Build golangci-lint via go rather than curl | bash #396
Conversation
```bash
if [[ -z "$(command -v golangci-lint)" ]]; then
  echo "Cannot find golangci-lint. Installing golangci-lint..."
  curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v1.31.0
fi
```
That's only for testing; is there still a security issue here?
Our vulnerability scanners don't distinguish what the script is used for, only that it's in the repo. Even if it's in test, it's still running in CI jobs etc.
Which vulnerability scanner are you referring to?
Internal Google ones.
It's sometimes hard not to use curl in testing; I think it's better to exclude the test folder if that's configurable?
Actually this hack/verify-golint.sh could be deleted since there is already a GitHub action doing the same check:
csi-driver-smb/.github/workflows/static.yaml
Lines 12 to 16 in 40bce95
```yaml
- name: Run linter
  uses: golangci/golangci-lint-action@v2
  with:
    version: v1.29
    args: -E=gofmt,golint,misspell --timeout=30m0s
```
Deleting this sounds even better to me! I'll update the PR.
Had to update golang.org/x/text to v0.3.7
/retest
Pull Request Test Coverage Report for Build 1609514834
💛 - Coveralls
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: andyzhangx, mattcary. The full list of commands accepted by this bot can be found here. The pull request process is described here.
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Remove the use of curl'ing an arbitrary internet file through bash, which is now considered a security issue. Instead, just use go build.
I created this by go mod download'ing golangci, then go install'ing golangci-lint, which produced a lot of errors asking to go get certain dependencies. I did that by hand, go mod tidy'd, and everything seems to work.
Release note:
/assign @jingxu97
/assign @lizhuqi
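As an added example (not code from this PR or the csi-driver-smb repo), the script below does two things the thread talks about: it flags the pattern the internal scanner objected to, a download piped straight into a shell, in any script you point it at, and it shows the pinned Go-toolchain install that replaces the curl | sh line. The regex, the function names and the reuse of the v1.31.0 pin from the removed script are my assumptions; `go install pkg@version` needs Go 1.16 or newer.

```shell
#!/usr/bin/env bash
# Added example, not part of the csi-driver-smb project.
set -eu

# Return 0 when a line pipes a curl/wget download into sh, bash or sudo bash,
# with or without trailing arguments such as "-s -- -b <dir> v1.31.0".
is_pipe_to_shell() {
  printf '%s\n' "$1" |
    grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)'
}

# Scan one script file the way a repo-wide scanner would: report every
# offending line with its number and return 1 if any was found, 0 otherwise.
scan_script() {
  local file="$1" n=0 found=0 line=""
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    if is_pipe_to_shell "$line"; then
      printf '%s:%d: pipes a download into a shell: %s\n' "$file" "$n" "$line"
      found=1
    fi
  done < "$file"
  return "$found"
}

# Replacement for the removed curl | sh block: build golangci-lint from its
# module source at a pinned tag, so go.sum checks the code and nothing from
# a mutable "master" branch is executed. Needs the Go toolchain and network.
install_golangci_lint() {
  local version="${1:-v1.31.0}"   # pin assumed from the removed script
  GOBIN="$(go env GOPATH)/bin" \
    go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${version}"
}

# Constructed sample: the old install line next to its replacement.
SAMPLE_SCRIPT='#!/bin/sh
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v1.31.0
curl -sSfL https://example.invalid/install.sh -o /tmp/install.sh
go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.31.0'

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); printf '%s\n' "$SAMPLE_SCRIPT" > "$tmp"
  scan_script "$tmp" || echo "scan found pipe-to-shell installs"
  rm -f "$tmp"
fi
```

Run with `--demo` to scan the embedded sample; point `scan_script` at `hack/*.sh` to check a real tree.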