From 9402e828b6214223e832b1268900b1564c646adb Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 8 Feb 2024 13:03:05 -0700 Subject: [PATCH 01/17] fix(deps): update github.com/anchore/clio digest to 378d8c0 (#2294) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/anchore/clio](https://togithub.com/anchore/clio) | require | digest | `3ef5b3b` -> `378d8c0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/zarf). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 4854468f02..988005a55d 100644 --- a/go.mod +++ b/go.mod 
@@ -10,7 +10,7 @@ require ( github.com/AlecAivazis/survey/v2 v2.3.7 github.com/Masterminds/semver/v3 v3.2.1 github.com/alecthomas/jsonschema v0.0.0-20220216202328-9eeeec9d044b - github.com/anchore/clio v0.0.0-20240202120828-3ef5b3b40ea3 + github.com/anchore/clio v0.0.0-20240208153717-378d8c0180f9 github.com/anchore/stereoscope v0.0.1 github.com/anchore/syft v0.100.0 github.com/derailed/k9s v0.31.7 @@ -46,7 +46,7 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 golang.org/x/crypto v0.18.0 golang.org/x/sync v0.6.0 - golang.org/x/term v0.16.0 + golang.org/x/term v0.17.0 helm.sh/helm/v3 v3.14.0 k8s.io/api v0.29.1 k8s.io/apimachinery v0.29.1 @@ -467,7 +467,7 @@ require ( golang.org/x/mod v0.14.0 // indirect golang.org/x/net v0.20.0 // indirect golang.org/x/oauth2 v0.16.0 // indirect - golang.org/x/sys v0.16.0 // indirect + golang.org/x/sys v0.17.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.16.1 // indirect diff --git a/go.sum b/go.sum index fe1ccc7f5b..5644706ccf 100644 --- a/go.sum +++ b/go.sum 
@@ -364,8 +364,8 @@ github.com/aliyun/credentials-go v1.3.1 h1:uq/0v7kWrxmoLGpqjx7vtQ/s03f0zR//0br/x github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0= github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9 h1:p0ZIe0htYOX284Y4axJaGBvXHU0VCCzLN5Wf5XbKStU= github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9/go.mod h1:3ZsFB9tzW3vl4gEiUeuSOMDnwroWxIxJelOOHUp8dSw= -github.com/anchore/clio v0.0.0-20240202120828-3ef5b3b40ea3 h1:DfXgeXMJi1v3zyzgkftWK4a4FUc0QUtRGOrTvYBCPMs= -github.com/anchore/clio v0.0.0-20240202120828-3ef5b3b40ea3/go.mod h1:CdT/JVbhkK6cPZFxBjwsX4lHIYJXg+XCv+T0hndWrSw= +github.com/anchore/clio v0.0.0-20240208153717-378d8c0180f9 h1:KiUb07yqKw0At2pK7ExxQxe4tJnTelRyrD5f8QG3w6s= +github.com/anchore/clio v0.0.0-20240208153717-378d8c0180f9/go.mod h1:8Jr7CjmwFVcBPtkJdTpaAGHimoGJGfbExypjzOu87Og= github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b h1:L/djgY7ZbZ/38+wUtdkk398W3PIBJLkt1N8nU/7e47A= github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b/go.mod h1:TLcE0RE5+8oIx2/NPWem/dq1DeaMoC+fPEH7hoSzPLo= github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a h1:nJ2G8zWKASyVClGVgG7sfM5mwoZlZ2zYpIzN2OhjWkw= 
@@ -2024,8 +2024,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -2038,8 +2038,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From d4d9ed671a2af803c7b84ac92fbba21c48fdf709 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 9 Feb 2024 12:07:29 -0700 Subject: [PATCH 02/17] fix(deps): update github.com/anchore/clio digest to 06cf78f (#2297) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/anchore/clio](https://togithub.com/anchore/clio) | require | digest | `378d8c0` -> `06cf78f` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/zarf). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 988005a55d..2c1cf9b38c 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/AlecAivazis/survey/v2 v2.3.7 github.com/Masterminds/semver/v3 v3.2.1 github.com/alecthomas/jsonschema v0.0.0-20220216202328-9eeeec9d044b - github.com/anchore/clio v0.0.0-20240208153717-378d8c0180f9 + github.com/anchore/clio v0.0.0-20240209170235-06cf78ff3446 github.com/anchore/stereoscope v0.0.1 github.com/anchore/syft v0.100.0 github.com/derailed/k9s v0.31.7 
diff --git a/go.sum b/go.sum index 5644706ccf..ee127965b3 100644 --- a/go.sum +++ b/go.sum @@ -364,8 +364,8 @@ github.com/aliyun/credentials-go v1.3.1 h1:uq/0v7kWrxmoLGpqjx7vtQ/s03f0zR//0br/x github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0= github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9 h1:p0ZIe0htYOX284Y4axJaGBvXHU0VCCzLN5Wf5XbKStU= github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9/go.mod h1:3ZsFB9tzW3vl4gEiUeuSOMDnwroWxIxJelOOHUp8dSw= -github.com/anchore/clio v0.0.0-20240208153717-378d8c0180f9 h1:KiUb07yqKw0At2pK7ExxQxe4tJnTelRyrD5f8QG3w6s= -github.com/anchore/clio v0.0.0-20240208153717-378d8c0180f9/go.mod h1:8Jr7CjmwFVcBPtkJdTpaAGHimoGJGfbExypjzOu87Og= +github.com/anchore/clio v0.0.0-20240209170235-06cf78ff3446 h1:44e0L+vE5dYq20nAl/QOWUqYJcJQn8ThOXJCue50peM= +github.com/anchore/clio v0.0.0-20240209170235-06cf78ff3446/go.mod h1:8Jr7CjmwFVcBPtkJdTpaAGHimoGJGfbExypjzOu87Og= github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b h1:L/djgY7ZbZ/38+wUtdkk398W3PIBJLkt1N8nU/7e47A= github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b/go.mod h1:TLcE0RE5+8oIx2/NPWem/dq1DeaMoC+fPEH7hoSzPLo= github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a h1:nJ2G8zWKASyVClGVgG7sfM5mwoZlZ2zYpIzN2OhjWkw= From 576c672a138fe872a1c2a95cc2767624854d9a6a Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 10 Feb 2024 14:21:50 -0700 Subject: [PATCH 03/17] fix(deps): update github.com/anchore/clio digest to cb94e40 (#2300) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/anchore/clio](https://togithub.com/anchore/clio) | require | digest | `06cf78f` -> `cb94e40` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/zarf). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2c1cf9b38c..2318894914 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/AlecAivazis/survey/v2 v2.3.7 github.com/Masterminds/semver/v3 v3.2.1 github.com/alecthomas/jsonschema v0.0.0-20220216202328-9eeeec9d044b - github.com/anchore/clio v0.0.0-20240209170235-06cf78ff3446 + github.com/anchore/clio v0.0.0-20240209204744-cb94e40a4f65 github.com/anchore/stereoscope v0.0.1 github.com/anchore/syft v0.100.0 github.com/derailed/k9s v0.31.7 
diff --git a/go.sum b/go.sum index ee127965b3..b016264ec2 100644 --- a/go.sum +++ b/go.sum @@ -364,8 +364,8 @@ github.com/aliyun/credentials-go v1.3.1 h1:uq/0v7kWrxmoLGpqjx7vtQ/s03f0zR//0br/x github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0= github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9 h1:p0ZIe0htYOX284Y4axJaGBvXHU0VCCzLN5Wf5XbKStU= github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9/go.mod h1:3ZsFB9tzW3vl4gEiUeuSOMDnwroWxIxJelOOHUp8dSw= -github.com/anchore/clio v0.0.0-20240209170235-06cf78ff3446 h1:44e0L+vE5dYq20nAl/QOWUqYJcJQn8ThOXJCue50peM= -github.com/anchore/clio v0.0.0-20240209170235-06cf78ff3446/go.mod h1:8Jr7CjmwFVcBPtkJdTpaAGHimoGJGfbExypjzOu87Og= +github.com/anchore/clio v0.0.0-20240209204744-cb94e40a4f65 h1:u9XrEabKlGPsrmRvAER+kUKkwXiJfLyqGhmOTFsXjX4= +github.com/anchore/clio v0.0.0-20240209204744-cb94e40a4f65/go.mod h1:8Jr7CjmwFVcBPtkJdTpaAGHimoGJGfbExypjzOu87Og= github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b h1:L/djgY7ZbZ/38+wUtdkk398W3PIBJLkt1N8nU/7e47A= github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b/go.mod h1:TLcE0RE5+8oIx2/NPWem/dq1DeaMoC+fPEH7hoSzPLo= github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a h1:nJ2G8zWKASyVClGVgG7sfM5mwoZlZ2zYpIzN2OhjWkw= From 7e91d3b9823b52fe6d0f563d692c8af57faa6005 Mon Sep 17 00:00:00 2001 
From: Jon Date: Mon, 12 Feb 2024 09:01:55 -0700 Subject: [PATCH 04/17] fix: improve cmd failure messaging (#2301) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit …s with no retries ## Description Add check to see whether action failure was actually due to timeout or not. Currently Zarf reports an error of "timed out after 0 seconds" when a `cmd` within an action fails (with no retries) even if no timeout was set. ## Related Issue Fixes #2299 ## Type of change - [X] Bug fix (non-breaking change which fixes an issue) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Wayne Starr --- src/pkg/packager/actions.go | 11 +++++++---- src/test/e2e/02_component_actions_test.go | 2 ++ 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/pkg/packager/actions.go b/src/pkg/packager/actions.go index 78340d515f..f565bb727a 100644 --- a/src/pkg/packager/actions.go +++ b/src/pkg/packager/actions.go @@ -160,12 +160,15 @@ retryCmd: select { case <-timeout: - // If we reached this point, the timeout was reached. - return fmt.Errorf("command \"%s\" timed out after %d seconds", cmdEscaped, cfg.MaxTotalSeconds) - + // If we reached this point, the timeout was reached or command failed with no retries. + if cfg.MaxTotalSeconds < 1 { + return fmt.Errorf("command %q failed after %d retries", cmdEscaped, cfg.MaxRetries) + } else { + return fmt.Errorf("command %q timed out after %d seconds", cmdEscaped, cfg.MaxTotalSeconds) + } default: // If we reached this point, the retry limit was reached. - return fmt.Errorf("command \"%s\" failed after %d retries", cmdEscaped, cfg.MaxRetries) + return fmt.Errorf("command %q failed after %d retries", cmdEscaped, cfg.MaxRetries) } } 
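Review bot: In the `case <-timeout:` branch the new `if cfg.MaxTotalSeconds < 1 { … } else { … }` keeps an `else` after a `return` and repeats the "failed after %d retries" message that `default:` already returns. Inverting the guard removes both: `if cfg.MaxTotalSeconds > 0 { return fmt.Errorf("command %q timed out after %d seconds", cmdEscaped, cfg.MaxTotalSeconds) }`, followed by the retry error with no `else`. The `timeout` channel is created outside this hunk, so the branch presumably fires at once when no timeout is configured; the comment should say that, e.g. `// timeout also fires immediately when MaxTotalSeconds is unset (0); report a plain failure then`. The move from `\"%s\"` to `%q` also Go-quotes `cmdEscaped`, which would escape quotes and backslashes a second time if that value is already escaped, so it is worth checking where it is built.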
diff --git a/src/test/e2e/02_component_actions_test.go b/src/test/e2e/02_component_actions_test.go
index bb3b25ffd3..6eda343103 100644
--- a/src/test/e2e/02_component_actions_test.go
+++ b/src/test/e2e/02_component_actions_test.go
@@ -150,5 +150,7 @@ func TestComponentActions(t *testing.T) {
 stdOut, stdErr, err = e2e.Zarf("package", "deploy", path, "--components=on-deploy-immediate-failure", "--confirm")
 require.Error(t, err, stdOut, stdErr)
 require.Contains(t, stdErr, "Failed to deploy package")
+ // regression test to ensure that failed commands are not erroneously flagged as a timeout
+ require.NotContains(t, stdErr, "timed out")
 })
 }
From 0cc232840a5bee92bd24a455f772515cb2d516e8 Mon Sep 17 00:00:00 2001
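Review bot: The added `require.NotContains(t, stdErr, "timed out")` only proves the old wording is gone, so it would still pass if the failure reason vanished from stderr altogether. Pairing it with a positive check such as `require.Contains(t, stdErr, "failed after")` would pin the message the fix is meant to produce, assuming the wrapped action error reaches stderr the way the old timeout text evidently did. `TestComponentActions` begins outside this hunk.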
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 14:50:37 -0700 Subject: [PATCH 05/17] fix(deps): update module helm.sh/helm/v3 to v3.14.1 [security] (#2307) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [helm.sh/helm/v3](https://togithub.com/helm/helm) | `v3.14.0` -> `v3.14.1` | [![age](https://developer.mend.io/api/mc/badges/age/go/helm.sh%2fhelm%2fv3/v3.14.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/helm.sh%2fhelm%2fv3/v3.14.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/helm.sh%2fhelm%2fv3/v3.14.0/v3.14.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/helm.sh%2fhelm%2fv3/v3.14.0/v3.14.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-25620](https://togithub.com/helm/helm/security/advisories/GHSA-v53g-5gjp-272r) A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time. ### Impact When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. ### Patches This issue has been resolved in Helm v3.14.1. 
### Workarounds Check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies. ### Credits Disclosed by Dominykas BlyΕΎΔ— at Nearform Ltd. --- ### Release Notes
helm/helm (helm.sh/helm/v3) ### [`v3.14.1`](https://togithub.com/helm/helm/releases/tag/v3.14.1): Helm v3.14.1 [Compare Source](https://togithub.com/helm/helm/compare/v3.14.0...v3.14.1) Helm v3.14.1 is a security (patch) release. Users are strongly recommended to update to this release. A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time. [Dominykas BlyΕΎΔ—](https://togithub.com/dominykas) with [Nearform Ltd.](https://www.nearform.com/) discovered the vulnerability. #### Installation and Upgrading Download Helm v3.14.1. The common platform binaries are here: - [MacOS amd64](https://get.helm.sh/helm-v3.14.1-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.1-darwin-amd64.tar.gz.sha256sum) / 67928236b37c4e780b9fb5e614fb3b9aece90d60f0b1b4cb7406ee292c2dae3b) - [MacOS arm64](https://get.helm.sh/helm-v3.14.1-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.1-darwin-arm64.tar.gz.sha256sum) / 96468f927cc6efb4a2b92fd9419f40ed21d634af2f3e84fb8efa59526c7a003b) - [Linux amd64](https://get.helm.sh/helm-v3.14.1-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.1-linux-amd64.tar.gz.sha256sum) / 75496ea824f92305ff7d28af37f4af57536bf5138399c824dff997b9d239dd42) - [Linux arm](https://get.helm.sh/helm-v3.14.1-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.1-linux-arm.tar.gz.sha256sum) / f50c00c262b74435530e677bcec07637aaeda1ed92ef809b49581a4e6182cbbe) - [Linux arm64](https://get.helm.sh/helm-v3.14.1-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.1-linux-arm64.tar.gz.sha256sum) / f865b8ad4228fd0990bbc5b50615eb6cb9eb31c9a9ca7238401ed897bbbe9033) - [Linux i386](https://get.helm.sh/helm-v3.14.1-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.1-linux-386.tar.gz.sha256sum) / 3c94ed0601e0e62c195a7e9b75262b18128c8284662aa0e080bb548dc6d47bcd) - [Linux ppc64le](https://get.helm.sh/helm-v3.14.1-linux-ppc64le.tar.gz) 
([checksum](https://get.helm.sh/helm-v3.14.1-linux-ppc64le.tar.gz.sha256sum) / 4d853ab8fe3462287c7272fbadd5f73531ecdd6fa0db37d31630e41ae1ae21de) - [Linux s390x](https://get.helm.sh/helm-v3.14.1-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.1-linux-s390x.tar.gz.sha256sum) / 19bf07999c7244bfeb0fd27152919b9faa1148cf43910edbb98efa9150058a98) - [Linux riscv64](https://get.helm.sh/helm-v3.14.1-linux-riscv64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.1-linux-riscv64.tar.gz.sha256sum) / 2660bd8eb37aafc071599b788a24bfe244e5d3ffa42da1599da5a5041dafa214) - [Windows amd64](https://get.helm.sh/helm-v3.14.1-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-v3.14.1-windows-amd64.zip.sha256sum) / 8a6c78a23a4e497ad8bd288138588adb3e5b49be8dbe82a3200fe7b297dac184) This release was signed with ` 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E ` and can be found at [@​mattfarina](https://togithub.com/mattfarina) [keybase account](https://keybase.io/mattfarina). Please use the attached signatures for verifying this release using `gpg`. The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get you going from there. For **upgrade instructions** or detailed installation notes, check the [install guide](https://helm.sh/docs/intro/install/). You can also use a [script to install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3) on any system with `bash`. #### What's Next - 3.14.2 will contain only bug fixes and be released on March 13, 2024. - 3.15.0 is the next feature release and will be on May 08, 2024.
--- ### Configuration πŸ“… **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/zarf). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 2318894914..246c5bbb8f 100644 --- a/go.mod +++ b/go.mod @@ -47,7 +47,7 @@ require ( golang.org/x/crypto v0.18.0 golang.org/x/sync v0.6.0 golang.org/x/term v0.17.0 - helm.sh/helm/v3 v3.14.0 + helm.sh/helm/v3 v3.14.1 k8s.io/api v0.29.1 k8s.io/apimachinery v0.29.1 k8s.io/client-go v0.29.1 diff --git a/go.sum b/go.sum index b016264ec2..2fd98ddea2 100644 --- a/go.sum +++ b/go.sum 
@@ -2404,8 +2404,8 @@ gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls= gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.14.0 h1:TaZIH6uOchn7L27ptwnnuHJiFrT/BsD4dFdp/HLT2nM= -helm.sh/helm/v3 v3.14.0/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= +helm.sh/helm/v3 v3.14.1 h1:4AwRLx+wfzlPtvrsbDmWP5PUokGmf9/nAmEdk21vae8= +helm.sh/helm/v3 v3.14.1/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From 84b673ea6933dcb1ae4effed6fde465486df3144 Mon Sep 17 00:00:00 2001 
From: Lucas Rodriguez Date: Mon, 19 Feb 2024 15:12:02 -0600 Subject: [PATCH 06/17] fix: revert storageclass checks for git server and seed registry (#2311) ## Description https://github.com/defenseunicorns/zarf/pull/2180 introduced a bug and this PR removes the cause of the bug. Actions conditionals are being added to Zarf in https://github.com/defenseunicorns/zarf/pull/2276 to allow these sort of checks to account for various use cases in a more clean way. Also reopened https://github.com/defenseunicorns/zarf/issues/1824 ## Related Issue Relates to https://github.com/defenseunicorns/zarf/issues/2273 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --- packages/gitea/zarf.yaml | 6 ----- packages/zarf-registry/zarf.yaml | 9 ------- src/test/e2e/20_zarf_init_test.go | 43 ------------------------------- 3 files changed, 58 deletions(-) diff --git a/packages/gitea/zarf.yaml b/packages/gitea/zarf.yaml index ab48a3e25f..f58fe4900e 100644 --- a/packages/gitea/zarf.yaml +++ b/packages/gitea/zarf.yaml @@ -66,12 +66,6 @@ components: actions: onDeploy: before: - - description: Check that the cluster has the specified storage class - maxTotalSeconds: 3 - wait: - cluster: - kind: storageclass - name: "\"${ZARF_STORAGE_CLASS}\"" - cmd: ./zarf internal update-gitea-pvc --no-progress setVariables: - name: GIT_SERVER_CREATE_PVC diff --git a/packages/zarf-registry/zarf.yaml b/packages/zarf-registry/zarf.yaml index 18dc05dbbd..38a13006c1 100644 --- a/packages/zarf-registry/zarf.yaml +++ b/packages/zarf-registry/zarf.yaml 
@@ -111,15 +111,6 @@ components: images: # The seed image (or images) that will be injected (see zarf-config.toml) - "###ZARF_PKG_TMPL_REGISTRY_IMAGE_DOMAIN######ZARF_PKG_TMPL_REGISTRY_IMAGE###:###ZARF_PKG_TMPL_REGISTRY_IMAGE_TAG###" - actions: - onDeploy: - before: - - description: Check that the cluster has the specified storage class - maxTotalSeconds: 3 - wait: - cluster: - kind: storageclass - name: "\"${ZARF_STORAGE_CLASS}\"" - name: zarf-registry description: | diff --git a/src/test/e2e/20_zarf_init_test.go b/src/test/e2e/20_zarf_init_test.go index 86f127fc83..fb1934561b 100644 --- a/src/test/e2e/20_zarf_init_test.go +++ b/src/test/e2e/20_zarf_init_test.go @@ -12,7 +12,6 @@ import ( "encoding/json" - "github.com/defenseunicorns/zarf/src/pkg/utils" "github.com/defenseunicorns/zarf/src/types" "github.com/stretchr/testify/require" ) @@ -50,8 +49,6 @@ func TestZarfInit(t *testing.T) { require.Contains(t, stdErr, expectedErrorMessage) } - initWithoutStorageClass(t) - if !e2e.ApplianceMode { // throw a pending pod into the cluster to ensure we can properly ignore them when selecting images _, _, err := e2e.Kubectl("apply", "-f", "https://raw.githubusercontent.com/kubernetes/website/main/content/en/examples/pods/pod-with-node-affinity.yaml") 
@@ -127,43 +124,3 @@ func checkLogForSensitiveState(t *testing.T, logText string, zarfState types.Zar require.NotContains(t, logText, zarfState.RegistryInfo.Secret) require.NotContains(t, logText, zarfState.LoggingSecret) } - -// Verify `zarf init` produces an error when there is no storage class in cluster. -func initWithoutStorageClass(t *testing.T) { - /* - Exit early if testing with Zarf-deployed k3s cluster. - This is a chicken-egg problem because we can't interact with a cluster that Zarf hasn't created yet. - Zarf deploys k3s with the Rancher local-path storage class out of the box, - so we don't expect any problems with no storage class in this case. - */ - if e2e.ApplianceMode { - return - } - - jsonPathQuery := `{range .items[?(@.metadata.annotations.storageclass\.kubernetes\.io/is-default-class=="true")]}{.metadata.name}{end}` - defaultStorageClassName, _, err := e2e.Kubectl("get", "storageclass", "-o=jsonpath="+jsonPathQuery) - require.NoError(t, err) - require.NotEmpty(t, defaultStorageClassName) - - storageClassYaml, _, err := e2e.Kubectl("get", "storageclass", defaultStorageClassName, "-o=yaml") - require.NoError(t, err) - - storageClassFileName := "storage-class.yaml" - - err = utils.WriteFile(storageClassFileName, []byte(storageClassYaml)) - require.NoError(t, err) - defer e2e.CleanFiles(storageClassFileName) - - _, _, err = e2e.Kubectl("delete", "storageclass", defaultStorageClassName) - require.NoError(t, err) - - _, stdErr, err := e2e.Zarf("init", "--confirm") - require.Error(t, err, stdErr) - require.Contains(t, stdErr, "unable to run component before action: command \"Check that the cluster has the specified storage class\"") - - _, _, err = e2e.Zarf("destroy", "--confirm") - require.NoError(t, err) - - _, _, err = e2e.Kubectl("apply", "-f", storageClassFileName) - require.NoError(t, err) -} From 883b4baf52a7ecfac44732f4fc15f80643565d5c Mon Sep 17 00:00:00 2001 
From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 20 Feb 2024 12:07:10 -0600 Subject: [PATCH 07/17] feat(ci): included dependency review action (#2298) ## Description - Included dependency review action https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> Co-authored-by: Austin Abro <37223396+AustinAbro321@users.noreply.github.com> Co-authored-by: Wayne Starr Co-authored-by: razzle --- .github/workflows/dependency-review.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..03833afb78 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,14 @@ +name: Dependency Review +on: pull_request + +permissions: + contents: read + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: Dependency Review + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 From ce3f125bb2304043583535e0efc8467cf72753df Mon Sep 17 00:00:00 2001 
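Review bot: The `Checkout` step in the new `dependency-review.yml` leaves the job token in the checked-out repository's git config, and nothing later in this job needs it; adding `with:` and `persist-credentials: false` under the `actions/checkout` line removes it from the workspace before the next step runs. The `Dependency Review` step runs on defaults only, so the severity at which a pull request fails is implicit. Setting `fail-on-severity` explicitly, with a one-line comment stating the intended policy, would make the gate reviewable in the file itself. The `permissions: contents: read` block and the SHA-pinned `uses:` lines are the right shape and should stay as they are.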
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 11:39:00 -0700 Subject: [PATCH 08/17] chore(deps): update actions/checkout action to v4 (#2317) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | major | `v3.6.0` -> `v4.1.1` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes
actions/checkout (actions/checkout) ### [`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1) ##### What's Changed - Update CODEOWNERS to Launch team by [@​joshmgross](https://togithub.com/joshmgross) in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - Correct link to GitHub Docs by [@​peterbe](https://togithub.com/peterbe) in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) - Link to release page from what's new section by [@​cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1514](https://togithub.com/actions/checkout/pull/1514) ##### New Contributors - [@​joshmgross](https://togithub.com/joshmgross) made their first contribution in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - [@​peterbe](https://togithub.com/peterbe) made their first contribution in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) **Full Changelog**: https://github.com/actions/checkout/compare/v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://togithub.com/actions/checkout/pull/1396) ### [`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400) [Compare Source](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0) - [Support fetching without the --progress option](https://togithub.com/actions/checkout/pull/1067) - [Update to node20](https://togithub.com/actions/checkout/pull/1436)
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/zarf). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 03833afb78..e841940bc2 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Dependency Review uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 From a5ae1aaae1bd1f2c3b5e28a9dfa5bbf93fa5ca64 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 13:23:23 -0700 Subject: [PATCH 09/17] chore(deps): update actions/dependency-review-action action to v4 (#2318) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | major | `v2.5.1` -> `v4.1.3` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes
actions/dependency-review-action (actions/dependency-review-action) ### [`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3): 4.1.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3) Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see [https://github.com/actions/dependency-review-action/issues/697](https://togithub.com/actions/dependency-review-action/issues/697)). **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2): 4.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2) #### What's Changed - Expose dependency comment content by [@​jsoref](https://togithub.com/jsoref) in [https://github.com/actions/dependency-review-action/pull/696](https://togithub.com/actions/dependency-review-action/pull/696) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2 ### [`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1): 4.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1) #### What's Changed - Bump `undici` to fix [GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g) - Bump [@​types/node](https://togithub.com/types/node) from 20.11.17 to 20.11.19 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/693](https://togithub.com/actions/dependency-review-action/pull/693) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0): 4.1.0 [Compare 
Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0) #### What's Changed - Add `warn-only` by [@​tgrall](https://togithub.com/tgrall) in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) Added a new configuration option (`warn-only`, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log. - Create stale.yaml by [@​jonjanego](https://togithub.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - Use manual codeql config by [@​juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/678](https://togithub.com/actions/dependency-review-action/pull/678) - Multiple dependency updates (see the changelog below for more information) #### New Contributors - [@​jonjanego](https://togithub.com/jonjanego) made their first contribution in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - [@​tgrall](https://togithub.com/tgrall) made their first contribution in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0) - Update action to Node 20 by [@​takost](https://togithub.com/takost) in [https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639) - Dependabot updates, see the full changelog for more details. 
#### New Contributors - [@​takost](https://togithub.com/takost) made their first contribution in [https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0 ### [`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5): 3.1.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5) #### What's Changed - Smaller `per_page` when requesting diff by [@​hmaurer](https://togithub.com/hmaurer) in [https://github.com/actions/dependency-review-action/pull/649](https://togithub.com/actions/dependency-review-action/pull/649) - Update dependencies: - Bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.10.0 to 6.13.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/630](https://togithub.com/actions/dependency-review-action/pull/630) - Bump prettier from 3.0.3 to 3.1.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/629](https://togithub.com/actions/dependency-review-action/pull/629) - Bump [@​types/jest](https://togithub.com/types/jest) from 29.5.8 to 29.5.11 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/637](https://togithub.com/actions/dependency-review-action/pull/637) - Bump nodemon from 3.0.1 to 3.0.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/636](https://togithub.com/actions/dependency-review-action/pull/636) - Replace pip -> pypi in PURL examples by [@​febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/638](https://togithub.com/actions/dependency-review-action/pull/638) - Bump 
[@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.12.0 to 6.15.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/644](https://togithub.com/actions/dependency-review-action/pull/644) - Bump eslint from 8.53.0 to 8.56.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/640](https://togithub.com/actions/dependency-review-action/pull/640) - Bump [@​typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.13.1 to 6.16.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/645](https://togithub.com/actions/dependency-review-action/pull/645) - Bump prettier from 3.1.0 to 3.1.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/646](https://togithub.com/actions/dependency-review-action/pull/646) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5 ### [`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4): 3.1.4 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4) #### What's Changed - Fixed a [bug](https://togithub.com/actions/dependency-review-action/issues/618) with severity filtering when using the `allow_ghsas` option: [https://github.com/actions/dependency-review-action/pull/623](https://togithub.com/actions/dependency-review-action/pull/623). 
- Updates dependencies: - Bump [@​types/node](https://togithub.com/types/node) from 16.18.61 to 16.18.62 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/619](https://togithub.com/actions/dependency-review-action/pull/619) action/pull/620 - Bump [@​typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.11.0 to 6.12.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/625](https://togithub.com/actions/dependency-review-action/pull/625) - Bump typescript from 5.2.2 to 5.3.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/624](https://togithub.com/actions/dependency-review-action/pull/624) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.4 ### [`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3): 3.1.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3) #### What's Changed - Fixes purl "version must be percent-encoded" by [@​theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/617](https://togithub.com/actions/dependency-review-action/pull/617) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.3 ### [`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2): 3.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2) #### What's Changed - Fix a regression for setups using self-hosted runners behind HTTP proxies:[@​febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/611](https://togithub.com/actions/dependency-review-action/pull/611) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.2 
### [`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1): 3.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1) #### What's Changed - Update a bunch of dependencies, including major version upgrades for `octokit`, `@actions/github` and `typescript`. **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1 ### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0) #### What's New Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`. 
#### What's Changed - Fix(docs): Correct action input name by [@​oerd](https://togithub.com/oerd) in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) #### New Contributors - [@​oerd](https://togithub.com/oerd) made their first contribution in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.0 ### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8) #### What's Changed Added `on-failure` option to `comment-summary-in-pr` setting by [@​sgmurphy](https://togithub.com/sgmurphy) in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`. 
#### New Contributors - [@​sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.8 ### [`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7): 3.0.7 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7) #### What's Changed - Make GHES support / setup more clear by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534) - Add an option to deny packages or groups of packages by [@​adrienpessu](https://togithub.com/adrienpessu) in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544) #### New Contributors - [@​rajbos](https://togithub.com/rajbos) made their first contribution in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534) - [@​adrienpessu](https://togithub.com/adrienpessu) made their first contribution in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.7 ### [`v3.0.6`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.6): 3.0.6 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.5...v3.0.6) Fixes a bug introduced in 3.0.5 where we raised PURL errors when Dependency Graph returns an empty `package_url`. 
### [`v3.0.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.5): 3.0.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.4...v3.0.5) #### What's Changed Thanks to [@​theztefan](https://togithub.com/theztefan), we now have a new `allow-dependencies-licenses` option that takes a list of dependencies that will be excluded from license checks. See the [configuration options](https://togithub.com/actions/dependency-review-action#configuration-options) for more information on how to use it. - Exclude dependencies from license checks by [@​theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/423](https://togithub.com/actions/dependency-review-action/pull/423) - Documentation examples by [@​theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/423](https://togithub.com/actions/dependency-review-action/pull/423) - Show snapshot warnings in the summary by [@​juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/439](https://togithub.com/actions/dependency-review-action/pull/439) - Fix default values for fail-on-severity by [@​febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/451](https://togithub.com/actions/dependency-review-action/pull/451) - Updated dependencies. 
#### New Contributors - [@​juxtin](https://togithub.com/juxtin) made their first contribution in [https://github.com/actions/dependency-review-action/pull/439](https://togithub.com/actions/dependency-review-action/pull/439) - [@​theztefan](https://togithub.com/theztefan) made their first contribution in [https://github.com/actions/dependency-review-action/pull/423](https://togithub.com/actions/dependency-review-action/pull/423) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.5 ### [`v3.0.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.4): 3.0.4 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.3...v3.0.4) #### What's New? The Action can now publish a comment in the pull request if the `comment-summary-in-pr` option is set. More information can be found in the [README](https://togithub.com/actions/dependency-review-action#configuration-options). #### New Contributors - [@​davelosert](https://togithub.com/davelosert) made their first contribution in [https://github.com/actions/dependency-review-action/pull/393](https://togithub.com/actions/dependency-review-action/pull/393) #### Changelog - Write Summary as comment to the pull request by [@​davelosert](https://togithub.com/davelosert) in [https://github.com/actions/dependency-review-action/pull/393](https://togithub.com/actions/dependency-review-action/pull/393) - Adjust summary format by [@​davelosert](https://togithub.com/davelosert) in [https://github.com/actions/dependency-review-action/pull/416](https://togithub.com/actions/dependency-review-action/pull/416) - Security updates. 
**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.4 ### [`v3.0.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.3): 3.0.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.2...v3.0.3) #### What's Changed - Use cache in check-dist.yml by [@​jongwooo](https://togithub.com/jongwooo) in [https://github.com/actions/dependency-review-action/pull/359](https://togithub.com/actions/dependency-review-action/pull/359) - Fix Dependency Review API response error handling by [@​felickz](https://togithub.com/felickz) in [https://github.com/actions/dependency-review-action/pull/370](https://togithub.com/actions/dependency-review-action/pull/370) - Security updates #### New Contributors - [@​jongwooo](https://togithub.com/jongwooo) made their first contribution in [https://github.com/actions/dependency-review-action/pull/359](https://togithub.com/actions/dependency-review-action/pull/359) - [@​felickz](https://togithub.com/felickz) made their first contribution in [https://github.com/actions/dependency-review-action/pull/370](https://togithub.com/actions/dependency-review-action/pull/370) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.3 ### [`v3.0.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.2): 3.0.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.1...v3.0.2) This release fixes spelling errors [https://github.com/actions/dependency-review-action/pull/348](https://togithub.com/actions/dependency-review-action/pull/348) and upgrades dependencies to fix known vulnerabilities **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.2 ### [`v3.0.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.1): 3.0.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.0...v3.0.1) This release contains 
the following bugfixes: - Fixing API URL for GHES: [https://github.com/actions/dependency-review-action/pull/331](https://togithub.com/actions/dependency-review-action/pull/331) - Improve list handling for external config files: [https://github.com/actions/dependency-review-action/pull/330](https://togithub.com/actions/dependency-review-action/pull/330) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.1 ### [`v3.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.0): 3.0.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v2.5.1...v3.0.0) #### Breaking Changes By default the action now expects [SPDX-compliant licenses](https://spdx.org/licenses/) everywhere. If you were previously using license names in the allow or deny lists make sure they're valid! #### What's Changed ##### Support for external configuration files You can now specify a [configuration file external to your repository](https://togithub.com/actions/dependency-review-action/#configuration-file). This allows organizations to have a single configuration file for all their repos. ##### Broader license support We've added support for a much broader set of project licenses by using GitHub's [Licenses API](https://docs.github.com/en/rest/licenses). ##### SPDX Compliance All of our license-related code now expects [SPDX-compliant licenses or expressions](https://spdx.org/licenses/). This allows us to standardize on a license naming scheme that already supports `OR`/`AND` expressions. ##### Disable individual checks You can now use the boolean options `license-check` and `vulnerability-check` to disable either one of the checks. More information in [our configuration options](https://togithub.com/actions/dependency-review-action/#configuration-options). 
#### Thanks Contributors for this release include: - [@​cnagadya](https://togithub.com/cnagadya) - [@​courtneycl](https://togithub.com/courtneycl) - [@​ericcornelissen](https://togithub.com/ericcornelissen) - [@​elireisman](https://togithub.com/elireisman) - [@​hmaurer](https://togithub.com/hmaurer) Thanks everyone! **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v2...v3.0.0
--- ### Configuration πŸ“… **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/zarf). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index e841940bc2..89fd065a4d 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -11,4 +11,4 @@ jobs: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Dependency Review - uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 + uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3 From 07541a61dc3b19452cdecd3bf800788cdc78e67a Mon Sep 17 00:00:00 2001 
From: Wayne Starr Date: Tue, 20 Feb 2024 15:09:07 -0600 Subject: [PATCH 10/17] fix: multi-part tarballs being mismatched sizes (#2314) ## Description This fixes multipart tarballs being different sizes with `--max-package-size` ## Related Issue Fixes #2313 ## Type of change - [X] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Austin Abro <37223396+AustinAbro321@users.noreply.github.com> Co-authored-by: Lucas Rodriguez Co-authored-by: Lucas Rodriguez --- .gitignore | 1 + src/pkg/packager/sources/split.go | 5 ++++ src/pkg/utils/io.go | 28 ++++++++++-------- src/test/e2e/05_tarball_test.go | 35 ++++++++++++++++++++--- src/test/packages/05-multi-part/zarf.yaml | 9 ++++-- 5 files changed, 59 insertions(+), 19 deletions(-) diff --git a/.gitignore b/.gitignore index 4270dbb1fb..3d96988028 100644 --- a/.gitignore +++ b/.gitignore @@ -14,6 +14,7 @@ *.bak *.key *.crt +*.dat *.run.zstd *.tar *.tar.gz diff --git a/src/pkg/packager/sources/split.go b/src/pkg/packager/sources/split.go index 1aade2eee5..34d736fabb 100644 --- a/src/pkg/packager/sources/split.go +++ b/src/pkg/packager/sources/split.go @@ -85,6 +85,11 @@ func (s *SplitTarballSource) Collect(dir string) (string, error) { if _, err = io.Copy(pkgFile, f); err != nil { return "", fmt.Errorf("unable to copy file %s: %w", file, err) } + + // Close the file when done copying + if err := f.Close(); err != nil { + return "", fmt.Errorf("unable to close file %s: %w", file, err) + } } if err := utils.SHAsMatch(reassembled, pkgData.Sha256Sum); err != nil { diff --git a/src/pkg/utils/io.go b/src/pkg/utils/io.go index 7bda78ff7f..bb6ae79db2 100755 --- a/src/pkg/utils/io.go 
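Review bot: In `Collect` (split.go) the added `f.Close()` is only reached when `io.Copy` succeeds, so the early `return` on a copy error still leaves that part's handle open. Capturing the copy result first and closing before either error is returned covers both paths, for example `_, copyErr := io.Copy(pkgFile, f)` followed by `closeErr := f.Close()` and then the two checks. Where `f` is opened lies outside this hunk, so confirm that no `defer` there already closes it.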
+++ b/src/pkg/utils/io.go @@ -339,7 +339,7 @@ func ReadFileByChunks(path string, chunkSizeBytes int) (chunks [][]byte, sha256s // - fileNames: list of file paths srcFile was split across // - sha256sum: sha256sum of the srcFile before splitting // - err: any errors encountered -func SplitFile(srcFile string, chunkSizeBytes int) (err error) { +func SplitFile(srcPath string, chunkSizeBytes int) (err error) { var fileNames []string var sha256sum string hash := sha256.New() @@ -353,7 +353,7 @@ func SplitFile(srcFile string, chunkSizeBytes int) (err error) { buf := make([]byte, bufferSize) // get file size - fi, err := os.Stat(srcFile) + fi, err := os.Stat(srcPath) if err != nil { return err } @@ -364,15 +364,15 @@ func SplitFile(srcFile string, chunkSizeBytes int) (err error) { progressBar := message.NewProgressBar(fileSize, title) defer progressBar.Stop() - // open file - file, err := os.Open(srcFile) - defer file.Close() + // open srcFile + srcFile, err := os.Open(srcPath) if err != nil { return err } + defer srcFile.Close() // create file path starting from part 001 - path := fmt.Sprintf("%s.part001", srcFile) + path := fmt.Sprintf("%s.part001", srcPath) chunkFile, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0644) if err != nil { return err @@ -384,7 +384,7 @@ func SplitFile(srcFile string, chunkSizeBytes int) (err error) { chunkBytesRemaining := chunkSizeBytes // Loop over the tarball hashing as we go and breaking it into chunks based on the chunkSizeBytes for { - bytesRead, err := file.Read(buf) + bytesRead, err := srcFile.Read(buf) if err != nil { if err == io.EOF { 
@@ -404,10 +404,14 @@ func SplitFile(srcFile string, chunkSizeBytes int) (err error) { if err != nil { return err } + err = chunkFile.Close() + if err != nil { + return err + } // create new file - path = fmt.Sprintf("%s.part%03d", srcFile, len(fileNames)+1) - chunkFile, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0644) + path = fmt.Sprintf("%s.part%03d", srcPath, len(fileNames)+1) + chunkFile, err = os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0644) if err != nil { return err } @@ -435,8 +439,8 @@ func SplitFile(srcFile string, chunkSizeBytes int) (err error) { title := fmt.Sprintf("[%d/%d] MB bytes written", progressBar.GetCurrent()/1000/1000, fileSize/1000/1000) progressBar.UpdateTitle(title) } - file.Close() - _ = os.RemoveAll(srcFile) + srcFile.Close() + _ = os.RemoveAll(srcPath) // calculate sha256 sum sha256sum = fmt.Sprintf("%x", hash.Sum(nil)) @@ -452,7 +456,7 @@ func SplitFile(srcFile string, chunkSizeBytes int) (err error) { } // write header file - path = fmt.Sprintf("%s.part000", srcFile) + path = fmt.Sprintf("%s.part000", srcPath) if err := os.WriteFile(path, jsonData, 0644); err != nil { return fmt.Errorf("unable to write the file %s: %w", path, err) } diff --git a/src/test/e2e/05_tarball_test.go b/src/test/e2e/05_tarball_test.go index 1e0e3c8473..f6df5f7e1b 100644 --- a/src/test/e2e/05_tarball_test.go +++ b/src/test/e2e/05_tarball_test.go @@ -5,6 +5,7 @@ package test import ( + "encoding/json" "fmt" "os" "path/filepath" 
@@ -28,14 +29,29 @@ func TestMultiPartPackage(t *testing.T) { e2e.CleanFiles(deployPath, outputFile) - // Create the package with a max size of 1MB - stdOut, stdErr, err := e2e.Zarf("package", "create", createPath, "--max-package-size=1", "--confirm") + // Create the package with a max size of 20MB + stdOut, stdErr, err := e2e.Zarf("package", "create", createPath, "--max-package-size=20", "--confirm") require.NoError(t, err, stdOut, stdErr) parts, err := filepath.Glob("zarf-package-multi-part-*") require.NoError(t, err) - // Length is 7 because there are 6 parts and 1 manifest - require.Len(t, parts, 7) + // Length is 4 because there are 3 parts and 1 manifest + require.Len(t, parts, 4) + // Check the file sizes are even + part1FileInfo, err := os.Stat(parts[1]) + require.NoError(t, err) + require.Equal(t, int64(20000000), part1FileInfo.Size()) + part2FileInfo, err := os.Stat(parts[2]) + require.NoError(t, err) + require.Equal(t, int64(20000000), part2FileInfo.Size()) + // Check the package data is correct + pkgData := types.ZarfSplitPackageData{} + part0File, err := os.ReadFile(parts[0]) + require.NoError(t, err) + err = json.Unmarshal(part0File, &pkgData) + require.NoError(t, err) + require.Equal(t, pkgData.Count, 3) + fmt.Printf("%#v", pkgData) stdOut, stdErr, err = e2e.Zarf("package", "deploy", deployPath, "--confirm") require.NoError(t, err, stdOut, stdErr) 
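Review bot: `require.Equal(t, pkgData.Count, 3)` passes its arguments in the opposite order from testify's `(expected, actual)`, so a failure would report the two values swapped; write `require.Equal(t, 3, pkgData.Count)`. The `fmt.Printf("%#v", pkgData)` after it reads like leftover debugging and can be dropped or changed to `t.Logf("%#v", pkgData)`. The size assertions index `parts` by position, which relies on `filepath.Glob` returning the `part000` header first; a short comment saying so would help. `TestMultiPartPackage` continues outside this hunk.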
@@ -45,6 +61,17 @@ func TestMultiPartPackage(t *testing.T) { // deploying package combines parts back into single archive, check dir again to find all files parts, err = filepath.Glob("zarf-package-multi-part-*") + require.NoError(t, err) + // Length is 1 because `zarf package deploy` will recombine the file + require.Len(t, parts, 1) + // Ensure that the number of pkgData bytes was correct + fullFileInfo, err := os.Stat(parts[0]) + require.NoError(t, err) + require.Equal(t, pkgData.Bytes, fullFileInfo.Size()) + // Ensure that the pkgData shasum was correct (should be checked during deploy as well, but this is to double check) + err = utils.SHAsMatch(parts[0], pkgData.Sha256Sum) + require.NoError(t, err) + e2e.CleanFiles(parts...) e2e.CleanFiles(outputFile) } diff --git a/src/test/packages/05-multi-part/zarf.yaml b/src/test/packages/05-multi-part/zarf.yaml index 78b47ba606..0fb4a75652 100644 --- a/src/test/packages/05-multi-part/zarf.yaml +++ b/src/test/packages/05-multi-part/zarf.yaml @@ -6,8 +6,11 @@ metadata: components: - name: big-ol-file required: true - description: Single 5 MB file needed to demonstrate a multi-part package + description: Include a 50 MB file needed to demonstrate a multi-part package + actions: + onCreate: + before: + - cmd: dd if=/dev/urandom of=multi-part-demo.dat bs=1048576 count=50 files: - - source: https://zarf-public.s3-us-gov-west-1.amazonaws.com/examples/multi-part-demo.dat - shasum: 22ebd38c2f5e04821c87c924c910be57d2169c292f85b2936d53cae24ebf8055 + - source: multi-part-demo.dat target: multi-part-demo.dat From cf1d1e4f0030c28caaca9a81776c7c69f695d04e Mon Sep 17 00:00:00 2001 
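Review bot: In `src/test/packages/05-multi-part/zarf.yaml` the new `onCreate` action does not say why the file has to be random, yet the e2e expectation of three parts at `--max-package-size=20` appears to depend on the data not compressing. Add a comment above the `dd` command such as `# random data does not compress, so the package stays large enough to split into 3 parts`. The description says 50 MB, while `bs=1048576 count=50` writes 50 MiB. The action also assumes `dd` and `/dev/urandom` are available, which is worth stating if the suite is ever run on a non-POSIX runner.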
From: Chris North Date: Wed, 21 Feb 2024 11:01:55 -0800 Subject: [PATCH 11/17] fix: change text detect to check first and last 512 bytes (#2310) ## Description Alters text detection logic to read the first and last 512 bytes. Tested with 5 files: - [NVIDIA installer](https://us.download.nvidia.com/XFree86/Linux-x86_64/535.154.05/NVIDIA-Linux-x86_64-535.154.05.run) Detected as application type when reading last 512. - 3 4k size files of junk text with a ZARF_CONST replacement, in straight text, yaml, and json All 3 detected as text/plain, ZARF_CONST was replaced. - 1 small 100 byte file with a ZARF_CONST replacement. Was still detected as text and ZARF_CONST was replaced. Existing unit tests succeeded. ## Related Issue Fixes #2308 Relates to # ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Wayne Starr --- src/pkg/utils/io.go | 41 ++++++++++++++++++++++++++++++----------- 1 file changed, 30 insertions(+), 11 deletions(-) diff --git a/src/pkg/utils/io.go b/src/pkg/utils/io.go index bb6ae79db2..f69599802e 100755 --- a/src/pkg/utils/io.go +++ b/src/pkg/utils/io.go 
@@ -475,22 +475,41 @@ func IsTextFile(path string) (bool, error) { } defer f.Close() // Make sure to close the file when we're done - // Read the first 512 bytes of the file - data := make([]byte, 512) - n, err := f.Read(data) - if err != nil && err != io.EOF { + // Get file stat + stat, err := f.Stat() + if err != nil { return false, err } - // Use http.DetectContentType to determine the MIME type of the file - mimeType := http.DetectContentType(data[:n]) + // Clip offset to minimum of 0 + lastOffset := max(0, stat.Size()-512) + + // Take two passes checking front and back of the file + offsetPasses := []int64{0, lastOffset} + isTextCheck := []bool{false, false} + for idx, offset := range offsetPasses { + // Create 512 byte buffer + data := make([]byte, 512) + + n, err := f.ReadAt(data, offset) + if err != nil && err != io.EOF { + return false, err + } - // Check if the MIME type indicates that the file is text - hasText := strings.HasPrefix(mimeType, "text/") - hasJSON := strings.Contains(mimeType, "json") - hasXML := strings.Contains(mimeType, "xml") + // Use http.DetectContentType to determine the MIME type of the file + mimeType := http.DetectContentType(data[:n]) + + // Check if the MIME type indicates that the file is text + hasText := strings.HasPrefix(mimeType, "text/") + hasJSON := strings.Contains(mimeType, "json") + hasXML := strings.Contains(mimeType, "xml") + + // Save result + isTextCheck[idx] = hasText || hasJSON || hasXML + } - return hasText || hasJSON || hasXML, nil + // Returns true if both front and back show they are text + return isTextCheck[0] && isTextCheck[1], nil } // IsTrashBin checks if the given directory path corresponds to an operating system's trash bin. From 5e1c6dfd04563d1b62cd451620a1404ceb792fc3 Mon Sep 17 00:00:00 2001 
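Review bot: The second pass in `IsTextFile` sniffs the last 512 bytes without the file's leading signature, so it can only classify them as plain text or binary. A UTF-16 file with a BOM would pass the first read and, going by how `http.DetectContentType` treats NUL bytes, fail the second; that case deserves a unit test. The doc comment should say that only the first and last 512 bytes are sampled, so a file with binary data in the middle is still reported as text and goes through whatever text-only processing the callers apply. The `isTextCheck` slice is not needed: `if !(hasText || hasJSON || hasXML) { return false, nil }` inside the loop and `return true, nil` after it give the same result when both reads succeed. The function's opening lines are outside this hunk.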
From: Wayne Starr Date: Wed, 21 Feb 2024 13:25:49 -0700 Subject: [PATCH 12/17] chore: hotfix fix codeql issues across Zarf (#2322) ## Description This fixes the codeql issues that are currently in the Zarf codebase ## Related Issue Fixes #N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [X] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --- src/cmd/connect.go | 4 ++-- src/cmd/destroy.go | 2 +- src/cmd/dev.go | 12 ++++++------ src/cmd/initialize.go | 2 +- src/cmd/internal.go | 20 ++++++++++---------- src/cmd/package.go | 16 ++++++++-------- src/cmd/root.go | 2 +- src/cmd/tools/archiver.go | 4 ++-- src/cmd/tools/common.go | 2 +- src/cmd/tools/crane.go | 2 +- src/cmd/tools/helm/dependency.go | 2 +- src/cmd/tools/helm/dependency_build.go | 2 +- src/cmd/tools/helm/dependency_update.go | 2 +- src/cmd/tools/helm/flags.go | 2 +- src/cmd/tools/helm/load_plugins.go | 2 +- src/cmd/tools/helm/repo_add.go | 2 +- src/cmd/tools/helm/repo_index.go | 4 ++-- src/cmd/tools/helm/repo_list.go | 2 +- src/cmd/tools/helm/repo_remove.go | 4 ++-- src/cmd/tools/helm/repo_update.go | 4 ++-- src/cmd/tools/helm/root.go | 4 ++-- src/cmd/tools/k9s.go | 2 +- src/cmd/tools/kubectl.go | 2 +- src/cmd/tools/wait.go | 2 +- src/cmd/tools/zarf.go | 12 ++++++------ src/cmd/version.go | 4 ++-- src/internal/agent/http/proxy.go | 2 +- src/internal/agent/http/server.go | 2 +- src/internal/packager/images/pull.go | 2 +- src/pkg/k8s/common.go | 2 +- src/pkg/packager/common_test.go | 2 +- src/pkg/packager/sources/validate.go | 2 +- src/pkg/transform/git_test.go | 2 +- 33 files changed, 66 insertions(+), 66 deletions(-) diff --git a/src/cmd/connect.go b/src/cmd/connect.go index 73fab7665a..fe3442e395 100644 
--- a/src/cmd/connect.go +++ b/src/cmd/connect.go @@ -31,7 +31,7 @@ var ( Aliases: []string{"c"}, Short: lang.CmdConnectShort, Long: lang.CmdConnectLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { var target string if len(args) > 0 { target = args[0] @@ -89,7 +89,7 @@ var ( Use: "list", Aliases: []string{"l"}, Short: lang.CmdConnectListShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { cluster.NewClusterOrDie().PrintConnectTable() }, } diff --git a/src/cmd/destroy.go b/src/cmd/destroy.go index be3ffbe2a9..0a60d05503 100644 --- a/src/cmd/destroy.go +++ b/src/cmd/destroy.go @@ -28,7 +28,7 @@ var destroyCmd = &cobra.Command{ Aliases: []string{"d"}, Short: lang.CmdDestroyShort, Long: lang.CmdDestroyLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { c, err := cluster.NewClusterWithWait(cluster.DefaultTimeout) if err != nil { message.Fatalf(err, lang.ErrNoClusterConnection) diff --git a/src/cmd/dev.go b/src/cmd/dev.go index 63426692ea..bccac8b781 100644 --- a/src/cmd/dev.go +++ b/src/cmd/dev.go @@ -39,7 +39,7 @@ var devDeployCmd = &cobra.Command{ Args: cobra.MaximumNArgs(1), Short: lang.CmdDevDeployShort, Long: lang.CmdDevDeployLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { common.SetBaseDirectory(args, &pkgConfig) v := common.GetViper() @@ -65,7 +65,7 @@ var devTransformGitLinksCmd = &cobra.Command{ Aliases: []string{"p"}, Short: lang.CmdDevPatchGitShort, Args: cobra.ExactArgs(2), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { host, fileName := args[0], args[1] // Read the contents of the given file 
@@ -108,7 +108,7 @@ var devSha256SumCmd = &cobra.Command{ Aliases: []string{"s"}, Short: lang.CmdDevSha256sumShort, Args: cobra.ExactArgs(1), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { fileName := args[0] var tmp string @@ -184,7 +184,7 @@ var devFindImagesCmd = &cobra.Command{ Args: cobra.MaximumNArgs(1), Short: lang.CmdDevFindImagesShort, Long: lang.CmdDevFindImagesLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { // If a directory was provided, use that as the base directory common.SetBaseDirectory(args, &pkgConfig) @@ -210,7 +210,7 @@ var devGenConfigFileCmd = &cobra.Command{ Args: cobra.MaximumNArgs(1), Short: lang.CmdDevGenerateConfigShort, Long: lang.CmdDevGenerateConfigLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { fileName := "zarf-config.toml" // If a filename was provided, use that @@ -231,7 +231,7 @@ var devLintCmd = &cobra.Command{ Aliases: []string{"l"}, Short: lang.CmdDevLintShort, Long: lang.CmdDevLintLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { common.SetBaseDirectory(args, &pkgConfig) v := common.GetViper() pkgConfig.CreateOpts.SetVariables = helpers.TransformAndMergeMap( diff --git a/src/cmd/initialize.go b/src/cmd/initialize.go index 192fb961e0..906f484720 100644 --- a/src/cmd/initialize.go +++ b/src/cmd/initialize.go @@ -33,7 +33,7 @@ var initCmd = &cobra.Command{ Short: lang.CmdInitShort, Long: lang.CmdInitLong, Example: lang.CmdInitExample, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { zarfLogo := message.GetLogo() _, _ = fmt.Fprintln(os.Stderr, zarfLogo) diff --git a/src/cmd/internal.go b/src/cmd/internal.go index a10067398c..68e512d1c6 100644 --- a/src/cmd/internal.go +++ b/src/cmd/internal.go 
@@ -37,7 +37,7 @@ var agentCmd = &cobra.Command{ Use: "agent", Short: lang.CmdInternalAgentShort, Long: lang.CmdInternalAgentLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { agent.StartWebhook() }, } @@ -46,7 +46,7 @@ var httpProxyCmd = &cobra.Command{ Use: "http-proxy", Short: lang.CmdInternalProxyShort, Long: lang.CmdInternalProxyLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { agent.StartHTTPProxy() }, } @@ -54,7 +54,7 @@ var httpProxyCmd = &cobra.Command{ var genCLIDocs = &cobra.Command{ Use: "gen-cli-docs", Short: lang.CmdInternalGenerateCliDocsShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { // Don't include the datestamp in the output rootCmd.DisableAutoGenTag = true @@ -126,7 +126,7 @@ var genConfigSchemaCmd = &cobra.Command{ Use: "gen-config-schema", Aliases: []string{"gc"}, Short: lang.CmdInternalConfigSchemaShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { schema := jsonschema.Reflect(&types.ZarfPackage{}) output, err := json.MarshalIndent(schema, "", " ") if err != nil { @@ -146,7 +146,7 @@ var genTypesSchemaCmd = &cobra.Command{ Use: "gen-types-schema", Aliases: []string{"gt"}, Short: lang.CmdInternalTypesSchemaShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { schema := jsonschema.Reflect(&zarfTypes{}) output, err := json.MarshalIndent(schema, "", " ") if err != nil { @@ -160,7 +160,7 @@ var createReadOnlyGiteaUser = &cobra.Command{ Use: "create-read-only-gitea-user", Short: lang.CmdInternalCreateReadOnlyGiteaUserShort, Long: lang.CmdInternalCreateReadOnlyGiteaUserLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { // Load the state so we can get the credentials for the admin git user state, err := cluster.NewClusterOrDie().LoadZarfState() if err != nil { 
@@ -178,7 +178,7 @@ var createPackageRegistryToken = &cobra.Command{ Use: "create-artifact-registry-token", Short: lang.CmdInternalArtifactRegistryGiteaTokenShort, Long: lang.CmdInternalArtifactRegistryGiteaTokenLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { // Load the state so we can get the credentials for the admin git user c := cluster.NewClusterOrDie() state, err := c.LoadZarfState() @@ -204,7 +204,7 @@ var updateGiteaPVC = &cobra.Command{ Use: "update-gitea-pvc", Short: lang.CmdInternalUpdateGiteaPVCShort, Long: lang.CmdInternalUpdateGiteaPVCLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { // There is a possibility that the pvc does not yet exist and Gitea helm chart should create it helmShouldCreate, err := git.UpdateGiteaPVC(rollback) @@ -219,7 +219,7 @@ var updateGiteaPVC = &cobra.Command{ var isValidHostname = &cobra.Command{ Use: "is-valid-hostname", Short: lang.CmdInternalIsValidHostnameShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { if valid := helpers.IsValidHostName(); !valid { hostname, _ := os.Hostname() message.Fatalf(nil, lang.CmdInternalIsValidHostnameErr, hostname) @@ -232,7 +232,7 @@ var computeCrc32 = &cobra.Command{ Aliases: []string{"c"}, Short: lang.CmdInternalCrc32Short, Args: cobra.ExactArgs(1), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { text := args[0] hash := helpers.GetCRCHash(text) fmt.Printf("%d\n", hash) diff --git a/src/cmd/package.go b/src/cmd/package.go index 1ccd3e3061..3e29b74b64 100644 --- a/src/cmd/package.go +++ b/src/cmd/package.go 
@@ -39,7 +39,7 @@ var packageCreateCmd = &cobra.Command{ Args: cobra.MaximumNArgs(1), Short: lang.CmdPackageCreateShort, Long: lang.CmdPackageCreateLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { common.SetBaseDirectory(args, &pkgConfig) var isCleanPathRegex = regexp.MustCompile(`^[a-zA-Z0-9\_\-\/\.\~\\:]+$`) @@ -70,7 +70,7 @@ var packageDeployCmd = &cobra.Command{ Short: lang.CmdPackageDeployShort, Long: lang.CmdPackageDeployLong, Args: cobra.MaximumNArgs(1), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { pkgConfig.PkgOpts.PackageSource = choosePackage(args) // Ensure uppercase keys from viper and CLI --set @@ -98,7 +98,7 @@ var packageMirrorCmd = &cobra.Command{ Long: lang.CmdPackageMirrorLong, Example: lang.CmdPackageMirrorExample, Args: cobra.MaximumNArgs(1), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { pkgConfig.PkgOpts.PackageSource = choosePackage(args) // Configure the packager @@ -118,7 +118,7 @@ var packageInspectCmd = &cobra.Command{ Short: lang.CmdPackageInspectShort, Long: lang.CmdPackageInspectLong, Args: cobra.MaximumNArgs(1), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { pkgConfig.PkgOpts.PackageSource = choosePackage(args) src := identifyAndFallbackToClusterSource() @@ -139,7 +139,7 @@ var packageListCmd = &cobra.Command{ Use: "list", Aliases: []string{"l", "ls"}, Short: lang.CmdPackageListShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { // Get all the deployed packages deployedZarfPackages, errs := cluster.NewClusterOrDie().GetDeployedZarfPackages() if len(errs) > 0 && len(deployedZarfPackages) == 0 { 
@@ -177,7 +177,7 @@ var packageRemoveCmd = &cobra.Command{ Aliases: []string{"u", "rm"}, Args: cobra.MaximumNArgs(1), Short: lang.CmdPackageRemoveShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { pkgConfig.PkgOpts.PackageSource = choosePackage(args) src := identifyAndFallbackToClusterSource() @@ -197,7 +197,7 @@ var packagePublishCmd = &cobra.Command{ Short: lang.CmdPackagePublishShort, Example: lang.CmdPackagePublishExample, Args: cobra.ExactArgs(2), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { pkgConfig.PkgOpts.PackageSource = args[0] if !helpers.IsOCIURL(args[1]) { @@ -236,7 +236,7 @@ var packagePullCmd = &cobra.Command{ Short: lang.CmdPackagePullShort, Example: lang.CmdPackagePullExample, Args: cobra.ExactArgs(1), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { pkgConfig.PkgOpts.PackageSource = args[0] // Configure the packager diff --git a/src/cmd/root.go b/src/cmd/root.go index 3d5660e8a2..9563f382d3 100644 --- a/src/cmd/root.go +++ b/src/cmd/root.go @@ -26,7 +26,7 @@ var ( var rootCmd = &cobra.Command{ Use: "zarf COMMAND", - PersistentPreRun: func(cmd *cobra.Command, args []string) { + PersistentPreRun: func(cmd *cobra.Command, _ []string) { // Skip for vendor-only commands if common.CheckVendorOnlyFromPath(cmd) { return diff --git a/src/cmd/tools/archiver.go b/src/cmd/tools/archiver.go index e392b8c3ad..b6110b7a18 100644 --- a/src/cmd/tools/archiver.go +++ b/src/cmd/tools/archiver.go @@ -28,7 +28,7 @@ var archiverCompressCmd = &cobra.Command{ Aliases: []string{"c"}, Short: lang.CmdToolsArchiverCompressShort, Args: cobra.MinimumNArgs(2), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { sourceFiles, destinationArchive := args[:len(args)-1], args[len(args)-1] err := archiver.Archive(sourceFiles, destinationArchive) if err != nil { 
@@ -44,7 +44,7 @@ var archiverDecompressCmd = &cobra.Command{ Aliases: []string{"d"}, Short: lang.CmdToolsArchiverDecompressShort, Args: cobra.ExactArgs(2), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { sourceArchive, destinationPath := args[0], args[1] err := archiver.Unarchive(sourceArchive, destinationPath) if err != nil { diff --git a/src/cmd/tools/common.go b/src/cmd/tools/common.go index 81d33af4ec..d0fa000e86 100644 --- a/src/cmd/tools/common.go +++ b/src/cmd/tools/common.go @@ -14,7 +14,7 @@ import ( var toolsCmd = &cobra.Command{ Use: "tools", Aliases: []string{"t"}, - PersistentPreRun: func(cmd *cobra.Command, args []string) { + PersistentPreRun: func(cmd *cobra.Command, _ []string) { config.SkipLogFile = true // Skip for vendor-only commands diff --git a/src/cmd/tools/crane.go b/src/cmd/tools/crane.go index 80030fd361..6d0919067d 100644 --- a/src/cmd/tools/crane.go +++ b/src/cmd/tools/crane.go @@ -37,7 +37,7 @@ func init() { Use: "registry", Aliases: []string{"r", "crane"}, Short: lang.CmdToolsRegistryShort, - PersistentPreRun: func(cmd *cobra.Command, args []string) { + PersistentPreRun: func(cmd *cobra.Command, _ []string) { exec.ExitOnInterrupt() diff --git a/src/cmd/tools/helm/dependency.go b/src/cmd/tools/helm/dependency.go index b96d1e39b2..4ab004b036 100644 --- a/src/cmd/tools/helm/dependency.go +++ b/src/cmd/tools/helm/dependency.go @@ -111,7 +111,7 @@ func newDependencyListCmd(out io.Writer) *cobra.Command { Short: "list the dependencies for the given chart", Long: dependencyListDesc, Args: require.MaximumNArgs(1), - RunE: func(cmd *cobra.Command, args []string) error { + RunE: func(_ *cobra.Command, args []string) error { chartpath := "." if len(args) > 0 { chartpath = filepath.Clean(args[0]) diff --git a/src/cmd/tools/helm/dependency_build.go b/src/cmd/tools/helm/dependency_build.go index 0e84e244bb..618c137174 100644 --- a/src/cmd/tools/helm/dependency_build.go 
+++ b/src/cmd/tools/helm/dependency_build.go @@ -54,7 +54,7 @@ func newDependencyBuildCmd(cfg *action.Configuration, out io.Writer) *cobra.Comm Short: "rebuild the charts/ directory based on the Chart.lock file", Long: dependencyBuildDesc, Args: require.MaximumNArgs(1), - RunE: func(cmd *cobra.Command, args []string) error { + RunE: func(_ *cobra.Command, args []string) error { chartpath := "." if len(args) > 0 { chartpath = filepath.Clean(args[0]) diff --git a/src/cmd/tools/helm/dependency_update.go b/src/cmd/tools/helm/dependency_update.go index 86c9f48de3..f069b7f59d 100644 --- a/src/cmd/tools/helm/dependency_update.go +++ b/src/cmd/tools/helm/dependency_update.go @@ -57,7 +57,7 @@ func newDependencyUpdateCmd(cfg *action.Configuration, out io.Writer) *cobra.Com Short: "update charts/ based on the contents of Chart.yaml", Long: dependencyUpDesc, Args: require.MaximumNArgs(1), - RunE: func(cmd *cobra.Command, args []string) error { + RunE: func(_ *cobra.Command, args []string) error { chartpath := "." if len(args) > 0 { chartpath = filepath.Clean(args[0]) diff --git a/src/cmd/tools/helm/flags.go b/src/cmd/tools/helm/flags.go index d567d920ec..d0130a6fb1 100644 --- a/src/cmd/tools/helm/flags.go +++ b/src/cmd/tools/helm/flags.go @@ -44,7 +44,7 @@ func bindOutputFlag(cmd *cobra.Command, varRef *output.Format) { cmd.Flags().VarP(newOutputValue(output.Table, varRef), outputFlag, "o", fmt.Sprintf("prints the output in the specified format. Allowed values: %s", strings.Join(output.Formats(), ", "))) - err := cmd.RegisterFlagCompletionFunc(outputFlag, func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + err := cmd.RegisterFlagCompletionFunc(outputFlag, func(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) { var formatNames []string for format, desc := range output.FormatsWithDesc() { formatNames = append(formatNames, fmt.Sprintf("%s\t%s", format, desc)) 
diff --git a/src/cmd/tools/helm/load_plugins.go b/src/cmd/tools/helm/load_plugins.go index 6890f52edc..39edb9c3d9 100644 --- a/src/cmd/tools/helm/load_plugins.go +++ b/src/cmd/tools/helm/load_plugins.go @@ -305,7 +305,7 @@ func addPluginCommands(plugin *plugin.Plugin, baseCmd *cobra.Command, cmds *plug // to the dynamic completion script of the plugin. DisableFlagParsing: true, // A Run is required for it to be a valid command without subcommands - Run: func(cmd *cobra.Command, args []string) {}, + Run: func(_ *cobra.Command, _ []string) {}, } baseCmd.AddCommand(subCmd) addPluginCommands(plugin, subCmd, &cmd) diff --git a/src/cmd/tools/helm/repo_add.go b/src/cmd/tools/helm/repo_add.go index ce2e236267..d167adc3fc 100644 --- a/src/cmd/tools/helm/repo_add.go +++ b/src/cmd/tools/helm/repo_add.go @@ -76,7 +76,7 @@ func newRepoAddCmd(out io.Writer) *cobra.Command { Use: "add [NAME] [URL]", Short: "add a chart repository", Args: require.ExactArgs(2), - RunE: func(cmd *cobra.Command, args []string) error { + RunE: func(_ *cobra.Command, args []string) error { o.name = args[0] o.url = args[1] o.repoFile = settings.RepositoryConfig diff --git a/src/cmd/tools/helm/repo_index.go b/src/cmd/tools/helm/repo_index.go index 79f941e79a..1770cedcf9 100644 --- a/src/cmd/tools/helm/repo_index.go +++ b/src/cmd/tools/helm/repo_index.go @@ -58,7 +58,7 @@ func newRepoIndexCmd(out io.Writer) *cobra.Command { Short: "generate an index file given a directory containing packaged charts", Long: repoIndexDesc, Args: require.ExactArgs(1), - ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + ValidArgsFunction: func(_ *cobra.Command, args []string, _ string) ([]string, cobra.ShellCompDirective) { if len(args) == 0 { // Allow file completion when completing the argument for the directory return nil, cobra.ShellCompDirectiveDefault 
@@ -66,7 +66,7 @@ func newRepoIndexCmd(out io.Writer) *cobra.Command { // No more completions, so disable file completion return nil, cobra.ShellCompDirectiveNoFileComp }, - RunE: func(cmd *cobra.Command, args []string) error { + RunE: func(_ *cobra.Command, args []string) error { o.dir = args[0] return o.run(out) }, diff --git a/src/cmd/tools/helm/repo_list.go b/src/cmd/tools/helm/repo_list.go index 02b4e34d86..7bf65bc95f 100644 --- a/src/cmd/tools/helm/repo_list.go +++ b/src/cmd/tools/helm/repo_list.go @@ -41,7 +41,7 @@ func newRepoListCmd(out io.Writer) *cobra.Command { Aliases: []string{"ls"}, Short: "list chart repositories", Args: require.NoArgs, - RunE: func(cmd *cobra.Command, args []string) error { + RunE: func(_ *cobra.Command, _ []string) error { f, _ := repo.LoadFile(settings.RepositoryConfig) if len(f.Repositories) == 0 && !(outfmt == output.JSON || outfmt == output.YAML) { return errors.New("no repositories to show") diff --git a/src/cmd/tools/helm/repo_remove.go b/src/cmd/tools/helm/repo_remove.go index 61340f8a49..13110072cd 100644 --- a/src/cmd/tools/helm/repo_remove.go +++ b/src/cmd/tools/helm/repo_remove.go @@ -49,10 +49,10 @@ func newRepoRemoveCmd(out io.Writer) *cobra.Command { Aliases: []string{"rm"}, Short: "remove one or more chart repositories", Args: require.MinimumNArgs(1), - ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + ValidArgsFunction: func(_ *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { return compListRepos(toComplete, args), cobra.ShellCompDirectiveNoFileComp }, - RunE: func(cmd *cobra.Command, args []string) error { + RunE: func(_ *cobra.Command, args []string) error { o.repoFile = settings.RepositoryConfig o.repoCache = settings.RepositoryCache o.names = args diff --git a/src/cmd/tools/helm/repo_update.go b/src/cmd/tools/helm/repo_update.go index c74d1eae75..92f82e261e 100644 --- a/src/cmd/tools/helm/repo_update.go 
+++ b/src/cmd/tools/helm/repo_update.go @@ -62,10 +62,10 @@ func newRepoUpdateCmd(out io.Writer) *cobra.Command { Short: "update information of available charts locally from chart repositories", Long: updateDesc, Args: require.MinimumNArgs(0), - ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + ValidArgsFunction: func(_ *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { return compListRepos(toComplete, args), cobra.ShellCompDirectiveNoFileComp }, - RunE: func(cmd *cobra.Command, args []string) error { + RunE: func(_ *cobra.Command, args []string) error { o.repoFile = settings.RepositoryConfig o.repoCache = settings.RepositoryCache o.names = args diff --git a/src/cmd/tools/helm/root.go b/src/cmd/tools/helm/root.go index 63b9bf8f17..e496a93cec 100644 --- a/src/cmd/tools/helm/root.go +++ b/src/cmd/tools/helm/root.go @@ -105,7 +105,7 @@ func NewRootCmd(actionConfig *action.Configuration, out io.Writer, args []string addKlogFlags(flags) // Setup shell completion for the namespace flag - err := cmd.RegisterFlagCompletionFunc("namespace", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + err := cmd.RegisterFlagCompletionFunc("namespace", func(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) { if client, err := actionConfig.KubernetesClientSet(); err == nil { // Choose a long enough timeout that the user notices something is not working // but short enough that the user is not made to wait very long 
@@ -128,7 +128,7 @@ func NewRootCmd(actionConfig *action.Configuration, out io.Writer, args []string } // Setup shell completion for the kube-context flag - err = cmd.RegisterFlagCompletionFunc("kube-context", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) { + err = cmd.RegisterFlagCompletionFunc("kube-context", func(_ *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) { cobra.CompDebugln("About to get the different kube-contexts", settings.Debug) loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() diff --git a/src/cmd/tools/k9s.go b/src/cmd/tools/k9s.go index d38992ead9..ceabe6a547 100644 --- a/src/cmd/tools/k9s.go +++ b/src/cmd/tools/k9s.go @@ -23,7 +23,7 @@ func init() { Use: "monitor", Aliases: []string{"m", "k9s"}, Short: lang.CmdToolsMonitorShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { // Hack to make k9s think it's all alone os.Args = []string{os.Args[0]} k9s.Execute() diff --git a/src/cmd/tools/kubectl.go b/src/cmd/tools/kubectl.go index ab9f16e920..e9eb820ff5 100644 --- a/src/cmd/tools/kubectl.go +++ b/src/cmd/tools/kubectl.go @@ -22,7 +22,7 @@ func init() { // Kubectl stub command. kubectlCmd := &cobra.Command{ Short: lang.CmdToolsKubectlDocs, - Run: func(cmd *cobra.Command, args []string) {}, + Run: func(_ *cobra.Command, _ []string) {}, } // Only load this command if it is being called directly. diff --git a/src/cmd/tools/wait.go b/src/cmd/tools/wait.go index 183fd226e8..9977c58011 100644 --- a/src/cmd/tools/wait.go +++ b/src/cmd/tools/wait.go @@ -28,7 +28,7 @@ var waitForCmd = &cobra.Command{ Long: lang.CmdToolsWaitForLong, Example: lang.CmdToolsWaitForExample, Args: cobra.MinimumNArgs(1), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { // Parse the timeout string timeout, err := time.ParseDuration(waitTimeout) if err != nil { 
diff --git a/src/cmd/tools/zarf.go b/src/cmd/tools/zarf.go index 27cc36da6a..f0820962f8 100644 --- a/src/cmd/tools/zarf.go +++ b/src/cmd/tools/zarf.go @@ -35,7 +35,7 @@ var deprecatedGetGitCredsCmd = &cobra.Command{ Hidden: true, Short: lang.CmdToolsGetGitPasswdShort, Long: lang.CmdToolsGetGitPasswdLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { message.Warn(lang.CmdToolsGetGitPasswdDeprecation) getCredsCmd.Run(getCredsCmd, []string{"git"}) }, @@ -48,7 +48,7 @@ var getCredsCmd = &cobra.Command{ Example: lang.CmdToolsGetCredsExample, Aliases: []string{"gc"}, Args: cobra.MaximumNArgs(1), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { state, err := cluster.NewClusterOrDie().LoadZarfState() if err != nil || state.Distro == "" { // If no distro the zarf secret did not load properly @@ -168,7 +168,7 @@ var clearCacheCmd = &cobra.Command{ Use: "clear-cache", Aliases: []string{"c"}, Short: lang.CmdToolsClearCacheShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { message.Notef(lang.CmdToolsClearCacheDir, config.GetAbsCachePath()) if err := os.RemoveAll(config.GetAbsCachePath()); err != nil { message.Fatalf(err, lang.CmdToolsClearCacheErr, config.GetAbsCachePath()) @@ -180,7 +180,7 @@ var clearCacheCmd = &cobra.Command{ var downloadInitCmd = &cobra.Command{ Use: "download-init", Short: lang.CmdToolsDownloadInitShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { url := oci.GetInitPackageURL(config.CLIVersion) remote, err := oci.NewOrasRemote(url, oci.PlatformForArch(config.GetArch())) 
@@ -202,7 +202,7 @@ var generatePKICmd = &cobra.Command{ Aliases: []string{"pki"}, Short: lang.CmdToolsGenPkiShort, Args: cobra.ExactArgs(1), - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, args []string) { pki := pki.GeneratePKI(args[0], subAltNames...) if err := os.WriteFile("tls.ca", pki.CA, 0644); err != nil { message.Fatalf(err, lang.ErrWritingFile, "tls.ca", err.Error()) @@ -221,7 +221,7 @@ var generateKeyCmd = &cobra.Command{ Use: "gen-key", Aliases: []string{"key"}, Short: lang.CmdToolsGenKeyShort, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { // Utility function to prompt the user for the password to the private key passwordFunc := func(bool) ([]byte, error) { // perform the first prompt diff --git a/src/cmd/version.go b/src/cmd/version.go index 18984a6e82..1daa7af61f 100644 --- a/src/cmd/version.go +++ b/src/cmd/version.go @@ -24,12 +24,12 @@ var outputFormat string var versionCmd = &cobra.Command{ Use: "version", Aliases: []string{"v"}, - PersistentPreRun: func(cmd *cobra.Command, args []string) { + PersistentPreRun: func(_ *cobra.Command, _ []string) { config.SkipLogFile = true }, Short: lang.CmdVersionShort, Long: lang.CmdVersionLong, - Run: func(cmd *cobra.Command, args []string) { + Run: func(_ *cobra.Command, _ []string) { output := make(map[string]interface{}) buildInfo, ok := debug.ReadBuildInfo() diff --git a/src/internal/agent/http/proxy.go b/src/internal/agent/http/proxy.go index b805d53564..ea0a54f024 100644 --- a/src/internal/agent/http/proxy.go +++ b/src/internal/agent/http/proxy.go @@ -30,7 +30,7 @@ func ProxyHandler() http.HandlerFunc { return } - proxy := &httputil.ReverseProxy{Director: func(r *http.Request) {}, ModifyResponse: proxyResponseTransform} + proxy := &httputil.ReverseProxy{Director: func(_ *http.Request) {}, ModifyResponse: proxyResponseTransform} proxy.ServeHTTP(w, r) } } 
diff --git a/src/internal/agent/http/server.go b/src/internal/agent/http/server.go index aa86133d85..4087308d3a 100644 --- a/src/internal/agent/http/server.go +++ b/src/internal/agent/http/server.go @@ -55,7 +55,7 @@ func NewProxyServer(port string) *http.Server { } func healthz() http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { + return func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) w.Write([]byte("ok")) } diff --git a/src/internal/packager/images/pull.go b/src/internal/packager/images/pull.go index 160c0d506a..92ed0d5775 100644 --- a/src/internal/packager/images/pull.go +++ b/src/internal/packager/images/pull.go @@ -379,7 +379,7 @@ func (i *ImageConfig) PullAll() ([]ImgInfo, error) { }() } - onImageSavingProgress := func(finishedImage digestInfo, iteration int) { + onImageSavingProgress := func(finishedImage digestInfo, _ int) { referenceToDigest[finishedImage.refInfo.Reference] = finishedImage.digest } diff --git a/src/pkg/k8s/common.go b/src/pkg/k8s/common.go index bb678050e4..d11be666d2 100644 --- a/src/pkg/k8s/common.go +++ b/src/pkg/k8s/common.go @@ -22,7 +22,7 @@ import ( // New creates a new K8s client. func New(logger Log, defaultLabels Labels) (*K8s, error) { - klog.SetLogger(funcr.New(func(prefix, args string) { + klog.SetLogger(funcr.New(func(_, args string) { logger(args) }, funcr.Options{})) diff --git a/src/pkg/packager/common_test.go b/src/pkg/packager/common_test.go index 690837f6c3..105daf0242 100644 --- a/src/pkg/packager/common_test.go +++ b/src/pkg/packager/common_test.go 
@@ -104,7 +104,7 @@ func TestValidatePackageArchitecture(t *testing.T) { } // Set up test data for fetching cluster architecture. - mockClient.Fake.PrependReactor("list", "nodes", func(action k8sTesting.Action) (handled bool, ret runtime.Object, err error) { + mockClient.Fake.PrependReactor("list", "nodes", func(_ k8sTesting.Action) (bool, runtime.Object, error) { // Return an error for cases that test this error path. if testCase.getArchError != nil { return true, nil, testCase.getArchError diff --git a/src/pkg/packager/sources/validate.go b/src/pkg/packager/sources/validate.go index 2e06f85056..38e4581b0a 100644 --- a/src/pkg/packager/sources/validate.go +++ b/src/pkg/packager/sources/validate.go @@ -157,7 +157,7 @@ func pathCheckMap(dir string) (map[string]bool, error) { return nil } filepathMap[path] = false - return nil + return err }) return filepathMap, err } diff --git a/src/pkg/transform/git_test.go b/src/pkg/transform/git_test.go index 0bee04260d..70145275aa 100644 --- a/src/pkg/transform/git_test.go +++ b/src/pkg/transform/git_test.go @@ -44,7 +44,7 @@ var badGitURLs = []string{ } func TestMutateGitURLsInText(t *testing.T) { - dummyLogger := func(content string, args ...any) {} + dummyLogger := func(_ string, _ ...any) {} originalText := ` # Here we handle invalid URLs (see below comment) # We transform https://*/*.git URLs From 714f7c017bc13985f294ade45d47daca0137306c Mon Sep 17 00:00:00 2001 
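Review bot: In the `src/pkg/packager/sources/validate.go` hunk, the walk callback in `pathCheckMap` now ends with `return err`, but only after `filepathMap[path] = false` has already run, so a path whose walk failed is still recorded in the map before the error surfaces. If `err` is the callback's own error parameter (the signature is outside the hunk), the entry argument passed alongside a non-nil error may be nil, and any earlier use of it would panic before this return is reached. Checking the error first, `if err != nil { return err }` as the opening statement of the callback, keeps the map clean and makes the failure path explicit; the final statement can then stay `return nil`. Both the callback and `pathCheckMap` start outside the hunk, so the earlier statements should be confirmed against the full file.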
From: Wayne Starr Date: Wed, 21 Feb 2024 14:20:30 -0700 Subject: [PATCH 13/17] feat: improve `zarf tools registry prune` messaging (#2323) ## Description This PR fixes the `zarf tools registry prune` messaging to be more verbose. ## Related Issue Fixes #N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [X] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --- src/cmd/tools/crane.go | 14 ++++++++++++++ src/config/lang/english.go | 4 ++++ 2 files changed, 18 insertions(+) diff --git a/src/cmd/tools/crane.go b/src/cmd/tools/crane.go index 6d0919067d..c0a521c153 100644 --- a/src/cmd/tools/crane.go +++ b/src/cmd/tools/crane.go @@ -246,6 +246,9 @@ func pruneImages(_ *cobra.Command, _ []string) error { func doPruneImagesForPackages(zarfState *types.ZarfState, zarfPackages []types.DeployedPackage, registryEndpoint string) error { authOption := config.GetCraneAuthOption(zarfState.RegistryInfo.PushUsername, zarfState.RegistryInfo.PushPassword) + spinner := message.NewProgressSpinner(lang.CmdToolsRegistryPruneLookup) + defer spinner.Stop() + // Determine which image digests are currently used by Zarf packages pkgImages := map[string]bool{} for _, pkg := range zarfPackages { @@ -273,6 +276,8 @@ func doPruneImagesForPackages(zarfState *types.ZarfState, zarfPackages []types.D } } + spinner.Updatef(lang.CmdToolsRegistryPruneCatalog) + // Find which images and tags are in the registry currently imageCatalog, err := crane.Catalog(registryEndpoint, authOption) if err != nil { 
@@ -295,6 +300,8 @@ func doPruneImagesForPackages(zarfState *types.ZarfState, zarfPackages []types.D } } + spinner.Updatef(lang.CmdToolsRegistryPruneCalculate) + // Figure out which images are in the registry but not needed by packages imageDigestsToPrune := map[string]bool{} for digestRef, digest := range referenceToDigest { @@ -308,6 +315,8 @@ func doPruneImagesForPackages(zarfState *types.ZarfState, zarfPackages []types.D } } + spinner.Success() + if len(imageDigestsToPrune) > 0 { message.Note(lang.CmdToolsRegistryPruneImageList) @@ -328,6 +337,9 @@ func doPruneImagesForPackages(zarfState *types.ZarfState, zarfPackages []types.D } } if confirm { + spinner := message.NewProgressSpinner(lang.CmdToolsRegistryPruneDelete) + defer spinner.Stop() + // Delete the digest references that are to be pruned for digestRef := range imageDigestsToPrune { err = crane.Delete(digestRef, authOption) @@ -335,6 +347,8 @@ func doPruneImagesForPackages(zarfState *types.ZarfState, zarfPackages []types.D return err } } + + spinner.Success() } } else { message.Note(lang.CmdToolsRegistryPruneNoImages) diff --git a/src/config/lang/english.go b/src/config/lang/english.go index 6a666474d7..14e3b19887 100644 --- a/src/config/lang/english.go +++ b/src/config/lang/english.go 
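Review bot: In the `@@ -328,6 +337,9 @@` hunk of `src/cmd/tools/crane.go`, the `spinner := message.NewProgressSpinner(lang.CmdToolsRegistryPruneDelete)` inside `if confirm {` shadows the function-level `spinner` created at the top of `doPruneImagesForPackages`, which makes it easy to call `Success()` or `Stop()` on the wrong one in a later edit. A distinct name such as `deleteSpinner := message.NewProgressSpinner(lang.CmdToolsRegistryPruneDelete)`, with `defer deleteSpinner.Stop()` and `deleteSpinner.Success()`, reads more clearly. Separately, when `crane.Delete` fails the loop returns the bare `err`, so the operator cannot tell which digest reference stopped the prune or how many were already removed; including `digestRef` in the returned error would help when auditing a partially pruned registry. The function body continues outside these hunks.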
@@ -455,6 +455,10 @@ $ zarf tools registry digest reg.example.com/stefanprodan/podinfo:6.4.0 CmdToolsRegistryPruneFlagConfirm = "Confirm the image prune action to prevent accidental deletions" CmdToolsRegistryPruneImageList = "The following image digests will be pruned from the registry:" CmdToolsRegistryPruneNoImages = "There are no images to prune" + CmdToolsRegistryPruneLookup = "Looking up images within package definitions" + CmdToolsRegistryPruneCatalog = "Cataloging images in the registry" + CmdToolsRegistryPruneCalculate = "Calculating images to prune" + CmdToolsRegistryPruneDelete = "Deleting unused images" CmdToolsRegistryInvalidPlatformErr = "Invalid platform '%s': %s" CmdToolsRegistryFlagVerbose = "Enable debug logs" From 58526033d7ccd52db182aeef4503063b910b46c1 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 22 Feb 2024 19:19:05 -0700 Subject: [PATCH 14/17] fix(deps): update module helm.sh/helm/v3 to v3.14.2 [security] (#2329) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [helm.sh/helm/v3](https://togithub.com/helm/helm) | `v3.14.1` -> `v3.14.2` | [![age](https://developer.mend.io/api/mc/badges/age/go/helm.sh%2fhelm%2fv3/v3.14.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/helm.sh%2fhelm%2fv3/v3.14.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/helm.sh%2fhelm%2fv3/v3.14.1/v3.14.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/helm.sh%2fhelm%2fv3/v3.14.1/v3.14.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-26147](https://togithub.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6) A Helm contributor discovered uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. ### Impact When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. 
For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. ### Patches This issue has been resolved in Helm v3.14.2. ### Workarounds If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic. ### For more information Helm's security policy is spelled out in detail in our [SECURITY](https://togithub.com/helm/community/blob/master/SECURITY.md) document. ### Credits Disclosed by Jakub Ciolek at AlphaSense. --- ### Release Notes
helm/helm (helm.sh/helm/v3) ### [`v3.14.2`](https://togithub.com/helm/helm/releases/tag/v3.14.2): Helm v3.14.2 [Compare Source](https://togithub.com/helm/helm/compare/v3.14.1...v3.14.2) Helm v3.14.2 is a security (patch) release. Users are strongly recommended to update to this release. A Helm contributor discovered uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. Jakub Ciolek with AlphaSense discovered the vulnerability. #### Installation and Upgrading Download Helm v3.14.2. The common platform binaries are here: - [MacOS amd64](https://get.helm.sh/helm-v3.14.2-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.2-darwin-amd64.tar.gz.sha256sum) / 64c633ae194bde77b7e7b7936a2814a7417817dc8b7bb7d270bd24a7a17b8d12) - [MacOS arm64](https://get.helm.sh/helm-v3.14.2-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.2-darwin-arm64.tar.gz.sha256sum) / ff502fd39b06497fa3d5a51ec2ced02b9fcfdb0e9a948d315fb1b2f13ddc39fb) - [Linux amd64](https://get.helm.sh/helm-v3.14.2-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.2-linux-amd64.tar.gz.sha256sum) / 0885a501d586c1e949e9b113bf3fb3290b0bbf74db9444a1d8c2723a143006a5) - [Linux arm](https://get.helm.sh/helm-v3.14.2-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.2-linux-arm.tar.gz.sha256sum) / b70fb6fa2cdf0a5c782320c9d7e7b155fcaec260169218c98316bb3cf0d431d9) - [Linux arm64](https://get.helm.sh/helm-v3.14.2-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.2-linux-arm64.tar.gz.sha256sum) / c65d6a9557bb359abc2c0d26670de850b52327dc3976ad6f9e14c298ea3e1b61) - [Linux i386](https://get.helm.sh/helm-v3.14.2-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.2-linux-386.tar.gz.sha256sum) / 0e08cd56cc952ab4646c57c5ec7cde2412c39373aec3df659a14597dd9874461) - [Linux ppc64le](https://get.helm.sh/helm-v3.14.2-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.2-linux-ppc64le.tar.gz.sha256sum) / 
f3bc8582ff151e619cd285d9cdf9fef1c5733ee5522d8bed2ef680ef07f87223) - [Linux s390x](https://get.helm.sh/helm-v3.14.2-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.2-linux-s390x.tar.gz.sha256sum) / 7bda34aa26638e5116b31385f3b781172572175bf4c1ae00c87d8b154458ed94) - [Linux riscv64](https://get.helm.sh/helm-v3.14.2-linux-riscv64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.14.2-linux-riscv64.tar.gz.sha256sum) / f6278facd3e2e6af52a5f6d038f2149428d115ba2b4523edbe5889d1170e9203) - [Windows amd64](https://get.helm.sh/helm-v3.14.2-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-v3.14.2-windows-amd64.zip.sha256sum) / aa094e435da74ad574f96924c37ecd0c75f0be707ac604ef97ed6021d6bc0784) This release was signed with ` 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E ` and can be found at [@​mattfarina](https://togithub.com/mattfarina) [keybase account](https://keybase.io/mattfarina). Please use the attached signatures for verifying this release using `gpg`. The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get you going from there. For **upgrade instructions** or detailed installation notes, check the [install guide](https://helm.sh/docs/intro/install/). You can also use a [script to install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3) on any system with `bash`. #### What's Next - 3.14.3 will contain only bug fixes and be released on March 13, 2024. - 3.15.0 is the next feature release and will be on May 08, 2024.
--- ### Configuration πŸ“… **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. β™» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. πŸ”• **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/zarf). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 246c5bbb8f..bc118db11b 100644 --- a/go.mod +++ b/go.mod @@ -47,7 +47,7 @@ require ( golang.org/x/crypto v0.18.0 golang.org/x/sync v0.6.0 golang.org/x/term v0.17.0 - helm.sh/helm/v3 v3.14.1 + helm.sh/helm/v3 v3.14.2 k8s.io/api v0.29.1 k8s.io/apimachinery v0.29.1 k8s.io/client-go v0.29.1 diff --git a/go.sum b/go.sum index 2fd98ddea2..f7f6cb8c4b 100644 --- a/go.sum +++ b/go.sum 
@@ -2404,8 +2404,8 @@ gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls= gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.14.1 h1:4AwRLx+wfzlPtvrsbDmWP5PUokGmf9/nAmEdk21vae8= -helm.sh/helm/v3 v3.14.1/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= +helm.sh/helm/v3 v3.14.2 h1:V71fv+NGZv0icBlr+in1MJXuUIHCiPG1hW9gEBISTIA= +helm.sh/helm/v3 v3.14.2/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= From ed8319ce90ff83d78ab04b27ab7db6dc26c62c79 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Fri, 23 Feb 2024 09:16:25 -0700 Subject: [PATCH 15/17] chore: update Zarf roadmap per 2024 goals (#2305) ## Description This PR updates the Zarf roadmap per our 2024 project goals (delaying GA and focusing on OpenSSF donation). ## Related Issue Fixes #N/A ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [X] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Lucas Rodriguez Co-authored-by: Lucas Rodriguez --- docs/9-roadmap.md | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/docs/9-roadmap.md b/docs/9-roadmap.md index 8e97e9690a..23cc77f7e2 100644 --- a/docs/9-roadmap.md 
+++ b/docs/9-roadmap.md 
@@ -4,11 +4,40 @@ sidebar_position: 9 # Roadmap -The project roadmap for Zarf is hosted on a [GitHub Project Board](https://github.com/orgs/defenseunicorns/projects/1) that tracks the issues the Zarf team is working along with future work we are prioritizing. +## Issue Tracking + +The issue board for Zarf is hosted on a [GitHub Project Board](https://github.com/orgs/defenseunicorns/projects/1) that tracks the issues the Zarf team is working along with future work we are prioritizing. If you would like to add bug reports or feature requests, please [add an issue](https://github.com/defenseunicorns/zarf/issues) to the GitHub repository under the appropriate template. If you have a more general question about a feature, feel free to ask the team in the [Zarf Kubernetes Slack Channel](https://kubernetes.slack.com/archives/C03B6BJAUJ3). -We also accept contributions from the community (regardless of where a particular bug or feature is on the roadmap), so feel free to read our [contributing guidelines](./12-contribute-to-zarf/1-contributor-guide.md) and [submit a PR](https://github.com/defenseunicorns/zarf/pulls)! You can also ask any development related questions in the [Zarf Dev Kubernetes Slack Channel](https://kubernetes.slack.com/archives/C03BP9Z3CMA). +We also accept contributions from the community (regardless of where a particular bug or feature is in the queue), so feel free to read our [contributing guidelines](./12-contribute-to-zarf/1-contributor-guide.md) and [submit a PR](https://github.com/defenseunicorns/zarf/pulls)! You can also ask any development related questions in the [Zarf Dev Kubernetes Slack Channel](https://kubernetes.slack.com/archives/C03BP9Z3CMA). + +## 2024 General Roadmap + +### Q1: Community Building and Refactoring + +- [X] - Establish a [monthly community meetup](https://github.com/defenseunicorns/zarf/issues/2202) to engage members of the community and answer questions. 
+- [ ] - Refactor and add tests to library code shared with [UDS-CLI](https://github.com/defenseunicorns/uds-cli) and split into a new GitHub repository. +- [ ] - Gather OpenSSF donation requirements and clear off pre-reqs (additional maintainers and sponsor working group). + +### Q2 Consistency, Docs and Donation to OpenSSF + +- [ ] - Consolidate and improve consistency around features such as Zarf `variables` and component `required` schema. +- [ ] - Move [docs website](https://docs.zarf.dev) from Docusaurus to a different framework to improve maintainability going forward. +- [ ] - Finalize and submit Zarf's `sandbox` application to officially join the OpenSSF. + +### Q3: Transfer Project, Stabilize and Extend + +- [ ] - Transfer project and additional repos (`zarf-ui`, `zarf-init-aws`, `setup-zarf`, etc.) to a new GitHub organization. +- [ ] - Stabilize features after the consolidation of Q2 - clean up GA milestone in preparation for Q4. +- [ ] - Flesh out the extension system for new features / experiments to be more smoothly integrated with Zarf. +- [ ] - Make `zarf init` custom logic defineable in-schema and across all packages. + +### Q4: Post Donation and General Availability + +- [ ] - Continue stabilizing features and interfaces in preparation for GA release. +- [ ] - Gather and prepare to meet OpenSSF's `incubation` requirements. +- [ ] - Officially cut a GA v1.0.0 release of Zarf. ## Feature Stability 
@@ -48,4 +77,4 @@ While Zarf is pre-General Availability (see below) the above feature stability g Right now, Zarf itself is still in its 'beta' phase. We are working on some final things before we release the official 1.0 General Availability (GA) release. The work still needed for the GA release can be found in our issues with [this filter](https://github.com/defenseunicorns/zarf/issues?q=is%3Aopen+is%3Aissue+label%3Aga). -We are currently targeting Q4 2023 to have Zarf be generally available and will be pushing weekly releases until then to add necessary features and fix bugs as well as improve docs, architecture and test coverage behind the scenes. +We are currently targeting Q4 2024 to have Zarf be generally available and will be pushing weekly releases until then to add necessary features and fix bugs as well as improve docs, architecture and test coverage behind the scenes. From 51b78e18bf3ffbbc1200ff1823688a74eeeeb55f Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Fri, 23 Feb 2024 12:03:43 -0700 Subject: [PATCH 16/17] fix: add http request header timeout to help stalling image push (#2319) ## Description This is a test for fixes to intermittent hanging. ## Related Issue Relates to #1444 ## Type of change - [X] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --- src/internal/packager/images/push.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/internal/packager/images/push.go b/src/internal/packager/images/push.go index bc0e3aa4a8..bea71bddd8 100644 --- a/src/internal/packager/images/push.go +++ b/src/internal/packager/images/push.go 
@@ -7,6 +7,7 @@ package images import ( "fmt" "net/http" + "time" "github.com/defenseunicorns/zarf/src/config" "github.com/defenseunicorns/zarf/src/pkg/cluster" @@ -50,6 +51,8 @@ func (i *ImageConfig) PushToZarfRegistry() error { httpTransport := http.DefaultTransport.(*http.Transport).Clone() httpTransport.TLSClientConfig.InsecureSkipVerify = i.Insecure + // TODO (@WSTARR) This is set to match the TLSHandshakeTimeout to potentially mitigate effects of https://github.com/defenseunicorns/zarf/issues/1444 + httpTransport.ResponseHeaderTimeout = 10 * time.Second progressBar := message.NewProgressBar(totalSize, fmt.Sprintf("Pushing %d images to the zarf registry", len(i.ImageList))) defer progressBar.Stop() craneTransport := utils.NewTransport(httpTransport, progressBar) From f6b83e1c272a22ffd1815b7d38fb6c5f0f1003f9 Mon Sep 17 00:00:00 2001 From: Vibhav Bobade Date: Tue, 27 Feb 2024 02:01:01 +0530 Subject: [PATCH 17/17] fix: allow host+subpath as the source registry for registry-override (#2306) ## Description Instead of looking for refInfo.Host in the override map loop through the keys and values in i.RegistryOverrides, check if the refInfo.Reference begins with an override key and, if it does, replace that override text with the override value and set it back to actualSrc. Do not use ImageTransformHostWithoutChecksum since we already have the parsed ref and all the info we need to do the replacement. ## Related Issue Fixes #2135 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- 
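Review bot: The `httpTransport.ResponseHeaderTimeout = 10 * time.Second` added in the `@@ -50,6 +51,8 @@` hunk of `push.go` is a bare literal applied to every registry push, and the only record of why it is 10 seconds is the TODO comment. `ResponseHeaderTimeout` counts the wait for response headers after the request, including its body, has been fully written, so a registry that is slow to acknowledge a large layer upload would now fail the push rather than stall; that trade-off deserves a sentence in the comment. A named constant, for example `const registryResponseHeaderTimeout = 10 * time.Second`, would make the value easy to find and tune. `PushToZarfRegistry` starts and continues outside the hunk.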
Signed-off-by: Vibhav Bobade Co-authored-by: Wayne Starr Co-authored-by: Austin Abro <37223396+AustinAbro321@users.noreply.github.com> --- src/internal/packager/images/pull.go | 9 +++------ src/test/e2e/25_helm_test.go | 18 +++++++++++++++++- 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/src/internal/packager/images/pull.go b/src/internal/packager/images/pull.go index 92ed0d5775..a8bb98d327 100644 --- a/src/internal/packager/images/pull.go +++ b/src/internal/packager/images/pull.go @@ -84,12 +84,9 @@ func (i *ImageConfig) PullAll() ([]ImgInfo, error) { } actualSrc := refInfo.Reference - if overrideHost, present := i.RegistryOverrides[refInfo.Host]; present { - var err error - actualSrc, err = transform.ImageTransformHostWithoutChecksum(overrideHost, refInfo.Reference) - if err != nil { - metadataImageConcurrency.ErrorChan <- fmt.Errorf("failed to swap override host %s for %s: %w", overrideHost, refInfo.Reference, err) - return + for k, v := range i.RegistryOverrides { + if strings.HasPrefix(refInfo.Reference, k) { + actualSrc = strings.Replace(refInfo.Reference, k, v, 1) } } diff --git a/src/test/e2e/25_helm_test.go b/src/test/e2e/25_helm_test.go index 38478d710c..fef3433e76 100644 --- a/src/test/e2e/25_helm_test.go +++ b/src/test/e2e/25_helm_test.go 
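Review bot: The override loop added in the `pull.go` hunk matches with `strings.HasPrefix(refInfo.Reference, k)` and has no `break`, so when two keys both match (for example a host key and a host+subpath key) the rewrite that wins depends on Go's randomized map iteration order. The prefix test also ignores path boundaries, so a key can match a reference whose host or repository merely begins with the same characters, and an image would then be pulled from a source the user did not intend to override. Selecting the longest key that matches on a `/` boundary makes the result deterministic and limits the rewrite to the intended registry path. An e2e case with two overlapping `--registry-override` values would pin this behaviour. `PullAll` starts and continues outside the hunk, and the sketch assumes `refInfo.Reference` always carries the registry host, which should be confirmed.

```go
actualSrc := refInfo.Reference
// Choose the longest override key that matches on a path boundary so the
// result does not depend on map iteration order.
matchedKey := ""
for k := range i.RegistryOverrides {
	onBoundary := refInfo.Reference == k || strings.HasPrefix(refInfo.Reference, k+"/")
	if onBoundary && len(k) > len(matchedKey) {
		matchedKey = k
	}
}
if matchedKey != "" {
	actualSrc = i.RegistryOverrides[matchedKey] + strings.TrimPrefix(refInfo.Reference, matchedKey)
}
```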
@@ -55,7 +55,23 @@ func testHelmChartsExample(t *testing.T) { require.Contains(t, e2e.StripMessageFormatting(stdErr), "chart \"asdf\" version \"6.4.0\" not found") require.Contains(t, e2e.StripMessageFormatting(stdErr), "Available charts and versions from \"https://stefanprodan.github.io/podinfo\":") - // Create the package (with a registry override to test that as well) + // Create a test package (with a registry override (host+subpath to host+subpath) to test that as well) + stdOut, stdErr, err = e2e.Zarf("package", "create", "examples/helm-charts", "-o", "build", "--registry-override", "ghcr.io/stefanprodan=docker.io/stefanprodan", "--tmpdir", tmpdir, "--confirm") + require.NoError(t, err, stdOut, stdErr) + + // Create a test package (with a registry override (host to host+subpath) to test that as well) + // expect to fail as ghcr.io is overriden and the expected final image doesn't exist but the override works well based on the error message in the output + stdOut, stdErr, err = e2e.Zarf("package", "create", "examples/helm-charts", "-o", "build", "--registry-override", "ghcr.io=localhost:555/noway", "--tmpdir", tmpdir, "--confirm") + require.Error(t, err, stdOut, stdErr) + require.Contains(t, string(stdErr), "localhost:555/noway") + + // Create a test package (with a registry override (host+subpath to host) to test that as well) + // works same as the above failing test + stdOut, stdErr, err = e2e.Zarf("package", "create", "examples/helm-charts", "-o", "build", "--registry-override", "ghcr.io/stefanprodan=localhost:555", "--tmpdir", tmpdir, "--confirm") + require.Error(t, err, stdOut, stdErr) + require.Contains(t, string(stdErr), "localhost:555") + + // Create the package (with a registry override (host to host) to test that as well) stdOut, stdErr, err = e2e.Zarf("package", "create", "examples/helm-charts", "-o", "build", "--registry-override", "ghcr.io=docker.io", "--tmpdir", tmpdir, "--confirm") require.NoError(t, err, stdOut, stdErr)