Open-Source Wikis

/

Vault

/

How to contribute

/

Tooling

hashicorp/vault

Tooling

Vault relies on a layered tool stack: Make for orchestration, golangci-lint for static analysis, copywrite for license headers, code generators for protobuf and enums, and the tools/ workspace for everything that doesn't fit cleanly elsewhere.

Build orchestration

Makefile (and make.bat for Windows) is the only build entrypoint that's safe to use. Inside it:

  • make devscripts/build.shgo build with sane flags.
  • make static-dist dev-ui → builds ui/, copies the dist into http/web_ui/, then builds the binary with the UI embedded.
  • make bin → release-style build (no dev flags).
  • make release → invoked by the CI release workflow.

Variables you can override: GOOS, GOARCH, CGO_ENABLED, BUILD_TAGS, TEST (test path), TESTARGS (test args), VAULT_BINARY (for cluster tests).

Lint and format

  • make fmt runs gofmt -s -w and goimports -w over the tree.
  • make fmtcheck runs the same checks read-only and fails on diffs.
  • make lint invokes golangci-lint run, configured by .golangci.yml.
  • make proto-lint runs buf lint against the .proto files declared in buf.yaml.

The Go lint config enables errcheck, goimports, gofmt, gocyclo, and a small allowlist of project-specific checks. enos-lint.yml and actionlint.yml cover Enos files and GitHub Actions respectively.

Code generators

What How Where
Protobufs make proto (uses buf + protoc-gen-go) vault/*.proto, sdk/logical/*.proto, physical/raft/*.proto, …
Enum stringers go generate ./... *_enumer.go files (around 10 of them)
OpenAPI spec vault openapi (runtime command) sdk/framework/openapi.go builds this from the framework backends
UI dist make ember-disthttp/web_ui/ UI bundle embedded into binary
Copywrite headers copywrite headers governed by .copywrite.hcl

tools/

The tools/ directory is a Go module containing the build-time tools that Vault pins via go install. make bootstrap installs them. Notable members:

  • tools/codechecker/ — internal lint plugin used by golangci-lint.
  • tools/dep-overrides/ — generates DEP_OVERRIDE_REPORT.md describing replace directives.
  • tools/copywrite/ — wrapper around the upstream tool.

If you need a new build tool, add it to tools/tools.go so go install picks it up reproducibly.

CI workflows

The 33 GitHub Actions workflows under .github/workflows/ cover everything from PR linting to nightly Enos scenarios. The most important ones for contributors:

Workflow Trigger Purpose
ci.yml PR Top-level orchestrator that calls everything below.
test-go.yml PR Sharded Go unit tests.
test-ui.yml PR Ember tests, lint, prettier.
code-checker.yml PR gofmt, license headers, file-name policies.
oss.yml PR Verifies no Enterprise files are accidentally committed to OSS.
changelog-checker.yml PR Validates changelog/<PR>.txt.
build.yml merge to main and tag Cross-platform build artifacts.
enos-release-testing-oss.yml release End-to-end Enos scenarios.

Some workflows are auto-merged via add-hashicorp-contributed-label.yml and the dependency-update bot.

Local pre-commit

.hooks/pre-commit (installed via git config core.hooksPath .hooks) runs:

  • gofmt
  • goimports
  • copywrite headers --plan (warning-only)

It is intentionally fast; the heavy lifting is left to CI.

OpenAPI generation

vault read sys/internal/specs/openapi returns the generated OpenAPI 3 spec. The same logic is used by the auto-completion in the CLI (command/base_predict.go). Code is in sdk/framework/openapi.go (46k lines) — much of it is reflective handling of framework.Path definitions.

Security tooling

scan.hcl configures HashiCorp's security-scanner (a wrapper around gosec, govulncheck, and others) used by .github/workflows/security-scan.yml. The mend-pr-scan.yml workflow runs the Mend (formerly Whitesource) license/dependency scan.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Tooling – Vault wiki | Factory