github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity
Files
c883410c96d0318eddcb8c97ea35e484396758e7
containerd/.github/workflows/release.yml
Sebastiaan van Stijn 157dff2812 update to go1.20.7, go1.19.12 
Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7

go1.19.12 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.19.12 milestone on our issue tracker for details.

- https://github.com/golang/go/issues?q=milestone%3AGo1.19.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.19.11...go1.19.12

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 23:57:32 +02:00

159 lines
5.8 KiB
YAML
Raw Blame History

on:
push:
branches:
- main
- "release/**"
tags:
- "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
pull_request:
branches:
- main
- "release/**"
name: Release
env:
GO_VERSION: "1.20.7"
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
check:
name: Check Signed Tag
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-20.04
timeout-minutes: 5
outputs:
stringver: ${{ steps.contentrel.outputs.stringver }}
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
ref: ${{ github.ref }}
path: src/github.com/containerd/containerd
- name: Check signature
run: |
releasever=${{ github.ref }}
releasever="${releasever#refs/tags/}"
TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||
echo "${TAGCHECK}" | grep -q "error" && {
echo "::error::tag ${releasever} is not a signed tag. Failing release process."
exit 1
} || {
echo "Tag ${releasever} is signed."
exit 0
}
working-directory: src/github.com/containerd/containerd
- name: Release content
id: contentrel
run: |
RELEASEVER=${{ github.ref }}
echo "stringver=${RELEASEVER#refs/tags/v}" >> $GITHUB_OUTPUT
git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md
working-directory: src/github.com/containerd/containerd
- name: Save release notes
uses: actions/upload-artifact@v3
with:
name: containerd-release-notes
path: src/github.com/containerd/containerd/release-notes.md
build:
name: Build Release Binaries
runs-on: ubuntu-20.04
timeout-minutes: 30
strategy:
matrix:
include:
# Ubuntu 22.04 can't be used until we drop support for binary compatibility with dynamically-linked glibc 2.17 (CentOS 7).
# https://github.com/containerd/containerd/issues/7255
# https://github.com/containerd/containerd/issues/7961
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/amd64
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/arm64
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/ppc64le
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/s390x
- dockerfile-ubuntu: 20.04
dockerfile-platform: linux/riscv64
- dockerfile-ubuntu: 20.04
dockerfile-platform: windows/amd64
steps:
- name: Set RELEASE_VER
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
shell: bash
run: |
releasever=${{ github.ref }}
releasever="${releasever#refs/tags/}"
echo "RELEASE_VER=${releasever}" >> $GITHUB_ENV
- name: Checkout containerd
uses: actions/checkout@v3
with:
# Intentionally use github.repository instead of containerd/containerd to
# make this action runnable on forks.
# See https://github.com/containerd/containerd/issues/5098 for the context.
repository: ${{ github.repository }}
ref: ${{ github.ref }}
path: src/github.com/containerd/containerd
- name: Setup buildx instance
uses: docker/setup-buildx-action@v2
with:
use: true
- uses: crazy-max/ghaction-github-runtime@v2 # sets up needed vars for caching to github
- name: Make
shell: bash
run: |
cache="--cache-from=type=gha,scope=containerd-release --cache-to=type=gha,scope=containerd-release"
if [[ "${PLATFORM}" =~ "windows" ]]; then
# For Windows the cni build script generates a config but shells out to powershell (and also assume it is running on windows) to get a gateway and subnet.
# The values provided here are taken from packages that we previously generated.
export GATEWAY=172.21.16.1
export PREFIX_LEN=12
BUILD_ARGS="--build-arg GATEWAY --build-arg PREFIX_LEN"
fi
docker buildx build ${cache} --build-arg RELEASE_VER --build-arg UBUNTU_VERSION=${{ matrix.dockerfile-ubuntu }} --build-arg GO_VERSION ${BUILD_ARGS} -f .github/workflows/release/Dockerfile --platform=${PLATFORM} -o releases/ .
echo PLATFORM_CLEAN=${PLATFORM/\//-} >> $GITHUB_ENV
# Remove symlinks since we don't want these in the release Artifacts
find ./releases/ -maxdepth 1 -type l | xargs rm
working-directory: src/github.com/containerd/containerd
env:
PLATFORM: ${{ matrix.dockerfile-platform }}
- name: Save Artifacts
uses: actions/upload-artifact@v3
with:
name: release-tars-${{env.PLATFORM_CLEAN}}
path: src/github.com/containerd/containerd/releases/*.tar.gz*
release:
name: Create containerd Release
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
permissions:
contents: write
runs-on: ubuntu-20.04
timeout-minutes: 10
needs: [build, check]
steps:
- name: Download builds and release notes
uses: actions/download-artifact@v3
with:
path: builds
- name: Create Release
uses: softprops/action-gh-release@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
fail_on_unmatched_files: true
name: containerd ${{ needs.check.outputs.stringver }}
draft: false
prerelease: ${{ contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
body_path: ./builds/containerd-release-notes/release-notes.md
files: |
builds/release-tars-**/*
Reference in New Issue View Git Blame Copy Permalink