notkshitij/docker-credential-helpers
1
0
Fork 0
mirror of https://github.com/docker/docker-credential-helpers.git synced 2026-06-28 15:21:29 +05:30
Code Releases 1 Activity

Compare commits

base: notkshitij/docker-credential-helpers:v0.9.2
Branches Tags
notkshitij/docker-credential-helpers:dependabot/github_actions/actions/setup-go-6.5.0 notkshitij/docker-credential-helpers:dependabot/github_actions/softprops/action-gh-release-3.0.1 notkshitij/docker-credential-helpers:dependabot/github_actions/actions/checkout-7.0.0 notkshitij/docker-credential-helpers:dependabot/github_actions/crazy-max/dot-github/dot-github/workflows/zizmor.yml-1.10.1 notkshitij/docker-credential-helpers:main notkshitij/docker-credential-helpers:dependabot/github_actions/codecov/codecov-action-7.0.0
notkshitij/docker-credential-helpers:v0.9.8 notkshitij/docker-credential-helpers:v0.9.7 notkshitij/docker-credential-helpers:v0.9.6 notkshitij/docker-credential-helpers:v0.9.5 notkshitij/docker-credential-helpers:v0.9.4 notkshitij/docker-credential-helpers:0.9.3 notkshitij/docker-credential-helpers:v0.9.3 notkshitij/docker-credential-helpers:v0.9.2 notkshitij/docker-credential-helpers:v0.9.1 notkshitij/docker-credential-helpers:v0.9.0 notkshitij/docker-credential-helpers:v0.8.2 notkshitij/docker-credential-helpers:v0.8.1 notkshitij/docker-credential-helpers:v0.8.0 notkshitij/docker-credential-helpers:v0.7.0 notkshitij/docker-credential-helpers:v0.7.0-beta.2 notkshitij/docker-credential-helpers:v0.7.0-beta.1 notkshitij/docker-credential-helpers:v0.6.4 notkshitij/docker-credential-helpers:v0.6.3 notkshitij/docker-credential-helpers:v0.6.2 notkshitij/docker-credential-helpers:v0.6.1 notkshitij/docker-credential-helpers:v0.6.0 notkshitij/docker-credential-helpers:v0.5.2 notkshitij/docker-credential-helpers:v0.5.1 notkshitij/docker-credential-helpers:v0.5.0 notkshitij/docker-credential-helpers:v0.4.2 notkshitij/docker-credential-helpers:v0.4.1 notkshitij/docker-credential-helpers:v0.4.0 notkshitij/docker-credential-helpers:v0.3.0 notkshitij/docker-credential-helpers:v0.2.0 notkshitij/docker-credential-helpers:v0.1.0
..
compare: notkshitij/docker-credential-helpers:16a8c2ce61b552a4263882a57755d712d84f5762
Branches Tags
notkshitij/docker-credential-helpers:dependabot/github_actions/actions/setup-go-6.5.0 notkshitij/docker-credential-helpers:dependabot/github_actions/softprops/action-gh-release-3.0.1 notkshitij/docker-credential-helpers:dependabot/github_actions/actions/checkout-7.0.0 notkshitij/docker-credential-helpers:dependabot/github_actions/crazy-max/dot-github/dot-github/workflows/zizmor.yml-1.10.1 notkshitij/docker-credential-helpers:main notkshitij/docker-credential-helpers:dependabot/github_actions/codecov/codecov-action-7.0.0
notkshitij/docker-credential-helpers:v0.9.8 notkshitij/docker-credential-helpers:v0.9.7 notkshitij/docker-credential-helpers:v0.9.6 notkshitij/docker-credential-helpers:v0.9.5 notkshitij/docker-credential-helpers:v0.9.4 notkshitij/docker-credential-helpers:0.9.3 notkshitij/docker-credential-helpers:v0.9.3 notkshitij/docker-credential-helpers:v0.9.2 notkshitij/docker-credential-helpers:v0.9.1 notkshitij/docker-credential-helpers:v0.9.0 notkshitij/docker-credential-helpers:v0.8.2 notkshitij/docker-credential-helpers:v0.8.1 notkshitij/docker-credential-helpers:v0.8.0 notkshitij/docker-credential-helpers:v0.7.0 notkshitij/docker-credential-helpers:v0.7.0-beta.2 notkshitij/docker-credential-helpers:v0.7.0-beta.1 notkshitij/docker-credential-helpers:v0.6.4 notkshitij/docker-credential-helpers:v0.6.3 notkshitij/docker-credential-helpers:v0.6.2 notkshitij/docker-credential-helpers:v0.6.1 notkshitij/docker-credential-helpers:v0.6.0 notkshitij/docker-credential-helpers:v0.5.2 notkshitij/docker-credential-helpers:v0.5.1 notkshitij/docker-credential-helpers:v0.5.0 notkshitij/docker-credential-helpers:v0.4.2 notkshitij/docker-credential-helpers:v0.4.1 notkshitij/docker-credential-helpers:v0.4.0 notkshitij/docker-credential-helpers:v0.3.0 notkshitij/docker-credential-helpers:v0.2.0 notkshitij/docker-credential-helpers:v0.1.0

81 Commits
v0.9.2 .. 16a8c2ce61

Author SHA1 Message Date
Sebastiaan van Stijn 16a8c2ce61 Merge pull request #421 from docker/dependabot/github_actions/actions/upload-artifact-7.0.1 
build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1
 2026-04-15 11:49:37 +02:00
Sebastiaan van Stijn 164ec8c494 Merge pull request #422 from docker/dependabot/github_actions/actions/setup-go-6.4.0 
build(deps): bump actions/setup-go from 6.3.0 to 6.4.0
 2026-04-15 11:48:45 +02:00
dependabot[bot] defdb5e2f5 build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/4b73464bb391d4059bd26b0524d20df3927bd417...4a3601121dd01d1626a1e23e37211e3254c1c06c)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-15 09:43:51 +00:00
dependabot[bot] 28e11f3745 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-15 09:43:47 +00:00
Sebastiaan van Stijn e3d1da694f Merge pull request #419 from docker/dependabot/github_actions/actions/github-script-9 
build(deps): bump actions/github-script from 8 to 9
 2026-04-14 23:26:08 +02:00
Sebastiaan van Stijn 98a1b9ce53 Merge pull request #413 from docker/dependabot/github_actions/docker/bake-action-7 
build(deps): bump docker/bake-action from 6 to 7
 2026-04-14 23:25:31 +02:00
Sebastiaan van Stijn ca21698edc Merge pull request #418 from docker/dependabot/github_actions/codecov/codecov-action-6 
build(deps): bump codecov/codecov-action from 5 to 6
 2026-04-14 23:17:01 +02:00
dependabot[bot] 300c1b491f build(deps): bump docker/bake-action from 6 to 7 
Bumps [docker/bake-action](https://github.com/docker/bake-action) from 6 to 7.
- [Release notes](https://github.com/docker/bake-action/releases)
- [Commits](https://github.com/docker/bake-action/compare/v6...v7)

---
updated-dependencies:
- dependency-name: docker/bake-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-14 21:16:09 +00:00
Sebastiaan van Stijn 14b6d371c9 Merge pull request #420 from docker/dependabot/github_actions/softprops/action-gh-release-3.0.0 
build(deps): bump softprops/action-gh-release from 2.5.0 to 3.0.0
 2026-04-14 23:13:27 +02:00
dependabot[bot] bfd43cacbb build(deps): bump codecov/codecov-action from 5 to 6 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5 to 6.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5...v6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-14 21:12:32 +00:00
dependabot[bot] 7b43509f5b build(deps): bump actions/github-script from 8 to 9 
Bumps [actions/github-script](https://github.com/actions/github-script) from 8 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v8...v9)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-14 21:12:31 +00:00
Sebastiaan van Stijn 5ad51ee4a4 Merge pull request #417 from thaJeztah/pin_actions 
ci: pin actions by sha
 2026-04-14 23:11:29 +02:00
dependabot[bot] 5b6a1880fa build(deps): bump softprops/action-gh-release from 2.5.0 to 3.0.0 
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.5.0 to 3.0.0.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/a06a81a03ee405af7f2048a818ed3f03bbf83c7b...b4309332981a82ec1c5618f44dd2e27cc8bfbfda)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-04-13 10:33:46 +00:00
Sebastiaan van Stijn 29038b4df4 ci: pin actions by sha 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-03-25 20:24:38 +01:00
Sebastiaan van Stijn 955f6c518d Merge pull request #414 from thaJeztah/update_go1.25.8 
update to go1.25.8
 2026-03-10 17:30:11 +01:00
Sebastiaan van Stijn 0202e5a960 update to go1.25.8 
go1.25.8 (released 2026-03-05) includes security fixes to the html/template,
net/url, and os packages, as well as bug fixes to the go command, the compiler,
and the os package. See the Go 1.25.8 milestone on our issue tracker for details.

- 1.25.8 https://github.com/golang/go/issues?q=milestone%3AGo1.25.8+label%3ACherryPickApproved
- diff: https://github.com/golang/go/compare/go1.25.7...go1.25.8
- 1.26.1 https://github.com/golang/go/issues?q=milestone%3AGo1.26.1+label%3ACherryPickApproved
- diff: https://github.com/golang/go/compare/go1.26.0...go1.26.1

---

We have just released Go versions 1.26.1 and 1.25.8, minor point releases.

These releases include 5 security fixes following the security policy:

crypto/x509: incorrect enforcement of email constraints

- When verifying a certificate chain which contains a certificate containing
  multiple email address constraints (composed of the full email address) which
  share common local portions (the portion of the address before the '@'
  character) but different domain portions (the portion of the address after the
  '@' character), these constraints will not be properly applied, and only the
  last constraint will be considered.

  This can allow certificates in the chain containing email addresses which are
  either not permitted or excluded by the relevant constraints to be returned by
  calls to Certificate.Verify. Since the name constraint checks happen after chain
  building is complete, this only applies to certificate chains which chain to
  trusted roots (root certificates either in VerifyOptions.Roots or in the system
  root certificate pool), requiring a trusted CA to issue certificates containing
  either not permitted or excluded email addresses.

  This issue only affects Go 1.26.

  Thanks to Jakub Ciolek for reporting this issue.

  This is CVE-2026-27137 and Go issue https://go.dev/issue/77952.

- crypto/x509: panic in name constraint checking for malformed certificates

  Certificate verification can panic when a certificate in the chain has an empty
  DNS name and another certificate in the chain has excluded name constraints.
  This can crash programs that are either directly verifying X.509 certificate
  chains, or those that use TLS.

  Since the name constraint checks happen after chain building is complete, this
  only applies to certificate chains which chain to trusted roots (root
  certificates either in VerifyOptions.Roots or in the system root certificate
  pool), requiring a trusted CA to issue certificates containing malformed DNS
  names.

  This issue only affects Go 1.26.

  Thanks to Jakub Ciolek for reporting this issue.

  This is CVE-2026-27138 and Go issue https://go.dev/issue/77953.

- html/template: URLs in meta content attribute actions are not escaped

  Actions which insert URLs into the content attribute of HTML meta tags are not
  escaped. This can allow XSS if the meta tag also has an http-equiv attribute
  with the value "refresh".

  A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be
  used to disable escaping URLs in actions in the meta content attribute which
  follow "url=" by setting htmlmetacontenturlescape=0.

  This is CVE-2026-27142 and Go issue https://go.dev/issue/77954.

- net/url: reject IPv6 literal not at start of host

  The Go standard library function net/url.Parse insufficiently
  validated the host/authority component and accepted some invalid URLs
  by effectively treating garbage before an IP-literal as ignorable.
  The function should have rejected this as invalid.

  To prevent this behavior, net/url.Parse now rejects IPv6 literals
  that do not appear at the start of the host subcomponent of a URL.

  Thanks to Masaki Hara (https://github.com/qnighy) of Wantedly.

  This is CVE-2026-25679 and Go issue https://go.dev/issue/77578.

- os: FileInfo can escape from a Root

  On Unix platforms, when listing the contents of a directory using
  File.ReadDir or File.Readdir the returned FileInfo could reference
  a file outside of the Root in which the File was opened.

  The contents of the FileInfo were populated using the lstat system
  call, which takes the path to the file as a parameter. If a component
  of the full path of the file described by the FileInfo is replaced with
  a symbolic link, the target of the lstat can be directed to another
  location on the filesystem.

  The impact of this escape is limited to reading metadata provided by
  lstat from arbitrary locations on the filesystem. This could be used
  to probe for the presence or absence of files as well as gleaning
  metadata like file sizes, but does not permit reading or writing files
  outside the root.

  The FileInfo is now populated using fstatat.

  Thank you to Miloslav Trmač of Red Hat for reporting this issue.

  This is CVE-2026-27139 and Go issue https://go.dev/issue/77827.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-03-06 13:58:18 +01:00
CrazyMax 4e2b0ff14f Merge pull request #408 from docker/dependabot/github_actions/actions/upload-artifact-7 
build(deps): bump actions/upload-artifact from 6 to 7
 2026-03-05 11:15:50 +01:00
CrazyMax 8fe8d458f7 Merge pull request #409 from docker/dependabot/github_actions/crazy-max/ghaction-import-gpg-7 
build(deps): bump crazy-max/ghaction-import-gpg from 6 to 7
 2026-03-05 11:15:27 +01:00
CrazyMax af758c414c Merge pull request #411 from docker/dependabot/github_actions/docker/setup-buildx-action-4 
build(deps): bump docker/setup-buildx-action from 3 to 4
 2026-03-05 11:15:06 +01:00
dependabot[bot] dc6f4f5cb9 build(deps): bump docker/setup-buildx-action from 3 to 4 
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-05 09:43:23 +00:00
CrazyMax 4e68cd824e Merge pull request #410 from docker/dependabot/github_actions/docker/setup-qemu-action-4 
build(deps): bump docker/setup-qemu-action from 3 to 4
 2026-03-04 11:02:41 +01:00
dependabot[bot] d520877610 build(deps): bump docker/setup-qemu-action from 3 to 4 
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](https://github.com/docker/setup-qemu-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-04 09:43:23 +00:00
dependabot[bot] f0e4adbf36 build(deps): bump crazy-max/ghaction-import-gpg from 6 to 7 
Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 6 to 7.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Commits](https://github.com/crazy-max/ghaction-import-gpg/compare/v6...v7)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-03 09:43:35 +00:00
dependabot[bot] bf6137df6b build(deps): bump actions/upload-artifact from 6 to 7 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-02-27 09:43:12 +00:00
Sebastiaan van Stijn 2b4e08bca3 Merge pull request #407 from thaJeztah/bump_go1.25.7 
update to go1.25.7
 2026-02-05 13:23:39 +01:00
Sebastiaan van Stijn 62deeb49c1 update to go1.25.7 
go1.25.7 (released 2026-02-04) includes security fixes to the go command
and the crypto/tls package, as well as bug fixes to the compiler and the
crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for
details:
https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.25.6...go1.25.7

From the security mailing list:

> Hello gophers,
>
> We have just released Go versions 1.25.7 and 1.24.13, minor point releases.
>
> These releases include 2 security fixes following the security policy:
>
> - cmd/cgo: remove user-content from doc strings in cgo ASTs
>
>   A discrepancy between how Go and C/C++ comments
>   were parsed allowed for code smuggling into the
>   resulting cgo binary.
>
>   To prevent this behavior, the cgo compiler
>   will no longer parse user-provided doc
>   comments.
>
>   Thank you to RyotaK (https://ryotak.net) of
>   GMO Flatt Security Inc. for reporting this issue.
>
>   This is CVE-2025-61732 and https://go.dev/issue/76697.
>
> - crypto/tls: unexpected session resumption when using Config.GetConfigForClient
>
>   Config.GetConfigForClient is documented to use the original Config's session
>   ticket keys unless explicitly overridden. This can cause unexpected behavior if
>   the returned Config modifies authentication parameters, like ClientCAs: a
>   connection initially established with the parent (or a sibling) Config can be
>   resumed, bypassing the modified authentication requirements.
>
>   If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the
>   server) or InsecureSkipVerify is false (on the client), crypto/tls now checks
>   that the root of the previously-verified chain is still in ClientCAs/RootCAs
>   when resuming a connection.
>
>   Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue
>   related to session ticket keys being implicitly shared by Config.Clone. Since
>   this fix is broader, the Config.Clone behavior change has been reverted.
>
>   Note that VerifyPeerCertificate still behaves as documented: it does not apply
>   to resumed connections. Applications that use Config.GetConfigForClient or
>   Config.Clone and do not wish to blindly resume connections established with the
>   original Config must use VerifyConnection instead (or SetSessionTicketKeys or
>   SessionTicketsDisabled).
>
>   Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
>
>   This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-02-05 13:13:02 +01:00
Paweł Gronowski 6ca9924445 Merge pull request #406 from thaJeztah/bump_go 
update to go1.25.6
 2026-01-19 13:51:23 +00:00
Sebastiaan van Stijn 806dc5f678 update to go1.25.6 
This releases includes 6 security fixes following the security policy:

- archive/zip: denial of service when parsing arbitrary ZIP archives

    archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

    Thanks to Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-61728 and Go issue https://go.dev/issue/77102.

- net/http: memory exhaustion in Request.ParseForm

    When parsing a URL-encoded form net/http may allocate an unexpected amount of
    memory when provided a large number of key-value pairs. This can result in a
    denial of service due to memory exhaustion.

    Thanks to jub0bs for reporting this issue.

    This is CVE-2025-61726 and Go issue https://go.dev/issue/77101.

- crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain

    The Config.Clone methods allows cloning a Config which has already been passed
    to a TLS function, allowing it to be mutated and reused.

    If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys has
    not been called, crypto/tls will generate random session ticket keys and
    automatically rotate them. Config.Clone would copy these automatically generated
    keys into the returned Config, meaning that the two Configs would share session
    ticket keys, allowing sessions created using one Config could be used to resume
    sessions with the other Config. This can allow clients to resume sessions even
    though the Config may be configured such that they should not be able to do so.

    Config.Clone no longer copies the automatically generated session ticket keys.
    Config.Clone still copies keys which are explicitly provided, either by setting
    Config.SessionTicketKey or by calling Config.SetSessionTicketKeys.

    This issue was discoverd by the Go Security team while investigating another
    issue reported by Coia Prant (github.com/rbqvq).

    Additionally, on the server side only the expiration of the leaf certificate, if
    one was provided during the initial handshake, was checked when considering if a
    session could be resumed. This allowed sessions to be resumed if an intermediate
    or root certificate in the chain had expired.

    Session resumption now takes into account of the full chain when determining if
    the session can be resumed.

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This is CVE-2025-68121 and Go issue https://go.dev/issue/77113.

- cmd/go: bypass of flag sanitization can lead to arbitrary code execution

    Usage of 'CgoPkgConfig' allowed execution of the pkg-config
    binary with flags that are not explicitly safe-listed.

    To prevent this behavior, compiler flags resulting from usage
    of 'CgoPkgConfig' are sanitized prior to invoking pkg-config.

    Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
    for reporting this issue.

    This is CVE-2025-61731 and go.dev/issue/77100.

- cmd/go: unexpected code execution when invoking toolchain

    The Go toolchain supports multiple VCS which are used retrieving modules and
    embedding build information into binaries.

    On systems with Mercurial installed (hg) downloading modules (e.g. via go get or
    go mod download) from non-standard sources (e.g. custom domains) can cause
    unexpected code execution due to how external VCS commands are constructed.

    On systems with Git installed, downloading and building modules with malicious
    version strings could allow an attacker to write to arbitrary files on the
    system the user has access to. This can only be triggered by explicitly
    providing the malicious version strings to the toolchain, and does not affect
    usage of @latest or bare module paths.

    The toolchain now uses safer VCS options to prevent misinterpretation of
    untrusted inputs. In addition, the toolchain now disallows module version
    strings prefixed with a "-" or "/" character.

    Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this
    issue.

    This is CVE-2025-68119 and Go issue https://go.dev/issue/77099.

- crypto/tls: handshake messages may be processed at the incorrect encryption level

    During the TLS 1.3 handshake if multiple messages are sent in records that span
    encryption level boundaries (for instance the Client Hello and Encrypted
    Extensions messages), the subsequent messages may be processed before the
    encryption level changes. This can cause some minor information disclosure if a
    network-local attacker can inject messages during the handshake.

    Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.

    This is CVE-2025-61730 and Go issue https://go.dev/issue/76443

View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-01-19 14:21:10 +01:00
Sebastiaan van Stijn a7b23cd2b5 Merge pull request #405 from thaJeztah/gha_perms 
gha: set default permissions, add guardrail timeouts, and update branch name (master -> main)
 2026-01-09 11:41:43 +01:00
Sebastiaan van Stijn 178a3a4e57 gha: update master branch to main 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-01-09 09:43:50 +01:00
Sebastiaan van Stijn f5fd80af0f gha: add guardrails timeouts to jobs 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-01-09 09:35:19 +01:00
Sebastiaan van Stijn ae163ade7b gha: set "read" permissions as default 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-01-09 09:28:23 +01:00
Sebastiaan van Stijn b871f76540 Merge pull request #404 from thaJeztah/rm_noninteractive 
Dockerfile: remove redundant DEBIAN_FRONTEND=noninteractive
 2026-01-08 17:44:32 +01:00
Sebastiaan van Stijn 50c1460bf5 Dockerfile: remove redundant DEBIAN_FRONTEND=noninteractive 
This should no longer be needed for current versions of Debian
and Ubuntu.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-01-08 13:06:40 +01:00
Sebastiaan van Stijn aecf6e5780 Merge pull request #402 from thaJeztah/bump_golangci_lint 
Dockerfile: update golangci-lint to v2.8
 2026-01-08 13:06:09 +01:00
Sebastiaan van Stijn ecf6c1ccc7 Merge pull request #399 from ameya-keskar/bump_go_1.25.5 
update to go1.25.5
 2026-01-08 12:40:22 +01:00
Ameya Keskar b844409a12 update to go1.25.5 
- Update Go version to v1.25.5 in build workflow
- Update GO_VERSION to 1.25.5 in Dockerfile
- Update GO_VERSION to 1.25.5

Signed-off-by: Ameya Keskar <55844298+ameya-keskar@users.noreply.github.com>
 2026-01-08 11:59:16 +01:00
Sebastiaan van Stijn 9df2c7782a Merge pull request #401 from thaJeztah/bump_ubuntu 
gha: update some actions to ubuntu 24.04
 2026-01-08 11:57:23 +01:00
Sebastiaan van Stijn 7a15b77bcb Dockerfile: update golangci-lint to v2.8 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-01-08 11:55:17 +01:00
Sebastiaan van Stijn 81f7ebebfd gha: update some actions to ubuntu 24.04 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2026-01-08 11:49:17 +01:00
Sebastiaan van Stijn 3f97cf3ce3 Merge pull request #398 from docker/dependabot/github_actions/actions/upload-artifact-6 
build(deps): bump actions/upload-artifact from 4 to 6
 2026-01-08 11:28:12 +01:00
Sebastiaan van Stijn 8b5e6dffc6 Merge pull request #397 from docker/dependabot/github_actions/softprops/action-gh-release-2.5.0 
build(deps): bump softprops/action-gh-release from 2.4.1 to 2.5.0
 2026-01-08 11:27:39 +01:00
Sebastiaan van Stijn 4741f33d28 Merge pull request #395 from docker/dependabot/github_actions/actions/checkout-6 
build(deps): bump actions/checkout from 5 to 6
 2026-01-08 11:25:55 +01:00
dependabot[bot] 78303955b8 build(deps): bump actions/upload-artifact from 4 to 6 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 6.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-12-15 09:09:36 +00:00
dependabot[bot] 9b0c242b5c build(deps): bump softprops/action-gh-release from 2.4.1 to 2.5.0 
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.4.1 to 2.5.0.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/6da8fa9354ddfdc4aeace5fc48d7f679b5214090...a06a81a03ee405af7f2048a818ed3f03bbf83c7b)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-12-02 09:09:45 +00:00
dependabot[bot] 057ed818a9 build(deps): bump actions/checkout from 5 to 6 
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-11-21 09:09:36 +00:00
Sebastiaan van Stijn b7a754b9ff Merge pull request #392 from thaJeztah/bump_go_1.25.2 
update to go1.25.2
 2025-10-13 14:20:23 +02:00
Sebastiaan van Stijn 62777f0887 Merge pull request #391 from docker/dependabot/github_actions/softprops/action-gh-release-2.4.1 
build(deps): bump softprops/action-gh-release from 2.3.3 to 2.4.1
 2025-10-13 13:24:04 +02:00
Sebastiaan van Stijn 9d04e49561 update to go1.25.2 
This minor release includes 10 security fixes following the security policy:

- net/mail: excessive CPU consumption in ParseAddress

    The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption.

    Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

    This is CVE-2025-61725 and Go issue https://go.dev/issue/75680.

- crypto/x509: quadratic complexity when checking name constraints

    Due to the design of the name constraint checking algorithm, the processing time
    of some inputs scales non-linearly with respect to the size of the certificate.

    This affects programs which validate arbitrary certificate chains.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-58187 and Go issue https://go.dev/issue/75681.

- crypto/tls: ALPN negotiation errors can contain arbitrary text

    The crypto/tls conn.Handshake method returns an error on the server-side when
    ALPN negotation fails which can contain arbitrary attacker controlled
    information provided by the client-side of the connection which is not escaped.

    This affects programs which log these errors without any additional form of
    sanitization, and may allow injection of attacker controlled information into
    logs.

    Thanks to National Cyber Security Centre Finland for reporting this issue.

    This is CVE-2025-58189 and Go issue https://go.dev/issue/75652.

- encoding/pem: quadratic complexity when parsing some invalid inputs

    Due to the design of the PEM parsing function, the processing time for some
    inputs scales non-linearly with respect to the size of the input.

    This affects programs which parse untrusted PEM inputs.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-61723 and Go issue https://go.dev/issue/75676.

- net/url: insufficient validation of bracketed IPv6 hostnames

    The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

    Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue.

    This is CVE-2025-47912 and Go issue https://go.dev/issue/75678.

- encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion

    When parsing DER payloads, memories were being allocated prior to fully validating the payloads.
    This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-58185 and Go issue https://go.dev/issue/75671.

- net/http: lack of limit when parsing cookies can cause memory exhaustion

    Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit.
    By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

    net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option.

    Thanks to jub0bs for reporting this issue.

    This is CVE-2025-58186 and Go issue https://go.dev/issue/75672.

- crypto/x509: panic when validating certificates with DSA public keys

    Validating certificate chains which contain DSA public keys can cause programs
    to panic, due to a interface cast that assumes they implement the Equal method.

    This affects programs which validate arbitrary certificate chains.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-58188 and Go issue https://go.dev/issue/75675.

- archive/tar: unbounded allocation when parsing GNU sparse map

    tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.

    Thanks to Harshit Gupta (Mr HAX) - https://www.linkedin.com/in/iam-harshit-gupta/ for reporting this issue.

    This is CVE-2025-58183 and Go issue https://go.dev/issue/75677.

- net/textproto: excessive CPU consumption in Reader.ReadResponse

    The Reader.ReadResponse function constructed a response string through
    repeated string concatenation of lines. When the number of lines in a response is large,
    this could cause excessive CPU consumption.

    Thanks to Jakub Ciolek for reporting this issue.

    This is CVE-2025-61724 and Go issue https://go.dev/issue/75716.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-13 13:22:38 +02:00
dependabot[bot] bc131d729d build(deps): bump softprops/action-gh-release from 2.3.3 to 2.4.1 
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.3.3 to 2.4.1.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/6cbd405e2c4e67a21c47fa9e383d020e4e28b836...6da8fa9354ddfdc4aeace5fc48d7f679b5214090)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 2.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-13 09:27:58 +00:00
Sebastiaan van Stijn 84c3413e0e Merge pull request #387 from thaJeztah/bump_go1.25 
update to go1.25.1
 2025-10-02 21:54:13 +02:00
Sebastiaan van Stijn fcb0b664b5 update to go1.25.1 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-02 21:49:20 +02:00
Sebastiaan van Stijn cf4e41fbb0 Merge pull request #388 from thaJeztah/bump_wincred 
vendor: github.com/danieljoos/wincred v1.2.3
 2025-10-02 21:48:59 +02:00
Sebastiaan van Stijn 53f7bdc3fa vendor: github.com/danieljoos/wincred v1.2.3 
fix unsafe uintptr usage to be GC-safe on go1.25

full diff: https://github.com/danieljoos/wincred/compare/v1.2.2...v1.2.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-02 21:43:59 +02:00
Sebastiaan van Stijn d4602cd917 Merge pull request #249 from crazy-max/upd-dockerfile 
Dockerfile: merge build stages
 2025-10-01 16:45:53 +02:00
CrazyMax ae84c25786 Dockerfile: merge build stages 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
 2025-10-01 16:34:48 +02:00
Sebastiaan van Stijn 2adf3cf9aa Merge pull request #383 from thaJeztah/bump_go_deps 
update to go1.24.7, xx v1.7.0
 2025-10-01 16:29:36 +02:00
Sebastiaan van Stijn 1fdce4c733 Dockerfile: update xx to v1.7.0 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-01 16:24:12 +02:00
Sebastiaan van Stijn 962a779645 update to go1.24.7 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-01 16:23:59 +02:00
Sebastiaan van Stijn ec5efac3ca Merge pull request #386 from thaJeztah/bump_golangci_lint 
Dockerfile: update golangci-lint to v2.5
 2025-10-01 16:20:44 +02:00
Sebastiaan van Stijn 8154b98959 Merge pull request #385 from thaJeztah/bump_deb 
deb: Dockerfile: update to debian bookworm, ubuntu jammy (22.04)
 2025-10-01 16:20:25 +02:00
CrazyMax d075f3cecc Merge pull request #379 from docker/dependabot/github_actions/softprops/action-gh-release-2.3.3 
build(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3
 2025-10-01 16:15:13 +02:00
Sebastiaan van Stijn fdddb02817 deb: Dockerfile: use ubuntu:jammy (22.04 LTS) 
ubuntu 20.04 reached end of standard support;
https://ubuntu.com/blog/ubuntu-20-04-lts-end-of-life-standard-support-is-coming-to-an-end-heres-how-to-prepare

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-01 15:56:28 +02:00
Sebastiaan van Stijn c07513a69d deb: Dockerfile: update to golang bookworm 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-01 15:56:28 +02:00
Sebastiaan van Stijn 4142982fb8 Dockerfile: update golangci-lint to v2.5 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-01 15:55:19 +02:00
Sebastiaan van Stijn 860f1459e3 pass: fix QF1001 (staticcheck) 
pass/pass_test.go:86:6: QF1001: could apply De Morgan's law (staticcheck)
            if !(strings.HasSuffix(server, "2376/v1") || strings.HasSuffix(server, "2375/v1")) {
               ^
    pass/pass_test.go:89:6: QF1001: could apply De Morgan's law (staticcheck)
            if !(username == "foo" || username == "bar") {
               ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-01 15:55:19 +02:00
Sebastiaan van Stijn d378d46316 Merge pull request #384 from thaJeztah/bump_distros 
gha: add macos-15-intel, remove macos-13 (deprecated)
 2025-10-01 15:53:03 +02:00
Sebastiaan van Stijn 4c97a761df Merge pull request #378 from docker/dependabot/github_actions/actions/github-script-8 
build(deps): bump actions/github-script from 7 to 8
 2025-10-01 15:22:51 +02:00
Sebastiaan van Stijn b61abf1cb8 Merge pull request #377 from docker/dependabot/github_actions/actions/setup-go-6 
build(deps): bump actions/setup-go from 5 to 6
 2025-10-01 15:22:19 +02:00
Sebastiaan van Stijn 85841ea0ce Merge pull request #376 from docker/dependabot/github_actions/actions/checkout-5 
build(deps): bump actions/checkout from 4 to 5
 2025-10-01 15:21:38 +02:00
Sebastiaan van Stijn c32e697324 gha: add macos-15-intel, remove macos-13 (deprecated) 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-10-01 15:11:20 +02:00
dependabot[bot] d770c60191 build(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.3.2 to 2.3.3.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/72f2c25fcb47643c292f7107632f7a47c1df5cd8...6cbd405e2c4e67a21c47fa9e383d020e4e28b836)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 2.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-08 09:15:45 +00:00
dependabot[bot] 5095e43ecf build(deps): bump actions/github-script from 7 to 8 
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 8.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v8)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-05 09:08:21 +00:00
dependabot[bot] 00313838c6 build(deps): bump actions/setup-go from 5 to 6 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-04 13:01:52 +00:00
dependabot[bot] bcf656656f build(deps): bump actions/checkout from 4 to 5 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-08-12 18:09:48 +00:00
Sebastiaan van Stijn fd27520bbd Merge pull request #375 from austinvazquez/update-golang-1.23.12 
update to go1.23.12
 2025-08-11 16:01:13 +02:00
Austin Vazquez 4849c2328b update to go1.23.12 
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
 2025-08-08 10:54:56 -05:00
Austin Vazquez 2e8005f3a7 Merge pull request #373 from docker/dependabot/github_actions/softprops/action-gh-release-2.3.2 
build(deps): bump softprops/action-gh-release from 2.2.1 to 2.3.2
 2025-08-08 08:38:17 -07:00
dependabot[bot] 5d4d5150ae build(deps): bump softprops/action-gh-release from 2.2.1 to 2.3.2 
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.2.1 to 2.3.2.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda...72f2c25fcb47643c292f7107632f7a47c1df5cd8)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 2.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-11 09:52:55 +00:00
Albin Kerouanton f9d3010165 Merge pull request #367 from akerouanton/osxkeychain-set-atyp 
osxkeychain: store: add atyp attribute
 2025-03-14 12:52:36 +01:00
Albin Kerouanton e7bd3957ae osxkeychain: store: add atyp attribute 
Prior to v0.9.0, the osxkeychain creds helper was adding the `atyp`
attribute (ie. authentication type) to its credentials. It was also
specifying this attribute when querying the keychain for credentials.

Since v0.9.0, we don't set this attribute anymore. So, if a credential
is stored with v0.9.0+ and then queried with a v0.8.2 helper, the
atyp attribute will be missing and the credential won't be found.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
 2025-03-14 12:45:31 +01:00
11 changed files with 110 additions and 116 deletions
Expand all files Collapse all files
.github/workflows/build.yml
+40 -23
View File
@@ -1,5 +1,14 @@
name: build name: build
# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
@@ -8,18 +17,19 @@ on:
workflow_dispatch: workflow_dispatch:
push: push:
branches: branches:
- 'master' - 'main'
tags: tags:
- 'v*' - 'v*'
pull_request: pull_request:
env: env:
DESTDIR: ./bin DESTDIR: ./bin
GO_VERSION: 1.23.6 GO_VERSION: 1.25.8
jobs: jobs:
validate: validate:
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
timeout-minutes: 30 # guardrails timeout for the whole job
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@@ -29,10 +39,10 @@ jobs:
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- -
name: Set up Docker Buildx name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- -
name: Run name: Run
run: | run: |
@@ -40,23 +50,24 @@ jobs:
test: test:
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
timeout-minutes: 30 # guardrails timeout for the whole job
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
os: os:
- ubuntu-24.04 - ubuntu-24.04
- ubuntu-22.04 - ubuntu-22.04
- macOS-15-intel
- macOS-15 - macOS-15
- macOS-14 - macOS-14
- macOS-13
- windows-2022 - windows-2022
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- -
name: Set up Go name: Set up Go
uses: actions/setup-go@v5 uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with: with:
go-version: ${{ env.GO_VERSION }} go-version: ${{ env.GO_VERSION }}
- -
@@ -73,7 +84,7 @@ jobs:
- -
name: GPG conf name: GPG conf
if: ${{ !startsWith(matrix.os, 'windows-') }} if: ${{ !startsWith(matrix.os, 'windows-') }}
uses: actions/github-script@v7 uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
id: gpg id: gpg
with: with:
script: | script: |
@@ -90,7 +101,7 @@ jobs:
- -
name: Import GPG key name: Import GPG key
if: ${{ !startsWith(matrix.os, 'windows-') }} if: ${{ !startsWith(matrix.os, 'windows-') }}
uses: crazy-max/ghaction-import-gpg@v6 uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
with: with:
gpg_private_key: ${{ steps.gpg.outputs.key }} gpg_private_key: ${{ steps.gpg.outputs.key }}
passphrase: ${{ steps.gpg.outputs.passphrase }} passphrase: ${{ steps.gpg.outputs.passphrase }}
@@ -108,20 +119,21 @@ jobs:
shell: bash shell: bash
- -
name: Upload coverage name: Upload coverage
uses: codecov/codecov-action@v5 uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
with: with:
files: ${{ env.DESTDIR }}/coverage.txt files: ${{ env.DESTDIR }}/coverage.txt
token: ${{ secrets.CODECOV_TOKEN }} token: ${{ secrets.CODECOV_TOKEN }}
test-sandboxed: test-sandboxed:
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
timeout-minutes: 30 # guardrails timeout for the whole job
steps: steps:
- -
name: Set up Docker Buildx name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- -
name: Test name: Test
uses: docker/bake-action@v6 uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
with: with:
targets: test targets: test
set: | set: |
@@ -129,25 +141,29 @@ jobs:
*.cache-to=type=gha,scope=test,mode=max *.cache-to=type=gha,scope=test,mode=max
- -
name: Upload coverage name: Upload coverage
uses: codecov/codecov-action@v5 uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
with: with:
files: ${{ env.DESTDIR }}//coverage.txt files: ${{ env.DESTDIR }}//coverage.txt
token: ${{ secrets.CODECOV_TOKEN }} token: ${{ secrets.CODECOV_TOKEN }}
build: build:
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
timeout-minutes: 30 # guardrails timeout for the whole job
permissions:
# required to create GitHub release
contents: write
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
fetch-depth: 0 fetch-depth: 0
- -
name: Set up QEMU name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
- -
name: Set up Docker Buildx name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- -
name: Build name: Build
run: | run: |
@@ -165,7 +181,7 @@ jobs:
find ${{ env.DESTDIR }} -type f -exec file -e ascii -e text -- {} + find ${{ env.DESTDIR }} -type f -exec file -e ascii -e text -- {} +
- -
name: Upload artifacts name: Upload artifacts
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with: with:
name: docker-credential-helpers name: docker-credential-helpers
path: ${{ env.DESTDIR }}/* path: ${{ env.DESTDIR }}/*
@@ -173,7 +189,7 @@ jobs:
- -
name: GitHub Release name: GitHub Release
if: startsWith(github.ref, 'refs/tags/v') if: startsWith(github.ref, 'refs/tags/v')
uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1 uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with: with:
@@ -181,11 +197,12 @@ jobs:
files: ${{ env.DESTDIR }}/* files: ${{ env.DESTDIR }}/*
build-deb: build-deb:
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
timeout-minutes: 30 # guardrails timeout for the whole job
steps: steps:
- -
name: Checkout name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
fetch-depth: 0 fetch-depth: 0
- -
.golangci.yml
+11 -19
View File
@@ -1,31 +1,23 @@
version: "2"
run: run:
timeout: 10m
modules-download-mode: vendor modules-download-mode: vendor
linters: linters:
default: none
enable: enable:
- gofmt
- govet - govet
- depguard
- goimports
- ineffassign - ineffassign
- misspell - misspell
- unused
- revive - revive
- staticcheck - staticcheck
- typecheck - unused
disable-all: true settings:
revive:
linters-settings:
depguard:
rules: rules:
main: - name: package-comments # https://github.com/mgechev/revive/blob/master/RULES_DESCRIPTIONS.md#package-comments
deny: disabled: true
- pkg: "io/ioutil"
desc: The io/ioutil package has been deprecated. See https://go.dev/doc/go1.16#ioutil
issues: formatters:
exclude-rules: enable:
- linters: - gofmt
- revive - goimports
text: "stutters"
Dockerfile
+16 -37
View File
@@ -1,12 +1,11 @@
# syntax=docker/dockerfile:1 # syntax=docker/dockerfile:1
ARG GO_VERSION=1.23.6 ARG GO_VERSION=1.25.8
ARG DEBIAN_VERSION=bookworm ARG DEBIAN_VERSION=bookworm
ARG XX_VERSION=1.6.1 ARG XX_VERSION=1.7.0
ARG OSXCROSS_VERSION=11.3-r7-debian ARG OSXCROSS_VERSION=11.3-r8-debian
ARG GOLANGCI_LINT_VERSION=v1.64.5 ARG GOLANGCI_LINT_VERSION=v2.8
ARG DEBIAN_FRONTEND=noninteractive
ARG PACKAGE=github.com/docker/docker-credential-helpers ARG PACKAGE=github.com/docker/docker-credential-helpers
@@ -18,7 +17,6 @@ FROM crazymax/osxcross:${OSXCROSS_VERSION} AS osxcross
FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${DEBIAN_VERSION} AS gobase FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${DEBIAN_VERSION} AS gobase
COPY --from=xx / / COPY --from=xx / /
ARG DEBIAN_FRONTEND
RUN apt-get update && apt-get install -y --no-install-recommends clang dpkg-dev file git lld llvm make pkg-config rsync RUN apt-get update && apt-get install -y --no-install-recommends clang dpkg-dev file git lld llvm make pkg-config rsync
ENV GOFLAGS="-mod=vendor" ENV GOFLAGS="-mod=vendor"
ENV CGO_ENABLED="1" ENV CGO_ENABLED="1"
@@ -56,7 +54,6 @@ EOT
FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION} AS golangci-lint FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION} AS golangci-lint
FROM gobase AS lint FROM gobase AS lint
ARG DEBIAN_FRONTEND
RUN apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config RUN apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config
RUN --mount=type=bind,target=. \ RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache \ --mount=type=cache,target=/root/.cache \
@@ -65,11 +62,9 @@ RUN --mount=type=bind,target=. \
FROM gobase AS base FROM gobase AS base
ARG TARGETPLATFORM ARG TARGETPLATFORM
ARG DEBIAN_FRONTEND
RUN xx-apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config RUN xx-apt-get install -y binutils gcc libc6-dev libgcc-11-dev libsecret-1-dev pkg-config
FROM base AS test FROM base AS test
ARG DEBIAN_FRONTEND
RUN xx-apt-get install -y dbus-x11 gnome-keyring gpg-agent gpgconf libsecret-1-dev pass RUN xx-apt-get install -y dbus-x11 gnome-keyring gpg-agent gpgconf libsecret-1-dev pass
RUN --mount=type=bind,target=. \ RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache \ --mount=type=cache,target=/root/.cache \
@@ -99,21 +94,7 @@ FROM gobase AS version
RUN --mount=target=. \ RUN --mount=target=. \
echo -n "$(./hack/git-meta version)" | tee /tmp/.version ; echo -n "$(./hack/git-meta revision)" | tee /tmp/.revision echo -n "$(./hack/git-meta version)" | tee /tmp/.version ; echo -n "$(./hack/git-meta revision)" | tee /tmp/.revision
FROM base AS build-linux FROM base AS build
ARG PACKAGE
RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache \
--mount=type=cache,target=/go/pkg/mod \
--mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
--mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
set -ex
xx-go --wrap
make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
xx-verify /out/docker-credential-pass
xx-verify /out/docker-credential-secretservice
EOT
FROM base AS build-darwin
ARG PACKAGE ARG PACKAGE
RUN --mount=type=bind,target=. \ RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache \ --mount=type=cache,target=/root/.cache \
@@ -124,28 +105,26 @@ RUN --mount=type=bind,target=. \
set -ex set -ex
export MACOSX_VERSION_MIN=$(make print-MACOSX_DEPLOYMENT_TARGET) export MACOSX_VERSION_MIN=$(make print-MACOSX_DEPLOYMENT_TARGET)
xx-go --wrap xx-go --wrap
case "$(xx-info os)" in
linux)
make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
xx-verify /out/docker-credential-pass
xx-verify /out/docker-credential-secretservice
;;
darwin)
go install std go install std
make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
xx-verify /out/docker-credential-osxkeychain xx-verify /out/docker-credential-osxkeychain
xx-verify /out/docker-credential-pass xx-verify /out/docker-credential-pass
EOT ;;
windows)
FROM base AS build-windows
ARG PACKAGE
RUN --mount=type=bind,target=. \
--mount=type=cache,target=/root/.cache \
--mount=type=cache,target=/go/pkg/mod \
--mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
--mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
set -ex
xx-go --wrap
make build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out make build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
mv /out/docker-credential-wincred /out/docker-credential-wincred.exe mv /out/docker-credential-wincred /out/docker-credential-wincred.exe
xx-verify /out/docker-credential-wincred.exe xx-verify /out/docker-credential-wincred.exe
;;
esac
EOT EOT
FROM build-$TARGETOS AS build
FROM scratch AS binaries FROM scratch AS binaries
COPY --from=build /out / COPY --from=build /out /
deb/Dockerfile
+3 -5
View File
@@ -1,14 +1,12 @@
# syntax=docker/dockerfile:1 # syntax=docker/dockerfile:1
ARG GO_VERSION=1.23.6 ARG GO_VERSION=1.25.8
ARG DISTRO=ubuntu ARG DISTRO=ubuntu
ARG SUITE=focal ARG SUITE=jammy
FROM golang:${GO_VERSION}-bullseye AS golang FROM golang:${GO_VERSION}-bookworm AS golang
FROM ${DISTRO}:${SUITE} FROM ${DISTRO}:${SUITE}
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -yy debhelper dh-make libsecret-1-dev RUN apt-get update && apt-get install -yy debhelper dh-make libsecret-1-dev
RUN mkdir -p /build RUN mkdir -p /build
go.mod
+1 -1
View File
@@ -8,7 +8,7 @@ retract (
) )
require ( require (
github.com/danieljoos/wincred v1.2.2 github.com/danieljoos/wincred v1.2.3
github.com/keybase/go-keychain v0.0.1 github.com/keybase/go-keychain v0.0.1
) )
go.sum
+4 -4
View File
@@ -1,5 +1,5 @@
github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0= github.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMFLdQ=
github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8= github.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU= github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
@@ -8,8 +8,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
osxkeychain/osxkeychain.go
+11
View File
@@ -46,6 +46,17 @@ func (h Osxkeychain) Add(creds *credentials.Credentials) error {
item.SetLabel(credentials.CredsLabel) item.SetLabel(credentials.CredsLabel)
item.SetAccount(creds.Username) item.SetAccount(creds.Username)
item.SetData([]byte(creds.Secret)) item.SetData([]byte(creds.Secret))
// Prior to v0.9, the credential helper was searching for credentials with
// the "dflt" authentication type (see [1]). Since v0.9.0, Get doesn't use
// that attribute anymore, and v0.9.0 - v0.9.2 were not setting it here
// either.
//
// In order to keep compatibility with older versions, we need to store
// credentials with this attribute set. This way, credentials stored with
// newer versions can be retrieved by older versions.
//
// [1]: https://github.com/docker/docker-credential-helpers/blob/v0.8.2/osxkeychain/osxkeychain.c#L66
item.SetAuthenticationType("dflt")
if err := splitServer(creds.ServerURL, item); err != nil { if err := splitServer(creds.ServerURL, item); err != nil {
return err return err
} }
pass/pass_test.go
+2 -2
View File
@@ -83,10 +83,10 @@ func TestPassHelperList(t *testing.T) {
t.Error(err) t.Error(err)
} }
for server, username := range credsList { for server, username := range credsList {
if !(strings.HasSuffix(server, "2376/v1") || strings.HasSuffix(server, "2375/v1")) { if !strings.HasSuffix(server, "2376/v1") && !strings.HasSuffix(server, "2375/v1") {
t.Errorf("invalid url: %s", server) t.Errorf("invalid url: %s", server)
} }
if !(username == "foo" || username == "bar") { if username != "foo" && username != "bar" {
t.Errorf("invalid username: %v", username) t.Errorf("invalid username: %v", username)
} }
vendor/github.com/danieljoos/wincred/conversion.go
Generated Vendored
+7 -13
View File
@@ -31,13 +31,13 @@ func utf16FromString(str string) []uint16 {
// goBytes copies the given C byte array to a Go byte array (see `C.GoBytes`). // goBytes copies the given C byte array to a Go byte array (see `C.GoBytes`).
// This function avoids having cgo as dependency. // This function avoids having cgo as dependency.
func goBytes(src uintptr, len uint32) []byte { func goBytes(src *byte, len uint32) []byte {
if src == uintptr(0) { if src == nil || len == 0 {
return []byte{} return []byte{}
} }
rv := make([]byte, len) rv := make([]byte, len)
copy(rv, *(*[]byte)(unsafe.Pointer(&reflect.SliceHeader{ copy(rv, *(*[]byte)(unsafe.Pointer(&reflect.SliceHeader{
Data: src, Data: uintptr(unsafe.Pointer(src)),
Len: int(len), Len: int(len),
Cap: int(len), Cap: int(len),
}))) })))
@@ -59,7 +59,7 @@ func sysToCredential(cred *sysCREDENTIAL) (result *Credential) {
result.CredentialBlob = goBytes(cred.CredentialBlob, cred.CredentialBlobSize) result.CredentialBlob = goBytes(cred.CredentialBlob, cred.CredentialBlobSize)
result.Attributes = make([]CredentialAttribute, cred.AttributeCount) result.Attributes = make([]CredentialAttribute, cred.AttributeCount)
attrSlice := *(*[]sysCREDENTIAL_ATTRIBUTE)(unsafe.Pointer(&reflect.SliceHeader{ attrSlice := *(*[]sysCREDENTIAL_ATTRIBUTE)(unsafe.Pointer(&reflect.SliceHeader{
Data: cred.Attributes, Data: uintptr(unsafe.Pointer(cred.Attributes)),
Len: int(cred.AttributeCount), Len: int(cred.AttributeCount),
Cap: int(cred.AttributeCount), Cap: int(cred.AttributeCount),
})) }))
@@ -85,17 +85,13 @@ func sysFromCredential(cred *Credential) (result *sysCREDENTIAL) {
result.LastWritten = syscall.NsecToFiletime(cred.LastWritten.UnixNano()) result.LastWritten = syscall.NsecToFiletime(cred.LastWritten.UnixNano())
result.CredentialBlobSize = uint32(len(cred.CredentialBlob)) result.CredentialBlobSize = uint32(len(cred.CredentialBlob))
if len(cred.CredentialBlob) > 0 { if len(cred.CredentialBlob) > 0 {
result.CredentialBlob = uintptr(unsafe.Pointer(&cred.CredentialBlob[0])) result.CredentialBlob = &cred.CredentialBlob[0]
} else {
result.CredentialBlob = 0
} }
result.Persist = uint32(cred.Persist) result.Persist = uint32(cred.Persist)
result.AttributeCount = uint32(len(cred.Attributes)) result.AttributeCount = uint32(len(cred.Attributes))
attributes := make([]sysCREDENTIAL_ATTRIBUTE, len(cred.Attributes)) attributes := make([]sysCREDENTIAL_ATTRIBUTE, len(cred.Attributes))
if len(attributes) > 0 { if len(attributes) > 0 {
result.Attributes = uintptr(unsafe.Pointer(&attributes[0])) result.Attributes = &attributes[0]
} else {
result.Attributes = 0
} }
for i := range cred.Attributes { for i := range cred.Attributes {
inAttr := &cred.Attributes[i] inAttr := &cred.Attributes[i]
@@ -104,9 +100,7 @@ func sysFromCredential(cred *Credential) (result *sysCREDENTIAL) {
outAttr.Flags = 0 outAttr.Flags = 0
outAttr.ValueSize = uint32(len(inAttr.Value)) outAttr.ValueSize = uint32(len(inAttr.Value))
if len(inAttr.Value) > 0 { if len(inAttr.Value) > 0 {
outAttr.Value = uintptr(unsafe.Pointer(&inAttr.Value[0])) outAttr.Value = &inAttr.Value[0]
} else {
outAttr.Value = 0
} }
} }
result.TargetAlias, _ = syscall.UTF16PtrFromString(cred.TargetAlias) result.TargetAlias, _ = syscall.UTF16PtrFromString(cred.TargetAlias)
vendor/github.com/danieljoos/wincred/sys.go
Generated Vendored
+6 -3
View File
@@ -5,6 +5,7 @@ package wincred
import ( import (
"reflect" "reflect"
"runtime"
"syscall" "syscall"
"unsafe" "unsafe"
@@ -33,10 +34,10 @@ type sysCREDENTIAL struct {
Comment *uint16 Comment *uint16
LastWritten windows.Filetime LastWritten windows.Filetime
CredentialBlobSize uint32 CredentialBlobSize uint32
CredentialBlob uintptr CredentialBlob *byte
Persist uint32 Persist uint32
AttributeCount uint32 AttributeCount uint32
Attributes uintptr Attributes *sysCREDENTIAL_ATTRIBUTE
TargetAlias *uint16 TargetAlias *uint16
UserName *uint16 UserName *uint16
} }
@@ -46,7 +47,7 @@ type sysCREDENTIAL_ATTRIBUTE struct {
Keyword *uint16 Keyword *uint16
Flags uint32 Flags uint32
ValueSize uint32 ValueSize uint32
Value uintptr Value *byte
} }
// https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw // https://docs.microsoft.com/en-us/windows/desktop/api/wincred/ns-wincred-_credentialw
@@ -93,6 +94,8 @@ func sysCredWrite(cred *Credential, typ sysCRED_TYPE) error {
uintptr(unsafe.Pointer(ncred)), uintptr(unsafe.Pointer(ncred)),
0, 0,
) )
// Make sure everything reachable from ncred stays alive through the call.
runtime.KeepAlive(ncred)
if ret == 0 { if ret == 0 {
return err return err
} }
vendor/modules.txt
Vendored
+1 -1
View File
@@ -1,4 +1,4 @@
# github.com/danieljoos/wincred v1.2.2 # github.com/danieljoos/wincred v1.2.3
## explicit; go 1.18 ## explicit; go 1.18
github.com/danieljoos/wincred github.com/danieljoos/wincred
# github.com/keybase/go-keychain v0.0.1 # github.com/keybase/go-keychain v0.0.1