tool: script to update the golang version #1283
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1283 +/- ##
=======================================
Coverage 48.70% 48.70%
=======================================
Files 224 224
Lines 19852 19852
=======================================
Hits 9669 9669
Misses 9675 9675
Partials 508 508
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report in Codecov by Sentry.
|
There was a problem hiding this comment.
Thanks, approving with a minor update suggested per the documentation style guide
clamoriniere
force-pushed
the
clamoriniere/update-golang-auto
branch
from
6060b72 to
2aa3b92
Compare
clamoriniere
force-pushed
the
clamoriniere/update-golang-auto
branch
5 times, most recently
from
ac0a4f6 to
e39fe54
Compare
* Add tooling to update golang version in all the places that it is defined. * Use the go ersion present in go.work to update the version everywhere. * Update the go.mod files to use the go workspace. * Fix some issues is the makefile * Add in the CI a job to verify that the golang version in properly sync everywhere.
clamoriniere
force-pushed
the
clamoriniere/update-golang-auto
branch
from
e39fe54 to
9394316
Compare
levan-m
force-pushed
the
clamoriniere/update-golang-auto
branch
4 times, most recently
from
db5d75c to
ad0c415
Compare
levan-m
force-pushed
the
clamoriniere/update-golang-auto
branch
from
ad0c415 to
cd57616
Compare
![datadog-datadog-prod-us1[bot]](https://avatars.githubusercontent.com/u/365230?s=60&v=4){kind=small}
| files: cover.out,cover_integration_v1.out,cover_integration_v2.out | ||
| flags: unittests | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v1 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag (...read more)
When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).
No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.
Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.
Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.
| go-version: ${{ env.GO_VERSION }} | ||
| id: go | ||
| - name: install required packages | ||
| uses: mstksg/get-package@v1 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag (...read more)
When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).
No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.
Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.
Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.
| - name: run unit tests and E2E tests (fake cluster) | ||
| run: | | ||
| make test | ||
| - uses: codecov/codecov-action@v2 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag (...read more)
When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).
No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.
Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.
Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.
| with: | ||
| apt-get: mercurial jq build-essential | ||
| - name: Check out code into the Go module directory | ||
| uses: actions/checkout@v1 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag (...read more)
When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).
No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.
Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.
Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.
* test skopeo install and rh bundle * go work sync * update publish_community_operators job
levan-m
force-pushed
the
clamoriniere/update-golang-auto
branch
from
a84f748 to
001dd2c
Compare
* automate golang version update * Add tooling to update golang version in all the places that it is defined. * Use the go ersion present in go.work to update the version everywhere. * Update the go.mod files to use the go workspace. * Fix some issues is the makefile * Add in the CI a job to verify that the golang version in properly sync everywhere. * only use minor version for go version go.mod * Test skopeo build in gitlab ci * fix go.work * Fix publish community PRs job (#1474) * test skopeo install and rh bundle * go work sync * update publish_community_operators job * remove test-skopeo job * sync workspace * go mod tidy * e2e, go mod tidy --------- Co-authored-by: Levan Machablishvili <levan.machablishvili@datadoghq.com> Co-authored-by: Fanny Jiang <fanny.jiang@datadoghq.com> Co-authored-by: levan-m <116471169+levan-m@users.noreply.github.com>
* automate golang version update * Add tooling to update golang version in all the places that it is defined. * Use the go ersion present in go.work to update the version everywhere. * Update the go.mod files to use the go workspace. * Fix some issues is the makefile * Add in the CI a job to verify that the golang version in properly sync everywhere. * only use minor version for go version go.mod * Test skopeo build in gitlab ci * fix go.work * Fix publish community PRs job (#1474) * test skopeo install and rh bundle * go work sync * update publish_community_operators job * remove test-skopeo job * sync workspace * go mod tidy * e2e, go mod tidy --------- Co-authored-by: Cedric Lamoriniere <cedric.lamoriniere@datadoghq.com> Co-authored-by: Fanny Jiang <fanny.jiang@datadoghq.com>
What does this PR do?
Provide a script to safely update the golang version.
This script is taking the golang version in
go.workfile and path all the files that contain the golang version.defined.
everywhere.
Motivation
Simplify golang version update
Additional Notes
Anything else we should know when reviewing?
Minimum Agent Versions
Are there minimum versions of the Datadog Agent and/or Cluster Agent required?
Describe your test plan
Write there any instructions and details you may have to test your PR.
Checklist
bug,enhancement,refactoring,documentation,tooling, and/ordependenciesqa/skip-qalabel