Update Go dependencies, builder images, GHAs:#180
Conversation
Pull request overview
This PR modernizes the project’s Go module graph and build/release tooling to unblock upgrades and reduce exposure to outdated, EOL dependencies. It updates multiple action images to build with newer Go builder images, migrates ORAS usage to oras.land/oras-go, and adjusts code for updated dependency APIs.
Changes:
- Updated Go dependencies (notably `containerd/containerd`, `go-diskfs`) and migrated from `github.com/deislabs/oras` to `oras.land/oras-go`.
- Bumped action builder images to `golang:1.26-alpine` and switched several builds to `CGO_ENABLED=0` with simplified linker flags.
- Updated GitHub Actions workflow dependencies and fixed a `nproc` typo in the release workflow.
Reviewed changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| writefile/Dockerfile | Bump Go builder image; disable CGO and simplify build flags. |
| syslinux/Dockerfile | Bump Go builder image; disable CGO and simplify build flags. |
| slurp/Dockerfile | Bump Go builder image; disable CGO and simplify build flags. |
| rootio/storage/partition.go | Port disk flush/close logic to newer go-diskfs APIs. |
| rootio/Dockerfile | Bump Go builder image; disable CGO and simplify build flags. |
| qemuimg2disk/Dockerfile | Bump Go builder image; replace `go mod tidy` with `go mod download`; disable CGO. |
| oci2disk/image/writer.go | Replace oras content import; add resolver/pusher shims for `oras.Copy`. |
| oci2disk/image/image.go | Replace `oras.Pull` with `oras.Copy` from oras.land/oras-go. |
| oci2disk/Dockerfile | Bump Go builder image; disable CGO and simplify build flags. |
| kexec/Dockerfile | Bump Go builder image; disable CGO and simplify build flags. |
| image2disk/Dockerfile | Bump Go builder image; disable CGO and simplify build flags. |
| grub2disk/Dockerfile | Bump Go builder image; disable CGO and update build flags. |
| archive2disk/Dockerfile | Bump Go builder image; disable CGO and simplify build flags. |
| archive2disk/archive/utils.go | Replace `github.com/pkg/errors` import with stdlib `errors`. |
| .github/workflows/release.yml | Bump action versions; fix `nproc` typo. |
| .github/workflows/ci.yml | Bump `actions/checkout` version. |
| go.mod | Bump Go version and refresh required/indirect dependencies; add oras.land/oras-go. |
| go.sum | Updated checksums to match refreshed module graph. |
Comments suppressed due to low confidence (1)
grub2disk/Dockerfile:7
- This stage installs `gcc`/`musl-dev` but the build now uses `CGO_ENABLED=0`, so the C toolchain is likely unused. Consider dropping these packages (and `git` if modules come from the proxy) to speed up builds and reduce the image footprint.

```dockerfile
RUN apk add --no-cache grub grub-bios git ca-certificates gcc musl-dev
FROM base AS build-arm64
RUN apk add --no-cache grub git ca-certificates gcc musl-dev
```
The previously pinned deps are years old and pull in long-EOL containerd/oras releases, blocking any further upgrades and leaving known CVEs in the build. Refresh the module graph to currently supported versions, drop the deislabs/oras fork in favor of upstream oras.land/oras-go, and bump the builder/runtime base images to match. Code that touched removed APIs (go-diskfs Disk.File, oras.Pull) is ported to the supported equivalents.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
The rootio partition helpers only closed the disk handle on the success path, so any error from GetPartitionTable, Backend.Sys, Sync or the partition writes leaked the underlying file descriptor against a block device the caller intends to keep operating on. Move the close into a defer so every return path releases it.

The rootio and grub2disk builder stages still installed git, gcc, musl-dev and friends from when those builds used cgo; since they now build with CGO_ENABLED=0 those packages are dead weight in the image and slow the build for no benefit.

A dependabot config is added so the Go module, GitHub Actions and Docker base image bumps that this branch had to do by hand happen automatically going forward.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
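The descriptor leak described in that commit, as an added illustration that is not the project's code: `blockDisk` and `fakeDisk` are constructed stand-ins for the go-diskfs handle (not its API), `flushLeaky` has the pre-fix shape and `flushFixed` the deferred close.

```go
package main

import (
	"errors"
	"fmt"
)

// blockDisk is a constructed stand-in for the go-diskfs handle, not its API.
type blockDisk interface {
	WritePartitionTable() error
	Sync() error
	Close() error
}

// fakeDisk records whether Close ran and lets a caller inject a Sync failure.
type fakeDisk struct{ failSync, closed bool }

func (d *fakeDisk) WritePartitionTable() error { return nil }
func (d *fakeDisk) Close() error               { d.closed = true; return nil }
func (d *fakeDisk) Sync() error {
	if d.failSync {
		return errors.New("sync failed")
	}
	return nil
}

// flushLeaky has the pre-fix shape: Close runs only on the success path,
// so an error from Sync returns early and the descriptor is never released.
func flushLeaky(d blockDisk) error {
	if err := d.WritePartitionTable(); err != nil {
		return fmt.Errorf("write partition table: %w", err)
	}
	if err := d.Sync(); err != nil {
		return fmt.Errorf("sync: %w", err)
	}
	return d.Close()
}

// flushFixed defers Close so every return path releases the handle; a Close
// error is surfaced only when nothing earlier already failed.
func flushFixed(d blockDisk) (err error) {
	defer func() {
		if cerr := d.Close(); cerr != nil && err == nil {
			err = fmt.Errorf("close: %w", cerr)
		}
	}()
	if err = d.WritePartitionTable(); err != nil {
		return fmt.Errorf("write partition table: %w", err)
	}
	if err = d.Sync(); err != nil {
		return fmt.Errorf("sync: %w", err)
	}
	return nil
}
```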
Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
alpine:3.13 has been EOL for years and ships unfixed CVEs. Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
Pull request overview
Copilot reviewed 33 out of 35 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
cexec/main.go:102
`main` creates a signal-cancellable context, but `settings.cexec` now ignores it (`_ context.Context`) and continues to use `exec.Command` without any cancellation. This makes SIGTERM/SIGINT handling ineffective for long-running child processes. Please thread the context through and use `exec.CommandContext` (and/or propagate cancellation to the executed command paths) so the action terminates promptly and predictably.

```go
}
func (s settings) cexec(_ context.Context, log *slog.Logger) error {
log.Info("CEXEC - Chroot Exec")
if s.blockDevice == "" {
return errors.New("no Block Device speified with Environment Variable [BLOCK_DEVICE]")
```
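The change the review asks for, as an added example rather than the action's own code: `runChrootExec` is a constructed stand-in for the cexec helper that threads the context into `exec.CommandContext`, and `runWithTimeout` shows that a cancelled context actually stops the child.

```go
package main

import (
	"context"
	"errors"
	"os"
	"os/exec"
	"os/signal"
	"syscall"
	"time"
)

// runChrootExec is a constructed stand-in for the action's cexec helper: the
// context reaches exec.CommandContext, so cancelling it (signal, timeout or
// parent shutdown) kills the child instead of leaving it running.
func runChrootExec(ctx context.Context, name string, args ...string) error {
	cmd := exec.CommandContext(ctx, name, args...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	err := cmd.Run()
	if ctx.Err() != nil {
		// Prefer the cancellation cause over the opaque "signal: killed".
		return ctx.Err()
	}
	return err
}

// runWithTimeout runs the child under a deadline and reports whether it was
// stopped by the context and how long that took.
func runWithTimeout(d time.Duration, name string, args ...string) (cancelled bool, elapsed time.Duration) {
	ctx, cancel := context.WithTimeout(context.Background(), d)
	defer cancel()
	start := time.Now()
	err := runChrootExec(ctx, name, args...)
	return errors.Is(err, context.DeadlineExceeded), time.Since(start)
}

// main shows the production shape: SIGTERM/SIGINT cancel the context, and the
// cancellation propagates to the executed command.
func main() {
	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGTERM, syscall.SIGINT)
	defer stop()
	if err := runChrootExec(ctx, "sleep", "30"); err != nil {
		os.Exit(1)
	}
}
```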
writefile relied on a deferred unmount that never ran because the error paths all called os.Exit, risking a mount leak into the host namespace. A nolint comment had been added to silence the warning with a justification that was simply wrong.

The v2 golangci-lint migration dropped the explicit runtime timeout; the upstream default of 1m is not enough for this repo under GitHub Actions and the lint job started flaking.

One builder stage still pulled compiler toolchain packages even though the build no longer uses cgo, wasting build time and diverging from its sibling stage.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
Pull request overview
Copilot reviewed 33 out of 35 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
cexec/main.go:103
- Typo in error message: "speified" should be "specified".
```go
func (s settings) cexec(_ context.Context, log *slog.Logger) error {
log.Info("CEXEC - Chroot Exec")
if s.blockDevice == "" {
return errors.New("no Block Device speified with Environment Variable [BLOCK_DEVICE]")
}
```
oci2disk unconditionally disabled TLS verification against the registry, which is unsafe against anything other than a local insecure registry. Make it opt-in via SKIP_VERIFY so the default is a verified TLS connection.

writefile created the /mountAction mountpoint with os.ModeDir as the mode, which is the directory type bit — not permission bits — so the resulting directory had no usable permissions. Use 0o755, and MkdirAll so a pre-existing mountpoint isn't an error.

Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
Pull request overview
Copilot reviewed 35 out of 37 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
Lint.mk:28
- After extracting shellcheck, the cleanup step removes `.../shellcheck` (a path that no longer exists after the `mv`). This leaves the extracted `out/linters/shellcheck-$(SHELLCHECK_VERSION)` directory behind. Consider deleting the whole extracted directory instead to keep `out/linters` tidy.

```makefile
mkdir -p out/linters
rm -rf out/linters/shellcheck-*
curl -sSfL https://github.com/koalaman/shellcheck/releases/download/$(SHELLCHECK_VERSION)/shellcheck-$(SHELLCHECK_VERSION).$(LINT_OS_LOWER).$(LINT_ARCH).tar.xz | tar -C out/linters -xJf -
mv out/linters/shellcheck-$(SHELLCHECK_VERSION)/shellcheck $@
rm -rf out/linters/shellcheck-$(SHELLCHECK_VERSION)/shellcheck
```
Signed-off-by: Jacob Weinstock <jakobweinstock@gmail.com>
Merge Queue Status
This pull request spent 3 minutes 46 seconds in the queue, including 3 minutes running CI. Required conditions to merge
Description
The previously pinned deps are years old and pull in long-EOL containerd/oras releases, blocking any further upgrades and leaving known CVEs in the build. Refresh the module graph to currently supported versions, drop the deislabs/oras fork in favor of upstream oras.land/oras-go, and bump the builder/runtime base images to match. Code that touched removed APIs (go-diskfs Disk.File, oras.Pull) is ported to the supported equivalents.
Fixes: #
How Has This Been Tested?
How are existing users impacted? What migration steps/scripts do we need?
Checklist:
I have: