
[v2.8] Bump go toolchain #824

Merged

Conversation

yiannistri
Contributor

What this PR does / why we need it:

Bump Go compiler version to address CVE-2024-34156

Also updated Scan workflow to use the image that is used for the operator instead of the e2e tests.

Checklist:

  • squashed commits into logical changes
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests
  • backport needed

@yiannistri yiannistri added dependencies Pull requests that update a dependency file area/CI labels Sep 10, 2024
@yiannistri yiannistri marked this pull request as ready for review September 10, 2024 11:15
@yiannistri yiannistri requested a review from a team as a code owner September 10, 2024 11:15
@@ -2,7 +2,7 @@ module github.com/rancher/eks-operator

go 1.22.0

toolchain go1.22.5
toolchain go1.22.7

replace k8s.io/client-go => k8s.io/client-go v0.28.6
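Review bot: only the `toolchain` line moves from go1.22.5 to go1.22.7 while the `go 1.22.0` directive stays as the module minimum, so the CVE fix reaches a build only where the toolchain directive is honoured; a builder with GOTOOLCHAIN=local, or a Dockerfile or CI job pinned to an older golang image, would still compile against the older standard library. Worth confirming that the operator image build and the Scan workflow mentioned in the description (not visible in this hunk) actually pick up go1.22.7.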

Contributor

Wondering why no Go dependencies were updated in this backport, since the Go version is the same across all other branches.

Contributor Author

I believe the reason we didn't get any dependabot PRs for 2.8 is that it's still using the AWS SDK for Go (v1), which is in maintenance mode and is only receiving critical bug fixes and security updates. In addition, this version of the SDK (v1) does not use the same stdlib dependencies that the newer version of the SDK (v2) uses.

I think we should consider bumping this to its latest version but such a change should probably be done separately and be followed by sufficient testing.

@yiannistri yiannistri dismissed vatsalparekh’s stale review September 11, 2024 11:56

I have responded to Vatsal's comment above.

@yiannistri yiannistri merged commit 943e255 into rancher:release-v2.8 Sep 11, 2024
6 checks passed
@yiannistri yiannistri deleted the bump-go-toolchain-release-v2.8 branch September 11, 2024 13:40
Labels
area/CI dependencies Pull requests that update a dependency file