Upgrade to go1.22 and other updates (#722)

* upgrade to go1.22 Signed-off-by: cpanato <[email protected]> * add job to build with gorelease to test the flow Signed-off-by: cpanato <[email protected]> * group dependabot updates Signed-off-by: cpanato <[email protected]> * drop job that is not useful Signed-off-by: cpanato <[email protected]> * fix lints Signed-off-by: cpanato <[email protected]> * update codeql ci Signed-off-by: cpanato <[email protected]> * bump golangci-lint to v1.58 Signed-off-by: cpanato <[email protected]> * move the build/push/sign images to after we successufuly built the binaries Signed-off-by: cpanato <[email protected]> * to release in fork for testing Signed-off-by: cpanato <[email protected]> --------- Signed-off-by: cpanato <[email protected]>
sigstore · May 14, 2024 · 0cf97a5 · 0cf97a5
1 parent 25a9bc6
commit 0cf97a5
Show file tree

Hide file tree

Showing 19 changed files with 98 additions and 55 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -19,15 +19,37 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    groups:
+      gomod:
+        update-types:
+          - "patch"
+
   - package-ecosystem: "gomod"
     directory: "./hack/tools"
     schedule:
       interval: "daily"
+    groups:
+      gomod-hack:
+        update-types:
+          - "minor"
+          - "patch"
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
+
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "daily"
+    groups:
+      docker:
+        update-types:
+          - "minor"
+          - "patch"
diff --git a/.github/workflows/auto_merge.yaml b/.github/workflows/auto_merge.yaml
diff --git a/.github/workflows/build-snapshot.yaml b/.github/workflows/build-snapshot.yaml
@@ -0,0 +1,44 @@
+name: build-snapshot
+
+on:
+  pull_request:
+
+permissions: {}
+
+jobs:
+  snapshot:
+    permissions:
+      contents: read
+
+    runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+      tag_name: ${{ steps.tag.outputs.tag_name }}
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: './go.mod'
+          check-latest: true
+
+      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+      - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+
+      - name: Set LDFLAGS
+        id: ldflags
+        run: |
+           source ./release/ldflags.sh
+           goflags=$(ldflags)
+           echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"
+
+      - name: Run GoReleaser
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        with:
+          version: latest
+          args: release --clean --skip=sign --snapshot
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LDFLAGS: ${{ env.GO_FLAGS }}
diff --git a/.github/workflows/codeql_analysis.yaml b/.github/workflows/codeql_analysis.yaml
@@ -42,6 +42,11 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
 
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      with:
+        go-version-file: './go.mod'
+        check-latest: true
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -56,11 +56,14 @@ jobs:
           set -euo pipefail
           checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
           echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
-      
+
       - name: Set tag output
         id: tag
         run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
 
+      - name: build and sign images
+        run: make sign-container-release
+
   provenance:
     needs: [release]
     permissions:

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -95,5 +95,5 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
         with:
-          version: v1.54
-          args: --timeout=5m --verbose
+          version: v1.58
+          args: --timeout=10m --verbose
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -11,13 +11,9 @@ before:
   hooks:
     - go mod tidy
     - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
-# if running a release we will generate the images in this step
-# if running in the CI the CI env va is set by github action runner and we dont run the ko steps
-# this is needed because we are generating files that goreleaser was not aware to push to GH project release
-    - /bin/bash -c 'if [ -n "$CI" ]; then make sign-container-release; fi'
 
-gomod:
-  proxy: true
+# gomod:
+#   proxy: true
 
 sboms:
   - artifacts: binary
@@ -94,5 +90,5 @@ release:
   prerelease: auto
   draft: true # allow for manual edits
   github:
-    owner: sigstore
+    owner: cpanato
     name: timestamp-authority
diff --git a/Dockerfile b/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.21.6@sha256:7b575fe0d9c2e01553b04d9de8ffea6d35ca3ab3380d2a8db2acc8f0f1519a53 AS builder
+FROM golang:1.22.2@sha256:d5302d40dc5fbbf38ec472d1848a9d2391a13f93293a6a5b0b87c99dc0eaa6ae AS builder
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
 
@@ -29,7 +29,7 @@ RUN go build -ldflags "${SERVER_LDFLAGS}" ./cmd/timestamp-server
 RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o timestamp-server_debug ./cmd/timestamp-server
 
 # Multi-Stage production build
-FROM golang:1.21.6@sha256:7b575fe0d9c2e01553b04d9de8ffea6d35ca3ab3380d2a8db2acc8f0f1519a53 as deploy
+FROM golang:1.22.2@sha256:d5302d40dc5fbbf38ec472d1848a9d2391a13f93293a6a5b0b87c99dc0eaa6ae as deploy
 
 # Retrieve the binary from the previous stage
 COPY --from=builder /opt/app-root/src/timestamp-server /usr/local/bin/timestamp-server
@@ -39,7 +39,7 @@ CMD ["timestamp-server", "serve"]
 
 # debug compile options & debugger
 FROM deploy as debug
-RUN go install github.com/go-delve/delve/cmd/dlv@v1.9.0
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.22.1
 
 # overwrite server and include debugger
 COPY --from=builder /opt/app-root/src/timestamp-server_debug /usr/local/bin/timestamp-server
diff --git a/Makefile b/Makefile
@@ -39,7 +39,7 @@ ifeq ($(DIFF), 1)
     GIT_TREESTATE = "dirty"
 endif
 
-KO_PREFIX ?= ghcr.io/sigstore
+KO_PREFIX ?= ghcr.io/cpanato
 export KO_DOCKER_REPO=$(KO_PREFIX)
 
 # Binaries

diff --git a/cmd/fetch-tsa-certs/fetch_tsa_certs.go b/cmd/fetch-tsa-certs/fetch_tsa_certs.go
@@ -85,7 +85,7 @@ func fetchCertificateChain(ctx context.Context, parent, intermediateKMSKey, leaf
 	if err != nil {
 		return nil, err
 	}
-	intermediateSigner, _, err := intermediateKMSSigner.CryptoSigner(ctx, func(err error) {})
+	intermediateSigner, _, err := intermediateKMSSigner.CryptoSigner(ctx, func(_ error) {})
 	if err != nil {
 		return nil, err
 	}
@@ -176,7 +176,7 @@ func fetchCertificateChain(ctx context.Context, parent, intermediateKMSKey, leaf
 		if err != nil {
 			return nil, err
 		}
-		leafKMSSigner, _, err = kmsSigner.CryptoSigner(ctx, func(err error) {})
+		leafKMSSigner, _, err = kmsSigner.CryptoSigner(ctx, func(_ error) {})
 		if err != nil {
 			return nil, err
 		}

diff --git a/cmd/timestamp-cli/app/format/wrap.go b/cmd/timestamp-cli/app/format/wrap.go
@@ -29,7 +29,7 @@ type CobraCmd func(cmd *cobra.Command, args []string)
 type formatCmd func(args []string) (interface{}, error)
 
 func WrapCmd(f formatCmd) CobraCmd {
-	return func(cmd *cobra.Command, args []string) {
+	return func(_ *cobra.Command, args []string) {
 		obj, err := f(args)
 		if err != nil {
 			log.CliLogger.Fatal(err)

diff --git a/cmd/timestamp-cli/app/inspect.go b/cmd/timestamp-cli/app/inspect.go
@@ -44,13 +44,13 @@ var inspectCmd = &cobra.Command{
 	Use:   "inspect",
 	Short: "Inspect timestamp",
 	Long:  "Inspect the signed timestamp response.",
-	PreRunE: func(cmd *cobra.Command, args []string) error {
+	PreRunE: func(cmd *cobra.Command, _ []string) error {
 		if err := viper.BindPFlags(cmd.Flags()); err != nil {
 			log.CliLogger.Fatal("Error initializing cmd line args: ", err)
 		}
 		return nil
 	},
-	Run: format.WrapCmd(func(args []string) (interface{}, error) {
+	Run: format.WrapCmd(func(_ []string) (interface{}, error) {
 		tsr := viper.GetString("timestamp")
 		tsrBytes, err := os.ReadFile(filepath.Clean(tsr))
 		if err != nil {

diff --git a/cmd/timestamp-cli/app/root.go b/cmd/timestamp-cli/app/root.go
@@ -32,7 +32,7 @@ var rootCmd = &cobra.Command{
 	Use:   "timestamp-cli",
 	Short: "Timestamp CLI",
 	Long:  `Timestamp command line interface tool`,
-	PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+	PersistentPreRunE: func(cmd *cobra.Command, _ []string) error {
 		return initConfig(cmd)
 	},
 }

diff --git a/cmd/timestamp-cli/app/timestamp.go b/cmd/timestamp-cli/app/timestamp.go
@@ -60,13 +60,13 @@ var timestampCmd = &cobra.Command{
 	Use:   "timestamp",
 	Short: "Signed timestamp command",
 	Long:  "Fetches a signed RFC 3161 timestamp. The timestamp response can be verified locally using a timestamp certificate chain.",
-	PreRunE: func(cmd *cobra.Command, args []string) error {
+	PreRunE: func(cmd *cobra.Command, _ []string) error {
 		if err := viper.BindPFlags(cmd.Flags()); err != nil {
 			log.CliLogger.Fatal("Error initializing cmd line args: ", err)
 		}
 		return nil
 	},
-	Run: format.WrapCmd(func(args []string) (interface{}, error) {
+	Run: format.WrapCmd(func(_ []string) (interface{}, error) {
 		return runTimestamp()
 	}),
 }

diff --git a/cmd/timestamp-cli/app/verify.go b/cmd/timestamp-cli/app/verify.go
@@ -60,13 +60,13 @@ var verifyCmd = &cobra.Command{
 	Use:   "verify",
 	Short: "Verify timestamp",
 	Long:  "Verify the timestamp response using a timestamp certificate chain.",
-	PreRunE: func(cmd *cobra.Command, args []string) error {
+	PreRunE: func(cmd *cobra.Command, _ []string) error {
 		if err := viper.BindPFlags(cmd.Flags()); err != nil {
 			log.CliLogger.Fatal("Error initializing cmd line args: ", err)
 		}
 		return nil
 	},
-	Run: format.WrapCmd(func(args []string) (interface{}, error) {
+	Run: format.WrapCmd(func(_ []string) (interface{}, error) {
 		return runVerify()
 	}),
 }

diff --git a/cmd/timestamp-server/app/serve.go b/cmd/timestamp-server/app/serve.go
@@ -33,7 +33,7 @@ var serveCmd = &cobra.Command{
 	Use:   "serve",
 	Short: "start http server with configured api",
 	Long:  `Starts a http server and serves the configured api`,
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(cmd *cobra.Command, _ []string) {
 		if err := viper.BindPFlags(cmd.Flags()); err != nil {
 			log.Logger.Fatal(err)
 		}

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/sigstore/timestamp-authority
 
-go 1.21
+go 1.22
 
 require (
 	cloud.google.com/go/security v1.16.1

diff --git a/hack/tools/go.mod b/hack/tools/go.mod
@@ -1,6 +1,6 @@
 module github.com/sigstore/timestamp-authority/hack/tools
 
-go 1.21
+go 1.22
 
 require github.com/go-swagger/go-swagger v0.30.5
 

diff --git a/pkg/signer/signer.go b/pkg/signer/signer.go
@@ -49,7 +49,7 @@ func NewCryptoSigner(ctx context.Context, hash crypto.Hash, signer, kmsKey, tink
 		if err != nil {
 			return nil, err
 		}
-		s, _, err := signer.CryptoSigner(ctx, func(err error) {})
+		s, _, err := signer.CryptoSigner(ctx, func(_ error) {})
 		return s, err
 	case TinkScheme:
 		primaryKey, err := GetPrimaryKey(ctx, tinkKmsKey, hcVaultToken)