Merge pull request #387 from thaJeztah/bump_go1.25

update to go1.25.1

.github/workflows/build.yml

@@ -15,7 +15,7 @@ on:
 
 env:
   DESTDIR: ./bin
-  GO_VERSION: 1.23.6
+  GO_VERSION: 1.25.1
 
 jobs:
   validate:
@@ -29,7 +29,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -44,19 +44,19 @@ jobs:
       fail-fast: false
       matrix:
         os:
+          - ubuntu-24.04
           - ubuntu-22.04
-          - ubuntu-20.04
+          - macOS-15-intel
           - macOS-15
           - macOS-14
-          - macOS-13
           - windows-2022
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       -
         name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ env.GO_VERSION }}
       -
@@ -73,7 +73,7 @@ jobs:
       -
         name: GPG conf
         if: ${{ !startsWith(matrix.os, 'windows-') }}
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         id: gpg
         with:
           script: |
@@ -139,7 +139,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       -
@@ -173,7 +173,7 @@ jobs:
       -
         name: GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda  # v2.2.1
+        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836  # v2.3.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -185,7 +185,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       -

.golangci.yml

@@ -1,31 +1,23 @@
+version: "2"
 run:
-  timeout: 10m
   modules-download-mode: vendor
 
 linters:
+  default: none
   enable:
-    - gofmt
     - govet
-    - depguard
-    - goimports
     - ineffassign
     - misspell
-    - unused
     - revive
     - staticcheck
-    - typecheck
+    - unused
-  disable-all: true
+  settings:
+    revive:
+      rules:
+        - name: package-comments  # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#package-comments
+          disabled: true
 
-linters-settings:
+formatters:
-  depguard:
+  enable:
-    rules:
+    - gofmt
-      main:
+    - goimports
-        deny:
-          - pkg: "io/ioutil"
-            desc: The io/ioutil package has been deprecated. See https://go.dev/doc/go1.16#ioutil
-
-issues:
-  exclude-rules:
-    - linters:
-        - revive
-      text: "stutters"

Dockerfile

@@ -1,11 +1,11 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.23.6
+ARG GO_VERSION=1.25.1
 ARG DEBIAN_VERSION=bookworm
 
-ARG XX_VERSION=1.6.1
+ARG XX_VERSION=1.7.0
-ARG OSXCROSS_VERSION=11.3-r7-debian
+ARG OSXCROSS_VERSION=11.3-r8-debian
-ARG GOLANGCI_LINT_VERSION=v1.64.5
+ARG GOLANGCI_LINT_VERSION=v2.5
 ARG DEBIAN_FRONTEND=noninteractive
 
 ARG PACKAGE=github.com/docker/docker-credential-helpers
@@ -99,21 +99,7 @@ FROM gobase AS version
 RUN --mount=target=. \
     echo -n "$(./hack/git-meta version)" | tee /tmp/.version ; echo -n "$(./hack/git-meta revision)" | tee /tmp/.revision
 
-FROM base AS build-linux
+FROM base AS build
-ARG PACKAGE
-RUN --mount=type=bind,target=. \
-    --mount=type=cache,target=/root/.cache \
-    --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
-    --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
-  set -ex
-  xx-go --wrap
-  make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
-  xx-verify /out/docker-credential-pass
-  xx-verify /out/docker-credential-secretservice
-EOT
-
-FROM base AS build-darwin
 ARG PACKAGE
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
@@ -124,28 +110,26 @@ RUN --mount=type=bind,target=. \
   set -ex
   export MACOSX_VERSION_MIN=$(make print-MACOSX_DEPLOYMENT_TARGET)
   xx-go --wrap
-  go install std
+  case "$(xx-info os)" in
-  make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+    linux)
-  xx-verify /out/docker-credential-osxkeychain
+      make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
-  xx-verify /out/docker-credential-pass
+      xx-verify /out/docker-credential-pass
+      xx-verify /out/docker-credential-secretservice
+      ;;
+    darwin)
+      go install std
+      make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+      xx-verify /out/docker-credential-osxkeychain
+      xx-verify /out/docker-credential-pass
+      ;;
+    windows)
+      make build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+      mv /out/docker-credential-wincred /out/docker-credential-wincred.exe
+      xx-verify /out/docker-credential-wincred.exe
+      ;;
+  esac
 EOT
 
-FROM base AS build-windows
-ARG PACKAGE
-RUN --mount=type=bind,target=. \
-    --mount=type=cache,target=/root/.cache \
-    --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
-    --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
-  set -ex
-  xx-go --wrap
-  make build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
-  mv /out/docker-credential-wincred /out/docker-credential-wincred.exe
-  xx-verify /out/docker-credential-wincred.exe
-EOT
-
-FROM build-$TARGETOS AS build
-
 FROM scratch AS binaries
 COPY --from=build /out /
 

deb/Dockerfile

@@ -1,10 +1,10 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.23.6
+ARG GO_VERSION=1.25.1
 ARG DISTRO=ubuntu
-ARG SUITE=focal
+ARG SUITE=jammy
 
-FROM golang:${GO_VERSION}-bullseye AS golang
+FROM golang:${GO_VERSION}-bookworm AS golang
 
 FROM ${DISTRO}:${SUITE}
 

go.mod

@@ -2,10 +2,13 @@ module github.com/docker/docker-credential-helpers
 
 go 1.21
 
-retract v0.9.0 // osxkeychain: a regression caused backward-incompatibility with earlier versions
+retract (
+	v0.9.1 // osxkeychain: a regression caused backward-incompatibility with earlier versions
+	v0.9.0 // osxkeychain: a regression caused backward-incompatibility with earlier versions
+)
 
 require (
-	github.com/danieljoos/wincred v1.2.2
+	github.com/danieljoos/wincred v1.2.3
 	github.com/keybase/go-keychain v0.0.1
 )
 

go.sum

@@ -1,5 +1,5 @@
-github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMFLdQ=
-github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
+github.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
@@ -8,8 +8,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

osxkeychain/osxkeychain.go

@@ -12,6 +12,8 @@ import "C"
 
 import (
 	"errors"
+	"net"
+	"net/url"
 	"strconv"
 
 	"github.com/docker/docker-credential-helpers/credentials"
@@ -44,6 +46,17 @@ func (h Osxkeychain) Add(creds *credentials.Credentials) error {
 	item.SetLabel(credentials.CredsLabel)
 	item.SetAccount(creds.Username)
 	item.SetData([]byte(creds.Secret))
+	// Prior to v0.9, the credential helper was searching for credentials with
+	// the "dflt" authentication type (see [1]). Since v0.9.0, Get doesn't use
+	// that attribute anymore, and v0.9.0 - v0.9.2 were not setting it here
+	// either.
+	//
+	// In order to keep compatibility with older versions, we need to store
+	// credentials with this attribute set. This way, credentials stored with
+	// newer versions can be retrieved by older versions.
+	//
+	// [1]: https://github.com/docker/docker-credential-helpers/blob/v0.8.2/osxkeychain/osxkeychain.c#L66
+	item.SetAuthenticationType("dflt")
 	if err := splitServer(creds.ServerURL, item); err != nil {
 		return err
 	}
@@ -121,10 +134,20 @@ func (h Osxkeychain) List() (map[string]string, error) {
 
 	resp := make(map[string]string)
 	for _, r := range res {
-		if r.Path == "" {
+		proto := "http"
-			continue
+		if r.Protocol == kSecProtocolTypeHTTPS {
+			proto = "https"
 		}
-		resp[r.Path] = r.Account
+		host := r.Server
+		if r.Port != 0 {
+			host = net.JoinHostPort(host, strconv.Itoa(int(r.Port)))
+		}
+		u := url.URL{
+			Scheme: proto,
+			Host:   host,
+			Path:   r.Path,
+		}
+		resp[u.String()] = r.Account
 	}
 	return resp, nil
 }

osxkeychain/osxkeychain_test.go

@@ -15,11 +15,6 @@ func TestOSXKeychainHelper(t *testing.T) {
 		Username:  "foobar",
 		Secret:    "foobarbaz",
 	}
-	creds1 := &credentials.Credentials{
-		ServerURL: "https://foobar.example.com:2376/v2",
-		Username:  "foobarbaz",
-		Secret:    "foobar",
-	}
 	helper := Osxkeychain{}
 	if err := helper.Add(creds); err != nil {
 		t.Fatal(err)
@@ -43,19 +38,49 @@ func TestOSXKeychainHelper(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	helper.Add(creds1)
+	if _, ok := auths[creds.ServerURL]; !ok {
-	defer helper.Delete(creds1.ServerURL)
+		t.Fatalf("server %s not found in list, got: %+v", creds.ServerURL, auths)
-	newauths, err := helper.List()
-	if len(newauths)-len(auths) != 1 {
-		if err == nil {
-			t.Fatalf("Error: len(newauths): %d, len(auths): %d", len(newauths), len(auths))
-		}
-		t.Fatalf("Error: len(newauths): %d, len(auths): %d\n Error= %v", len(newauths), len(auths), err)
 	}
 
+	// Insert another token and check if it is in the list
+	creds1 := &credentials.Credentials{
+		ServerURL: "https://foobar.example.com:2376/v2",
+		Username:  "foobarbaz",
+		Secret:    "foobar",
+	}
+	helper.Add(creds1)
+	defer helper.Delete(creds1.ServerURL)
+
+	auths, err = helper.List()
+	if err != nil {
+		t.Fatalf("operation List failed: %+v", err)
+	}
+
+	if _, ok := auths[creds.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds.ServerURL, auths)
+	}
+	if _, ok := auths[creds1.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds1.ServerURL, auths)
+	}
+
+	// Delete the 1st token inserted
 	if err := helper.Delete(creds.ServerURL); err != nil {
 		t.Fatal(err)
 	}
+
+	auths, err = helper.List()
+	if err != nil {
+		t.Fatalf("operation List failed: %+v", err)
+	}
+
+	// First token should have been deleted
+	if _, ok := auths[creds.ServerURL]; ok {
+		t.Fatalf("server %s was not deleted, got: %+v", creds.ServerURL, auths)
+	}
+	// Second token should still be there
+	if _, ok := auths[creds1.ServerURL]; !ok {
+		t.Fatalf("server %s not found in list, got: %+v", creds1.ServerURL, auths)
+	}
 }
 
 // TestOSXKeychainHelperRetrieveAliases verifies that secrets can be accessed
@@ -116,6 +141,39 @@ func TestOSXKeychainHelperRetrieveAliases(t *testing.T) {
 	}
 }
 
+func TestOSXKeychainHelperStoreWithUncleanPath(t *testing.T) {
+	helper := Osxkeychain{}
+	creds := &credentials.Credentials{
+		ServerURL: "https://::1:8080//////location/../../hello",
+		Username:  "testuser",
+		Secret:    "testsecret",
+	}
+
+	// Clean store before and after the test.
+	defer helper.Delete(creds.ServerURL)
+	if err := helper.Delete(creds.ServerURL); err != nil && !credentials.IsErrCredentialsNotFound(err) {
+		t.Errorf("prepare: failed to delete '%s': %v", creds.ServerURL, err)
+	}
+
+	// Store the credentials
+	if err := helper.Add(creds); err != nil {
+		t.Fatalf("Error: failed to store credentials with unclean path %q: %s", creds.ServerURL, err)
+	}
+
+	// Retrieve and verify credentials
+	username, secret, err := helper.Get(creds.ServerURL)
+	if err != nil {
+		t.Fatalf("Error: failed to retrieve credentials with unclean path %q: %s", creds.ServerURL, err)
+	}
+
+	if username != creds.Username {
+		t.Errorf("Error: expected username %s, got %s", creds.Username, username)
+	}
+	if secret != creds.Secret {
+		t.Errorf("Error: expected secret %s, got %s", creds.Secret, secret)
+	}
+}
+
 // TestOSXKeychainHelperRetrieveStrict verifies that only matching secrets are
 // returned.
 func TestOSXKeychainHelperRetrieveStrict(t *testing.T) {

pass/pass_test.go

@@ -83,10 +83,10 @@ func TestPassHelperList(t *testing.T) {
 		t.Error(err)
 	}
 	for server, username := range credsList {
-		if !(strings.HasSuffix(server, "2376/v1") || strings.HasSuffix(server, "2375/v1")) {
+		if !strings.HasSuffix(server, "2376/v1") && !strings.HasSuffix(server, "2375/v1") {
 			t.Errorf("invalid url: %s", server)
 		}
-		if !(username == "foo" || username == "bar") {
+		if username != "foo" && username != "bar" {
 			t.Errorf("invalid username: %v", username)
 		}
 

vendor/github.com/danieljoos/wincred/conversion.go

@@ -31,13 +31,13 @@ func utf16FromString(str string) []uint16 {
 
 // goBytes copies the given C byte array to a Go byte array (see `C.GoBytes`).
 // This function avoids having cgo as dependency.
-func goBytes(src uintptr, len uint32) []byte {
+func goBytes(src *byte, len uint32) []byte {
-	if src == uintptr(0) {
+	if src == nil || len == 0 {
 		return []byte{}
 	}
 	rv := make([]byte, len)
 	copy(rv, *(*[]byte)(unsafe.Pointer(&reflect.SliceHeader{
-		Data: src,
+		Data: uintptr(unsafe.Pointer(src)),
 		Len:  int(len),
 		Cap:  int(len),
 	})))
@@ -59,7 +59,7 @@ func sysToCredential(cred *sysCREDENTIAL) (result *Credential) {
 	result.CredentialBlob = goBytes(cred.CredentialBlob, cred.CredentialBlobSize)
 	result.Attributes = make([]CredentialAttribute, cred.AttributeCount)
 	attrSlice := *(*[]sysCREDENTIAL_ATTRIBUTE)(unsafe.Pointer(&reflect.SliceHeader{
-		Data: cred.Attributes,
+		Data: uintptr(unsafe.Pointer(cred.Attributes)),
 		Len:  int(cred.AttributeCount),
 		Cap:  int(cred.AttributeCount),
 	}))
@@ -85,17 +85,13 @@ func sysFromCredential(cred *Credential) (result *sysCREDENTIAL) {
 	result.LastWritten = syscall.NsecToFiletime(cred.LastWritten.UnixNano())
 	result.CredentialBlobSize = uint32(len(cred.CredentialBlob))
 	if len(cred.CredentialBlob) > 0 {
-		result.CredentialBlob = uintptr(unsafe.Pointer(&cred.CredentialBlob[0]))
+		result.CredentialBlob = &cred.CredentialBlob[0]
-	} else {
-		result.CredentialBlob = 0
 	}
 	result.Persist = uint32(cred.Persist)
 	result.AttributeCount = uint32(len(cred.Attributes))
 	attributes := make([]sysCREDENTIAL_ATTRIBUTE, len(cred.Attributes))
 	if len(attributes) > 0 {
-		result.Attributes = uintptr(unsafe.Pointer(&attributes[0]))
+		result.Attributes = &attributes[0]
-	} else {
-		result.Attributes = 0
 	}
 	for i := range cred.Attributes {
 		inAttr := &cred.Attributes[i]
@@ -104,9 +100,7 @@ func sysFromCredential(cred *Credential) (result *sysCREDENTIAL) {
 		outAttr.Flags = 0
 		outAttr.ValueSize = uint32(len(inAttr.Value))
 		if len(inAttr.Value) > 0 {
-			outAttr.Value = uintptr(unsafe.Pointer(&inAttr.Value[0]))
+			outAttr.Value = &inAttr.Value[0]
-		} else {
-			outAttr.Value = 0
 		}
 	}
 	result.TargetAlias, _ = syscall.UTF16PtrFromString(cred.TargetAlias)

vendor/github.com/danieljoos/wincred/sys.go

@@ -5,6 +5,7 @@ package wincred
 
 import (
 	"reflect"
+	"runtime"
 	"syscall"
 	"unsafe"
 
@@ -33,10 +34,10 @@ type sysCREDENTIAL struct {
 	Comment            *uint16
 	LastWritten        windows.Filetime
 	CredentialBlobSize uint32
-	CredentialBlob     uintptr
+	CredentialBlob     *byte
 	Persist            uint32
 	AttributeCount     uint32
-	Attributes         uintptr
+	Attributes         *sysCREDENTIAL_ATTRIBUTE
 	TargetAlias        *uint16
 	UserName           *uint16
 }
@@ -46,7 +47,7 @@ type sysCREDENTIAL_ATTRIBUTE struct {
 	Keyword   *uint16
 	Flags     uint32
 	ValueSize uint32
-	Value     uintptr
+	Value     *byte
 }
 
 // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw
@@ -93,6 +94,8 @@ func sysCredWrite(cred *Credential, typ sysCRED_TYPE) error {
 		uintptr(unsafe.Pointer(ncred)),
 		0,
 	)
+	// Make sure everything reachable from ncred stays alive through the call.
+	runtime.KeepAlive(ncred)
 	if ret == 0 {
 		return err
 	}

vendor/modules.txt

@@ -1,4 +1,4 @@
-# github.com/danieljoos/wincred v1.2.2
+# github.com/danieljoos/wincred v1.2.3
 ## explicit; go 1.18
 github.com/danieljoos/wincred
 # github.com/keybase/go-keychain v0.0.1