \
         --ctlog-url ${CTLOG_URL} \
         --log-prefix sigstorescaffolding \
         --fulcio ${FULCIO_URL} \
@@ -232,7 +232,7 @@ jobs:
 
     - name: Verify that only new Fulcio cert is there
       run: |
-        go run ./cmd/ctlog/verifyfulcio/main.go \
+        go run ./tools/ctlog/cmd/ctlog/verifyfulcio/main.go \
         --ctlog-url ${CTLOG_URL} \
         --log-prefix sigstorescaffolding \
         --fulcio ${NEW_FULCIO_URL}

.github/workflows/codeql-analysis.yml

@@ -39,11 +39,11 @@ jobs:
           filters: |
             gocode:
               - 'pkg/**'
-              - 'cmd/**'
+              - 'tools/**'
 
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: 'go.mod'
+          go-version: stable
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/create-tink-keyset-test.yml

@@ -5,7 +5,7 @@ on:
     branches:
       - main
     paths:
-    - 'cmd/create-tink-keyset/**'
+    - 'tools/create-tink-keyset/cmd/create-tink-keyset/**'
 
 permissions:
   contents: read
@@ -23,9 +23,9 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: './tools/create-tink-keyset/go.mod'
           check-latest: true
 
       - name: Create Tink Keyset build
         id: create-tink-keyset-test
-        run: go build ./cmd/create-tink-keyset
+        run: go build ./tools/create-tink-keyset/cmd/create-tink-keyset

.github/workflows/prober-test.yml

@@ -6,12 +6,12 @@ on:
     branches:
       - main
     paths:
-    - 'cmd/prober/**'
+    - 'tools/prober/cmd/prober/**'
   pull_request:
     branches:
       - main
     paths:
-    - 'cmd/prober/**'
+    - 'tools/prober/cmd/prober/**'
 
 permissions:
   contents: read
@@ -40,11 +40,11 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: './tools/prober/go.mod'
           check-latest: true
 
       - name: Build prober test
-        run: go build ./cmd/prober
+        run: go build ./tools/prober/cmd/prober
 
       - name: Get test OIDC token
         uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main

.github/workflows/release.yaml

@@ -30,7 +30,7 @@ jobs:
 
     - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
-        go-version-file: ./src/github.com/${{ github.repository }}/go.mod
+        go-version: stable
         check-latest: true
 
     - name: Install ko

.github/workflows/verify.yml

@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: 'go.mod'
+          go-version: stable
           check-latest: true
           cache: true
 
@@ -42,20 +42,37 @@ jobs:
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
 
+  detect-modules:
+    runs-on: ubuntu-latest
+    outputs:
+      modules: ${{ steps.set-modules.outputs.modules }}
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version: stable
+      - id: set-modules
+        run: echo "modules=$(go list -m -json | jq -s 'del(.[] | select(.Path == "github.com/sigstore/scaffolding/hack"))' | jq -c '[.[].Dir]')" >> $GITHUB_OUTPUT
+
   golangci:
     name: lint
+    needs: detect-modules
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        modules: ${{ fromJSON(needs.detect-modules.outputs.modules) }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          go-version-file: 'go.mod'
+          go-version: stable
           check-latest: true
 
       - name: golangci-lint
         uses: golangci/golangci-lint-action@0a35821d5c230e903fcfe077583637dea1b27b47 # v9.0.0
         with:
           version: v2.4
+          working-directory: ${{ matrix.modules }}

.gitignore

@@ -5,7 +5,6 @@ release-*.yaml
 testrelease.yaml
 kind.yaml
 .vscode/*
-prober
 /cloudsqlproxy
 /createcertchain
 /createcerts

.ko.yaml

@@ -1,11 +1,11 @@
 ---
 defaultBaseImage: gcr.io/distroless/static-debian12:nonroot
 baseImageOverrides:
-  github.com/sigstore/scaffolding/cmd/cloudsqlproxy: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.19.0-alpine
+  github.com/sigstore/scaffolding/tools/cloudsqlproxy/cmd/cloudsqlproxy: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.19.0-alpine
 
 builds:
   - id: ctlog-createctconfig
-    dir: .
+    dir: ./tools/ctlog/
     main: ./cmd/ctlog/createctconfig
     env:
       - CGO_ENABLED=0
@@ -20,7 +20,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: ctlog-managectroots
-    dir: .
+    dir: ./tools/ctlog/
     main: ./cmd/ctlog/managectroots
     env:
       - CGO_ENABLED=0
@@ -35,7 +35,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: ctlog-verifyfulcio
-    dir: .
+    dir: ./tools/ctlog/
     main: ./cmd/ctlog/verifyfulcio
     env:
       - CGO_ENABLED=0
@@ -50,7 +50,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: fulcio-createcerts
-    dir: .
+    dir: ./tools/fulcio/
     main: ./cmd/fulcio/createcerts
     env:
       - CGO_ENABLED=0
@@ -65,7 +65,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: tuf-createsecret
-    dir: .
+    dir: ./tools/tuf/
     main: ./cmd/tuf/createsecret
     env:
       - CGO_ENABLED=0
@@ -80,7 +80,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: tuf-server
-    dir: .
+    dir: ./tools/tuf/
     main: ./cmd/tuf/server
     env:
       - CGO_ENABLED=0
@@ -95,7 +95,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: trillian-createtree
-    dir: .
+    dir: ./tools/trillian/
     main: ./cmd/trillian/createtree
     env:
       - CGO_ENABLED=0
@@ -110,7 +110,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: trillian-createdb
-    dir: .
+    dir: ./tools/trillian/
     main: ./cmd/trillian/createdb
     env:
       - CGO_ENABLED=0
@@ -125,7 +125,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: trillian-updatetree
-    dir: .
+    dir: ./tools/trillian/
     main: ./cmd/trillian/updatetree
     env:
       - CGO_ENABLED=0
@@ -140,7 +140,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: cloudsqlproxy
-    dir: .
+    dir: ./tools/cloudsqlproxy/
     main: ./cmd/cloudsqlproxy
     env:
       - CGO_ENABLED=0
@@ -155,7 +155,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: getoidctoken
-    dir: .
+    dir: ./tools/getoidctoken/
     main: ./cmd/getoidctoken
     env:
       - CGO_ENABLED=0
@@ -170,7 +170,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: prober
-    dir: .
+    dir: ./tools/prober/
     main: ./cmd/prober
     env:
       - CGO_ENABLED=0
@@ -185,7 +185,7 @@ builds:
       - "{{ .Env.LDFLAGS }}"
 
   - id: rekor-createsecret
-    dir: .
+    dir: ./tools/rekor/
     main: ./cmd/rekor/rekor-createsecret
     env:
       - CGO_ENABLED=0

Makefile

@@ -5,11 +5,14 @@ LDFLAGS=-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$(GIT_TAG) -X
 
 KO_DOCKER_REPO ?= ghcr.io/sigstore/scaffolding
 
-TRILLIAN_VERSION=$(shell go list -m -f '{{ .Version }}' github.com/google/trillian)
+TRILLIAN_VERSION=$(shell cd hack && go list -m -f '{{ .Version }}' github.com/google/trillian)
 
-OMNIWITNESS_VERSION=$(shell go list -m -f '{{ .Version }}' github.com/transparency-dev/witness)
+OMNIWITNESS_VERSION=$(shell cd hack && go list -m -f '{{ .Version }}' github.com/transparency-dev/witness)
 
-TESSERACT_VERSION=$(shell go list -m -f '{{ .Version }}' github.com/transparency-dev/tesseract)
+TESSERACT_VERSION=$(shell cd hack && go list -m -f '{{ .Version }}' github.com/transparency-dev/tesseract)
+
+lint:
+	go list -f '{{.Dir}}/...' -m | xargs golangci-lint run
 
 # These are the subdirs under config that we'll turn into separate artifacts.
 artifacts := trillian ctlog fulcio rekor tsa tuf prober
@@ -23,7 +26,7 @@ ko-resolve:
 	--image-refs imagerefs-$(artifact) > release-$(artifact).yaml )) \
 	# "Building cloudsqlproxy wrapper"
 	LDFLAGS="$(LDFLAGS)" KO_DOCKER_REPO=$(KO_DOCKER_REPO) \
-	ko build --base-import-paths --platform=all --tags $(GIT_TAG),latest --image-refs imagerefs-cloudsqlproxy ./cmd/cloudsqlproxy
+	ko build --base-import-paths --platform=all --tags $(GIT_TAG),latest --image-refs imagerefs-cloudsqlproxy ./tools/cloudsqlproxy/cmd/cloudsqlproxy
 	# "Building trillian_log_server"
 	LDFLAGS="$(LDFLAGS)" KO_DOCKER_REPO=$(KO_DOCKER_REPO) \
 	ko build --base-import-paths --platform=all --tags $(TRILLIAN_VERSION),$(GIT_TAG),latest --image-refs imagerefs-trillian_log_server github.com/google/trillian/cmd/trillian_log_server
@@ -66,7 +69,7 @@ release-images: ko-resolve ko-resolve-testdata
 
 .PHONY: prober
 prober:
-	go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/prober
+	go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./tools/prober/cmd/prober
 
 ### Testing
 
@@ -130,52 +133,52 @@ build: build-tuf-server build-cloudsqlproxy build-ctlog-createctconfig build-ctl
 
 .PHONY: build-cloudsqlproxy
 build-cloudsqlproxy:
-	go build -trimpath ./cmd/cloudsqlproxy
+	go build -trimpath ./tools/cloudsqlproxy/cmd/cloudsqlproxy
 
 .PHONY: build-ctlog-createctconfig
 build-ctlog-createctconfig:
-	go build -trimpath ./cmd/ctlog/createctconfig
+	go build -trimpath ./tools/ctlog/cmd/ctlog/createctconfig
 
 .PHONY: build-ctlog-managectroots
 build-ctlog-managectroots:
-	go build -trimpath ./cmd/ctlog/managectroots
+	go build -trimpath ./tools/ctlog/cmd/ctlog/managectroots
 
 .PHONY: build-ctlog-verifyfulcio
 build-ctlog-verifyfulcio:
-	go build -trimpath ./cmd/ctlog/verifyfulcio
+	go build -trimpath ./tools/ctlog/cmd/ctlog/verifyfulcio
 
 .PHONY: build-fulcio-createcerts
 build-fulcio-createcerts:
-	go build -trimpath ./cmd/fulcio/createcerts
+	go build -trimpath ./tools/fulcio/cmd/fulcio/createcerts
 
 .PHONY: build-getoidctoken
 build-getoidctoken:
-	go build -trimpath ./cmd/getoidctoken
+	go build -trimpath ./tools/getoidctoken/cmd/getoidctoken
 
 .PHONY: build-rekor-createsecret
 build-rekor-createsecret:
-	go build -trimpath ./cmd/rekor/rekor-createsecret
+	go build -trimpath ./tools/rekor/cmd/rekor/rekor-createsecret
 
 .PHONY: build-trillian-createdb
 build-trillian-createdb:
-	go build -trimpath ./cmd/trillian/createdb
+	go build -trimpath ./tools/trillian/cmd/trillian/createdb
 
 .PHONY: build-trillian-createtree
 build-trillian-createtree:
-	go build -trimpath ./cmd/trillian/createtree
+	go build -trimpath ./tools/trillian/cmd/trillian/createtree
 
 .PHONY: build-trillian-updatetree
 build-trillian-updatetree:
-	go build -trimpath ./cmd/trillian/updatetree
+	go build -trimpath ./tools/trillian/cmd/trillian/updatetree
 
 .PHONY: build-tsa-createcertchain
 build-tsa-createcertchain:
-	go build -trimpath ./cmd/tsa/createcertchain
+	go build -trimpath ./tools/tsa/cmd/tsa/createcertchain
 
 .PHONY: build-tuf-createsecret
 build-tuf-createsecret:
-	go build -trimpath ./cmd/tuf/createsecret
+	go build -trimpath ./tools/tuf/cmd/tuf/createsecret
 
 .PHONY: build-tuf-server
 build-tuf-server:
-	go build -trimpath ./cmd/tuf/server
+	go build -trimpath ./tools/tuf/cmd/tuf/server