Backport of security: Upgrade Go to 1.22.7 into release/1.1.x (#4317) #2627
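# Copyright (c) HashiCorp, Inc.

# Build pipeline: resolves the Go and product versions, cross-compiles the
# cli, control-plane and consul-cni binaries, packages and smoke-tests the
# linux/amd64 cli as rpm/deb, and builds the control-plane container images.
#
# NOTE(review): this file declares no `permissions:` key, so the GITHUB_TOKEN
# scopes come from the repository/organization default. Consider declaring
# least privilege (for example `contents: read`) after confirming what the
# reusable workflows and the hashicorp/* actions used below require.
name: build

on:
  workflow_dispatch:
  push:
    # Sequence of patterns matched against refs/heads
    branches:
      # Push events on main branch
      - main
      # Push events to branches matching refs/heads/release/**
      - "release/**"

env:
  PKG_NAME: "consul-k8s"

jobs:
  conditional-skip:
    uses: ./.github/workflows/reusable-conditional-skip.yml

  # The Go toolchain version is resolved once here and consumed by both
  # actions/setup-go (via matrix.go) and the Docker GOLANG_VERSION build arg,
  # so a Go security upgrade is picked up by every build job. How the reusable
  # workflow derives the version is not shown in this file.
  get-go-version:
    # Cascades down to test jobs
    needs: [ conditional-skip ]
    if: needs.conditional-skip.outputs.skip-ci != 'true'
    uses: ./.github/workflows/reusable-get-go-version.yml

  get-product-version:
    # Cascades down to test jobs
    needs: [ conditional-skip ]
    if: needs.conditional-skip.outputs.skip-ci != 'true'
    runs-on: ubuntu-latest
    outputs:
      product-version: ${{ steps.get-product-version.outputs.product-version }}
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      - name: get product version
        id: get-product-version
        # The first call prints the version to the job log; the second records
        # it as the step output. That output is later expanded into artifact
        # names, linker flags and image tags, so it is expected to be a plain
        # version string (the Makefile target is not shown here).
        run: |
          make version
          echo "product-version=$(make version)" >> "$GITHUB_OUTPUT"

  generate-metadata-file:
    needs: get-product-version
    runs-on: ubuntu-latest
    outputs:
      filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
    steps:
      - name: "Checkout directory"
        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      - name: Generate metadata file
        id: generate-metadata-file
        # NOTE(review): referenced by the mutable tag `v1`, while the actions/*
        # and addnab/* steps in this file are pinned to a commit SHA. Pinning
        # this one the same way would make the release inputs immutable.
        uses: hashicorp/actions-generate-metadata@v1
        with:
          version: ${{ needs.get-product-version.outputs.product-version }}
          product: ${{ env.PKG_NAME }}
          repositoryOwner: "hashicorp"
      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: metadata.json
          path: ${{ steps.generate-metadata-file.outputs.filepath }}

  build:
    needs: [get-go-version, get-product-version]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          # cli
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "386", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s.exe" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s.exe" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "amd64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "arm64", component: "cli", pkg_name: "consul-k8s", "bin_name": "consul-k8s" }
          # control-plane
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "386", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "386", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane" }
          # solaris is only built for the control plane
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "solaris", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "386", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane.exe" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane.exe" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "amd64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "arm64", component: "control-plane", pkg_name: "consul-k8s-control-plane", "bin_name": "consul-k8s-control-plane" }
          # consul-cni
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "386", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "freebsd", goarch: "amd64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "386", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "amd64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "linux", goarch: "arm64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "solaris", goarch: "amd64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "386", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni.exe" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "windows", goarch: "amd64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni.exe" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "amd64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
          - {go: "${{ needs.get-go-version.outputs.go-version }}", goos: "darwin", goarch: "arm64", component: "control-plane/cni", pkg_name: "consul-cni", "bin_name": "consul-cni" }
      fail-fast: true

    name: Go ${{ matrix.go }} ${{ matrix.goos }} ${{ matrix.goarch }} ${{ matrix.component }} build

    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      - name: Setup go
        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
        with:
          go-version: ${{ matrix.go }}
      - name: Build
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
          CGO_ENABLED: "0"
          # Expression values reach the script as environment variables rather
          # than being expanded into the script text, the same way LICENSE_DIR
          # and ZIP_LOCATION are handled in other steps of this file. The shell
          # then treats them as data, not as script source.
          BIN_NAME: ${{ matrix.bin_name }}
          ARTIFACT_PKG_NAME: ${{ matrix.pkg_name }}
          PRODUCT_VERSION: ${{ needs.get-product-version.outputs.product-version }}
        working-directory: ${{ matrix.component }}
        # Keep the `export VAR=$(...)` form for GIT_DIRTY: the shell sees the
        # exit status of `export`, so a clean tree (where `test -n` fails) does
        # not abort the step when the shell runs with errexit.
        run: |
          mkdir -p dist out
          cp "$GITHUB_WORKSPACE/LICENSE" dist/LICENSE.txt
          export GIT_COMMIT=$(git rev-parse --short HEAD)
          export GIT_DIRTY=$(test -n "$(git status --porcelain)" && echo "+CHANGES")
          export GIT_IMPORT=github.com/hashicorp/consul-k8s/version
          export GOLDFLAGS="-X ${GIT_IMPORT}.GitCommit=${GIT_COMMIT}${GIT_DIRTY} -X ${GIT_IMPORT}.GitDescribe=${PRODUCT_VERSION}"
          CGO_ENABLED=0 go build -o "dist/${BIN_NAME}" -ldflags "${GOLDFLAGS}" .
          zip -r -j "out/${ARTIFACT_PKG_NAME}_${PRODUCT_VERSION}_${GOOS}_${GOARCH}.zip" dist/
      - name: Upload built binaries
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: ${{ matrix.pkg_name }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
          path: ${{ matrix.component}}/out/${{ matrix.pkg_name }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
      - name: Copy license file
        env:
          LICENSE_DIR: ".release/linux/package/usr/share/doc/${{ env.PKG_NAME }}"
        run: |
          mkdir -p "$LICENSE_DIR"
          cp "$GITHUB_WORKSPACE/LICENSE" "$LICENSE_DIR/LICENSE.txt"
      # The remaining steps run only for the linux/amd64 cli matrix entry.
      - name: Package rpm and deb files
        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
        # NOTE(review): mutable tag `v1`; see the pinning note on
        # hashicorp/actions-generate-metadata above in this file.
        uses: hashicorp/actions-packaging-linux@v1
        with:
          name: consul-k8s
          description: "consul-k8s provides a cli interface to first-class integrations between Consul and Kubernetes."
          arch: ${{ matrix.goarch }}
          version: ${{ needs.get-product-version.outputs.product-version }}
          maintainer: "HashiCorp"
          homepage: "https://github.com/hashicorp/consul-k8s"
          license: "MPL-2.0"
          binary: "${{ matrix.component }}/dist/${{ matrix.pkg_name }}"
          deb_depends: "openssl"
          rpm_depends: "openssl"
          config_dir: ".release/linux/package/"
      - name: Set package names
        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
        run: |
          echo "RPM_PACKAGE=$(basename out/*.rpm)" >> "$GITHUB_ENV"
          echo "DEB_PACKAGE=$(basename out/*.deb)" >> "$GITHUB_ENV"
      - name: Test rpm package
        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
        uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
        with:
          # NOTE(review): `:latest` is a mutable tag, so the image this package
          # test runs in can change between builds; pin a digest if the test
          # environment needs to be reproducible.
          image: registry.access.redhat.com/ubi9/ubi:latest
          options: -v ${{ github.workspace }}:/work
          # `run` is an input to the action, not a runner shell step; the
          # expressions below are expanded into the script text before the
          # action receives it.
          run: |
            dnf install -qy openssl
            cd /work
            rpm -ivh out/${{ env.RPM_PACKAGE }}
            CONSUL_K8S_VERSION="$(consul-k8s version | awk '{print $2}')"
            VERSION="v${{ needs.get-product-version.outputs.product-version }}"
            if [ "${VERSION}" != "${CONSUL_K8S_VERSION}" ]; then
              echo "Test FAILED, expected: ${VERSION}, got: ${CONSUL_K8S_VERSION}"
              exit 1
            fi
            echo "Test PASSED, expected: ${VERSION}, got: ${CONSUL_K8S_VERSION}"
      - name: Upload rpm package
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
        with:
          name: ${{ env.RPM_PACKAGE }}
          path: out/${{ env.RPM_PACKAGE }}
      - name: Test debian package
        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
        uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
        with:
          # NOTE(review): `:latest` is a mutable tag; same reproducibility
          # caveat as the rpm test image.
          image: ubuntu:latest
          options: -v ${{ github.workspace }}:/work
          run: |
            apt update && apt install -y openssl
            cd /work
            apt install ./out/${{ env.DEB_PACKAGE }}
            CONSUL_K8S_VERSION="$(consul-k8s version | awk '{print $2}')"
            VERSION="v${{ needs.get-product-version.outputs.product-version }}"
            if [ "${VERSION}" != "${CONSUL_K8S_VERSION}" ]; then
              echo "Test FAILED, expected: ${VERSION}, got: ${CONSUL_K8S_VERSION}"
              exit 1
            fi
            echo "Test PASSED, expected: ${VERSION}, got: ${CONSUL_K8S_VERSION}"
      - name: Upload debian packages
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        if: ${{ matrix.goos == 'linux' && matrix.component == 'cli' && matrix.goarch == 'amd64'}}
        with:
          name: ${{ env.DEB_PACKAGE }}
          path: out/${{ env.DEB_PACKAGE }}

  build-docker:
    name: Docker ${{ matrix.arch }} default release build
    needs: [get-product-version, get-go-version, build]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: ["arm", "arm64", "386", "amd64"]
    env:
      repo: ${{ github.event.repository.name }}
      version: ${{ needs.get-product-version.outputs.product-version }}
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: consul-cni_${{ needs.get-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip
          path: control-plane/dist/cni/linux/${{ matrix.arch }}
      - name: extract consul-cni zip
        env:
          ZIP_LOCATION: control-plane/dist/cni/linux/${{ matrix.arch }}
        run: |
          cd "${ZIP_LOCATION}"
          unzip -j *.zip
      # This naming convention will be used ONLY for per-commit dev images
      - name: Set docker dev tag
        # `version` is already exported to the step by the job-level `env`, so
        # the script reads the shell variable instead of having the expression
        # expanded into the script text. minor_dev_tag drops the patch number
        # and keeps any "-suffix" (see the sed pattern).
        run: |
          minor_dev_tag="$(echo "${version}" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')"
          echo "full_dev_tag=${version}"
          echo "full_dev_tag=${version}" >> "$GITHUB_ENV"
          echo "minor_dev_tag=${minor_dev_tag}"
          echo "minor_dev_tag=${minor_dev_tag}" >> "$GITHUB_ENV"
      - name: Docker Build (Action)
        # NOTE(review): mutable tag `v2`. This action receives the release
        # image tags below, so pinning it to a commit SHA (as the actions/*
        # steps are) is worth considering.
        uses: hashicorp/actions-docker-build@v2
        with:
          smoke_test: |
            TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version | awk '{print $2}')"
            if [ "${TEST_VERSION}" != "v${version}" ]; then
              echo "Test FAILED"
              exit 1
            fi
            echo "Test PASSED"
          version: ${{ env.version }}
          target: release-default
          arch: ${{ matrix.arch }}
          pkg_name: consul-k8s-control-plane_${{ env.version }}
          bin_name: consul-k8s-control-plane
          workdir: control-plane
          tags: |
            docker.io/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}
            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}
          dev_tags: |
            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}
            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-${{ github.sha }}
            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}
            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-${{ github.sha }}
          extra_build_args: |
            GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}

  build-docker-ubi:
    name: Docker ${{ matrix.arch }} UBI builds
    needs: [get-product-version, get-go-version, build]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: [ "amd64" ]
    env:
      repo: ${{ github.event.repository.name }}
      version: ${{ needs.get-product-version.outputs.product-version }}
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
        with:
          name: consul-cni_${{ needs.get-product-version.outputs.product-version }}_linux_${{ matrix.arch }}.zip
          path: control-plane/dist/cni/linux/${{ matrix.arch }}
      - name: extract consul-cni zip
        env:
          ZIP_LOCATION: control-plane/dist/cni/linux/${{ matrix.arch }}
        run: |
          cd "${ZIP_LOCATION}"
          unzip -j *.zip
      # This naming convention will be used ONLY for per-commit dev images
      - name: Set docker dev tag
        # Reads the job-level `version` env var from the shell rather than
        # expanding the expression into the script text.
        run: |
          minor_dev_tag="$(echo "${version}" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+(-[0-9a-zA-Z\+\.]+)?$/\1\2/')"
          echo "full_dev_tag=${version}"
          echo "full_dev_tag=${version}" >> "$GITHUB_ENV"
          echo "minor_dev_tag=${minor_dev_tag}"
          echo "minor_dev_tag=${minor_dev_tag}" >> "$GITHUB_ENV"
      - name: Docker Build (Action)
        # NOTE(review): mutable tag `v2`; consider pinning to a commit SHA as
        # the actions/* steps in this file are.
        uses: hashicorp/actions-docker-build@v2
        with:
          smoke_test: |
            TEST_VERSION="$(docker run "${IMAGE_NAME}" consul-k8s-control-plane version | awk '{print $2}')"
            if [ "${TEST_VERSION}" != "v${version}" ]; then
              echo "Test FAILED"
              exit 1
            fi
            echo "Test PASSED"
          version: ${{ env.version }}
          target: ubi
          arch: ${{ matrix.arch }}
          pkg_name: consul-k8s-control-plane_${{ env.version }}
          bin_name: consul-k8s-control-plane
          workdir: control-plane
          tags: |
            docker.io/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}-ubi
            public.ecr.aws/hashicorp/${{ env.repo }}-control-plane:${{ env.version }}-ubi
          dev_tags: |
            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi
            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.full_dev_tag }}-ubi-${{ github.sha }}
            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-ubi
            docker.io/hashicorppreview/${{ env.repo }}-control-plane:${{ env.minor_dev_tag }}-ubi-${{ github.sha }}
          redhat_tag: quay.io/redhat-isv-containers/611ca2f89a9b407267837100:${{env.version}}-ubi
          extra_build_args: |
            GOLANG_VERSION=${{ needs.get-go-version.outputs.go-version }}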