improve Makefile generate and verify targets (make them parallelizable)

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

hack/k8s-codegen.sh

@@ -18,15 +18,13 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-go=$1
-
-clientgen=$2
-deepcopygen=$3
-informergen=$4
-listergen=$5
-defaultergen=$6
-conversiongen=$7
-openapigen=$8
+clientgen=$1
+deepcopygen=$2
+informergen=$3
+listergen=$4
+defaultergen=$5
+conversiongen=$6
+openapigen=$7
 
 # If the envvar "VERIFY_ONLY" is set, we only check if everything's up to date
 # and don't actually generate anything
@@ -124,18 +122,8 @@ clean() {
   find "$path" -name "$name" -delete
 }
 
-mkcp() {
-  src="$1"
-  dst="$2"
-  mkdir -p "$(dirname "$dst")"
-  cp "$src" "$dst"
-}
-
-# Export mkcp for use in sub-shells
-export -f mkcp
-
 gen-openapi-acme() {
-  clean pkg/acme/webhook/openapi '*.go'
+  clean pkg/acme/webhook/openapi 'zz_generated.openapi.go'
   echo "+++ ${VERB} ACME openapi..." >&2
   mkdir -p hack/openapi_reports
   "$openapigen" \

klone.yaml

@@ -10,35 +10,35 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 04f424fa90aa8ca570278cf0c07b18dea607b542
+      repo_hash: ad721163bbe8d8d755d54c88a2b2475aeb7c79de
       repo_path: modules/boilerplate
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 04f424fa90aa8ca570278cf0c07b18dea607b542
+      repo_hash: ad721163bbe8d8d755d54c88a2b2475aeb7c79de
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: fa9c9274d1d852de501461b9442f7206aaf74007
+      repo_hash: ad721163bbe8d8d755d54c88a2b2475aeb7c79de
       repo_path: modules/go
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 04f424fa90aa8ca570278cf0c07b18dea607b542
+      repo_hash: ad721163bbe8d8d755d54c88a2b2475aeb7c79de
       repo_path: modules/help
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 04f424fa90aa8ca570278cf0c07b18dea607b542
+      repo_hash: ad721163bbe8d8d755d54c88a2b2475aeb7c79de
       repo_path: modules/klone
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: e9363accaaee20a995bbf8f1c9cba2ea77da8935
+      repo_hash: ad721163bbe8d8d755d54c88a2b2475aeb7c79de
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: 04f424fa90aa8ca570278cf0c07b18dea607b542
+      repo_hash: ad721163bbe8d8d755d54c88a2b2475aeb7c79de
       repo_path: modules/tools

make/02_mod.mk

@@ -36,20 +36,29 @@ include make/e2e-setup.mk
 include make/scan.mk
 include make/ko.mk
 
+.PHONY: go-workspace
+go-workspace: export GOWORK?=$(abspath go.work)
+## Create a go.work file in the repository root (or GOWORK)
+##
+## @category Development
+go-workspace: | $(NEEDS_GO)
+	@rm -f $(GOWORK)
+	$(GO) work init
+	$(GO) work use . ./cmd/acmesolver ./cmd/cainjector ./cmd/controller ./cmd/startupapicheck ./cmd/webhook ./test/integration ./test/e2e
 
 .PHONY: tidy
 ## Run "go mod tidy" on each module in this repo
 ##
 ## @category Development
-tidy:
-	go mod tidy
-	cd cmd/acmesolver && go mod tidy
-	cd cmd/cainjector && go mod tidy
-	cd cmd/controller && go mod tidy
-	cd cmd/startupapicheck && go mod tidy
-	cd cmd/webhook && go mod tidy
-	cd test/integration && go mod tidy
-	cd test/e2e && go mod tidy
+tidy: | $(NEEDS_GO)
+	$(GO) mod tidy
+	cd cmd/acmesolver && $(GO) mod tidy
+	cd cmd/cainjector && $(GO) mod tidy
+	cd cmd/controller && $(GO) mod tidy
+	cd cmd/startupapicheck && $(GO) mod tidy
+	cd cmd/webhook && $(GO) mod tidy
+	cd test/integration && $(GO) mod tidy
+	cd test/e2e && $(GO) mod tidy
 
 .PHONY: update-base-images
 update-base-images: | $(NEEDS_CRANE)

make/_shared/generate-verify/00_mod.mk

@@ -13,5 +13,6 @@
 # limitations under the License.
 
 shared_generate_targets ?=
+shared_generate_targets_dirty ?=
 shared_verify_targets ?=
 shared_verify_targets_dirty ?=

make/_shared/generate-verify/02_mod.mk

@@ -16,18 +16,24 @@
 ## Generate all generate targets.
 ## @category [shared] Generate/ Verify
 generate: $$(shared_generate_targets)
+	@echo "The following targets cannot be run simultaniously with each other or other generate scripts:"
+	$(foreach TARGET,$(shared_generate_targets_dirty), $(MAKE) $(TARGET))
 
 verify_script := $(dir $(lastword $(MAKEFILE_LIST)))/util/verify.sh
 
 # Run the supplied make target argument in a temporary workspace and diff the results.
 verify-%: FORCE
-	$(verify_script) $(MAKE) -s $*
+	+$(verify_script) $(MAKE) $*
 
 verify_generated_targets = $(shared_generate_targets:%=verify-%)
+verify_generated_targets_dirty = $(shared_generate_targets_dirty:%=verify-%)
+
+verify_targets = $(sort $(verify_generated_targets) $(shared_verify_targets))
+verify_targets_dirty = $(sort $(verify_generated_targets_dirty) $(shared_verify_targets_dirty))
 
 .PHONY: verify
 ## Verify code and generate targets.
 ## @category [shared] Generate/ Verify
-verify: $$(verify_generated_targets) $$(shared_verify_targets)
+verify: $$(verify_targets)
 	@echo "The following targets create temporary files in the current directory, that is why they have to be run last:"
-	$(MAKE) noop $(shared_verify_targets_dirty)
+	$(foreach TARGET,$(verify_targets_dirty), $(MAKE) $(TARGET))

make/_shared/generate-verify/util/verify.sh

@@ -45,6 +45,7 @@ cleanup() {
 trap "cleanup" EXIT SIGINT
 
 cp -a "${projectdir}/." "${tmp}"
+rm -rf "${tmp}/_bin" # clear all cached files
 pushd "${tmp}" >/dev/null
 
 "$@"

make/_shared/go/01_mod.mk

@@ -72,7 +72,7 @@ shared_generate_targets += generate-golangci-lint-config
 .PHONY: verify-golangci-lint
 ## Verify all Go modules using golangci-lint
 ## @category [shared] Generate/ Verify
-verify-golangci-lint: | $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch
+verify-golangci-lint: | $(NEEDS_GO) $(NEEDS_GOLANGCI-LINT) $(NEEDS_YQ) $(bin_dir)/scratch
 	@find . -name go.mod -not \( -path "./$(bin_dir)/*" -or -path "./make/_shared/*" \) -printf '%h\n' \
 		| while read d; do \
 				echo "Running '$(bin_dir)/tools/golangci-lint run --go $(VENDORED_GO_VERSION) -c $(CURDIR)/$(golangci_lint_config)' in directory '$${d}'"; \

make/_shared/tools/00_mod.mk

@@ -18,10 +18,17 @@ endif
 
 ##########################################
 
-$(bin_dir)/scratch/image $(bin_dir)/tools $(bin_dir)/downloaded $(bin_dir)/downloaded/tools:
+export DOWNLOAD_DIR ?= $(CURDIR)/$(bin_dir)/downloaded
+export GOVENDOR_DIR ?= $(CURDIR)/$(bin_dir)/go_vendor
+
+$(bin_dir)/scratch/image $(bin_dir)/tools $(DOWNLOAD_DIR)/tools:
 	@mkdir -p $@
 
 checkhash_script := $(dir $(lastword $(MAKEFILE_LIST)))/util/checkhash.sh
+lock_script := $(dir $(lastword $(MAKEFILE_LIST)))/util/lock.sh
+
+# $outfile is a variable in the lock script
+outfile := $$outfile
 
 for_each_kv = $(foreach item,$2,$(eval $(call $1,$(word 1,$(subst =, ,$(item))),$(word 2,$(subst =, ,$(item))))))
 
@@ -140,7 +147,7 @@ ADDITIONAL_TOOLS ?=
 TOOLS += $(ADDITIONAL_TOOLS)
 
 # https://go.dev/dl/
-VENDORED_GO_VERSION := 1.21.9
+VENDORED_GO_VERSION := 1.22.2
 
 # Print the go version which can be used in GH actions
 .PHONY: print-go-version
@@ -206,8 +213,8 @@ $(call UC,$1)_VERSION ?= $2
 NEEDS_$(call UC,$1) := $$(bin_dir)/tools/$1
 $(call UC,$1) := $$(CURDIR)/$$(bin_dir)/tools/$1
 
-$$(bin_dir)/tools/$1: $$(bin_dir)/scratch/$(call UC,$1)_VERSION | $$(bin_dir)/downloaded/tools/$1@$$($(call UC,$1)_VERSION)_$$(HOST_OS)_$$(HOST_ARCH) $$(bin_dir)/tools
-	cd $$(dir $$@) && $$(LN) $$(patsubst $$(bin_dir)/%,../%,$$(word 1,$$|)) $$(notdir $$@)
+$$(bin_dir)/tools/$1: $$(bin_dir)/scratch/$(call UC,$1)_VERSION | $$(DOWNLOAD_DIR)/tools/$1@$$($(call UC,$1)_VERSION)_$$(HOST_OS)_$$(HOST_ARCH) $$(bin_dir)/tools
+	@cd $$(dir $$@) && $$(LN) $$(patsubst $$(bin_dir)/%,../%,$$(word 1,$$|)) $$(notdir $$@)
 	@touch $$@ # making sure the target of the symlink is newer than *_VERSION
 endef
 
@@ -229,13 +236,14 @@ TOOLS_PATHS := $(TOOL_NAMES:%=$(bin_dir)/tools/%)
 # or when "make vendor-go" was previously run, in which case $(NEEDS_GO) is set
 # to $(bin_dir)/tools/go, since $(bin_dir)/tools/go is a prerequisite of
 # any target depending on Go when "make vendor-go" was run.
-NEEDS_GO := $(if $(findstring vendor-go,$(MAKECMDGOALS))$(shell [ -f $(bin_dir)/tools/go ] && echo yes), $(bin_dir)/tools/go,)
+export NEEDS_GO ?= $(if $(findstring vendor-go,$(MAKECMDGOALS))$(shell [ -f $(bin_dir)/tools/go ] && echo yes), $(bin_dir)/tools/go,)
 ifeq ($(NEEDS_GO),)
 GO := go
 else
 export GOROOT := $(CURDIR)/$(bin_dir)/tools/goroot
 export PATH := $(CURDIR)/$(bin_dir)/tools/goroot/bin:$(PATH)
 GO := $(CURDIR)/$(bin_dir)/tools/go
+MAKE := $(MAKE) vendor-go
 endif
 
 .PHONY: vendor-go
@@ -262,25 +270,22 @@ which-go: | $(NEEDS_GO)
 	@echo "go binary used for above version information: $(GO)"
 
 $(bin_dir)/tools/go: $(bin_dir)/scratch/VENDORED_GO_VERSION | $(bin_dir)/tools/goroot $(bin_dir)/tools
-	cd $(dir $@) && $(LN) ./goroot/bin/go $(notdir $@)
+	@cd $(dir $@) && $(LN) ./goroot/bin/go $(notdir $@)
 	@touch $@ # making sure the target of the symlink is newer than *_VERSION
 
 # The "_" in "_bin" prevents "go mod tidy" from trying to tidy the vendored goroot.
-$(bin_dir)/tools/goroot: $(bin_dir)/scratch/VENDORED_GO_VERSION | $(bin_dir)/go_vendor/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH)/goroot $(bin_dir)/tools
+$(bin_dir)/tools/goroot: $(bin_dir)/scratch/VENDORED_GO_VERSION | $(GOVENDOR_DIR)/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH)/goroot $(bin_dir)/tools
 	@rm -rf $(bin_dir)/tools/goroot
-	cd $(dir $@) && $(LN) $(patsubst $(bin_dir)/%,../%,$(word 1,$|)) $(notdir $@)
+	@cd $(dir $@) && $(LN) $(patsubst $(bin_dir)/%,../%,$(word 1,$|)) $(notdir $@)
 	@touch $@ # making sure the target of the symlink is newer than *_VERSION
 
-# Extract the tar to the _bin/go directory, this directory is not cached across CI runs.
-$(bin_dir)/go_vendor/go@$(VENDORED_GO_VERSION)_%/goroot: | $(bin_dir)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz
-	@rm -rf $@ && mkdir -p $(dir $@)
-	tar xzf $| -C $(dir $@)
-	mv $(dir $@)/go $(dir $@)/goroot
-
-# Keep the downloaded tar so it is cached across CI runs.
-.PRECIOUS: $(bin_dir)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz
-$(bin_dir)/downloaded/tools/go@$(VENDORED_GO_VERSION)_%.tar.gz: | $(bin_dir)/downloaded/tools
-	$(CURL) https://go.dev/dl/go$(VENDORED_GO_VERSION).$(subst _,-,$*).tar.gz -o $@
+# Extract the tar to the $(GOVENDOR_DIR) directory, this directory is not cached across CI runs.
+$(GOVENDOR_DIR)/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH)/goroot: | $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz
+	@source $(lock_script) $@; \
+		mkdir -p $(outfile).dir; \
+		tar xzf $| -C $(outfile).dir; \
+		mv $(outfile).dir/go $(outfile); \
+		rm -rf $(outfile).dir
 
 ###################
 # go dependencies #
@@ -340,228 +345,220 @@ go_tags_defs = go_tags_$1 += $2
 $(call for_each_kv,go_tags_defs,$(GO_TAGS))
 
 define go_dependency
-$$(bin_dir)/downloaded/tools/$1@$($(call UC,$1)_VERSION)_%: | $$(NEEDS_GO) $$(bin_dir)/downloaded/tools
-	GOWORK=off GOBIN=$$(CURDIR)/$$(dir $$@) $$(GO) install --tags "$(strip $(go_tags_$1))" $2@$($(call UC,$1)_VERSION)
-	@mv $$(CURDIR)/$$(dir $$@)/$1 $$@
+$$(DOWNLOAD_DIR)/tools/$1@$($(call UC,$1)_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $$(NEEDS_GO) $$(DOWNLOAD_DIR)/tools
+	@source $$(lock_script) $$@; \
+		mkdir -p $$(outfile).dir; \
+		GOWORK=off GOBIN=$$(outfile).dir $$(GO) install --tags "$(strip $(go_tags_$1))" $2@$($(call UC,$1)_VERSION); \
+		mv $$(outfile).dir/$1 $$(outfile); \
+		rm -rf $$(outfile).dir
 endef
 $(call for_each_kv,go_dependency,$(GO_DEPENDENCIES))
 
-########
-# Helm #
-########
+##################
+# File downloads #
+##################
+
+GO_linux_amd64_SHA256SUM=5901c52b7a78002aeff14a21f93e0f064f74ce1360fce51c6ee68cd471216a17
+GO_linux_arm64_SHA256SUM=4d169d9cf3dde1692b81c0fd9484fa28d8bc98f672d06bf9db9c75ada73c5fbc
+GO_darwin_amd64_SHA256SUM=c0599a349b8d4a1afa3a1721478bb21136ab96c0d75b5f0a0b5fdc9e3b736880
+GO_darwin_arm64_SHA256SUM=3411600bd7596c57ae29cfdb4978e5d45cafa3f428a44a526ad5a2d5ad870506
+
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz
+$(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		$(CURL) https://go.dev/dl/go$(VENDORED_GO_VERSION).$(HOST_OS)-$(HOST_ARCH).tar.gz -o $(outfile); \
+		$(checkhash_script) $(outfile) $(GO_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM)
 
 HELM_linux_amd64_SHA256SUM=f43e1c3387de24547506ab05d24e5309c0ce0b228c23bd8aa64e9ec4b8206651
 HELM_linux_arm64_SHA256SUM=b29e61674731b15f6ad3d1a3118a99d3cc2ab25a911aad1b8ac8c72d5a9d2952
 HELM_darwin_amd64_SHA256SUM=804586896496f7b3da97f56089ea00f220e075e969b6fdf6c0b7b9cdc22de120
 HELM_darwin_arm64_SHA256SUM=c2f36f3289a01c7c93ca11f84d740a170e0af1d2d0280bd523a409a62b8dfa1d
 
-$(bin_dir)/downloaded/tools/helm@$(HELM_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(CURL) https://get.helm.sh/helm-$(HELM_VERSION)-$(subst _,-,$*).tar.gz -o $@.tar.gz
-	$(checkhash_script) $@.tar.gz $(HELM_$*_SHA256SUM)
-	@# O writes the specified file to stdout
-	tar xfO $@.tar.gz $(subst _,-,$*)/helm > $@
-	chmod +x $@
-	rm -f $@.tar.gz
-
-###########
-# kubectl #
-###########
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/helm@$(HELM_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/helm@$(HELM_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		$(CURL) https://get.helm.sh/helm-$(HELM_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $(outfile).tar.gz; \
+		$(checkhash_script) $(outfile).tar.gz $(HELM_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		tar xfO $(outfile).tar.gz $(HOST_OS)-$(HOST_ARCH)/helm > $(outfile); \
+		chmod +x $(outfile); \
+		rm -f $(outfile).tar.gz
 
 KUBECTL_linux_amd64_SHA256SUM=69ab3a931e826bf7ac14d38ba7ca637d66a6fcb1ca0e3333a2cafdf15482af9f
 KUBECTL_linux_arm64_SHA256SUM=96d6dc7b2bdcd344ce58d17631c452225de5bbf59b83fd3c89c33c6298fb5d8b
 KUBECTL_darwin_amd64_SHA256SUM=c4da86e5c0fc9415db14a48d9ef1515b0b472346cbc9b7f015175b6109505d2c
 KUBECTL_darwin_arm64_SHA256SUM=c31b99d7bf0faa486a6554c5f96e36af4821a488e90176a12ba18298bc4c8fb0
 
-$(bin_dir)/downloaded/tools/kubectl@$(KUBECTL_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(CURL) https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/$(subst _,/,$*)/kubectl -o $@
-	$(checkhash_script) $@ $(KUBECTL_$*_SHA256SUM)
-	chmod +x $@
-
-########
-# kind #
-########
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/kubectl@$(KUBECTL_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/kubectl@$(KUBECTL_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		$(CURL) https://dl.k8s.io/release/$(KUBECTL_VERSION)/bin/$(HOST_OS)/$(HOST_ARCH)/kubectl -o $(outfile); \
+		$(checkhash_script) $(outfile) $(KUBECTL_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		chmod +x $(outfile)
 
 KIND_linux_amd64_SHA256SUM=513a7213d6d3332dd9ef27c24dab35e5ef10a04fa27274fe1c14d8a246493ded
 KIND_linux_arm64_SHA256SUM=639f7808443559aa30c3642d9913b1615d611a071e34f122340afeda97b8f422
 KIND_darwin_amd64_SHA256SUM=bffd8fb2006dc89fa0d1dde5ba6bf48caacb707e4df8551528f49145ebfeb7ad
 KIND_darwin_arm64_SHA256SUM=8df041a5cae55471f3b039c3c9942226eb909821af63b5677fc80904caffaabf
 
-$(bin_dir)/downloaded/tools/kind@$(KIND_VERSION)_%: | $(bin_dir)/downloaded/tools $(bin_dir)/tools
-	$(CURL) -sSfL https://github.com/kubernetes-sigs/kind/releases/download/$(KIND_VERSION)/kind-$(subst _,-,$*) -o $@
-	$(checkhash_script) $@ $(KIND_$*_SHA256SUM)
-	chmod +x $@
-
-#########
-# vault #
-#########
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/kind@$(KIND_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/kind@$(KIND_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools $(bin_dir)/tools
+	@source $(lock_script) $@; \
+		$(CURL) https://github.com/kubernetes-sigs/kind/releases/download/$(KIND_VERSION)/kind-$(HOST_OS)-$(HOST_ARCH) -o $(outfile); \
+		$(checkhash_script) $(outfile) $(KIND_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		chmod +x $(outfile)
 
 VAULT_linux_amd64_SHA256SUM=f42f550713e87cceef2f29a4e2b754491697475e3d26c0c5616314e40edd8e1b
 VAULT_linux_arm64_SHA256SUM=79aee168078eb8c0dbb31c283e1136a7575f59fe36fccbb1f1ef6a16e0b67fdb
 VAULT_darwin_amd64_SHA256SUM=a9d7c6e76d7d5c9be546e9a74860b98db6486fc0df095d8b00bc7f63fb1f6c1c
 VAULT_darwin_arm64_SHA256SUM=4bf594a231bef07fbcfbf7329c8004acb8d219ce6a7aff186e0bac7027a0ab25
 
-$(bin_dir)/downloaded/tools/vault@$(VAULT_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(CURL) https://releases.hashicorp.com/vault/$(VAULT_VERSION)/vault_$(VAULT_VERSION)_$*.zip -o $@.zip
-	$(checkhash_script) $@.zip $(VAULT_$*_SHA256SUM)
-	unzip -qq -c $@.zip > $@
-	chmod +x $@
-	rm -f $@.zip
-
-########
-# azwi #
-########
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/vault@$(VAULT_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/vault@$(VAULT_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		$(CURL) https://releases.hashicorp.com/vault/$(VAULT_VERSION)/vault_$(VAULT_VERSION)_$(HOST_OS)_$(HOST_ARCH).zip -o $(outfile).zip; \
+		$(checkhash_script) $(outfile).zip $(VAULT_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		unzip -qq -c $(outfile).zip > $(outfile); \
+		chmod +x $(outfile); \
+		rm -f $(outfile).zip
 
 AZWI_linux_amd64_SHA256SUM=d2ef0f27609b7157595fe62b13c03381a481f833c1e1b6290df560454890d337
 AZWI_linux_arm64_SHA256SUM=72e34bc96611080095e90ecce58a72e50debf846106b13976f2972bf06ae12df
 AZWI_darwin_amd64_SHA256SUM=2be5f18c0acfb213a22db5a149dd89c7d494690988cb8e8a785dd6915f7094d0
 AZWI_darwin_arm64_SHA256SUM=d0b01768102dd472c72c98bb51ae990af8779e811c9f7ab1db48ccefc9988f4c
 
-$(bin_dir)/downloaded/tools/azwi@$(AZWI_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(CURL) https://github.com/Azure/azure-workload-identity/releases/download/$(AZWI_VERSION)/azwi-$(AZWI_VERSION)-$(subst _,-,$*).tar.gz -o $@.tar.gz
-	$(checkhash_script) $@.tar.gz $(AZWI_$*_SHA256SUM)
-	@# O writes the specified file to stdout
-	tar xfO $@.tar.gz azwi > $@ && chmod 775 $@
-	rm -f $@.tar.gz
-
-############################
-# kubebuilder-tools assets #
-# kube-apiserver / etcd    #
-############################
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/azwi@$(AZWI_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/azwi@$(AZWI_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		$(CURL) https://github.com/Azure/azure-workload-identity/releases/download/$(AZWI_VERSION)/azwi-$(AZWI_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $(outfile).tar.gz; \
+		$(checkhash_script) $(outfile).tar.gz $(AZWI_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		tar xfO $(outfile).tar.gz azwi > $(outfile) && chmod 775 $(outfile); \
+		rm -f $(outfile).tar.gz
 
 KUBEBUILDER_TOOLS_linux_amd64_SHA256SUM=e9899574fb92fd4a4ca27539d15a30f313f8a482b61b46cb874a07f2ba4f9bcb
 KUBEBUILDER_TOOLS_linux_arm64_SHA256SUM=ef22e16c439b45f3e116498f7405be311bab92c3345766ab2142e86458cda92e
 KUBEBUILDER_TOOLS_darwin_amd64_SHA256SUM=e5796637cc8e40029f0def639bbe7d99193c1872555c919d2b76c32e0e34378f
 KUBEBUILDER_TOOLS_darwin_arm64_SHA256SUM=9734b90206f17a46f4dd0a7e3bb107d44aec9e79b7b135c6eb7c8a250ffd5e03
 
-$(bin_dir)/downloaded/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_%: $(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(bin_dir)/downloaded/tools
-	$(checkhash_script) $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM)
-	@# O writes the specified file to stdout
-	tar xfO $< kubebuilder/bin/etcd > $@ && chmod 775 $@
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz
+$(DOWNLOAD_DIR)/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		$(CURL) https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-$(KUBEBUILDER_ASSETS_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $(outfile); \
+		$(checkhash_script) $(outfile) $(KUBEBUILDER_TOOLS_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM)
 
-$(bin_dir)/downloaded/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_%: $(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_%.tar.gz | $(bin_dir)/downloaded/tools
-	$(checkhash_script) $< $(KUBEBUILDER_TOOLS_$*_SHA256SUM)
-	@# O writes the specified file to stdout
-	tar xfO $< kubebuilder/bin/kube-apiserver > $@ && chmod 775 $@
+$(DOWNLOAD_DIR)/tools/etcd@$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH): $(DOWNLOAD_DIR)/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		tar xfO $< kubebuilder/bin/etcd > $(outfile) && chmod 775 $(outfile)
 
-$(bin_dir)/downloaded/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(bin_dir)/downloaded/tools
-	$(CURL) https://storage.googleapis.com/kubebuilder-tools/kubebuilder-tools-$(KUBEBUILDER_ASSETS_VERSION)-$(HOST_OS)-$(HOST_ARCH).tar.gz -o $@
-
-###########
-# kyverno #
-###########
+$(DOWNLOAD_DIR)/tools/kube-apiserver@$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH): $(DOWNLOAD_DIR)/tools/kubebuilder_tools_$(KUBEBUILDER_ASSETS_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		tar xfO $< kubebuilder/bin/kube-apiserver > $(outfile) && chmod 775 $(outfile)
 
 KYVERNO_linux_amd64_SHA256SUM=08cf3640b847e3bbd41c5014ece4e0aa6c39915f5c199eeac8d80267955676e6
 KYVERNO_linux_arm64_SHA256SUM=31805a52e98733b390c60636f209e0bda3174bd09e764ba41fa971126b98d2fc
 KYVERNO_darwin_amd64_SHA256SUM=21fa0733d1a73d510fa0e30ac10310153b7124381aa21224b54fe34a38239542
 KYVERNO_darwin_arm64_SHA256SUM=022bc2640f05482cab290ca8cd28a67f55b24c14b93076bd144c37a1732e6d7e
 
-$(bin_dir)/downloaded/tools/kyverno@$(KYVERNO_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(CURL) https://github.com/kyverno/kyverno/releases/download/$(KYVERNO_VERSION)/kyverno-cli_$(KYVERNO_VERSION)_$(subst amd64,x86_64,$*).tar.gz	-fsSL -o $@.tar.gz
-	$(checkhash_script) $@.tar.gz $(KYVERNO_$*_SHA256SUM)
-	@# O writes the specified file to stdout
-	tar xfO $@.tar.gz kyverno > $@
-	chmod +x $@
-	rm -f $@.tar.gz
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/kyverno@$(KYVERNO_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/kyverno@$(KYVERNO_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	$(eval ARCH := $(subst amd64,x86_64,$(HOST_ARCH)))
 
-######
-# yq #
-######
+	@source $(lock_script) $@; \
+		$(CURL) https://github.com/kyverno/kyverno/releases/download/$(KYVERNO_VERSION)/kyverno-cli_$(KYVERNO_VERSION)_$(HOST_OS)_$(ARCH).tar.gz -o $(outfile).tar.gz; \
+		$(checkhash_script) $(outfile).tar.gz $(KYVERNO_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		tar xfO $(outfile).tar.gz kyverno > $(outfile); \
+		chmod +x $(outfile); \
+		rm -f $(outfile).tar.gz
 
 YQ_linux_amd64_SHA256SUM=cfbbb9ba72c9402ef4ab9d8f843439693dfb380927921740e51706d90869c7e1
 YQ_linux_arm64_SHA256SUM=a8186efb079673293289f8c31ee252b0d533c7bb8b1ada6a778ddd5ec0f325b6
 YQ_darwin_amd64_SHA256SUM=fdc42b132ac460037f4f0f48caea82138772c651d91cfbb735210075ddfdbaed
 YQ_darwin_arm64_SHA256SUM=9f1063d910698834cb9176593aa288471898031929138d226c2c2de9f262f8e5
 
-$(bin_dir)/downloaded/tools/yq@$(YQ_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(CURL) https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$* -o $@
-	$(checkhash_script) $@ $(YQ_$*_SHA256SUM)
-	chmod +x $@
-
-######
-# ko #
-######
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/yq@$(YQ_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/yq@$(YQ_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		$(CURL) https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$(HOST_OS)_$(HOST_ARCH) -o $(outfile); \
+		$(checkhash_script) $(outfile) $(YQ_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		chmod +x $(outfile)
 
 KO_linux_amd64_SHA256SUM=5b06079590371954cceadf0ddcfa8471afb039c29a2e971043915957366a2f39
 KO_linux_arm64_SHA256SUM=fcbb736f7440d686ca1cf8b4c3f6b9b80948eb17d6cef7c14242eddd275cab42
 KO_darwin_amd64_SHA256SUM=4f388a4b08bde612a20d799045a57a9b8847483baf1a1590d3c32735e7c30c16
 KO_darwin_arm64_SHA256SUM=45f2c1a50fdadb7ef38abbb479897d735c95238ec25c4f505177d77d60ed91d6
 
-$(bin_dir)/downloaded/tools/ko@$(KO_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(CURL) https://github.com/ko-build/ko/releases/download/v$(KO_VERSION)/ko_$(KO_VERSION)_$(subst linux,Linux,$(subst darwin,Darwin,$(subst amd64,x86_64,$*))).tar.gz -o $@.tar.gz
-	$(checkhash_script) $@.tar.gz $(KO_$*_SHA256SUM)
-	tar xfO $@.tar.gz ko > $@
-	chmod +x $@
-	rm -f $@.tar.gz
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/ko@$(KO_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/ko@$(KO_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	$(eval OS := $(subst linux,Linux,$(subst darwin,Darwin,$(HOST_OS))))
+	$(eval ARCH := $(subst amd64,x86_64,$(HOST_ARCH)))
 
-##########
-# protoc #
-##########
+	@source $(lock_script) $@; \
+		$(CURL) https://github.com/ko-build/ko/releases/download/v$(KO_VERSION)/ko_$(KO_VERSION)_$(OS)_$(ARCH).tar.gz -o $(outfile).tar.gz; \
+		$(checkhash_script) $(outfile).tar.gz $(KO_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		tar xfO $(outfile).tar.gz ko > $(outfile); \
+		chmod +x $(outfile); \
+		rm -f $(outfile).tar.gz
 
 PROTOC_linux_amd64_SHA256SUM=78ab9c3288919bdaa6cfcec6127a04813cf8a0ce406afa625e48e816abee2878
 PROTOC_linux_arm64_SHA256SUM=07683afc764e4efa3fa969d5f049fbc2bdfc6b4e7786a0b233413ac0d8753f6b
 PROTOC_darwin_amd64_SHA256SUM=5fe89993769616beff1ed77408d1335216379ce7010eee80284a01f9c87c8888
 PROTOC_darwin_arm64_SHA256SUM=8822b090c396800c96ac652040917eb3fbc5e542538861aad7c63b8457934b20
 
-$(bin_dir)/downloaded/tools/protoc@$(PROTOC_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(CURL) https://github.com/protocolbuffers/protobuf/releases/download/v$(PROTOC_VERSION)/protoc-$(PROTOC_VERSION)-$(subst darwin,osx,$(subst arm64,aarch_64,$(subst amd64,x86_64,$(subst _,-,$*)))).zip -o $@.zip
-	$(checkhash_script) $@.zip $(PROTOC_$*_SHA256SUM)
-	unzip -qq -c $@.zip bin/protoc > $@
-	chmod +x $@
-	rm -f $@.zip
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/protoc@$(PROTOC_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/protoc@$(PROTOC_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	$(eval OS := $(subst darwin,osx,$(HOST_OS)))
+	$(eval ARCH := $(subst arm64,aarch_64,$(subst amd64,x86_64,$(HOST_ARCH))))
 
-#########
-# trivy #
-#########
+	@source $(lock_script) $@; \
+		$(CURL) https://github.com/protocolbuffers/protobuf/releases/download/v$(PROTOC_VERSION)/protoc-$(PROTOC_VERSION)-$(OS)-$(ARCH).zip -o $(outfile).zip; \
+		$(checkhash_script) $(outfile).zip $(PROTOC_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		unzip -qq -c $(outfile).zip bin/protoc > $(outfile); \
+		chmod +x $(outfile); \
+		rm -f $(outfile).zip
 
 TRIVY_linux_amd64_SHA256SUM=b9785455f711e3116c0a97b01ad6be334895143ed680a405e88a4c4c19830d5d
 TRIVY_linux_arm64_SHA256SUM=a192edfcef8766fa7e3e96a6a5faf50cd861371785891857471548e4af7cb60b
 TRIVY_darwin_amd64_SHA256SUM=997622dee1d07de0764f903b72d16ec4314daaf202d91c957137b4fd1a2f73c3
 TRIVY_darwin_arm64_SHA256SUM=68aa451f395fa5418f5af59ce4081ef71075c857b95a297dc61da49c6a229a45
 
-$(bin_dir)/downloaded/tools/trivy@$(TRIVY_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(eval OS_AND_ARCH := $(subst darwin,macOS,$*))
-	$(eval OS_AND_ARCH := $(subst linux,Linux,$(OS_AND_ARCH)))
-	$(eval OS_AND_ARCH := $(subst arm64,ARM64,$(OS_AND_ARCH)))
-	$(eval OS_AND_ARCH := $(subst amd64,64bit,$(OS_AND_ARCH)))
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/trivy@$(TRIVY_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/trivy@$(TRIVY_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	$(eval OS := $(subst linux,Linux,$(subst darwin,macOS,$(HOST_OS))))
+	$(eval ARCH := $(subst amd64,64bit,$(subst arm64,ARM64,$(HOST_ARCH))))
 
-	$(CURL) https://github.com/aquasecurity/trivy/releases/download/$(TRIVY_VERSION)/trivy_$(patsubst v%,%,$(TRIVY_VERSION))_$(subst _,-,$(OS_AND_ARCH)).tar.gz -o $@.tar.gz
-	$(checkhash_script) $@.tar.gz $(TRIVY_$*_SHA256SUM)
-	tar xfO $@.tar.gz trivy > $@
-	chmod +x $@
-	rm $@.tar.gz
-
-#######
-# ytt #
-#######
+	@source $(lock_script) $@; \
+		$(CURL) https://github.com/aquasecurity/trivy/releases/download/$(TRIVY_VERSION)/trivy_$(patsubst v%,%,$(TRIVY_VERSION))_$(OS)-$(ARCH).tar.gz -o $(outfile).tar.gz; \
+		$(checkhash_script) $(outfile).tar.gz $(TRIVY_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		tar xfO $(outfile).tar.gz trivy > $(outfile); \
+		chmod +x $(outfile); \
+		rm $(outfile).tar.gz
 
 YTT_linux_amd64_SHA256SUM=9bf62175c7cc0b54f9731a5b87ee40250f0457b1fce1b0b36019c2f8d96db8f8
 YTT_linux_arm64_SHA256SUM=cbfc85f11ffd8e61d63accf799b8997caaebe46ee046290cc1c4d05ed1ab145b
 YTT_darwin_amd64_SHA256SUM=2b6d173dec1b6087e22690386474786fd9a2232c4479d8975cc98ae8160eea76
 YTT_darwin_arm64_SHA256SUM=3e6f092bfe7a121d15126a0de6503797818c6b6745fbc97213f519d35fab08f9
 
-$(bin_dir)/downloaded/tools/ytt@$(YTT_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(CURL) -sSfL https://github.com/vmware-tanzu/carvel-ytt/releases/download/$(YTT_VERSION)/ytt-$(subst _,-,$*) -o $@
-	$(checkhash_script) $@ $(YTT_$*_SHA256SUM)
-	chmod +x $@
-
-##########
-# rclone #
-##########
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/ytt@$(YTT_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/ytt@$(YTT_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	@source $(lock_script) $@; \
+		$(CURL) -sSfL https://github.com/vmware-tanzu/carvel-ytt/releases/download/$(YTT_VERSION)/ytt-$(HOST_OS)-$(HOST_ARCH) -o $(outfile); \
+		$(checkhash_script) $(outfile) $(YTT_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		chmod +x $(outfile)
 
 RCLONE_linux_amd64_SHA256SUM=7ebdb680e615f690bd52c661487379f9df8de648ecf38743e49fe12c6ace6dc7
 RCLONE_linux_arm64_SHA256SUM=b5a6cb3aef4fd1a2165fb8c21b1b1705f3cb754a202adc81931b47cd39c64749
 RCLONE_darwin_amd64_SHA256SUM=9ef83833296876f3182b87030b4f2e851b56621bad4ca4d7a14753553bb8b640
 RCLONE_darwin_arm64_SHA256SUM=9183f495b28acb12c872175c6af1f6ba8ca677650cb9d2774caefea273294c8a
 
-$(bin_dir)/downloaded/tools/rclone@$(RCLONE_VERSION)_%: | $(bin_dir)/downloaded/tools
-	$(eval OS_AND_ARCH := $(subst darwin,osx,$*))
-	$(CURL) https://github.com/rclone/rclone/releases/download/$(RCLONE_VERSION)/rclone-$(RCLONE_VERSION)-$(subst _,-,$(OS_AND_ARCH)).zip -o $@.zip
-	$(checkhash_script) $@.zip $(RCLONE_$*_SHA256SUM)
-	@# -p writes to stdout, the second file arg specifies the sole file we
-	@# want to extract
-	unzip -p $@.zip rclone-$(RCLONE_VERSION)-$(subst _,-,$(OS_AND_ARCH))/rclone > $@
-	chmod +x $@
-	rm -f $@.zip
+.PRECIOUS: $(DOWNLOAD_DIR)/tools/rclone@$(RCLONE_VERSION)_$(HOST_OS)_$(HOST_ARCH)
+$(DOWNLOAD_DIR)/tools/rclone@$(RCLONE_VERSION)_$(HOST_OS)_$(HOST_ARCH): | $(DOWNLOAD_DIR)/tools
+	$(eval OS := $(subst darwin,osx,$(HOST_OS)))
+
+	@source $(lock_script) $@; \
+		$(CURL) https://github.com/rclone/rclone/releases/download/$(RCLONE_VERSION)/rclone-$(RCLONE_VERSION)-$(OS)-$(HOST_ARCH).zip -o $(outfile).zip; \
+		$(checkhash_script) $(outfile).zip $(RCLONE_$(HOST_OS)_$(HOST_ARCH)_SHA256SUM); \
+		unzip -p $(outfile).zip rclone-$(RCLONE_VERSION)-$(OS)-$(HOST_ARCH)/rclone > $(outfile); \
+		chmod +x $(outfile); \
+		rm -f $(outfile).zip
 
 #################
 # Other Targets #
@@ -606,6 +603,11 @@ tools-learn-sha: | $(bin_dir)
 	HOST_OS=linux HOST_ARCH=arm64 $(MAKE) tools
 	HOST_OS=darwin HOST_ARCH=amd64 $(MAKE) tools
 	HOST_OS=darwin HOST_ARCH=arm64 $(MAKE) tools
+	
+	HOST_OS=linux HOST_ARCH=amd64 $(MAKE) vendor-go
+	HOST_OS=linux HOST_ARCH=arm64 $(MAKE) vendor-go
+	HOST_OS=darwin HOST_ARCH=amd64 $(MAKE) vendor-go
+	HOST_OS=darwin HOST_ARCH=arm64 $(MAKE) vendor-go
 
 	while read p; do \
 		sed -i "$$p" $(self_file); \

make/_shared/tools/util/lock.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eu -o pipefail
+
+# This script is used to lock a file while it is being downloaded. It prevents
+# multiple processes from downloading the same file at the same time or from reading
+# a half-downloaded file.
+# We need this solution because we have recursive $(MAKE) calls in our makefile
+# which each will try to download a set of tools. To prevent them from all downloading
+# the same files, we re-use the same downloads folder for all $(MAKE) invocations and
+# use this script to deduplicate the download processes.
+
+finalfile="$1"
+lockfile="$finalfile.lock"
+# Timeout in seconds.
+timeout=60
+
+# On OSX, flock is not installed, we just skip locking in that case,
+# this means that running verify in parallel without downloading all
+# tools first will not work.
+flock_installed=$(command -v flock >/dev/null && echo "yes" || echo "no")
+
+if [[ "$flock_installed" == "yes" ]]; then
+  mkdir -p "$(dirname "$lockfile")"
+  touch "$lockfile"
+  exec {FD}<>"$lockfile"
+
+  # wait for the file to be unlocked
+  if ! flock -x -w $timeout $FD; then
+    echo "Failed to obtain a lock for $lockfile within $timeout seconds"
+    exit 1
+  fi
+fi
+
+# now that we have the lock, check if file is already there
+if [[ -e "$finalfile" ]]; then
+  exit 0
+fi
+
+# use a temporary file to prevent Make from thinking the file is ready
+# while in reality is is only a partial download
+# shellcheck disable=SC2034
+outfile="$finalfile.tmp"
+
+finish() {
+  rv=$?
+  if [[ $rv -eq 0 ]]; then
+    mv "$outfile" "$finalfile"
+    echo "[info]: downloaded $finalfile"
+  else
+    rm -rf "$outfile" || true
+    rm -rf "$finalfile" || true
+  fi
+  rm -rf "$lockfile" || true
+  exit $rv
+}
+trap finish EXIT

make/ci.mk

@@ -44,10 +44,11 @@ generate-crds: | $(NEEDS_CONTROLLER-GEN)
 
 shared_generate_targets += generate-crds
 
-.PHONY: verify-codegen
-verify-codegen: | $(NEEDS_GO) $(NEEDS_CLIENT-GEN) $(NEEDS_DEEPCOPY-GEN) $(NEEDS_INFORMER-GEN) $(NEEDS_LISTER-GEN) $(NEEDS_DEFAULTER-GEN) $(NEEDS_CONVERSION-GEN) $(NEEDS_OPENAPI-GEN)
+# Overwrite the verify-generate-codegen target with this
+# optimised target.
+.PHONY: verify-generate-codegen
+verify-generate-codegen: | $(NEEDS_CLIENT-GEN) $(NEEDS_DEEPCOPY-GEN) $(NEEDS_INFORMER-GEN) $(NEEDS_LISTER-GEN) $(NEEDS_DEFAULTER-GEN) $(NEEDS_CONVERSION-GEN) $(NEEDS_OPENAPI-GEN)
 	VERIFY_ONLY="true" ./hack/k8s-codegen.sh \
-		$(GO) \
 		$(CLIENT-GEN) \
 		$(DEEPCOPY-GEN) \
 		$(INFORMER-GEN) \
@@ -56,12 +57,11 @@ verify-codegen: | $(NEEDS_GO) $(NEEDS_CLIENT-GEN) $(NEEDS_DEEPCOPY-GEN) $(NEEDS_
 		$(CONVERSION-GEN) \
 		$(OPENAPI-GEN)
 
-shared_verify_targets += verify-codegen
+shared_verify_targets += verify-generate-codegen
 
 .PHONY: generate-codegen
-generate-codegen: | $(NEEDS_GO) $(NEEDS_CLIENT-GEN) $(NEEDS_DEEPCOPY-GEN) $(NEEDS_INFORMER-GEN) $(NEEDS_LISTER-GEN) $(NEEDS_DEFAULTER-GEN) $(NEEDS_CONVERSION-GEN) $(NEEDS_OPENAPI-GEN)
+generate-codegen: | $(NEEDS_CLIENT-GEN) $(NEEDS_DEEPCOPY-GEN) $(NEEDS_INFORMER-GEN) $(NEEDS_LISTER-GEN) $(NEEDS_DEFAULTER-GEN) $(NEEDS_CONVERSION-GEN) $(NEEDS_OPENAPI-GEN)
 	./hack/k8s-codegen.sh \
-		$(GO) \
 		$(CLIENT-GEN) \
 		$(DEEPCOPY-GEN) \
 		$(INFORMER-GEN) \
@@ -70,7 +70,7 @@ generate-codegen: | $(NEEDS_GO) $(NEEDS_CLIENT-GEN) $(NEEDS_DEEPCOPY-GEN) $(NEED
 		$(CONVERSION-GEN) \
 		$(OPENAPI-GEN)
 
-shared_generate_targets += generate-codegen
+shared_generate_targets_dirty += generate-codegen
 
 .PHONY: generate-helm-docs
 generate-helm-docs: deploy/charts/cert-manager/README.template.md deploy/charts/cert-manager/values.yaml | $(NEEDS_HELM-TOOL)
@@ -87,8 +87,7 @@ shared_generate_targets += generate-helm-docs
 ## request or change is merged.
 ##
 ## @category CI
-ci-presubmit: $(NEEDS_GO)
-	$(MAKE) -j1 verify
+ci-presubmit: verify
 
 .PHONY: generate-all
 ## Update CRDs, code generation and licenses to the latest versions.

make/util.mk

@@ -32,13 +32,3 @@ print-sources:
 .PHONY: print-source-dirs
 print-source-dirs:
 	@echo $(SOURCE_DIRS)
-
-.PHONY: go-workspace
-go-workspace: export GOWORK?=$(abspath go.work)
-## Create a go.work file in the repository root (or GOWORK)
-##
-## @category Development
-go-workspace:
-	@rm -f $(GOWORK)
-	go work init
-	go work use . ./cmd/acmesolver ./cmd/cainjector ./cmd/controller ./cmd/startupapicheck ./cmd/webhook ./test/integration ./test/e2e