Merge pull request #9694 from dlorenc/bumper8

Convert 7 more packages to go/bump
wolfi-dev · Dec 9, 2023 · 035177c · 035177c
2 parents 2beb63e + 12d306a
commit 035177c
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 44 deletions.
diff --git a/cert-manager-1.11.yaml b/cert-manager-1.11.yaml
@@ -2,7 +2,7 @@ package:
   name: cert-manager-1.11
   # See https://cert-manager.io/docs/installation/supported-releases/ for upstream-supported versions
   version: 1.11.5
-  epoch: 7
+  epoch: 8
   description: Automatically provision and manage TLS certificates in Kubernetes
   copyright:
     - license: Apache-2.0
@@ -29,23 +29,12 @@ pipeline:
 
   # the makefile hardcodes the requirement for some container runtime (CTR), even when we don't need it
   # to workaround, set CTR to anything $(command -v)able
-  - runs: |
-      # CVE-2023-39325 and CVE-2023-3978
-      go get golang.org/x/[email protected]
-
-      # CVE-2023-47108
-      go mod edit -replace=go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp=go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]
-      go get go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]
-      go get go.opentelemetry.io/[email protected]
-      go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected]
-      go get go.opentelemetry.io/otel/[email protected]
-
-      # GHSA-jq35-85cj-fj4p
-      go get github.com/docker/[email protected]
-      go get oras.land/[email protected]
-
-      go mod tidy
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected] go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected] go.opentelemetry.io/[email protected] go.opentelemetry.io/otel/exporters/otlp/otlptrace/[email protected] go.opentelemetry.io/otel/[email protected] github.com/docker/[email protected] oras.land/[email protected] github.com/cyphar/[email protected]
+      replaces: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp=go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]
 
+  - runs: |
       make CTR=make _bin/server/controller-linux-$(go env GOARCH)
       make CTR=make _bin/server/webhook-linux-$(go env GOARCH)
       make CTR=make _bin/server/cainjector-linux-$(go env GOARCH)

diff --git a/gatekeeper-3.14.yaml b/gatekeeper-3.14.yaml
@@ -1,7 +1,7 @@
 package:
   name: gatekeeper-3.14
   version: 3.14.0
-  epoch: 2
+  epoch: 3
   description: Gatekeeper - Policy Controller for Kubernetes
   copyright:
     - license: Apache-2.0
@@ -27,13 +27,13 @@ pipeline:
       expected-commit: 650f3de16e23534556d54a09f6d1a689f9148313
       destination: gatekeeper
 
+  - uses: go/bump
+    with:
+      deps: google.golang.org/[email protected]
+      modroot: gatekeeper
+
   - runs: |
       cd gatekeeper
-      # Mitigate GHSA-m425-mq94-257g
-      go mod edit -droprequire=google.golang.org/grpc
-      go get google.golang.org/[email protected]
-      go mod tidy
-      go mod vendor
       FRAMEWORKS_VERSION=$(go list -f '{{ .Version }}' -m github.com/open-policy-agent/frameworks/constraint)
       OPA_VERSION=$(go list -f '{{ .Version }}' -m github.com/open-policy-agent/opa)
       CGO_ENABLED=0 GO111MODULE=on go build -mod vendor -a -ldflags "-w -X github.com/open-policy-agent/gatekeeper/pkg/version.Version=v${{package.version}} -X main.frameworksVersion=${FRAMEWORKS_VERSION} -X main.opaVersion=${OPA_VERSION}" -o manager

diff --git a/keda.yaml b/keda.yaml
@@ -2,7 +2,7 @@ package:
   name: keda
   # See https://github.com/kedacore/keda/blob/main/SECURITY.md#supported-versions for upstream-supported versions
   version: 2.12.1
-  epoch: 1
+  epoch: 2
   description: KEDA is a Kubernetes-based Event Driven Autoscaling component. It provides event driven scale for any container running in Kubernetes
   copyright:
     - license: Apache-2.0
@@ -29,13 +29,11 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: dc76ca70f19c22e8f0c806f84d95256d771f3dc9
 
-  - runs: |
-      # GHSA-2c7c-3mj9-8fqh
-      go get github.com/go-jose/go-jose/[email protected]
+  - uses: go/bump
+    with:
+      deps: github.com/go-jose/go-jose/[email protected]
 
-      go mod tidy
-      go mod vendor
-      go clean -cache -modcache
+  - runs: |
       ARCH=$(go env GOARCH) make build
       mkdir -p "${{targets.destdir}}/usr/bin"
       mv bin/keda "${{targets.destdir}}/usr/bin"

diff --git a/metacontroller.yaml b/metacontroller.yaml
@@ -1,7 +1,7 @@
 package:
   name: metacontroller
   version: 4.11.7
-  epoch: 1
+  epoch: 2
   description: Writing kubernetes controllers can be simple
   copyright:
     - license: Apache-2.0
@@ -24,11 +24,14 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: a8eddf2059e7c70cb9e970d4f4614f619c4840d7
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected]
+
   - runs: |
       export PATH=$(go env GOPATH)/bin:$PATH
       # fix CVE-2023-39325 and CVE-2023-3978.
       go mod edit -dropreplace=golang.org/x/net
-      go get golang.org/x/[email protected]
       go mod tidy
       make build
       mkdir -p ${{targets.destdir}}/usr/bin

diff --git a/nodetaint.yaml b/nodetaint.yaml
@@ -1,7 +1,7 @@
 package:
   name: nodetaint
   version: 0.0.4
-  epoch: 9
+  epoch: 10
   description: Controller to manage taints for nodes in a k8s cluster.
   copyright:
     - license: Apache-2.0
@@ -21,15 +21,14 @@ pipeline:
       tag: v${{package.version}}
       expected-commit: 9f648717bd31a782696335450ee05a5ed79cd870
 
+  - uses: go/bump
+    with:
+      deps: golang.org/x/[email protected] k8s.io/[email protected] k8s.io/[email protected] k8s.io/[email protected] k8s.io/[email protected]
+
   - runs: |
       # Mitigate CVE-2023-39325, CVE-2023-3978, CVE-2023-44487
-      go get golang.org/x/[email protected]
 
       # CVE-2021-25736, CVE-2023-3676, CVE-2023-3955, GHSA-8cfg-vx93-jvxw
-      go get k8s.io/[email protected]
-      go get k8s.io/[email protected]
-      go get k8s.io/[email protected]
-      go get k8s.io/[email protected]
       go mod edit -replace=k8s.io/api=k8s.io/[email protected]
       go mod edit -replace=k8s.io/apiextensions-apiserver=k8s.io/[email protected]
       go mod edit -replace=k8s.io/apimachinery=k8s.io/[email protected]

diff --git a/pipelines/go/bump.yaml b/pipelines/go/bump.yaml
@@ -17,14 +17,16 @@ inputs:
   go-version:
     description: "The go version to set the go.mod syntax to"
     default: 1.20
+  replaces:
+    description: "The replaces to add to the go.mod file"
 
 pipeline:
   - runs: |
       # We have to run go mod tidy before and after in some cases (if old versions of go are used, we need to update the go.mod format)
       cd "${{inputs.modroot}}"
       go mod tidy -go=${{inputs.go-version}}
 
-      gobump -packages "${{inputs.deps}}"
+      gobump -packages "${{inputs.deps}}" -replaces "${{inputs.replaces}}"
 
       go mod tidy -go=${{inputs.go-version}}
       if [ -d "./vendor" ]; then

diff --git a/thanos-operator.yaml b/thanos-operator.yaml
@@ -1,7 +1,7 @@
 package:
   name: thanos-operator
   version: 0.3.7
-  epoch: 9
+  epoch: 10
   description: Kubernetes operator for deploying Thanos
   copyright:
     - license: Apache-2.0
@@ -20,15 +20,15 @@ pipeline:
       tag: ${{package.version}}
       expected-commit: 7b87b4f89dee6454ae46e9579b9a98d6d7a5e550
 
+  - uses: go/bump
+    with:
+      deps: github.com/prometheus/[email protected] golang.org/x/[email protected] gopkg.in/[email protected] golang.org/x/[email protected]
+
   - runs: |
       # Address  CVE-2022-21698  GHSA-69ch-w2m2-3vjp  GHSA-69cg-p879-7622
-      go get github.com/prometheus/[email protected]
-      go get golang.org/x/[email protected]
 
       # Mitigate CVE-2022-28948
-      go get gopkg.in/[email protected]
       # Mitigate CVE-2023-39325 and CVE-2023-3978
-      go get golang.org/x/[email protected]
 
       go mod tidy