From 7e3e91d83932daa89a2476e6c61129ace57a24fa Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Mon, 25 Sep 2023 17:55:22 -0300
Subject: [PATCH 1/4] ci: set minimal permisisons on github workflows (#325)
Signed-off-by: Diogo Teles Sant'Anna
---
.github/workflows/ci-v2.yaml | 3 +++
.github/workflows/ci.yml | 3 +++
2 files changed, 6 insertions(+)
diff --git a/.github/workflows/ci-v2.yaml b/.github/workflows/ci-v2.yaml
index 60a19e87..095e89a6 100644
--- a/.github/workflows/ci-v2.yaml
+++ b/.github/workflows/ci-v2.yaml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ master, qa ]
+permissions:
+ contents: read
+
 jobs:
 test-gomod-v2:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4b9f917c..64d09c3f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ master, qa ]
+permissions:
+ contents: read
+
 jobs:
 test-gomod:
 runs-on: ubuntu-latest
From 0bd0398fa9e8a8e9dd9dc5c33d8374f6b7f5e17b Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Thu, 7 Dec 2023 13:37:04 -0300
Subject: [PATCH 2/4] Create Security Policy (#329)
---
SECURITY.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..721976d3
--- /dev/null
+++ b/SECURITY.md
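Review bot: ci-update-workflow.yml is not given the same top-level `permissions: contents: read`, so its default GITHUB_TOKEN scope still comes from the repository setting; the patch 3 context shows that workflow declaring `id-token: write # Enable OIDC` only at job level, and adding the top-level block there too (keeping `id-token: write` on the job) would give all three workflows the same read-only floor. The second hunk adds the identical block to ci.yml, so this note covers both. Nothing in either workflow's visible jobs needs more than read, and a top-level `permissions` block sets every unlisted scope to none, so any job that later needs another scope must request it explicitly at job level.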
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied only to the latest release.
+
+## Reporting a Vulnerability
+
+If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to evaluate and fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
+
+Please disclose it at our [security advisory](https://github.com/golang/appengine/security/advisories/new).
+
+This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be handled and/or disclosed in a best effort base.
From aabaab1e9a9b0f7fc697c36f97735c4d572be889 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Wed, 13 Dec 2023 15:53:22 -0300
Subject: [PATCH 3/4] Feature: Hash-pin sensitive workflow dependencies and enable dependabot for them (#332)
* feat: hash-pin sensitive workflows
Signed-off-by: Diogo Teles Sant'Anna
* feat: configure dependabot to run over github actions
This also is specifying how dependabot will work on updates for go modules. The config is set up to:
- Update github actions together in a single monthly PR
- Version updates for GO modules from "/go.mod" will be sent together in a weekly PR.
- Version updates for GO modules from "/v2/go.mod" will be sent separately from the ones in "/go.mod", but will also be sent together in a weekly PR.
Signed-off-by: Diogo Teles Sant'Anna
---------
Signed-off-by: Diogo Teles Sant'Anna
---
.github/dependabot.yml | 28 ++++++++++++++++++++++++
.github/workflows/ci-update-workflow.yml | 10 ++++-----
2 files changed, 33 insertions(+), 5 deletions(-)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..830dbcf1
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+
+ - package-ecosystem: "gomod"
+ directory: "/v2"
+ schedule:
+ interval: "weekly"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
\ No newline at end of file
diff --git a/.github/workflows/ci-update-workflow.yml b/.github/workflows/ci-update-workflow.yml
index 96875231..91fcad07 100644
--- a/.github/workflows/ci-update-workflow.yml
+++ b/.github/workflows/ci-update-workflow.yml
@@ -19,12 +19,12 @@ jobs:
 id-token: write # Enable OIDC
 steps:
 - id: 'auth'
- uses: 'google-github-actions/auth@v1'
+ uses: google-github-actions/auth@3a3c4c57d294ef65efaaee4ff17b22fa88dd3c69 # v1.3.0
 with:
 credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
 - name: 'Set up Cloud SDK'
- uses: 'google-github-actions/setup-gcloud@v1'
+ uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
 - name: Get available Go versions
 run: |
@@ -35,11 +35,11 @@ jobs:
 id: get_versions
 - name: Checkout appengine repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 # Sign the commit.
 # https://www.chainguard.dev/unchained/keyless-git-commit-signing-with-gitsign-and-github-actions
- - uses: chainguard-dev/actions/setup-gitsign@main
+ - uses: chainguard-dev/actions/setup-gitsign@e74da3cd82dab55e35736f1ef031a12fa5b95299 # main
 - name: Update Go versions
 run: |
@@ -58,7 +58,7 @@ jobs:
 sed -i "0,/^ go-version: \[.*/s// go-version: \[$versions_str\]/" .github/workflows/ci-v2.yaml
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v4
+ uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4.2.4
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: Update go-version matrix
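Review bot: The two `gomod` entries reuse the group key `github-actions:` from the first entry, so the module update PRs will be grouped and titled under a name that describes the wrong ecosystem. Group names are arbitrary labels, so rename them to what they cover, e.g. `gomod:` for the `directory: "/"` entry and `gomod-v2:` for the `directory: "/v2"` entry; the `patterns: - "*"` under each can stay as is. The file also ends without a trailing newline (`\ No newline at end of file`), worth fixing while it is being touched.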
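Review bot: In the second ci-update-workflow.yml hunk, `chainguard-dev/actions/setup-gitsign@e74da3cd82dab55e35736f1ef031a12fa5b95299 # main` pins a commit taken from a moving branch, and the trailing `# main` gives Dependabot no version to compare against, so this pin will probably not be refreshed by the monthly `github-actions` group added in dependabot.yml and will need manual bumps. If the action has no tagged release, say so in the comment, e.g. `# main - no tagged release; bump by hand`, so a later reader does not read it as an oversight; the other four pins in this file carry `# vX.Y.Z` comments and are fine. `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0` stays on the v2 major; later majors exist and Dependabot should propose the jump once the config lands, so that one can be left to it.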
From 3ab9c40c53fc8b2b053d3fe76ccd03fdc3178ab6 Mon Sep 17 00:00:00 2001
From: Kenneth Ye <30275095+kennethye1@users.noreply.github.com>
Date: Mon, 8 Apr 2024 14:36:47 -0700
Subject: [PATCH 4/4] Update go versions to 1.22 and remove end of support runtimes (#353)
* Update go versions to 1.22
Signed-off-by: kennethye1
* Upgrade aetest to go122
Signed-off-by: kennethye1
---------
Signed-off-by: kennethye1
---
.github/workflows/ci-v2.yaml | 54 ++----------------------------------
.github/workflows/ci.yml | 49 +-------------------------------
aetest/instance_vm.go | 2 +-
v2/aetest/instance.go | 2 +-
4 files changed, 5 insertions(+), 102 deletions(-)
diff --git a/.github/workflows/ci-v2.yaml b/.github/workflows/ci-v2.yaml
index 095e89a6..5c568525 100644
--- a/.github/workflows/ci-v2.yaml
+++ b/.github/workflows/ci-v2.yaml
@@ -15,7 +15,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- go-version: ['1.11.x', '1.13.x', '1.16.x', '1.18.x', '1.19.x', '1.20.x', '1.21.x']
+ go-version: ['1.19.x', '1.20.x', '1.21.x', '1.22.x']
 env:
 working-directory: ./v2
@@ -58,54 +58,4 @@ jobs:
 export CLOUDSDK_PYTHON="python3"
 go test -v -cover -race google.golang.org/appengine/v2/...
 # TestAPICallAllocations doesn't run under race detector.
- go test -v -cover google.golang.org/appengine/v2/internal/... -run TestAPICallAllocations
-
- test-gopath-v2:
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- # GOPATH is deprecated in go 1.13.
- go-version: [ '1.11.x', '1.12.x']
- env:
- working-directory: ./v2
-
- steps:
- - name: Update base image, intall Python2 and Python3
- run: |
- sudo apt-get update
- sudo apt-get install -y python2
- sudo apt-get install -y python3
- - name: Set up Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go-version }}
- - name: Checkout
- uses: actions/checkout@v2
- - name: Cache go modules
- uses: actions/cache@v2
- with:
- path: |
- ~/.cache/go-build
- ~/go/pkg/mod
- key: ${{ runner.os }}-${{ matrix.go-version }}-go-${{ hashFiles('**/go.sum') }}
- restore-keys: |
- ${{ runner.os }}-${{ matrix.go-version }}-go-
- - name: Set up Cloud SDK
- uses: google-github-actions/setup-gcloud@v0
- - name: Install
- working-directory: ${{env.working-directory}}
- env:
- GO111MODULE: off
- run: |
- go get -u -v $(go list -f '{{join .Imports "\n"}}{{"\n"}}{{join .TestImports "\n"}}' ./... | sort | uniq | grep -v appengine)
- go get -u google.golang.org/appengine/v2
- gcloud components install app-engine-python app-engine-go cloud-datastore-emulator app-engine-python-extras --quiet
- - name: Test gopath v2
- working-directory: ${{env.working-directory}}
- run: |
- export APPENGINE_DEV_APPSERVER=$(which dev_appserver.py)
- export CLOUDSDK_PYTHON="python3"
- go test -v -cover -race google.golang.org/appengine/v2/...
- # TestAPICallAllocations doesn't run under race detector.
- go test -v -cover google.golang.org/appengine/v2/internal/... -run TestAPICallAllocations
+ go test -v -cover google.golang.org/appengine/v2/internal/... -run TestAPICallAllocations
\ No newline at end of file
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 64d09c3f..f5441e4b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- go-version: [ '1.11.x', '1.12.x', '1.13.x', '1.14.x', '1.15.x', '1.16.x', '1.18.x', '1.19.x', '1.20.x']
+ go-version: ['1.19.x', '1.20.x', '1.21.x', '1.22.x']
 steps:
 - name: Update base image, intall Python2 and Python3
@@ -56,50 +56,3 @@ jobs:
 go test -v -cover -race google.golang.org/appengine/...
 # TestAPICallAllocations doesn't run under race detector.
 go test -v -cover google.golang.org/appengine/internal/... -run TestAPICallAllocations
-
- test-gopath:
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- # GOPATH is deprecated in go 1.13.
- go-version: [ '1.11.x', '1.12.x']
-
- steps:
- - name: Update base image, intall Python2 and Python3
- run: |
- sudo apt-get update
- sudo apt-get install -y python2
- sudo apt-get install -y python3
- export CLOUDSDK_PYTHON="python3"
- - name: Set up Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go-version }}
- - name: Checkout
- uses: actions/checkout@v2
- - name: Cache go modules
- uses: actions/cache@v2
- with:
- path: |
- ~/.cache/go-build
- ~/go/pkg/mod
- key: ${{ runner.os }}-${{ matrix.go-version }}-go-${{ hashFiles('**/go.sum') }}
- restore-keys: |
- ${{ runner.os }}-${{ matrix.go-version }}-go-
- - name: Set up Cloud SDK
- uses: google-github-actions/setup-gcloud@v0
- - name: Install
- env:
- GO111MODULE: off
- run: |
- go get -u -v $(go list -f '{{join .Imports "\n"}}{{"\n"}}{{join .TestImports "\n"}}' ./... | sort | uniq | grep -v appengine)
- go get -u google.golang.org/appengine
- gcloud components install app-engine-python app-engine-go cloud-datastore-emulator app-engine-python-extras --quiet
- name: Test gopath
- run: |
- export APPENGINE_DEV_APPSERVER=$(which dev_appserver.py)
- export CLOUDSDK_PYTHON="python3"
- go test -v -cover -race google.golang.org/appengine/...
- # TestAPICallAllocations doesn't run under race detector.
- go test -v -cover google.golang.org/appengine/internal/... -run TestAPICallAllocations
diff --git a/aetest/instance_vm.go b/aetest/instance_vm.go
index 1f36bbe6..c2685e80 100644
--- a/aetest/instance_vm.go
+++ b/aetest/instance_vm.go
@@ -275,7 +275,7 @@ func (i *instance) appYAML() string {
 const appYAMLTemplate = `
 application: %s
 version: 1
-runtime: go111
+runtime: go122
 handlers:
 - url: /.*
diff --git a/v2/aetest/instance.go b/v2/aetest/instance.go
index 5ca59f64..54f912ad 100644
--- a/v2/aetest/instance.go
+++ b/v2/aetest/instance.go
@@ -325,7 +325,7 @@ func (i *instance) appYAML() string {
 const appYAMLTemplate = `
 application: %s
 version: 1
-runtime: go111
+runtime: go122
 handlers:
 - url: /.*
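Review bot: `runtime: go122` in `appYAMLTemplate` is a hand-maintained string that has to track the newest version in the CI matrix (this commit bumps both at once), and the same template is duplicated in aetest/instance_vm.go and v2/aetest/instance.go, so a future bump that edits one copy leaves the other silently on an older runtime. A comment on the constant would make the coupling visible, e.g. `// The runtime id below must match the newest entry in the CI go-version matrix; keep in step with v2/aetest/instance.go.`, with the mirror comment in the v2 copy. The hunk shows only the head of the template; the `const` and its closing backtick continue outside it, and the `appYAML()` method named in the hunk header is not itself changed.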