Mass-update dependencies #42
Conversation
dtantsur
force-pushed
the
deps
branch
2 times, most recently
from
130e6a6
to
12418dc
Compare
|
/assign @tuminoid Could you make sure I'm not undoing any of your security fixes? |
You should be bumping to Go 1.22.3, 1.22.2 has 3 vulnerabilities open. Otherwise the tree is clean. 👍 |
|
@tuminoid done as you suggested |
metal3-io-bot
added
the
size/L
|
@tuminoid looks like github actions only have 1.22.2 on their ubuntu runners :( |
Yeah, let me take a look, if we can fix that. We have other repos working fine, so I think we need to add the go-setup step here as well. We also need to merge this for the gomod to pass: metal3-io/project-infra#783 |
OK, so if we merge #43 and then rebase this, and also merge the project-infra PR for the gomod test, then I think this should pass. |
|
Also edit /test gomod |
dtantsur
force-pushed
the
deps
branch
2 times, most recently
from
3c5525a
to
92ad61b
Compare
hack/gomod.sh
Outdated
| "${CONTAINER_RUNTIME}" run --rm \ | ||
| --env IS_CONTAINER=TRUE \ | ||
| --volume "${PWD}:/workdir:ro,z" \ | ||
| --entrypoint sh \ | ||
| --workdir /workdir \ | ||
| docker.io/golang:1.21 \ | ||
| docker.io/golang:${GO_VERSION} \ |
There was a problem hiding this comment.
This works, but it is diverging what project-infra/CI tests vs what you locally test.
CI uses golang:1.22, so that is suggested to be used here as well.
There was a problem hiding this comment.
Well, it's a bit annoying to hardcode different variations of the same thing everywhere. Should we maybe have a text file that will provide a version that the CI uses? Or somehow de-duplicate it?
There was a problem hiding this comment.
Golang bump is the least annoying and least coupled of them all, since you need to bump it once per minor version of golang, ie. once every six months.
Project-infra vs repository coupling is annoying I agree, as I've done multiple non-compatible bumps to other linters etc and it requires a lot of juggling and coordination. So far we've deemed it to happen rarely enough to use time and effort to replace it as its how the Prow testing works right now with a dozen repos structure we have in place.
We're about to pick up active development here again, let's make sure to work with the latest stuff to avoid accidentally depending on old and incompatible versions (looking at you, controller-runtime). Forces bumping the Go version to 1.22 (using 1.22.3/4 to avoid reverting the fix for https://osv.dev/vulnerability/GO-2024-2687). Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
|
@tuminoid: adding LGTM is restricted to approvers and reviewers in OWNERS files. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
It was about dependencies initially, Go is sort of forced on me :) /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dtantsur The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
metal3-io-bot
added
the
approved
We're about to pick up active development here again, let's make sure
to work with the latest stuff to avoid accidentally depending on old and
incompatible versions (looking at you, controller-runtime).
Forces bumping the Go version to 1.22 (using 1.22.2 to avoid reverting
the fix for https://osv.dev/vulnerability/GO-2024-2687).