[Snyk] Security upgrade golang from latest to 1.22.4 #3522
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Image CI Build | |
| # Any change in triggers needs to be reflected in the concurrency group. | |
| on: | |
| pull_request_target: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| push: | |
| branches: | |
| - master | |
| - ft/master/** | |
| # If the cache was cleaned we should re-build the cache with the latest commit | |
| workflow_run: | |
| workflows: | |
| - "Image CI Cache Cleaner" | |
| branches: | |
| - master | |
| - ft/master/** | |
| types: | |
| - completed | |
| permissions: read-all | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }} | |
| cancel-in-progress: true | |
| jobs: | |
| build-and-push-prs: | |
| runs-on: ubuntu-20.04 | |
| strategy: | |
| matrix: | |
| include: | |
| - name: cilium | |
| dockerfile: ./images/cilium/Dockerfile | |
| - name: operator-aws | |
| dockerfile: ./images/operator/Dockerfile | |
| - name: operator-azure | |
| dockerfile: ./images/operator/Dockerfile | |
| - name: operator-alibabacloud | |
| dockerfile: ./images/operator/Dockerfile | |
| - name: operator-generic | |
| dockerfile: ./images/operator/Dockerfile | |
| - name: hubble-relay | |
| dockerfile: ./images/hubble-relay/Dockerfile | |
| - name: clustermesh-apiserver | |
| dockerfile: ./images/clustermesh-apiserver/Dockerfile | |
| - name: docker-plugin | |
| dockerfile: ./images/cilium-docker-plugin/Dockerfile | |
| steps: | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 | |
| - name: Login to quay.io for CI | |
| uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME_CI }} | |
| password: ${{ secrets.QUAY_PASSWORD_CI }} | |
| - name: Getting image tag | |
| id: tag | |
| run: | | |
| if [ ${{ github.event.pull_request.head.sha }} != "" ]; then | |
| echo ::set-output name=tag::${{ github.event.pull_request.head.sha }} | |
| else | |
| echo ::set-output name=tag::${{ github.sha }} | |
| fi | |
| - name: Checkout Source Code | |
| uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ steps.tag.outputs.tag }} | |
| # Load Golang cache build from GitHub | |
| - name: Load ${{ matrix.name }} Golang cache build from GitHub | |
| uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed | |
| id: cache | |
| with: | |
| path: /tmp/.cache/${{ matrix.name }} | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}- | |
| ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}- | |
| ${{ runner.os }}-go- | |
| - name: Create ${{ matrix.name }} cache directory | |
| if: ${{ steps.cache.outputs.cache-hit != 'true' }} | |
| shell: bash | |
| run: | | |
| mkdir -p /tmp/.cache/${{ matrix.name }} | |
| # Import GitHub's cache build to docker cache | |
| - name: Copy ${{ matrix.name }} Golang cache to docker cache | |
| uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b | |
| with: | |
| context: /tmp/.cache/${{ matrix.name }} | |
| file: ./images/cache/Dockerfile | |
| push: false | |
| platforms: linux/amd64 | |
| target: import-cache | |
| # master branch pushes | |
| - name: CI Build ${{ matrix.name }} | |
| if: ${{ github.event_name != 'pull_request_target' }} | |
| uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b | |
| id: docker_build_ci_master | |
| with: | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| # Only push when the event name was a GitHub push, this is to avoid | |
| # re-pushing the image tags when we only want to re-create the Golang | |
| # docker cache after the workflow "Image CI Cache Cleaner" was terminated. | |
| push: ${{ github.event_name == 'push' }} | |
| platforms: linux/amd64,linux/arm64 | |
| tags: | | |
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest | |
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
| build-args: | | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI race detection Build ${{ matrix.name }} | |
| if: ${{ github.event_name != 'pull_request_target' }} | |
| uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b | |
| id: docker_build_ci_master_detect_race_condition | |
| with: | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| # Only push when the event name was a GitHub push, this is to avoid | |
| # re-pushing the image tags when we only want to re-create the Golang | |
| # docker cache after the workflow "Image CI Cache Cleaner" was terminated. | |
| push: ${{ github.event_name == 'push' }} | |
| platforms: linux/amd64 | |
| tags: | | |
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest-race | |
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
| build-args: | | |
| BASE_IMAGE=quay.io/cilium/cilium-runtime:514cbfc3fccb32fb67193b4b686f508b2fa26621@sha256:30cf45c1feadd04d367c446d0a3e3530d85be1b1e86f166f2862fdc09950f6a0 | |
| LOCKDEBUG=1 | |
| RACE=1 | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI Image Releases digests | |
| if: ${{ github.event_name != 'pull_request_target' }} | |
| shell: bash | |
| run: | | |
| mkdir -p image-digest/ | |
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest@${{ steps.docker_build_ci_master.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest-race@${{ steps.docker_build_ci_master_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_master.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_master_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| # PR updates | |
| - name: CI Build ${{ matrix.name }} | |
| if: ${{ github.event_name == 'pull_request_target' }} | |
| uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b | |
| id: docker_build_ci_pr | |
| with: | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: | | |
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }} | |
| build-args: | | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI Image Releases digests | |
| if: ${{ github.event_name == 'pull_request_target' }} | |
| shell: bash | |
| run: | | |
| mkdir -p image-digest/ | |
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | |
| - name: CI race detection Build ${{ matrix.name }} | |
| if: ${{ github.event_name == 'pull_request_target' }} | |
| uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b | |
| id: docker_build_ci_pr_detect_race_condition | |
| with: | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| push: true | |
| platforms: linux/amd64 | |
| tags: | | |
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race | |
| build-args: | | |
| BASE_IMAGE=quay.io/cilium/cilium-runtime:514cbfc3fccb32fb67193b4b686f508b2fa26621@sha256:30cf45c1feadd04d367c446d0a3e3530d85be1b1e86f166f2862fdc09950f6a0 | |
| LOCKDEBUG=1 | |
| RACE=1 | |
| OPERATOR_VARIANT=${{ matrix.name }} | |
| - name: CI Image Releases digests | |
| if: ${{ github.event_name == 'pull_request_target' }} | |
| shell: bash | |
| run: | | |
| mkdir -p image-digest/ | |
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}@${{ steps.docker_build_ci_pr.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ steps.tag.outputs.tag }}-race@${{ steps.docker_build_ci_pr_detect_race_condition.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| # Upload artifact digests | |
| - name: Upload artifact digests | |
| uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 | |
| with: | |
| name: image-digest ${{ matrix.name }} | |
| path: image-digest | |
| retention-days: 1 | |
| # Store docker's golang's cache build locally only on the main branch | |
| - name: Store ${{ matrix.name }} Golang cache build locally | |
| if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' }} | |
| uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b | |
| with: | |
| context: . | |
| file: ./images/cache/Dockerfile | |
| push: false | |
| outputs: type=local,dest=/tmp/docker-cache-${{ matrix.name }} | |
| platforms: linux/amd64 | |
| target: export-cache | |
| # Store docker's golang's cache build locally only on the main branch | |
| - name: Store ${{ matrix.name }} Golang cache in GitHub cache path | |
| if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' }} | |
| shell: bash | |
| run: | | |
| mkdir -p /tmp/.cache/${{ matrix.name }}/ | |
| if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz ]; then | |
| cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ | |
| fi | |
| if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz ]; then | |
| cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ | |
| fi | |
| # we need to build cilium-test separately | |
| # this is caused by running apt while building the image | |
| # which requires qemu setup in order to avoid x86/arm64 binaries mixups | |
| # note: we only build on pushes to master branch | |
| build-and-push-with-qemu: | |
| if: ${{ github.event_name == 'push' }} | |
| runs-on: ubuntu-20.04 | |
| strategy: | |
| matrix: | |
| include: | |
| - name: cilium-test | |
| dockerfile: ./images/cilium-test/Dockerfile | |
| steps: | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 | |
| - name: Login to quay.io for CI | |
| uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.QUAY_USERNAME_CI }} | |
| password: ${{ secrets.QUAY_PASSWORD_CI }} | |
| - name: Checkout Source Code | |
| uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 | |
| with: | |
| persist-credentials: false | |
| ref: ${{ github.sha }} | |
| # Load Golang cache build from GitHub | |
| - name: Load ${{ matrix.name }} Golang cache build from GitHub | |
| uses: actions/cache@937d24475381cd9c75ae6db12cb4e79714b926ed | |
| id: cache | |
| with: | |
| path: /tmp/.cache/${{ matrix.name }} | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ matrix.name }}- | |
| ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}- | |
| ${{ runner.os }}-go- | |
| - name: Create ${{ matrix.name }} cache directory | |
| if: ${{ steps.cache.outputs.cache-hit != 'true' }} | |
| shell: bash | |
| run: | | |
| mkdir -p /tmp/.cache/${{ matrix.name }} | |
| # Import GitHub's cache build to docker cache | |
| - name: Copy ${{ matrix.name }} Golang cache to docker cache | |
| uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b | |
| with: | |
| context: /tmp/.cache/${{ matrix.name }} | |
| file: ./images/cache/Dockerfile | |
| push: false | |
| platforms: linux/amd64 | |
| target: import-cache | |
| - name: CI Build ${{ matrix.name }} | |
| uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b | |
| id: docker_build_ci_master | |
| with: | |
| context: . | |
| file: ${{ matrix.dockerfile }} | |
| # Only push when the event name was a GitHub push, this is to avoid | |
| # re-pushing the image tags when we only want to re-create the Golang | |
| # docker cache after the workflow "Image CI Cache Cleaner" was terminated. | |
| push: ${{ github.event_name == 'push' }} | |
| platforms: linux/amd64,linux/arm64 | |
| tags: | | |
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest | |
| quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ github.sha }} | |
| - name: CI Image Releases digests | |
| shell: bash | |
| run: | | |
| mkdir -p image-digest/ | |
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:latest@${{ steps.docker_build_ci_master.outputs.digest }}" > image-digest/${{ matrix.name }}.txt | |
| echo "quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci:${{ github.sha }}@${{ steps.docker_build_ci_master.outputs.digest }}" >> image-digest/${{ matrix.name }}.txt | |
| # Upload artifact digests | |
| - name: Upload artifact digests | |
| uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 | |
| with: | |
| name: image-digest ${{ matrix.name }} | |
| path: image-digest | |
| retention-days: 1 | |
| # Store docker's golang's cache build locally only on the main branch | |
| - name: Store ${{ matrix.name }} Golang cache build locally | |
| if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' }} | |
| uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b | |
| with: | |
| context: . | |
| file: ./images/cache/Dockerfile | |
| push: false | |
| outputs: type=local,dest=/tmp/docker-cache-${{ matrix.name }} | |
| platforms: linux/amd64 | |
| target: export-cache | |
| # Store docker's golang's cache build locally only on the main branch | |
| - name: Store ${{ matrix.name }} Golang cache in GitHub cache path | |
| if: ${{ github.event_name != 'pull_request_target' && steps.cache.outputs.cache-hit != 'true' }} | |
| shell: bash | |
| run: | | |
| mkdir -p /tmp/.cache/${{ matrix.name }}/ | |
| if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz ]; then | |
| cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-build-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ | |
| fi | |
| if [ -f /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz ]; then | |
| cp /tmp/docker-cache-${{ matrix.name }}/tmp/go-pkg-cache.tar.gz /tmp/.cache/${{ matrix.name }}/ | |
| fi | |
| - name: Send slack notification | |
| if: ${{ !success() && (github.event_name == 'schedule' || github.event_name == 'push') }} | |
| uses: 8398a7/action-slack@a74b761b4089b5d730d813fbedcd2ec5d394f3af | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,message,commit,author,action,eventName,ref,workflow,job,took # selectable (default: repo,message) | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| image-digests: | |
| if: ${{ always() && | |
| (needs.build-and-push-with-qemu.result == 'success' || needs.build-and-push-with-qemu.result == 'skipped') }} | |
| name: Display Digests | |
| runs-on: ubuntu-20.04 | |
| needs: [build-and-push-prs, build-and-push-with-qemu] | |
| steps: | |
| - name: Downloading Image Digests | |
| shell: bash | |
| run: | | |
| mkdir -p image-digest/ | |
| - name: Download digests of all images built | |
| uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
| with: | |
| path: image-digest/ | |
| - name: Image Digests Output | |
| shell: bash | |
| run: | | |
| cd image-digest/ | |
| find -type f | sort | xargs -d '\n' cat |