diff --git a/pulumi-kubernetes-operator.yaml b/pulumi-kubernetes-operator.yaml
index 439fee52339..1f428995285 100644
--- a/pulumi-kubernetes-operator.yaml
+++ b/pulumi-kubernetes-operator.yaml
@@ -25,10 +25,17 @@ pipeline:
 - working-directory: ${{package.name}}
 pipeline:
 - runs: |
- # Address CVE-2022-21698
+ # Fix CVE-2022-21698
 go get github.com/prometheus/client_golang@v1.11.1
- go mod tidy
+ # Fix CVE-2023-32731 / GHSA-cfgp-2977-2fmm
+ go get google.golang.org/grpc@v1.53.0
+
+ go mod tidy -compat=1.17
+
+ - working-directory: ${{package.name}}
+ pipeline:
+ - runs: |
 # Original Go build args found in ./scripts/build.sh
 CGO_ENABLED=0 go build -o "${{targets.destdir}}/usr/bin/${{package.name}}" \
 -ldflags "-s -w -X github.com/pulumi/pulumi-kubernetes-operator/version.Version=v${{package.version}} -extldflags \"-static\"" \
diff --git a/pulumi-language-dotnet.yaml b/pulumi-language-dotnet.yaml
index 405d1922ec3..61213f46190 100644
--- a/pulumi-language-dotnet.yaml
+++ b/pulumi-language-dotnet.yaml
@@ -1,7 +1,7 @@
 package:
 name: pulumi-language-dotnet
 version: 3.55.1
- epoch: 2
+ epoch: 3
 description: Pulumi Language SDK for Dotnet
 copyright:
 - license: Apache-2.0
@@ -21,6 +21,13 @@ pipeline:
 tag: v${{package.version}}
 expected-commit: 41694b1e79ea3b7998b368166e0639db173ffa86
+ - working-directory: pulumi-language-dotnet
+ runs: |
+ # Fix CVE-2023-32731 / GHSA-cfgp-2977-2fmm
+ go get google.golang.org/grpc@v1.53.0
+
+ go mod tidy
+
 - uses: go/build
 with:
 packages: .
diff --git a/pulumi-language-java.yaml b/pulumi-language-java.yaml
index 6c15c4d2412..079387f2016 100644
--- a/pulumi-language-java.yaml
+++ b/pulumi-language-java.yaml
@@ -1,7 +1,7 @@
 package:
 name: pulumi-language-java
 version: 0.9.4
- epoch: 0
+ epoch: 1
 description: Pulumi Language SDK for Java
 copyright:
 - license: Apache-2.0
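Review bot: The grpc pin added for CVE-2023-32731 / GHSA-cfgp-2977-2fmm in pulumi-kubernetes-operator.yaml is `v1.53.0`, as it is in the pulumi-language-dotnet.yaml and pulumi-language-yaml.yaml hunks, while the pulumi.yaml hunk pins `v1.55.0` for the same advisory, and none of the comments records which release carries the fix. I would state the floor in the comment, for example `# Fix CVE-2023-32731 / GHSA-cfgp-2977-2fmm: needs grpc >= <FIXED_VERSION>; drop once upstream go.mod requires it`, so the next version bump can tell whether the override is still needed. Adding `go list -m google.golang.org/grpc` after `go mod tidy -compat=1.17` would put the resolved version in the build log, which is the evidence a scanner triage needs.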
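Review bot: In pulumi-language-dotnet.yaml the new step runs plain `go mod tidy`, while the matching steps in pulumi-kubernetes-operator.yaml and pulumi-language-yaml.yaml pass `-compat=1.17`, and the hunk gives no reason for the difference. If that is deliberate, a short comment saying so (for instance `# -compat not needed for this module`) would stop a later edit from "harmonising" it; this is inferred, since go.mod is not part of the diff. The step also hard-codes `working-directory: pulumi-language-dotnet` where the other files use `${{package.name}}`; if that directory is meant to track the package name, the variable form would be the consistent choice.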
@@ -27,8 +27,6 @@ pipeline:
 packages: ./cmd/pulumi-language-java
 output: pulumi-language-java
 ldflags: -s -w -X github.com/pulumi/pulumi-java/pkg/version.Version=v${{package.version}}
- # Mitigate GHSA-hw7c-3rfg-p46j and CVE-2023-1732
- deps: google.golang.org/protobuf@v1.29.1 github.com/cloudflare/circl@v1.3.3
 - uses: strip
diff --git a/pulumi-language-yaml.yaml b/pulumi-language-yaml.yaml
index 0535ec74be1..9a84d9e72c6 100644
--- a/pulumi-language-yaml.yaml
+++ b/pulumi-language-yaml.yaml
@@ -1,7 +1,7 @@
 package:
 name: pulumi-language-yaml
 version: 1.1.1
- epoch: 2
+ epoch: 3
 description: Pulumi Language SDK for YAML
 copyright:
 - license: Apache-2.0
@@ -22,6 +22,13 @@ pipeline:
 destination: ${{package.name}}
 expected-commit: 7a48c05395d38ec59663de8907863ec740c489b1
+ - working-directory: ${{package.name}}
+ runs: |
+ # Mitigate CVE-2023-32731 / GHSA-cfgp-2977-2fmm
+ go get google.golang.org/grpc@v1.53.0
+
+ go mod tidy -compat=1.17
+
 - working-directory: ${{package.name}}
 pipeline:
 - runs: |
diff --git a/pulumi.yaml b/pulumi.yaml
index e1f83bdfc39..4111b0c5fd6 100644
--- a/pulumi.yaml
+++ b/pulumi.yaml
@@ -1,7 +1,7 @@
 package:
 name: pulumi
 version: 3.74.0
- epoch: 0
+ epoch: 1
 description: Infrastructure as Code in any programming language
 copyright:
 - license: Apache-2.0
@@ -18,6 +18,9 @@ environment:
 - python3
 - python3-dev
 - patch
+ environment:
+ CGO_ENABLED: "0"
+ GO111MODULE: "on"
 pipeline:
 - uses: git-checkout
@@ -29,25 +32,29 @@ pipeline: - working-directory: ${{package.name}} pipeline: + - runs: | + for d in pkg sdk; do + ( + cd $d + + # Mitigate CVE-2022-41723 + go mod edit -dropreplace golang.org/x/text + go get golang.org/x/text@v0.9.0 + + # Mitigate CVE-2023-32731 / GHSA-cfgp-2977-2fmm + go get google.golang.org/grpc@v1.55.0 + + go mod tidy + ) + done - runs: | set -x - export CGO_ENABLED=0 GO111MODULE=on export PULUMI_VERSION="v${{package.version}}" export PULUMI_ROOT="$(mktemp -d)" export GOBIN="${PULUMI_ROOT}/bin" mkdir -p "${{targets.destdir}}/usr/bin" - # Mitigate CVE-2022-41723 - cd pkg - go get golang.org/x/text@v0.9.0 - go mod tidy - cd ../sdk - go mod edit -dropreplace golang.org/x/text - go get golang.org/x/text@v0.9.0 - go mod tidy - cd .. - # Build the Pulumi CLI itself make install mv -v "${PULUMI_ROOT}"/bin/pulumi* "${{targets.destdir}}/usr/bin"
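Review bot: A failing `go get` inside the `( cd $d … )` subshell of the new pulumi.yaml loop stops the build only if the runner executes `runs:` blocks with errexit enabled, which nothing in this hunk shows; without it the subshell carries on to `go mod tidy` and the package is built with the unpatched golang.org/x/text or grpc. I would open the block with `set -e` and quote the directory as `cd "$d"`. `go mod edit -dropreplace golang.org/x/text` used to run only in `sdk` and now runs in `pkg` as well, so a one-line comment saying that is intended would help the next reader. The second `runs:` block may continue past the end of the hunk.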