updatecli: microsoft security patches (#566)

v1v · web-flow · commit d4ba5f93eec1 · 2025-04-01T19:16:43.000+02:00
diff --git a/.github/actions/bump-golang/action.yml b/.github/actions/bump-golang/action.yml
@@ -36,7 +36,7 @@ runs:
         uses: updatecli/updatecli-action@92a13b95c2cd9f1c6742c965509203c6a5635ed7 # v2.68.0
 
       - name: Run Updatecli in Apply mode
-        run: updatecli ${{ env.COMMAND }} --config ./.github/updatecli.d/bump-golang.yml
+        run: updatecli ${{ env.COMMAND }} --config ./.github/updatecli.d/
         env:
           COMMAND: ${{ inputs.command }}
           BRANCH: ${{ inputs.branch }}
diff --git a/.github/updatecli.d/bump-go-microsoft-version.sh b/.github/updatecli.d/bump-go-microsoft-version.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+#
+# Given the Golang microsoft version this script will bump the version.
+#
+# This script is executed by the automation we are putting in place
+#
+# Parameters:
+#	$1 -> the Golang release version to be bumped. Mandatory.
+#
+set -euo pipefail
+MSG="parameter missing."
+GO_RELEASE_VERSION=${1:?$MSG}
+OS=$(uname -s| tr '[:upper:]' '[:lower:]')
+if [ "${OS}" == "darwin" ] ; then
+	SED="sed -i .bck"
+else
+	SED="sed -i"
+fi
+
+MAJOR_MINOR_PATCH_VERSION=$(echo "$GO_RELEASE_VERSION" | sed -E -e "s#([0-9]+\.[0-9]+\.[0-9]+).*#\1#g")
+SECURITY_VERSION=$(echo "$GO_RELEASE_VERSION" | sed -E -e "s#([0-9]+\.[0-9]+\.[0-9]+)(.+)#\2#g")
+
+# Gather microsoft/go sha256 values
+MSFT_DOWNLOAD_METADATA=$(curl -s -L https://aka.ms/golang/release/latest/go${MAJOR_MINOR_PATCH_VERSION}.assets.json)
+MSFT_DOWNLOAD_SHA256_ARM=$(echo $MSFT_DOWNLOAD_METADATA | jq -r ".arches[] | select( .env.GOOS == \"linux\") | select( .env.GOARCH == \"arm64\") | .sha256")
+MSFT_DOWNLOAD_SHA256_AMD=$(echo $MSFT_DOWNLOAD_METADATA | jq -r ".arches[] | select( .env.GOOS == \"linux\") | select( .env.GOARCH == \"amd64\") | .sha256")
+
+echo "Update go version ${GO_RELEASE_VERSION}"
+
+find "go" -type f -name Dockerfile.tmpl -print0 |
+    while IFS= read -r -d '' line; do
+        ${SED} -E -e "s#(ARG GOLANG_VERSION)=[0-9]+\.[0-9]+(\.[0-9]+)?#\1=${MAJOR_MINOR_PATCH_VERSION}#g" "$line"
+        if echo "$line" | grep -q 'arm' ; then
+            ${SED} -E -e "s#(ARG MSFT_DOWNLOAD_SHA256)=.+#\1=${MSFT_DOWNLOAD_SHA256_ARM}#g" "$line"
+            ${SED} -E -e "s#(ARG SECURITY_VERSION)=.+#\1=${SECURITY_VERSION}#g" "$line"
+        else
+            ${SED} -E -e "s#(ARG MSFT_DOWNLOAD_SHA256)=.+#\1=${MSFT_DOWNLOAD_SHA256_AMD}#g" "$line"
+            ${SED} -E -e "s#(ARG SECURITY_VERSION)=.+#\1=${SECURITY_VERSION}#g" "$line"
+        fi
+    done
diff --git a/.github/updatecli.d/bump-microsoft.yml b/.github/updatecli.d/bump-microsoft.yml
@@ -0,0 +1,67 @@
+---
+name: Bump golang-microsoft to latest version
+pipelineid: 'bump-golang-microsoft-version-{{ requiredEnv "BRANCH" }}'
+
+scms:
+  githubConfig:
+    kind: github
+    spec:
+      user: '{{ requiredEnv "GITHUB_ACTOR" }}'
+      username: '{{ requiredEnv "GITHUB_ACTOR" }}'
+      owner: elastic
+      repository: golang-crossbuild
+      token: '{{ requiredEnv "GITHUB_TOKEN" }}'
+      branch: '{{ requiredEnv "BRANCH" }}'
+      commitusingapi: true
+
+actions:
+  default:
+    title: '[Automation] Bump Microsoft version to {{ source "latestGoVersion" }}'
+    kind: github/pullrequest
+    scmid: githubConfig
+    spec:
+      automerge: true
+      labels:
+        - automation
+        - dependencies
+        - backport-skip
+      description: |
+        See https://github.com/microsoft/go/releases/v{{ source "latestGoVersion" }}
+
+sources:
+  minor:
+    name: Get minor version
+    kind: shell
+    transformers:
+      - findsubmatch:
+          pattern: '^\d+.(\d+)'
+          captureindex: 1
+    spec:
+      command: echo {{ requiredEnv "GO_MINOR" }}
+
+  latestGoVersion:
+    name: Get Latest Go Release
+    kind: githubrelease
+    dependson:
+      - minor
+    transformers:
+      - trimprefix: v
+    spec:
+      owner: microsoft
+      repository: go
+      token: '{{ requiredEnv "GITHUB_TOKEN" }}'
+      username: '{{ requiredEnv "GITHUB_ACTOR" }}'
+      versionfilter:
+        kind: regex
+        pattern: v1\.{{ source "minor" }}\.(\d*)-(\d*)$
+
+targets:
+  update-go-versions:
+    name: 'Update go version {{ source "latestGoVersion" }}'
+    kind: shell
+    sourceid: latestGoVersion
+    scmid: githubConfig
+    spec:
+      command: .github/updatecli.d/bump-go-microsoft-version.sh
+      environments:
+        - name: PATH
diff --git a/go/base-arm/Dockerfile.tmpl b/go/base-arm/Dockerfile.tmpl
@@ -59,7 +59,8 @@ RUN \
 
 ARG GOLANG_VERSION=1.24.1
 {{- if eq .FIPS "true"}}
-ARG GOLANG_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$GOLANG_VERSION.linux-arm64.tar.gz
+ARG SECURITY_VERSION=
+ARG GOLANG_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$GOLANG_VERSION$SECURITY_VERSION.linux-arm64.tar.gz
 # Use a different arg name for microsoft/go sha so it can be handled seperately from the regular golang sha
 ARG MSFT_DOWNLOAD_SHA256=73b1befea457d5967632b2b0b93f8d2c0d899d5b6fbd1396c55d0a015292608b
 ARG DOWNLOAD_SHA256=$MSFT_DOWNLOAD_SHA256
diff --git a/go/base/Dockerfile.tmpl b/go/base/Dockerfile.tmpl
@@ -33,7 +33,8 @@ RUN ln -s /usr/bin/pip3 /usr/bin/pip
 
 ARG GOLANG_VERSION=1.24.1
 {{- if eq .FIPS "true"}}
-ARG GOLANG_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$GOLANG_VERSION.linux-amd64.tar.gz
+ARG SECURITY_VERSION=
+ARG GOLANG_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$GOLANG_VERSION$SECURITY_VERSION.linux-amd64.tar.gz
 # Use a different arg name for microsoft/go sha so it can be handled seperately from the regular golang sha
 ARG MSFT_DOWNLOAD_SHA256=b0ca85ecc435a93e2ddb626dd9ef7fb6689700a0847b0392eb3e146345a8dea0
 ARG DOWNLOAD_SHA256=$MSFT_DOWNLOAD_SHA256
