
chore: auto-bump golang patch versions #6711

Merged

Conversation

chen-keinan (Contributor) commented May 16, 2024

Description

The following change will help to solve an issue with auto-bumping golang patch versions.

Current behaviour

Up to now, auto-bump golang patch versions was using the following:

```yaml
- uses: actions/setup-go@v5
  with:
    go-version-file: 'go.mod'
```

This setting assumes that the go.mod file of Trivy is configured with a partial Go version, <major>.<minor>, for instance go 1.22.

The Problem

It has been observed that if a go.mod file includes a dependency like github.com/aquasecurity/trivy-kubernetes, and that dependency's go.mod file specifies a full Go version <major>.<minor>.<patch> such as go 1.22.0, then the Go version of this dependency will replace the Go version specified in the Trivy go.mod file.

Therefore the above actions/setup-go cannot be used with the go-version-file: 'go.mod' param.

Workaround

The workaround will be to use the following go-version param with a partial version, which will auto-bump the patch version without reference to the go.mod file.

```yaml
- uses: actions/setup-go@v5
  with:
    go-version: '1.22'
```

chen-keinan force-pushed the chore/auto-bump-minor-golang-version branch from 6ca626c to 0f08d0d, May 16, 2024 12:44
knqyf263 (Collaborator) commented May 17, 2024

@aquasecurity/trivy FYI

Let me add something here. According to the documentation of actions/setup-go, it uses the specific patch version if it is specified in go.mod. That's why I suggested using go 1.22 here rather than go 1.22.0.

> The go directive in go.mod can specify a patch version or omit it altogether (e.g., go 1.22.0 or go 1.22).
> If a patch version is specified, that specific patch version will be used.
> If no patch version is specified, it will search for the latest available patch version in the cache, versions-manifest.json, and the official Go language website, in that order.

https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file

We confirmed v1.22.0 was used in this workflow.
https://github.com/aquasecurity/trivy/actions/runs/9108238744/job/25038616208?pr=6707

It will miss patches in v1.22.x and be problematic in terms of security. However, it is impossible to ask all dependent modules not to use 1.22.0. We need this workaround for now.
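As an added example (not code from this PR, from actions/setup-go, or from Trivy), the following Go program models the two points made in the description and in the comment above. `EffectiveGoDirective` raises a main module's `go` directive to the highest directive declared by any dependency, so a dependency declaring `go 1.22.0` turns a bare `go 1.22` into `go 1.22.0`. `SetupGoInput` is a pre-check a workflow could run to detect that `go-version-file: go.mod` would pin a patch release and to derive the `major.minor` string to pass to `go-version` instead. All function and type names and the embedded `sampleGoMod` are constructed for this example; the ordering rule ("1.22" sorts before "1.22.0") follows the go command's version ordering, and pre-release directives such as `go 1.22rc1` are rejected rather than modelled.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// goVersion is a parsed `go` directive such as "1.22" (hasPatch=false) or "1.22.0"; pre-release forms like "1.22rc1" are rejected by parseGoVersion.
type goVersion struct {
	major, minor, patch int
	hasPatch            bool
}

func parseGoVersion(s string) (goVersion, error) {
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return goVersion{}, fmt.Errorf("unsupported go directive %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return goVersion{}, fmt.Errorf("bad component %q in go directive %q", p, s)
		}
		n[i] = v
	}
	return goVersion{n[0], n[1], n[2], len(parts) == 3}, nil
}

func (v goVersion) String() string {
	if v.hasPatch {
		return fmt.Sprintf("%d.%d.%d", v.major, v.minor, v.patch)
	}
	return fmt.Sprintf("%d.%d", v.major, v.minor)
}

// less orders versions as the go command does: "1.22" < "1.22.0" < "1.22.1".
func (v goVersion) less(w goVersion) bool {
	if v.major != w.major || v.minor != w.minor {
		return v.major < w.major || (v.major == w.major && v.minor < w.minor)
	}
	if v.hasPatch != w.hasPatch {
		return !v.hasPatch // a bare major.minor sorts before major.minor.0
	}
	return v.patch < w.patch
}

// GoDirective parses the `go` line of go.mod text, ignoring `//` comments.
func GoDirective(modfile string) (goVersion, error) {
	for _, line := range strings.Split(modfile, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		if f := strings.Fields(line); len(f) == 2 && f[0] == "go" {
			return parseGoVersion(f[1])
		}
	}
	return goVersion{}, fmt.Errorf("no go directive found")
}

// EffectiveGoDirective models what the PR observed: the go command raises the main module's `go` directive to the highest directive declared by any dependency.
func EffectiveGoDirective(mainDirective string, depDirectives ...string) (string, error) {
	best, err := parseGoVersion(mainDirective)
	if err != nil {
		return "", err
	}
	for _, d := range depDirectives {
		v, err := parseGoVersion(d)
		if err != nil {
			return "", err
		}
		if best.less(v) {
			best = v
		}
	}
	return best.String(), nil
}

// SetupGoInput is the CI pre-check: it reports whether `go-version-file: go.mod` would
// pin a patch release, and the major.minor value to pass to setup-go's `go-version` instead.
func SetupGoInput(modfile string) (bool, string, error) {
	v, err := GoDirective(modfile)
	if err != nil {
		return false, "", err
	}
	return v.hasPatch, fmt.Sprintf("%d.%d", v.major, v.minor), nil
}

// sampleGoMod is a constructed go.mod (not Trivy's) whose directive a dependency
// declaring `go 1.22.0` has already raised from 1.22 to 1.22.0.
const sampleGoMod = "module example.com/scanner\n\ngo 1.22.0 // raised from 1.22\n\nrequire example.com/dep v0.1.0\n"

func main() {
	eff, _ := EffectiveGoDirective("1.22", "1.21.5", "1.22.0")
	pinned, mm, _ := SetupGoInput(sampleGoMod)
	fmt.Printf("effective directive %s; go-version-file pins a patch: %v; use go-version: '%s'\n", eff, pinned, mm)
}
```

Run it with `go run` to see the effective directive and the recommended setup-go input. In a workflow, a true `pinsPatch` result is the signal that `go-version-file: go.mod` would freeze the runner on an old patch release and that `go-version: '<major>.<minor>'` should be used instead, which is exactly the switch this PR makes.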

chen-keinan (Contributor, Author) commented:

@knqyf263 comments have been addressed

@knqyf263 knqyf263 added this pull request to the merge queue May 19, 2024
Merged via the queue into aquasecurity:main with commit eca5150 May 19, 2024
12 checks passed
knqyf263 pushed a commit that referenced this pull request May 20, 2024