From 4b550d392edaa0e23d338be9659945c733ca9e5c Mon Sep 17 00:00:00 2001 
From: LaunchDarklyReleaseBot <86431345+LaunchDarklyReleaseBot@users.noreply.github.com>
Date: Fri, 5 May 2023 16:07:39 -0400
Subject: [PATCH] prepare 7.2.4 release (#241)

* Adding degraded doc blurb for big segments (#280) * respect Redis password & TLS options for big segments; add Redis password integration tests * redact Redis URL password in logs and status resource * update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix * Part 1, add the config and the documentation for the new config * Part 2, Add the configuration validation and test * Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers * Linter * update Alpine version to 3.14.2 to fix openssl CVEs * Fix the global variable modification * Go format * turn off unnecessary metrics integrations in config for Docker smoke test * rename test.env to smoke-test.env to clarify what it's for * fix setting of custom Access-Control-Allow-Origin and add test (#285) * add more explanatory test output and more verbose debugging for big segments integration tests (#287) * update to Go 1.16.10 + Alpine 3.14.3; add some docs about releases (#288) * update go-server-sdk-consul version for Consul API version update * override x/crypto dependency version for CVE-2020-29652 * bump Prometheus dependency to eliminate jwt-go vulnerability * drop support for Go 1.14 & 1.15 * make sure defaults are always applied for base URL properties * rm unused * rm unnecessary linter directive * add separate configuration for server-side/client-side SDK base URLs & update the defaults * remove Whitesource CI job + remove obsolete dependency issue note * don't include any big segment status info in status resource unless that feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation * update x/text package for vulnerability GO-2021-0113 * add Trivy security scan to CI
(#297) * add daily re-scan with Trivy * use long timeout when awaiting changes related to file mod watching * update Go version to 1.17.6 (#301) * always terminate if auto-config stream fails with a fatal error * pass along tags header when proxying events * comments, rm debugging * fix auth header logic * fix auth header logic some more * comments * add tags header to CORS header whitelist (#304) * update to Alpine 3.14.4 for CVE-2022-0778 fix * minimal changes for using prerelease Go SDK v6 (#306) * revise "summarizing" event proxy logic to use new event processor * comments * force upgrade of openssl in Alpine * also upgrade libretls * fix it in both files * update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308) * update to Alpine 3.14.5 for CVE-2022-0778 * revert patches that are now included in Alpine 3.14.5 * add scripts for checking and updating Go/Alpine versions (#309) * update to Alpine 3.14.5 for CVE-2022-0778 * add scripts for checking and updating Go/Alpine versions * also make sure the Docker images really exist * update CONTRIBUTING.md * fix file rename * revert patches that are now included in Alpine 3.14.5 * add support & tests for handling any kind of context in eval endpoints * move some constants and test code out of internal/core/internal/... 
* use a clearer import alias * refactoring * move packages from core/ and core/internal/ to internal/ * fix linting * update Alpine to 3.14.6 for CVE-2022-28391 * merge RelayCore logic into Relay and remove the core package (#315) * merge RelayCore logic into Relay and remove the core package * don't export these fields * fix tests * comment * update SDK packages (includes sc-136333 fix) * don't include "v" prefix in Docker image version * update go-server-sdk-dynamodb for data size error fix & add docs (#316) * update builds to use Go 1.17.9 and fix the update script * update go-server-sdk-consul to latest release * update remote Docker version * update golang.org/x/crypto for CVE-2022-27191 (#321) * update golang.org/x/crypto for CVE-2022-27191 * fix go.sum * update eventsource for SSE output efficiency fix (#322) * Cache the replay event in case we get multiple new client connections (#189) * Cache the replay event in case we get multiple new client connections * Use singleflight to ensure only one replay event is generated at a time Co-authored-by: Moshe Good * don't install curl in Docker images * fix makefile logic for lint step * remove indirect curl-based request logic in integration tests * fix linter installation * update Go to 1.17.11, Alpine to 3.16.0 * improve concurrency test to verify that the data is or isn't from a separate query * fix lint warnings and remove unnecessary error return * use latest prerelease packages, update for misc SDK API changes (interfaces package) * update libssl & libcrypto versions for CVE-2022-2097 * add security scan of already-published Docker image (#328) * update Alpine version and some Go libraries to address CVEs (#329) * use Alpine 3.16.1 * update golang.org/x/net and golang.org/x/sync patch versions for CVEs * update golang.org/x/sys patch version for CVE * update Prometheus client library for CVE-2022-21698 * ensure that DynamoDB config is consistent between Big Segments and regular data store * comment * update 
Alpine to 3.16.2 * update golangci-lint and go-junit-report * fix CI * prevent traversal of directories outside target path when expanding archive * enforce TLS >= 1.2 for secure Redis * misc linter updates * fix test message * add Go 1.18 & 1.19 jobs * make test expectation less Go-version-dependent * linting * revert unnecessary change * fix installation of test coverage tool * add "context" URL paths for evaluations, update endpoint docs * fix tests * bump minimum Go to 1.18, build images in 1.19 * linter + misc fixes * "latest" Go image is no longer a thing * fix TLS test * fix command to run coverage enforcer * fix vulnerable dependencies * migrate to AWS Go SDK v2 for DynamoDB (#333) * remove obsolete "eval" endpoints superseded by "evalx" (#338) * remove obsolete "eval" endpoints superseded by "evalx" * fix tests & examples * fix more tests * update AWS SDK and related packages on u2c branch (#341) * update to Go 1.19.2 * update golang.org/x/net for CVE-2022-27664 * update golang.org/x/text for CVE-2022-32149 * update Consul API dependency to avoid false report of CVE-2022-40716 * switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343) * use latest Go SDK prerelease packages, update for API changes * lint * streamline test code using go-test-helpers v3 * remove some more unnecessary helpers * fix test app * use latest SDK packages * use Go SDK v6.0.0 and latest releases of database integrations * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 (even though the fix is also bundled in Go 1.19.4) * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 only when building executables for release * prepare 6.7.15 release (#212) * don't return 503 if SDK initialization has timed out * add in-repo docs about error/503 behavior (#249) * [ch102255] BigSegments DynamoDB (#245) * add init timeout config option + better test coverage + misc refactoring (#250) * fix example 
build command * use public prerelease tags instead of private dependencies * fix Go installation in CI * update SDK dependencies for JSON number parsing bugfix * update gorilla/mux to 1.8.0 * update OpenCensus packages * add Go 1.16 CI + "latest Go" CI + use latest 1.15 patch for release * cimg images use "current", not "latest" * seems there isn't any cimg/go "latest" or "current" * add daily package build test in CI * job names * bump SDK version for traffic allocation feature * [ch113491] update alpine base image (#258) * use latest prerelease SDK * fix enabling of test tags in CI * add DynamoDB docker image in CI * set a polling base URI in end-to-end tests since big segments logic will use it * fix initialization logic so SDK client creation errors aren't lost when big segments are enabled * fix use of prefix key in DynamoDB + improve tests (#260) * more debug logging, less info logging for big segments logic * make logging of big segments patch version mismatch clearer and use Warn level * fix log parameter * fix DynamoDB updates for big segments metadata * add test to make sure sync time and cursor can be updated independently * only start big seg synchronizer if necessary * use SDK GA releases * change applyPatch to exit early on version mismatch; go back to restarting stream in this case * add unit tests for version mismatch behavior + DRY tests * add log assertion * fix retry logic on big segments stream failure * add more logging for big segments connection status * fix logging assertion * add more big segments integration tests * fix overly-time-sensitive file data tests * fix more flaky tests * run big segments tests with DynamoDB too * Migrate transitive dep (jwt-go) to use modern version without vulnerability. 
* Edit doc * move Relay release logic to .ldrelease script * suppress SDK big segments status query if we've never synced big segments * dump Relay logs including debug logs if integration test fails * include environment prefix in BigSegmentSynchronizer logging * increase big segment integration test timeout (#274) * generate client-side stream pings if big segments have changed * clear big segments cache as needed + simplify state management * fix tests and simplify component creation * use GA releases of SDK packages * disable CI package-build-test in Go 1.16+ * Migrate Relay release to Releaser v2 and support dry run (#278) * Adding degraded doc blurb for big segments (#280) * respect Redis password & TLS options for big segments; add Redis password integration tests * redact Redis URL password in logs and status resource * update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix * Part 1, add the config and the documentation for the new config * Part 2, Add the configuration validation and test * Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers * Linter * update Alpine version to 3.14.2 to fix openssl CVEs * Fix the global variable modification * Go format * turn off unnecessary metrics integrations in config for Docker smoke test * rename test.env to smoke-test.env to clarify what it's for * fix setting of custom Access-Control-Allow-Origin and add test (#285) * add more explanatory test output and more verbose debugging for big segments integration tests (#287) * update to Go 1.16.10 + Alpine 3.14.3; add some docs about releases (#288) * update go-server-sdk-consul version for Consul API version update * override x/crypto dependency version for CVE-2020-29652 * bump Prometheus dependency to eliminate jwt-go vulnerability * drop support for Go 1.14 & 1.15 * make sure defaults are always applied for base URL properties * rm unused * rm unnecessary linter directive * add separate configuration for 
server-side/client-side SDK base URLs & update the defaults * remove Whitesource CI job + remove obsolete dependency issue note * don't include any big segment status info in status resource unless that feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation * update x/text package for vulnerability GO-2021-0113 * add Trivy security scan to CI (#297) * add daily re-scan with Trivy * use long timeout when awaiting changes related to file mod watching * update Go version to 1.17.6 (#301) * always terminate if auto-config stream fails with a fatal error * pass along tags header when proxying events * comments, rm debugging * fix auth header logic * fix auth header logic some more * comments * add tags header to CORS header whitelist (#304) * update to Alpine 3.14.4 for CVE-2022-0778 fix * force upgrade of openssl in Alpine * also upgrade libretls * fix it in both files * update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308) * update to Alpine 3.14.5 for CVE-2022-0778 * revert patches that are now included in Alpine 3.14.5 * add scripts for checking and updating Go/Alpine versions (#309) * update to Alpine 3.14.5 for CVE-2022-0778 * add scripts for checking and updating Go/Alpine versions * also make sure the Docker images really exist * update CONTRIBUTING.md * fix file rename * revert patches that are now included in Alpine 3.14.5 * update Alpine to 3.14.6 for CVE-2022-28391 * update SDK packages (includes sc-136333 fix) * don't include "v" prefix in Docker image version * update go-server-sdk-dynamodb for data size error fix & add docs (#316) * update builds to use Go 1.17.9 and fix the update script * update go-server-sdk-consul to latest release * update remote Docker version * update golang.org/x/crypto for CVE-2022-27191 (#321) * update golang.org/x/crypto for CVE-2022-27191 * fix go.sum * update eventsource for SSE output 
efficiency fix (#322) * Cache the replay event in case we get multiple new client connections (#189) * Cache the replay event in case we get multiple new client connections * Use singleflight to ensure only one replay event is generated at a time Co-authored-by: Moshe Good * don't install curl in Docker images * fix makefile logic for lint step * remove indirect curl-based request logic in integration tests * fix linter installation * update Go to 1.17.11, Alpine to 3.16.0 * improve concurrency test to verify that the data is or isn't from a separate query * fix lint warnings and remove unnecessary error return * update libssl & libcrypto versions for CVE-2022-2097 * add security scan of already-published Docker image (#328) * update Alpine version and some Go libraries to address CVEs (#329) * use Alpine 3.16.1 * update golang.org/x/net and golang.org/x/sync patch versions for CVEs * update golang.org/x/sys patch version for CVE * update Prometheus client library for CVE-2022-21698 * ensure that DynamoDB config is consistent between Big Segments and regular data store * comment * update Alpine to 3.16.2 * update golangci-lint and go-junit-report * fix CI * prevent traversal of directories outside target path when expanding archive * enforce TLS >= 1.2 for secure Redis * misc linter updates * fix test message * add Go 1.18 & 1.19 jobs * make test expectation less Go-version-dependent * linting * revert unnecessary change * fix installation of test coverage tool * migrate to AWS Go SDK v2 for DynamoDB (#333) * update to Go 1.19.2 * update golang.org/x/net for CVE-2022-27664 * update golang.org/x/text for CVE-2022-32149 * update Consul API dependency to avoid false report of CVE-2022-40716 * switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343) * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 only when building executables for release Co-authored-by: Eli Bishop Co-authored-by: LaunchDarklyCI 
Co-authored-by: hroederld Co-authored-by: LaunchDarklyReleaseBot Co-authored-by: Dan Richelson Co-authored-by: Dan Richelson Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com> Co-authored-by: Ben Woskow Co-authored-by: Louis Chan Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com> Co-authored-by: Moshe Good Co-authored-by: Moshe Good * Releasing version 6.7.15 * redo the security patch by updating go.mod for all builds; drop Go 1.16 * prepare 6.7.16 release (#214) * [ch102255] BigSegments DynamoDB (#245) * add init timeout config option + better test coverage + misc refactoring (#250) * fix example build command * use public prerelease tags instead of private dependencies * fix Go installation in CI * update SDK dependencies for JSON number parsing bugfix * update gorilla/mux to 1.8.0 * update OpenCensus packages * add Go 1.16 CI + "latest Go" CI + use latest 1.15 patch for release * cimg images use "current", not "latest" * seems there isn't any cimg/go "latest" or "current" * add daily package build test in CI * job names * bump SDK version for traffic allocation feature * [ch113491] update alpine base image (#258) * use latest prerelease SDK * fix enabling of test tags in CI * add DynamoDB docker image in CI * set a polling base URI in end-to-end tests since big segments logic will use it * fix initialization logic so SDK client creation errors aren't lost when big segments are enabled * fix use of prefix key in DynamoDB + improve tests (#260) * more debug logging, less info logging for big segments logic * make logging of big segments patch version mismatch clearer and use Warn level * fix log parameter * fix DynamoDB updates for big segments metadata * add test to make sure sync time and cursor can be updated independently * only start big seg synchronizer if necessary * use SDK GA releases * change applyPatch to exit early on version mismatch; go back to restarting stream in this case * add unit tests for 
version mismatch behavior + DRY tests * add log assertion * fix retry logic on big segments stream failure * add more logging for big segments connection status * fix logging assertion * add more big segments integration tests * fix overly-time-sensitive file data tests * fix more flaky tests * run big segments tests with DynamoDB too * Migrate transitive dep (jwt-go) to use modern version without vulnerability. * Edit doc * move Relay release logic to .ldrelease script * suppress SDK big segments status query if we've never synced big segments * dump Relay logs including debug logs if integration test fails * include environment prefix in BigSegmentSynchronizer logging * increase big segment integration test timeout (#274) * generate client-side stream pings if big segments have changed * clear big segments cache as needed + simplify state management * fix tests and simplify component creation * use GA releases of SDK packages * disable CI package-build-test in Go 1.16+ * Migrate Relay release to Releaser v2 and support dry run (#278) * Adding degraded doc blurb for big segments (#280) * respect Redis password & TLS options for big segments; add Redis password integration tests * redact Redis URL password in logs and status resource * update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix * Part 1, add the config and the documentation for the new config * Part 2, Add the configuration validation and test * Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers * Linter * update Alpine version to 3.14.2 to fix openssl CVEs * Fix the global variable modification * Go format * turn off unnecessary metrics integrations in config for Docker smoke test * rename test.env to smoke-test.env to clarify what it's for * fix setting of custom Access-Control-Allow-Origin and add test (#285) * add more explanatory test output and more verbose debugging for big segments integration tests (#287) * update to Go 1.16.10 + Alpine 
3.14.3; add some docs about releases (#288) * update go-server-sdk-consul version for Consul API version update * override x/crypto dependency version for CVE-2020-29652 * bump Prometheus dependency to eliminate jwt-go vulnerability * drop support for Go 1.14 & 1.15 * make sure defaults are always applied for base URL properties * rm unused * rm unnecessary linter directive * add separate configuration for server-side/client-side SDK base URLs & update the defaults * remove Whitesource CI job + remove obsolete dependency issue note * don't include any big segment status info in status resource unless that feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation * update x/text package for vulnerability GO-2021-0113 * add Trivy security scan to CI (#297) * add daily re-scan with Trivy * use long timeout when awaiting changes related to file mod watching * update Go version to 1.17.6 (#301) * always terminate if auto-config stream fails with a fatal error * pass along tags header when proxying events * comments, rm debugging * fix auth header logic * fix auth header logic some more * comments * add tags header to CORS header whitelist (#304) * update to Alpine 3.14.4 for CVE-2022-0778 fix * force upgrade of openssl in Alpine * also upgrade libretls * fix it in both files * update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308) * update to Alpine 3.14.5 for CVE-2022-0778 * revert patches that are now included in Alpine 3.14.5 * add scripts for checking and updating Go/Alpine versions (#309) * update to Alpine 3.14.5 for CVE-2022-0778 * add scripts for checking and updating Go/Alpine versions * also make sure the Docker images really exist * update CONTRIBUTING.md * fix file rename * revert patches that are now included in Alpine 3.14.5 * update Alpine to 3.14.6 for CVE-2022-28391 * update SDK packages (includes sc-136333 fix) * 
don't include "v" prefix in Docker image version * update go-server-sdk-dynamodb for data size error fix & add docs (#316) * update builds to use Go 1.17.9 and fix the update script * update go-server-sdk-consul to latest release * update remote Docker version * update golang.org/x/crypto for CVE-2022-27191 (#321) * update golang.org/x/crypto for CVE-2022-27191 * fix go.sum * update eventsource for SSE output efficiency fix (#322) * Cache the replay event in case we get multiple new client connections (#189) * Cache the replay event in case we get multiple new client connections * Use singleflight to ensure only one replay event is generated at a time Co-authored-by: Moshe Good * don't install curl in Docker images * fix makefile logic for lint step * remove indirect curl-based request logic in integration tests * fix linter installation * update Go to 1.17.11, Alpine to 3.16.0 * improve concurrency test to verify that the data is or isn't from a separate query * fix lint warnings and remove unnecessary error return * update libssl & libcrypto versions for CVE-2022-2097 * add security scan of already-published Docker image (#328) * update Alpine version and some Go libraries to address CVEs (#329) * use Alpine 3.16.1 * update golang.org/x/net and golang.org/x/sync patch versions for CVEs * update golang.org/x/sys patch version for CVE * update Prometheus client library for CVE-2022-21698 * ensure that DynamoDB config is consistent between Big Segments and regular data store * comment * update Alpine to 3.16.2 * update golangci-lint and go-junit-report * fix CI * prevent traversal of directories outside target path when expanding archive * enforce TLS >= 1.2 for secure Redis * misc linter updates * fix test message * add Go 1.18 & 1.19 jobs * make test expectation less Go-version-dependent * linting * revert unnecessary change * fix installation of test coverage tool * migrate to AWS Go SDK v2 for DynamoDB (#333) * update to Go 1.19.2 * update golang.org/x/net for 
CVE-2022-27664 * update golang.org/x/text for CVE-2022-32149 * update Consul API dependency to avoid false report of CVE-2022-40716 * switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343) * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 only when building executables for release * redo the security patch by updating go.mod for all builds; drop Go 1.16 Co-authored-by: LaunchDarklyCI Co-authored-by: hroederld Co-authored-by: Eli Bishop Co-authored-by: LaunchDarklyReleaseBot Co-authored-by: Dan Richelson Co-authored-by: Dan Richelson Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com> Co-authored-by: Ben Woskow Co-authored-by: Louis Chan Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com> Co-authored-by: Moshe Good Co-authored-by: Moshe Good * Releasing version 6.7.16 * update Redis/DDB integrations to remove misleading error logging * prepare 6.7.17 release (#215) * fix example build command * use public prerelease tags instead of private dependencies * fix Go installation in CI * update SDK dependencies for JSON number parsing bugfix * update gorilla/mux to 1.8.0 * update OpenCensus packages * add Go 1.16 CI + "latest Go" CI + use latest 1.15 patch for release * cimg images use "current", not "latest" * seems there isn't any cimg/go "latest" or "current" * add daily package build test in CI * job names * bump SDK version for traffic allocation feature * [ch113491] update alpine base image (#258) * use latest prerelease SDK * fix enabling of test tags in CI * add DynamoDB docker image in CI * set a polling base URI in end-to-end tests since big segments logic will use it * fix initialization logic so SDK client creation errors aren't lost when big segments are enabled * fix use of prefix key in DynamoDB + improve tests (#260) * more debug logging, less info logging for big segments logic * make logging of big segments patch version mismatch 
clearer and use Warn level * fix log parameter * fix DynamoDB updates for big segments metadata * add test to make sure sync time and cursor can be updated independently * only start big seg synchronizer if necessary * use SDK GA releases * change applyPatch to exit early on version mismatch; go back to restarting stream in this case * add unit tests for version mismatch behavior + DRY tests * add log assertion * fix retry logic on big segments stream failure * add more logging for big segments connection status * fix logging assertion * add more big segments integration tests * fix overly-time-sensitive file data tests * fix more flaky tests * run big segments tests with DynamoDB too * Migrate transitive dep (jwt-go) to use modern version without vulnerability. * Edit doc * move Relay release logic to .ldrelease script * suppress SDK big segments status query if we've never synced big segments * dump Relay logs including debug logs if integration test fails * include environment prefix in BigSegmentSynchronizer logging * increase big segment integration test timeout (#274) * generate client-side stream pings if big segments have changed * clear big segments cache as needed + simplify state management * fix tests and simplify component creation * use GA releases of SDK packages * disable CI package-build-test in Go 1.16+ * Migrate Relay release to Releaser v2 and support dry run (#278) * Adding degraded doc blurb for big segments (#280) * respect Redis password & TLS options for big segments; add Redis password integration tests * redact Redis URL password in logs and status resource * update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix * Part 1, add the config and the documentation for the new config * Part 2, Add the configuration validation and test * Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers * Linter * update Alpine version to 3.14.2 to fix openssl CVEs * Fix the global variable modification * Go 
format * turn off unnecessary metrics integrations in config for Docker smoke test * rename test.env to smoke-test.env to clarify what it's for * fix setting of custom Access-Control-Allow-Origin and add test (#285) * add more explanatory test output and more verbose debugging for big segments integration tests (#287) * update to Go 1.16.10 + Alpine 3.14.3; add some docs about releases (#288) * update go-server-sdk-consul version for Consul API version update * override x/crypto dependency version for CVE-2020-29652 * bump Prometheus dependency to eliminate jwt-go vulnerability * drop support for Go 1.14 & 1.15 * make sure defaults are always applied for base URL properties * rm unused * rm unnecessary linter directive * add separate configuration for server-side/client-side SDK base URLs & update the defaults * remove Whitesource CI job + remove obsolete dependency issue note * don't include any big segment status info in status resource unless that feature is active (#296) * don't include any big segment status info in status resource unless that feature is active * fix Big Segments staleness logic in status resource * documentation * update x/text package for vulnerability GO-2021-0113 * add Trivy security scan to CI (#297) * add daily re-scan with Trivy * use long timeout when awaiting changes related to file mod watching * update Go version to 1.17.6 (#301) * always terminate if auto-config stream fails with a fatal error * pass along tags header when proxying events * comments, rm debugging * fix auth header logic * fix auth header logic some more * comments * add tags header to CORS header whitelist (#304) * update to Alpine 3.14.4 for CVE-2022-0778 fix * force upgrade of openssl in Alpine * also upgrade libretls * fix it in both files * update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308) * update to Alpine 3.14.5 for CVE-2022-0778 * revert patches that are now included in Alpine 3.14.5 * add scripts for checking and updating Go/Alpine versions 
(#309) * update to Alpine 3.14.5 for CVE-2022-0778 * add scripts for checking and updating Go/Alpine versions * also make sure the Docker images really exist * update CONTRIBUTING.md * fix file rename * revert patches that are now included in Alpine 3.14.5 * update Alpine to 3.14.6 for CVE-2022-28391 * update SDK packages (includes sc-136333 fix) * don't include "v" prefix in Docker image version * update go-server-sdk-dynamodb for data size error fix & add docs (#316) * update builds to use Go 1.17.9 and fix the update script * update go-server-sdk-consul to latest release * update remote Docker version * update golang.org/x/crypto for CVE-2022-27191 (#321) * update golang.org/x/crypto for CVE-2022-27191 * fix go.sum * update eventsource for SSE output efficiency fix (#322) * Cache the replay event in case we get multiple new client connections (#189) * Cache the replay event in case we get multiple new client connections * Use singleflight to ensure only one replay event is generated at a time Co-authored-by: Moshe Good * don't install curl in Docker images * fix makefile logic for lint step * remove indirect curl-based request logic in integration tests * fix linter installation * update Go to 1.17.11, Alpine to 3.16.0 * improve concurrency test to verify that the data is or isn't from a separate query * fix lint warnings and remove unnecessary error return * update libssl & libcrypto versions for CVE-2022-2097 * add security scan of already-published Docker image (#328) * update Alpine version and some Go libraries to address CVEs (#329) * use Alpine 3.16.1 * update golang.org/x/net and golang.org/x/sync patch versions for CVEs * update golang.org/x/sys patch version for CVE * update Prometheus client library for CVE-2022-21698 * ensure that DynamoDB config is consistent between Big Segments and regular data store * comment * update Alpine to 3.16.2 * update golangci-lint and go-junit-report * fix CI * prevent traversal of directories outside target path when 
expanding archive * enforce TLS >= 1.2 for secure Redis * misc linter updates * fix test message * add Go 1.18 & 1.19 jobs * make test expectation less Go-version-dependent * linting * revert unnecessary change * fix installation of test coverage tool * migrate to AWS Go SDK v2 for DynamoDB (#333) * update to Go 1.19.2 * update golang.org/x/net for CVE-2022-27664 * update golang.org/x/text for CVE-2022-32149 * update Consul API dependency to avoid false report of CVE-2022-40716 * switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343) * update to Go 1.19.4 and Alpine 3.16.3 * override golang.org/x/net for CVE-2022-41717 only when building executables for release * redo the security patch by updating go.mod for all builds; drop Go 1.16 * update Redis/DDB integrations to remove misleading error logging Co-authored-by: Eli Bishop Co-authored-by: LaunchDarklyCI Co-authored-by: hroederld Co-authored-by: LaunchDarklyReleaseBot Co-authored-by: Dan Richelson Co-authored-by: Dan Richelson Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com> Co-authored-by: Ben Woskow Co-authored-by: Louis Chan Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com> Co-authored-by: Moshe Good Co-authored-by: Moshe Good * Releasing version 6.7.17 * chore: update markdown tables to include borders (#351) * update markdown tables to include borders * fix a couple of broken links in docs * fix: update Go module path to github.com/launchdarkly/ld-relay/v7 (#353) * feat: allow specifying redis username (#359) * feat: allow specifying redis username via config or environment variable * Update docs to include new username parameter * chore: upgrade goreleaser to 1.15.2 (#361) * chore: upgrade goreleaser to 1.15.2 and use conventional release artifact filenames * chore: fix typo in metrics.md (#221) * chore: bump golnag.org/x/net to v0.7.0 to address CVE-2022-41723 (#363) * chore: drop go 1.18 tests; add go 1.20 [v7] 
(#366) * chore: drop go1.18 support; add go 1.20 This commit also plumbs the existing 'go-release-version' parameter (which represents the version of Go we're using to build release artifacts) into the CircleCI config in a couple more places, so it cannot go out of sync accidentally. Additionally a new 'go-previous-version' param represents the previously supported Go version (by the Go team), and has been plumbed into CircleCI job config for the same reason. Finally, the scheduled security-scan/packaging jobs have been updated to the v7 branch. They shouldn't be v6, as the v6 branch already does those jobs. * chore: update golangci-lint to 1.51.2 * chore: create GitHub Action to notify new Go versions (#368) Adds a daily check against official supported Go versions. If Relay is out-of-date, submits a new issue with the details. * chore: bump supported Go versions to 1.20.2 & 1.19.7 [v7] (#373) go1.20.2 (released 2023-03-07) includes a security fix to the crypto/elliptic package, as well as bug fixes to the compiler, the covdata command, the linker, the runtime, and the crypto/ecdh, crypto/rsa, crypto/x509, os, and syscall packages. go1.19.7 (released 2023-03-07) includes a security fix to the crypto/elliptic package, as well as bug fixes to the linker, the runtime, and the crypto/x509 and syscall packages. * Update version checker to run at 9am PST, rather than 4pm PST * chore: update workflow_dispatch type to bool (#376) When you manually trigger the Go version checker workflow (workflow_dispatch), the 'force_create_issue' is a string ("false") instead of a bool. Update to type bool. * chore: fix workflow_dispatch type to boolean (#377) * fix: broken link in configuration.md for Proxy Mode (#378) * chore: create Dependabot configuration for v6 & v7 branches (#379) * chore: create .github/dependabot.yml Scheduled weekly, on Sunday. 
* chore: merge v6 into v7 to pull in REST client update; flaky tests fix (#383) * chore: update dependencies (#409) * chore: remove dependabot (#419) * chore: add tools.go to track goreleaser version (#422) * chore: add tools.go to track goreleaser version * chore: bump github.com/docker/docker from 20.10.21+incompatible to 20.10.24+incompatible (#423) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.21+incompatible to 20.10.24+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v20.10.21...v20.10.24) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: remove redundant stream.Restart() in autoconfig stream manager: (#426) * chore: update alpine docker image to 3.17.3 (#428) * chore: upgrade go from 1.20.2 -> 1.20.4 (#431) * chore: add release notes link to Go version checker workflow (#427) * chore: add release notes link to Go version checker workflow * attempt to fix the force_create_issue feature --------- 
Signed-off-by: dependabot[bot] Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com> Co-authored-by: Ben Woskow Co-authored-by: Eli Bishop Co-authored-by: LaunchDarklyReleaseBot Co-authored-by: Louis Chan Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com> Co-authored-by: Moshe Good Co-authored-by: Moshe Good Co-authored-by: LaunchDarklyCI Co-authored-by: hroederld Co-authored-by: Dan Richelson Co-authored-by: Dan Richelson Co-authored-by: Casey Waldren Co-authored-by: Phil Z Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .circleci/config.yml | 4 ++-- .github/ISSUE_TEMPLATE/update_go_versions.md | 8 ++++---- .github/workflows/check-go-versions.yml | 4 +--- .ldrelease/config.yml | 2 +- Dockerfile | 2 +- 5 files changed, 9 insertions(+), 11 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index a3b83f6c..f1aa3b0a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -9,12 +9,12 @@ parameters: # override it in any parameterized builds, but just as a convenient shareable constant. go-release-version: type: string - default: "1.20.2" + default: "1.20.4" # In addition to the most recent version of Go, we also support the previous version. go-previous-version: type: string - default: "1.19.7" + default: "1.19.9" # We use a remote Docker host in some CI jobs that need to run Docker containers. # As of 2022-04-15, the default Docker daemon version was 17.09.0-ce, which started diff --git a/.github/ISSUE_TEMPLATE/update_go_versions.md b/.github/ISSUE_TEMPLATE/update_go_versions.md index 6f77fb7d..e6dd6682 100644 --- a/.github/ISSUE_TEMPLATE/update_go_versions.md +++ b/.github/ISSUE_TEMPLATE/update_go_versions.md 
@@ -8,10 +8,10 @@ It's time to update Relay's supported Go versions, due to a recent upstream Go r The Go major release cadence is ~every 6 months; the two most recent major versions are supported. Note that between major releases, the Go team often ships multiple minor versions. -| | Current repo configuration | Desired repo configuration | -|-------------|------------------------------------|----------------------------------------| -| Latest | {{ env.RELAY_LATEST_VERSION}} | {{ env.OFFICIAL_LATEST_VERSION }} | -| Penultimate | {{ env.RELAY_PENULTIMATE_VERSION}} | {{ env.OFFICIAL_PENULTIMATE_VERSION }} | +| | Current repo configuration | Desired repo configuration | +|-------------|------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| Latest | {{ env.RELAY_LATEST_VERSION}} | [{{ env.OFFICIAL_LATEST_VERSION }}](https://go.dev/doc/devel/release#go{{ env.OFFICIAL_LATEST_VERSION }}) | +| Penultimate | {{ env.RELAY_PENULTIMATE_VERSION}} | [{{ env.OFFICIAL_PENULTIMATE_VERSION }}](https://go.dev/doc/devel/release#go{{ env.OFFICIAL_PENULTIMATE_VERSION }}) | diff --git a/.github/workflows/check-go-versions.yml b/.github/workflows/check-go-versions.yml index 28b0a39c..28ee7082 100644 --- a/.github/workflows/check-go-versions.yml +++ b/.github/workflows/check-go-versions.yml @@ -16,8 +16,6 @@ jobs: issues: write contents: read runs-on: ubuntu-latest - env: - force_create_issue: ${{ github.event.inputs.force_create_issue }} timeout-minutes: 2 steps: - uses: actions/checkout@v1 
@@ -49,7 +47,7 @@ jobs: # If the latest official Go version is different from Relay's release version, generate an issue # with useful details. - name: Create issue if update required - if: env.force_create_issue == true || (steps.relay-latest-version.outputs.result != env.officialLatestVersion) + if: github.event.inputs.force_create_issue || (steps.relay-latest-version.outputs.result != env.officialLatestVersion) uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.ldrelease/config.yml b/.ldrelease/config.yml index df883394..172b294f 100644 --- a/.ldrelease/config.yml +++ b/.ldrelease/config.yml @@ -38,7 +38,7 @@ repo: jobs: - docker: - image: cimg/go:1.20.2 # See "Runtime platform versions" in CONTRIBUTING.md + image: cimg/go:1.20.4 # See "Runtime platform versions" in CONTRIBUTING.md copyGitHistory: true template: name: go diff --git a/Dockerfile b/Dockerfile index 612e697f..ec5a2558 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # This is a standalone Dockerfile that does not depend on goreleaser building the binary # It is NOT the version that is pushed to dockerhub -FROM golang:1.20.2-alpine3.17 as builder +FROM golang:1.20.4-alpine3.17 as builder # See "Runtime platform versions" in CONTRIBUTING.md RUN apk --no-cache add \
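Review bot: the `go-previous-version` default in the `.circleci/config.yml` hunk moves from 1.19.7 to 1.19.9, but the commit message only records "upgrade go from 1.20.2 -> 1.20.4 (#431)", so the 1.19.x bump is undocumented. Mention it in the message or changelog so that anyone auditing which Go patch level CI tested against can find it.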
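Review bot: in the `update_go_versions.md` table, the new links build their fragment as `#go{{ env.OFFICIAL_LATEST_VERSION }}`, which only resolves if the variable holds a bare version with no `go` prefix. Document that assumption where the workflow sets the variable, or normalise the value there. Style point while these rows are being rewritten: `{{ env.RELAY_LATEST_VERSION}}` and `{{ env.RELAY_PENULTIMATE_VERSION}}` lack the space before `}}` that the other placeholders have.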
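Review bot: in the first `check-go-versions.yml` hunk, the context line `- uses: actions/checkout@v1` references a mutable tag, while `JasonEtco/create-an-issue` further down the same file is pinned to a full commit SHA. The job holds `issues: write`, so pin the checkout action to a commit SHA as well and keep the two references consistent.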
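Review bot: the new `if:` on the "Create issue if update required" step tests `github.event.inputs.force_create_issue` for truthiness, but values under `github.event.inputs` reach expressions as strings, and the non-empty string 'false' is truthy. A manual run with the input left at false would still create an issue, which is the same string-versus-bool problem the commit message describes for #376. Compare explicitly with `github.event.inputs.force_create_issue == 'true' || (...)`, or switch to the `inputs` context, which keeps the boolean type.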
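Review bot: `image: cimg/go:1.20.4` in the `.ldrelease/config.yml` hunk hard-codes the same release version that `.circleci/config.yml` keeps in `go-release-version`, with only the "See Runtime platform versions" comment guarding against drift. If the version-check scripts mentioned in the commit message do not already compare this file and the Dockerfile against that parameter, extend them so a partial bump fails CI.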
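Review bot: `FROM golang:1.20.4-alpine3.17 as builder` in the `Dockerfile` hunk fixes the Go patch version but not the image contents, because the tag is mutable and `alpine3.17` resolves to whichever 3.17.x is current at build time. If reproducible builder images matter for this standalone Dockerfile, pin by digest in the form `golang:1.20.4-alpine3.17@sha256:<digest>` and update the digest together with the version. Style point: prefer uppercase `AS` to match `FROM`.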