go1.25.7 (released 2026-02-04) includes security fixes to the go command and the crypto/tls package, as well as bug fixes to the compiler and the crypto/x509 package. See the Go 1.25.7 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.25.7+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.25.6...go1.25.7 From the security mailing list: > Hello gophers, > > We have just released Go versions 1.25.7 and 1.24.13, minor point releases. > > These releases include 2 security fixes following the security policy: > > - cmd/cgo: remove user-content from doc strings in cgo ASTs > > A discrepancy between how Go and C/C++ comments > were parsed allowed for code smuggling into the > resulting cgo binary. > > To prevent this behavior, the cgo compiler > will no longer parse user-provided doc > comments. > > Thank you to RyotaK (https://ryotak.net) of > GMO Flatt Security Inc. for reporting this issue. > > This is CVE-2025-61732 and https://go.dev/issue/76697. > > - crypto/tls: unexpected session resumption when using Config.GetConfigForClient > > Config.GetConfigForClient is documented to use the original Config's session > ticket keys unless explicitly overridden. This can cause unexpected behavior if > the returned Config modifies authentication parameters, like ClientCAs: a > connection initially established with the parent (or a sibling) Config can be > resumed, bypassing the modified authentication requirements. > > If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on the > server) or InsecureSkipVerify is false (on the client), crypto/tls now checks > that the root of the previously-verified chain is still in ClientCAs/RootCAs > when resuming a connection. > > Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar issue > related to session ticket keys being implicitly shared by Config.Clone. 
Since > this fix is broader, the Config.Clone behavior change has been reverted. > > Note that VerifyPeerCertificate still behaves as documented: it does not apply > to resumed connections. Applications that use Config.GetConfigForClient or > Config.Clone and do not wish to blindly resume connections established with the > original Config must use VerifyConnection instead (or SetSessionTicketKeys or > SessionTicketsDisabled). > > Thanks to Coia Prant (github.com/rbqvq) for reporting this issue. > > This updates CVE-2025-68121 and Go issue https://go.dev/issue/77217. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
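name: build

# Default to 'contents: read', which grants actions to read commits.
#
# If any permission is set, any permission not included in the list is
# implicitly set to "none".
#
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
#
# Jobs that need more than read access (the `build` job below, for the GitHub
# release) widen this per job rather than at workflow level.
permissions:
  contents: read

# One run per workflow and ref at a time; a newer push to the same ref cancels
# the run still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Generic YAML 1.1 parsers read the bare `on` key as boolean `true`; GitHub's
# loader handles it, so it stays unquoted (suppress yamllint `truthy` here).
on:
  workflow_dispatch:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  pull_request:

env:
  DESTDIR: ./bin
  # Quoted so the version is always a string: a single-dot value such as
  # "1.30" would otherwise be parsed as the float 1.3.
  GO_VERSION: "1.25.7"

jobs:
  validate:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    strategy:
      fail-fast: false
      matrix:
        target:
          - lint
          - validate-vendor
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Run
        # matrix.target is one of the fixed values listed above, not
        # user-controlled input, so interpolating it into the shell is safe.
        run: |
          make ${{ matrix.target }}

  test:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 30 # guardrails timeout for the whole job
    strategy:
      fail-fast: false
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-22.04
          - macOS-15-intel
          - macOS-15
          - macOS-14
          - windows-2022
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install deps (ubuntu)
        if: startsWith(matrix.os, 'ubuntu-')
        run: |
          sudo apt-get update
          sudo apt-get install -y dbus-x11 gnome-keyring libsecret-1-dev pass
      - name: Install deps (macOS)
        if: startsWith(matrix.os, 'macOS-')
        run: |
          brew install pass
      # Prepare a GnuPG home for the `pass` backend tests. The key and the
      # passphrase are read from fixtures committed to this repository and
      # exposed as step outputs (which are not masked in logs), so they must
      # remain throwaway test-only material — presumably they are; never reuse
      # this key anywhere else.
      - name: GPG conf
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        uses: actions/github-script@v8
        id: gpg
        with:
          script: |
            const fs = require('fs');
            const gnupgfolder = `${require('os').homedir()}/.gnupg`;
            if (!fs.existsSync(gnupgfolder)){
              fs.mkdirSync(gnupgfolder);
            }
            fs.copyFile('.github/workflows/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`, (err) => {
              if (err) throw err;
            });
            core.setOutput('key', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.key', {encoding: 'utf8'}));
            core.setOutput('passphrase', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.pass', {encoding: 'utf8'}));
      - name: Import GPG key
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ steps.gpg.outputs.key }}
          passphrase: ${{ steps.gpg.outputs.passphrase }}
          trust_level: 5
      - name: Init pass
        if: ${{ !startsWith(matrix.os, 'windows-') }}
        run: |
          pass init 7D851EB72D73BDA0
        shell: bash
      - name: Test
        run: |
          make test COVERAGEDIR=${{ env.DESTDIR }}
        shell: bash
      - name: Upload coverage
        uses: codecov/codecov-action@v5
        with:
          files: ${{ env.DESTDIR }}/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}

  test-sandboxed:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Test
        uses: docker/bake-action@v6
        with:
          targets: test
          set: |
            *.cache-from=type=gha,scope=test
            *.cache-to=type=gha,scope=test,mode=max
      - name: Upload coverage
        uses: codecov/codecov-action@v5
        with:
          # Single path separator, consistent with the `test` job (was `//`).
          files: ${{ env.DESTDIR }}/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}

  build:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    permissions:
      # required to create GitHub release
      #
      # NOTE(review): this widens the token for every step of the job, and for
      # pull_request runs too, although only the tag-gated "GitHub Release"
      # step below needs it; on same-repository PRs the token therefore
      # carries write access while building.
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full history and tags rather than a shallow clone.
          fetch-depth: 0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build
        run: |
          make release
        env:
          CACHE_FROM: type=gha,scope=build
          CACHE_TO: type=gha,scope=build,mode=max
      - name: List artifacts
        run: |
          tree -nh ${{ env.DESTDIR }}
      - name: Check artifacts
        run: |
          find ${{ env.DESTDIR }} -type f -exec file -e ascii -e text -- {} +
      - name: Upload artifacts
        uses: actions/upload-artifact@v6
        with:
          name: docker-credential-helpers
          path: ${{ env.DESTDIR }}/*
          if-no-files-found: error
      - name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
        # Pinned to an immutable commit SHA (the matching tag is kept in the
        # trailing comment) so a moved or re-pushed tag cannot change what this
        # step runs. The other third-party actions in this file are pinned by
        # mutable major tag only; the same SHA pinning would apply to them.
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          draft: true
          files: ${{ env.DESTDIR }}/*

  build-deb:
    runs-on: ubuntu-24.04
    timeout-minutes: 30 # guardrails timeout for the whole job
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full history and tags rather than a shallow clone.
          fetch-depth: 0
      - name: Build
        run: |
          make deb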