fix CVEs and bump go to 1.24.11 (#825)

* bump go to 1.24.11

* fix cves

* upgrade actions/setup-go@v5

* fix ci

Author: freeznet

.github/workflows/bundle-release.yml

@@ -49,10 +49,10 @@ jobs:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Set up GO 1.24.10
-        uses: actions/setup-go@v1
+      - name: Set up GO 1.24.11
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.24.10
+          go-version: 1.24.11
         id: go
 
       - name: InstallKubebuilder
@@ -180,10 +180,10 @@ jobs:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Set up GO 1.24.10
-        uses: actions/setup-go@v1
+      - name: Set up GO 1.24.11
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.24.10
+          go-version: 1.24.11
         id: go
 
       - name: InstallKubebuilder

.github/workflows/olm-verify.yml

@@ -34,10 +34,10 @@ jobs:
       - name: checkout
         uses: actions/checkout@v2
 
-      - name: Set up GO 1.24.10
-        uses: actions/setup-go@v1
+      - name: Set up GO 1.24.11
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.24.10
+          go-version: 1.24.11
         id: go
 
       - name: InstallKubebuilder

.github/workflows/project.yml

@@ -18,7 +18,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.22.12, 1.24.10]
+        go-version: [1.22.12, 1.24.11]
     steps:
       - name: Free Disk Space (Ubuntu)
         uses: jlumbroso/[email protected]
@@ -36,7 +36,7 @@ jobs:
           swap-storage: true
 
       - name: Set up Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
         id: go

.github/workflows/release.yml

@@ -37,10 +37,10 @@ jobs:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Set up GO 1.24.10
-        uses: actions/setup-go@v1
+      - name: Set up GO 1.24.11
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.24.10
+          go-version: 1.24.11
         id: go
 
       - name: InstallKubebuilder

.github/workflows/test-helm-charts.yml

@@ -83,11 +83,11 @@ jobs:
         run: hack/kind-cluster-build.sh --name chart-testing -c 1 -v 10 --k8sVersion v1.23.17
         if: steps.list-changed.outputs.changed == 'true'
 
-      - name: Set up GO 1.24.10
+      - name: Set up GO 1.24.11
         if: steps.list-changed.outputs.changed == 'true'
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.24.10
+          go-version: 1.24.11
         id: go
 
       - name: setup kubebuilder 3.6.0

.github/workflows/trivy.yml

@@ -27,17 +27,40 @@ jobs:
       TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
       TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
     steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/[email protected]
+        with:
+          # this might remove tools that are actually needed,
+          # if set to "true" but frees about 6 GB
+          tool-cache: false
+          # all of these default to true, but feel free to set to
+          # "false" if necessary for your workflow
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: true
+          swap-storage: true
+
+      # the runner machine has a disk /dev/sdb1 which mounted to /mnt, and it has more free disk than /dev/sda1.
+      # we can use it to save docker's data to avoid bookie error due to lack of disk.
+      - name: change docker data dir
+        run: |
+          sudo service docker stop
+          echo '{ "exec-opts": ["native.cgroupdriver=cgroupfs"], "cgroup-parent": "/actions_job", "data-root": "/mnt/docker" }' | sudo tee /etc/docker/daemon.json
+          sudo service docker start
+          
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
           repository: ${{github.event.pull_request.head.repo.full_name}}
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - name: Set up GO 1.24.10
-        uses: actions/setup-go@v1
+      - name: Set up GO 1.24.11
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.24.10
+          go-version: 1.24.11
         id: go
 
       - name: InstallKubebuilder

.github/workflows/trivy_scheduled_master.yml

@@ -38,17 +38,39 @@ jobs:
       TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
       TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
     steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/[email protected]
+        with:
+          # this might remove tools that are actually needed,
+          # if set to "true" but frees about 6 GB
+          tool-cache: false
+          # all of these default to true, but feel free to set to
+          # "false" if necessary for your workflow
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: true
+          swap-storage: true
+
+      # the runner machine has a disk /dev/sdb1 which mounted to /mnt, and it has more free disk than /dev/sda1.
+      # we can use it to save docker's data to avoid bookie error due to lack of disk.
+      - name: change docker data dir
+        run: |
+          sudo service docker stop
+          echo '{ "exec-opts": ["native.cgroupdriver=cgroupfs"], "cgroup-parent": "/actions_job", "data-root": "/mnt/docker" }' | sudo tee /etc/docker/daemon.json
+          sudo service docker start
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
           repository: ${{github.event.pull_request.head.repo.full_name}}
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - name: Set up GO 1.24.10
-        uses: actions/setup-go@v1
+      - name: Set up GO 1.24.11
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.24.10
+          go-version: 1.24.11
         id: go
 
       - name: InstallKubebuilder

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.24.10-trixie as builder
+FROM golang:1.24.11-trixie as builder
 
 WORKDIR /workspace/api
 COPY api/ .

api/go.mod

@@ -1,6 +1,6 @@
 module github.com/streamnative/function-mesh/api
 
-go 1.24.10
+go 1.24.11
 
 require (
 	k8s.io/api v0.30.9

go.mod

@@ -1,23 +1,23 @@
 module github.com/streamnative/function-mesh
 
-go 1.24.10
+go 1.24.11
 
 require (
-	github.com/apache/pulsar-client-go v0.9.1-0.20230816081803-fbee610ddcbf
+	github.com/apache/pulsar-client-go v0.17.0
 	github.com/go-logr/logr v1.4.2
 	github.com/golang/protobuf v1.5.4
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.35.1
 	github.com/prometheus/client_golang v1.20.5
 	github.com/streamnative/function-mesh/api v0.0.0
-	github.com/streamnative/pulsarctl v0.4.3-0.20240321142126-f3939fb0ed38
+	github.com/streamnative/pulsarctl v0.6.0
 	github.com/stretchr/testify v1.10.0
-	google.golang.org/protobuf v1.36.5
+	google.golang.org/protobuf v1.36.6
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.30.9
-	k8s.io/apimachinery v0.30.9
+	k8s.io/api v0.32.3
+	k8s.io/apimachinery v0.32.3
 	k8s.io/autoscaler/vertical-pod-autoscaler v0.11.0
-	k8s.io/client-go v0.30.9
+	k8s.io/client-go v0.32.3
 	sigs.k8s.io/controller-runtime v0.18.6
 	sigs.k8s.io/yaml v1.4.0
 )
@@ -32,7 +32,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/danieljoos/wincred v1.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
+	github.com/dvsekhvalnov/jose2go v1.7.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fatih/color v1.7.0 // indirect
@@ -46,8 +46,8 @@ require (
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt v3.2.1+incompatible // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/cel-go v0.17.8 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
@@ -61,7 +61,7 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kris-nova/logger v0.0.0-20181127235838-fd0d87064b06 // indirect
 	github.com/kris-nova/lolgopher v0.0.0-20180921204813-313b3abb0d9b // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
@@ -83,28 +83,29 @@ require (
 	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/oauth2 v0.29.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/term v0.31.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.10.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 // indirect
-	google.golang.org/grpc v1.65.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
+	google.golang.org/grpc v1.71.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -114,11 +115,17 @@ require (
 	k8s.io/component-base v0.30.9 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
-	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 )
 
+replace k8s.io/api => k8s.io/api v0.30.9
+
+replace k8s.io/apimachinery => k8s.io/apimachinery v0.30.9
+
+replace k8s.io/client-go => k8s.io/client-go v0.30.9
+
 replace github.com/streamnative/function-mesh/api => ./api