mirror of
https://github.com/docker/docker-credential-helpers.git
synced 2026-06-13 16:01:28 +05:30
Sebastiaan van Stijn
a6e03c60ab
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and runtime packages, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5 These minor releases include 3 security fixes following the security policy: - cmd/go: cgo code injection The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29402 and Go issue https://go.dev/issue/60167. - runtime: unexpected behavior of setuid/setgid binaries The Go runtime didn't act any differently when a binary had the setuid/setgid bit set. On Unix platforms, if a setuid/setgid binary was executed with standard I/O file descriptors closed, opening any files could result in unexpected content being read/written with elevated prilieges. Similarly if a setuid/setgid program was terminated, either via panic or signal, it could leak the contents of its registers. Thanks to Vincent Dehors from Synacktiv for reporting this issue. This is CVE-2023-29403 and Go issue https://go.dev/issue/60272. - cmd/go: improper sanitization of LDFLAGS The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
195 lines
4.8 KiB
YAML
195 lines
4.8 KiB
YAML
name: build
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
push:
|
|
branches:
|
|
- 'master'
|
|
tags:
|
|
- 'v*'
|
|
pull_request:
|
|
|
|
env:
|
|
DESTDIR: ./bin
|
|
GO_VERSION: 1.20.5
|
|
|
|
jobs:
|
|
validate:
|
|
runs-on: ubuntu-22.04
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
target:
|
|
- lint
|
|
- validate-vendor
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v3
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
-
|
|
name: Run
|
|
run: |
|
|
make ${{ matrix.target }}
|
|
|
|
test:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
os:
|
|
- ubuntu-22.04
|
|
- ubuntu-20.04
|
|
- macOS-11
|
|
- windows-2022
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v3
|
|
-
|
|
name: Set up Go
|
|
uses: actions/setup-go@v3
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
cache: true
|
|
-
|
|
name: Install deps (ubuntu)
|
|
if: startsWith(matrix.os, 'ubuntu-')
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y dbus-x11 gnome-keyring libsecret-1-dev pass
|
|
-
|
|
name: Install deps (macOS)
|
|
if: startsWith(matrix.os, 'macOS-')
|
|
run: |
|
|
brew install pass
|
|
-
|
|
name: GPG conf
|
|
if: ${{ !startsWith(matrix.os, 'windows-') }}
|
|
uses: actions/github-script@v6
|
|
id: gpg
|
|
with:
|
|
script: |
|
|
const fs = require('fs');
|
|
const gnupgfolder = `${require('os').homedir()}/.gnupg`;
|
|
if (!fs.existsSync(gnupgfolder)){
|
|
fs.mkdirSync(gnupgfolder);
|
|
}
|
|
fs.copyFile('.github/workflows/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`, (err) => {
|
|
if (err) throw err;
|
|
});
|
|
core.setOutput('key', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.key', {encoding: 'utf8'}));
|
|
core.setOutput('passphrase', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.pass', {encoding: 'utf8'}));
|
|
-
|
|
name: Import GPG key
|
|
if: ${{ !startsWith(matrix.os, 'windows-') }}
|
|
uses: crazy-max/ghaction-import-gpg@v5
|
|
with:
|
|
gpg_private_key: ${{ steps.gpg.outputs.key }}
|
|
passphrase: ${{ steps.gpg.outputs.passphrase }}
|
|
trust_level: 5
|
|
-
|
|
name: Init pass
|
|
if: ${{ !startsWith(matrix.os, 'windows-') }}
|
|
run: |
|
|
pass init 7D851EB72D73BDA0
|
|
shell: bash
|
|
-
|
|
name: Test
|
|
run: |
|
|
make test COVERAGEDIR=${{ env.DESTDIR }}
|
|
shell: bash
|
|
-
|
|
name: Upload coverage
|
|
uses: codecov/codecov-action@v3
|
|
with:
|
|
file: ${{ env.DESTDIR }}/coverage.txt
|
|
|
|
test-sandboxed:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v3
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
-
|
|
name: Test
|
|
uses: docker/bake-action@v2
|
|
with:
|
|
targets: test
|
|
set: |
|
|
*.cache-from=type=gha,scope=test
|
|
*.cache-to=type=gha,scope=test,mode=max
|
|
-
|
|
name: Upload coverage
|
|
uses: codecov/codecov-action@v3
|
|
with:
|
|
file: ${{ env.DESTDIR }}//coverage.txt
|
|
|
|
build:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v3
|
|
with:
|
|
fetch-depth: 0
|
|
-
|
|
name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v2
|
|
-
|
|
name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
-
|
|
name: Build
|
|
run: |
|
|
make release
|
|
env:
|
|
CACHE_FROM: type=gha,scope=build
|
|
CACHE_TO: type=gha,scope=build,mode=max
|
|
-
|
|
name: List artifacts
|
|
run: |
|
|
tree -nh ${{ env.DESTDIR }}
|
|
-
|
|
name: Check artifacts
|
|
run: |
|
|
find ${{ env.DESTDIR }} -type f -exec file -e ascii -e text -- {} +
|
|
-
|
|
name: Upload artifacts
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: docker-credential-helpers
|
|
path: ${{ env.DESTDIR }}/*
|
|
if-no-files-found: error
|
|
-
|
|
name: GitHub Release
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
with:
|
|
draft: true
|
|
files: ${{ env.DESTDIR }}/*
|
|
|
|
build-deb:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
-
|
|
name: Checkout
|
|
uses: actions/checkout@v3
|
|
with:
|
|
fetch-depth: 0
|
|
-
|
|
name: Build
|
|
run: |
|
|
make deb
|