diff --git a/.circleci/config.yml b/.circleci/config.yml
index f329e4a9..451790b3 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -9,7 +9,7 @@ parameters:
 # override it in any parameterized builds, but just as a convenient shareable constant
 go-release-version:
 type: string
- default: "1.19.2"
+ default: "1.19.4"
 # We use a remote Docker host in some CI jobs that need to run Docker containers.
 # As of 2022-04-15, the default Docker daemon version was 17.09.0-ce, which started
diff --git a/.ldrelease/config.yml b/.ldrelease/config.yml
index 15386979..45657238 100644
--- a/.ldrelease/config.yml
+++ b/.ldrelease/config.yml
@@ -38,7 +38,7 @@ repo:
 jobs:
 - docker:
- image: cimg/go:1.19.2 # See "Runtime platform versions" in CONTRIBUTING.md
+ image: cimg/go:1.19.4 # See "Runtime platform versions" in CONTRIBUTING.md
 copyGitHistory: true
 template:
 name: go
diff --git a/Dockerfile b/Dockerfile
index 16b197e7..8f4149d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # This is a standalone Dockerfile that does not depend on goreleaser building the binary
 # It is NOT the version that is pushed to dockerhub
-FROM golang:1.19.2-alpine3.16 as builder
+FROM golang:1.19.4-alpine3.16 as builder
 # See "Runtime platform versions" in CONTRIBUTING.md
 RUN apk --no-cache add \
@@ -21,7 +21,7 @@ ENV GOPATH=/go
 RUN go build -a -o ldr .
-FROM alpine:3.16.2
+FROM alpine:3.16.3
 RUN addgroup -g 1000 -S ldr-user && \
 adduser -u 1000 -S ldr-user -G ldr-user && \
diff --git a/Dockerfile.goreleaser b/Dockerfile.goreleaser
index bd811452..fa6b5f0d 100644
--- a/Dockerfile.goreleaser
+++ b/Dockerfile.goreleaser
@@ -2,7 +2,7 @@
 # See .ldrelease/config.yml for an explanation of the build/release process.
-FROM alpine:3.16.2
+FROM alpine:3.16.3
 # See "Runtime platform versions" in CONTRIBUTING.md
 RUN apk add --no-cache \
diff --git a/Makefile b/Makefile
index ef13230b..4b16cc75 100644
--- a/Makefile
+++ b/Makefile
@@ -70,10 +70,10 @@ RELEASE_CMD=curl -sL https://git.io/goreleaser | GOPATH=$(mktemp -d) VERSION=$(G
 # because during a release, we may need to run this command under another account and we
 # don't want to mess up file permissions in the regular GOPATH.
 publish:
- $(RELEASE_CMD)
+ ./scripts/run-goreleaser.sh $(GORELEASER_VERSION)
 products-for-release:
- $(RELEASE_CMD) --skip-publish --skip-validate
+ ./scripts/run-goreleaser.sh $(GORELEASER_VERSION) --skip-publish --skip-validate
 DOCKER_COMPOSE_TEST=docker-compose -f docker-compose.test.yml
diff --git a/scripts/run-goreleaser.sh b/scripts/run-goreleaser.sh
new file mode 100755
index 00000000..26b287e8
--- /dev/null
+++ b/scripts/run-goreleaser.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# run-goreleaser.sh ...
+#
+# Builds the Docker image and all other executables that we intend to publish.
+# This also pushes the image to DockerHub unless we have specifically told it not to with
+# the --skip-publish option.
+
+GORELEASER_VERSION=$1
+if [[ -z "${GORELEASER_VERSION}" ]]; then
+ echo "Must set GORELEASER_VERSION before calling this script"
+ exit 1
+fi
+shift
+
+# Get the lines added to the most recent changelog update (minus the first 2 lines)
+RELEASE_NOTES=`(GIT_EXTERNAL_DIFF='bash -c "diff --unchanged-line-format=\"\" $2 $5" || true' git log --ext-diff -1 --pretty= -p CHANGELOG.md)`
+
+# Temporarily add a package override to go.mod to fix CVE-2022-41717. In our 6.x releases, we can't just
+# have this override in go.mod all the time because it isn't compatible with Go 1.16. But we never use
+# Go 1.16 to build our published executables and we do want the fix in those.
+cp go.mod go.mod.bak
+cp go.sum go.sum.bak
+trap "mv go.mod.bak go.mod; mv go.sum.bak go.sum" EXIT
+go get golang.org/x/net@v0.4.0
+go mod tidy
+
+curl -sL https://git.io/goreleaser | GOPATH=`mktemp -d` VERSION=${GORELEASER_VERSION} bash -s -- \
+ --rm-dist --release-notes <(echo "${RELEASE_NOTES}") $@
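Review bot: `RELEASE_CMD`, whose definition shows in the Makefile hunk header, is no longer referenced by `publish` or `products-for-release` after this change; if no other target uses it, delete the variable so the Makefile does not keep a second, drifting copy of the `curl … | bash` invocation. The two comment lines above `publish:` still speak of "this command" and the GOPATH handling, which now lives in `scripts/run-goreleaser.sh`, so they should point there, e.g. `# See scripts/run-goreleaser.sh for why goreleaser runs with a temporary GOPATH.` The rest of the Makefile lies outside the hunk, so other uses of `RELEASE_CMD` cannot be ruled out from here.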
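Review bot: A failed `go get golang.org/x/net@v0.4.0` or `go mod tidy` does not stop the script, so goreleaser would still build and publish binaries without the CVE-2022-41717 override that the comment above those lines says the published executables must carry; put `set -eo pipefail` directly under the shebang so the release aborts instead. The last command executes whatever `https://git.io/goreleaser` redirects to at release time, in a job that by the header comment pushes to DockerHub; `VERSION` presumably selects the goreleaser release the installer fetches, but the installer script itself is neither pinned nor checksum-verified, so download it from a fixed URL to a file, compare its digest with a value kept in the repo, and only then run it. Until that is done, `curl -fsSL` at least prevents an HTTP error body from being piped into `bash`. `$@` on the final line should be quoted as `"$@"` so arguments containing spaces are passed through intact.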