[v2.8] Bump go toolchain #824
@@ -2,7 +2,7 @@ module github.com/rancher/eks-operator | |||
|
|||
go 1.22.0 | |||
|
|||
toolchain go1.22.5 | |||
toolchain go1.22.7 | |||
|
|||
replace k8s.io/client-go => k8s.io/client-go v0.28.6 | |||
|
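Review bot: The `go 1.22.0` line directly above the changed `toolchain` directive is left untouched, so `go1.22.7` is only the suggested toolchain for this module and not an enforced minimum. A build image or CI job that ships an older Go and runs with `GOTOOLCHAIN=local` would still compile against the older standard library. Please confirm that the Go version used by the Dockerfile and the workflows is also 1.22.7 or later, and consider checking the built operator binary with `go version -m` so the toolchain that actually produced it is on record.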
Wondering why no Go dependencies were updated in this backport, since the Go version is the same across all other branches.
I believe the reason why we didn't get any dependabot PRs for 2.8 is because it's still using the AWS SDK for Go (v1) which is in maintenance mode and is only receiving critical bug fixes and security updates. In addition to that, this version of the SDK (v1) is not using the same stdlib dependencies that the newer version of the SDK (v2) uses.
I think we should consider bumping this to its latest version but such a change should probably be done separately and be followed by sufficient testing.
I have responded to Vatsal's comment above.
What this PR does / why we need it:
Bump Go compiler version to address CVE-2024-34156
Also updated Scan workflow to use the image that is used for the operator instead of the e2e tests.
Checklist: