From 10d05d8f7277a0e8673204d76b8ea007b3ec4c46 Mon Sep 17 00:00:00 2001
From: lootek
Date: Mon, 27 Mar 2023 14:46:21 +0200
Subject: [PATCH 1/7] govulncheck as a separate job/workflow/step - let's see which would be the best
---
 .github/workflows/build-and-test.yml | 20 +++++++++++++++++++
 .github/workflows/govulncheck.yml | 29 ++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 .github/workflows/govulncheck.yml
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index f642ec837f9c..fdfa0f92a7c3 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -130,6 +130,22 @@ jobs:
 echo "One or more matrix jobs failed."
 false
 fi
+ govulncheck:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Install Go
+ uses: actions/setup-go@v3
+ with:
+ cache: true
+ check-latest: true
+ go-version: ${{ env.GO_VERSION }}
+ - name: Install `govulncheck`
+ run: go install golang.org/x/vuln/cmd/govulncheck@latest
+ - name: Run `govulncheck`
+ run: govulncheck ./...
 checks:
 runs-on: ubuntu-latest
 needs: [setup-environment]
@@ -173,6 +189,10 @@ jobs:
 run: |
 make gotidy
 git diff --exit-code || (echo 'go.mod/go.sum deps changes detected, please run "make gotidy" and commit the changes in this PR.' && exit 1)
+ - name: Check for go vulnerabilities
+ run: |
+ make govulncheck
+ git diff --exit-code || (echo 'Some vulnerable dependencies are in use, this most likely means you need to updated stuff in go.mod/go.sum and/or bump the Go compiler version itself.' && exit 1)
 - name: Gen genotelcontribcol
 run: |
 make genotelcontribcol
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
new file mode 100644
index 000000000000..c52433d25f2a
--- /dev/null
+++ b/.github/workflows/govulncheck.yml
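Review bot: The "Install govulncheck" step added in the first hunk fetches the scanner with `go install golang.org/x/vuln/cmd/govulncheck@latest`, so the binary that gates the build changes silently between runs and is not recorded in any go.sum; pin a tagged release (`@vX.Y.Z`) or install it through the repository's tools module so the version is reviewed like any other dependency. Second, `govulncheck ./...` run from the repository root only scans packages of the root module; if this is a multi-module layout (the `genotelcontribcol` target in the second hunk suggests the collector-contrib repository), the per-component modules are not scanned at all and the step needs to iterate modules, e.g. via a Makefile target. The new job also declares no `permissions:` block, so its token gets the repository default scope for work that only needs `permissions: { contents: read }`. The enclosing `jobs:` map continues outside both hunks.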
@@ -0,0 +1,29 @@
+name: govulncheck
+on:
+ push:
+ branches: [ main ]
+ tags:
+ - 'v[0-9]+.[0-9]+.[0-9]+*'
+ pull_request:
+
+jobs:
+ govulncheck:
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Install Go
+ uses: actions/setup-go@v3
+ with:
+ cache: true
+ check-latest: true
+ go-version: ${{ env.GO_VERSION }}
+
+ - name: Install `govulncheck`
+ run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+ - name: Run `govulncheck`
+ run: govulncheck ./...
From 6b1e4f423679f651f1d93ba85cfffab5d9c1861d Mon Sep 17 00:00:00 2001
From: lootek
Date: Mon, 27 Mar 2023 16:03:08 +0200
Subject: [PATCH 2/7] align go version
---
 .github/workflows/build-and-test.yml | 2 +-
 .github/workflows/govulncheck.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index fdfa0f92a7c3..e9d270abe89d 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -141,7 +141,7 @@ jobs:
 with:
 cache: true
 check-latest: true
- go-version: ${{ env.GO_VERSION }}
+ go-version: ~1.19.7
 - name: Install `govulncheck`
 run: go install golang.org/x/vuln/cmd/govulncheck@latest
 - name: Run `govulncheck`
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index c52433d25f2a..8188e4562298 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -20,7 +20,7 @@ jobs:
 with:
 cache: true
 check-latest: true
- go-version: ${{ env.GO_VERSION }}
+ go-version: ~1.19.7
 
 - name: Install `govulncheck`
 run: go install golang.org/x/vuln/cmd/govulncheck@latest
From c23cf583565e60ba25d9e28074de41a6643fd445 Mon Sep 17 00:00:00 2001
From: lootek
Date: Mon, 27 Mar 2023 16:11:33 +0200
Subject: [PATCH 3/7] try fixing govulncheck workflow
---
 .github/workflows/govulncheck.yml | 33 ++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 12 deletions(-)
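Review bot: The new standalone workflow is triggered only by `push`, tag pushes and `pull_request`, so an advisory published against a dependency that is already on `main` is not reported until someone happens to open a PR; a `schedule:` trigger such as `schedule: [{ cron: '0 6 * * *' }]` is what turns govulncheck from a PR gate into a monitoring control, and is the main reason to keep a separate workflow at all. The file also sets no `permissions:` block, so the job token receives the repository default scope for a job that only needs `permissions: { contents: read }`. `go-version: ${{ env.GO_VERSION }}` refers to an `env` that this file never defines, so unless a workflow-level `env:` is added the expression is empty and `setup-go` falls back to whatever the runner has. The later hunks on this line are version alignments and raise no separate point.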
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index 8188e4562298..7d462b922af0 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -12,18 +12,27 @@ jobs:
 timeout-minutes: 5
 
 steps:
- - name: Checkout
+ - name: Collect Workflow Telemetry
+ if: always()
+ uses: runforesight/foresight-workflow-kit-action@v1
+ with:
+ api_key: ${{ secrets.FORESIGHT_API_KEY }}
+ - name: Checkout Repo
 uses: actions/checkout@v3
-
- - name: Install Go
+ - name: Setup Go
 uses: actions/setup-go@v3
 with:
- cache: true
- check-latest: true
- go-version: ~1.19.7
-
- - name: Install `govulncheck`
- run: go install golang.org/x/vuln/cmd/govulncheck@latest
-
- - name: Run `govulncheck`
- run: govulncheck ./...
+ go-version: 1.19
+ - name: Cache Go
+ id: go-cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ ~/go/bin
+ ~/go/pkg/mod
+ key: go-cache-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
+ - name: Install Tools
+ if: steps.go-cache.outputs.cache-hit != 'true'
+ run: make install-tools
+ - name: Run govulncheck
+ run: make govulncheck
From f2a369834015e06d580b4f794b70c84dd358f333 Mon Sep 17 00:00:00 2001
From: lootek
Date: Wed, 29 Mar 2023 10:04:33 +0200
Subject: [PATCH 4/7] Choose option 1
---
 .github/workflows/build-and-test.yml | 27 ++++++++++++--------
 .github/workflows/govulncheck.yml | 38 ----------------------------
 2 files changed, 16 insertions(+), 49 deletions(-)
 delete mode 100644 .github/workflows/govulncheck.yml
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index e9d270abe89d..c0b48788f080 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
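Review bot: The added "Collect Workflow Telemetry" step reads `secrets.FORESIGHT_API_KEY`, but this workflow is triggered by `pull_request`, where GitHub does not pass repository secrets to runs from forks; the key is therefore empty for exactly the runs this gate is meant to cover, and `if: always()` does not change that. If the step is kept, guard it with `if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}` (or leave telemetry to the main pipeline) and pin `runforesight/foresight-workflow-kit-action` to a commit SHA rather than the mutable `@v1` tag, since it receives a secret and runs before checkout; whether the repository's other workflows already use this step is not visible here. Separately, `go-version: 1.19` is a bare YAML float where `build-and-test.yml` in 2/7 uses `~1.19.7`; quote it as `go-version: "1.19"` and align the two so both jobs scan with the same toolchain.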
@@ -134,18 +134,27 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
- - name: Checkout
+ - name: Checkout Repo
 uses: actions/checkout@v3
- - name: Install Go
+ - name: Setup Go
 uses: actions/setup-go@v3
 with:
- cache: true
- check-latest: true
 go-version: ~1.19.7
- - name: Install `govulncheck`
- run: go install golang.org/x/vuln/cmd/govulncheck@latest
+ - name: Cache Go
+ id: go-cache
+ uses: actions/cache@v3
+ with:
+ path: |
+ ~/go/bin
+ ~/go/pkg/mod
+ key: go-cache-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
+ - name: Install Tools
+ if: steps.go-cache.outputs.cache-hit != 'true'
+ run: make install-tools
 - name: Run `govulncheck`
- run: govulncheck ./...
+ run: |
+ make govulncheck
+ git diff --exit-code || (echo 'Some vulnerable dependencies are in use, this most likely means you need to updated stuff in go.mod/go.sum and/or bump the Go compiler version itself.' && exit 1)
 checks:
 runs-on: ubuntu-latest
 needs: [setup-environment]
@@ -189,10 +198,6 @@ jobs:
 run: |
 make gotidy
 git diff --exit-code || (echo 'go.mod/go.sum deps changes detected, please run "make gotidy" and commit the changes in this PR.' && exit 1)
- - name: Check for go vulnerabilities
- run: |
- make govulncheck
- git diff --exit-code || (echo 'Some vulnerable dependencies are in use, this most likely means you need to updated stuff in go.mod/go.sum and/or bump the Go compiler version itself.' && exit 1)
 - name: Gen genotelcontribcol
 run: |
 make genotelcontribcol
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
deleted file mode 100644
index 7d462b922af0..000000000000
--- a/.github/workflows/govulncheck.yml
+++ /dev/null
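Review bot: In the rewritten "Run govulncheck" step of the first hunk, the `git diff --exit-code || (echo '...' && exit 1)` line cannot fire: govulncheck only reads the module graph, so unless the `make govulncheck` target itself rewrites go.mod/go.sum (not shown here) the tree is unchanged, and when the scanner does report a finding the step has already failed on `make govulncheck` under the default `bash -e` shell, so the hint is never printed; `run: make govulncheck` alone (as 6/7 later does) is the honest form, with the remediation hint moved into the Makefile target's output. Dropping `check-latest: true` from `setup-go` while keeping `~1.19.7` means the job uses whichever 1.19.x the runner image has cached, which matters because the scan also reports vulnerabilities in the toolchain's standard library (the removed message's "bump the Go compiler version itself" alludes to this); consider keeping `check-latest: true` on this job. The job still declares no `permissions:`; `permissions: { contents: read }` suffices. The `jobs:` map continues outside the hunk.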
@@ -1,38 +0,0 @@
-name: govulncheck
-on:
- push:
- branches: [ main ]
- tags:
- - 'v[0-9]+.[0-9]+.[0-9]+*'
- pull_request:
-
-jobs:
- govulncheck:
- runs-on: ubuntu-latest
- timeout-minutes: 5
-
- steps:
- - name: Collect Workflow Telemetry
- if: always()
- uses: runforesight/foresight-workflow-kit-action@v1
- with:
- api_key: ${{ secrets.FORESIGHT_API_KEY }}
- - name: Checkout Repo
- uses: actions/checkout@v3
- - name: Setup Go
- uses: actions/setup-go@v3
- with:
- go-version: 1.19
- - name: Cache Go
- id: go-cache
- uses: actions/cache@v3
- with:
- path: |
- ~/go/bin
- ~/go/pkg/mod
- key: go-cache-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
- - name: Install Tools
- if: steps.go-cache.outputs.cache-hit != 'true'
- run: make install-tools
- - name: Run govulncheck
- run: make govulncheck
From c5fe82150eabc6d7774d5bb04d4d7b36c154968a Mon Sep 17 00:00:00 2001
From: lootek
Date: Wed, 29 Mar 2023 12:02:48 +0200
Subject: [PATCH 5/7] empty commit to re-trigger build pipelines
From 5485ccd4b1dc28fe87dc70b2fd7b004f26123b08 Mon Sep 17 00:00:00 2001
From: lootek
Date: Tue, 11 Apr 2023 17:09:27 +0200
Subject: [PATCH 6/7] [CR] Cleanup
---
 .github/workflows/build-and-test.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index c0b48788f080..2d3e6611e2cd 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -152,9 +152,7 @@ jobs:
 if: steps.go-cache.outputs.cache-hit != 'true'
 run: make install-tools
 - name: Run `govulncheck`
- run: |
- make govulncheck
- git diff --exit-code || (echo 'Some vulnerable dependencies are in use, this most likely means you need to updated stuff in go.mod/go.sum and/or bump the Go compiler version itself.' && exit 1)
+ run: make govulncheck
 checks:
 runs-on: ubuntu-latest
 needs: [setup-environment]
From 6bf2fe65b368d51c58f27f8edc42f86117c766b4 Mon Sep 17 00:00:00 2001
From: lootek
Date: Tue, 11 Apr 2023 17:09:53 +0200
Subject: [PATCH 7/7] Bump Go SDK a patch version up to 1.19.8 (CVE fixes)
---
 .github/workflows/build-and-test-windows.yml | 2 +-
 .github/workflows/build-and-test.yml | 2 +-
 .github/workflows/changelog.yml | 2 +-
 .github/workflows/codeql-analysis.yml | 2 +-
 .github/workflows/create-dependabot-pr.yml | 2 +-
 .github/workflows/prepare-release.yml | 2 +-
 .github/workflows/prometheus-compliance-tests.yml | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/build-and-test-windows.yml b/.github/workflows/build-and-test-windows.yml
index 996ba335bdcc..58c87e9f960b 100644
--- a/.github/workflows/build-and-test-windows.yml
+++ b/.github/workflows/build-and-test-windows.yml
@@ -52,7 +52,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v3
 with:
- go-version: ~1.19.7
+ go-version: ~1.19.8
 - name: Cache Go
 id: go-mod-cache
 uses: actions/cache@v3
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 2d3e6611e2cd..d064aab0f585 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -139,7 +139,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v3
 with:
- go-version: ~1.19.7
+ go-version: ~1.19.8
 - name: Cache Go
 id: go-cache
 uses: actions/cache@v3
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 1fab9a502ff9..81a9871c79f8 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v3
 with:
- go-version: ~1.19.7
+ go-version: ~1.19.8
 - name: Cache Go
 id: go-cache
 uses: actions/cache@v3
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c43b8c88f531..716beb259359 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,7 +26,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v3
 with:
- go-version: ~1.19.7
+ go-version: ~1.19.8
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/create-dependabot-pr.yml b/.github/workflows/create-dependabot-pr.yml
index a6e6f1e25d41..5ee8e9042607 100644
--- a/.github/workflows/create-dependabot-pr.yml
+++ b/.github/workflows/create-dependabot-pr.yml
@@ -11,7 +11,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v3
 with:
- go-version: ~1.19.7
+ go-version: ~1.19.8
 - name: Run dependabot-pr.sh
 run: ./.github/workflows/scripts/dependabot-pr.sh
 env:
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index 8db877c7d6ff..d9c0a181eab6 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -27,7 +27,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v3
 with:
- go-version: ~1.19.7
+ go-version: ~1.19.8
 - name: Prepare release for contrib
 working-directory: opentelemetry-collector-contrib
 env:
diff --git a/.github/workflows/prometheus-compliance-tests.yml b/.github/workflows/prometheus-compliance-tests.yml
index 598ca47d7099..09709d78e294 100644
--- a/.github/workflows/prometheus-compliance-tests.yml
+++ b/.github/workflows/prometheus-compliance-tests.yml
@@ -32,7 +32,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v3
 with:
- go-version: ~1.19.7
+ go-version: ~1.19.8
 - name: Cache Go
 id: go-cache
 uses: actions/cache@v3