NE-2074: UPSTREAM: <carry>: Configure Renovate updates of images, go-toolset and CVEs #52
Conversation
|
@grzpiotrowski: This pull request references NE-2074 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Dry run results tested on the fork:
$ npx renovate --token $GITHUB_TOKEN --dry-run=full grzpiotrowski/aws-load-balancer-controller
INFO: Repository started (repository=grzpiotrowski/aws-load-balancer-controller)
"renovateVersion": "41.46.4"
INFO: Dependency extraction complete (repository=grzpiotrowski/aws-load-balancer-controller, baseBranch=main)
"stats": {
"managers": {
"dockerfile": {"fileCount": 6, "depCount": 18},
"gomod": {"fileCount": 1, "depCount": 170}
},
"total": {"fileCount": 7, "depCount": 188}
}
INFO: DRY-RUN: Would commit files to branch renovate/go-github.com-containerd-containerd-vulnerability (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/go-github.com-containerd-containerd-vulnerability)
INFO: DRY-RUN: Would commit files to branch renovate/go-golang.org-x-crypto-vulnerability (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/go-golang.org-x-crypto-vulnerability)
INFO: DRY-RUN: Would commit files to branch renovate/go-golang.org-x-net-vulnerability (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/go-golang.org-x-net-vulnerability)
INFO: DRY-RUN: Would commit files to branch renovate/go-golang.org-x-oauth2-vulnerability (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/go-golang.org-x-oauth2-vulnerability)
INFO: DRY-RUN: Would commit files to branch renovate/go-helm.sh-helm-v3-vulnerability (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/go-helm.sh-helm-v3-vulnerability)
INFO: DRY-RUN: Would commit files to branch renovate/go-github.com-docker-docker-vulnerability (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/go-github.com-docker-docker-vulnerability)
INFO: DRY-RUN: Would commit files to branch renovate/registry.access.redhat.com-ubi9-go-toolset-1.x (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/registry.access.redhat.com-ubi9-go-toolset-1.x)
INFO: DRY-RUN: Would commit files to branch renovate/registry.access.redhat.com-ubi9-ubi-9.x (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/registry.access.redhat.com-ubi9-ubi-9.x)
INFO: DRY-RUN: Would commit files to branch renovate/alpine-3.x (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/alpine-3.x)
INFO: Cannot find replaceString in current file content. Was it already updated? (repository=grzpiotrowski/aws-load-balancer-controller, packageFile=vendor/github.com/rubenv/sql-migrate/Dockerfile, branch=renovate/golang-1.x)
"depName": "golang",
"existingContent": "ARG GO_VERSION=1.24.5\nARG ALPINE_VERSION=3.12\n\n### Vendor\nFROM golang:${GO_VERSION} as vendor\nCOPY . /project\nWORKDIR /project\nRUN go mod tidy && go mod vendor\n\n### Build binary\nFROM golang:${GO_VERSION} as build-binary\nCOPY . /project\nCOPY --from=vendor /project/vendor /project/vendor\nWORKDIR /project\nRUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 GO111MODULE=on go build \\\n -v \\\n -mod vendor \\\n -o /project/bin/sql-migrate \\\n /project/sql-migrate\n\n### Image\nFROM alpine:${ALPINE_VERSION} as image\nCOPY --from=build-binary /project/bin/sql-migrate /usr/local/bin/sql-migrate\nRUN chmod +x /usr/local/bin/sql-migrate\nENTRYPOINT [\"sql-migrate\"]\n",
"replaceString": "ARG GO_VERSION=1.20.6\n"
INFO: Cannot find replaceString in current file content. Was it already updated? (repository=grzpiotrowski/aws-load-balancer-controller, packageFile=vendor/github.com/docker/distribution/Dockerfile, branch=renovate/golang-1.x)
"depName": "golang",
"existingContent": "# syntax=docker/dockerfile:1\n\nARG GO_VERSION=1.19.9\nARG ALPINE_VERSION=3.16\nARG XX_VERSION=1.2.1\n\nFROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx\nFROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base\nCOPY --from=xx / /\nRUN apk add --no-cache bash coreutils file git\nENV GO111MODULE=auto\nENV CGO_ENABLED=0\nWORKDIR /go/src/github.com/docker/distribution\n\nFROM base AS version\nARG PKG=\"github.com/docker/distribution\"\nRUN --mount=target=. \\\n VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi); \\\n echo \"-X ${PKG}/version.Version=${VERSION#v} -X ${PKG}/version.Revision=${REVISION} -X ${PKG}/version.Package=${PKG}\" | tee /tmp/.ldflags; \\\n echo -n \"${VERSION}\" | tee /tmp/.version;\n\nFROM base AS build\nARG TARGETPLATFORM\nARG LDFLAGS=\"-s -w\"\nARG BUILDTAGS=\"include_oss include_gcs\"\nRUN --mount=type=bind,target=/go/src/github.com/docker/distribution,rw \\\n --mount=type=cache,target=/root/.cache/go-build \\\n --mount=target=/go/pkg/mod,type=cache \\\n --mount=type=bind,source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \\\n set -x ; xx-go build -trimpath -ldflags \"$(cat /tmp/.ldflags) ${LDFLAGS}\" -o /usr/bin/registry ./cmd/registry \\\n && xx-verify --static /usr/bin/registry\n\nFROM scratch AS binary\nCOPY --from=build /usr/bin/registry /\n\nFROM base AS releaser\nARG TARGETOS\nARG TARGETARCH\nARG TARGETVARIANT\nWORKDIR /work\nRUN --mount=from=binary,target=/build \\\n --mount=type=bind,target=/src \\\n --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \\\n VERSION=$(cat /tmp/.version) \\\n && mkdir -p /out \\\n && cp /build/registry /src/README.md /src/LICENSE . 
\\\n && tar -czvf \"/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz\" * \\\n && sha256sum -z \"/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz\" | awk '{ print $1 }' > \"/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz.sha256\"\n\nFROM scratch AS artifact\nCOPY --from=releaser /out /\n\nFROM alpine:${ALPINE_VERSION}\nRUN apk add --no-cache ca-certificates\nCOPY cmd/registry/config-dev.yml /etc/docker/registry/config.yml\nCOPY --from=binary /registry /bin/registry\nVOLUME [\"/var/lib/registry\"]\nEXPOSE 5000\nENTRYPOINT [\"registry\"]\nCMD [\"serve\", \"/etc/docker/registry/config.yml\"]\n",
"replaceString": "golang:1.19.9-alpine3.16"
INFO: DRY-RUN: Would commit files to branch renovate/golang-1.x (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/golang-1.x)
INFO: DRY-RUN: Would commit files to branch renovate/tonistiigi-xx-1.x (repository=grzpiotrowski/aws-load-balancer-controller, branch=renovate/tonistiigi-xx-1.x)
INFO: DRY-RUN: Would close Dependency Dashboard (repository=grzpiotrowski/aws-load-balancer-controller)
"title": "Dependency Dashboard"
INFO: DRY-RUN: Would save repository cache. (repository=grzpiotrowski/aws-load-balancer-controller)
INFO: Repository finished (repository=grzpiotrowski/aws-load-balancer-controller)
"cloned": true,
"durationMs": 75971
INFO: Renovate was run at log level "info". Set LOG_LEVEL=debug in environment variables to see extended debug logs. |
|
Force-pushed db04b59 to 6108a08
|
Force-pushed 6108a08 to f08e67b
Reviewed lines of the Renovate configuration:
"enabled": true
},
"commitMessagePrefix": "UPSTREAM: <carry>: "
"osvVulnerabilityAlerts": true
What's the difference between osvVulnerabilityAlerts and vulnerabilityAlerts? And why are they called alerts? Will this really trigger some alert?
This I've taken from renovate docs: Security presets.
vulnerabilityAlerts uses Github advisory database as the source of information. It's also the config field that can be used to tweak CVE PRs, like specify the scheduling or prefixes, labels etc.
osvVulnerabilityAlerts is just a simple on/off switch to include osv.dev as the source of known vulnerabilities and I believe it covers more packages than github's database (?).
As for the alerts in the naming, as far as I researched there won't be any alerts apart from the PRs with bumps.
> vulnerabilityAlerts uses Github advisory database as the source of information. It's also the config field that can be used to tweak CVE PRs, like specify the scheduling or prefixes, labels etc.
> osvVulnerabilityAlerts is just a simple on/off switch to include osv.dev as the source of known vulnerabilities and I believe it covers more packages than github's database (?).
Do you think it's worth a comment or it's documented in Renovate docs?
We can always follow up to add more comments, LGTM.
Thank you. For the record I added the relevant docs links to the PR's description. The information is mentioned there.
…CVEs Configures base and builder image updates restricted to be only within the major version 9. Go version updates restricted to be within the minor version 1.22. Disables go module updates except for CVE related ones.
Force-pushed f08e67b to c08aa7f
|
Here is the relevant fragment from a LOG_LEVEL=debug dry run. It shows exactly what package/image would be updated and to which version. One thing I noticed is that it would update the go-toolset from
Note: To make the dry run work I pushed the changes to the main branch on my aws-load-balancer-controller fork and then ran:
LOG_LEVEL=debug npx renovate@41.49.1 --token $GITHUB_TOKEN --dry-run=full grzpiotrowski/aws-load-balancer-controller
Relevant fragment of the output:
DEBUG: Branch summary (repository=grzpiotrowski/aws-load-balancer-controller)
"cacheModified": undefined,
"baseBranches": [{"branchName": "main", "sha": "121a240338b1db7dc8b3b7c3189c7a1425e72629"}],
"branches": [],
"defaultBranch": "main",
"inactiveBranches": [
"renovate/go-github.com-containerd-containerd-vulnerability",
"renovate/go-golang.org-x-crypto-vulnerability",
"renovate/go-golang.org-x-net-vulnerability",
"renovate/go-golang.org-x-oauth2-vulnerability",
"renovate/go-helm.sh-helm-v3-vulnerability",
"renovate/go-github.com-docker-docker-vulnerability",
"renovate/registry.access.redhat.com-ubi9-go-toolset-1.x",
"renovate/registry.access.redhat.com-ubi9-ubi-9.x"
]
DEBUG: branches info extended (repository=grzpiotrowski/aws-load-balancer-controller)
"branchesInformation": [
{
"branchName": "renovate/go-github.com-containerd-containerd-vulnerability",
"prNo": null,
"prTitle": "UPSTREAM: <carry>: Update module github.com/containerd/containerd to v1.7.27 [SECURITY]",
"result": "no-work",
"upgrades": [
{
"datasource": "go",
"depName": "github.com/containerd/containerd",
"displayPending": "",
"fixedVersion": "v1.7.12",
"currentVersion": "v1.7.12",
"currentValue": "v1.7.12",
"newValue": "v1.7.27",
"newVersion": "v1.7.27",
"packageFile": "go.mod",
"updateType": "patch",
"packageName": "github.com/containerd/containerd"
}
]
},
{
"branchName": "renovate/go-golang.org-x-crypto-vulnerability",
"prNo": null,
"prTitle": "UPSTREAM: <carry>: Update module golang.org/x/crypto to v0.35.0 [SECURITY]",
"result": "no-work",
"upgrades": [
{
"datasource": "go",
"depName": "golang.org/x/crypto",
"displayPending": "",
"fixedVersion": "v0.21.0",
"currentVersion": "v0.21.0",
"currentValue": "v0.21.0",
"newValue": "v0.35.0",
"newVersion": "v0.35.0",
"packageFile": "go.mod",
"updateType": "minor",
"packageName": "golang.org/x/crypto"
}
]
},
{
"branchName": "renovate/go-golang.org-x-net-vulnerability",
"prNo": null,
"prTitle": "UPSTREAM: <carry>: Update module golang.org/x/net to v0.38.0 [SECURITY]",
"result": "no-work",
"upgrades": [
{
"datasource": "go",
"depName": "golang.org/x/net",
"displayPending": "",
"fixedVersion": "v0.23.0",
"currentVersion": "v0.23.0",
"currentValue": "v0.23.0",
"newValue": "v0.38.0",
"newVersion": "v0.38.0",
"packageFile": "go.mod",
"updateType": "minor",
"packageName": "golang.org/x/net"
}
]
},
{
"branchName": "renovate/go-golang.org-x-oauth2-vulnerability",
"prNo": null,
"prTitle": "UPSTREAM: <carry>: Update module golang.org/x/oauth2 to v0.27.0 [SECURITY]",
"result": "no-work",
"upgrades": [
{
"datasource": "go",
"depName": "golang.org/x/oauth2",
"displayPending": "",
"fixedVersion": "v0.12.0",
"currentVersion": "v0.12.0",
"currentValue": "v0.12.0",
"newValue": "v0.27.0",
"newVersion": "v0.27.0",
"packageFile": "go.mod",
"updateType": "minor",
"packageName": "golang.org/x/oauth2"
}
]
},
{
"branchName": "renovate/go-helm.sh-helm-v3-vulnerability",
"prNo": null,
"prTitle": "UPSTREAM: <carry>: Update module helm.sh/helm/v3 to v3.18.4 [SECURITY]",
"result": "no-work",
"upgrades": [
{
"datasource": "go",
"depName": "helm.sh/helm/v3",
"displayPending": "",
"fixedVersion": "v3.15.0",
"currentVersion": "v3.15.0",
"currentValue": "v3.15.0",
"newValue": "v3.18.4",
"newVersion": "v3.18.4",
"packageFile": "go.mod",
"updateType": "minor",
"packageName": "helm.sh/helm/v3"
}
]
},
{
"branchName": "renovate/go-github.com-docker-docker-vulnerability",
"prNo": null,
"prTitle": "UPSTREAM: <carry>: Update module github.com/docker/docker to v26 [SECURITY]",
"result": "no-work",
"upgrades": [
{
"datasource": "go",
"depName": "github.com/docker/docker",
"displayPending": "",
"fixedVersion": "v24.0.9+incompatible",
"currentVersion": "v24.0.9+incompatible",
"currentValue": "v24.0.9+incompatible",
"newValue": "v26.0.0+incompatible",
"newVersion": "v26.0.0+incompatible",
"packageFile": "go.mod",
"updateType": "major",
"packageName": "github.com/docker/docker"
}
]
},
{
"branchName": "renovate/registry.access.redhat.com-ubi9-go-toolset-1.x",
"prNo": null,
"prTitle": "UPSTREAM: <carry>: Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v1.22.9-1744194661",
"result": "no-work",
"upgrades": [
{
"datasource": "docker",
"depName": "registry.access.redhat.com/ubi9/go-toolset",
"displayPending": "",
"fixedVersion": "1.22",
"currentVersion": "1.22",
"currentValue": "1.22",
"newValue": "1.22.9-1744194661",
"newVersion": "1.22.9-1744194661",
"packageFile": "Containerfile.aws-load-balancer-controller",
"updateType": "patch",
"packageName": "registry.access.redhat.com/ubi9/go-toolset"
}
]
},
{
"branchName": "renovate/registry.access.redhat.com-ubi9-ubi-9.x",
"prNo": null,
"prTitle": "UPSTREAM: <carry>: Update registry.access.redhat.com/ubi9/ubi Docker tag to v9.6-1753978585",
"result": "no-work",
"upgrades": [
{
"datasource": "docker",
"depName": "registry.access.redhat.com/ubi9/ubi",
"displayPending": "",
"fixedVersion": "9.6-1751287003",
"currentVersion": "9.6-1751287003",
"currentValue": "9.6-1751287003",
"newValue": "9.6-1753978585",
"newVersion": "9.6-1753978585",
"packageFile": "Containerfile.aws-load-balancer-controller",
"updateType": "patch",
"packageName": "registry.access.redhat.com/ubi9/ubi"
}
]
}
]
|
|
@grzpiotrowski: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@grzpiotrowski : Can you please edit the previous comment with the exact command you used? Just for the record. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alebedev87 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Add Renovate configuration which:
Explicitly uses only gomod and dockerfile dependency managers for the above, as the other updates would be carried from upstream.
Renovate docs for the relevant fields and configurations:
Dry run testing done using the renovate CLI npm package:
LOG_LEVEL=debug npx renovate@41.49.1 --token $GITHUB_TOKEN --dry-run=full grzpiotrowski/aws-load-balancer-controller
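For the record, here is what a complete renovate.json5 expressing the constraints in the description above could look like, written here as an added example rather than the configuration file from this PR. The reviewed fragment only shows vulnerabilityAlerts.enabled, commitMessagePrefix and osvVulnerabilityAlerts; the packageRules, the "security" label and the ignorePaths entry (prompted by the dry run above trying to update vendor/github.com/rubenv/sql-migrate/Dockerfile and vendor/github.com/docker/distribution/Dockerfile) are assumptions about how the stated restrictions can be written with documented Renovate fields, not what the PR actually committed.

```json5
// renovate.json5: added example, not the file from this PR.
// Field names are the documented Renovate options; the packageRules and
// ignorePaths below are assumptions about how the PR's constraints map to them.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Only these two managers run; every other kind of update is carried from upstream.
  "enabledManagers": ["gomod", "dockerfile"],

  // Matches the carry-patch convention used for every PR title in the dry run.
  "commitMessagePrefix": "UPSTREAM: <carry>: ",

  // Assumption: vendor/ only holds copied upstream sources, so the Dockerfiles
  // in there (which the dry run tried to bump) should not be managed here.
  "ignorePaths": ["vendor/**"],

  // Security PRs from the GitHub advisory database. This object is also where
  // those PRs are tuned (labels, schedule, prefixes); the label is an assumption.
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },

  // Additionally take osv.dev as a source of known vulnerabilities.
  "osvVulnerabilityAlerts": true,

  "packageRules": [
    // Ordinary Go module bumps are off; only the security PRs raised through
    // the two options above are expected for go.mod.
    {
      "matchManagers": ["gomod"],
      "enabled": false
    },
    // Base image: follow patch tags of 9.x, never a new major.
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["registry.access.redhat.com/ubi9/ubi"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    // Builder image: stay within Go 1.22, so only patch tags are offered.
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["registry.access.redhat.com/ubi9/go-toolset"],
      "matchUpdateTypes": ["major", "minor"],
      "enabled": false
    }
  ]
}
```

The check that matters is the same dry run as above: after changing the file, run LOG_LEVEL=debug npx renovate@41.49.1 --token $GITHUB_TOKEN --dry-run=full <fork> and confirm that the renovate/go-*-vulnerability branches are still planned while no non-patch branch appears for ubi9/go-toolset or ubi9/ubi and nothing under vendor/ is touched. Renovate layers the vulnerabilityAlerts settings on top of the ordinary packageRules for the security updates it generates, which is why "enabled": true is spelled out there even though plain gomod updates are disabled; if a security branch disappears from the dry run after a config change, that layering is the first thing to re-check.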