chore: update to go1.24 #3467
PR Overview
This PR updates the Go version configuration across multiple CI workflows to align with the upgrade to Go 1.24, while also removing an obsolete tools registration file and updating some dependency configurations.
- Update go-version settings from fixed version ranges (e.g. "^1.23") to non-deterministic strings ("latest" or "stable").
- Remove the build/tools/tools.go file, which previously imported various tool dependencies.
- Adjust the invocation of go-junit-report in unit test pipelines.
Reviewed Changes
File | Description |
---|---|
.github/workflows/cyclonus-netpol-extended-nightly-test.yaml | Updated go-version from "^1.23" to "latest" for Go version configuration. |
.github/workflows/cyclonus-netpol-test.yaml | Updated go-version from '^1.23' to "latest". |
.github/workflows/golangci.yaml | Switched go-version to "stable" and updated golangci-lint version to "latest". |
.github/workflows/codeql.yaml | Updated go-version from "1.23" to "latest". |
.github/dependabot.yaml | Removed a dependency block for "/build/tools". |
.github/workflows/crdgen.yaml | Removed matrix configuration and set a fixed runner and go-version to "stable". |
.pipelines/templates/unit-tests.stages.yaml | Changed go-junit-report invocation to use "go tool go-junit-report". |
.pipelines/templates/run-unit-tests.yaml | Changed go-junit-report invocation to use "go tool go-junit-report". |
build/tools/tools.go | Deleted file registering tool dependencies. |
Copilot reviewed 48 out of 48 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
build/tools/tools.go:1
- Removal of the tools.go file may affect dependencies on tool registration; please verify that no parts of the build or tooling process rely on these imports.
package tools
/azp run Azure Container Networking PR
Azure Pipelines successfully started running 1 pipeline(s).
strategy: | ||
matrix: | ||
go-version: ['1.22', '1.23'] | ||
os: [ubuntu-latest] | ||
name: CRDs are Generated | ||
runs-on: ${{ matrix.os }} | ||
runs-on: ubuntu-latest |
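Review bot: at `runs-on: ubuntu-latest`, with the `strategy.matrix` block (`go-version: ['1.22', '1.23']`) no longer driving the job, CRD generation is checked against a single Go toolchain only. A short comment on the `CRDs are Generated` job stating which Go version is authoritative for generated output would let a difference between local and CI results be traced to the toolchain.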
Going from matrix to a single job has changed the required status checks.
This applies to all workflows
that's what I want. the required status checks will be updated to match the new workflow names
os: [ubuntu-latest, windows-latest] | ||
name: Lint | ||
runs-on: ${{ matrix.os }} | ||
steps: | ||
- uses: actions/setup-go@v5 | ||
with: | ||
go-version: ${{ matrix.go-version }} |
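Review bot: `uses: actions/setup-go@v5` in the Lint job references a mutable tag, while the Go base image elsewhere in this PR is pinned by sha256 digest. Pinning the action to a full commit SHA, with the version kept in a trailing comment, would give the workflow the same guarantee and leave `go-version: ${{ matrix.go-version }}` as the only moving input to decide on.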
This will break all PRs every go minor version bump until we bump our go.mod to match. Is that acceptable?
I think we can do go-version-file: go.mod here?
> This will break all PRs every go minor version bump

I'm not sure that's true, but I'm amenable to the go-version-file change anyway
# skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.24-cbl-mariner2.0 --format "{{.Name}}@{{.Digest}}" | ||
FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:15c9b9b8449f55446243ce20c5d3808cc18625d0b358d70aaad402fb73c0766f AS go |
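Review bot: the `FROM --platform=linux/${ARCH}` line combines a variable platform with one fixed digest. Please confirm that the digest printed by the `skopeo inspect` command in the comment above it is the multi-arch index digest and not a single platform's manifest; if it is platform-specific, a build with a different `ARCH` may resolve to an image for the wrong platform. Noting which kind of digest is expected in the hint comment would make later refreshes safer.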
This image tag will be constantly overwritten. Using the sha here prevents us from pulling the newer versions which is counter to what I believe this is trying to do. New sha is 605d0a6f05734845927f450a62e081bd19c03dbe1fdbf993cfedc8506c9192b4
Also, we want reproducible and expected builds. Why not specify 1.24.X image tag?
> Using the sha here prevents us from pulling the newer versions

Yes, this is the goal with sha pinning. Pulling images via sha will allow us to control the exact image that we want to use across builds, hence reproducible and expected 🙂
I want to be able to answer this question. What is the expected patch version?
I want to be able to update this later and know when I pull the sha for golang:1.24-cbl-mariner2.0 it is a certain version. Stdlib CVE updates have taken up residence in my mind.
stdlib CVE updates come in new patch versions. Do you want to have to update the hint with that new patch version, or just rerun it and copy/paste the SHA?
See also #3397
Thought about this more and if I really wanted detailed information on the patch version being used, I would only care after trivy has informed me I need to update.
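The convention discussed in this thread, a `# skopeo inspect` hint comment directly above a digest-pinned `FROM`, can be checked mechanically. The following is an added example, not code from this PR or the project; `LintDockerfile`, the `registry.example` names and the digests are constructed placeholders, and it assumes the hint sits on the line immediately above the `FROM`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var ( // hintRe and pinRe capture the repository without any :tag
	fromRe = regexp.MustCompile(`(?i)^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?`)
	hintRe = regexp.MustCompile(`^#\s*skopeo inspect docker://(\S+?)(?::[^/\s]+)?(?:\s|$)`)
	pinRe  = regexp.MustCompile(`^(\S+?)(?::[^/@]+)?@sha256:[0-9a-f]{64}$`)
)

// sample is constructed for this example; registries and digests are placeholders.
var sample = strings.NewReplacer("<A>", strings.Repeat("a", 64), "<B>", strings.Repeat("b", 64)).Replace(
	`# skopeo inspect docker://registry.example/oss/golang:1.24 --format "{{.Name}}@{{.Digest}}"
FROM --platform=linux/${ARCH} registry.example/oss/golang@sha256:<A> AS go
FROM registry.example/base:2.0 AS base
FROM registry.example/tools@sha256:<B> AS tools
# skopeo inspect docker://registry.example/other:1.0 --format "{{.Name}}@{{.Digest}}"
FROM registry.example/runtime@sha256:<B>
FROM go AS build`)

// LintDockerfile reports FROM lines that are not digest-pinned or lack a matching hint.
func LintDockerfile(src string) []string {
	var out []string
	stages := map[string]bool{"scratch": true} // names that are not registry pulls
	prev := ""
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if m := fromRe.FindStringSubmatch(line); m != nil {
			pin, hint := pinRe.FindStringSubmatch(m[1]), hintRe.FindStringSubmatch(prev)
			switch {
			case stages[strings.ToLower(m[1])]: // earlier build stage or scratch: nothing is pulled
			case pin == nil:
				out = append(out, fmt.Sprintf("line %d: %s is not pinned by digest", i+1, m[1]))
			case hint == nil:
				out = append(out, fmt.Sprintf("line %d: digest pin has no skopeo hint above it", i+1))
			case hint[1] != pin[1]:
				out = append(out, fmt.Sprintf("line %d: hint is for %s, pin is for %s", i+1, hint[1], pin[1]))
			}
			stages[strings.ToLower(m[2])] = true // record the AS alias (empty key is harmless)
		}
		prev = line
	}
	return out
}

func main() { fmt.Println(strings.Join(LintDockerfile(sample), "\n")) }
```

On the constructed sample it flags the tag-only `FROM`, the digest pin with no hint, and the pin whose hint names a different repository, while accepting the hinted pin and the stage reference.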
can we run npm conformance?
Signed-off-by: Evan Baker <rbtr@users.noreply.github.com>
This pull request is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days
Pull request closed due to inactivity.
notably, this kills hack/tools in favor of the new tools directive in the go.mod.

Go 1.24 now has FIPS certification of the 1P crypto, but we are currently still required to use MSFT Go...