From fb3ba302d2081082cf040a2f15f68ea2e0f5297a Mon Sep 17 00:00:00 2001 From: Milos Gajdos Date: Thu, 12 Dec 2024 08:42:19 +0000 Subject: [PATCH 1/2] chore: Bump alpine and Go versions 3.20 had a minor security vulnerability. Let's bump it. Related: * https://github.com/distribution/distribution-library-image/issues/171 * https://github.com/distribution/distribution/pull/4527 Bump Go version * CI * go.mod Signed-off-by: Milos Gajdos --- .github/workflows/build.yml | 2 +- Dockerfile | 4 ++-- dockerfiles/authors.Dockerfile | 2 +- dockerfiles/docs.Dockerfile | 4 ++-- dockerfiles/git.Dockerfile | 4 ++-- dockerfiles/lint.Dockerfile | 4 ++-- dockerfiles/vendor.Dockerfile | 4 ++-- go.mod | 2 +- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 825ca9272..f8a39bf22 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,7 +34,7 @@ jobs: matrix: go: - 1.22.8 - - 1.23.2 + - 1.23.4 target: - test-coverage - test-cloud-storage diff --git a/Dockerfile b/Dockerfile index 7a73f2ebd..95f8a4850 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.23.2 -ARG ALPINE_VERSION=3.20 +ARG GO_VERSION=1.23.4 +ARG ALPINE_VERSION=3.21 ARG XX_VERSION=1.6.1 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx diff --git a/dockerfiles/authors.Dockerfile b/dockerfiles/authors.Dockerfile index 908898c07..fad3d4cb1 100644 --- a/dockerfiles/authors.Dockerfile +++ b/dockerfiles/authors.Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -ARG ALPINE_VERSION=3.20 +ARG ALPINE_VERSION=3.21 FROM alpine:${ALPINE_VERSION} AS gen RUN apk add --no-cache git diff --git a/dockerfiles/docs.Dockerfile b/dockerfiles/docs.Dockerfile index 5257f20db..ec2c32d6e 100644 --- a/dockerfiles/docs.Dockerfile +++ b/dockerfiles/docs.Dockerfile 
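Review bot: The `go:` matrix in the build.yml hunk still lists `1.22.8` beside the bumped `1.23.4`, so one CI leg keeps building and testing with the older patch release. If the Go bump is meant to pick up toolchain fixes, the 1.22 entry presumably needs the matching patch release of its own line too; this is inferred, since the commit message gives a security reason only for Alpine. If the pin is deliberate, a short comment above the entry such as `# oldest supported Go line, pinned on purpose` would record that. go.mod in the same patch keeps `go 1.22.7`, which fits 1.22 staying in the matrix.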
@@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.23.2 -ARG ALPINE_VERSION=3.20 +ARG GO_VERSION=1.23.4 +ARG ALPINE_VERSION=3.21 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base RUN apk add --no-cache git diff --git a/dockerfiles/git.Dockerfile b/dockerfiles/git.Dockerfile index 2bc7a4de0..d0fd41e9e 100644 --- a/dockerfiles/git.Dockerfile +++ b/dockerfiles/git.Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.23.2 -ARG ALPINE_VERSION=3.20 +ARG GO_VERSION=1.23.4 +ARG ALPINE_VERSION=3.21 FROM alpine:${ALPINE_VERSION} AS base RUN apk add --no-cache git gpg diff --git a/dockerfiles/lint.Dockerfile b/dockerfiles/lint.Dockerfile index f0f35c6f2..bb936b6d7 100644 --- a/dockerfiles/lint.Dockerfile +++ b/dockerfiles/lint.Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.23.2 -ARG ALPINE_VERSION=3.20 +ARG GO_VERSION=1.23.4 +ARG ALPINE_VERSION=3.21 ARG GOLANGCI_LINT_VERSION=v1.61.0 ARG BUILDTAGS="" diff --git a/dockerfiles/vendor.Dockerfile b/dockerfiles/vendor.Dockerfile index d7710ae7e..788764629 100644 --- a/dockerfiles/vendor.Dockerfile +++ b/dockerfiles/vendor.Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 -ARG GO_VERSION=1.23.2 -ARG ALPINE_VERSION=3.20 +ARG GO_VERSION=1.23.4 +ARG ALPINE_VERSION=3.21 ARG MODOUTDATED_VERSION=v0.8.0 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base diff --git a/go.mod b/go.mod index f57833e9e..2c3404032 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/distribution/distribution/v3 go 1.22.7 -toolchain go1.23.2 +toolchain go1.23.4 require ( cloud.google.com/go/storage v1.45.0 From 96a3daafe907ac077d695358359f76b743410eef Mon Sep 17 00:00:00 2001 From: Milos Gajdos Date: Thu, 12 Dec 2024 11:34:21 +0000 Subject: [PATCH 2/2] Move a direct dependency to direct deps required modules Signed-off-by: Milos Gajdos --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 2c3404032..8c4eb393c 100644 
--- a/go.mod +++ b/go.mod @@ -40,6 +40,7 @@ require ( golang.org/x/crypto v0.31.0 golang.org/x/net v0.30.0 golang.org/x/oauth2 v0.23.0 + golang.org/x/sync v0.10.0 google.golang.org/api v0.197.0 gopkg.in/yaml.v2 v2.4.0 ) @@ -109,7 +110,6 @@ require ( go.opentelemetry.io/otel/sdk/log v0.8.0 // indirect go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect go.opentelemetry.io/proto/otlp v1.3.1 // indirect - golang.org/x/sync v0.10.0 golang.org/x/sys v0.28.0 // indirect golang.org/x/text v0.21.0 // indirect golang.org/x/time v0.6.0 // indirect