Bump go 1.21.10 and 1.22.3

[ahrtr]

What would you like to be added?

Both 1.21.10 and 1.22.3 include security fixes

Why is this needed?

fix CVE

[ivanvc]

Completion tracking below:

• main: go v1.22.3 - dependency: upgrade go to 1.22.3 #17975
• release-3.5: go v1.21.10 - [3.5] dependency : update the go v1.21.10 #17980
• release-3.4: go v1.21.10 - [3.4] dependency: update golang to 1.21.10 #17981
• CHANGELOG - changelog: add 3.4 and 3.5 note about go 1.21.10 #18019
• etcd-io/bbolt main: go v1.22.3 - dependency : update go version to 1.22.3 bbolt#753
• etcd-io/bbolt release-1.3: v1.21.10 - [1.3] dependency : update the go version to 1.21.10 bbolt#754
• etcd-io/raft main: go v1.22.3 - dependency: update the go version to 1.22.3 raft#199

Refer to previous PRs as a reference, i.e., #17269

[ivanvc]

@ahrtr, do we want to update bbolt and raft? Based on recent conversations I'm unsure if that's the intention.

[lavishpal]

@ahrtr could you assign this issue to me ?

[ivanvc]

/assign @lavishpal

[ahrtr]

@ahrtr, do we want to update bbolt and raft? Based on recent conversations I'm unsure if that's the intention.

I think the answer is YES. We follow the same rule as documented in dependency_management.md#golang-versions for all repos, and also #17876

[ahrtr]

Can we submit the PRs of bumping golang version for etcd (including main, release-3.5 and release-3.4) this week? Otherwise we will keep seeing failed workflow checks.

We also need to release new patches for 3.5 and 3.4 soon.

[henrybear327]

Can we submit the PRs of bumping golang version for etcd (including main, release-3.5 and release-3.4) this week? Otherwise we will keep seeing failed workflow checks.

We also need to release new patches for 3.5 and 3.4 soon.

It would be nice to have it done ASAP since this is blocking #17973 as the CI will not pass (and we would not like this to spillover to next week).

@ahrtr Maybe I can take over the etcd main branch update so I can proceed with the dependency update normally, while in the meantime @lavishpal can take his/her time working on the rest of the branches? :)

[ivanvc]

Ping @lavishpal. Would you work on this this week? Otherwise, we may need to reassign to some collaborator who can help with it, as it is making it fail our CI jobs. Thanks.

[lavishpal]

I will complete this within 2 days .

[jmhbnz]

Hey @lavishpal - Do you have capacity to complete the remainder of the pull requests listed in the completion tracker above #17964 (comment)?

[lavishpal]

Hey @lavishpal - Do you have capacity to complete the remainder of the pull requests listed in the completion tracker above #17964 (comment)?

Yeah i will complete it by tomorrow.

[ivanvc]

Wow, that was very quick. Thanks for the PRs, @lavishpal. Please update the ' CHANGELOG ' after closing #17980 and #17981.

Thanks again.

[ivanvc]

Also, as reference 1.21.10/1.22.3 address CVE: CVE-2024-24787.

[ivanvc]

@lavishpal, do you have the capacity to update the CHANGELOGs? As a reference, this is the PR when we updated them to 1.20.13: #17309

Thanks

[lavishpal]

@lavishpal, do you have the capacity to update the CHANGELOGs? As a reference, this is the PR when we updated them to 1.20.13: #17309

Thanks

@ivanvc Sure i will finish it by tomorrow.

[ahrtr]

I think we are ready to release new patches for both 3.4 and 3.5. @jmhbnz @spzala

[jmhbnz]

I think we are ready to release new patches for both 3.4 and 3.5. @jmhbnz @spzala

Agree. I've opened the planning issues:

• Plan to release etcd v3.5.14 #18013
• Plan to release etcd v3.4.33 #18014

I am happy to be release lead for v3.5.14, @spzala do you have availability to lead v3.4.33 release?

[ivanvc]

With all the tasks completed, we can close this issue now. Thanks, @lavishpal, for helping with this.