124 Commits

Author SHA1 Message Date
James Blair
5b3497555f
Updated go to 1.19.7.
Mitigates CVE-2023-24532.

Signed-off-by: James Blair <mail@jamesblair.net>
2023-03-08 21:39:31 +13:00
Marek Siarkowicz
d475cf81a0
tests: Rename linearizability tests to robustness
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-02-26 14:36:18 +01:00
dependabot[bot]
0c52e5e133
build(deps): bump github/codeql-action from 2.2.4 to 2.2.5
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.4 to 2.2.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](17573ee1cc...32dc499307)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-24 23:21:07 +00:00
James Blair
2d2fbcc30e
Ensure we are using an up-to-date govulncheck.
Signed-off-by: James Blair <mail@jamesblair.net>
2023-02-25 11:25:33 +13:00
James Blair
ee6781bf6f
Bump to go 1.19.6
go 1.19.6 (released 2023-02-14) includes important security and bug fixes.

Signed-off-by: James Blair <mail@jamesblair.net>
2023-02-16 17:12:59 +08:00
Marek Siarkowicz
116a3150c0
Merge pull request #15282 from serathius/linearizability-report-watch
test: Report watch histories
2023-02-15 16:00:10 +01:00
Marek Siarkowicz
d99b1dbdaf
tests: Move results reporting to top and add reporting watch histories
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-02-15 13:02:42 +01:00
Davanum Srinivas
597bac7b51
Do not run arm64 jobs on forks
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2023-02-14 08:20:06 -05:00
dependabot[bot]
50532c9fb5
build(deps): bump github/codeql-action from 2.2.1 to 2.2.4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.1 to 2.2.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](3ebbd71c74...17573ee1cc)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-13 20:35:03 +08:00
Marek Siarkowicz
5f68ecc1ef
tests: Remove functional testing as they were replaced by linearizability tests
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-02-11 13:20:44 +01:00
Kevin Zhao
4d715c0c44
Add integration test for Arm64
Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2023-02-03 18:20:30 +08:00
Kevin Zhao
009a6c0b94
Add E2E tests on arm64
Now it is a daily nightly build at 1 am.

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2023-02-02 10:38:04 +08:00
dependabot[bot]
d0a481be84
build(deps): bump github/codeql-action from 2.1.39 to 2.2.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.39 to 2.2.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](a34ca99b46...3ebbd71c74)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-31 05:28:21 +08:00
Marek Siarkowicz
187d2748a4
Merge pull request #15172 from dims/add-functional-tests-on-arm64
Add functional tests on arm64
2023-01-24 19:09:38 +01:00
Davanum Srinivas
0575166651
Run on a schedule instead of every PR
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2023-01-24 13:06:42 -05:00
dependabot[bot]
54bd81815d
build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.3.1 to 3.4.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](0ad9a0988b...08e2f20817)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-24 08:10:43 +08:00
Davanum Srinivas
5f94975860
Add functional tests on arm64
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2023-01-23 16:10:24 -05:00
dependabot[bot]
ee566c492b
build(deps): bump github/codeql-action from 2.1.38 to 2.1.39
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.38 to 2.1.39.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](515828d974...a34ca99b46)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-20 18:35:49 +08:00
Marek Siarkowicz
1a315097de
tests: Set artifact name based to avoid file override from different subruns
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-01-20 09:51:41 +01:00
Marek Siarkowicz
a581062c7a
tests: Fix linearizability nightly
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-01-20 09:13:51 +01:00
Marek Siarkowicz
a0d12d316d
tests: Add reproduce #13766 scenario
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-01-17 14:34:19 +01:00
Marek Siarkowicz
0c483830d9
tests: Fix linearizability nightly variable name
2023-01-17 10:40:05 +01:00
Benjamin Wang
1659f8980f
dependency: bump github/codeql-action from 2.1.37 to 2.1.38
Signed-off-by: Benjamin Wang <wachao@vmware.com>
2023-01-17 06:46:31 +08:00
Thomas Jungblut
ab3c530b92
add linearizability nightlies for release 3.4/3.5
This CL refactors the tests to reuse a single workflow that has
parameters. This is then reused for PRs/pushes and the nightlies.

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-01-16 11:00:16 +01:00
Marek Siarkowicz
5b8d19c7b3
tests: Reduce number of runs in nightly action
A single run takes up to 30s. Let's reduce the number of runs to reduce the chance
of a timeout.

Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2023-01-14 09:29:12 +01:00
yanggang
ebf1e3bb1a
Bump go to 1.19.5
Signed-off-by: yanggang <gang.yang@daocloud.io>
2023-01-11 14:42:31 +08:00
Benjamin Wang
c9a9968d40
Merge pull request #15074 from etcd-io/dependabot/github_actions/actions/upload-artifact-3.1.2
build(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2
2023-01-10 09:08:02 +08:00
dependabot[bot]
9f93448500
build(deps): bump actions/checkout from 3.2.0 to 3.3.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](755da8c3cf...ac59398561)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-09 17:12:51 +00:00
dependabot[bot]
ad315b38fa
build(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.1 to 3.1.2.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](83fd05a356...0b7f8abb15)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-09 17:12:44 +00:00
Benjamin Wang
a60db1192d
Added 'secrets.GITHUB_TOKEN' for the static-analysis workflow
Refer to: https://github.com/arduino/setup-protoc/issues/63

Signed-off-by: Benjamin Wang <wachao@vmware.com>
2022-12-28 15:43:44 +08:00
dependabot[bot]
0fcd828de9
build(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.2
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.0 to 2.1.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](937ffa90d7...e38b1902ae)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-26 17:18:42 +00:00
dependabot[bot]
429f66e12a
build(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.0.6 to 2.1.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](99c53751e0...937ffa90d7)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-20 09:28:23 +08:00
dependabot[bot]
ef02c159f2
build(deps): bump github/codeql-action from 2.1.36 to 2.1.37
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.36 to 2.1.37.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2.1.36...959cbb7472c4d4ad70cdfe6f4976053fe48ab394)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-19 17:09:20 +00:00
ArkaSaha30
2d47811407
Move trivy scan workflow of specific versions to respective branches
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
2022-12-16 10:43:55 +05:30
dependabot[bot]
a59276c171
build(deps): bump actions/setup-go from 2.2.0 to 3.5.0
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.2.0 to 3.5.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](bfdd3570ce...6edd4406fa)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-14 08:59:29 +08:00
Benjamin Wang
cb5b7c2ec7
Merge pull request #14928 from ArkaSaha30/trivy-nightly-scan
etcd: add `trivy-nightly-scan` for etcd images
2022-12-14 08:52:44 +08:00
ArkaSaha30
f4d3fa91db
Add permissions: read-all to the workflow
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
2022-12-13 12:42:51 +05:30
Benjamin Wang
e103e2c18c
Merge pull request #14946 from etcd-io/dependabot/github_actions/actions/checkout-3.2.0
build(deps): bump actions/checkout from 2.5.0 to 3.2.0
2022-12-13 14:29:41 +08:00
Benjamin Wang
9cb4c817f3
Merge pull request #14940 from etcd-io/dependabot/github_actions/actions/upload-artifact-3.1.1
build(deps): bump actions/upload-artifact from 2.3.1 to 3.1.1
2022-12-13 14:28:12 +08:00
ArkaSaha30
941fe6b877
Add newline at end of file
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
2022-12-13 11:34:57 +05:30
dependabot[bot]
ffd26d6a0a
build(deps): bump actions/checkout from 2.5.0 to 3.2.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.5.0 to 3.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2.5.0...755da8c3cf115ac066823e79a1e1788f8940201b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-13 03:36:57 +00:00
dependabot[bot]
7a55adcfd1
build(deps): bump actions/upload-artifact from 2.3.1 to 3.1.1
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2.3.1 to 3.1.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2.3.1...83fd05a356d7e2593de66fc9913b3002723633cb)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-13 03:36:52 +00:00
dependabot[bot]
0fabbebeaa
build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.3.0 to 3.3.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](07db5389c9...0ad9a0988b)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-12-13 03:36:49 +00:00
Benjamin Wang
ee9db729da
Merge pull request #14860 from ahrtr/fix_release_20221126
Trigger release in current branch for github workflow case
2022-12-12 17:46:19 +08:00
Benjamin Wang
bf5c094f3c
secure the github workflow
https://app.stepsecurity.io/secureworkflow/etcd-io/etcd/tests.yaml/main?enable=pin
1. Copy the existing yaml file and paste into the textbox,
2. Click "SECURE WORKFLOW"
3. Copy the manifest from the textbox and paste into etcd repo.

Signed-off-by: Benjamin Wang <wachao@vmware.com>
2022-12-12 16:23:13 +08:00
ArkaSaha30
e30ced0d2f
etcd: add trivy-nightly-scan for etcd images
This PR will add `trivy-nightly-scan` for etcd images with versions `3.4.22` and `3.5.6` to scan for vulnerabilities everyday at 2AM UTC.

Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
2022-12-12 12:33:13 +05:30
Benjamin Wang
5d78d6d4b1
release: support kick off release in current branch
Currently when triggering a release, it always pulls the remote repo and
checks out the main branch. Any changes which are merged into the target
release branch (e.g. release-3.5) will be ignored. It isn't
convenient for testing, including in the github workflow and local environment.
So we need to support triggering a release in the current branch.

Note: --current-branch should only be called with DRY_RUN=true

Signed-off-by: Benjamin Wang <wachao@vmware.com>
2022-12-12 09:35:03 +08:00
Benjamin Wang
808099dc24
Pin govulncheck to v0.0.0-20221208180742-f2dca5ff4cc3
go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./...
  shell: /usr/bin/bash -e {0}
  env:
    GOROOT: /opt/hostedtoolcache/go/1.19.4/x64
go: golang.org/x/vuln/cmd/govulncheck@latest: no matching versions for query "latest"

Signed-off-by: Benjamin Wang <wachao@vmware.com>
2022-12-09 18:23:53 +08:00
Marek Siarkowicz
a8bc8ba28b
tests: Increase test timeout for nightly runs to match job timeout minus ten minutes
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
2022-12-09 09:47:17 +01:00
Benjamin Wang
dccc21bb69
bump go 1.19.4
$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
      tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls golang.org/x/net/http2.ConfigureServer$1

  Found in: golang.org/x/net/http2@v0.2.0
  Fixed in: golang.org/x/net/http2@v1.19.4
  More info: https://pkg.go.dev/vuln/GO-2022-1144

Vulnerability #2: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
      contrib/lock/storage/storage.go:106:28: go.etcd.io/etcd/v3/contrib/lock/storage.main calls net/http.ListenAndServe
      contrib/raftexample/httpapi.go:113:31: go.etcd.io/etcd/v3/contrib/raftexample.serveHTTPKVAPI$1 calls net/http.Server.ListenAndServe
      tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls net/http.Serve
      tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls net/http.Server.Serve

  Found in: net/http@go1.19.3
  Fixed in: net/http@go1.19.4
  More info: https://pkg.go.dev/vuln/GO-2022-1144

Signed-off-by: Benjamin Wang <wachao@vmware.com>
2022-12-09 07:39:57 +08:00