diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index ba8b48f..94dc706 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "linkerd-dev", - "image": "ghcr.io/linkerd/dev:v46", + "image": "ghcr.io/linkerd/dev:v48", "customizations": { "vscode": { "extensions": [ diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9e725af..9bd0170 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,15 +1,11 @@ version: 2 updates: - package-ecosystem: "docker" - directory: "/.devcontainer" + directory: "/" schedule: - interval: daily - time: "05:00" - timezone: "UTC" + interval: "weekly" - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" - time: "04:00" - timezone: "UTC" + interval: "weekly" diff --git a/Dockerfile b/Dockerfile index 3227cc8..be1f776 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,8 +5,8 @@ ## -ARG GO_TAG=1.24 -ARG RUST_TAG=1.88.0 +ARG GO_TAG=1.25 +ARG RUST_TAG=1.90.0 # These layers include Debian apt caches, so layers that extend `apt-base` # should not be published. Instead, these layers should be used to provide @@ -45,13 +45,13 @@ RUN url="https://github.com/olix0r/j5j/releases/download/${J5J_VERSION}/j5j-${J5 # just runs build/test recipes. Like `make` but a bit more ergonomic. FROM apt-base as just -ARG JUST_VERSION=1.42.4 # repo=casey/just +ARG JUST_VERSION=1.43.0 # repo=casey/just RUN url="https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \ scurl "$url" | tar zvxf - -C /usr/local/bin just # yq is kind of like jq, but for YAML. FROM apt-base as yq -ARG YQ_VERSION=v4.47.1 # repo=mikefarah/yq +ARG YQ_VERSION=v4.47.2 # repo=mikefarah/yq RUN url="https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" ; \ scurl -o /yq "$url" && chmod +x /yq 
@@ -67,7 +67,7 @@ COPY --link bin/scurl /bin/ # helm templates kubernetes manifests. FROM apt-base as helm -ARG HELM_VERSION=v3.18.4 # repo=helm/helm +ARG HELM_VERSION=v3.19.0 # repo=helm/helm RUN url="https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" ; \ scurl "$url" | tar xzvf - --strip-components=1 -C /usr/local/bin linux-amd64/helm @@ -80,15 +80,13 @@ RUN url="https://github.com/norwoodj/helm-docs/releases/download/$HELM_DOCS_VERS # kubectl controls kubernetes clusters. FROM apt-base as kubectl -ARG KUBECTL_VERSION=v1.33.3 # repo=kubernetes/kubernetes +ARG KUBECTL_VERSION=v1.34.1 # repo=kubernetes/kubernetes RUN url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" ; \ scurl -o /usr/local/bin/kubectl "$url" && chmod +x /usr/local/bin/kubectl # k3d runs kubernetes clusters in docker. FROM apt-base as k3d -ARG K3D_VERSION=v5.8.3 # repo=rancher/k3d -RUN url="https://raw.githubusercontent.com/rancher/k3d/$K3D_VERSION/install.sh" ; \ - scurl "$url" | USE_SUDO=false K3D_INSTALL_DIR=/usr/local/bin bash +COPY --link --from=ghcr.io/k3d-io/k3d:5.8.3 /bin/k3d /usr/local/bin/ # just-k3d is a utility that encodes many of the common k3d commands we use. COPY --link bin/just-k3d /usr/local/bin/ # `K3S_IMAGES_JSON` configures just-k3d so that it uses a pinned version of k3s. @@ -96,12 +94,6 @@ COPY --link bin/just-k3d /usr/local/bin/ ENV K3S_IMAGES_JSON=/usr/local/etc/k3s-images.json COPY --link k3s-images.json "$K3S_IMAGES_JSON" -# step is a tool for managing certificates. -FROM apt-base as step -ARG STEP_VERSION=v0.28.7 # repo=smallstep/cli -RUN url="https://dl.smallstep.com/gh-release/cli/gh-release-header/${STEP_VERSION}/step_linux_${STEP_VERSION#v}_amd64.tar.gz" ; \ - scurl "$url" | tar xzvf - --strip-components=2 -C /usr/local/bin step_"${STEP_VERSION#v}"/bin/step - FROM scratch as tools-k8s COPY --link --from=helm /usr/local/bin/helm /bin/ COPY --link --from=helm-docs /usr/local/bin/helm-docs /bin/ 
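Review bot: The new `COPY --link --from=ghcr.io/k3d-io/k3d:5.8.3 /bin/k3d /usr/local/bin/` in the `@@ -80` hunk takes the binary from a third-party image selected by tag only, and tags are mutable, so the build no longer names a fixed artifact; the same applies to the step-cli, cosign, oras, syft and grype images in the `@@ -109` hunk and to the shellcheck image in the `@@ -141` hunk. The `scurl` downloads being replaced were not checksum-verified either, so this is not a regression, but digest pinning is cheap here: `COPY --link --from=ghcr.io/k3d-io/k3d:5.8.3@sha256:<k3d-image-digest> /bin/k3d /usr/local/bin/` keeps the tag for readability and makes the stage reproducible. The removed `ARG ... # repo=...` annotations look like the hook some version-tracking tooling used for these tools; the dependabot docker ecosystem is now pointed at `/`, but whether it picks up `COPY --from` references (and their digests) is worth confirming so these tools do not silently drop out of update tracking.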
@@ -109,21 +101,13 @@ COPY --link --from=k3d /usr/local/bin/* /bin/ ENV K3S_IMAGES_JSON=/etc/k3s-images.json COPY --link --from=k3d /usr/local/etc/k3s-images.json "$K3S_IMAGES_JSON" COPY --link --from=kubectl /usr/local/bin/kubectl /bin/ -COPY --link --from=step /usr/local/bin/step /bin/ - -FROM apt-base as syft -ARG SYFT_VERSION=v1.29.0 # repo=anchore/syft -RUN url="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/syft_${SYFT_VERSION#v}_linux_amd64.tar.gz" ; \ - scurl "$url" | tar xzvf - -C /usr/local/bin syft - -FROM apt-base as grype -ARG GRYPE_VERSION=v0.96.1 # repo=anchore/grype -RUN url="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}/grype_${GRYPE_VERSION#v}_linux_amd64.tar.gz" ; \ - scurl "$url" | tar xzvf - -C /usr/local/bin grype +COPY --link --from=docker.io/smallstep/step-cli:0.28.7 /usr/local/bin/step /bin/ FROM scratch as tools-oci -COPY --link --from=syft /usr/local/bin/syft /bin/ -COPY --link --from=grype /usr/local/bin/grype /bin/ +COPY --link --from=ghcr.io/sigstore/cosign/cosign:v2.6.0 /ko-app/cosign /bin/ +COPY --link --from=ghcr.io/oras-project/oras:v1.3.0 /bin/oras /bin/ +COPY --link --from=ghcr.io/anchore/syft:v1.33.0 /syft /bin/ +COPY --link --from=ghcr.io/anchore/grype:v0.96.1 /grype /bin/ ## ## Linting tools 
@@ -141,17 +125,10 @@ ARG CHECKSEC_VERSION=2.7.1 # ignore RUN url="https://raw.githubusercontent.com/slimm609/checksec/${CHECKSEC_VERSION}/checksec" ; \ scurl -o /usr/local/bin/checksec "$url" && chmod 755 /usr/local/bin/checksec -# shellcheck lints shell scripts. -FROM apt-base as shellcheck -ARG SHELLCHECK_VERSION=v0.10.0 # repo=koalaman/shellcheck -RUN url="https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" ; \ - scurl "$url" | tar xJvf - --strip-components=1 -C /usr/local/bin "shellcheck-${SHELLCHECK_VERSION}/shellcheck" -COPY --link bin/just-sh /usr/local/bin/ - FROM scratch as tools-lint COPY --link --from=actionlint /usr/local/bin/actionlint /bin/ COPY --link --from=checksec /usr/local/bin/checksec /bin/ -COPY --link --from=shellcheck /usr/local/bin/shellcheck /bin/ +COPY --link --from=docker.io/koalaman/shellcheck:v0.11.0 /bin/shellcheck /bin/ COPY --link bin/action-* bin/just-dev bin/just-sh /bin/ ## @@ -159,7 +136,7 @@ COPY --link bin/action-* bin/just-dev bin/just-sh /bin/ ## FROM apt-base as protobuf -ARG PROTOC_VERSION=v31.1 # repo=protocolbuffers/protobuf +ARG PROTOC_VERSION=v32.1 # repo=protocolbuffers/protobuf RUN url="https://github.com/google/protobuf/releases/download/$PROTOC_VERSION/protoc-${PROTOC_VERSION#v}-linux-$(uname -m).zip" ; \ cd $(mktemp -d) && \ scurl -o protoc.zip "$url" && \ 
@@ -186,13 +163,13 @@ RUN url="https://github.com/rust-secure-code/cargo-auditable/releases/download/$ # cargo-deny checks cargo dependencies for licensing and RUSTSEC security issues. FROM apt-base as cargo-deny -ARG CARGO_DENY_VERSION=0.18.3 # repo=EmbarkStudios/cargo-deny +ARG CARGO_DENY_VERSION=0.18.5 # repo=EmbarkStudios/cargo-deny RUN url="https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \ scurl "$url" | tar zvxf - --strip-components=1 -C /usr/local/bin "cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny" # cargo-nextest is a nicer test runner. FROM apt-base as cargo-nextest -ARG NEXTEST_VERSION=0.9.101 # repo=nextest-rs/nextest,prefix=cargo-nextest- +ARG NEXTEST_VERSION=0.9.104 # repo=nextest-rs/nextest,prefix=cargo-nextest- RUN url="https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-${NEXTEST_VERSION}/cargo-nextest-${NEXTEST_VERSION}-x86_64-unknown-linux-gnu.tar.gz" ; \ scurl "$url" | tar zvxf - -C /usr/local/bin cargo-nextest @@ -248,7 +225,7 @@ FROM docker.io/library/golang:${GO_TAG} as gotests RUN go install github.com/cweill/gotests/gotests@latest FROM docker.io/library/golang:${GO_TAG} as gotestsum -ARG GOTESTSUM_VERSION=v1.12.0 +ARG GOTESTSUM_VERSION=v1.13.0 # repo=gotestyourself/gotestsum RUN go install gotest.tools/gotestsum@${GOTESTSUM_VERSION} FROM scratch as tools-go @@ -310,6 +287,7 @@ RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \ cmake \ curl \ file \ + gh \ git \ jo \ jq \ 
@@ -344,6 +322,7 @@ RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \ --mount=type=cache,from=apt-base,source=/var/cache/apt,target=/var/cache/apt,sharing=locked \ --mount=type=cache,from=apt-base,source=/var/lib/apt/lists,target=/var/lib/apt/lists,sharing=locked \ DEBIAN_FRONTEND=noninteractive apt-get install -y \ + binutils-aarch64-linux-gnu \ g++-aarch64-linux-gnu \ gcc-aarch64-linux-gnu \ libc6-dev-arm64-cross diff --git a/actions/setup-go/action.yml b/actions/setup-go/action.yml index 7e344ec..18753ee 100644 --- a/actions/setup-go/action.yml +++ b/actions/setup-go/action.yml @@ -5,7 +5,7 @@ inputs: # TODO(ver): CI should validate at this version matches that in the Dockerfile version: description: Go version - default: 1.24 + default: 1.25 runs: using: composite diff --git a/actions/setup-rust/action.yml b/actions/setup-rust/action.yml index 530cc14..3eeab08 100644 --- a/actions/setup-rust/action.yml +++ b/actions/setup-rust/action.yml @@ -6,7 +6,7 @@ inputs: # TODO(ver): CI should validate at this version matches that in the Dockerfile version: description: Container image version - default: 1.88.0 + default: 1.90.0 components: description: Rust components to install diff --git a/actions/setup-tools/action.yml b/actions/setup-tools/action.yml index 435ee53..86b4970 100644 --- a/actions/setup-tools/action.yml +++ b/actions/setup-tools/action.yml 
@@ -5,27 +5,36 @@ inputs: # TODO(ver): CI should validate at this version matches the most recent release tag version: description: Container image version - default: v47 + default: v48 runs: using: composite steps: - - uses: docker/setup-buildx-action@v3 + - name: "Hack mandb" + shell: bash + run: | + sudo dpkg-divert --local --rename --add /usr/bin/mandb + sudo ln -sf /bin/true /usr/bin/mandb + + - shell: bash + run: sudo apt-get update && sudo apt-get install -y --no-install-recommends jo umoci - name: Extract tools shell: bash run: | set -xeuo pipefail - build=$(mktemp -d '${{ runner.temp }}/build.XXXX') - echo 'FROM ghcr.io/linkerd/dev:${{ inputs.version }}-tools' > "$build"/Dockerfile + oci_dir=$(mktemp -d '${{ runner.temp }}/oci.XXXX') + bundle_dir=$(mktemp -d '${{ runner.temp }}/bundle.XXXX') - tools=$(mktemp -d '${{ runner.temp }}/tools.XXXX') - docker buildx build "$build" --output="type=local,dest=$tools/" + skopeo copy \ + "docker://ghcr.io/linkerd/dev:${{ inputs.version }}-tools" \ + "oci:$oci_dir:tools" + + umoci unpack --rootless --image "$oci_dir:tools" "$bundle_dir" + + tools="$bundle_dir/rootfs" ( echo K3S_IMAGES_JSON="$tools/etc/k3s-images.json" echo PATH="$tools/bin:$PATH" ) >> "$GITHUB_ENV" - - - shell: bash - run: sudo apt-get update && sudo apt-get install -y --no-install-recommends jo jq diff --git a/bin/just-cargo b/bin/just-cargo index d052ce8..c759763 100755 --- a/bin/just-cargo +++ b/bin/just-cargo @@ -9,7 +9,7 @@ profile := 'debug' # or 'release' _release := if profile == 'release' { '--release' } else { '' } toolchain := "" -export CARGO := env_var_or_default("CARGO", "cargo" + if toolchain != "" { " +" + toolchain } else { "" }) +export CARGO := env_var_or_default("CARGO", "cargo auditable" + if toolchain != "" { " +" + toolchain } else { "" }) target := '' _target := if target == '' { 
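Review bot: The new "Hack mandb" step diverts `/usr/bin/mandb` and symlinks it to `/bin/true` with no explanation; presumably this skips man-db trigger processing during the following apt-get install, which should be confirmed and recorded, e.g. `# Disable man-db triggers, which otherwise dominate apt-get install time on the runner.` The "Extract tools" step now calls `skopeo copy`, but the preceding step installs only `jo umoci`, so the action relies on skopeo being preinstalled on the runner image; either add it to that apt-get line or document the assumption. The source `"docker://ghcr.io/linkerd/dev:${{ inputs.version }}-tools"` is still resolved by mutable tag, and the `${{ inputs.version }}` expression is expanded straight into the bash script; passing it via `env:` (for example `env: { TOOLS_VERSION: "${{ inputs.version }}" }` and `"docker://ghcr.io/linkerd/dev:${TOOLS_VERSION}-tools"`) keeps the script free of expression injection.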
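Review bot: Changing the `CARGO` default to `"cargo auditable"` makes every just-cargo invocation depend on cargo-auditable being on PATH, and when `toolchain` is set the command becomes `cargo auditable +<toolchain>` with the `+toolchain` argument after `auditable` rather than directly after `cargo`; it is worth verifying that form is accepted. A short comment above the line would help, e.g. `# cargo-auditable embeds the dependency list in built binaries so SBOM/audit tools can inspect them; set CARGO=cargo to bypass it.`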
@@ -33,14 +33,12 @@ _rustflags-self-contained := "-Clink-self-contained=yes -Clinker=rust-lld -Clink
 # linux/arm64 + gnu
 export AR_aarch64_unknown_linux_gnu := _ar
 export CC_aarch64_unknown_linux_gnu := _clang
-export CFLAGS_aarch64_unknown_linux_gnu := '--sysroot=/usr/aarch64-linux-gnu'
 export STRIP_aarch64_unknown_linux_gnu := _strip
 export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER := 'aarch64-linux-gnu-gcc'
 
 # linux/arm64 + musl
 export AR_aarch64_unknown_linux_musl := _ar
 export CC_aarch64_unknown_linux_musl := _clang
-export CFLAGS_aarch64_unknown_linux_musl := '--sysroot=/usr/aarch64-linux-gnu'
 export STRIP_aarch64_unknown_linux_musl := _strip
 export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS := _rustflags-self-contained
 
diff --git a/k3s-images.json b/k3s-images.json
index d648e3b..f551680 100644
--- a/k3s-images.json
+++ b/k3s-images.json
@@ -1,8 +1,8 @@
 {
 "name": "docker.io/rancher/k3s",
 "channels": {
- "stable": "v1.32.6-k3s1",
- "latest": "v1.33.2-k3s1",
+ "stable": "v1.33.5-k3s1",
+ "latest": "v1.34.1-k3s1",
 "v1.20": "v1.20.15-k3s1",
 "v1.21": "v1.21.14-k3s1",
 "v1.22": "v1.22.17-k3s1",
@@ -13,10 +13,11 @@
 "v1.27": "v1.27.16-k3s1",
 "v1.28": "v1.28.15-k3s1",
 "v1.29": "v1.29.15-k3s1",
- "v1.30": "v1.30.14-k3s1",
- "v1.31": "v1.31.10-k3s1",
- "v1.32": "v1.32.6-k3s1",
- "v1.33": "v1.33.2-k3s1"
+ "v1.30": "v1.30.14-k3s2",
+ "v1.31": "v1.31.13-k3s1",
+ "v1.32": "v1.32.9-k3s1",
+ "v1.33": "v1.33.5-k3s1",
+ "v1.34": "v1.34.1-k3s1"
 },
 "digests": {
 "v1.20.15-k3s1": "sha256:0e49b63b8ee234e308ff578682f8f4f2f95bffda7ba75077e5da29548cd2a6b3",
@@ -29,9 +30,10 @@
 "v1.27.16-k3s1": "sha256:b7bca8255da9e25a9fdd95bae61f99f8cd424d90691fc5125621b2955bebdfd2",
 "v1.28.15-k3s1": "sha256:af4f882a4cfaf418cb03d52c59cd150f42bf2b72f084c4592c6a133f4856660d",
 "v1.29.15-k3s1": "sha256:8f782bd47a41509e89c1ad1d60b02998cc5b0f1310a36c65aa0f331cde866c80",
- "v1.30.14-k3s1": "sha256:cbed71f50f16fc98a7f64c6ecf21fd8fc04efc41ad7d664fb46b199c7bd3fda7",
- "v1.31.10-k3s1": "sha256:8c7032ab267c3a571bac4fafffbb54e249386dbc73ebe5532fb390fa998a7936",
- "v1.32.6-k3s1": "sha256:4cd4ccd268089f92e4efcc64916b1313ecdd38291a48129508cf47fa32934006",
- "v1.33.2-k3s1": "sha256:d8f05b9043d136c3fb01d6cf677caaef304568b8c99bdd359b86d3d7286de1df"
+ "v1.30.14-k3s2": "sha256:5f02ba89b28861574b1677d91943b57f55f5fe0b451d539f83e650c8925fd9a2",
+ "v1.31.13-k3s1": "sha256:3f43b78b337265dc1c0540e1f88af18ca4826910353120991a0edfeaa68d1269",
+ "v1.32.9-k3s1": "sha256:af1f66e58580ea4027eeef9a65ef95cc29554ff96c8eddb4fc1267c71fe15328",
+ "v1.33.5-k3s1": "sha256:fd4740667b7033055c27d424d0d2d660bf66cedbdb225d68e0eab6dd48aa0fd2",
+ "v1.34.1-k3s1": "sha256:5e0707cfd1239b358ef73f3254bc3eadc027dd30cd5ec6ca41e29e47652a1b8c"
 }
 }