Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): Bump k8s.io/* from 0.29.3 to 0.30.1 #15383

Merged
merged 2 commits into from
May 24, 2024
Merged

chore(deps): Bump k8s.io/* from 0.29.3 to 0.30.1 #15383

merged 2 commits into from
May 24, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 20, 2024

Bumps k8s.io/apimachinery from 0.29.3 to 0.30.1.

Commits
  • 37988e5 Merge remote-tracking branch 'origin/master' into release-1.30
  • c857a38 Update x/net for CVE-2023-45288
  • 0407311 followup to allow special characters
  • 25164f7 Merge pull request #123435 from tallclair/apparmor-ga
  • cbfe0a1 Merge pull request #123758 from liggitt/protobump
  • 21d26b6 Bump github.com/golang/protobuf v1.5.4, google.golang.org/protobuf v1.33.0
  • 0c29f84 Merge pull request #123385 from HirazawaUi/allow-special-characters
  • 60d24f2 Merge pull request #123708 from p0lyn0mial/upstream-const-watchlist-bookmark-...
  • 513d23a apimachinery/meta/types.go: define InitialEventsAnnotationKey const
  • 67cb3a8 Merge pull request #123413 from seans3/tunneling-spdy-websockets
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
k8s.io/apimachinery [>= 0.26.a, < 0.27]

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
---
de03cc7 
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 20, 2024
@telegraf-tiger telegraf-tiger bot added the chore label May 20, 2024
@powersj
Copy link
Contributor

powersj commented May 20, 2024

We closed the previous update PR, while waiting for kubernetes/kubernetes#124385 to land, except that one was closed :\

There were some updates as I can push a change which updates the go version to include the minor version:

go 1.22.3

Need to re-read what we found out last night if this is actually the right thing to do or not.

@powersj powersj changed the title chore(deps): Bump k8s.io/apimachinery from 0.29.3 to 0.30.1 chore(deps): Bump k8s.io/* from 0.29.3 to 0.30.1 May 23, 2024
@powersj powersj self-assigned this May 23, 2024
@telegraf-tiger
Copy link
Contributor

Download PR build artifacts for linux_amd64.tar.gz, darwin_arm64.tar.gz, and windows_amd64.zip.
Downloads for additional architectures and packages are available below.

⚠️ This pull request increases the Telegraf binary size by 1.31 % for linux amd64 (new size: 240.8 MB, nightly size 237.7 MB)

📦 Click here to get additional PR build artifacts

Artifact URLs

DEB RPM TAR GZ ZIP
amd64.deb aarch64.rpm darwin_amd64.tar.gz windows_amd64.zip
arm64.deb armel.rpm darwin_arm64.tar.gz windows_arm64.zip
armel.deb armv6hl.rpm freebsd_amd64.tar.gz windows_i386.zip
armhf.deb i386.rpm freebsd_armv7.tar.gz
i386.deb ppc64le.rpm freebsd_i386.tar.gz
mips.deb riscv64.rpm linux_amd64.tar.gz
mipsel.deb s390x.rpm linux_arm64.tar.gz
ppc64el.deb x86_64.rpm linux_armel.tar.gz
riscv64.deb linux_armhf.tar.gz
s390x.deb linux_i386.tar.gz
linux_mips.tar.gz
linux_mipsel.tar.gz
linux_ppc64le.tar.gz
linux_riscv64.tar.gz
linux_s390x.tar.gz

@powersj
Copy link
Contributor

powersj commented May 23, 2024

@srebhan, @DStrand1, @jdstrand,

This dependency PR changes the go entry in go.mod. From go 1.22 to go 1.22.0. It appears that the K8s dependencies declare this and it is causing go mod tidy to either accept this change or have us add a workspace entry to our go.mod.

As we do not have multiple workspaces in our project it did not seem prudent to adopt the workspace flag to avoid confusion and reduce complexity.

The update should be the same as before, in that the project requires at least the initial release of Go 1.22. While we could update this for every security update when we update the CI image, I don't think that is entirely necessary as we do not require the security updates to build Telegraf, instead any release of 1.22 should continue to work.

Thoughts?

@jdstrand
Copy link
Contributor

@srebhan, @DStrand1, @jdstrand,

This dependency PR changes the go entry in go.mod. From go 1.22 to go 1.22.0. It appears that the K8s dependencies declare this and it is causing go mod tidy to either accept this change or have us add a workspace entry to our go.mod.

As we do not have multiple workspaces in our project it did not seem prudent to adopt the workspace flag to avoid confusion and reduce complexity.

The update should be the same as before, in that the project requires at least the initial release of Go 1.22. While we could update this for every security update when we update the CI image, I don't think that is entirely necessary as we do not require the security updates to build Telegraf, instead any release of 1.22 should continue to work.

Thoughts?

I agree. go.mod is the minimum version and isn't what we're using to track what to compile with (so, 1.MM.N is the same as us doing 1.MM up until now). As such I have no problem with 1.22 -> 1.22.0. I also don't have a problem with 1.22.0 -> 1.22.3 (or whatever) either if you want to do it, but I also don't think that is required for our security needs (I always look at the built binaries with go version /path/to/telegraf) as the source of truth. Put simply, from security's perspective, use 1.MM or 1.MM.N however you see fit.

From a developer perspective, I wouldn't want to conflate the go minimum version on what is required to compile the software at all with an outside requirement (even if it is well-intentioned like for security minimum version) as that isn't strictly what the field is designed for.

@powersj powersj added the ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review. label May 23, 2024
@powersj powersj assigned DStrand1 and srebhan and unassigned powersj May 23, 2024
This was referenced May 23, 2024
Closed
Closed
srebhan
srebhan approved these changes May 24, 2024
View reviewed changes
Copy link
Member

@srebhan srebhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for diving into this @powersj! Looks good to me including the go-patch-version addition.

@srebhan srebhan removed their assignment May 24, 2024
@powersj powersj merged commit aa45c7c into master May 24, 2024
30 checks passed
@powersj powersj deleted the dependabot/go_modules/k8s.io/apimachinery-0.30.1 branch May 24, 2024 13:15
@github-actions github-actions bot added this to the v1.31.0 milestone May 24, 2024
@BrewTestBot BrewTestBot mentioned this pull request Jun 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@srebhan srebhan srebhan approved these changes

@jdstrand jdstrand jdstrand approved these changes

@DStrand1 DStrand1 Awaiting requested review from DStrand1

Assignees

@DStrand1 DStrand1

Labels
chore dependencies Pull requests that update a dependency file ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review.
Projects
None yet
Milestone
v1.31.0
Development

Successfully merging this pull request may close these issues.
4 participants
@powersj @jdstrand @srebhan @DStrand1