github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
Files
0ffc3e9873278bd59cd58c5a306d188633558790
containerd/.github/workflows/release.yml
Sebastiaan van Stijn 313f514fdd update to go1.21.3. gp1.20.10 
go1.21.3 (released 2023-10-10) includes a security fix to the net/http package.
See the Go 1.21.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.21.3+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.21.2...go1.21.3

From the security mailing:

[security] Go 1.21.3 and Go 1.20.10 are released

Hello gophers,

We have just released Go versions 1.21.3 and 1.20.10, minor point releases.

These minor releases include 1 security fixes following the security policy:

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:29:07 +02:00

159 lines
5.8 KiB
YAML
Raw Blame History

on:
push:
branches:
- main
- "release/**"
tags:
- "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
pull_request:
branches:
- main
- "release/**"
name: Release
env:
GO_VERSION: "1.21.3"
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
check:
name: Check Signed Tag
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-20.04
timeout-minutes: 5
outputs:
stringver: ${{ steps.contentrel.outputs.stringver }}
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
ref: ${{ github.ref }}
path: src/github.com/containerd/containerd
- name: Check signature
run: |
releasever=${{ github.ref }}
releasever="${releasever#refs/tags/}"
TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||
echo "${TAGCHECK}" | grep -q "error" && {
echo "::error::tag ${releasever} is not a signed tag. Failing release process."
exit 1
} || {
echo "Tag ${releasever} is signed."
exit 0
}
working-directory: src/github.com/containerd/containerd
- name: Release content
id: contentrel
run: |
RELEASEVER=${{ github.ref }}
echo "stringver=${RELEASEVER#refs/tags/v}" >> $GITHUB_OUTPUT
git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md
working-directory: src/github.com/containerd/containerd
- name: Save release notes
uses: actions/upload-artifact@v3
with:
name: containerd-release-notes
path: src/github.com/containerd/containerd/release-notes.md
build:
name: Build Release Binaries
runs-on: ubuntu-20.04
timeout-minutes: 30
strategy:
matrix:
include:
# Ubuntu 22.04 can't be used until we drop support for binary compatibility with dynamically-linked glibc 2.17 (CentOS 7).
# https://github.com/containerd/containerd/issues/7255
# https://github.com/containerd/containerd/issues/7961
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/amd64
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/arm64
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/ppc64le
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/s390x
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/riscv64
- dockerfile-ubuntu: 20.04
dockerfile-platform: windows/amd64
steps:
- name: Set RELEASE_VER
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
shell: bash
run: |
releasever=${{ github.ref }}
releasever="${releasever#refs/tags/}"
echo "RELEASE_VER=${releasever}" >> $GITHUB_ENV
- name: Checkout containerd
uses: actions/checkout@v3
with:
# Intentionally use github.repository instead of containerd/containerd to
# make this action runnable on forks.
# See https://github.com/containerd/containerd/issues/5098 for the context.
repository: ${{ github.repository }}
ref: ${{ github.ref }}
path: src/github.com/containerd/containerd
- name: Setup buildx instance
uses: docker/setup-buildx-action@v2
with:
use: true
- uses: crazy-max/ghaction-github-runtime@v2 # sets up needed vars for caching to github
- name: Make
shell: bash
run: |
cache="--cache-from=type=gha,scope=containerd-release --cache-to=type=gha,scope=containerd-release"
if [[ "${PLATFORM}" =~ "windows" ]]; then
# For Windows the cni build script generates a config but shells out to powershell (and also assume it is running on windows) to get a gateway and subnet.
# The values provided here are taken from packages that we previously generated.
export GATEWAY=172.21.16.1
export PREFIX_LEN=12
BUILD_ARGS="--build-arg GATEWAY --build-arg PREFIX_LEN"
fi
docker buildx build ${cache} --build-arg RELEASE_VER --build-arg UBUNTU_VERSION=${{ matrix.dockerfile-ubuntu }} --build-arg GO_VERSION ${BUILD_ARGS} -f .github/workflows/release/Dockerfile --platform=${PLATFORM} -o releases/ .
echo PLATFORM_CLEAN=${PLATFORM/\//-} >> $GITHUB_ENV
# Remove symlinks since we don't want these in the release Artifacts (if any)
find ./releases/ -maxdepth 1 -type l | xargs rm -f
working-directory: src/github.com/containerd/containerd
env:
PLATFORM: ${{ matrix.dockerfile-platform }}
- name: Save Artifacts
uses: actions/upload-artifact@v3
with:
name: release-tars-${{env.PLATFORM_CLEAN}}
path: src/github.com/containerd/containerd/releases/*.tar.gz*
release:
name: Create containerd Release
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
permissions:
contents: write
runs-on: ubuntu-20.04
timeout-minutes: 10
needs: [build, check]
steps:
- name: Download builds and release notes
uses: actions/download-artifact@v3
with:
path: builds
- name: Create Release
uses: softprops/action-gh-release@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
fail_on_unmatched_files: true
name: containerd ${{ needs.check.outputs.stringver }}
draft: false
prerelease: ${{ contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
body_path: ./builds/containerd-release-notes/release-notes.md
files: |
builds/release-tars-**/*
Reference in New Issue View Git Blame Copy Permalink