From f61a73ff9f6da6e39831c21f4de893a8c34fafe5 Mon Sep 17 00:00:00 2001 From: Ryan Wren Date: Tue, 1 Aug 2023 13:41:22 -0400 Subject: [PATCH 1/6] Add Snyk scanning & monitoring --- .circleci/config.yml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 7485d0566..44bd82f01 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -2,6 +2,7 @@ version: 2.1 orbs: shellcheck: circleci/shellcheck@1.2.0 + snyk: snyk/snyk@1.7.0 windows: circleci/windows@5.0.0 executors: @@ -304,6 +305,46 @@ jobs: command: choco push circleci-cli.nupkg --source https://chocolatey.org/ --apikey $env:CHOCO_API_KEY working_directory: chocolatey + vulnerability-scan: + executor: go + steps: + - checkout + - run: + name: Setup Scanning + command: | + git config --global url."https://$GITHUB_USER:$GITHUB_TOKEN@github.com/circleci/".insteadOf "https://github.com/circleci/" + - when: + condition: + or: + - equal: [ main, << pipeline.git.branch >> ] + steps: + - run: + name: Launching Snyk Orb Scanning + command: echo "Running snyk/scan on main; uploading the results" + - run: + name: Cleanup RemoteRepoURL + command: echo 'export REMOTE_REPO_URL="${CIRCLE_REPOSITORY_URL%".git"}"' >> "$BASH_ENV" + - snyk/scan: + organization: "circleci-public" + fail-on-issues: true + severity-threshold: high + monitor-on-build: true + additional-arguments: "--all-projects --remote-repo-url=${REMOTE_REPO_URL} -d" + - unless: + condition: + or: + - equal: [ main, << pipeline.git.branch >> ] + steps: + - run: + name: Launching Snyk Orb Scanning + command: echo "Running snyk/scan on branch; not uploading the results" + - snyk/scan: + organization: "circleci-public" + fail-on-issues: true + severity-threshold: high + monitor-on-build: false + additional-arguments: "--all-projects -d" + workflows: ci: jobs: 
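Review bot: Both `additional-arguments` strings in the new `vulnerability-scan` job pass `-d` (Snyk debug mode) right after the `Setup Scanning` step has written `$GITHUB_USER:$GITHUB_TOKEN` into the executor's global git config via `insteadOf`; debug output from an `--all-projects` scan that resolves Go modules over git may echo that rewritten URL, and the token with it, into the job log. Dropping `-d` from both scans, `additional-arguments: "--all-projects --remote-repo-url=${REMOTE_REPO_URL}"` and `additional-arguments: "--all-projects"`, removes that exposure; debug output can be re-enabled locally for a one-off investigation rather than on every build. The `or:` wrappers around a single `equal:` condition in both the `when` and `unless` blocks are redundant and can be collapsed to the bare `equal:` list. The same credential rewrite also runs on branch builds that never upload results; if those scans do not need private-repo access, running it only on `main` narrows where the token is materialised.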
@@ -317,6 +358,8 @@ workflows: - test_windows - coverage - lint + - vulnerability-scan: + context: org-global-employees - deploy-test - docs: requires: From 2a7086c37ff7c109f45adb05c00b53348c769a73 Mon Sep 17 00:00:00 2001 From: JulesFaucherre Date: Mon, 7 Aug 2023 14:50:58 +0200 Subject: [PATCH 2/6] put back good codeowners into codeowners file --- .github/CODEOWNERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index ec9fce118..facff8db0 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,5 +1,5 @@ * @CircleCI-Public/developer-experience *orb*.go @CircleCI-Public/orb-publishers @CircleCI-Public/developer-experience -/api/runner @CircleCI-Public/runner -/cmd/runner @CircleCI-Public/runner +/api/runner @CircleCI-Public/on-prem +/cmd/runner @CircleCI-Public/on-prem From ed59493015279c783fe217657a8a46cd77187e4c Mon Sep 17 00:00:00 2001 From: Camilo Polymeris Date: Fri, 30 Jun 2023 08:59:03 +0200 Subject: [PATCH 3/6] feat: Bump the circleci-config version Diff: https://github.com/CircleCI-Public/circleci-config/compare/182164ce950a...c469d9e9936b Includes: - Improvements to Go, Python, Node & Ruby - Added support for Rust & PHP --- cmd/config_test.go | 4 ++-- go.mod | 2 +- go.sum | 2 ++ 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/cmd/config_test.go b/cmd/config_test.go index 3b1fb3089..9168b4146 100644 --- a/cmd/config_test.go +++ b/cmd/config_test.go @@ -257,7 +257,7 @@ var _ = Describe("Config", func() { session.Wait() Eventually(session.Err.Contents()).Should(BeEmpty()) - Eventually(session.Out.Contents()).Should(MatchRegexp("npm run test")) + Eventually(session.Out.Contents()).Should(MatchRegexp("npm test")) Eventually(session).Should(gexec.Exit(0)) }) 
@@ -273,7 +273,7 @@ var _ = Describe("Config", func() { session.Wait() Eventually(session.Err.Contents()).Should(BeEmpty()) - Eventually(session.Out.Contents()).Should(MatchRegexp("npm run test")) + Eventually(session.Out.Contents()).Should(MatchRegexp("npm test")) Eventually(session).Should(gexec.Exit(0)) }) }) diff --git a/go.mod b/go.mod index c1ac245cc..2385dbade 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( ) require ( - github.com/CircleCI-Public/circleci-config v0.0.0-20230609135034-182164ce950a + github.com/CircleCI-Public/circleci-config v0.0.0-20230629192034-c469d9e9936b github.com/a8m/envsubst v1.4.2 github.com/charmbracelet/lipgloss v0.5.0 github.com/erikgeiser/promptkit v0.7.0 diff --git a/go.sum b/go.sum index b5bcc5a28..5cfb50e97 100644 --- a/go.sum +++ b/go.sum @@ -4,6 +4,8 @@ github.com/CircleCI-Public/circle-policy-agent v0.0.683 h1:EzZaLy9mUGl4dwDNWceBH github.com/CircleCI-Public/circle-policy-agent v0.0.683/go.mod h1:72U4Q4OtvAGRGGo/GqlCCO0tARg1cSG9xwxWyz3ktQI= github.com/CircleCI-Public/circleci-config v0.0.0-20230609135034-182164ce950a h1:RqA4H9p77FsqV++HNNDBq8dJftYuJ+r+KdD9HAX28t4= github.com/CircleCI-Public/circleci-config v0.0.0-20230609135034-182164ce950a/go.mod h1:XZaQPj2ylXZaz5vW31dRdkUY/Ey8MdpbgrUHbHyzICY= +github.com/CircleCI-Public/circleci-config v0.0.0-20230629192034-c469d9e9936b h1:emg7uU3bRjVMlwSpOATBiybaBPXNWUIiFE/qbQQXZtE= +github.com/CircleCI-Public/circleci-config v0.0.0-20230629192034-c469d9e9936b/go.mod h1:0iW5+XMF4XtikTlfCElaBQjT/OTMjQRHM1DgSWxcWuE= github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc= github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA= From d6df28a8586994905aac79d701fe5f81e0987aa2 Mon Sep 17 00:00:00 2001 
From: Charles Francoise
Date: Mon, 10 Jul 2023 14:29:13 +0200
Subject: [PATCH 4/6] fix: don't create license file when initializing private orb (#962)
---
 cmd/orb.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/cmd/orb.go b/cmd/orb.go
index 622387126..a7037c7d8 100644
--- a/cmd/orb.go
+++ b/cmd/orb.go
@@ -1218,7 +1218,8 @@ func initOrb(opts orbOptions) error {
 defer resp.Body.Close()
 
 // Create the file
- out, err := os.Create(filepath.Join(os.TempDir(), "orb-template.zip"))
+ zipPath := filepath.Join(os.TempDir(), "orb-template.zip")
+ out, err := os.Create(zipPath)
 if err != nil {
 return err
 }
@@ -1230,11 +1231,19 @@ func initOrb(opts orbOptions) error {
 return err
 }
 
- err = unzipToOrbPath(filepath.Join(os.TempDir(), "orb-template.zip"), orbPath)
+ err = unzipToOrbPath(zipPath, orbPath)
 if err != nil {
 return err
 }
 
+ // Remove MIT License file if orb is private
+ if opts.private {
+ err = os.Remove(filepath.Join(orbPath, "LICENSE"))
+ if err != nil && !errors.Is(err, os.ErrNotExist) {
+ return err
+ }
+ }
+
 if fullyAutomated == 1 {
 fmt.Println("Opted for manual setup, exiting")
 fmt.Printf("The Orb Project Template has been extracted to %s\n", orbPath)
From 92911e34c3da53713496163c79e5199c794bee9e Mon Sep 17 00:00:00 2001
From: Charles Francoise
Date: Mon, 10 Jul 2023 15:17:17 +0200
Subject: [PATCH 5/6] feat: build & release darwin/arm64 binary (#961)
* update goreleaser version
* install goreleaaser with apt
* fix version
* make apt quieter
* fix dockerfiles
* increase build executor resource class
* remove cache
---
 .circleci/config.yml | 32 ++++++++++++++------------------
 Dockerfile | 2 +-
 Dockerfile.alpine | 2 +-
 3 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 44bd82f01..453bda49a 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -9,6 +9,7 @@ executors:
 go:
 docker:
 - image: cimg/go:1.20
+ resource_class: large
 environment:
 CGO_ENABLED: 0
 mac:
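Review bot: `zipPath` is still a fixed, predictable name inside the shared `os.TempDir()`, and `os.Create` on it truncates and follows whatever file or symlink already sits at that path, so another local user who plants one there can redirect where the downloaded template lands; the refactor also leaves the zip behind after `unzipToOrbPath` has consumed it. Creating it with `out, err := os.CreateTemp("", "orb-template-*.zip")`, then after the existing error check `zipPath := out.Name()` and `defer os.Remove(zipPath)`, yields a unique 0600 file that is cleaned up on every return path. The new `LICENSE` removal correctly tolerates `os.ErrNotExist`; a one-line comment saying that the template ships an MIT license meant only for public orbs would explain the `opts.private` condition to readers. `initOrb` begins before the first hunk and continues past the second.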
@@ -26,7 +27,7 @@ commands: # https://app.circleci.com/jobs/github/CircleCI-Public/circleci-cli/6480 # curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1) # The issue seems to be on the server-side, so force HTTP 1.1 - name: 'cURL: Force HTTP 1.1' + name: "cURL: Force HTTP 1.1" command: echo '--http1.1' >> ~/.curlrc build-docker-image: steps: @@ -42,36 +43,31 @@ commands: command: | docker build -t circleci/circleci-cli:0.1.$CIRCLE_BUILD_NUM-alpine --file Dockerfile.alpine . docker run --rm circleci/circleci-cli:0.1.$CIRCLE_BUILD_NUM-alpine update check - deploy-save-cache-workspace-and-artifacts: + deploy-save-workspace-and-artifacts: steps: - - save_cache: - key: v4-goreleaser-{{ checksum "~/goreleaser_amd64.deb" }} - paths: [~/goreleaser_amd64.deb] - persist_to_workspace: root: . paths: - - 'dist' + - "dist" - store_artifacts: path: ./dist destination: dist install-goreleaser: parameters: - GORELEASER_URL: + version: type: string - default: https://github.com/goreleaser/goreleaser/releases/download/v0.184.0/goreleaser_amd64.deb + default: "1.19.1" steps: - - restore_cache: - keys: [v5-goreleaser-] - run: name: Install GoReleaser command: | - [ -f ~/goreleaser_amd64.deb ] || curl --silent --location --fail --retry 3 << parameters.GORELEASER_URL >> > ~/goreleaser_amd64.deb - sudo apt-get update -y - sudo apt install ~/goreleaser_amd64.deb + echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list + sudo apt -q update -y + sudo apt -q install -y --no-install-recommends goreleaser=<< parameters.version >> gomod: steps: - restore_cache: - keys: ['v3-gomod-{{ arch }}-'] + keys: ["v3-gomod-{{ arch }}-"] - run: name: Download go module dependencies command: go mod download @@ -122,7 +118,7 @@ jobs: - persist_to_workspace: root: . paths: - - 'build' + - "build" cucumber: docker: - image: cimg/ruby:2.7 
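Review bot: The new `install-goreleaser` step registers `deb [trusted=yes] https://repo.goreleaser.com/apt/ /`, and `trusted=yes` tells APT to skip signature verification for that source, so the tool that assembles the release binaries and Docker images is installed on the strength of the TLS connection alone. Since the step already pins `goreleaser=<< parameters.version >>`, a stronger option is to fetch the matching `.deb` from the GoReleaser GitHub release (as the replaced `curl` step did) and verify its sha256 against the checksums file published with that release before `apt install ./goreleaser_*.deb`; if the APT repo provides a signing key, `signed-by=` with that keyring is the equivalent fix. Either way, a short comment above the `echo` line stating why this source is accepted without a signature would help the next reader.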
@@ -131,7 +127,7 @@ jobs: - attach_workspace: at: . - run: - name: 'Install CLI tool from workspace' + name: "Install CLI tool from workspace" command: sudo cp ~/project/build/linux/amd64/circleci /usr/local/bin/ - run: command: bundle install @@ -210,7 +206,7 @@ jobs: docker_layer_caching: true - build-docker-image - build-alpine-image - - deploy-save-cache-workspace-and-artifacts + - deploy-save-workspace-and-artifacts deploy: executor: go @@ -247,7 +243,7 @@ jobs: docker push circleci/circleci-cli:0.1.$CIRCLE_BUILD_NUM-alpine docker tag circleci/circleci-cli:0.1.$CIRCLE_BUILD_NUM-alpine circleci/circleci-cli:alpine docker push circleci/circleci-cli:alpine - - deploy-save-cache-workspace-and-artifacts + - deploy-save-workspace-and-artifacts snap: docker: diff --git a/Dockerfile b/Dockerfile index 7cdf842f2..88e84018c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,4 +4,4 @@ LABEL maintainer="Developer Experience Team " ENV CIRCLECI_CLI_SKIP_UPDATE_CHECK true -COPY ./dist/circleci-cli_linux_amd64/circleci /usr/local/bin +COPY ./dist/circleci-cli_linux_amd64_v1/circleci /usr/local/bin diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 71240212d..0983ed58d 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -2,7 +2,7 @@ FROM alpine:3.8 ENV CIRCLECI_CLI_SKIP_UPDATE_CHECK true -COPY ./dist/circleci-cli_linux_amd64/circleci /usr/local/bin +COPY ./dist/circleci-cli_linux_amd64_v1/circleci /usr/local/bin RUN apk add --no-cache --upgrade git openssh ca-certificates From 6e6f8f5d55743efefd5906c33d08578aae0d194c Mon Sep 17 00:00:00 2001 From: Charles Francoise Date: Tue, 18 Jul 2023 09:45:25 +0200 Subject: [PATCH 6/6] deps: remove replace directive for etcd from go.mod (#966) * deps: remove replace directive for etcd from go.mod * add a few miising dependencies to go.sum --- go.mod | 4 ---- go.sum | 4 ---- 2 files changed, 8 deletions(-) diff --git a/go.mod b/go.mod index 2385dbade..f305f8565 100644 --- a/go.mod +++ b/go.mod 
@@ -48,7 +48,6 @@ require ( github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 // indirect github.com/acomagu/bufpipe v1.0.4 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect - github.com/alessio/shellescape v1.4.1 // indirect github.com/atotto/clipboard v0.1.4 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect @@ -118,7 +117,4 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect ) -// fix vulnerability: CVE-2020-15114 in etcd v3.3.10+incompatible -replace github.com/coreos/etcd => github.com/coreos/etcd v3.3.24+incompatible - go 1.20 diff --git a/go.sum b/go.sum index 5cfb50e97..7ab560a5e 100644 --- a/go.sum +++ b/go.sum @@ -2,8 +2,6 @@ github.com/AlecAivazis/survey/v2 v2.1.1 h1:LEMbHE0pLj75faaVEKClEX1TM4AJmmnOh9eim github.com/AlecAivazis/survey/v2 v2.1.1/go.mod h1:9FJRdMdDm8rnT+zHVbvQT2RTSTLq0Ttd6q3Vl2fahjk= github.com/CircleCI-Public/circle-policy-agent v0.0.683 h1:EzZaLy9mUGl4dwDNWceBHeDb3X0KAAjV4eFOk3C7lts= github.com/CircleCI-Public/circle-policy-agent v0.0.683/go.mod h1:72U4Q4OtvAGRGGo/GqlCCO0tARg1cSG9xwxWyz3ktQI= -github.com/CircleCI-Public/circleci-config v0.0.0-20230609135034-182164ce950a h1:RqA4H9p77FsqV++HNNDBq8dJftYuJ+r+KdD9HAX28t4= -github.com/CircleCI-Public/circleci-config v0.0.0-20230609135034-182164ce950a/go.mod h1:XZaQPj2ylXZaz5vW31dRdkUY/Ey8MdpbgrUHbHyzICY= github.com/CircleCI-Public/circleci-config v0.0.0-20230629192034-c469d9e9936b h1:emg7uU3bRjVMlwSpOATBiybaBPXNWUIiFE/qbQQXZtE= github.com/CircleCI-Public/circleci-config v0.0.0-20230629192034-c469d9e9936b/go.mod h1:0iW5+XMF4XtikTlfCElaBQjT/OTMjQRHM1DgSWxcWuE= github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITgsTc= 
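Review bot: The removed `replace` pinned `github.com/coreos/etcd` to `v3.3.24+incompatible` specifically to address CVE-2020-15114, and neither the second hunk nor the commit message shows which etcd version, if any, remains in the module graph once the directive is gone. Before merging, `go list -m github.com/coreos/etcd` (or `go mod why -m github.com/coreos/etcd`) should confirm the module is either absent or resolves at or above the previously pinned version, and the commit message should record that result so the reason the pin was safe to drop is not lost. The `shellescape` indirect removal in the first hunk looks like plain tidying.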
@@ -22,8 +20,6 @@ github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= -github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= -github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de h1:FxWPpzIjnTlhPwqqXc4/vE0f7GvRjuAsbW+HOIe8KnA= github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de/go.mod h1:DCaWoUhZrYW9p1lxo/cm8EmUOOzAPSEZNGF2DK1dJgw=