Skip to content

- Updated to Go 1.21.9 to address CVE-2023-45288 #78

- Updated to Go 1.21.9 to address CVE-2023-45288

- Updated to Go 1.21.9 to address CVE-2023-45288 #78

Workflow file for this run

name: Release Build
on:
push:
tags:
- 'v[0-9].[0-9]+.[0-9]+'
env:
GO_VERSION: 1.21.9
jobs:
cache-deps:
name: cache-deps (linux)
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Setup dep cache
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Pull go deps
run: go mod download
lint:
name: lint (linux)
runs-on: ubuntu-20.04
needs: cache-deps
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Setup build tool cache
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Lint
run: make lint
- name: Tidy check
run: make tidy-check
- name: Generate check
run: make generate-check
- name: Shell check
run: shellcheck .github/workflows/scripts/*.sh
unit-test:
strategy:
matrix:
OS: [ubuntu-20.04, macos-latest]
runs-on: ${{ matrix.OS }}
needs: cache-deps
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Run unit tests
run: ./.github/workflows/scripts/run_unit_tests.sh
unit-test-race-detector:
name: unit-test (linux with race detection)
runs-on: ubuntu-20.04
needs: cache-deps
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Run unit tests
run: ./.github/workflows/scripts/run_unit_tests_under_race_detector.sh
artifacts:
name: artifacts (linux)
runs-on: ubuntu-20.04
needs: [cache-deps, images]
timeout-minutes: 30
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Install regctl
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
- name: Download archived images
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: images
path: .
- name: Expand archived images
run: |
tar xvf images.tar.gz
- name: Build artifacts
run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
- name: Archive artifacts
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
with:
name: binaries-linux
path: ./artifacts/
images:
name: images (linux)
runs-on: ubuntu-20.04
needs: [cache-deps]
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Load cached build tools
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Build images
run: TAG=${GITHUB_REF##refs/tags/v} make images-no-load
- name: Export images
run: tar -czvf images.tar.gz *-image.tar
- name: Archive images
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
with:
name: images
path: images.tar.gz
images-windows:
name: images (windows)
runs-on: windows-2022
needs: artifacts-windows
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Load cached executables
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ./bin/
key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
- name: Build images
run: make images-windows
- name: Export images
run: |
docker save spire-server-windows:latest-local spire-agent-windows:latest-local oidc-discovery-provider-windows:latest-local -o images-windows.tar
gzip images-windows.tar
- name: Archive images
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
with:
name: images-windows
path: images-windows.tar.gz
build-matrix:
name: Build matrix
runs-on: ubuntu-20.04
needs: [cache-deps]
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- id: set-matrix
name: Collect versions
run: |
json_array=$(bash ./.github/workflows/scripts/find_k8s.sh)
echo "test=$json_array" >> $GITHUB_OUTPUT
echo "Collected tests: $json_array"
outputs:
test: ${{ steps.set-matrix.outputs.test }}
integration:
name: integration (linux)
runs-on: ubuntu-20.04
needs: [cache-deps, images]
permissions:
contents: read
strategy:
fail-fast: false
matrix:
num_runners: [5]
runner_id: [1, 2, 3, 4, 5]
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
# The "upgrade" integration test needs the history to ensure
# that the version number in the source code has been bumped as
# expected. This action does not fetch tags unless we supply a
# fetch depth of zero.
fetch-depth: 0
# Even though we've just checked out the code, checkout@v2 has a bug
# where it overwrites the local annotated tag, dropping the annotation.
# The "upgrade" integration test is designed to only consider annotated
# tags as version tags. We don't really want to soften this stance, so
# instead we'll re-fetch the tags.
#
# See https://github.com/actions/checkout/issues/290
- name: Fix tag annotations
run: git fetch --tags --force
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Install regctl
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Load cached build tools
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Download archived images
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: images
path: .
- name: Load archived images
run: |
tar xvf images.tar.gz
make load-images
- name: Run integration tests
env:
NUM_RUNNERS: ${{ matrix.num_runners }}
THIS_RUNNER: ${{ matrix.runner_id }}
TERM: dumb
# We don't need to specify CICD_TARGET_BRANCH since the upgrade
# integration test will detect the annotated tag for version checking.
# CICD_TARGET_BRANCH:
run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh
integration-k8s:
name: integration-k8s
runs-on: ubuntu-20.04
needs: [cache-deps, images, build-matrix]
timeout-minutes: 45
permissions:
contents: read
strategy:
fail-fast: false
matrix:
num_runners: [1]
runner_id: [1]
#Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
test: ${{ fromJson(needs.build-matrix.outputs.test) }}
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
# The "upgrade" integration test needs the history to ensure
# that the version number in the source code has been bumped as
# expected. This action does not fetch tags unless we supply a
# fetch depth of zero.
fetch-depth: 0
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Install regctl
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Load cached build tools
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Download archived images
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: images
path: .
- name: Load archived images
run: |
tar xvf images.tar.gz
make load-images
- name: Run k8s integration
env:
NUM_RUNNERS: ${{ matrix.num_runners }}
THIS_RUNNER: ${{ matrix.runner_id }}
KUBECTLVERSION: ${{ matrix.test[0] }}
K8SIMAGE: ${{ matrix.test[1] }}
KINDVERSION: ${{ matrix.test[2] }}
TERM: dumb
CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
run: ./.github/workflows/scripts/split_k8s.sh | xargs ./test/integration/test-k8s.sh
integration-windows:
name: integration (windows)
runs-on: windows-2022
needs: images-windows
permissions:
contents: read
defaults:
run:
shell: msys2 {0}
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Load cached build tools
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Install msys2
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0
with:
msystem: MINGW64
update: true
path-type: inherit
install: >-
git base-devel mingw-w64-x86_64-toolchain unzip
- name: Download archived images
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: images-windows
path: .
- name: Load archived images
run: docker load -i images-windows.tar.gz
- name: Run integration tests
# Run all tests for now
run: make integration-windows
cache-deps-windows:
name: cache-deps (windows)
runs-on: windows-2022
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Setup dep cache
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Pull go deps
run: go mod download
lint-windows:
name: lint (windows)
runs-on: windows-2022
needs: cache-deps-windows
permissions:
contents: read
defaults:
run:
shell: msys2 {0}
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Setup build tool cache
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Install msys2
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0
with:
msystem: MINGW64
update: true
install: >-
git base-devel mingw-w64-x86_64-toolchain unzip
- name: Lint
run: make lint-code
- name: Tidy check
run: make tidy-check
- name: Generate check
run: make generate-check
unit-test-windows:
name: unit-test (windows)
runs-on: windows-2022
needs: cache-deps-windows
permissions:
contents: read
defaults:
run:
shell: msys2 {0}
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Install msys2
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0
with:
msystem: MINGW64
update: true
install: >-
git base-devel mingw-w64-x86_64-toolchain unzip
- name: Run unit tests
run: ./.github/workflows/scripts/run_unit_tests.sh
artifacts-windows:
name: artifacts (windows)
runs-on: windows-2022
needs: cache-deps-windows
permissions:
contents: read
defaults:
run:
shell: msys2 {0}
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: ${{ env.GO_VERSION }}
- name: Load cached deps
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- name: Load cached build tools
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: .build
key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
- name: Install msys2
uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0
with:
msystem: MINGW64
update: true
install: >-
git base-devel mingw-w64-x86_64-toolchain zip unzip
- name: Build binaries
run: make build
- name: Build artifacts
run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
- name: Setup executables cache
uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
with:
path: ./bin/
key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
- name: Archive artifacts
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
with:
name: binaries-windows
path: ./artifacts/
publish-artifacts:
runs-on: ubuntu-20.04
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Download archived Linux artifacts
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: binaries-linux
path: ./artifacts/
- name: Download archived Windows artifacts
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: binaries-windows
path: ./artifacts/
- name: Create Release
env:
# GH_REPO is required for older releases of `gh`. Until we're
# reasonably confident that that the gh release is new enough,
# set GH_REPO to the repository to create the release in.
#
# See https://github.com/cli/cli/issues/3556
GH_REPO: ${{ github.repository }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Create the release using the version number as the title
run: gh release create "${GITHUB_REF#refs/tags/}" ./artifacts/*.zip ./artifacts/*.tar.gz ./artifacts/*.txt --title "${GITHUB_REF#refs/tags/}"
publish-images:
runs-on: ubuntu-20.04
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
with:
cosign-release: v2.2.3
- name: Install regctl
uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
- name: Download archived images
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: images
path: .
- name: Log in to GHCR
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push images
run: |
tar xzvf images.tar.gz
./.github/workflows/scripts/push-images.sh "${GITHUB_REF}"