hashicorp/vault
Tooling
Vault relies on a layered tool stack: Make for orchestration, golangci-lint for static analysis, copywrite for license headers, code generators for protobuf and enums, and the tools/ workspace for everything that doesn't fit cleanly elsewhere.
Build orchestration
Makefile (and make.bat for Windows) is the only build entrypoint that's safe to use. Inside it:
make dev→scripts/build.sh→go buildwith sane flags.make static-dist dev-ui→ buildsui/, copies the dist intohttp/web_ui/, then builds the binary with the UI embedded.make bin→ release-style build (nodevflags).make release→ invoked by the CI release workflow.
Variables you can override: GOOS, GOARCH, CGO_ENABLED, BUILD_TAGS, TEST (test path), TESTARGS (test args), VAULT_BINARY (for cluster tests).
Lint and format
make fmtrunsgofmt -s -wandgoimports -wover the tree.make fmtcheckruns the same checks read-only and fails on diffs.make lintinvokesgolangci-lint run, configured by.golangci.yml.make proto-lintrunsbuf lintagainst the.protofiles declared inbuf.yaml.
The Go lint config enables errcheck, goimports, gofmt, gocyclo, and a small allowlist of project-specific checks. enos-lint.yml and actionlint.yml cover Enos files and GitHub Actions respectively.
Code generators
| What | How | Where |
|---|---|---|
| Protobufs | make proto (uses buf + protoc-gen-go) |
vault/*.proto, sdk/logical/*.proto, physical/raft/*.proto, … |
| Enum stringers | go generate ./... |
*_enumer.go files (around 10 of them) |
| OpenAPI spec | vault openapi (runtime command) |
sdk/framework/openapi.go builds this from the framework backends |
| UI dist | make ember-dist → http/web_ui/ |
UI bundle embedded into binary |
| Copywrite headers | copywrite headers |
governed by .copywrite.hcl |
tools/
The tools/ directory is a Go module containing the build-time tools that Vault pins via go install. make bootstrap installs them. Notable members:
tools/codechecker/— internal lint plugin used by golangci-lint.tools/dep-overrides/— generatesDEP_OVERRIDE_REPORT.mddescribing replace directives.tools/copywrite/— wrapper around the upstream tool.
If you need a new build tool, add it to tools/tools.go so go install picks it up reproducibly.
CI workflows
The 33 GitHub Actions workflows under .github/workflows/ cover everything from PR linting to nightly Enos scenarios. The most important ones for contributors:
| Workflow | Trigger | Purpose |
|---|---|---|
ci.yml |
PR | Top-level orchestrator that calls everything below. |
test-go.yml |
PR | Sharded Go unit tests. |
test-ui.yml |
PR | Ember tests, lint, prettier. |
code-checker.yml |
PR | gofmt, license headers, file-name policies. |
oss.yml |
PR | Verifies no Enterprise files are accidentally committed to OSS. |
changelog-checker.yml |
PR | Validates changelog/<PR>.txt. |
build.yml |
merge to main and tag |
Cross-platform build artifacts. |
enos-release-testing-oss.yml |
release | End-to-end Enos scenarios. |
Some workflows are auto-merged via add-hashicorp-contributed-label.yml and the dependency-update bot.
Local pre-commit
.hooks/pre-commit (installed via git config core.hooksPath .hooks) runs:
gofmtgoimportscopywrite headers --plan(warning-only)
It is intentionally fast; the heavy lifting is left to CI.
OpenAPI generation
vault read sys/internal/specs/openapi returns the generated OpenAPI 3 spec. The same logic is used by the auto-completion in the CLI (command/base_predict.go). Code is in sdk/framework/openapi.go (46k lines) — much of it is reflective handling of framework.Path definitions.
Security tooling
scan.hcl configures HashiCorp's security-scanner (a wrapper around gosec, govulncheck, and others) used by .github/workflows/security-scan.yml. The mend-pr-scan.yml workflow runs the Mend (formerly Whitesource) license/dependency scan.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.