Merge pull request #251 from opendevstack/fix/vulnerability

update to go 1.21 to fix CVE-2023-44487

Author: BraisVQ

.github/workflows/ci.yml

@@ -7,34 +7,32 @@ jobs:
     steps:
       -
         name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       -
         name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
-          version: 1.14
+          go-version: 1.21
       -
         name: Download Go tools
         run: |
-          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.25.0
-          go get golang.org/x/tools/cmd/goimports
+          go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2
+          go install golang.org/x/tools/cmd/goimports@latest
+          echo "PATH=$PATH:$(go env GOPATH)/bin" >> $GITHUB_ENV
       -
         name: Run lint
         run: |
-          export PATH=$PATH:$(go env GOPATH)/bin
           make lint
       -
-        name: Setup OpenShift
-        uses: manusa/actions-setup-openshift@v1.1.2
-        with:
-          oc version: 'v3.11.0'
-          enable: 'centos-imagestreams,persistent-volumes,registry,router'
-          github token: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Run tests
+        name: Download OpenShift client
         run: |
-          export PATH=$PATH:$(go env GOPATH)/bin
-          sudo chown -R runner:docker openshift.local.clusterup/
-          make test
+          mkdir -p ~/oc
+          cd ~/oc
+          curl -L https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz -o oc.tar.gz
+          tar -xzf oc.tar.gz
+          echo "$HOME/oc" >> $GITHUB_PATH
+      -
+        name: Run Unit tests (cannot run openshift tests due to requiring Github runner with ubuntu 20.04)
+        run: make test-unit

.github/workflows/codeql-analysis.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -26,15 +26,15 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v4
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -48,4 +48,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v4

.github/workflows/release.yml

@@ -0,0 +1,84 @@
+name: Release
+
+on:
+  release:
+    types: [created]
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build and Upload Artifacts
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21
+
+      - name: Download Go tools
+        run: |
+          go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.2
+          go install golang.org/x/tools/cmd/goimports@latest
+          echo "PATH=$PATH:$(go env GOPATH)/bin" >> $GITHUB_ENV
+
+      - name: Run lint
+        run: make lint
+
+      -
+        name: Download OpenShift client
+        run: |
+          mkdir -p ~/oc
+          cd ~/oc
+          curl -L https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz -o oc.tar.gz
+          tar -xzf oc.tar.gz
+          echo "$HOME/oc" >> $GITHUB_PATH
+
+      - name: Run unit tests
+        run: make test-unit
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          TAG=${{ github.event.release.tag_name }}
+          VERSION=${TAG#v}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Build binaries
+        run: make build VERSION=${{ steps.version.outputs.version }}
+
+      - name: Upload Linux binary
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ./cmd/tailor/tailor-linux-amd64
+          asset_name: tailor-linux-amd64
+          asset_content_type: application/octet-stream
+
+      - name: Upload macOS binary
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ./cmd/tailor/tailor-darwin-amd64
+          asset_name: tailor-darwin-amd64
+          asset_content_type: application/octet-stream
+
+      - name: Upload Windows binary
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ./cmd/tailor/tailor-windows-amd64.exe
+          asset_name: tailor-windows-amd64.exe
+          asset_content_type: application/octet-stream

Makefile

@@ -44,17 +44,17 @@ build: imports build-linux build-darwin build-windows
 
 ## Build Linux binary.
 build-linux: imports
-	cd cmd/tailor && GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -gcflags "all=-trimpath=$(CURDIR);$(shell go env GOPATH)" -o tailor-linux-amd64
+	cd cmd/tailor && GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -gcflags "all=-trimpath=$(CURDIR);$(shell go env GOPATH)" -ldflags "-X main.Version=$(VERSION)" -o tailor-linux-amd64
 .PHONY: build-linux
 
 ## Build macOS binary.
 build-darwin: imports
-	cd cmd/tailor && GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -gcflags "all=-trimpath=$(CURDIR);$(shell go env GOPATH)" -o tailor-darwin-amd64
+	cd cmd/tailor && GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -gcflags "all=-trimpath=$(CURDIR);$(shell go env GOPATH)" -ldflags "-X main.Version=$(VERSION)" -o tailor-darwin-amd64
 .PHONY: build-darwin
 
 ## Build Windows binary.
 build-windows: imports
-	cd cmd/tailor && GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -gcflags "all=-trimpath=$(CURDIR);$(shell go env GOPATH)" -o tailor-windows-amd64.exe
+	cd cmd/tailor && GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -gcflags "all=-trimpath=$(CURDIR);$(shell go env GOPATH)" -ldflags "-X main.Version=$(VERSION)" -o tailor-windows-amd64.exe
 .PHONY: build-windows
 
 internal/test/e2e/tailor-test: cmd/tailor/main.go go.mod go.sum pkg/cli/* pkg/commands/* pkg/openshift/* pkg/utils/*

cmd/tailor/main.go

@@ -11,6 +11,11 @@ import (
 	"github.com/opendevstack/tailor/pkg/commands"
 )
 
+// Version will be set during build time using ldflags to the current version from git tags (already prepared in the Makefile).
+// For example: make build VERSION=1.0.0
+// If the version cannot be determined (e.g. when building from source manually and no version is specified), it will default to "dev".
+var Version = "dev"
+
 var (
 	app = kingpin.New(
 		"tailor",
@@ -253,7 +258,7 @@ func main() {
 	command := kingpin.MustParse(app.Parse(os.Args[1:]))
 
 	if command == versionCommand.FullCommand() {
-		fmt.Println("1.3.4+master")
+		fmt.Println(Version)
 		return
 	}
 

go.mod

@@ -2,20 +2,23 @@ module github.com/opendevstack/tailor
 
 require (
 	github.com/alecthomas/kingpin v2.2.6+incompatible
-	github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc // indirect
-	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
 	github.com/fatih/color v1.7.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/google/go-cmp v0.3.1
-	github.com/mattn/go-colorable v0.0.9 // indirect
-	github.com/mattn/go-isatty v0.0.3 // indirect
 	github.com/pmezard/go-difflib v1.0.0
-	github.com/stretchr/testify v1.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f
 	golang.org/x/crypto v0.0.0-20180820150726-614d502a4dac
 	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
+)
+
+require (
+	github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc // indirect
+	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
+	github.com/mattn/go-colorable v0.0.9 // indirect
+	github.com/mattn/go-isatty v0.0.3 // indirect
+	github.com/stretchr/testify v1.3.0 // indirect
 	golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3 // indirect
 	gopkg.in/yaml.v2 v2.2.1 // indirect
 )
 
-go 1.14
+go 1.21

internal/test/e2e/e2e_test.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"strings"
@@ -79,11 +78,11 @@ func exportInitialState(t *testing.T, testProjectName string, tailorBinary strin
 	if exportErr != nil {
 		t.Fatalf("Could not export initial state: %s\n%s", exportErr, exportStderr)
 	}
-	tempDir, tempDirErr := ioutil.TempDir("..", "initial-export-")
+	tempDir, tempDirErr := os.MkdirTemp("..", "initial-export-")
 	if tempDirErr != nil {
 		t.Fatalf("Could not create temp dir: %s", tempDirErr)
 	}
-	writeErr := ioutil.WriteFile(tempDir+"/template.yml", exportStdout, 0644)
+	writeErr := os.WriteFile(tempDir+"/template.yml", exportStdout, 0644)
 	if writeErr != nil {
 		t.Logf("Failed to write file template.yml into %s", tempDir)
 		os.RemoveAll(tempDir)
@@ -93,7 +92,7 @@ func exportInitialState(t *testing.T, testProjectName string, tailorBinary strin
 }
 
 func walkSubdirs(t *testing.T, dir string, fun func(subdir string)) {
-	files, err := ioutil.ReadDir(dir)
+	files, err := os.ReadDir(dir)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -262,7 +261,7 @@ func runCmd(executable string, args []string) (outBytes, errBytes []byte, err er
 }
 
 func readTestCaseSteps(folder string) (testCaseSteps, error) {
-	content, err := ioutil.ReadFile(folder + "/steps.json")
+	content, err := os.ReadFile(folder + "/steps.json")
 	if err != nil {
 		return nil, fmt.Errorf("Cannot read file: %w", err)
 	}

internal/test/helper/file.go

@@ -2,7 +2,6 @@ package helper
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path"
 	"runtime"
@@ -48,5 +47,5 @@ func readFile(name string) ([]byte, error) {
 		return []byte{}, fmt.Errorf("Could not get filename when looking for %s", name)
 	}
 	filepath := path.Join(path.Dir(filename), name)
-	return ioutil.ReadFile(filepath)
+	return os.ReadFile(filepath)
 }

pkg/cli/cli.go

@@ -5,7 +5,6 @@ import (
 	"bytes"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
 	"os"
 	"os/exec"
@@ -136,7 +135,7 @@ func AskForAction(question string, options []string, reader *bufio.Reader) strin
 
 // EditEnvFile opens content in EDITOR, and returns saved content.
 func EditEnvFile(content string) (string, error) {
-	err := ioutil.WriteFile(".ENV.DEC", []byte(content), 0644)
+	err := os.WriteFile(".ENV.DEC", []byte(content), 0644)
 	if err != nil {
 		return "", err
 	}
@@ -160,7 +159,7 @@ func EditEnvFile(content string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	data, err := ioutil.ReadFile(".ENV.DEC")
+	data, err := os.ReadFile(".ENV.DEC")
 	if err != nil {
 		return "", err
 	}

pkg/cli/options.go

@@ -3,7 +3,6 @@ package cli
 import (
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"strings"
@@ -619,7 +618,7 @@ func getFileFlags(filename string, verbose bool) (map[string]string, error) {
 		return fileFlags, err
 	}
 
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return fileFlags, err
 	}