prepare 6.6.3 release (#164)

.circleci/config.yml

@@ -3,6 +3,14 @@ version: 2.1
 orbs:
   go: circleci/go@1.6.0
 
+parameters:
+  # See "Runtime platform versions" in CONTRIBUTING.md
+  # We define go-release-version here as a pipeline parameter not because we intend to
+  # override it in any parameterized builds, but just as a convenient shareable constant
+  go-release-version:
+    type: string
+    default: "1.17.6"
+
 experimental:
   notify:
     branches:
@@ -60,28 +68,36 @@ workflows:
     when:
       equal: ["https://github.com/launchdarkly/ld-relay-private", <<pipeline.project.git_url>>]
 
-  # The daily-package-build-test job is temporarily disabled - we will re-enable it for Go 1.16 & 1.17
-  # once the latest public release no longer contains a replace directive in go.mod.
-  # daily-package-build-test:
-  #   triggers:
-  #   - schedule:
-  #       cron: "0 8 * * *"
-  #       filters:
-  #         branches:
-  #           only: v6
-  #   jobs:
-      # - package-build-test:
-      #     name: package build - Go latest
-      #     docker-image: circleci/golang:latest
-      #     use-go-install: true
-      # - package-build-test:
-      #     name: package build - Go 1.17
-      #     docker-image: cimg/go:1.17
-      #     use-go-install: true
-      # - package-build-test:
-      #     name: package build - Go 1.16
-      #     docker-image: cimg/go:1.16
-      #     use-go-install: true
+  daily-package-build-test:
+    triggers:
+    - schedule:
+        cron: "0 8 * * *"
+        filters:
+          branches:
+            only: v6
+    jobs:
+      - package-build-test:
+          name: package build - Go latest
+          docker-image: circleci/golang:latest
+          use-go-install: true
+      - package-build-test:
+          name: package build - Go 1.17
+          docker-image: cimg/go:1.17
+          use-go-install: true
+      - package-build-test:
+          name: package build - Go 1.16
+          docker-image: cimg/go:1.16
+          use-go-install: true
+
+  daily-security-scan:
+    triggers:
+    - schedule:
+        cron: "0 12 * * *"
+        filters:
+          branches:
+            only: v6
+    jobs:
+      - security-scan-only
 
 jobs:
   go-test:
@@ -100,16 +116,16 @@ jobs:
         environment: &environment
           CIRCLE_TEST_REPORTS: /tmp/circle-reports
           CIRCLE_ARTIFACTS: /tmp/circle-artifacts
-          COMMON_GO_PACKAGES: >
-            github.com/jstemmer/go-junit-report
           TAGS: redis_unit_tests,big_segment_external_store_tests
       - image: redis
       - image: amazon/dynamodb-local
 
     steps:
       - checkout
-      - run: go get -u $COMMON_GO_PACKAGES
       - run: go version && go env
+      - run:
+          name: install go-junit-report
+          command: go install github.com/jstemmer/go-junit-report@v0.9.1
       - when:
           condition: <<parameters.run-lint>>
           steps:
@@ -172,22 +188,18 @@ jobs:
       LD_CLIENT_SDK_URL: <<parameters.ld_client_sdk_url>>
       CIRCLE_TEST_REPORTS: /tmp/circle-reports
       CIRCLE_ARTIFACTS: /tmp/circle-artifacts
-      COMMON_GO_PACKAGES: >
-        github.com/jstemmer/go-junit-report
     steps:
       - checkout
       - go/install: # since we're using machine mode, we can't use a preinstalled Go Docker image
-          version: 1.16.10
+          version: <<pipeline.parameters.go-release-version>>
+          cache: false
       - run: go version && go env
-      - restore_cache:
-          keys: 
-            - deps-relay-i9ntest-{{ checksum "go.mod" }}    
-      - run: go get -u $COMMON_GO_PACKAGES
+      - go/load-cache
+      - run:
+          name: install go-junit-report
+          command: go install github.com/jstemmer/go-junit-report@v0.9.1
       - run: go test -tags integrationtests -i ./integrationtests # just install the dependencies for the tests
-      - save_cache:
-          key: deps-relay-i9ntest-{{ checksum "go.mod" }}    
-          paths:
-            - /home/circleci/.go_workspace
+      - go/save-cache
       - run: |
           mkdir -p $CIRCLE_TEST_REPORTS
           mkdir -p $CIRCLE_ARTIFACTS
@@ -249,9 +261,7 @@ jobs:
 
   docker-images-test:
     docker:
-      # We must keep this image tag in sync with the image that will really be used for releases,
-      # which is specified in .ldrelease/config.yml.
-      - image: cimg/go:1.16.10
+      - image: cimg/go:<<pipeline.parameters.go-release-version>>
         environment:
           <<: *environment
 
@@ -279,6 +289,41 @@ jobs:
       - run:
           name: Trivy security scan
           command: trivy image --exit-code 1 launchdarkly/ld-relay:latest
+          # Note that the "latest" here is not the latest published image in DockerHub;
+          # it's the one that was just built locally in the previous step.
 
       - store_artifacts:
           path: dist/
+
+  security-scan-only:
+    docker:
+      - image: cimg/go:<<pipeline.parameters.go-release-version>>
+        environment:
+          <<: *environment
+
+    steps:
+      - checkout
+      - setup_remote_docker  # start docker engine
+
+      - run:
+          name: add package source for Trivy
+          command: |
+            sudo apt-get install wget apt-transport-https gnupg lsb-release
+            wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+            echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+
+      - run:
+          name: install packages
+          command: |
+            sudo apt-get update
+            sudo apt-get install rpm trivy
+
+      - run:
+          name: build Docker images
+          command: make products-for-release
+
+      - run:
+          name: Trivy security scan
+          command: trivy image --exit-code 1 launchdarkly/ld-relay:latest
+          # Note that the "latest" here is not the latest published image in DockerHub;
+          # it's the one that was just built locally in the previous step.

.ldrelease/config.yml

@@ -38,7 +38,7 @@ repo:
 
 jobs:
   - docker:
-      image: cimg/go:1.16.10
+      image: cimg/go:1.17.6   # See "Runtime platform versions" in CONTRIBUTING.md
       copyGitHistory: true
     template:
       name: go

CONTRIBUTING.md

@@ -61,3 +61,17 @@ As this is a larger codebase than most LaunchDarkly open-source projects, we hav
 
 * No packages outside of `internal/` should export any symbols other than the ones that are necessary to support usage of the Relay Proxy [as a library](./docs/in-app.md). Anything else that is visible becomes part of the supported external API for this project and can't be changed without a new major version, so be careful not to export any irrelevant implementation details. Anything within `internal/` can safely be changed.
 * Package imports should be grouped as follows: 1. all built-in Go packages; 2. all packages that are part of this repository (`github.com/launchdarkly/ld-relay/...`); 3. all other LaunchDarkly packages (`github.com/launchdarkly/...`, `gopkg.in/launchdarkly/...`); 4. all third-party packages.
+
+### Runtime platform versions (Go and Alpine) for Docker
+
+The published `ld-relay` Docker image embeds specific versions of the Alpine OS and the Go runtime. We update these to take advantage of patch releases for both Alpine and Go.
+
+These versions are specified in several places. For the published `ld-relay` image:
+
+* The Alpine version is specified by the `FROM` line in `Dockerfile.goreleaser`.
+* The Go version is specified by the `image` property in `.ldrelease/config.yml`. Basically, we run a Docker container with some version of Go in it, and within that container we will be running `goreleaser`. Then the `goreleaser` tool will look at `Dockerfile.goreleaser` to provide the base image, and it will embed whatever version of the Go runtime it is running on in the published executable.
+
+When we change these versions, we should also update our test builds to match the versions we are releasing with:
+
+* In `.circleci/config.yml`, update the default value of `go-release-version`.
+* In `Dockerfile` (which is used for CI tests, not for the release), update the `FROM` line to an image in the format `golang:$(GO_VERSION)-alpine$(ALPINE_VERSION)`.

Dockerfile

@@ -1,6 +1,7 @@
 # This is a standalone Dockerfile that does not depend on goreleaser building the binary
 # It is NOT the version that is pushed to dockerhub
-FROM golang:1.16.10-alpine3.14 as builder
+FROM golang:1.17.6-alpine3.14 as builder
+# See "Runtime platform versions" in CONTRIBUTING.md
 
 RUN apk --no-cache add \
     libc-dev \

Dockerfile.goreleaser

@@ -3,6 +3,7 @@
 # See .ldrelease/config.yml for an explanation of the build/release process.
 
 FROM alpine:3.14.3
+# See "Runtime platform versions" in CONTRIBUTING.md
 
 RUN apk add --no-cache \
     curl \