Add presubmit jobs tests and linting for sig-security tool srctl

[Daniel-Giszpenc]

Issue: tooling: run tests and linters with prow for srctl #175

Assignment details: In the recent sig-security tooling meeting it was decided this issue was being re-assigned so it would get done and I would take this issue on if bleon-ethical did not express interest to pick it back up by today. I am a little early but if Benjamin comes on help would certainly be appreciated. Closing this PR should close PR #36409, PR #36431, and the above issue.

Work Done:

• created two presubmit jobs for when sig-security/sig-security-tooling/srctl dir is changed
• the official golang docker image mirrored on the aws public ecr registry was used
• the golang image was sha pinned to version 1.25
• golangci-lint was setup from source using go install

Special Note: The ecr golang image was used instead of the e2e kubekins image because that image is way oversized for the tasks here of running a few small golang unit tests and running a linting tool and the ecr doesn't impose the rate limiting problems that docker hub does on the kubernetes project. Oversized images mean more code surface for vulnerabilities as well as more resources to both fetch and use the image. The long term concern with this requiring manual image updating currently as the generic image auto-bumper won't work with this though a tool can be developed for this purpose and the manual work is very minimal.

Work Not Done:

• I have not test up a local prow testing environment yet so while I am confident the yaml is valid and the jobs seem to match up with existing jobs, until I do that I can't be 100% confident in the jobs.

I am leaving this a draft right now considering the lack of a testing run yet but the jobs should be good I think and review would be appreciated.

/assign

[k8s-ci-robot]

Welcome @Daniel-Giszpenc!

It looks like this is your first PR to kubernetes/test-infra 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/test-infra has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Daniel-Giszpenc
Once this PR has been reviewed and has the lgtm label, please assign tabbysable for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• config/jobs/kubernetes/sig-security/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @Daniel-Giszpenc. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mtardy]

maybe would be cool to have an image that already includes golangci-lint?

[Daniel-Giszpenc]

I could try figuring out where Kubernetes keeps their images and try that, it would fit well. I'll ask what the test-infra slack thinks.

[BenTheElder]

I would strongly encourage moving this into the sig security repo and generally putting test target definitions and verisons there, as breifly discussed in the slack thread

This makes it easier for contributors to reproduce, and makes it safe to iterate on the options and versions (because the PR that changes them will run the tests before merge)

[mtardy]

I've seen your comment

Special Note: The ecr golang image was used instead of the e2e kubekins image because that image is way oversized for the tasks here of running a few small golang unit tests and running a linting tool and the ecr doesn't impose the rate limiting problems that docker hub does on the kubernetes project. Oversized images mean more code surface for vulnerabilities as well as more resources to both fetch and use the image. The long term concern with this requiring manual image updating currently as the generic image auto-bumper won't work with this though a tool can be developed for this purpose and the manual work is very minimal.

Tbh I'll use whatever is maintained by sig test-infra and they think is a good image. Maybe it would be interesting to ask them what they think is a good image for our use case?

[Daniel-Giszpenc]

They told me the image I chose was fine.
https://kubernetes.slack.com/archives/C09QZ4DQB/p1776265122708969

On the flip side I do need to do some work on the golangci-lint side because the version for that that gets used should be decided in the source directory of srctl, not here in test-infra so I need to update that which means a PR over there combined with this PR being updated to take advantage of that.