Begin testing on go1.21rc2 with loopvar experiment (#6952)

aarongable · web-flow · commit cc596bd4ebbc · 2023-06-26T16:35:29.000-07:00
Add go1.21rc2 to the matrix of go versions we test against. Add a new step to our CI workflows (boulder-ci, try-release, and release) which sets the "GOEXPERIMENT=loopvar" environment variable if we're running go1.21. This experiment makes it so that loop variables are scoped only to their single loop iteration, rather than to the whole loop. This prevents bugs such as our CAA Rechecking incident (https://bugzilla.mozilla.org/show_bug.cgi?id=1619047). Also add a line to our docker setup to propagate this environment variable into the container, where it can affect builds. Finally, fix one TLS-ALPN-01 test to have the fake subscriber server actually willing to negotiate the acme-tls/1 protocol, so that the ACME server's tls client actually waits to (fail to) get the certificate, instead of dying immediately. This fix is related to the upgrade to go1.21, not the loopvar experiment. Fixes #6950
diff --git a/.github/workflows/boulder-ci.yml b/.github/workflows/boulder-ci.yml
@@ -37,6 +37,7 @@ jobs:
         # Add additional docker image tags here and all tests will be run with the additional image.
         BOULDER_TOOLS_TAG:
           - go1.20.5_2023-06-20
+          - go1.21rc2_2023-06-21
         # Tests command definitions. Use the entire "docker compose" command you want to run.
         tests:
           # Run ./test.sh --help for a description of each of the flags.
@@ -60,10 +61,10 @@ jobs:
           # container (used for service discovery).
           - "docker compose run --use-aliases netaccess ./test.sh --gomod-vendor"
 
-    # This sets the docker image tag for the boulder-tools repository to
-    # use in tests. It will be set appropriately for each tag in the list
-    # defined in the matrix.
     env:
+      # This sets the docker image tag for the boulder-tools repository to
+      # use in tests. It will be set appropriately for each tag in the list
+      # defined in the matrix.
       BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }}
 
     # Sequence of tasks that will be executed as part of the job.
@@ -95,6 +96,11 @@ jobs:
       - name: docker compose pull
         run: docker compose pull
 
+      # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on
+      # go1.21rc2 or higher. This experiment value is unknown in lower versions.
+      - if: startsWith(matrix.BOULDER_TOOLS_TAG, 'go1.21')
+        run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV"
+
       # Run the test matrix. This will run
       - name: "Run Test: ${{ matrix.tests }}"
         run: ${{ matrix.tests }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,6 +16,7 @@ jobs:
       matrix:
         GO_VERSION:
           - "1.20.5"
+          - "1.21rc2"
     runs-on: ubuntu-20.04
     permissions:
       contents: write
@@ -24,6 +25,11 @@ jobs:
         with:
           persist-credentials: false
 
+      # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on
+      # go1.21rc2 or higher. This experiment value is unknown in lower versions.
+      - if: startsWith(matrix.GO_VERSION, '1.21')
+        run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV"
+
       - name: Build .deb
         id: build
         env:
diff --git a/.github/workflows/try-release.yml b/.github/workflows/try-release.yml
@@ -16,12 +16,18 @@ jobs:
       matrix:
         GO_VERSION:
           - "1.20.5"
+          - "1.21rc2"
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v3
         with:
           persist-credentials: false
 
+      # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on
+      # go1.21rc2 or higher. This experiment value is unknown in lower versions.
+      - if: startsWith(matrix.GO_VERSION, '1.21')
+        run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV"
+
       - name: Build .deb
         id: build
         env:
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -10,6 +10,8 @@ services:
       FAKE_DNS: 10.77.77.77
       BOULDER_CONFIG_DIR: &boulder_config_dir test/config
       GOFLAGS: -mod=vendor
+      # Forward the parent env's GOEXPERIMENT value into the container.
+      GOEXPERIMENT: ${GOEXPERIMENT}
     volumes:
       - .:/boulder:cached
       - ./.gocache:/root/.cache/go-build:cached
diff --git a/test/boulder-tools/tag_and_upload.sh b/test/boulder-tools/tag_and_upload.sh
@@ -12,7 +12,7 @@ DOCKER_REPO="letsencrypt/boulder-tools"
 # .github/workflows/release.yml,
 # .github/workflows/try-release.yml if appropriate,
 # and .github/workflows/boulder-ci.yml with the new container tag.
-GO_CI_VERSIONS=( "1.20.5" )
+GO_CI_VERSIONS=( "1.20.5" "1.21rc2" )
 # These versions are built for both platforms that boulder devs use.
 # When updating GO_DEV_VERSIONS, please also update
 # ../../docker-compose.yml's default Go version.
diff --git a/va/tlsalpn_test.go b/va/tlsalpn_test.go
@@ -157,6 +157,7 @@ func TestTLSALPN01FailIP(t *testing.T) {
 func slowTLSSrv() *httptest.Server {
 	server := httptest.NewUnstartedServer(http.DefaultServeMux)
 	server.TLS = &tls.Config{
+		NextProtos: []string{"http/1.1", ACMETLS1Protocol},
 		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 			time.Sleep(100 * time.Millisecond)
 			return makeACert([]string{"nomatter"}), nil
@@ -196,6 +197,7 @@ func TestTLSALPNTimeoutAfterConnect(t *testing.T) {
 		t.Fatalf("Connection should've timed out")
 	}
 	test.AssertEquals(t, prob.Type, probs.ConnectionProblem)
+
 	expected := "127.0.0.1: Timeout after connect (your server may be slow or overloaded)"
 	if prob.Detail != expected {
 		t.Errorf("Wrong error detail. Expected %q, got %q", expected, prob.Detail)
