From 47085ee0c92beb3196fa090dfdde10b22b743c26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Oliveirinha?=
Date: Mon, 16 Jun 2025 14:50:28 +0000
Subject: [PATCH] TUN-9467: add vulncheck to cloudflared

* TUN-9467: add vulncheck to cloudflared
---
 .gitlab-ci.yml   | 42 ++++++++++++++++++++++++++++++++++++++++++
 Dockerfile       |  2 +-
 Dockerfile.amd64 |  2 +-
 Dockerfile.arm64 |  2 +-
 Makefile         |  4 ++++
 5 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7bd7b7f6..9059de5e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,3 +1,20 @@
+variables:
+  # Define GOPATH within the project directory to allow GitLab CI to cache it.
+  # By default, Go places modules in GOMODCACHE, often outside the project.
+  # Explicitly setting GOMODCACHE ensures it's within the cached path.
+  GOPATH: "$CI_PROJECT_DIR/.go"
+  GOMODCACHE: "$GOPATH/pkg/mod"
+  GO_BIN_DIR: "$GOPATH/bin"
+
+cache:
+  # Cache Go modules and the binaries.
+  # The 'key' ensures a unique cache per branch, or you can use a fixed key
+  # for a shared cache across all branches if that fits your workflow.
+  key: "$CI_COMMIT_REF_SLUG"
+  paths:
+    - ${GOPATH}/pkg/mod/ # For Go modules
+    - ${GO_BIN_DIR}/
+
 stages: [build, release]
 
 default:
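Review bot: The `cache:` comment reads as copied template advice ("or you can use a fixed key ... if that fits your workflow") rather than a record of the decision taken; since `key: "$CI_COMMIT_REF_SLUG"` was chosen, state the consequence instead, e.g. `# Per-branch key: the module cache and ${GO_BIN_DIR} are never shared across branches.` Placing GOPATH under `$CI_PROJECT_DIR/.go` also puts the module cache and installed binaries inside the checkout; the go tool ignores dot-prefixed directories for `./...` patterns, so `govulncheck ./...` will not descend into it, but the directory presumably still needs a `.gitignore` entry (not visible in this diff) so it cannot end up in commits or in artifacts collected from the project directory.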
@@ -37,6 +54,23 @@ default:
       when: always
     - when: never
 
+
+# Template for Go setup, including caching and installation
+.go_setup:
+  image: docker-registry.cfdata.org/stash/devtools/ci-builders/golang-1.24/master:3090-3e32590@sha256:fc81df4f8322f022d93712ee40bb1e5752fdbe9868d1e5a23fd851ad6fbecb91
+  before_script:
+    - mkdir -p ${GOPATH} ${GOMODCACHE} ${GO_BIN_DIR}
+    - export PATH=$PATH:${GO_BIN_DIR}
+    - go env -w GOMODCACHE=${GOMODCACHE} # Ensure go uses the cached module path
+
+    # Check if govulncheck is already installed and install it if not
+    - if [ ! -f ${GO_BIN_DIR}/govulncheck ]; then echo "govulncheck not found in cache, installing..."; go install golang.org/x/vuln/cmd/govulncheck@latest; else echo "govulncheck found in cache, skipping installation."; fi
+
 # -----------------------------------------------
 # Stage 1: Build on every PR
 # -----------------------------------------------
@@ -64,6 +98,14 @@ build_cloudflared_macos: &build
     - echo "Executing ${BUILD_SCRIPT}"
     - exec ${BUILD_SCRIPT}
 
+vulncheck:
+  stage: build
+  extends: .go_setup
+  rules:
+    - !reference [.default_rules, run_on_branch]
+  script:
+    - make vulncheck
+
 # -----------------------------------------------
 # Stage 1: Build and sign only on releases
 # -----------------------------------------------
diff --git a/Dockerfile b/Dockerfile
index 1f1387d4..d055fed1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.4 AS builder
 ENV GO111MODULE=on \
     CGO_ENABLED=0 \
     TARGET_GOOS=${TARGET_GOOS} \
diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index 5050d170..4afb8827 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
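Review bot: The `if [ ! -f ${GO_BIN_DIR}/govulncheck ]` guard in `.go_setup`, together with `${GO_BIN_DIR}/` being cached, means `go install ...@latest` runs only on a branch's first pipeline, so the checker binary is whatever was latest at that moment and is never refreshed for as long as the cache survives; `@latest` is also not reproducible between branches. Pin the tool and key the install on that version, e.g. `go install golang.org/x/vuln/cmd/govulncheck@<pinned version>` guarded by a versioned marker such as `${GO_BIN_DIR}/govulncheck-<pinned version>`, or drop the guard and always run `go install` — with `GOMODCACHE` cached that is nearly free. govulncheck fetches the vulnerability database at scan time, so findings stay current either way, but fixes to the checker itself would not reach a branch. Separately, `go env -w GOMODCACHE=${GOMODCACHE}` duplicates the `GOMODCACHE` variable already exported by the `variables:` block; the go tool warns that the OS environment variable takes precedence, so the line can be dropped.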
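Review bot: `vulncheck` runs only under `.default_rules.run_on_branch` (defined outside this hunk), which makes it a point-in-time check at merge: once a branch is merged nothing re-scans the tree when new advisories are published, and if that rule excludes tag pipelines a release build is never checked at all. Consider adding a scheduled-pipeline rule, e.g. `- if: $CI_PIPELINE_SOURCE == "schedule"`, so the main branch is re-scanned periodically, and decide explicitly whether the job should also gate tag pipelines. govulncheck exits non-zero on reachable findings, so without `allow_failure` this job blocks the `build` stage; that is reasonable for a security gate but deserves a one-line comment on the job stating that it is intentional.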
@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.4 AS builder
 ENV GO111MODULE=on \
     CGO_ENABLED=0 \
 # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
diff --git a/Dockerfile.arm64 b/Dockerfile.arm64
index cd731126..6e28377b 100644
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.2 AS builder
+FROM golang:1.24.4 AS builder
 ENV GO111MODULE=on \
     CGO_ENABLED=0 \
 # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
diff --git a/Makefile b/Makefile
index a1ffedf0..7ea42e32 100644
--- a/Makefile
+++ b/Makefile
@@ -129,6 +129,10 @@ all: cloudflared test
 clean:
 	go clean
 
+.PHONY: vulncheck
+vulncheck:
+	@govulncheck ./...
+
 .PHONY: cloudflared
 cloudflared:
 ifeq ($(FIPS), true)
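Review bot: The new `vulncheck` target assumes `govulncheck` is already on PATH; CI installs it in `.go_setup`, but a developer running `make vulncheck` locally gets a bare "command not found" from the `@`-silenced recipe. A guard line before the call gives an actionable message: `@command -v govulncheck >/dev/null || { echo "govulncheck not found; run: go install golang.org/x/vuln/cmd/govulncheck@<pinned version>"; exit 1; }`. Alternatively `go run golang.org/x/vuln/cmd/govulncheck@<pinned version> ./...` removes the PATH dependency and pins the tool version in the Makefile, where it is reviewed with the rest of the build.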