Merge pull request #26 from inloco/security/upgrade

security: upgrade packer with security fixes
inloco · May 7, 2024 · aba4c88 · aba4c88
2 parents ab138f0 + c47b325
commit aba4c88
Show file tree

Hide file tree

Showing 217 changed files with 15,746 additions and 1,618 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -66,7 +66,7 @@ runtime in order to build packer with the Amazon plugin.
 
 1. This project always releases from the latest version of golang.
 [Install go](https://golang.org/doc/install#install) To properly build from
-source, you need to have golang >= 1.18
+source, you need to have golang >= 1.21
 
 ## Setting up Amazon plugin for dev
 

diff --git a/.github/actions/build-and-persist-plugin-binary/action.yml b/.github/actions/build-and-persist-plugin-binary/action.yml
@@ -0,0 +1,24 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+name: build-and-persist-plugin-binary
+inputs:
+  GOOS:
+    required: true
+  GOARCH:
+    required: true
+runs:
+  using: composite
+  steps:
+  - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+  - run: "GOOS=${{ inputs.GOOS }} GOARCH=${{ inputs.GOARCH }} go build -o ./pkg/packer_plugin_amazon_${{ inputs.GOOS }}_${{ inputs.GOARCH }} ."
+    shell: bash
+  - run: zip ./pkg/packer_plugin_amazon_${{ inputs.GOOS }}_${{ inputs.GOARCH }}.zip ./pkg/packer_plugin_amazon_${{ inputs.GOOS }}_${{ inputs.GOARCH }}
+    shell: bash
+  - run: rm ./pkg/packer_plugin_amazon_${{ inputs.GOOS }}_${{ inputs.GOARCH }}
+    shell: bash
+  - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+    with:
+      name: "packer_plugin_amazon_${{ inputs.GOOS }}_${{ inputs.GOARCH }}.zip"
+      path: "pkg/packer_plugin_amazon_${{ inputs.GOOS }}_${{ inputs.GOARCH }}.zip"
+      retention-days: 30
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,7 +1,5 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
 
 version: 2
 updates:
@@ -11,6 +9,4 @@ updates:
       interval: "daily"
     allow:
       - dependency-name: "github.com/hashicorp/packer-plugin-sdk"
-      - dependency-name: "github.com/hashicorp/hcl/v2"
-      - dependency-name: "github.com/zclconf/go-cty"
 
diff --git a/.github/release.yml b/.github/release.yml
@@ -1,3 +1,6 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
 changelog:
   exclude:
     labels:

diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
@@ -0,0 +1,118 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+name: "AWS Acceptance Tests"
+
+on:
+  schedule:
+    - cron: '0 4 * * SUN'
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: "A branch or SHA"
+        default: 'main'
+        required: false
+      run_pattern:
+        description: "The pattern to run tests on"
+        default: "TestAcc"
+        required: false
+
+permissions:
+  contents: read
+
+jobs:
+  get-go-version:
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.get-go-version.outputs.go-version }}
+    steps:
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+      - name: 'Determine Go version'
+        id: get-go-version
+        run: |
+          echo "Found Go $(cat .go-version)"
+          echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
+
+  ebs-acc-tests:
+    needs:
+      - get-go-version
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    name: AWS EBS Acceptance tests
+    steps:
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        with:
+          ref: ${{ github.event.inputs.branch }}
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        with:
+          go-version: ${{ needs.get-go-version.outputs.go-version }}
+      - name: "Compile/install the plugin on the current branch"
+        run: |
+          make dev
+      - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        with:
+          aws-access-key-id: "${{ secrets.AWS_ACC_TEST_KEY_ID }}"
+          aws-secret-access-key: "${{ secrets.AWS_ACC_TEST_KEY_SECRET }}"
+          aws-region: "${{ secrets.AWS_ACC_TEST_REGION }}"
+          role-to-assume: "${{ secrets.AWS_ACC_TEST_ROLE }}"
+          role-session-name: "packer-aws-acceptance-tests"
+          role-duration-seconds: 21600 # 6h
+      - run: |
+          echo "Testing with Go ${{ needs.get-go-version.outputs.go-version }}"
+          PACKER_ACC=1 go test \
+            -timeout 5h \
+            -count 1 \
+            -run "${{ github.event.inputs.run_pattern }}" \
+            ./builder/ebs
+      - run: zip ebs_failure_logs.zip builder/ebs/*txt
+        if: ${{ failure() }}
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        if: ${{ failure() }}
+        with:
+          name: "ebs_failure_logs.zip"
+          path: "ebs_failure_logs.zip"
+          retention-days: 5
+
+  ebssurrogate-acc-tests:
+    needs:
+      - get-go-version
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    name: AWS EBS Surrogate Acceptance tests
+    steps:
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        with:
+          ref: ${{ github.event.inputs.branch }}
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        with:
+          go-version: ${{ needs.get-go-version.outputs.go-version }}
+      - name: "Compile/install the plugin on the current branch"
+        run: |
+          make dev
+      - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2
+        with:
+          aws-access-key-id: "${{ secrets.AWS_ACC_TEST_KEY_ID }}"
+          aws-secret-access-key: "${{ secrets.AWS_ACC_TEST_KEY_SECRET }}"
+          aws-region: "${{ secrets.AWS_ACC_TEST_REGION }}"
+          role-to-assume: "${{ secrets.AWS_ACC_TEST_ROLE }}"
+          role-session-name: "packer-aws-acceptance-tests"
+          role-duration-seconds: 14400 # 4h
+      - run: |
+          echo "Testing with Go ${{ needs.get-go-version.outputs.go-version }}"
+          PACKER_ACC=1 go test \
+            -timeout 1h \
+            -count 1 \
+            -run "${{ github.event.inputs.run_pattern }}" \
+            ./builder/ebssurrogate
+      - run: zip ebssurrogate_failure_logs.zip builder/ebssurrogate/*txt
+        if: ${{ failure() }}
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        if: ${{ failure() }}
+        with:
+          name: "ebssurrogate_failure_logs.zip"
+          path: "ebssurrogate_failure_logs.zip"
+          retention-days: 5