From 3cf1767718c1abc6155eb26653ca2e252bbbafd2 Mon Sep 17 00:00:00 2001 From: l-qing Date: Sat, 2 Aug 2025 08:29:45 +0800 Subject: [PATCH 01/23] feat: init alauda-v4.47.1 branch (#3) --- .github/workflows/alauda-auto-tag.yaml | 87 +++++++++++++++++++ .github/workflows/release-alauda.yaml | 16 ++++ .../workflows/reusable-release-alauda.yaml | 33 +++++++ .github/workflows/scan-alauda.yaml | 34 ++++++++ .goreleaser-alauda.yml | 58 +++++++++++++ DEVELOPMENT.md | 64 ++++++++++++++ go.mod | 4 +- 7 files changed, 293 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/alauda-auto-tag.yaml create mode 100644 .github/workflows/release-alauda.yaml create mode 100644 .github/workflows/reusable-release-alauda.yaml create mode 100644 .github/workflows/scan-alauda.yaml create mode 100644 .goreleaser-alauda.yml create mode 100644 DEVELOPMENT.md diff --git a/.github/workflows/alauda-auto-tag.yaml b/.github/workflows/alauda-auto-tag.yaml new file mode 100644 index 0000000000..f3b08279a7 --- /dev/null +++ b/.github/workflows/alauda-auto-tag.yaml @@ -0,0 +1,87 @@ +name: Auto Tag for Alauda + +on: + push: + branches: + - 'alauda-v*' + +permissions: + contents: write # create tags and releases + packages: write # upload packages + +jobs: + tag: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 # fetch all tags + + - name: Set up Git + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + + - name: Extract version and tag prefix + id: extract + run: | + BRANCH_NAME="${GITHUB_REF#refs/heads/}" + echo "Branch: $BRANCH_NAME" + + PREFIX="${BRANCH_NAME%%-*}" # alauda + BASE_VERSION="${BRANCH_NAME#${PREFIX}-}" # v0.62.1 + + VERSION_NO_V="${BASE_VERSION#v}" # 0.62.1 + MAJOR=$(echo "$VERSION_NO_V" | cut -d. -f1) + MINOR=$(echo "$VERSION_NO_V" | cut -d. -f2) + PATCH=$(echo "$VERSION_NO_V" | cut -d. -f3) + + echo "MAJOR: $MAJOR, MINOR: $MINOR, PATCH: $PATCH" + + # PATCH + 1 + NEXT_PATCH=$((PATCH + 1)) + echo "NEXT_PATCH=$NEXT_PATCH" + + NEXT_VERSION="v${MAJOR}.${MINOR}.${NEXT_PATCH}" # v0.62.2 + echo "NEXT_VERSION=$NEXT_VERSION" + + TAG_PREFIX="${NEXT_VERSION}-${PREFIX}" # v0.62.2-alauda + echo "TAG_PREFIX=$TAG_PREFIX" + + echo "prefix=$PREFIX" >> $GITHUB_OUTPUT + echo "base_version=$BASE_VERSION" >> $GITHUB_OUTPUT + echo "tag_prefix=$TAG_PREFIX" >> $GITHUB_OUTPUT + + - name: Find latest tag with this prefix + id: latest + run: | + TAG_PREFIX="${{ steps.extract.outputs.tag_prefix }}" + echo "Looking for tags with prefix: $TAG_PREFIX" + + EXISTING_TAGS=$(git tag --list "${TAG_PREFIX}-*" | sort -V) + echo "Existing tags: $EXISTING_TAGS" + + MAX_INDEX=-1 + for tag in $EXISTING_TAGS; do + NUM=${tag##*-} + if [[ "$NUM" =~ ^[0-9]+$ && "$NUM" -gt "$MAX_INDEX" ]]; then + MAX_INDEX=$NUM + fi + done + + NEW_INDEX=$((MAX_INDEX + 1)) + NEW_TAG="${TAG_PREFIX}-${NEW_INDEX}" + + echo "new_tag=$NEW_TAG" >> $GITHUB_OUTPUT + + - name: Create and push new tag + run: | + NEW_TAG="${{ steps.latest.outputs.new_tag }}" + git tag "$NEW_TAG" + git push origin "$NEW_TAG" + + release-alauda: + name: Release Alauda + needs: [tag] + uses: ./.github/workflows/reusable-release-alauda.yaml diff --git a/.github/workflows/release-alauda.yaml b/.github/workflows/release-alauda.yaml new file mode 100644 index 0000000000..8898f8d740 --- /dev/null +++ b/.github/workflows/release-alauda.yaml @@ -0,0 +1,16 @@ +name: Release Alauda + +on: + push: + tags: + - "v*-alauda-*" + workflow_dispatch: + +permissions: + contents: write # create releases + packages: write # upload packages + +jobs: + release-alauda: + name: Release Alauda + uses: ./.github/workflows/reusable-release-alauda.yaml diff --git a/.github/workflows/reusable-release-alauda.yaml b/.github/workflows/reusable-release-alauda.yaml new file mode 100644 index 0000000000..5749df851d --- /dev/null +++ b/.github/workflows/reusable-release-alauda.yaml @@ -0,0 +1,33 @@ +name: Release Alauda + +on: + workflow_call: + +permissions: + contents: write + packages: write + +jobs: + release: + name: alauda-release + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4.1.6 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: false + + - name: Set up GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + version: v2.1.0 + args: release -f=.goreleaser-alauda.yml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scan-alauda.yaml b/.github/workflows/scan-alauda.yaml new file mode 100644 index 0000000000..3255f18d84 --- /dev/null +++ b/.github/workflows/scan-alauda.yaml @@ -0,0 +1,34 @@ +name: Scan vulnerabilities for Alauda +on: + schedule: + - cron: '0 0 * * *' + workflow_dispatch: + +jobs: + build: + name: Scan Go vulnerabilities + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4.1.6 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: "go.mod" + cache: false + + - name: Set up GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + version: v2.1.0 + args: release --snapshot -f=.goreleaser-alauda.yml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'rootfs' + scan-ref: 'dist/cosign_linux_amd64_v1/alauda-cosign' + exit-code: 1 diff --git a/.goreleaser-alauda.yml b/.goreleaser-alauda.yml new file mode 100644 index 0000000000..8edf3813fc --- /dev/null +++ b/.goreleaser-alauda.yml @@ -0,0 +1,58 @@ +# This is an example .goreleaser.yml file with some sensible defaults. +# Make sure to check the documentation at https://goreleaser.com + +# The lines below are called `modelines`. See `:help modeline` +# Feel free to remove those if you don't want/need to use them. +# yaml-language-server: $schema=https://goreleaser.com/static/schema.json +# vim: set ts=2 sw=2 tw=0 fo=cnqoj + +version: 2 + +before: + hooks: + # You may remove this if you don't use go modules. + - go mod tidy + +builds: + - id: yq + env: + - CGO_ENABLED=0 + goos: + - linux + goarch: + - amd64 + - arm64 + ldflags: + - -w -s -extldflags '-static' + main: . + binary: alauda-yq + +archives: + - id: archive + format: tar.gz + name_template: >- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} + {{- if .Arm }}v{{ .Arm }}{{ end }} + format_overrides: + - goos: windows + format: zip + +changelog: + sort: asc + filters: + exclude: + - "^docs:" + - "^test:" + +release: + footer: >- + + --- + + This release is intended for use only as part of the Alauda product suite. + It is not recommended for use by individuals or teams outside of Alauda. + Any consequences arising from its use are the sole responsibility of the user. diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md new file mode 100644 index 0000000000..7cce5a4457 --- /dev/null +++ b/DEVELOPMENT.md @@ -0,0 +1,64 @@ +# YQ alauda Branch Development Guide + +## Background + +Previously, yq was used as a general-purpose CLI across multiple plugins, each needing to fix vulnerabilities in yq independently. + +To avoid duplicated efforts, we forked the [yq](https://github.com/mikefarah/yq) repository and maintain it through branches named `alauda-vx.xx.xx`. + +We use [renovate](https://gitlab-ce.alauda.cn/devops/tech-research/renovate/-/blob/main/docs/quick-start/0002-quick-start.md) to automatically fix vulnerabilities in corresponding versions. + +## Repository Structure + +Based on the original code, the following content has been added: + +- [alauda-auto-tag.yaml](./.github/workflows/alauda-auto-tag.yaml): Automatically tags and triggers goreleaser when a PR is merged into the `alauda-vx.xx.xx` branch +- [release-alauda.yaml](./.github/workflows/release-alauda.yaml): Supports triggering goreleaser manually or upon tag updates (this pipeline isn't triggered when tags are created by actions due to GitHub Actions design limitations) +- [reusable-release-alauda.yaml](./.github/workflows/reusable-release-alauda.yaml): Executes goreleaser to create a release +- [scan-alauda.yaml](.github/workflows/scan-alauda.yaml): Runs trivy vulnerability scans (`rootfs` scans for Go binaries) +- [.goreleaser-alauda.yml](.goreleaser-alauda.yml): Configuration file for releasing alauda versions + +## Special Modifications + +None at present + +## Pipelines + +### Triggered on PR Submission + +- [tests.yaml](.github/workflows/tests.yaml): Official testing pipeline including unit tests, integration tests, etc. + +### Triggered on Merge to alauda-vx.xx.xx Branch + +- [alauda-auto-tag.yaml](.github/workflows/alauda-auto-tag.yaml): Automatically tags and triggers goreleaser +- [reusable-release-alauda.yaml](.github/workflows/reusable-release-alauda.yaml): Executes goreleaser to create a release (triggered by `alauda-auto-tag.yaml`) + +### Scheduled or Manual Triggering + +- [scan-alauda.yaml](.github/workflows/scan-alauda.yaml): Runs trivy vulnerability scans (`rootfs` scans for Go binaries) + +### Others + +Other officially maintained pipelines remain unchanged; some irrelevant pipelines have been disabled on the Actions page. + +## Renovate Vulnerability Fix Mechanism + +The renovate configuration file is [renovate.json](https://github.com/AlaudaDevops/trivy/blob/main/renovate.json) + +1. renovate detects vulnerabilities in the branch and submits a PR for fixes +2. Tests run automatically on the PR +3. After all tests pass, renovate automatically merges the PR +4. After the branch updates, an action automatically tags the commit (e.g., v0.62.1-alauda-0, with patch version and last digit incremented) +5. goreleaser automatically publishes a release based on the tag + +## Maintenance Plan + +When upgrading to a new version, follow these steps: + +1. Create an alauda branch from the corresponding tag, e.g., tag `v0.62.1` corresponds to branch `alauda-v0.62.1` +2. Cherry-pick previous alauda branch changes onto the new branch and push + +Renovate automatic fix mechanism: +1. After renovate submits a PR, pipelines run automatically; if all tests pass, the PR will be merged automatically +2. After merging into the `alauda-v0.62.1` branch, goreleaser will automatically create a `v0.62.2-alauda-0` release (note: not `v0.62.1-alauda-0`, because upgrading the version allows renovate to recognize it) +3. renovate configured in other plugins will automatically fetch artifacts from the release according to its configuration diff --git a/go.mod b/go.mod index 4d2625e6c2..3e3f8b788b 100644 --- a/go.mod +++ b/go.mod @@ -30,6 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.24 - -toolchain go1.24.1 +go 1.24.5 From 8344b679c72874e668f1067ca6d4495e2d3ad835 Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Thu, 7 Aug 2025 01:48:41 +0000 Subject: [PATCH 02/23] chore(deps): update dependency go to v1.24.6 (#2) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 3e3f8b788b..600a786640 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.24.5 +go 1.24.6 From b488dba002613b4b4b534c0f7cdc44526ac1841d Mon Sep 17 00:00:00 2001 From: l-qing Date: Thu, 14 Aug 2025 09:21:51 +0800 Subject: [PATCH 03/23] fix: update scan-alauda workflow to scan alauda-yq binary (#4) Updates the Trivy security scan reference from alauda-cosign to alauda-yq to match the correct binary for this repository. --- .github/workflows/scan-alauda.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-alauda.yaml b/.github/workflows/scan-alauda.yaml index 3255f18d84..c8bc631033 100644 --- a/.github/workflows/scan-alauda.yaml +++ b/.github/workflows/scan-alauda.yaml @@ -30,5 +30,5 @@ jobs: uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'rootfs' - scan-ref: 'dist/cosign_linux_amd64_v1/alauda-cosign' + scan-ref: 'dist/yq_linux_amd64_v1/alauda-yq' exit-code: 1 From c463f85ee754159aae25d04e5b831bb4a1e62548 Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Thu, 14 Aug 2025 09:29:41 +0800 Subject: [PATCH 04/23] chore(deps): update dependency go to v1.25.0 (#6) --- go.mod | 2 +- scripts/devtools.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 600a786640..464073812f 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.24.6 +go 1.25.0 diff --git a/scripts/devtools.sh b/scripts/devtools.sh index 7dac5be4af..432ea42284 100755 --- a/scripts/devtools.sh +++ b/scripts/devtools.sh @@ -1,5 +1,5 @@ #!/bin/sh set -ex go mod download golang.org/x/tools@latest -curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.1.5 -curl -sSfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s v2.22.5 \ No newline at end of file +curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.4.0 +curl -sSfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s v2.22.5 From bb7fb2fb343c2289851caeab59fc21f9aaabe81c Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Mon, 18 Aug 2025 14:30:57 +0000 Subject: [PATCH 05/23] chore(deps): update golang docker tag to v1.24.6 (#7) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index ba15203631..a8d2c3d053 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.5 AS builder +FROM golang:1.24.6 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index d1dddc9182..78205d00d1 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.24.5 +FROM golang:1.24.6 RUN apt-get update && \ apt-get install -y npm && \ From 1d022680d29b524e0994c7597aeb4560872771c6 Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Thu, 4 Sep 2025 12:35:57 +0800 Subject: [PATCH 06/23] chore(deps): update all patch dependencies (#8) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- go.mod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index a8d2c3d053..5c7d3d3800 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.6 AS builder +FROM golang:1.24.7 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index 78205d00d1..ee6a7c71ac 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.24.6 +FROM golang:1.24.7 RUN apt-get update && \ apt-get install -y npm && \ diff --git a/go.mod b/go.mod index 464073812f..212eae0f12 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.25.0 +go 1.25.1 From dcf97fef1d20b57f16b00dd7912220b83dfc5136 Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Wed, 8 Oct 2025 04:39:40 +0000 Subject: [PATCH 07/23] chore(deps): update all patch dependencies (#9) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- go.mod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5c7d3d3800..eece9b7d4b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.7 AS builder +FROM golang:1.24.8 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index ee6a7c71ac..db9e670a4d 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.24.7 +FROM golang:1.24.8 RUN apt-get update && \ apt-get install -y npm && \ diff --git a/go.mod b/go.mod index 212eae0f12..93c19d438d 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.25.1 +go 1.25.2 From a068008a314053cdcc2ecc15f141f1380c8d4840 Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Tue, 14 Oct 2025 05:47:11 +0000 Subject: [PATCH 08/23] chore(deps): update all patch dependencies (#10) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- go.mod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index eece9b7d4b..27e3ad0881 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.8 AS builder +FROM golang:1.24.9 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index db9e670a4d..3e6091ee03 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.24.8 +FROM golang:1.24.9 RUN apt-get update && \ apt-get install -y npm && \ diff --git a/go.mod b/go.mod index 93c19d438d..54b760aa06 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.25.2 +go 1.25.3 From 281db1ca4d935554c2141d72f6521c3df370e34f Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Thu, 6 Nov 2025 07:15:24 +0000 Subject: [PATCH 09/23] chore(deps): update all patch dependencies (#11) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- go.mod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 27e3ad0881..b96c3924a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.9 AS builder +FROM golang:1.24.10 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index 3e6091ee03..6996259533 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.24.9 +FROM golang:1.24.10 RUN apt-get update && \ apt-get install -y npm && \ diff --git a/go.mod b/go.mod index 54b760aa06..9e011ef14e 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.25.3 +go 1.25.4 From 87eae2211e55812cbcf7fd6bf8fa014faf39300a Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 23:51:46 +0000 Subject: [PATCH 10/23] chore(deps): update all patch dependencies (#12) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- go.mod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index b96c3924a2..f5d4ac800c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.10 AS builder +FROM golang:1.24.11 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index 6996259533..1cba7da7a1 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.24.10 +FROM golang:1.24.11 RUN apt-get update && \ apt-get install -y npm && \ diff --git a/go.mod b/go.mod index 9e011ef14e..dae133ef6e 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.25.4 +go 1.25.5 From 1c729ebefad9808c3009a0f9be869c161f27b4a4 Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Wed, 31 Dec 2025 17:46:05 +0000 Subject: [PATCH 11/23] chore(deps): update golang docker tag to v1.25.5 (#13) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index f5d4ac800c..e876901bd3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.24.11 AS builder +FROM golang:1.25.5 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index 1cba7da7a1..9d5d1ea27a 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.24.11 +FROM golang:1.25.5 RUN apt-get update && \ apt-get install -y npm && \ From 9e49e262a7d046370b362111c3e7211e6d5d4867 Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Fri, 16 Jan 2026 08:32:57 +0000 Subject: [PATCH 12/23] chore(deps): update golang docker tag to v1.25.6 (#14) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e876901bd3..08bf44594f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.25.5 AS builder +FROM golang:1.25.6 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index 9d5d1ea27a..533dd23146 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.25.5 +FROM golang:1.25.6 RUN apt-get update && \ apt-get install -y npm && \ From 792dcb8d7722917aa33da9c4f9dd34d999d46e33 Mon Sep 17 00:00:00 2001 From: qingliu Date: Fri, 30 Jan 2026 16:00:45 +0800 Subject: [PATCH 13/23] chore(deps): update golang version to v1.25.6 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index dae133ef6e..3e2b6b29e8 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.25.5 +go 1.25.6 From 5e87e9acddf399c90942072e41109c61b08e9db9 Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Thu, 5 Feb 2026 01:44:45 +0000 Subject: [PATCH 14/23] chore(deps): update golang docker tag to v1.25.7 (#15) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 08bf44594f..ab6a2cd6d0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.25.6 AS builder +FROM golang:1.25.7 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index 533dd23146..e665d4b7b8 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.25.6 +FROM golang:1.25.7 RUN apt-get update && \ apt-get install -y npm && \ From 7dbddafc413aac12a6dd63376b8519d798eddf54 Mon Sep 17 00:00:00 2001 From: qingliu Date: Sat, 7 Feb 2026 11:42:52 +0800 Subject: [PATCH 15/23] chore(deps): update golang version to v1.25.7 - Bump go directive from 1.25.6 to 1.25.7 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 3e2b6b29e8..3b887a3c5d 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.25.6 +go 1.25.7 From d89a90c5a32ef6a15c2588a25e6709448d70b12f Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Thu, 12 Feb 2026 18:11:03 +0000 Subject: [PATCH 16/23] chore(deps): update golang docker tag to v1.26.0 (#17) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index ab6a2cd6d0..5c0c2cd20e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.25.7 AS builder +FROM golang:1.26.0 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index e665d4b7b8..8d6f4c7f62 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.25.7 +FROM golang:1.26.0 RUN apt-get update && \ apt-get install -y npm && \ From 75a0e86cb7d598c5b4b06e0cea165375e8c09602 Mon Sep 17 00:00:00 2001 From: "alaudaa-renovate[bot]" <219066560+alaudaa-renovate[bot]@users.noreply.github.com> Date: Fri, 6 Mar 2026 22:28:59 +0800 Subject: [PATCH 17/23] chore(deps): update golang docker tag to v1.26.1 (#19) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5c0c2cd20e..2b53f48e30 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.0 AS builder +FROM golang:1.26.1 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index 8d6f4c7f62..990cffd24b 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.26.0 +FROM golang:1.26.1 RUN apt-get update && \ apt-get install -y npm && \ From 9933184fc6821fbccefb4cf775b9a0f152e7163d Mon Sep 17 00:00:00 2001 From: qingliu Date: Mon, 9 Mar 2026 12:24:23 +0800 Subject: [PATCH 18/23] chore(deps): update golang version to v1.26.1 - Bump go directive in go.mod from 1.25.7 to 1.26.1 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 3b887a3c5d..fd7d4f5909 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.25.7 +go 1.26.1 From 33e21708f155d74c77cc3c35def222d7a677628e Mon Sep 17 00:00:00 2001 From: qingliu Date: Mon, 9 Mar 2026 13:06:55 +0800 Subject: [PATCH 19/23] chore(ci): update go version detection and devtools install - Use go-version-file in CI to align Go version with go.mod - Extract GOLANGCI_LINT_VERSION and GOSEC_VERSION as variables - Replace curl-based golangci-lint install with go install for reproducibility - Bump golangci-lint from v2.4.0 to v2.11.2 --- .github/workflows/go.yml | 8 ++++---- cmd/utils_test.go | 12 +++--------- scripts/devtools.sh | 10 ++++++++-- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 973cecb9b2..268653363b 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -10,15 +10,15 @@ jobs: runs-on: ubuntu-latest steps: + - name: Check out code into the Go module directory + uses: actions/checkout@v4 + - name: Set up Go uses: actions/setup-go@v5 with: - go-version: '^1.20' + go-version-file: go.mod id: go - - name: Check out code into the Go module directory - uses: actions/checkout@v4 - - name: Get dependencies run: | go get -v -t -d ./... diff --git a/cmd/utils_test.go b/cmd/utils_test.go index 67d45110da..f782bfccce 100644 --- a/cmd/utils_test.go +++ b/cmd/utils_test.go @@ -3,6 +3,7 @@ package cmd import ( "fmt" "os" + "slices" "strings" "testing" @@ -907,15 +908,8 @@ func (f *mockBoolFlag) Type() string { // Helper function to compare string slices func stringsEqual(a, b []string) bool { - if len(a) != len(b) { - return false - } - for i := range a { - if a[i] != b[i] { - return false - } - } - return true + // Use the standard library comparator to avoid manual index handling. + return slices.Equal(a, b) } func TestSetupColors(t *testing.T) { diff --git a/scripts/devtools.sh b/scripts/devtools.sh index 432ea42284..2f501825de 100755 --- a/scripts/devtools.sh +++ b/scripts/devtools.sh @@ -1,5 +1,11 @@ #!/bin/sh set -ex + +# Keep tooling installation deterministic and aligned with the active Go toolchain. +# This avoids prebuilt golangci-lint binaries being built by an older Go version. +GOLANGCI_LINT_VERSION=v2.11.2 +GOSEC_VERSION=v2.22.5 + go mod download golang.org/x/tools@latest -curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.4.0 -curl -sSfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s v2.22.5 +go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@${GOLANGCI_LINT_VERSION} +curl -sSfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s ${GOSEC_VERSION} From a7ad10cde1606deda82e0fbebe4a6280523cc567 Mon Sep 17 00:00:00 2001 From: qingliu Date: Tue, 7 Apr 2026 18:23:50 -0500 Subject: [PATCH 20/23] chore: bump Go to 1.26.2 - Update Dockerfile build image to golang:1.26.2 - Update Dockerfile.dev base image to golang:1.26.2 - Align go.mod toolchain version with the new Go release --- Dockerfile | 2 +- Dockerfile.dev | 2 +- go.mod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2b53f48e30..a598c449ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.1 AS builder +FROM golang:1.26.2 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index 990cffd24b..51209dc664 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.26.1 +FROM golang:1.26.2 RUN apt-get update && \ apt-get install -y npm && \ diff --git a/go.mod b/go.mod index fd7d4f5909..f0a1cc4c1f 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.26.1 +go 1.26.2 From 5aca49675d7803d662006a5021ea9ec15f69c5cf Mon Sep 17 00:00:00 2001 From: l-qing <9499086+l-qing@users.noreply.github.com> Date: Thu, 7 May 2026 13:38:52 +0800 Subject: [PATCH 21/23] chore(github): add workflow to sync releases to Nexus (#25) - Add a GitHub Actions workflow for alauda tags. - Create a Tekton PipelineRun on the ARC runner. - Pass release metadata and Nexus sync labels to the pipeline. - Stream the PipelineRun logs after creation. --- .github/workflows/alauda-auto-tag.yaml | 97 ++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/.github/workflows/alauda-auto-tag.yaml b/.github/workflows/alauda-auto-tag.yaml index f3b08279a7..32ab49317a 100644 --- a/.github/workflows/alauda-auto-tag.yaml +++ b/.github/workflows/alauda-auto-tag.yaml @@ -12,6 +12,12 @@ permissions: jobs: tag: runs-on: ubuntu-latest + outputs: + # Expose the freshly created tag so downstream jobs (release, sync) + # in the same workflow run can act on it without relying on the + # `push: tags:` event — that event is suppressed when the tag is + # pushed using the default GITHUB_TOKEN. + new_tag: ${{ steps.latest.outputs.new_tag }} steps: - name: Checkout code uses: actions/checkout@v4 @@ -85,3 +91,94 @@ jobs: name: Release Alauda needs: [tag] uses: ./.github/workflows/reusable-release-alauda.yaml + + sync-to-nexus: + # Inlined from the former sync-to-nexus.yml workflow. We can't rely on + # `on.push.tags` to chain workflows here because the tag above is pushed + # with the default GITHUB_TOKEN, which by design does not trigger new + # workflow runs. Running sync as a downstream job in the same workflow + # run sidesteps that limitation entirely. + name: Sync Release To Nexus + needs: [tag] + runs-on: alauda-devops-runner + steps: + - name: create PipelineRun and follow logs + env: + TEKTON_NS: devops + # Pipeline source: catalog "alauda" via Tekton Hub resolver. + # Bump PIPELINE_VERSION together with catalog releases. + PIPELINE_CATALOG: alauda + PIPELINE_NAME: sync-github-release-to-nexus + PIPELINE_VERSION: "0.1" + # Component-aware PipelineRun name so the run is identifiable + # at a glance in `kubectl get pipelinerun` listings. + PR_NAME: sync-${{ github.event.repository.name }}-${{ github.run_id }}-${{ github.run_attempt }} + REPO: ${{ github.repository }} + # The tag was just produced by the `tag` job; pull it from the + # job output rather than github.ref_name (which here is the + # source branch, not a tag). + TAG: ${{ needs.tag.outputs.new_tag }} + RELEASE_URL: ${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ needs.tag.outputs.new_tag }} + run: | + set -euo pipefail + + # Source-repo label uses dots instead of slashes to satisfy + # Kubernetes label value charset (no '/'). + SOURCE_REPO_LABEL="${REPO//\//.}" + + # Create PipelineRun with metadata.name (not generateName) so the + # PR name is known up front for `tkn pr logs -f` below. + # github-token workspace intentionally omitted: forks are public, + # pipeline declares it `optional: true` and falls back to anonymous. + cat < Date: Fri, 8 May 2026 18:14:47 +0800 Subject: [PATCH 22/23] chore(deps): update golang docker tag to v1.26.3 (#26) Co-authored-by: alaudaa-renovate[bot] <219066560+alaudaa-renovate[bot]@users.noreply.github.com> --- Dockerfile | 2 +- Dockerfile.dev | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a598c449ce..56754d332e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.2 AS builder +FROM golang:1.26.3 AS builder WORKDIR /go/src/mikefarah/yq diff --git a/Dockerfile.dev b/Dockerfile.dev index 51209dc664..ae22bbcd1b 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM golang:1.26.2 +FROM golang:1.26.3 RUN apt-get update && \ apt-get install -y npm && \ From f7390ebdc1f726d38095b1929130f838367be0c0 Mon Sep 17 00:00:00 2001 From: qingliu Date: Fri, 8 May 2026 07:45:05 -0500 Subject: [PATCH 23/23] chore(go): bump Go toolchain version - Update the module's Go version from 1.26.2 to 1.26.3 - Keep the change limited to the root module metadata --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index f0a1cc4c1f..c2e9ead395 100644 --- a/go.mod +++ b/go.mod @@ -30,4 +30,4 @@ require ( golang.org/x/sys v0.34.0 // indirect ) -go 1.26.2 +go 1.26.3