[Backport release-1.27] Fixes for CVE-2023-44487 #8408
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Go build | |
on: | |
push: | |
branches: | |
- main | |
- release-* | |
paths-ignore: | |
- 'docs/**' | |
- 'examples/**' | |
- '**.md' | |
- LICENSE | |
- '**.svg' | |
- '.github/workflows/docs.yml' | |
- '.github/workflows/mkdocs-set-default-version.yml' | |
- 'mkdocs.yml' | |
pull_request: | |
branches: | |
- main | |
- release-* | |
paths-ignore: | |
- 'docs/**' | |
- 'examples/**' | |
- '**.md' | |
- LICENSE | |
- '**.svg' | |
- '.github/workflows/docs.yml' | |
- '.github/workflows/mkdocs-set-default-version.yml' | |
- 'mkdocs.yml' | |
jobs: | |
build: | |
name: Build | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
target: [linux, windows] | |
include: | |
- target: linux | |
build-docker-image: k0sbuild | |
airgap-image-bundle: airgap-image-bundle-linux-amd64.tar | |
- target: windows | |
binary-suffix: .exe | |
outputs: | |
smoke-test-matrix: ${{ steps.list-smoke-tests.outputs.linux-matrix }} | |
airgap-image-bundle-hash-linux: ${{ steps.image-bundle-source.outputs.linux-hash }} | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # for `git describe` | |
persist-credentials: false | |
- name: Prepare build environment | |
run: .github/workflows/prepare-build-env.sh | |
- name: Cache embedded binaries | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-embedded-bins-${{ matrix.target }}-${{ hashFiles('embedded-bins/**/*') }} | |
path: | | |
.bins.${{ matrix.target }}.stamp | |
bindata_${{ matrix.target }} | |
embedded-bins/staging/${{ matrix.target }}/bin/ | |
embedded-bins/Makefile.variables | |
pkg/assets/zz_generated_offsets_${{ matrix.target }}.go | |
- name: Cache GOCACHE | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-build-gocache-${{ matrix.target }}-${{ github.ref_name }}-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-build-gocache-${{ matrix.target }}-${{ github.ref_name }}- | |
path: | | |
build/cache/go/build | |
- name: Cache GOMODCACHE | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-build-gomodcache-${{ matrix.target }}-${{ hashFiles('go.sum') }} | |
path: | | |
build/cache/go/mod | |
- name: Build | |
env: | |
TARGET_OS: '${{ matrix.target }}' | |
run: | | |
make bindata | |
make --touch codegen | |
make build | |
- name: Upload compiled binary | |
uses: actions/upload-artifact@v3 | |
with: | |
name: k0s${{ matrix.binary-suffix }} | |
path: k0s${{ matrix.binary-suffix }} | |
- name: List smoke tests | |
id: list-smoke-tests | |
run: | | |
./vars.sh FROM=inttest smoketests | jq --raw-input --raw-output \ | |
'split(" ") | [ .[] | select(. != "") ] | "${{ matrix.target }}-matrix=" + tojson' >> $GITHUB_OUTPUT | |
- name: Create airgap image list | |
if: matrix.airgap-image-bundle | |
run: make airgap-images.txt && cat airgap-images.txt | |
# Capture the calculated image bundle source hash in a build output, so | |
# it can be shared between the cache actions in this job and in the | |
# integration test matrix. Do this in a separate step, as the hashFiles | |
# function is evaluated before the step execution. So all the required | |
# files need to exist before that. A cleaner solution would have been to | |
# use the cache here, and then upload the cached image bundle, to be | |
# downloaded later on in the integration tests. That's the way it's done | |
# for the k0s binary. Unfortunately, the upload action is significantly | |
# slower than the cache action, for unclear reasons, so stick with this | |
# solution for faster builds. See: | |
# * https://github.com/actions/upload-artifact/issues/199#issuecomment-1190171851 | |
- name: Calculate airgap image bundle source hash | |
id: image-bundle-source | |
if: matrix.airgap-image-bundle | |
env: | |
HASH_KEY: ${{ matrix.target }}-hash | |
HASH_VALUE: ${{ hashFiles('Makefile', 'airgap-images.txt', 'hack/image-bundler/*') }} | |
run: printf '%s=%s\n' "$HASH_KEY" "$HASH_VALUE" >> "$GITHUB_OUTPUT" | |
- name: Cache airgap image bundle | |
id: cache-airgap-image-bundle | |
if: matrix.airgap-image-bundle | |
uses: actions/cache@v3 | |
# Technically, there's no need to restore the cache here, since this | |
# is more like a create-if-not-exists logic. Currently, there's no way | |
# to achieve this directly via actions/cache. See: | |
# * https://github.com/actions/cache/issues/321 | |
# * https://github.com/actions/cache/pull/420 | |
with: | |
key: ${{ matrix.airgap-image-bundle }}-${{ steps.image-bundle-source.outputs[format('{0}-hash', matrix.target)] }} | |
path: ${{ matrix.airgap-image-bundle }} | |
- name: Create airgap image bundle if not cached | |
if: matrix.airgap-image-bundle && steps.cache-airgap-image-bundle.outputs.cache-hit != 'true' | |
run: make ${{ matrix.airgap-image-bundle }} | |
unittest: | |
name: Unit test | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v3 | |
- name: Cache GOCACHE | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-unittest-gocache-linux-${{ github.ref_name }}-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-unittest-gocache-linux-${{ github.ref_name }}- | |
${{ runner.os }}-build-gocache-linux-${{ github.ref_name }}- | |
path: | | |
build/cache/go/build | |
- name: Cache GOMODCACHE | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-unittest-gomodcache-linux-${{ hashFiles('go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-build-gomodcache-linux-${{ hashFiles('go.sum') }} | |
path: | | |
build/cache/go/mod | |
- name: Run unit tests | |
env: | |
EMBEDDED_BINS_BUILDMODE: none | |
run: | | |
make bindata | |
make --touch codegen | |
make check-unit | |
- name: Validate OCI images manifests | |
run: make check-image-validity | |
unittest_windows: | |
name: Unit test (windows) | |
runs-on: windows-latest | |
defaults: | |
run: | |
shell: bash | |
steps: | |
- name: Check out | |
uses: actions/checkout@v3 | |
- name: Prepare build environment | |
run: .github/workflows/prepare-build-env.sh | |
- name: Set up Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Cache GOCACHE | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-unittest-gocache-windows-${{ github.ref_name }}-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-unittest-gocache-windows-${{ github.ref_name }}- | |
path: | | |
~\AppData\Local\go-build | |
- name: Cache GOMODCACHE | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-unittest-gomodcache-windows-${{ hashFiles('go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-build-gomodcache-windows-${{ hashFiles('go.sum') }} | |
path: | | |
~\go\pkg\mod | |
- name: Run unit tests | |
env: | |
EMBEDDED_BINS_BUILDMODE: none | |
TARGET_OS: windows | |
GO: go | |
GO_ENV: '' | |
run: | | |
make --touch .k0sbuild.docker-image.k0s go.sum | |
make bindata | |
make --touch codegen | |
make check-unit | |
smoketest: | |
name: Smoke test | |
needs: build | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
smoke-suite: ${{ fromJson(needs.build.outputs.smoke-test-matrix) }} | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v3 | |
- name: Reclaim runner disk space | |
run: .github/workflows/reclaim-runner-disk-space.bash | |
- name: Prepare build environment | |
run: .github/workflows/prepare-build-env.sh | |
- name: Prepare docker for ipv6 dualstack tests | |
if: contains(matrix.smoke-suite, 'dualstack') | |
run: .github/workflows/prepare-docker-ipv6.sh | |
- name: Set up Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Download compiled binary | |
uses: actions/download-artifact@v3 | |
with: | |
name: k0s | |
- name: k0s sysinfo | |
run: | | |
chmod +x k0s | |
./k0s sysinfo | |
- name: Cache airgap image bundle | |
id: cache-airgap-image-bundle | |
if: contains(matrix.smoke-suite, 'airgap') | |
uses: actions/cache@v3 | |
with: | |
key: airgap-image-bundle-linux-amd64.tar-${{ needs.build.outputs.airgap-image-bundle-hash-linux }} | |
path: airgap-image-bundle-linux-amd64.tar | |
- name: Run inttest | |
env: | |
NEEDS_AIRGAP_IMAGE_BUNDLE: ${{ contains(matrix.smoke-suite, 'airgap') }} | |
run: | | |
[ "$NEEDS_AIRGAP_IMAGE_BUNDLE" != true ] || [ -f airgap-image-bundle-linux-amd64.tar ] || { | |
echo Airgap image bundle file missing! | |
exit 1 | |
} | |
make -C inttest ${{ matrix.smoke-suite }} | |
- name: Collect k0s logs and support bundle | |
if: failure() | |
uses: actions/upload-artifact@v3 | |
with: | |
name: smoketest-${{ matrix.smoke-suite }}-files | |
path: | | |
/tmp/*.log | |
/tmp/support-bundle.tar.gz | |
- name: Collect sonobuoy results | |
if: failure() && contains(matrix.smoke-suite, 'conformance') | |
uses: actions/upload-artifact@v3 | |
with: | |
name: smoketest-${{ matrix.smoke-suite }}-sonobuoy-results | |
path: /tmp/*_sonobuoy_*.tar.gz | |
autopilot-smoketest-matrix: | |
name: Release matrix | |
runs-on: ubuntu-latest | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v3 | |
- name: Set up Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Generate Autopilot test matrix | |
id: set-matrix | |
run: | | |
set -x | |
k8sVersion="$(./vars.sh kubernetes_version)" | |
majorVersion="${k8sVersion%%.*}" | |
minorVersion=${k8sVersion#$majorVersion.} | |
minorVersion="${minorVersion%%.*}" | |
{ | |
printf matrix= | |
hack/tools/gen-matrix.sh "$majorVersion.$(($minorVersion - 1))" "$majorVersion.$minorVersion" | |
} >> "$GITHUB_OUTPUT" | |
autopilot-smoketest: | |
name: Autopilot smoke test | |
needs: | |
- build | |
- autopilot-smoketest-matrix | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
version: ${{fromJson(needs.autopilot-smoketest-matrix.outputs.matrix)}} | |
smoke-suite: | |
- check-ap-ha3x3 | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v3 | |
- name: Reclaim runner disk space | |
run: .github/workflows/reclaim-runner-disk-space.bash | |
- name: Prepare build environment | |
run: .github/workflows/prepare-build-env.sh | |
- name: Set up Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Download compiled binary | |
uses: actions/download-artifact@v3 | |
with: | |
name: k0s | |
- name: Download latest release | |
if: matrix.smoke-suite == 'check-ap-ha3x3' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
curl -L -o k0s-${{ matrix.version }} https://github.com/k0sproject/k0s/releases/download/${{ matrix.version }}/k0s-${{ matrix.version }}-amd64 | |
chmod +x k0s-${{ matrix.version }} | |
- name: k0s sysinfo | |
run: | | |
chmod +x k0s | |
./k0s sysinfo | |
- name: Run inttest | |
run: | | |
make -C inttest ${{ matrix.smoke-suite }} K0S_UPDATE_FROM_BIN=../k0s-${{ matrix.version }} | |
- name: Collect k0s logs and support bundle | |
if: failure() | |
uses: actions/upload-artifact@v3 | |
with: | |
name: autopilot-smoketest-${{ matrix.smoke-suite }}-${{ matrix.version }}-files | |
path: | | |
/tmp/*.log | |
/tmp/support-bundle.tar.gz | |
smoketest-arm: | |
name: Smoke test on armv7/arm64 | |
if: github.repository == 'k0sproject/k0s' | |
strategy: | |
fail-fast: false | |
matrix: | |
arch: | |
- arm # this is armv7 | |
- arm64 | |
runs-on: | |
- self-hosted | |
- linux | |
- ${{ matrix.arch }} | |
steps: | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 (see below) | |
- name: "Pre: Fixup directories" | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # for `git describe` | |
persist-credentials: false | |
- name: Prepare build environment | |
run: .github/workflows/prepare-build-env.sh | |
# We cannot rely on this for arm: https://github.com/actions/setup-go/issues/106 | |
- name: Set up Go | |
if: matrix.arch != 'arm' | |
uses: actions/setup-go@v3 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
# Install Go manually for arm. See above. | |
- name: Set up Go for armv6l | |
if: matrix.arch == 'arm' | |
run: | | |
echo "Setup go stable version $GO_VERSION" | |
rm -rf -- "$HOME/.local/go" | |
mkdir -p -- "$HOME/.local/go" | |
curl --silent -L "https://go.dev/dl/go${GO_VERSION%%.0}.linux-armv6l.tar.gz" | tar -C "$HOME/.local" -xz | |
echo "$HOME/.local/go/bin" >>"$GITHUB_PATH" | |
export PATH="$PATH:$HOME/.local/go/bin" | |
echo Added go to the path | |
echo "Successfully setup go version $GO_VERSION" | |
go version | |
echo ::group::go env | |
go env | |
echo ::endgroup:: | |
- name: Cache embedded binaries | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-embedded-bins-${{ matrix.arch }}-${{ hashFiles('**/embedded-bins/**/*') }} | |
path: | | |
.bins.linux.stamp | |
bindata_linux | |
embedded-bins/staging/linux/bin/ | |
embedded-bins/Makefile.variables | |
pkg/assets/zz_generated_offsets_linux.go | |
- name: Cache GOCACHE | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-smoketest-arm-gocache-${{ matrix.arch }}-${{ github.ref_name }}-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-smoketest-arm-gocache-${{ matrix.arch }}-${{ github.ref_name }}- | |
path: | | |
build/cache/go/build | |
- name: Cache GOMODCACHE | |
uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-smoketest-arm-gomodcache-${{ matrix.arch }}-${{ hashFiles('go.sum') }} | |
path: | | |
build/cache/go/mod | |
- name: Disable race checker | |
if: matrix.arch == 'arm' | |
run: echo GO_TEST_RACE= >>"$GITHUB_ENV" | |
- name: Build | |
run: | | |
make bindata | |
make --touch codegen | |
make build | |
- name: Upload compiled binary | |
uses: actions/upload-artifact@v3 | |
with: | |
name: k0s-${{ matrix.arch }} | |
path: k0s | |
- name: Unit tests | |
run: make check-unit | |
- name: k0s sysinfo | |
run: ./k0s sysinfo | |
- name: Run smoketest | |
run: make check-basic | |
- name: Create airgap image list | |
run: make airgap-images.txt | |
- name: Cache airgap image bundle | |
id: cache-airgap-image-bundle | |
uses: actions/cache@v3 | |
with: | |
key: airgap-image-bundle-linux-${{ matrix.arch }}-${{ hashFiles('Makefile', 'airgap-images.txt', 'hack/image-bundler/*') }} | |
path: | | |
airgap-images.txt | |
airgap-image-bundle-linux-${{ matrix.arch }}.tar | |
- name: Create airgap image bundle if not cached | |
if: steps.cache-airgap-image-bundle.outputs.cache-hit != 'true' | |
run: make airgap-image-bundle-linux-${{ matrix.arch }}.tar | |
- name: Run airgap test | |
run: | | |
make --touch airgap-image-bundle-linux-${{ matrix.arch }}.tar | |
make check-airgap | |
- name: Collect k0s logs and support bundle | |
if: failure() | |
uses: actions/upload-artifact@v3 | |
with: | |
name: smoketest-${{ matrix.arch }}-check-basic-files | |
path: | | |
/tmp/*.log | |
/tmp/support-bundle.tar.gz | |
# https://github.com/actions/checkout/issues/273#issuecomment-642908752 | |
# Golang mod cache tends to set directories to read-only, which breaks any | |
# attempts to simply remove those directories. The `make clean-gocache` | |
# target takes care of this, but the mod cache can't be deleted here, | |
# since it shall be cached across builds, and caching takes place as a | |
# post build action. So, as a workaround, ensure that all subdirectories | |
# are writable. | |
- name: "Post: Fixup directories" | |
if: always() | |
run: find . -type d -not -perm /u+w -exec chmod u+w '{}' \; |