DockerCLI/dockerfiles/Dockerfile.vendor

# syntax=docker/dockerfile:1

ARG GO_VERSION=1.21.3
ARG ALPINE_VERSION=3.17
ARG MODOUTDATED_VERSION=v0.8.0

FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
ENV GOTOOLCHAIN=local
RUN apk add --no-cache bash git rsync
WORKDIR /src

FROM base AS vendored
ENV GOPROXY=https://proxy.golang.org|direct
RUN --mount=target=/context \
    --mount=target=.,type=tmpfs  \
    --mount=target=/go/pkg/mod,type=cache <<EOT
set -e
rsync -a /context/. .
./scripts/vendor update
mkdir /out
cp -r vendor.mod vendor.sum vendor /out
EOT

FROM scratch AS update
COPY --from=vendored /out /out

FROM vendored AS validate
RUN --mount=target=/context \
    --mount=target=.,type=tmpfs <<EOT
set -e
rsync -a /context/. .
git add -A
rm -rf vendor
cp -rf /out/* .
./scripts/vendor validate
EOT

FROM psampaz/go-mod-outdated:${MODOUTDATED_VERSION} AS go-mod-outdated
FROM base AS outdated
RUN --mount=target=.,rw \
    --mount=target=/go/pkg/mod,type=cache \
    --mount=from=go-mod-outdated,source=/home/go-mod-outdated,target=/usr/bin/go-mod-outdated \
    ./scripts/vendor outdated
Dockerfile: use syntax=docker/dockerfile:1 Now that HEREDOC is included in the stable Dockerfile syntax, we can use the latest stable syntax for all Dockerfiles. The recommendation for the stable syntax is to use `:1` (which is equivalent to "latest" stable syntax. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-03-17 05:37:08 -04:00			`# syntax=docker/dockerfile:1`
vendor with go mod Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> 2021-12-16 15:15:53 -05:00
update to go1.21.3 go1.21.3 (released 2023-10-10) includes a security fix to the net/http package. See the Go 1.21.3 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.21.3+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.21.2...go1.21.3 From the security mailing: [security] Go 1.21.3 and Go 1.20.10 are released Hello gophers, We have just released Go versions 1.21.3 and 1.20.10, minor point releases. These minor releases include 1 security fixes following the security policy: - net/http: rapid stream resets can cause excessive work A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-10-11 13:29:25 -04:00			`ARG GO_VERSION=1.21.3`
Dockerfile: update ALPINE_VERSION to 3.17 Official Golang images are now only available for 3.18 and 3.17; 3.18 doesn't look to play well with gotestsum, so sticking to an older version. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-06-14 07:30:40 -04:00			`ARG ALPINE_VERSION=3.17`
vendor with go mod Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> 2021-12-16 15:15:53 -05:00			`ARG MODOUTDATED_VERSION=v0.8.0`

Dockerfile: add ALPINE_VERSION build-arg This allows us to pin to a specific version of Alpine, in case the golang:alpine image switches to a newer version, which may at times be incompatible, e.g. see https://github.com/moby/moby/issues/44570 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-12-04 08:01:30 -05:00			`FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base`
Dockerfile: use GOTOOLCHAIN=local This may find its way into the official images, but until it does, let's make sure we don't get unexpected updates of go. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-09-26 06:43:38 -04:00			`ENV GOTOOLCHAIN=local`
vendor with go mod Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> 2021-12-16 15:15:53 -05:00			`RUN apk add --no-cache bash git rsync`
			`WORKDIR /src`

			`FROM base AS vendored`
Dockerfile.vendor: update GOPROXY to use default with fallback Use the default proxy, to assist with vanity domains mis-behaving, but keep a fallback for situations where we need to get modules from GitHub directly. This should hopefully help with the gopkg.in/yaml.v2 domain often going AWOL; #14 245.9 gopkg.in/yaml.v2@v2.4.0: unrecognized import path "gopkg.in/yaml.v2": reading https://gopkg.in/yaml.v2?go-get=1: 502 Bad Gateway #14 245.9 server response: Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe curl 'https://gopkg.in/yaml.v2?go-get=1' Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe From the Go documentation; https://go.dev/ref/mod#goproxy-protocol > List elements may be separated by commas (,) or pipes (\|), which determine error > fallback behavior. When a URL is followed by a comma, the go command falls back > to later sources only after a 404 (Not Found) or 410 (Gone) response. When a URL > is followed by a pipe, the go command falls back to later sources after any error, > including non-HTTP errors such as timeouts. This error handling behavior lets a > proxy act as a gatekeeper for unknown modules. For example, a proxy could respond > with error 403 (Forbidden) for modules not on an approved list (see Private proxy > serving private modules). Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-06-02 07:12:35 -04:00			`ENV GOPROXY=https://proxy.golang.org\|direct`
vendor with go mod Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> 2021-12-16 15:15:53 -05:00			`RUN --mount=target=/context \`
			`--mount=target=.,type=tmpfs \`
			`--mount=target=/go/pkg/mod,type=cache <<EOT`
			`set -e`
			`rsync -a /context/. .`
			`./scripts/vendor update`
			`mkdir /out`
			`cp -r vendor.mod vendor.sum vendor /out`
			`EOT`

			`FROM scratch AS update`
			`COPY --from=vendored /out /out`

			`FROM vendored AS validate`
			`RUN --mount=target=/context \`
			`--mount=target=.,type=tmpfs <<EOT`
			`set -e`
			`rsync -a /context/. .`
			`git add -A`
			`rm -rf vendor`
			`cp -rf /out/* .`
			`./scripts/vendor validate`
			`EOT`

			`FROM psampaz/go-mod-outdated:${MODOUTDATED_VERSION} AS go-mod-outdated`
			`FROM base AS outdated`
			`RUN --mount=target=.,rw \`
			`--mount=target=/go/pkg/mod,type=cache \`
			`--mount=from=go-mod-outdated,source=/home/go-mod-outdated,target=/usr/bin/go-mod-outdated \`
			`./scripts/vendor outdated`