Update to Kubernetes v1.34.0 and Go 1.25.0

.github/workflows/build.yaml

@@ -1,5 +1,6 @@
 name: build
 on:
+  workflow_dispatch:
   pull_request:
   push:
     branches: [ 'main', 'release/**' ]
@@ -16,31 +17,26 @@ jobs:
     - name: Setup Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
-        go-version: 1.24.x
+        go-version: 1.25.x
         cache-dependency-path: |
           **/go.sum
           **/go.mod
+    - name: Setup QEMU
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+    - name: Setup Docker Buildx
+      id: buildx
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
     - name: Run tests
       run: make test
     - name: Verify
       run: make verify
-
-  kind-linux-arm64:
-    runs-on:
-      group: "ARM64"
-    steps:
-      - name: checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-        with:
-          go-version: 1.24.x
-          cache-dependency-path: |
-            **/go.sum
-            **/go.mod
-      - name: Run tests
-        run: make test
-        env:
-          SKIP_COSIGN_VERIFICATION: true
-      - name: Verify
-        run: make verify
+    - name: Build multi-arch container image
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      with:
+        push: false
+        builder: ${{ steps.buildx.outputs.name }}
+        context: .
+        file: ./Dockerfile
+        platforms: linux/amd64,linux/arm/v7,linux/arm64
+        tags: |
+          ${{ github.repository }}:latest

.github/workflows/cifuzz.yaml

@@ -15,7 +15,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.24.x
+          go-version: 1.25.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod

.github/workflows/scan.yml

@@ -35,7 +35,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
-          go-version: 1.24.x
+          go-version: 1.25.x
           cache-dependency-path: |
             **/go.sum
             **/go.mod

DEVELOPMENT.md

@@ -15,7 +15,7 @@ There are a number of dependencies required to be able to run the controller and
 
 The following dependencies are also used by some of the `make` targets:
 
-- `controller-gen` (v0.7.0)
+- `controller-gen` (v0.19.0)
 - `gen-crd-api-reference-docs` (v0.3.0)
 - `setup-envtest` (latest)
 
@@ -24,7 +24,7 @@ If any of the above dependencies are not present on your system, the first invoc
 ## How to run the test suite
 
 Prerequisites:
-* Go >= 1.24
+* Go >= 1.25
 
 You can run the test suite by simply doing
 

Dockerfile

@@ -1,30 +1,16 @@
-ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.24
+ARG GO_VERSION=1.25
 ARG XX_VERSION=1.6.1
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_VARIANT} AS gostable
-
-FROM gostable AS go-linux
-
-# Build-base consists of build platform dependencies and xx.
-# These will be used at current arch to yield execute the cross compilations.
-FROM go-${TARGETOS} AS build-base
-
-RUN apk add clang lld
+# Docker buildkit multi-arch build requires golang alpine
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS builder
 
+# Copy the build utilities.
 COPY --from=xx / /
 
-# build can still be cached at build platform architecture.
-FROM build-base AS build
-
 ARG TARGETPLATFORM
 
-# Some dependencies have to installed for the target platform:
-# https://github.com/tonistiigi/xx#go--cgo
-RUN xx-apk add musl-dev gcc
-
 # Configure workspace
 WORKDIR /workspace
 
@@ -45,28 +31,17 @@ COPY internal/ internal/
 ARG TARGETPLATFORM
 ARG TARGETARCH
 
-# Reasons why CGO is in use:
-# - The SHA1 implementation (sha1cd) used by go-git depends on CGO for
-#   performance reasons. See: https://github.com/pjbgf/sha1cd/issues/15
-ENV CGO_ENABLED=1
-
-RUN export CGO_LDFLAGS="-static -fuse-ld=lld" && \
-  xx-go build  \
-  -ldflags "-s -w" \
-  -tags 'netgo,osusergo,static_build' \
-  -o /image-automation-controller -trimpath main.go;
-
-# Ensure that the binary was cross-compiled correctly to the target platform.
-RUN xx-verify --static /image-automation-controller
+# build without specifing the arch
+ENV CGO_ENABLED=0
+RUN xx-go build -trimpath -a -o image-automation-controller main.go
 
-FROM alpine:3.21
+FROM alpine:3.22
 
 ARG TARGETPLATFORM
 RUN apk --no-cache add ca-certificates \
   && update-ca-certificates
 
-# Copy over binary from build
-COPY --from=build /image-automation-controller /usr/local/bin/
+COPY --from=builder /workspace/image-automation-controller /usr/local/bin/
 
 USER 65534:65534
 ENTRYPOINT [ "image-automation-controller" ]

Makefile

@@ -15,9 +15,6 @@ BUILD_PLATFORMS ?= linux/amd64,linux/arm64,linux/arm/v7
 # Allows for defining additional Go test args, e.g. '-tags integration'.
 GO_TEST_ARGS ?= -race
 
-# Defines whether cosign verification should be skipped.
-SKIP_COSIGN_VERIFICATION ?= false
-
 # Directory with versioned, downloaded things
 CACHE := cache
 
@@ -37,16 +34,8 @@ BUILD_DIR := $(REPOSITORY_ROOT)/build
 # each fuzzer should run for.
 FUZZ_TIME ?= 1m
 
-ifeq ($(shell uname -s),Darwin)
-GO_STATIC_FLAGS=-ldflags "-s -w" -tags 'netgo,osusergo,static_build'
-endif
-
-ifeq ($(shell uname -s),Linux)
-	GO_STATIC_FLAGS=-ldflags "-s -w" -tags 'netgo,osusergo,static_build'
-endif
-
 # API (doc) generation utilities
-CONTROLLER_GEN_VERSION ?= v0.16.1
+CONTROLLER_GEN_VERSION ?= v0.19.0
 GEN_API_REF_DOCS_VERSION ?= e327d0730470cbd61b06300f81c5fcf91c23c113
 
 # If gobin not set, create one on ./build and add to path.
@@ -103,15 +92,10 @@ ${CACHE}/imagepolicies_${REFLECTOR_VER}.yaml:
 	curl -s --fail https://raw.githubusercontent.com/fluxcd/image-reflector-controller/${REFLECTOR_VER}/config/crd/bases/image.toolkit.fluxcd.io_imagepolicies.yaml \
 		-o ${CACHE}/imagepolicies_${REFLECTOR_VER}.yaml
 
-check-deps:
-ifeq ($(shell uname -s),Darwin)
-	if ! command -v pkg-config &> /dev/null; then echo "pkg-config is required"; exit 1; fi
-endif
-
 KUBEBUILDER_ASSETS?="$(shell $(ENVTEST) --arch=$(ENVTEST_ARCH) use -i $(ENVTEST_KUBERNETES_VERSION) --bin-dir=$(ENVTEST_ASSETS_DIR) -p path)"
 test: tidy test-api test_deps generate fmt vet manifests api-docs install-envtest ## Run tests
 	KUBEBUILDER_ASSETS=$(KUBEBUILDER_ASSETS) \
-	go test $(GO_STATIC_FLAGS) $(GO_TEST_ARGS) ./... -coverprofile cover.out
+	go test $(GO_TEST_ARGS) ./... -coverprofile cover.out
 
 test-api:	## Run api tests
 	cd api; go test $(GO_TEST_ARGS) ./... -coverprofile cover.out
@@ -120,7 +104,7 @@ manager: generate fmt vet	## Build manager binary
 	go build -o $(BUILD_DIR)/bin/manager ./main.go
 
 run: generate fmt vet manifests	# Run against the configured Kubernetes cluster in ~/.kube/config
-	go run $(GO_STATIC_FLAGS) ./main.go --log-level=${LOG_LEVEL} --log-encoding=console
+	go run ./main.go --log-level=${LOG_LEVEL} --log-encoding=console
 
 install: manifests	## Install CRDs into a cluster
 	kustomize build config/crd | kubectl apply -f -
@@ -146,8 +130,8 @@ api-docs: gen-crd-api-reference-docs	## Generate API reference documentation
 	$(GEN_CRD_API_REFERENCE_DOCS) -api-dir=./api/v1beta2 -config=./hack/api-docs/config.json -template-dir=./hack/api-docs/template -out-file=./docs/api/v1beta2/image-automation.md
 
 tidy:	## Run go mod tidy
-	cd api; rm -f go.sum; go mod tidy -compat=1.24
-	rm -f go.sum; go mod tidy -compat=1.24
+	cd api; rm -f go.sum; go mod tidy -compat=1.25
+	rm -f go.sum; go mod tidy -compat=1.25
 
 fmt:	## Run go fmt against code
 	go fmt ./...
@@ -236,9 +220,6 @@ rm -rf $$TMP_DIR ;\
 }
 endef
 
-update-attributions:
-	./hack/update-attributions.sh
-
 verify:
 ifneq (, $(shell git status --porcelain --untracked-files=no))
 	@{ \

api/go.mod

@@ -1,33 +1,34 @@
 module github.com/fluxcd/image-automation-controller/api
 
-go 1.24.0
+go 1.25.0
 
 require (
-	github.com/fluxcd/pkg/apis/meta v1.17.0
-	github.com/fluxcd/source-controller/api v1.6.1
-	k8s.io/apimachinery v0.33.2
-	sigs.k8s.io/controller-runtime v0.21.0
+	github.com/fluxcd/pkg/apis/meta v1.20.0
+	github.com/fluxcd/source-controller/api v1.6.2
+	k8s.io/apimachinery v0.34.0
+	sigs.k8s.io/controller-runtime v0.22.0
 )
 
 require (
 	github.com/fluxcd/pkg/apis/acl v0.7.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/spf13/pflag v1.0.7 // indirect
+	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
-	sigs.k8s.io/yaml v1.5.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )