chore: updated go-to-protobuf

[isubasinghe]

Fixes #13620

Motivation

The k8s.io code gen tool needs to be updated.

Modifications

• Wrote a small tool to support exporting and vendoring in our proto files.
• We run most tools with -mod=mod but unfortunately go-to-protobuf is still reliant upon mutating the vendor folder, so we also perform some resetting of the vendor directory.

Verification

All make targets work as expected.

Documentation

Summary by CodeRabbit

• Chores
  • Enhanced protocol buffer dependency management with new build tooling configuration.
  • Improved build system infrastructure for better module and dependency handling.
  • Updated internal dependency declarations for consistent module path references.

[isubasinghe]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR implements a new proto dependency management system using Buf. It introduces argo-proto.yaml for declaring proto dependencies, a proto-export tool to manage and export those dependencies, updates Makefile to support proto_vendor targeting, and rewires protocol buffer type references to use absolute package paths for Kubernetes API compatibility.

Changes

Cohort / File(s)	Summary
Build Configuration .gitignore, go.mod, Makefile, hack/manifests/crdgen.sh	Added ignore patterns for proto vendors; changed gopkg.in/yaml.v3 to direct dependency; substantially refactored Makefile to introduce TOOL_BUF, proto_vendor target, updated protoc rules to use proto_vendor, updated go-to-protobuf to v0.33.1, and enforced GOFLAGS=-mod=mod across build tools; applied GOFLAGS=-mod=mod to crdgen script.
Proto Dependency Configuration argo-proto.yaml	New Buf manifest declaring versioned proto dependencies (gogo/protobuf, Kubernetes API bundles, googleapis, argo-events, protobufs well-known types) with specific refs for each dependency group.
Proto Export Tool hack/proto-export/config.go, hack/proto-export/main.go, hack/proto-export/vendor.go	New tool suite for exporting proto dependencies: config.go defines ArgoProto, DependencyConfig, BufConfig, BundleConfig types; main.go implements bundling and exporting passes with git-based dependency cloning and buf export orchestration; vendor.go provides package declaration.
Protocol Buffer Definitions pkg/apis/workflow/v1alpha1/generated.proto	Updated go_package option to absolute path (github.com/argoproj/argo-workflows/v3/...); rewired all Kubernetes API proto type references from unqualified form (e.g., k8s.io.api.core.v1.SecretKeySelector) to dot-prefixed form (.k8s.io.api.core.v1.SecretKeySelector) across numerous message definitions including Workflow, WorkflowSpec, WorkflowStatus, Template, and related types.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Suggested labels

area/contributing

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: updated go-to-protobuf' directly reflects the main objective of updating the go-to-protobuf tool to resolve issue #13620.
Description check	✅ Passed	The PR description follows the template structure with all required sections: Motivation (k8s.io codegen tool update), Modifications (vendoring tool, mod flags), Verification (make targets work), and issue reference (Fixes #13620).
Linked Issues check	✅ Passed	The changes comprehensively address issue #13620 objectives: updated go-to-protobuf workflow, introduced proto-vendor management to prevent permission denied errors, and adjusted module handling with -mod=mod flags.
Out of Scope Changes check	✅ Passed	All changes directly support the go-to-protobuf update and proto vendoring objectives. The .gitignore, go.mod, and generated.proto changes are necessary supporting modifications for the tool update.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: unknown linters: 'modernize', run 'golangci-lint help linters' to see the list of supported linters
The command is terminated due to an error: unknown linters: 'modernize', run 'golangci-lint help linters' to see the list of supported linters

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@hack/proto-export/main.go`:
- Around line 47-107: The function bundleDependencies has mixed tabs/spaces and
inconsistent indentation making it hard to read; run gofmt (or an equivalent
formatter) and normalize indentation so each nesting level uses a single tab (or
gofmt default) across the function, including blocks that create
vendorDir/moduleDir, write buf.yaml (bufConfigFile), iterate dep.Bundle and the
git steps slice (steps) and loop; ensure the for _, args := range steps loop and
the nested exec.Command handling match the surrounding indentation and remove
any stray extra spaces/tabs so the whole function compiles with gofmt
formatting.
- Around line 109-223: The exportDependencies function has excessive blank lines
and inconsistent indentation making control flow hard to read; run gofmt and
remove unnecessary blank lines and align blocks (particularly around the if
dep.Buf != nil / else if len(dep.Bundle) > 0 branches, the target/source
assignments, the os.MkdirAll error handling, and the cmd := exec.Command(...) +
cmd.Stdout/Stderr blocks) so indentation is consistent and each logical
statement group is compact; ensure braces and nested blocks for
exportDependencies, dep.Buf, dep.Bundle, os.MkdirAll(target,...), and cmd.Run()
are properly indented and no superfluous empty lines remain.

In `@Makefile`:
- Around line 185-190: The proto_vendor Makefile target (proto_vendor) runs "go
run hack/proto-export/*.go" without forcing module mode; prefix that invocation
with GOFLAGS=-mod=mod (same pattern used elsewhere) so the command becomes
GOFLAGS=-mod=mod go run hack/proto-export/*.go to avoid picking up a vendor-mode
GOPATH/vendor or stale vendor dir and ensure dependencies like gopkg.in/yaml.v3
resolve correctly; update the proto_vendor target where TOOL_BUF and the touch
proto_vendor line appear.

🧹 Nitpick comments (8)

.gitignore (1)

57-59: Consider adding a brief comment above these entries for future maintainers.

The relationship between these patterns and the hack/proto-export tool isn't obvious at a glance:

• .*-vendor catches bundle vendor dirs like .k8s.io-vendor
• .github.com catches the nested .github.com/…-vendor trees created when dependency keys contain github.com/…
• proto_vendor is the export output directory

This is fine functionally, but note that if a new dependency is added with a different domain prefix (e.g., gitlab.com/…), a new gitignore entry would be needed.

hack/proto-export/vendor.go (1)

1-1: Empty file — remove or populate.

This file contains only package main with no declarations, imports, or build tags. Both main.go and config.go already declare the same package, so this file is redundant. If vendor-related logic was planned, consider adding a TODO; otherwise, remove it to avoid confusion.

argo-proto.yaml (2)

22-22: Consider adding a comment for the opaque buf ref.

The googleapis ref 004180b77378443887d3b55cabc00384 is a BSR commit hash, which is harder to audit or update compared to semantic version tags. A comment documenting what this corresponds to (e.g., a date or upstream version) would help future maintainers.

---

25-25: The empty-string bundle key "" is functional but non-obvious.

This causes the repo to be cloned directly into the module directory itself (since filepath.Join(moduleDir, "") returns moduleDir). A brief inline comment explaining this convention would improve readability.

hack/proto-export/main.go (3)

89-103: Consider cleaning up .git directories after checkout.

The shallow-clone sequence leaves a .git directory inside each bundle target. While these directories are gitignored, they consume unnecessary disk space and could confuse tools that walk the directory tree. Adding rm -rf .git as a final step (or os.RemoveAll(filepath.Join(targetDir, ".git"))) after checkout would keep the vendor directories lean.

Proposed fix

 			for _, args := range steps {
 				cmd := exec.Command(args[0], args[1:]...)
 				cmd.Dir = targetDir
 				if output, err := cmd.CombinedOutput(); err != nil {
 					return fmt.Errorf("git command %v failed in %s: %s: %w", args, targetDir, string(output), err)
 				}
 			}
+			// Remove .git directory to save space in vendored output
+			if err := os.RemoveAll(filepath.Join(targetDir, ".git")); err != nil {
+				return fmt.Errorf("failed to remove .git in %s: %w", targetDir, err)
+			}
 		}

---

131-141: Simplify the sub-path detection logic.

The dual-branch separator check is unnecessarily complex. Since the YAML config always uses forward slashes and filepath.Base works correctly on forward-slash paths even on Windows, this can be simplified:

Proposed simplification

-		if filepath.Separator == '/' && (filepath.Base(key) != key) {
-			target = filepath.Join(outDir, key)
-		} else if filepath.Separator != '/' && (filepath.ToSlash(key) != key) {
-			// Handle windows if necessary, though key is usually forward-slash
-			target = filepath.Join(outDir, key)
-		}
+		if strings.Contains(key, "/") {
+			target = filepath.Join(outDir, key)
+		}

This would require adding "strings" to the imports.

---

18-18: Hardcoded config path "argo-proto.yaml" assumes the tool is always run from the repo root.

This is fine given the Makefile always invokes it from the root (go run hack/proto-export/*.go), but consider accepting the config path as a flag for flexibility, or at minimum add a comment documenting this assumption.

Makefile (1)

241-258: Symlink creation should be idempotent — verify github.com/argoproj doesn't collide with repo content.

Lines 245–247 create github.com/argoproj/argo-workflows symlink and a v3 symlink. Line 257 cleans them up. This is fine for the protoc define, but note that the same pattern is also used in the generated.proto target (Lines 478–480) and the openapi_generated.go target (Line 756). If these targets run concurrently (e.g., via make -j), the shared symlinks could cause races.

Given that these targets have sequential dependencies in practice, this is likely safe — but worth being aware of.