From f450a6da8cabb159dafd100db03060dc2ac51ca1 Mon Sep 17 00:00:00 2001 
From: Dmitrii Creed Date: Wed, 6 May 2026 17:43:12 +0400 Subject: [PATCH 1/5] fix(security): harden Docker images and bump vulnerable Go modules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Phase 1 of CIS Docker Benchmark + OWASP Container Top 10 hardening pass. All 5 published images rebuilt; baseline → hardened CVE counts: kubectl: 1H → 0 cloud-helpers: 4H → 4H (glibc fix not yet in AL2023 dnf, deferred) caddy: 48 (5H/5M/3L+stdlib+core) → 10 (upstream transitives) github-actions: 38 (13 alpine + 25 binary + 2 secrets) → 2 (deferred) github-actions-staging: same as prod (synced) Dockerfile changes (CIS 4.1/4.2/4.3/4.6/4.7/4.9, OWASP Container 02): - All FROM bases pinned by @sha256: digest - Pulumi installer replaced with checksum-verified tarball download (no more `curl | sh`); checksums fetched per-version from GitHub Releases pulumi-${VERSION}-checksums.txt - Google Cloud SDK pinned to 567.0.0 with inline SHA-256 ARG - github-actions(+staging) split into builder/runtime stages; runtime drops py3-pip, binutils, upx, bundledpythonunix; image 1.51GB→1.24GB - urllib3 dummyserver test fixtures (Trivy "secret" findings) removed - kubectl runs as non-root UID 10001 - Caddy bumped 2.8.4 → 2.11.2; certmagic-gcs 0.1.2 → 0.1.7 - Alpine 3.19 → 3.21 in github-actions(+staging) (clears musl, openssh, busybox CVEs) - HEALTHCHECK added to kubectl, caddy, github-actions(+staging) - cloud-helpers ADD → COPY Go module bumps (clears 25 CVEs in the baked github-actions binary): google.golang.org/grpc 1.72.1 → 1.80.0 (CRIT CVE-2026-33186) go.opentelemetry.io/otel 1.36.0 → 1.43.0 (HIGH CVE-2026-29181) go.opentelemetry.io/otel/sdk 1.36.0 → 1.43.0 (HIGH CVE-2026-24051, CVE-2026-39883) github.com/go-git/go-git/v5 5.13.1 → 5.18.0 (HIGH CVE-2026-25934, CVE-2026-34165, CVE-2026-41506) github.com/go-jose/go-jose/v3 3.0.4 → 3.0.5 (HIGH CVE-2026-34986) github.com/go-jose/go-jose/v4 4.1.3 → 4.1.4 (HIGH CVE-2026-34986) github.com/aws/aws-sdk-go-v2 
1.26.1 → 1.41.5 (MED GHSA-xmrv-pmrh-hhx2) github.com/aws/aws-sdk-go-v2/service/s3 1.53.1 → 1.97.3 (MED GHSA-xmrv-pmrh-hhx2) github.com/cloudflare/circl 1.6.1 → 1.6.3 (LOW CVE-2026-1229) toolchain go1.25.1 → go1.25.9 (clears ~15 stdlib CVEs incl. crypto/tls, crypto/x509, encoding/pem, net/url, html/template) Supersedes Dependabot PR #162 (go-git 5.13.1 → 5.16.5 — insufficient, needed 5.18.0 for CVE-2026-41506). Deferred (no upstream fix available): - github.com/docker/docker CVE-2026-34040/33997: Trivy points to v29.3.1 but only v28.5.2+incompatible is published on proxy.golang.org. Reachability: pkg/clouds/pulumi/docker/pull.go uses Docker client for image pulls in Pulumi flows; auth-bypass is exploitable only against a malicious Docker daemon. - glibc CVE-2026-4046 in cloud-helpers: AL2023 dnf has not yet shipped 2.34-231.amzn2023.0.4. Hardened Dockerfile runs `dnf upgrade` and will pick up the fix automatically. Reachability: glibc iconv() DoS via crafted charset; cloud-helpers Go binary doesn't call iconv. LOW risk. - Caddy upstream transitive deps in 2.11.2 binary (10 vulns): xcaddy can override direct deps via --with but not transitives in Caddy core's go.mod. Closes when Caddy 2.11.3+ ships. --- caddy.Dockerfile | 42 ++++-- cloud-helpers.aws.Dockerfile | 18 ++- github-actions-staging.Dockerfile | 187 +++++++++++++------------ github-actions.Dockerfile | 212 +++++++++++++++++----------- go.mod | 103 +++++++------- go.sum | 224 +++++++++++++++--------------- kubectl.Dockerfile | 20 ++- 7 files changed, 455 insertions(+), 351 deletions(-) diff --git a/caddy.Dockerfile b/caddy.Dockerfile index 795660df..3046fa4e 100644 --- a/caddy.Dockerfile +++ b/caddy.Dockerfile 
@@ -1,23 +1,39 @@
-# Declare version argument only once at the beginning
-ARG version="2.8.4"
+# Caddy version bump: 2.8.4 → 2.11.2 — clears Go stdlib CVEs that were present
+# in the older Caddy binary (CVE-2025-58187/58188/58189, CVE-2025-61723/61724/
+# 61725/61727/61730, CVE-2026-27139/27142, CVE-2026-32282/32288/32289) and the
+# Caddy-level CVE-2026-27586 (HIGH) reachable in <2.11.1.
+ARG version="2.11.2"
-# Use a builder image for compiling Caddy
-FROM caddy:${version}-builder AS builder
+# Pin builder by digest (CIS Docker 4.7).
+# Refresh: docker buildx imagetools inspect caddy:${version}-builder
+FROM caddy:2.11.2-builder@sha256:10ed0251c5cd1dbb4db0b71ad43121147961a51adfec35febce2c93ea25c24f4 AS builder
-# Pass ARG version explicitly
 ARG version
 ENV CADDY_VERSION="${version}"
-# Build Caddy with the required module using BuildKit cache mounts
-# Cache mounts persist across builds on the same runner, more efficient than layer caching
+# certmagic-gcs bumped 0.1.2 → 0.1.7 to align with current upstream.
 RUN --mount=type=cache,target=/go/pkg/mod,sharing=locked \
 --mount=type=cache,target=/root/.cache,sharing=locked \
 xcaddy build "v${CADDY_VERSION}" \
- --with github.com/grafana/certmagic-gcs@v0.1.2 && \
- caddy version
+ --with github.com/grafana/certmagic-gcs@v0.1.7 \
+ && caddy version
-# Final runtime image
-FROM caddy:${version}
+# Pin runtime by digest.
+FROM caddy:2.11.2@sha256:25cdc846626b62d05f6b633b9b40c2c9f6ef89b515dc76133cefd920f7dbe562
-# Copy the compiled Caddy binary
-COPY --from=builder /usr/bin/caddy /usr/bin/caddy
\ No newline at end of file
+# Pull post-tag distro security updates without bloating the layer.
+RUN apk update \
+ && apk upgrade --no-cache \
+ && rm -rf /var/cache/apk/*
+
+# Replace upstream binary with the build that has certmagic-gcs.
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
+
+# CIS Docker 4.6 — admin API health check (Caddy listens on 2019 by default).
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+ CMD wget -qO- http://127.0.0.1:2019/config/ >/dev/null 2>&1 || exit 1
+
+# Note on USER: upstream caddy:2.10.0 runs as root so it can bind 80/443. Switching
+# to non-root requires setcap CAP_NET_BIND_SERVICE on the binary AND certmagic state
+# directories owned by that user, which is intrusive given consumers mount their own
+# volumes. Tracked for follow-up; defaults preserved here.
diff --git a/cloud-helpers.aws.Dockerfile b/cloud-helpers.aws.Dockerfile
index 5bb4fc10..d5699e32 100644
--- a/cloud-helpers.aws.Dockerfile
+++ b/cloud-helpers.aws.Dockerfile
@@ -1,10 +1,20 @@
-#FROM gcr.io/distroless/base-debian12
-FROM public.ecr.aws/lambda/provided:al2023
+# Pin AWS Lambda base image by digest (CIS Docker 4.7).
+# public.ecr.aws/lambda/provided:al2023 @ 2026-05-06 → resolved digest below.
+# Refresh via: docker buildx imagetools inspect public.ecr.aws/lambda/provided:al2023
+FROM public.ecr.aws/lambda/provided:al2023@sha256:a48275a6cb21dbd9cae6f8cc10ee8ccc416e1b48f9376d049c5b347985239456
+
+# Pull post-tag glibc updates (CVE-2026-4046 was outstanding at scan time).
+RUN dnf upgrade -y --setopt=tsflags=nodocs \
+ && dnf clean all \
+ && rm -rf /var/cache/dnf
 WORKDIR /
-ADD dist/cloud-helpers /cloud-helpers
+# CIS Docker 4.9 — prefer COPY over ADD (ADD adds tar/URL semantics not needed here).
+COPY dist/cloud-helpers /cloud-helpers
 EXPOSE 8080
-ENTRYPOINT ["/cloud-helpers"]
\ No newline at end of file
+# Lambda execution environment overrides USER via the bootstrap, so USER is intentionally omitted.
+
+ENTRYPOINT ["/cloud-helpers"]
diff --git a/github-actions-staging.Dockerfile b/github-actions-staging.Dockerfile
index 7e797b60..cdfa7200 100644
--- a/github-actions-staging.Dockerfile
+++ b/github-actions-staging.Dockerfile
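Review bot: `ARG version` no longer drives either FROM line — both now hard-code `caddy:2.11.2…@sha256:…` — so a future bump of the ARG would make xcaddy build `v${CADDY_VERSION}` on top of a builder and runtime base from a different release, and the `caddy version` step would not catch the mismatch. Keep one source of truth: `ARG version="2.11.2"` plus `ARG builder_digest="sha256:10ed0251…"` and `FROM caddy:${version}-builder@${builder_digest} AS builder` (same pattern for the runtime digest), with a comment that the digests must be refreshed whenever `version` changes. The USER note still says `caddy:2.10.0`; it should read `caddy:2.11.2` to match the pinned base. The HEALTHCHECK also assumes the admin API is enabled on the default `localhost:2019`; a consumer whose Caddyfile sets `admin off` or relocates it gets a permanently unhealthy container, which deserves a comment next to the probe such as `# Requires the admin API on 127.0.0.1:2019; override HEALTHCHECK if your Caddyfile disables or moves it`.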
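Review bot: The `dnf upgrade -y` layer gives back the reproducibility the digest pin was added for — two builds of the same commit can yield different glibc (and other) package versions depending on what the AL2023 repository serves at build time, and the image can no longer be reproduced from the Dockerfile alone. That is a defensible interim trade-off while the glibc fix is absent from the base digest, but it should be stated at the instruction, e.g. `# NOTE: non-reproducible despite the digest pin; drop once the base digest ships glibc >= 2.34-231.amzn2023.0.4`. The USER comment is also stronger than what the file shows: the Lambda service does run the handler as an unprivileged user, but this image EXPOSEs 8080 and has a plain ENTRYPOINT, so when it is run outside Lambda (RIE, local docker) it runs as root; as far as I can tell a `USER` line would not conflict with the Lambda runtime, so consider adding one instead of omitting it.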
@@ -1,109 +1,120 @@
-# Staging GitHub Actions Dockerfile - Uses pre-built static github-actions binary for fast development iteration
-#
-# Development Workflow:
-# 1. welder run build-github-actions-staging # Builds static ./bin/github-actions binary (Alpine/MUSL compatible)
-# 2. Push to staging branch → triggers build-staging.yml workflow
-# 3. BuildKit + GitHub Actions cache handles optimized Docker build with layer caching
-# 4. Test with simplecontainer/github-actions:staging in your workflows
-#
-# This approach eliminates the need to rebuild Go dependencies in Docker for every test iteration
-# Uses CGO_ENABLED=0 to build a static binary that works in Alpine (MUSL) environment
-# Docker layers are optimized for caching and size: dependencies first, binary last
+# Staging variant of github-actions.Dockerfile. Identical hardening; only
+# difference is that it consumes ./bin/github-actions (built by welder) rather
+# than dist/github-actions (built by CI). Keep these two files in sync — any
+# change to base, tooling versions, or runtime layout MUST be mirrored in
+# github-actions.Dockerfile.
-# Use specific Alpine version for reproducibility and smaller size
-FROM alpine:3.19
+# ─────────────────────────────────────────────────────────────────────────────
+# Stage 1: tool downloader/builder
+# ─────────────────────────────────────────────────────────────────────────────
+FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS builder
-# Install runtime dependencies in single layer with aggressive cleanup
-RUN apk --no-cache add \
- ca-certificates \
- git \
- openssh-client \
- curl \
- jq \
- bash \
- python3 \
- py3-pip \
- upx \
- binutils \
- && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
+RUN apk update && apk upgrade --no-cache \
+ && apk add --no-cache curl bash binutils upx ca-certificates tar python3 \
+ && rm -rf /var/cache/apk/*
+# python3 in the builder is required for `gcloud components install`; without it,
+# gcloud falls back to its bundled Python (which is what we want to delete).
-# Install Pulumi CLI - Required for Simple Container provisioning
-# Read version from go.mod to ensure consistency with Go dependencies
 COPY go.mod /tmp/go.mod
-RUN PULUMI_VERSION=$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//') && \
- echo "Installing Pulumi version: ${PULUMI_VERSION} (extracted from go.mod)" && \
- curl -fsSL https://get.pulumi.com | sh -s -- --version ${PULUMI_VERSION} && \
- # Optimize Pulumi binaries - strip debug symbols and compress
- strip /root/.pulumi/bin/* 2>/dev/null || true && \
- upx --best --lzma /root/.pulumi/bin/* 2>/dev/null || true && \
- rm -rf /tmp/* /var/tmp/*
+RUN PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \
+ && echo "Installing Pulumi ${PULUMI_VERSION}" \
+ && cd /tmp \
+ && curl -fsSL -o pulumi.tar.gz \
+ "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \
+ && curl -fsSL -o pulumi-checksums.txt \
+ "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-${PULUMI_VERSION}-checksums.txt" \
+ && grep "pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" pulumi-checksums.txt \
+ | awk '{print $1" pulumi.tar.gz"}' \
+ | sha256sum -c - \
+ && mkdir -p /opt/pulumi/bin \
+ && tar -xzf pulumi.tar.gz -C /tmp \
+ && mv /tmp/pulumi/* /opt/pulumi/bin/ \
+ && rm -rf pulumi.tar.gz pulumi-checksums.txt /tmp/pulumi /tmp/go.mod \
+ && strip /opt/pulumi/bin/* 2>/dev/null || true \
+ && upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true
-ENV PATH="/root/.pulumi/bin:${PATH}"
+ARG GCLOUD_VERSION="567.0.0"
+ARG GCLOUD_SHA256="bd5afc0d249609cb40d45f665209190fdd38b9937954291b8f9ae54206c75d83"
+RUN cd /tmp \
+ && curl -fsSL -o gcloud.tar.gz \
+ "https://storage.googleapis.com/cloud-sdk-release/google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" \
+ && echo "${GCLOUD_SHA256} gcloud.tar.gz" | sha256sum -c - \
+ && tar -xzf gcloud.tar.gz -C /opt \
+ && rm -f gcloud.tar.gz \
+ && /opt/google-cloud-sdk/install.sh --quiet \
+ --usage-reporting=false --path-update=false --bash-completion=false \
+ && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet
-# Install Google Cloud SDK (gcloud CLI) - Fixed installation with proper cleanup
-RUN cd /tmp && \
- curl -sSL https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz -o gcloud.tar.gz && \
- tar -xzf gcloud.tar.gz && \
- mv google-cloud-sdk /opt/ && \
- /opt/google-cloud-sdk/install.sh --quiet --usage-reporting=false --path-update=false --bash-completion=false && \
- # Remove unnecessary components, documentation, and cache files
- rm -rf /opt/google-cloud-sdk/.install/.backup \
- /opt/google-cloud-sdk/.install/.download \
- /opt/google-cloud-sdk/bin/anthoscli \
- /opt/google-cloud-sdk/bin/docker-credential-gcloud \
- /opt/google-cloud-sdk/bin/git-credential-gcloud.sh \
- /opt/google-cloud-sdk/platform/bundledpythonunix \
- /opt/google-cloud-sdk/platform/gsutil/third_party/pyasn1* \
- /opt/google-cloud-sdk/platform/gsutil/third_party/rsa/doc \
- /opt/google-cloud-sdk/platform/gsutil/third_party/oauth2client/contrib \
- /opt/google-cloud-sdk/lib/third_party/grpc \
- /opt/google-cloud-sdk/lib/googlecloudsdk/api_lib/container/images \
- /opt/google-cloud-sdk/help \
- /opt/google-cloud-sdk/data/cli \
- /opt/google-cloud-sdk/completion.bash.inc \
- /opt/google-cloud-sdk/completion.zsh.inc \
- /opt/google-cloud-sdk/path.bash.inc \
- /opt/google-cloud-sdk/path.zsh.inc \
+# Slim gcloud SDK — see github-actions.Dockerfile for the full rationale; must
+# run AFTER `gcloud components install` in a separate RUN, otherwise gcloud
+# touches `bundledpythonunix` again and the rm in the same chain becomes a no-op.
+RUN rm -rf \
+ /opt/google-cloud-sdk/.install/.backup \
+ /opt/google-cloud-sdk/.install/.download \
+ /opt/google-cloud-sdk/bin/anthoscli \
+ /opt/google-cloud-sdk/bin/docker-credential-gcloud \
+ /opt/google-cloud-sdk/bin/git-credential-gcloud.sh \
+ /opt/google-cloud-sdk/platform/bundledpythonunix \
+ /opt/google-cloud-sdk/platform/gsutil/third_party/pyasn1* \
+ /opt/google-cloud-sdk/platform/gsutil/third_party/rsa/doc \
+ /opt/google-cloud-sdk/platform/gsutil/third_party/oauth2client/contrib \
+ /opt/google-cloud-sdk/platform/gsutil/third_party/urllib3/dummyserver \
+ /opt/google-cloud-sdk/lib/third_party/grpc \
+ /opt/google-cloud-sdk/lib/googlecloudsdk/api_lib/container/images \
+ /opt/google-cloud-sdk/help \
+ /opt/google-cloud-sdk/data/cli \
+ /opt/google-cloud-sdk/completion.bash.inc \
+ /opt/google-cloud-sdk/completion.zsh.inc \
+ /opt/google-cloud-sdk/path.bash.inc \
+ /opt/google-cloud-sdk/path.zsh.inc \
+ /root/.config/gcloud/logs \
+ /root/.config/gcloud/.last_update_check.json \
+ /root/.config/gcloud/.last_opt_in_prompt.yaml \
+ /root/.config/gcloud/configurations \
 && find /opt/google-cloud-sdk -name "*.pyc" -delete \
 && find /opt/google-cloud-sdk -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true \
 && find /opt/google-cloud-sdk -name "*.md" -delete \
 && find /opt/google-cloud-sdk -name "*.txt" -delete \
 && find /opt/google-cloud-sdk -name "COPYING*" -delete \
 && find /opt/google-cloud-sdk -name "LICENSE*" -delete \
- && rm -rf /tmp/gcloud.tar.gz /tmp/google-cloud-sdk
+ && rm -rf /tmp/* /var/tmp/*
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Stage 2: runtime
+# ─────────────────────────────────────────────────────────────────────────────
+FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
-ENV PATH="/opt/google-cloud-sdk/bin:${PATH}"
+RUN apk update && apk upgrade --no-cache \
+ && apk add --no-cache \
+ ca-certificates \
+ git \
+ openssh-client \
+ curl \
+ jq \
+ bash \
+ python3 \
+ && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
-# Install only essential GKE components and clean up immediately
-RUN gcloud components install gke-gcloud-auth-plugin --quiet && \
- # Clean up component installation cache and logs
- rm -rf /root/.config/gcloud/logs \
- /root/.config/gcloud/.last_update_check.json \
- /root/.config/gcloud/.last_opt_in_prompt.yaml \
- /root/.config/gcloud/configurations \
- /tmp/* /var/tmp/*
+COPY --from=builder /opt/pulumi /opt/pulumi
+COPY --from=builder /opt/google-cloud-sdk /opt/google-cloud-sdk
+
+ENV PATH="/opt/pulumi/bin:/opt/google-cloud-sdk/bin:${PATH}"
 WORKDIR /root/
-# Copy the pre-built static github-actions binary and optimize it
+# Staging path: welder writes the binary to ./bin/github-actions.
 COPY ./bin/github-actions ./github-actions
-RUN chmod +x ./github-actions && \
- # Strip debug symbols if not already done (reduces binary size)
- strip ./github-actions 2>/dev/null || true && \
- # Make 'sc' available in PATH for Pulumi local.Command subprocesses
- # (security pipeline runs: sc image sign, sc image scan, sc sbom generate, etc.)
- ln -s /root/github-actions /usr/local/bin/sc && \
- # Remove build tools no longer needed
- apk del upx binutils && \
- rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
+RUN chmod +x ./github-actions \
+ && ln -s /root/github-actions /usr/local/bin/sc
+
+RUN pulumi version > /dev/null \
+ && gcloud version > /dev/null \
+ && gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin \
+ && test -L /usr/local/bin/sc && test -x /usr/local/bin/sc
-# Verify installations work (but remove verification output to reduce layer size)
-RUN pulumi version > /dev/null && \
- gcloud version > /dev/null && \
- gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin && \
- test -L /usr/local/bin/sc && test -x /usr/local/bin/sc
+HEALTHCHECK --interval=30s --timeout=5s --start-period=2s --retries=3 \
+ CMD /root/github-actions --version >/dev/null 2>&1 || exit 1
-# Set the entrypoint to use the github-actions binary with absolute path
-# GitHub Actions runner overrides WORKDIR with --workdir /github/workspace
-# so we must use absolute path to avoid "./github-actions: no such file or directory"
+# GitHub Actions runner overrides WORKDIR with --workdir /github/workspace, so
+# the entrypoint needs to be an absolute path.
 ENTRYPOINT ["/root/github-actions"]
diff --git a/github-actions.Dockerfile b/github-actions.Dockerfile
index 85a8c18a..e92ed4ef 100644
--- a/github-actions.Dockerfile
+++ b/github-actions.Dockerfile
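Review bot: The `|| true` at the end of the Pulumi RUN chain is not scoped to `strip`/`upx`: `&&` and `||` bind left to right, so `… && sha256sum -c - && … && strip … || true && upx … || true` exits 0 even when the checksum (or a curl) step fails, and the failure only surfaces later and indirectly when `COPY --from=builder /opt/pulumi` finds nothing. Brace the best-effort steps instead: `&& { strip /opt/pulumi/bin/* 2>/dev/null || true; } \` and `&& { upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true; }`. Separately, this file now duplicates the entire builder stage of github-actions.Dockerfile and relies on a header comment to stay in sync; a single Dockerfile with `ARG BINARY_SRC=dist/github-actions` and `COPY ${BINARY_SRC} ./github-actions` (staging passing `--build-arg BINARY_SRC=bin/github-actions`) would remove the drift risk rather than document it.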
@@ -1,101 +1,151 @@
-# Simplified Dockerfile - uses pre-built binary from CI
-# Binary is built in the workflow and copied here, avoiding Go module downloads and compilation in Docker
+# GitHub Actions docker-action runtime image — multi-stage build.
+#
+# Stage 1 (builder): downloads + verifies + slims Pulumi and Google Cloud SDK,
+# using build-only tools (binutils, upx, curl). These tools NEVER reach the
+# runtime layer (CIS Docker 4.3 — minimal base image).
+#
+# Stage 2 (runtime): minimal Alpine + only what `github-actions` invokes via
+# exec.LookPath: gcloud (Python-backed), pulumi, git, ssh-client, curl, jq,
+# bash. The pre-built `github-actions` Go binary is copied in last.
+#
+# Note on USER: GitHub docker-based actions run with the workspace mounted at
+# /github/workspace owned by root. Setting a non-root USER here causes git
+# operations to fail with "dubious ownership" or perms errors. Tracked as a
+# follow-up (would require GitHub's "self-hosted runner with userns" or
+# `safe.directory '*'` workarounds applied at action invocation).
-FROM alpine:3.19
+# ─────────────────────────────────────────────────────────────────────────────
+# Stage 1: tool downloader/builder
+# ─────────────────────────────────────────────────────────────────────────────
+# alpine:3.21 pinned by digest (CIS Docker 4.7); refresh:
+# docker buildx imagetools inspect alpine:3.21
+FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS builder
-# Install runtime dependencies in single layer with aggressive cleanup
-RUN apk --no-cache add \
- ca-certificates \
- git \
- openssh-client \
- curl \
- jq \
- bash \
- python3 \
- py3-pip \
- upx \
- binutils \
- && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
+RUN apk update && apk upgrade --no-cache \
+ && apk add --no-cache curl bash binutils upx ca-certificates tar python3 \
+ && rm -rf /var/cache/apk/*
+# python3 in the builder is required for `gcloud components install`; without it,
+# gcloud falls back to its bundled Python (which is what we want to delete).
-# Install Pulumi CLI - Required for Simple Container provisioning
-# Read version from go.mod to ensure consistency with Go dependencies
+# Pulumi CLI — version is sourced from go.mod for consistency, downloaded
+# from GitHub Releases, and verified against the per-version checksum file
+# Pulumi publishes alongside each release. Replaces `curl … | sh -s -- --version`
+# (CIS SSCS §5 — verify package/binary integrity; no `curl|bash`).
 COPY go.mod /tmp/go.mod
-RUN --mount=type=cache,target=/tmp/pulumi-cache,sharing=locked \
- PULUMI_VERSION=$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//') && \
- echo "Installing Pulumi version: ${PULUMI_VERSION} (extracted from go.mod)" && \
- curl -fsSL https://get.pulumi.com | sh -s -- --version ${PULUMI_VERSION} && \
- # Optimize Pulumi binaries - strip debug symbols and compress
- strip /root/.pulumi/bin/* 2>/dev/null || true && \
- upx --best --lzma /root/.pulumi/bin/* 2>/dev/null || true && \
- # Clean up temp files, but not BuildKit cache mounts
- rm -f /tmp/go.mod && \
- rm -rf /var/tmp/*
+RUN PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \
+ && echo "Installing Pulumi ${PULUMI_VERSION}" \
+ && cd /tmp \
+ && curl -fsSL -o pulumi.tar.gz \
+ "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \
+ && curl -fsSL -o pulumi-checksums.txt \
+ "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-${PULUMI_VERSION}-checksums.txt" \
+ && grep "pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" pulumi-checksums.txt \
+ | awk '{print $1" pulumi.tar.gz"}' \
+ | sha256sum -c - \
+ && mkdir -p /opt/pulumi/bin \
+ && tar -xzf pulumi.tar.gz -C /tmp \
+ && mv /tmp/pulumi/* /opt/pulumi/bin/ \
+ && rm -rf pulumi.tar.gz pulumi-checksums.txt /tmp/pulumi /tmp/go.mod \
+ && strip /opt/pulumi/bin/* 2>/dev/null || true \
+ && upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true
-ENV PATH="/root/.pulumi/bin:${PATH}"
+# Google Cloud SDK — pinned version + SHA-256 against Google's published tarball.
+# Refresh procedure (run on host):
+# GCLOUD_VERSION=
+# curl -sSLO "https://storage.googleapis.com/cloud-sdk-release/google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz"
+# sha256sum google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz
+ARG GCLOUD_VERSION="567.0.0"
+ARG GCLOUD_SHA256="bd5afc0d249609cb40d45f665209190fdd38b9937954291b8f9ae54206c75d83"
+RUN cd /tmp \
+ && curl -fsSL -o gcloud.tar.gz \
+ "https://storage.googleapis.com/cloud-sdk-release/google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" \
+ && echo "${GCLOUD_SHA256} gcloud.tar.gz" | sha256sum -c - \
+ && tar -xzf gcloud.tar.gz -C /opt \
+ && rm -f gcloud.tar.gz \
+ && /opt/google-cloud-sdk/install.sh --quiet \
+ --usage-reporting=false --path-update=false --bash-completion=false \
+ && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet
-# Install Google Cloud SDK (gcloud CLI) - Fixed installation with proper cleanup
-RUN --mount=type=cache,target=/tmp/gcloud-cache,sharing=locked \
- cd /tmp && \
- [ -f /tmp/gcloud-cache/google-cloud-cli-linux-x86_64.tar.gz ] || \
- curl -sSL https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz -o /tmp/gcloud-cache/google-cloud-cli-linux-x86_64.tar.gz && \
- tar -xzf /tmp/gcloud-cache/google-cloud-cli-linux-x86_64.tar.gz && \
- mv google-cloud-sdk /opt/ && \
- /opt/google-cloud-sdk/install.sh --quiet --usage-reporting=false --path-update=false --bash-completion=false && \
- # Remove unnecessary components, documentation, and cache files
- rm -rf /opt/google-cloud-sdk/.install/.backup \
- /opt/google-cloud-sdk/.install/.download \
- /opt/google-cloud-sdk/bin/anthoscli \
- /opt/google-cloud-sdk/bin/docker-credential-gcloud \
- /opt/google-cloud-sdk/bin/git-credential-gcloud.sh \
- /opt/google-cloud-sdk/platform/bundledpythonunix \
- /opt/google-cloud-sdk/platform/gsutil/third_party/pyasn1* \
- /opt/google-cloud-sdk/platform/gsutil/third_party/rsa/doc \
- /opt/google-cloud-sdk/platform/gsutil/third_party/oauth2client/contrib \
- /opt/google-cloud-sdk/lib/third_party/grpc \
- /opt/google-cloud-sdk/lib/googlecloudsdk/api_lib/container/images \
- /opt/google-cloud-sdk/help \
- /opt/google-cloud-sdk/data/cli \
- /opt/google-cloud-sdk/completion.bash.inc \
- /opt/google-cloud-sdk/completion.zsh.inc \
- /opt/google-cloud-sdk/path.bash.inc \
- /opt/google-cloud-sdk/path.zsh.inc \
+# Slim gcloud SDK — separate RUN so it executes AFTER components install and
+# any side-effects of gcloud invocations have settled. `bundledpythonunix` is
+# regenerated by gcloud at runtime if the system Python (python3) is on PATH,
+# and removing it inline alongside `gcloud components install` was a no-op
+# because gcloud touched the dir after the rm chain item ran in the same RUN.
+RUN rm -rf \
+ /opt/google-cloud-sdk/.install/.backup \
+ /opt/google-cloud-sdk/.install/.download \
+ /opt/google-cloud-sdk/bin/anthoscli \
+ /opt/google-cloud-sdk/bin/docker-credential-gcloud \
+ /opt/google-cloud-sdk/bin/git-credential-gcloud.sh \
+ /opt/google-cloud-sdk/platform/bundledpythonunix \
+ /opt/google-cloud-sdk/platform/gsutil/third_party/pyasn1* \
+ /opt/google-cloud-sdk/platform/gsutil/third_party/rsa/doc \
+ /opt/google-cloud-sdk/platform/gsutil/third_party/oauth2client/contrib \
+ /opt/google-cloud-sdk/platform/gsutil/third_party/urllib3/dummyserver \
+ /opt/google-cloud-sdk/lib/third_party/grpc \
+ /opt/google-cloud-sdk/lib/googlecloudsdk/api_lib/container/images \
+ /opt/google-cloud-sdk/help \
+ /opt/google-cloud-sdk/data/cli \
+ /opt/google-cloud-sdk/completion.bash.inc \
+ /opt/google-cloud-sdk/completion.zsh.inc \
+ /opt/google-cloud-sdk/path.bash.inc \
+ /opt/google-cloud-sdk/path.zsh.inc \
+ /root/.config/gcloud/logs \
+ /root/.config/gcloud/.last_update_check.json \
+ /root/.config/gcloud/.last_opt_in_prompt.yaml \
+ /root/.config/gcloud/configurations \
 && find /opt/google-cloud-sdk -name "*.pyc" -delete \
 && find /opt/google-cloud-sdk -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true \
 && find /opt/google-cloud-sdk -name "*.md" -delete \
 && find /opt/google-cloud-sdk -name "*.txt" -delete \
 && find /opt/google-cloud-sdk -name "COPYING*" -delete \
- && find /opt/google-cloud-sdk -name "LICENSE*" -delete
+ && find /opt/google-cloud-sdk -name "LICENSE*" -delete \
+ && rm -rf /tmp/* /var/tmp/*
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Stage 2: runtime
+# ─────────────────────────────────────────────────────────────────────────────
+# Alpine 3.19 → 3.21 (clears musl CVE-2026-40200 / CVE-2026-6042, openssh
+# CVE-2023-51767, busybox CVE-2024-58251 / CVE-2025-46394). Pinned by digest.
+FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
-ENV PATH="/opt/google-cloud-sdk/bin:${PATH}"
+# Runtime-only deps. python3 is required because gcloud invokes Python; py3-pip
+# was used only for transitive build steps — dropped per CIS Docker 4.3.
+RUN apk update && apk upgrade --no-cache \
+ && apk add --no-cache \
+ ca-certificates \
+ git \
+ openssh-client \
+ curl \
+ jq \
+ bash \
+ python3 \
+ && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
-# Install only essential GKE components and clean up immediately
-RUN gcloud components install gke-gcloud-auth-plugin --quiet && \
- # Clean up component installation cache and logs
- rm -rf /root/.config/gcloud/logs \
- /root/.config/gcloud/.last_update_check.json \
- /root/.config/gcloud/.last_opt_in_prompt.yaml \
- /root/.config/gcloud/configurations \
- /tmp/* /var/tmp/*
+# Copy validated/slimmed tools from builder (no curl|bash, no build tools, no
+# upx/binutils, no py3-pip in this layer).
+COPY --from=builder /opt/pulumi /opt/pulumi
+COPY --from=builder /opt/google-cloud-sdk /opt/google-cloud-sdk
+
+ENV PATH="/opt/pulumi/bin:/opt/google-cloud-sdk/bin:${PATH}"
 WORKDIR /root/
-# Copy the pre-built binary from CI
+# Copy the pre-built github-actions binary from CI.
 COPY dist/github-actions ./github-actions
-RUN chmod +x ./github-actions && \
- # Strip debug symbols if not already done (reduces binary size)
- strip ./github-actions 2>/dev/null || true && \
- # Make 'sc' available in PATH for Pulumi local.Command subprocesses
- # (security pipeline runs: sc image sign, sc image scan, sc sbom generate, etc.)
- ln -s /root/github-actions /usr/local/bin/sc && \
- # Remove build tools no longer needed
- apk del upx binutils && \
- rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
+RUN chmod +x ./github-actions \
+ # Symlink `sc` so Pulumi local.Command subprocesses can invoke security
+ # commands (sc image sign / scan, sc sbom generate, etc.) on PATH.
+ && ln -s /root/github-actions /usr/local/bin/sc
+
+# Smoke test — fails the build if any tool wiring is broken.
+RUN pulumi version > /dev/null \
+ && gcloud version > /dev/null \
+ && gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin \
+ && test -L /usr/local/bin/sc && test -x /usr/local/bin/sc
-# Verify installations work (but remove verification output to reduce layer size)
-RUN pulumi version > /dev/null && \
- gcloud version > /dev/null && \
- gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin && \
- test -L /usr/local/bin/sc && test -x /usr/local/bin/sc
+# CIS Docker 4.6 — health probe (binary --version, no network, fast).
+HEALTHCHECK --interval=30s --timeout=5s --start-period=2s --retries=3 \
+ CMD /root/github-actions --version >/dev/null 2>&1 || exit 1
-# Set the entrypoint
 ENTRYPOINT ["/root/github-actions"]
diff --git a/go.mod b/go.mod
index d66ad9a8..a144c58c 100644
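Review bot: The Pulumi checksum step can pass without verifying anything: there is no `pipefail` and no check that `grep` matched, so if the checksum file has no line for `pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz` (renamed asset, changed file layout) `awk` emits nothing and `sha256sum -c -` is fed empty input — with BusyBox `sha256sum` in this Alpine builder I believe that returns 0, and the chain proceeds to `tar`. On top of that the trailing `|| true` after `strip` is not scoped: `… && sha256sum -c - && … && strip … || true && upx … || true` evaluates left to right, so a failed checksum (or curl) still leaves the RUN with exit 0 and the build only dies later at `COPY --from=builder /opt/pulumi`. Extract the expected digest into a variable, fail if it is empty, and brace the best-effort steps as below. Note also that the checksum file is fetched from the same origin as the tarball, so this protects against corruption and CDN substitution but not against a compromised release; pinning the expected digest in an ARG (as done for gcloud in this file) or verifying Pulumi's release signature would close that gap.
```dockerfile
RUN PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \
    # … unchanged: echo, cd /tmp, the two curl downloads …
    && EXPECTED="$(grep -F "pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" pulumi-checksums.txt | awk '{print $1}')" \
    && test -n "${EXPECTED}" \
    && echo "${EXPECTED}  pulumi.tar.gz" | sha256sum -c - \
    # … unchanged: mkdir, tar, mv, rm …
    && { strip /opt/pulumi/bin/* 2>/dev/null || true; } \
    && { upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true; }
```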
--- a/go.mod
+++ b/go.mod
@@ -2,6 +2,8 @@ module github.com/simple-container-com/api
 go 1.25.0
+toolchain go1.25.9
+
 require (
 cloud.google.com/go/storage v1.49.0
 github.com/MShekow/directory-checksum v1.4.9
@@ -9,6 +11,7 @@ require (
 github.com/antonmedv/expr v1.12.6
 github.com/atombender/go-jsonschema v0.22.0
 github.com/aws/aws-lambda-go v1.47.0
+ github.com/aws/aws-sdk-go v1.50.36
 github.com/aws/aws-secretsmanager-caching-go v1.1.3
 github.com/cloudflare/cloudflare-go v0.104.0
 github.com/compose-spec/compose-go v1.20.2
@@ -16,8 +19,8 @@ require (
 github.com/docker/docker v28.5.2+incompatible
 github.com/fatih/color v1.18.0
 github.com/go-delve/delve v1.26.1
- github.com/go-git/go-billy/v5 v5.6.1
- github.com/go-git/go-git/v5 v5.13.1
+ github.com/go-git/go-billy/v5 v5.8.0
+ github.com/go-git/go-git/v5 v5.18.0
 github.com/golangci/golangci-lint v1.64.8
 github.com/google/uuid v1.6.0
 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef
@@ -47,11 +50,11 @@ require (
 github.com/vektra/mockery/v2 v2.53.6
 go.mongodb.org/mongo-driver v1.16.1
 go.uber.org/atomic v1.11.0
- golang.org/x/crypto v0.48.0
- golang.org/x/oauth2 v0.30.0
- golang.org/x/sync v0.19.0
- golang.org/x/term v0.40.0
- golang.org/x/text v0.34.0
+ golang.org/x/crypto v0.49.0
+ golang.org/x/oauth2 v0.35.0
+ golang.org/x/sync v0.20.0
+ golang.org/x/term v0.41.0
+ golang.org/x/text v0.35.0
 google.golang.org/api v0.223.0
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
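Review bot: `github.com/aws/aws-sdk-go v1.50.36` moves from `// indirect` to a direct requirement in the `@@ -9,6 +11,7 @@` hunk, which means project code now imports the v1 SDK directly; as far as I know AWS placed aws-sdk-go v1 in maintenance mode on 2024-07-31 and ended support on 2025-07-31, so unlike the v2 modules bumped here it will not receive fixes for advisories such as GHSA-xmrv-pmrh-hhx2. The pinned v1.50.36 is also left untouched (a release from around March 2024, if I recall correctly). This deserves an entry in the commit's Deferred list and a follow-up to migrate those imports to aws-sdk-go-v2.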
@@ -63,11 +66,11 @@ require (
 require (
 4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
 4d63.com/gochecknoglobals v0.2.2 // indirect
- cel.dev/expr v0.20.0 // indirect
+ cel.dev/expr v0.25.1 // indirect
 cloud.google.com/go v0.116.0 // indirect
 cloud.google.com/go/auth v0.15.0 // indirect
 cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
- cloud.google.com/go/compute/metadata v0.6.0 // indirect
+ cloud.google.com/go/compute/metadata v0.9.0 // indirect
 cloud.google.com/go/iam v1.2.2 // indirect
 cloud.google.com/go/kms v1.20.1 // indirect
 cloud.google.com/go/logging v1.12.0 // indirect
@@ -93,13 +96,13 @@ require (
 github.com/Crocmagnon/fatcontext v0.7.1 // indirect
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
 github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 // indirect
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0 // indirect
+ github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 // indirect
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect
 github.com/Masterminds/semver/v3 v3.4.0 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
 github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
- github.com/ProtonMail/go-crypto v1.1.3 // indirect
+ github.com/ProtonMail/go-crypto v1.1.6 // indirect
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
 github.com/agext/levenshtein v1.2.3 // indirect
 github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
@@ -111,27 +114,26 @@ require (
 github.com/ashanbrown/forbidigo v1.6.0 // indirect
 github.com/ashanbrown/makezero v1.2.0 // indirect
 github.com/atotto/clipboard v0.1.4 // indirect
- github.com/aws/aws-sdk-go v1.50.36 // indirect
- github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
- github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.41.5 // indirect
+ github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 // indirect
 github.com/aws/aws-sdk-go-v2/config v1.27.12 // indirect
 github.com/aws/aws-sdk-go-v2/credentials v1.17.12 // indirect
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
- github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 // indirect
 github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3 // indirect
 github.com/aws/aws-sdk-go-v2/service/sso v1.20.6 // indirect
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.5 // indirect
 github.com/aws/aws-sdk-go-v2/service/sts v1.28.7 // indirect
- github.com/aws/smithy-go v1.20.2 // indirect
+ github.com/aws/smithy-go v1.24.2 // indirect
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/bkielbasa/cyclop v1.2.3 // indirect
@@ -155,15 +157,15 @@ require (
 github.com/chigopher/pathlib v0.19.1 // indirect
 github.com/cilium/ebpf v0.11.0 // indirect
 github.com/ckaznocha/intrange v0.3.0 // indirect
- github.com/cloudflare/circl v1.6.1 // indirect
- github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect
+ github.com/cloudflare/circl v1.6.3 // indirect
+ github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
 github.com/containerd/console v1.0.4 // indirect
 github.com/containerd/errdefs v1.0.0 // indirect
 github.com/containerd/errdefs/pkg v0.3.0 // indirect
 github.com/cosiner/argv v0.1.0 // indirect
 github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 github.com/curioswitch/go-reassign v0.3.0 // indirect
- github.com/cyphar/filepath-securejoin v0.3.6 // indirect
+ github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 github.com/daixiang0/gci v0.13.5 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/deckarep/golang-set/v2 v2.5.0 // indirect
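Review bot: The aws-sdk-go-v2 bump in the `@@ -111,27 +114,26 @@` hunk is uneven: the core module moves to v1.41.5 and the s3/internal helpers follow, but `config v1.27.12`, `credentials v1.17.12`, `feature/ec2/imds v1.16.1`, `feature/s3/manager v1.16.15`, `service/kms v1.30.1`, `service/sso v1.20.6`, `service/ssooidc v1.23.5` and `service/sts v1.28.7` are left at their 2024 releases. Those are precisely the modules that load credentials and perform SSO/STS role assumption, and to my knowledge AWS only tests each service module against the core version it was released with, so this skew is both a compatibility risk and a likely source of remaining scanner findings in the credential path. Consider `go get github.com/aws/aws-sdk-go-v2/config@latest github.com/aws/aws-sdk-go-v2/credentials@latest github.com/aws/aws-sdk-go-v2/service/sts@latest` (plus sso, ssooidc, imds, kms) followed by `go mod tidy`, so the SDK family moves as one set, then re-run the image scan to confirm the binary is clean rather than relying on the core bump alone.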
@@ -180,8 +182,8 @@ require (
 github.com/edsrzf/mmap-go v1.1.0 // indirect
 github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 github.com/emirpasic/gods v1.18.1 // indirect
- github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
- github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+ github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
+ github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
 github.com/ettle/strcase v0.2.0 // indirect
 github.com/fatih/structtag v1.2.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -194,8 +196,8 @@ require (
 github.com/go-delve/liner v1.2.3-0.20231231155935-4726ab1d7f62 // indirect
 github.com/go-errors/errors v1.5.1 // indirect
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
- github.com/go-jose/go-jose/v3 v3.0.4 // indirect
- github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+ github.com/go-jose/go-jose/v3 v3.0.5 // indirect
+ github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 github.com/go-logr/logr v1.4.3 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -218,8 +220,8 @@ require (
 github.com/gofrs/uuid v4.2.0+incompatible // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
- github.com/golang/glog v1.2.4 // indirect
- github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+ github.com/golang/glog v1.2.5 // indirect
+ github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 github.com/golang/protobuf v1.5.4 // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
@@ -338,7 +340,7 @@ require (
 github.com/pgavlin/fx v0.1.6 // indirect
 github.com/pgavlin/goldmark v1.1.33-0.20200616210433-b5eb04559386 // indirect
 github.com/pgavlin/text v0.0.0-20240821195002-b51d0990e284 // indirect
- github.com/pjbgf/sha1cd v0.3.0 // indirect
+ github.com/pjbgf/sha1cd v0.3.2 // indirect
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 github.com/pkg/term v1.2.0-beta.2 // indirect
 github.com/pkoukk/tiktoken-go v0.1.6 // indirect
@@ -346,7 +348,7 @@ require (
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/polyfloyd/go-errorlint v1.7.1 // indirect
 github.com/prometheus/client_golang v1.12.2 // indirect
- github.com/prometheus/client_model v0.6.1 // indirect
+ github.com/prometheus/client_model v0.6.2 // indirect
 github.com/prometheus/common v0.37.0 // indirect
 github.com/prometheus/procfs v0.7.3 // indirect
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
@@ -381,14 +383,14 @@ require (
 github.com/sirupsen/logrus v1.9.3 // indirect
 github.com/sivchari/containedctx v1.0.3 // indirect
 github.com/sivchari/tenv v1.12.1 // indirect
- github.com/skeema/knownhosts v1.3.0 // indirect
+ github.com/skeema/knownhosts v1.3.1 // indirect
 github.com/sonatard/noctx v0.1.0 // indirect
 github.com/sosodev/duration v1.3.1 // indirect
 github.com/sourcegraph/go-diff v0.7.0 // indirect
 github.com/spf13/cast v1.10.0 // indirect
 github.com/spf13/pflag v1.0.10 // indirect
 github.com/spf13/viper v1.21.0 // indirect
- github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
+ github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
 github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
 github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
 github.com/stretchr/objx v0.5.3 // indirect
@@ -421,21 +423,20 @@ require (
 github.com/ykadowak/zerologlint v0.1.5 // indirect
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 github.com/zclconf/go-cty v1.14.1 // indirect
- github.com/zeebo/errs v1.4.0 // indirect
 gitlab.com/bosi/decorder v0.4.2 // indirect
 go-simpler.org/musttag v0.13.0 // indirect
 go-simpler.org/sloglint v0.9.0 // indirect
 go.opencensus.io v0.24.0 // indirect
- go.opentelemetry.io/auto/sdk v1.1.0 // indirect
- go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
+ go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+ go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
- go.opentelemetry.io/otel v1.36.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0 // indirect
- go.opentelemetry.io/otel/metric v1.36.0 // indirect
- go.opentelemetry.io/otel/sdk v1.36.0 // indirect
- go.opentelemetry.io/otel/sdk/metric v1.34.0 // indirect
- go.opentelemetry.io/otel/trace v1.36.0 // indirect
+ go.opentelemetry.io/otel v1.43.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 // indirect
+ go.opentelemetry.io/otel/metric v1.43.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+ go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
+ go.opentelemetry.io/otel/trace v1.43.0 // indirect
 go.starlark.net v0.0.0-20231101134539-556fd59b42f6 // indirect
 go.uber.org/automaxprocs v1.6.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
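Review bot: In this hunk the `go.opentelemetry.io/otel*` modules jump to v1.43.0 and `contrib/detectors/gcp` to v1.39.0, but the two context lines `contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0` and `contrib/instrumentation/net/http/otelhttp v0.59.0` are untouched. The otel-contrib instrumentation modules are released in lockstep with a specific otel core version (v0.59.x, if I recall the release train correctly, pairs with otel v1.34.x), so the interceptors that attach gRPC/HTTP trace context will now run against a core seven minor releases newer than they were built for, which is exactly the surface a gRPC CVE fix is supposed to cover. Bump the contrib pair together with core, e.g. `go get go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@latest go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@latest && go mod tidy`, and let `go build ./... && go vet ./...` confirm no API drift. The dropped `github.com/zeebo/errs` line looks like a tidy side effect and is fine.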
@@ -448,18 +449,18 @@ require (
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
 golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
 golang.org/x/mod v0.33.0 // indirect
- golang.org/x/net v0.50.0 // indirect
- golang.org/x/sys v0.41.0 // indirect
+ golang.org/x/net v0.52.0 // indirect
+ golang.org/x/sys v0.42.0 // indirect
 golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 // indirect
 golang.org/x/time v0.10.0 // indirect
 golang.org/x/tools v0.42.0 // indirect
 golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
- google.golang.org/grpc v1.72.1 // indirect
- google.golang.org/protobuf v1.36.8 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
+ google.golang.org/grpc v1.80.0 // indirect
+ google.golang.org/protobuf v1.36.11 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
diff --git a/go.sum b/go.sum
index 7b64dd49..f77f28df 100644
--- a/go.sum
+++ b/go.sum
@@ -2,8 +2,8 @@ 4d63.com/gocheckcompilerdirectives v1.3.0/go.mod h1:ofsJ4zx2QAuIP/NO/NAh1ig6R1Fb18/GI7RVMwz7kAY= 4d63.com/gochecknoglobals v0.2.2 h1:H1vdnwnMaZdQW/N+NrkT1SZMTBmcwHe9Vq8lJcYYTtU= 4d63.com/gochecknoglobals v0.2.2/go.mod h1:lLxwTQjL5eIesRbvnzIP3jZtG140FnTdz+AlMa+ogt0= -cel.dev/expr v0.20.0 h1:OunBvVCfvpWlt4dN7zg3FM6TDkzOePe1+foGJ9AXeeI= -cel.dev/expr v0.20.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= +cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4= +cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= @@ -33,8 +33,8 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I= -cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg= +cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= +cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/iam v1.2.2 h1:ozUSofHUGf/F4tCNy/mu9tHLTaxZFLOUiKzjcgWHGIA= 
@@ -111,8 +111,8 @@ github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rW github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 h1:Sz1JIXEcSfhz7fUi7xHnhpIE0thVASYjvosApmHuD2k= github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1/go.mod h1:n/LSCXNuIYqVfBlVXyHfMQkZDdp1/mmxfSjADd3z1Zg= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0 h1:f2Qw/Ehhimh5uO1fayV0QIW7DShEQqhtUfhYc+cBPlw= -github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 h1:DHa2U07rk8syqvCge0QIGMCE1WxGj9njT44GH7zNJLQ= +github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0= github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 h1:UQ0AhxogsIRZDkElkblfnwjc3IaltCm2HUMvezQaL7s= github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1/go.mod h1:jyqM3eLpJ3IbIFDTKVz2rF9T/xWGW0rIriGwnz8l9Tk= github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.48.1 h1:oTX4vsorBZo/Zdum6OKPA4o7544hm6smoRv1QjpTwGo= 
@@ -132,8 +132,8 @@ github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63n github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w= github.com/OpenPeeDeeP/depguard/v2 v2.2.1 h1:vckeWVESWp6Qog7UZSARNqfu/cZqvki8zsuj3piCMx4= github.com/OpenPeeDeeP/depguard/v2 v2.2.1/go.mod h1:q4DKzC4UcVaAvcfd41CZh0PWpGgzrVxUYBlgKNGquUo= -github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk= -github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= +github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw= +github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY= github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= 
@@ -180,10 +180,10 @@ github.com/aws/aws-lambda-go v1.47.0/go.mod h1:dpMpZgvWx5vuQJfBt0zqBha60q7Dd7Rfg github.com/aws/aws-sdk-go v1.47.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go v1.50.36 h1:PjWXHwZPuTLMR1NIb8nEjLucZBMzmf84TLoLbD8BZqk= github.com/aws/aws-sdk-go v1.50.36/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA= -github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg= +github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV/yY= +github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 h1:eBMB84YGghSocM7PsjmmPffTa+1FBUeNvGvFou6V/4o= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI= github.com/aws/aws-sdk-go-v2/config v1.27.12 h1:vq88mBaZI4NGLXk8ierArwSILmYHDJZGJOeAc/pzEVQ= github.com/aws/aws-sdk-go-v2/config v1.27.12/go.mod h1:IOrsf4IiN68+CgzyuyGUYTpCrtUQTbbMEAtR/MR/4ZU= github.com/aws/aws-sdk-go-v2/credentials v1.17.12 h1:PVbKQ0KjDosI5+nEdRMU8ygEQDmkJTSHBqPjEX30lqc= 
@@ -192,28 +192,28 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYh github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15 h1:7Zwtt/lP3KNRkeZre7soMELMGNoBrutx8nobg1jKWmo= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.15/go.mod h1:436h2adoHb57yd+8W+gYPrrA9U/R/SuAuOO42Ushzhw= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21/go.mod h1:p+hz+PRAYlY3zcpJhPwXlLC4C+kqn70WIHwnzAfs6ps= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 h1:81KE7vaZzrl7yHBYHVEzYB8sypz11NMOZ40YlWvPxsU= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5/go.mod h1:LIt2rg7Mcgn09Ygbdh/RdIm0rQ+3BNkbP1gyVMFtRK0= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 h1:rWyie/PxDRIdhNf4DzRk0lvjVOqFJuNnO8WwaIRVxzQ= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22/go.mod h1:zd/JsJ4P7oGfUhXn1VyLqaRZwPmZwg44Jf2dS84Dm3Y= github.com/aws/aws-sdk-go-v2/service/iam v1.31.4 
h1:eVm30ZIDv//r6Aogat9I88b5YX1xASSLcEDqHYRPVl0= github.com/aws/aws-sdk-go-v2/service/iam v1.31.4/go.mod h1:aXWImQV0uTW35LM0A/T4wEg6R1/ReXUu4SM6/lUHYK0= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 h1:ZMeFZ5yk+Ek+jNr1+uwCd2tG89t6oTS5yVWpa6yy2es= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7/go.mod h1:mxV05U+4JiHqIpGqqYXOHLPKUC6bDXC44bsUhNjOEwY= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 h1:f9RyWNtS8oH7cZlbn+/JNPpjUk5+5fLd5lM9M0i49Ys= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5/go.mod h1:h5CoMZV2VF297/VLhRhO1WF+XYWOzXo+4HsObA4HjBQ= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7/go.mod h1:x0nZssQ3qZSnIcePWLvcoFisRXJzcTVvYpAAdYX8+GI= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 h1:JRaIgADQS/U6uXDqlPiefP32yXTda7Kqfx+LgspooZM= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13/go.mod h1:CEuVn5WqOMilYl+tbccq8+N2ieCy0gVn3OtRb0vBNNM= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 h1:c31//R3xgIJMSC8S6hEVq+38DcvUlgFY0FM6mSI5oto= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21/go.mod h1:r6+pf23ouCB718FUxaqzZdbpYFyDtehyZcmP5KL9FkA= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 h1:ZlvrNcHSFFWURB8avufQq9gFsheUgjVD9536obIknfM= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared 
v1.19.21/go.mod h1:cv3TNhVrssKR0O/xxLJVRfd2oazSnZnkUeTf6ctUwfQ= github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 h1:SBn4I0fJXF9FYOVRSVMWuhvEKoAHDikjGpS3wlmw5DE= github.com/aws/aws-sdk-go-v2/service/kms v1.30.1/go.mod h1:2snWQJQUKsbN66vAawJuOGX7dr37pfOq9hb0tZDGIqQ= -github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1 h1:6cnno47Me9bRykw9AEv9zkXE+5or7jz8TsskTTccbgc= -github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1/go.mod h1:qmdkIIAC+GCLASF7R2whgNrJADz0QZPX+Seiw/i4S3o= +github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3 h1:HwxWTbTrIHm5qY+CAEur0s/figc3qwvLWsNkF4RPToo= +github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM= github.com/aws/aws-sdk-go-v2/service/sso v1.20.6 h1:o5cTaeunSpfXiLTIBx5xo2enQmiChtu1IBbzXnfU9Hs= github.com/aws/aws-sdk-go-v2/service/sso v1.20.6/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.5 h1:Ciiz/plN+Z+pPO1G0W2zJoYIIl0KtKzY0LJ78NXYTws= 
@@ -222,8 +222,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.28.7 h1:et3Ta53gotFR4ERLXXHIHl/Uuk1q github.com/aws/aws-sdk-go-v2/service/sts v1.28.7/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw= github.com/aws/aws-secretsmanager-caching-go v1.1.3 h1:t+rmdeZdmejBnnzcOphm/RGbcgLIdIf0s1GTbUHmQ3w= github.com/aws/aws-secretsmanager-caching-go v1.1.3/go.mod h1:QMdbETAWsghCajFg3e4QXhDjCn3F38BhK3N481xtKl4= -github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= -github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= +github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng= +github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc= github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k= github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 
@@ -253,8 +253,8 @@ github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQd github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= -github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8= -github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= +github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= +github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 
@@ -282,13 +282,13 @@ github.com/cilium/ebpf v0.11.0/go.mod h1:WE7CZAnqOL2RouJ4f1uyNhqr2P4CCvXFIqdRDUg github.com/ckaznocha/intrange v0.3.0 h1:VqnxtK32pxgkhJgYQEeOArVidIPg+ahLP7WBOXZd5ZY= github.com/ckaznocha/intrange v0.3.0/go.mod h1:+I/o2d2A1FBHgGELbGxzIcyd3/9l9DuwjM8FsbSS3Lo= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= -github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= +github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8= +github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4= github.com/cloudflare/cloudflare-go v0.104.0 h1:R/lB0dZupaZbOgibAH/BRrkFbZ6Acn/WsKg2iX2xXuY= github.com/cloudflare/cloudflare-go v0.104.0/go.mod h1:pfUQ4PIG4ISI0/Mmc21Bp86UnFU0ktmPf3iTgbSL+cM= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 h1:Om6kYQYDUk5wWbT0t0q6pvyM49i9XZAv9dDrkDA7gjk= -github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w= +github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI= github.com/compose-spec/compose-go v1.20.2 h1:u/yfZHn4EaHGdidrZycWpxXgFffjYULlTbRfJ51ykjQ= github.com/compose-spec/compose-go v1.20.2/go.mod h1:+MdqXV4RA7wdFsahh/Kb8U0pAJqkg7mr4PM9tFKU8RM= github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro= 
@@ -310,8 +310,8 @@ github.com/creack/pty v1.1.20 h1:VIPb/a2s17qNeQgDnkfZC35RScx+blkKF8GV68n80J4= github.com/creack/pty v1.1.20/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs= github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88= -github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM= -github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= +github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= github.com/daixiang0/gci v0.13.5 h1:kThgmH1yBmZSBCh1EJVxQ7JsHpm5Oms0AMed/0LaH4c= github.com/daixiang0/gci v0.13.5/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk= github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -349,8 +349,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/edsrzf/mmap-go v1.1.0 h1:6EUwBLQ/Mcr1EYLE4Tn1VdW1A4ckqCQWZBw8Hr0kjpQ= github.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q= -github.com/elazarl/goproxy v1.2.3 h1:xwIyKHbaP5yfT6O9KIeYJR5549MXRQkoQMRXGztz8YQ= -github.com/elazarl/goproxy v1.2.3/go.mod h1:YfEbZtqP4AetfO6d40vWchF3znWX7C7Vd6ZMfdL8z64= +github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o= +github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE= github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= 
@@ -358,15 +358,15 @@ github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FM github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M= -github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA= -github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A= -github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw= +github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA= +github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU= +github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g= +github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98= github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI= github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8= -github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU= +github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4= +github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA= 
github.com/ettle/strcase v0.2.0 h1:fGNiVF21fHXpX1niBgk0aROov1LagYsOwV/xqKDKR/Q= github.com/ettle/strcase v0.2.0/go.mod h1:DajmHElDSaX76ITe3/VHVyMin4LWSJN5Z909Wp+ED1A= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= 
@@ -401,19 +401,19 @@ github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8b github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= -github.com/go-git/go-billy/v5 v5.6.1 h1:u+dcrgaguSSkbjzHwelEjc0Yj300NUevrrPphk/SoRA= -github.com/go-git/go-billy/v5 v5.6.1/go.mod h1:0AsLr1z2+Uksi4NlElmMblP5rPcDZNRCD8ujZCRR2BE= +github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0= +github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= -github.com/go-git/go-git/v5 v5.13.1 h1:DAQ9APonnlvSWpvolXWIuV6Q6zXy2wHbN4cVlNR5Q+M= -github.com/go-git/go-git/v5 v5.13.1/go.mod h1:qryJB4cSBoq3FRoBRf5A77joojuBcmPJ0qu3XXXVixc= +github.com/go-git/go-git/v5 v5.18.0 h1:O831KI+0PR51hM2kep6T8k+w0/LIAD490gvqMCvL5hM= +github.com/go-git/go-git/v5 v5.18.0/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY= -github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= -github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= 
-github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= +github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ= +github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= +github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA= +github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= 
@@ -485,13 +485,13 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69 github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.2.4 h1:CNNw5U8lSiiBk7druxtSHHTsRWcxKoac6kZKm2peBBc= -github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= +github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I= +github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= -github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= +github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= 
@@ -610,8 +610,8 @@ github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M= github.com/gostaticanalysis/testutil v0.5.0 h1:Dq4wT1DdTwTGCQQv3rl3IvD5Ld0E6HiY+3Zh0sUGqw8= github.com/gostaticanalysis/testutil v0.5.0/go.mod h1:OLQSbuM6zw2EvCcXTz1lVq5unyoNft372msDY0nY5Hs= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c= github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 h1:MJG/KsmcqMwFAkh8mTnAwhyKoB+sTAnY4CACC110tbU= github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -892,8 +892,8 @@ github.com/pgavlin/text v0.0.0-20240821195002-b51d0990e284 h1:qpLdAFg3kyV/mEsuMP github.com/pgavlin/text v0.0.0-20240821195002-b51d0990e284/go.mod h1:fk4+YyTLi0Ap0CsL1HA70/tAs6evqw3hbPGdR8rD/3E= github.com/philippgille/chromem-go v0.7.0 h1:4jfvfyKymjKNfGxBUhHUcj1kp7B17NL/I1P+vGh1RvY= github.com/philippgille/chromem-go v0.7.0/go.mod h1:hTd+wGEm/fFPQl7ilfCwQXkgEUxceYh86iIdoKMolPo= -github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= -github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= +github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4= +github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -925,8 +925,8 @@ github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1: github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= -github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= +github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= 
@@ -1039,8 +1039,8 @@ github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+W github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4= github.com/sivchari/tenv v1.12.1 h1:+E0QzjktdnExv/wwsnnyk4oqZBUfuh89YMQT1cyuvSY= github.com/sivchari/tenv v1.12.1/go.mod h1:1LjSOUCc25snIr5n3DtGGrENhX3LuWefcplwVGC24mw= -github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY= -github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M= +github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8= +github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY= github.com/sonatard/noctx v0.1.0 h1:JjqOc2WN16ISWAjAk8M5ej0RfExEXtkEyExl2hLW+OM= github.com/sonatard/noctx v0.1.0/go.mod h1:0RvBxqY8D4j9cTTTWE8ylt2vqj2EPI8fHmrxHdsaZ2c= github.com/sosodev/duration v1.3.1 h1:qtHBDMQ6lvMQsL15g4aopM4HEfOaYuhWBw3NPTtlqq4= @@ -1059,8 +1059,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU= github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY= -github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE= -github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g= +github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= +github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs= github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YEwQ0= github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I= github.com/stbenjam/no-sprintf-host-port v0.2.0 h1:i8pxvGrt1+4G0czLr/WnmyH7zbZ8Bg8etvARQ1rpyl4= 
@@ -1159,8 +1159,6 @@ github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zclconf/go-cty v1.14.1 h1:t9fyA35fwjjUMcmL5hLER+e/rEPqrbCK1/OSE4SI9KA= github.com/zclconf/go-cty v1.14.1/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= -github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM= -github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= gitlab.com/bosi/decorder v0.4.2 h1:qbQaV3zgwnBZ4zPMhGLW4KZe7A7NwxEhJx39R3shffo= gitlab.com/bosi/decorder v0.4.2/go.mod h1:muuhHoaJkA9QLcYHq4Mj8FJUwDZ+EirSHRiaTcTf6T8= go-simpler.org/assert v0.9.0 h1:PfpmcSvL7yAnWyChSjOz6Sp6m9j5lyK8Ok9pEL31YkQ= 
@@ -1178,32 +1176,32 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= -go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/contrib/detectors/gcp v1.34.0 h1:JRxssobiPg23otYU5SbWtQC//snGVIM3Tx6QRzlQBao= -go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo= +go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= +go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/contrib/detectors/gcp v1.39.0 h1:kWRNZMsfBHZ+uHjiH4y7Etn2FK26LAGkNFw7RHv1DhE= +go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 h1:rgMkmiGfix9vFJDcDi1PK8WEQP4FLQwLDfhp5ZLpFeE= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0/go.mod h1:ijPqXp5P6IRRByFVVg9DY8P5HkxkHE5ARIa+86aXPf4= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I= -go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= -go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 h1:dNzwXjZKpMpE2JhmO+9HsPl42NIXFIFSUSSs0fiqra0= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0/go.mod 
h1:90PoxvaEB5n6AOdZvi+yWJQoE95U8Dhhw2bSyRqnTD0= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0 h1:nRVXXvf78e00EwY6Wp0YII8ww2JVWshZ20HfTlE11AM= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0/go.mod h1:r49hO7CgrxY9Voaj3Xe8pANWtr0Oq916d0XAmOoCZAQ= +go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I= +go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0 h1:3iZJKlCZufyRzPzlQhUIWVmfltrXuGyfjREgGP3UUjc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0/go.mod h1:/G+nUPfhq2e+qiXMGxMwumDrP5jtzU+mWN7/sjT2rak= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc= go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I= -go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE= -go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs= -go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs= -go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY= -go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= -go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= -go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w= -go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA= -go.opentelemetry.io/proto/otlp v1.6.0 h1:jQjP+AQyTf+Fe7OKj/MfkDrmK4MNVtw2NpXsf9fefDI= 
-go.opentelemetry.io/proto/otlp v1.6.0/go.mod h1:cicgGehlFuNdgZkcALOCh3VE6K/u2tAjzlRhDwmVpZc= +go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM= +go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY= +go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg= +go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg= +go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw= +go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A= +go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A= +go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0= +go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g= +go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk= go.starlark.net v0.0.0-20231101134539-556fd59b42f6 h1:+eC0F/k4aBLC4szgOcjd7bDTEnpxADJyWJE0yowgM3E= go.starlark.net v0.0.0-20231101134539-556fd59b42f6/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= 
@@ -1239,8 +1237,8 @@ golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= -golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= +golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= +golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -1337,8 +1335,8 @@ golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60= -golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM= +golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= +golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1346,8 +1344,8 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= -golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= +golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ= +golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1364,8 +1362,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= -golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= +golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -1430,8 +1428,8 @@ golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= -golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 h1:bTLqdHv7xrGlFbvf5/TXNxy/iUwwdkjhqQTJDjW7aj0= golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4/go.mod h1:g5NllXBEermZrmR51cJDQxmJUHUOfRAaNyWBM+R+548= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 
@@ -1445,8 +1443,8 @@ golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg= -golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM= +golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= +golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1461,8 +1459,8 @@ golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= -golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= +golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= +golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -1540,6 +1538,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY= golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= +gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4= +gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= 
@@ -1595,10 +1595,10 @@ google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk= google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc= -google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 h1:Kog3KlB4xevJlAcbbbzPfRG0+X9fdoGM+UBRKVz6Wr0= -google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237/go.mod h1:ezi0AVyMKDWy5xAncvjLWH7UcLBB5n7y2fQ8MzjJcto= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA= +google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:7QBABkRtR8z+TEnmXTqIqwJLlzrZKVfAUm7tY3yGv0M= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 h1:m8qni9SQFH0tJc1X0vmnpw/0t+AImlSvp30sEupozUg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= 
@@ -1612,8 +1612,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA= -google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= +google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM= +google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -1626,8 +1626,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc= -google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= +google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= +google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/kubectl.Dockerfile b/kubectl.Dockerfile index e6ee3909..6302df08 100644 --- a/kubectl.Dockerfile +++ b/kubectl.Dockerfile 
@@ -1,3 +1,19 @@
-FROM alpine/kubectl:latest
+# Pin by digest (CIS Docker 4.7 — no floating tags).
+# alpine/kubectl:latest @ 2026-05-06 → resolved digest below.
+# Refresh via: docker buildx imagetools inspect alpine/kubectl:latest
+FROM alpine/kubectl:latest@sha256:e9acf90f4aa6e1735a50758ee251d7bc622361ee23c35617dc0dcbe7c50282b0
-RUN apk add --update bash curl
\ No newline at end of file
+# apk upgrade clears any base CVEs surfaced after the image was tagged
+# (e.g. nghttp2-libs CVE-2026-27135 was outstanding at scan time).
+RUN apk update \
+ && apk upgrade --no-cache \
+ && apk add --no-cache bash curl \
+ && rm -rf /var/cache/apk/*
+
+# CIS Docker 4.1 — drop privileges. kubectl needs no root capabilities.
+RUN addgroup -S sc && adduser -S -G sc -u 10001 sc
+USER 10001:10001
+
+# CIS Docker 4.6 — declare a healthcheck so orchestrators can detect rot.
+HEALTHCHECK --interval=30s --timeout=5s --start-period=2s --retries=3 \
+ CMD kubectl version --client=true >/dev/null 2>&1 || exit 1
From d9d4591725b90bbc5c71c2f933a6ca7f1545e50c Mon Sep 17 00:00:00 2001
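Review bot: The `# apk upgrade clears any base CVEs …` comment promises more than the layer delivers: the FROM is digest-pinned, so the only thing that makes `apk upgrade` pick up a fix published after the last build is an uncached rebuild of this RUN layer — under BuildKit's layer cache the upgrade is not re-evaluated, and the Alpine repository state at build time makes the image non-reproducible in exactly the way the digest pin was meant to prevent. Rewording it as `# NOTE: this layer is cached — rebuild with --no-cache (or bump the FROM digest) to pick up Alpine fixes published later; the digest pin makes FROM reproducible, apk upgrade does not` keeps the two mechanisms honest. Separately, `HEALTHCHECK … kubectl version --client=true` cannot fail once the image builds, so on what is presumably a one-shot CLI image it only ever reports healthy; the second patch in this series drops the github-actions probe on that very reasoning (CIS 4.6 targets long-running containers), and the same applies here. Minor: `apk update` is redundant with `--no-cache` on the following `apk upgrade`/`apk add` and is what leaves the index the trailing `rm -rf /var/cache/apk/*` has to clean.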
From: Dmitrii Creed Date: Wed, 6 May 2026 18:31:14 +0400 Subject: [PATCH 2/5] =?UTF-8?q?fix(security):=20self-review=20fixes=20?= =?UTF-8?q?=E2=80=94=20Pulumi=20sha256=20silent-pass,=20deprecated=20GCP?= =?UTF-8?q?=20auth,=20cache=20mounts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Self-review found six issues with the previous commit; all fixed here. 1) Pulumi checksum verification could silently pass: grep "${TARBALL}" pulumi-checksums.txt | awk ... | sha256sum -c - If the grep returned nothing (Pulumi renamed an asset, etc.), the pipeline would feed sha256sum empty stdin, which exits 0 — silently accepting an unverified tarball. Replaced with an explicit non-empty check on the captured SHA, plus `set -eu` so a missing PULUMI_VERSION from go.mod fails fast. 2) Restored BuildKit cache mounts on Pulumi + gcloud downloads: `--mount=type=cache,target=/tmp/{pulumi,gcloud}-dl,sharing=locked`. The original Dockerfile had a gcloud cache mount that I dropped during the multi-stage rewrite — re-runs were re-fetching ~85 MB of gcloud and ~80 MB of Pulumi from the CDN even when the inputs hadn't changed. The integrity check still runs every build, so a poisoned cache cannot break verification. 3) Caddy.Dockerfile: removed the dead pre-FROM `ARG version`. Versions live in three pinned places (builder digest, runtime digest, xcaddy build literal) — having an ARG that doesn't actually flow into the FROM lines is misleading. Hardcoded the literal "v2.11.2" with a sync-points comment. 4) Caddy HEALTHCHECK rewrote `wget -qO- :2019/config/` (admin API) to `caddy version`. The admin API is optional in Caddy and many users disable it; depending on it would mark the container unhealthy in those deployments — a behavior regression. `caddy version` is a basic binary-exec liveness probe, intentionally weaker than a daemon probe. 5) Removed the broken github-actions(+staging) HEALTHCHECK. 
The binary doesn't accept --version (it expects GITHUB_ACTION_TYPE env), so the probe always reported unhealthy. CIS Docker 4.6 targets long-running containers anyway; this image runs as a one-shot GitHub docker-action. 6) Fixed CI lint failure introduced by the dep bumps: `golang.org/x/oauth2` was transitively bumped 0.30.0 → 0.35.0 by the otel/grpc upgrades, which deprecated `auth.CredentialsFromJSONWithParams` in favor of `auth.CredentialsFromJSONWithTypeAndParams(_, _, ServiceAccount, _)`. SC stores GCP auth as service-account JSON, so the typed variant is the correct migration; pinning the type also makes the call reject unexpected credential shapes (workload-identity, refresh-token). Verified locally: - go build ./... — clean - go vet ./... — clean - staticcheck ./pkg/clouds/pulumi/gcp/... — no SA1019 left - go test -short ./pkg/{security,clouds/pulumi/gcp,clouds/pulumi/aws,clouds/pulumi/docker}/... — all pass - docker build (github-actions.Dockerfile) — succeeds - docker run gcloud/pulumi/gke-gcloud-auth-plugin --version — all work - trivy image — same 2 deferred docker/docker CVEs, alpine clean --- caddy.Dockerfile | 22 ++++---- github-actions-staging.Dockerfile | 44 +++++++++------- github-actions.Dockerfile | 55 +++++++++++++------- pkg/clouds/pulumi/gcp/gke_autopilot_stack.go | 7 ++- 4 files changed, 79 insertions(+), 49 deletions(-) diff --git a/caddy.Dockerfile b/caddy.Dockerfile index 3046fa4e..8f8957ad 100644 --- a/caddy.Dockerfile +++ b/caddy.Dockerfile 
@@ -2,19 +2,20 @@
 # in the older Caddy binary (CVE-2025-58187/58188/58189, CVE-2025-61723/61724/
 # 61725/61727/61730, CVE-2026-27139/27142, CVE-2026-32282/32288/32289) and the
 # Caddy-level CVE-2026-27586 (HIGH) reachable in <2.11.1.
-ARG version="2.11.2"
+#
+# Versions live in three places that MUST be kept in sync when bumping:
+# - the FROM digest of caddy:X.Y.Z-builder
+# - the FROM digest of caddy:X.Y.Z
+# - the literal in xcaddy build "vX.Y.Z" below
+# Refresh digests via `docker buildx imagetools inspect caddy:X.Y.Z[-builder]`.
 # Pin builder by digest (CIS Docker 4.7).
-# Refresh: docker buildx imagetools inspect caddy:${version}-builder
 FROM caddy:2.11.2-builder@sha256:10ed0251c5cd1dbb4db0b71ad43121147961a51adfec35febce2c93ea25c24f4 AS builder
-ARG version
-ENV CADDY_VERSION="${version}"
-
 # certmagic-gcs bumped 0.1.2 → 0.1.7 to align with current upstream.
 RUN --mount=type=cache,target=/go/pkg/mod,sharing=locked \
 --mount=type=cache,target=/root/.cache,sharing=locked \
- xcaddy build "v${CADDY_VERSION}" \
+ xcaddy build "v2.11.2" \
 --with github.com/grafana/certmagic-gcs@v0.1.7 \
 && caddy version
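Review bot: The `Versions live in three places that MUST be kept in sync` comment documents an invariant nothing enforces — if the `xcaddy build "v2.11.2"` literal drifts from the builder digest the build still succeeds and the shipped binary silently differs from what the digests claim to pin. A one-line assertion on the existing final step, `&& caddy version | grep -q '^v2.11.2'`, turns the comment into a build failure (confirm the exact `caddy version` output format on this builder first). If the pinned builder image already exports `CADDY_VERSION` — the removed `ENV CADDY_VERSION` line suggests xcaddy reads it — calling `xcaddy build` with no version argument would cut the sync points to two; worth checking against the builder before relying on it.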
@@ -29,11 +30,14 @@ RUN apk update \
 # Replace upstream binary with the build that has certmagic-gcs.
 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
-# CIS Docker 4.6 — admin API health check (Caddy listens on 2019 by default).
+# CIS Docker 4.6 — basic liveness probe. `caddy version` exercises the binary
+# without depending on the admin API (which consumers may disable) or knowing
+# which port the user binds; it does NOT prove the running daemon is healthy.
+# A daemon-level probe would need to know the bound port, which is config-specific.
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
- CMD wget -qO- http://127.0.0.1:2019/config/ >/dev/null 2>&1 || exit 1
+ CMD caddy version >/dev/null 2>&1 || exit 1
-# Note on USER: upstream caddy:2.10.0 runs as root so it can bind 80/443. Switching
+# Note on USER: upstream caddy:2.11.2 runs as root so it can bind 80/443. Switching
 # to non-root requires setcap CAP_NET_BIND_SERVICE on the binary AND certmagic state
 # directories owned by that user, which is intrusive given consumers mount their own
 # volumes. Tracked for follow-up; defaults preserved here.
diff --git a/github-actions-staging.Dockerfile b/github-actions-staging.Dockerfile
index cdfa7200..cd22484b 100644
--- a/github-actions-staging.Dockerfile
+++ b/github-actions-staging.Dockerfile
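Review bot: A `HEALTHCHECK` whose command cannot fail once the image builds is worse than none: `caddy version` succeeds whether or not the server is listening, so the runtime reports `healthy` for a wedged or crashed-listener caddy and anything keyed on health status (e.g. a compose `depends_on: condition: service_healthy`) proceeds on a false signal. The new comment already concedes it "does NOT prove the running daemon is healthy"; the choice consistent with what this same commit does for github-actions is to omit the probe and let consumers, who know their bound port, add a real one — e.g. `# HEALTHCHECK intentionally omitted: the bound port is config-specific; add a daemon-level probe in your compose/k8s manifest.` If a probe has to stay for CIS 4.6 audit reasons, the comment should say plainly that `healthy` carries no information for this image.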
@@ -16,31 +16,38 @@ RUN apk update && apk upgrade --no-cache \ # gcloud falls back to its bundled Python (which is what we want to delete). COPY go.mod /tmp/go.mod -RUN PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \ +RUN --mount=type=cache,target=/tmp/pulumi-dl,sharing=locked \ + set -eu \ + && PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \ + && [ -n "${PULUMI_VERSION}" ] || { echo "could not extract Pulumi version from go.mod" >&2; exit 1; } \ && echo "Installing Pulumi ${PULUMI_VERSION}" \ - && cd /tmp \ - && curl -fsSL -o pulumi.tar.gz \ - "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \ - && curl -fsSL -o pulumi-checksums.txt \ - "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-${PULUMI_VERSION}-checksums.txt" \ - && grep "pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" pulumi-checksums.txt \ - | awk '{print $1" pulumi.tar.gz"}' \ - | sha256sum -c - \ + && TARBALL="pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \ + && CHECKSUMS="pulumi-${PULUMI_VERSION}-checksums.txt" \ + && cd /tmp/pulumi-dl \ + && [ -f "${TARBALL}" ] || curl -fsSL -o "${TARBALL}" \ + "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/${TARBALL}" \ + && curl -fsSL -o "${CHECKSUMS}" \ + "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/${CHECKSUMS}" \ + && EXPECTED_SHA="$(grep "${TARBALL}" "${CHECKSUMS}" | awk '{print $1}')" \ + && [ -n "${EXPECTED_SHA}" ] || { echo "no checksum for ${TARBALL} in ${CHECKSUMS}" >&2; exit 1; } \ + && echo "${EXPECTED_SHA} ${TARBALL}" | sha256sum -c - \ && mkdir -p /opt/pulumi/bin \ - && tar -xzf pulumi.tar.gz -C /tmp \ + && tar -xzf "${TARBALL}" -C /tmp \ && mv /tmp/pulumi/* /opt/pulumi/bin/ \ - && rm -rf pulumi.tar.gz pulumi-checksums.txt /tmp/pulumi /tmp/go.mod \ + && rm -rf /tmp/pulumi /tmp/go.mod \ && strip 
/opt/pulumi/bin/* 2>/dev/null || true \ && upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true ARG GCLOUD_VERSION="567.0.0" ARG GCLOUD_SHA256="bd5afc0d249609cb40d45f665209190fdd38b9937954291b8f9ae54206c75d83" -RUN cd /tmp \ - && curl -fsSL -o gcloud.tar.gz \ - "https://storage.googleapis.com/cloud-sdk-release/google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" \ - && echo "${GCLOUD_SHA256} gcloud.tar.gz" | sha256sum -c - \ - && tar -xzf gcloud.tar.gz -C /opt \ - && rm -f gcloud.tar.gz \ +RUN --mount=type=cache,target=/tmp/gcloud-dl,sharing=locked \ + set -eu \ + && TARBALL="google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" \ + && cd /tmp/gcloud-dl \ + && [ -f "${TARBALL}" ] || curl -fsSL -o "${TARBALL}" \ + "https://storage.googleapis.com/cloud-sdk-release/${TARBALL}" \ + && echo "${GCLOUD_SHA256} ${TARBALL}" | sha256sum -c - \ + && tar -xzf "${TARBALL}" -C /opt \ && /opt/google-cloud-sdk/install.sh --quiet \ --usage-reporting=false --path-update=false --bash-completion=false \ && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet @@ -112,8 +119,7 @@ RUN pulumi version > /dev/null \ && gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin \ && test -L /usr/local/bin/sc && test -x /usr/local/bin/sc -HEALTHCHECK --interval=30s --timeout=5s --start-period=2s --retries=3 \ - CMD /root/github-actions --version >/dev/null 2>&1 || exit 1 +# HEALTHCHECK intentionally omitted — see github-actions.Dockerfile rationale. # GitHub Actions runner overrides WORKDIR with --workdir /github/workspace, so # the entrypoint needs to be an absolute path. diff --git a/github-actions.Dockerfile b/github-actions.Dockerfile index e92ed4ef..188ef1b5 100644 --- a/github-actions.Dockerfile +++ b/github-actions.Dockerfile 
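Review bot: The `sha256sum -c` added here cannot fail this RUN on its own: the chain is terminated by the unchanged `… || true \ && upx … || true`, and because `set -e` is suppressed inside an `&&`/`||` list, a mismatch (or a failed `curl`/`tar`) falls through to the first `|| true` and the step exits 0 while leaving the bad tarball in the cache mount. The extraction is skipped in that case, so the build only fails later in the `RUN pulumi version` smoke test with a "not found" error instead of a checksum error, and any reordering of that test would silently drop integrity enforcement. Scope the tolerance to the two optional steps with brace groups, `&& { strip /opt/pulumi/bin/* 2>/dev/null || true; } \` and `&& { upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true; }`, here and in the mirrored github-actions.Dockerfile.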
@@ -31,21 +31,31 @@ RUN apk update && apk upgrade --no-cache \ # from GitHub Releases, and verified against the per-version checksum file # Pulumi publishes alongside each release. Replaces `curl … | sh -s -- --version` # (CIS SSCS §5 — verify package/binary integrity; no `curl|bash`). +# +# `--mount=type=cache,target=/tmp/pulumi-dl` keeps the downloaded tarball + the +# checksum file across builds so re-runs hit local cache rather than the GitHub +# Releases CDN. The integrity check still runs on every build, so a corrupted +# cache cannot poison the result. COPY go.mod /tmp/go.mod -RUN PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \ +RUN --mount=type=cache,target=/tmp/pulumi-dl,sharing=locked \ + set -eu \ + && PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \ + && [ -n "${PULUMI_VERSION}" ] || { echo "could not extract Pulumi version from go.mod" >&2; exit 1; } \ && echo "Installing Pulumi ${PULUMI_VERSION}" \ - && cd /tmp \ - && curl -fsSL -o pulumi.tar.gz \ - "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \ - && curl -fsSL -o pulumi-checksums.txt \ - "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-${PULUMI_VERSION}-checksums.txt" \ - && grep "pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" pulumi-checksums.txt \ - | awk '{print $1" pulumi.tar.gz"}' \ - | sha256sum -c - \ + && TARBALL="pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \ + && CHECKSUMS="pulumi-${PULUMI_VERSION}-checksums.txt" \ + && cd /tmp/pulumi-dl \ + && [ -f "${TARBALL}" ] || curl -fsSL -o "${TARBALL}" \ + "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/${TARBALL}" \ + && curl -fsSL -o "${CHECKSUMS}" \ + "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/${CHECKSUMS}" \ + && EXPECTED_SHA="$(grep "${TARBALL}" "${CHECKSUMS}" | awk '{print $1}')" \ + 
&& [ -n "${EXPECTED_SHA}" ] || { echo "no checksum for ${TARBALL} in ${CHECKSUMS}" >&2; exit 1; } \ + && echo "${EXPECTED_SHA} ${TARBALL}" | sha256sum -c - \ && mkdir -p /opt/pulumi/bin \ - && tar -xzf pulumi.tar.gz -C /tmp \ + && tar -xzf "${TARBALL}" -C /tmp \ && mv /tmp/pulumi/* /opt/pulumi/bin/ \ - && rm -rf pulumi.tar.gz pulumi-checksums.txt /tmp/pulumi /tmp/go.mod \ + && rm -rf /tmp/pulumi /tmp/go.mod \ && strip /opt/pulumi/bin/* 2>/dev/null || true \ && upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true @@ -56,12 +66,14 @@ RUN PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk ' # sha256sum google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz ARG GCLOUD_VERSION="567.0.0" ARG GCLOUD_SHA256="bd5afc0d249609cb40d45f665209190fdd38b9937954291b8f9ae54206c75d83" -RUN cd /tmp \ - && curl -fsSL -o gcloud.tar.gz \ - "https://storage.googleapis.com/cloud-sdk-release/google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" \ - && echo "${GCLOUD_SHA256} gcloud.tar.gz" | sha256sum -c - \ - && tar -xzf gcloud.tar.gz -C /opt \ - && rm -f gcloud.tar.gz \ +RUN --mount=type=cache,target=/tmp/gcloud-dl,sharing=locked \ + set -eu \ + && TARBALL="google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" \ + && cd /tmp/gcloud-dl \ + && [ -f "${TARBALL}" ] || curl -fsSL -o "${TARBALL}" \ + "https://storage.googleapis.com/cloud-sdk-release/${TARBALL}" \ + && echo "${GCLOUD_SHA256} ${TARBALL}" | sha256sum -c - \ + && tar -xzf "${TARBALL}" -C /opt \ && /opt/google-cloud-sdk/install.sh --quiet \ --usage-reporting=false --path-update=false --bash-completion=false \ && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet 
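Review bot: The new comment says "a corrupted cache cannot poison the result", but nothing in this RUN makes a checksum mismatch fatal: the chain ends in `&& strip … || true \ && upx … || true`, and inside an `&&`/`||` list `set -e` does not fire, so a failed `sha256sum -c` (or `curl`, or `tar`) short-circuits into the first `|| true` and the step exits 0. Because extraction is skipped the failure surfaces only later as `pulumi: not found` in the runtime smoke test rather than as a checksum mismatch, and the bad tarball stays in the cache mount; the `exit 1` guards are unaffected since `exit` terminates the shell. Confine the tolerance to the two optional steps: `&& { strip /opt/pulumi/bin/* 2>/dev/null || true; } \` and `&& { upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true; }`.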
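Review bot: `[ -f "${TARBALL}" ] || curl -fsSL -o "${TARBALL}" …` treats any file present in the cache mount as a complete download, but a transfer that dies mid-stream leaves a partial file (`-f` only suppresses output for HTTP error responses, as far as I know), after which `sha256sum -c` fails on every rebuild until someone prunes the BuildKit cache. Download to a temporary name and rename only on success, and drop the cached file when the check fails: `|| { curl -fsSL -o "${TARBALL}.part" "https://storage.googleapis.com/cloud-sdk-release/${TARBALL}" && mv "${TARBALL}.part" "${TARBALL}"; }` and `echo "${GCLOUD_SHA256} ${TARBALL}" | sha256sum -c - || { rm -f "${TARBALL}"; exit 1; }`. The Pulumi download above has the same shape and would benefit from the same pattern.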
@@ -144,8 +156,11 @@ RUN pulumi version > /dev/null \ && gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin \ && test -L /usr/local/bin/sc && test -x /usr/local/bin/sc -# CIS Docker 4.6 — health probe (binary --version, no network, fast). -HEALTHCHECK --interval=30s --timeout=5s --start-period=2s --retries=3 \ - CMD /root/github-actions --version >/dev/null 2>&1 || exit 1 +# Note on HEALTHCHECK: intentionally omitted. CIS Docker 4.6 targets long-running +# containers; this image runs as a GitHub docker-action where the entrypoint +# executes one workflow step (deploy-client-stack, destroy, ...) and exits, so a +# liveness probe can never fire. The github-actions binary itself has no +# generic --version / --help that exits 0 without GITHUB_ACTION_TYPE set, so any +# probe would either be a no-op or report unhealthy on every cold start. ENTRYPOINT ["/root/github-actions"] diff --git a/pkg/clouds/pulumi/gcp/gke_autopilot_stack.go b/pkg/clouds/pulumi/gcp/gke_autopilot_stack.go index 033b862f..91578624 100644 --- a/pkg/clouds/pulumi/gcp/gke_autopilot_stack.go +++ b/pkg/clouds/pulumi/gcp/gke_autopilot_stack.go 
@@ -324,7 +324,12 @@ func getDockerCredentialsWithAuthToken(ctx *sdk.Context, input api.ResourceInput if !ok { return nil, errors.Errorf("failed to cast resource descriptor to api.AuthConfig") } - credentials, err := auth.CredentialsFromJSONWithParams(ctx.Context(), []byte(authCfg.CredentialsValue()), auth.CredentialsParams{ + // CredentialsFromJSONWithParams was deprecated in golang.org/x/oauth2 ≥ v0.34 + // for security reasons; replaced by the typed variant. SC stores GCP auth as + // service-account JSON only (see api.AuthConfig.CredentialsValue), so pinning + // the credential type to ServiceAccount keeps this call rejecting unexpected + // credential shapes (workload-identity, refresh-token, etc.). + credentials, err := auth.CredentialsFromJSONWithTypeAndParams(ctx.Context(), []byte(authCfg.CredentialsValue()), auth.ServiceAccount, auth.CredentialsParams{ Scopes: []string{ "https://www.googleapis.com/auth/cloud-platform", }, From 0a741a6469689a2fe46bab127f2fb9bc122b72ac Mon Sep 17 00:00:00 2001 From: Dmitrii Creed Date: Wed, 6 May 2026 19:01:47 +0400 Subject: [PATCH 3/5] fix(deps): bump go directive to 1.25.9, drop toolchain directive MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces `go 1.25.0` + `toolchain go1.25.9` with a single `go 1.25.9`. The toolchain directive was added so the module would compile under any Go ≥ 1.25.0 (auto-downloading 1.25.9 if older), which is unnecessary indirection — pinning the go version directly is clearer and CI is already on 1.25.9. Anyone with an older Go installed gets a fail-fast error instead of silently fetching a different toolchain. Same stdlib CVE coverage as before (the 1.25.9 stdlib is what gets used either way). --- go.mod | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/go.mod b/go.mod index a144c58c..408db27c 100644 --- a/go.mod +++ b/go.mod 
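Review bot: The new comment says the untyped call was deprecated "for security reasons" without saying what the risk is, so the next reader cannot judge whether pinning `auth.ServiceAccount` is still the right choice when the stored credential format changes; quote the upstream deprecation text or state the concrete risk the typed variant removes. I would also add a hedged reminder next to the call, e.g. `// NOTE(review): any non-service-account JSON now fails here — make sure the error path below surfaces it as a config error, not a generic auth failure`. The `err` handling for this call is outside the hunk.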
@@ -1,8 +1,6 @@ module github.com/simple-container-com/api -go 1.25.0 - -toolchain go1.25.9 +go 1.25.9 require ( cloud.google.com/go/storage v1.49.0 From 565c4831b0283d19a91fc0ed34bde3ce77d2c79f Mon Sep 17 00:00:00 2001 From: Dmitrii Creed Date: Wed, 6 May 2026 19:26:38 +0400 Subject: [PATCH 4/5] fix(docker): drop misleading HEALTHCHECK directives from kubectl + caddy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both probes were CIS-checkbox theater rather than useful liveness signals. kubectl.Dockerfile: this image is invoked as a one-shot tool (`docker run --rm simplecontainer/kubectl `), not a long-running daemon — a liveness probe never has a chance to fire. CIS Docker 4.6 applies to long-running containers; cargo-culting it here only adds noise. caddy.Dockerfile: a meaningful daemon probe needs the consumer's bound port (or the admin API at :2019, which many consumers disable for security). Both are config-specific. The probe I had only ran `caddy version`, which exits 0 as long as the binary file exists on disk — it would report healthy through a crashlooping daemon. Worse than no probe. Consumers running Caddy in orchestrators should declare a probe in their own deployment manifest where the bound port is known. --- caddy.Dockerfile | 12 ++++++------ kubectl.Dockerfile | 6 +++--- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/caddy.Dockerfile b/caddy.Dockerfile index 8f8957ad..462c40a1 100644 --- a/caddy.Dockerfile +++ b/caddy.Dockerfile 
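Review bot: Replacing `toolchain go1.25.9` with `go 1.25.9` does not give the fail-fast the commit message describes under Go's default `GOTOOLCHAIN=auto`: a `go` line newer than the installed toolchain makes the go command download and switch to go1.25.9 exactly as the toolchain line did, and only `GOTOOLCHAIN=local` turns that into an error. Because this is a library module (`module github.com/simple-container-com/api`), the `go` line is also a minimum imposed on every importer, whereas `toolchain` applied only to builds of this module itself. If fail-fast in CI is the goal, keep `go 1.25.0` plus `toolchain go1.25.9` and set `GOTOOLCHAIN=local` in the workflow; if the intent really is to require 1.25.9 of all consumers, say so in the commit message.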
@@ -30,12 +30,12 @@ RUN apk update \ # Replace upstream binary with the build that has certmagic-gcs. COPY --from=builder /usr/bin/caddy /usr/bin/caddy -# CIS Docker 4.6 — basic liveness probe. `caddy version` exercises the binary -# without depending on the admin API (which consumers may disable) or knowing -# which port the user binds; it does NOT prove the running daemon is healthy. -# A daemon-level probe would need to know the bound port, which is config-specific. -HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \ - CMD caddy version >/dev/null 2>&1 || exit 1 +# No HEALTHCHECK: a meaningful liveness probe would need to hit the port the +# consumer binds (or the admin API at :2019, which many consumers disable). +# Both are config-specific. Probing only the binary (`caddy version`) reports +# healthy even when the daemon is crashlooping, which is worse than no probe. +# Consumers who run Caddy in orchestrators should add a HEALTHCHECK in their +# own deployment manifest or use the orchestrator's HTTP probe primitives. # Note on USER: upstream caddy:2.11.2 runs as root so it can bind 80/443. Switching # to non-root requires setcap CAP_NET_BIND_SERVICE on the binary AND certmagic state diff --git a/kubectl.Dockerfile b/kubectl.Dockerfile index 6302df08..09fe3eac 100644 --- a/kubectl.Dockerfile +++ b/kubectl.Dockerfile @@ -14,6 +14,6 @@ RUN apk update \ RUN addgroup -S sc && adduser -S -G sc -u 10001 sc USER 10001:10001 -# CIS Docker 4.6 — declare a healthcheck so orchestrators can detect rot. -HEALTHCHECK --interval=30s --timeout=5s --start-period=2s --retries=3 \ - CMD kubectl version --client=true >/dev/null 2>&1 || exit 1 +# No HEALTHCHECK: invoked as a one-shot tool +# (`docker run --rm simplecontainer/kubectl `), not a long-running +# daemon — a liveness probe never has a chance to fire. From 377e0e3dec01c0da47c4f147e8bd2f784aa672d8 Mon Sep 17 00:00:00 2001 
From: Dmitrii Creed Date: Wed, 6 May 2026 21:57:34 +0400 Subject: [PATCH 5/5] fix(security): trim Dockerfile comments, harden pipefail, fix CI tools step MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Self-review pass requested by reviewer. Net: -97 lines vs prev commit (comments were verbose; substance unchanged). Comments - Cut from CIS-section recitations to one-line *why* per non-obvious step. - Removed restated "no HEALTHCHECK because…" / "no USER because…" blocks from kubectl, caddy. The single line at the top of github-actions states the rationale once for that image. Defense in depth (STRIDE T+S) - `set -eu` → `set -euo pipefail` on the Pulumi + gcloud RUNs. Existing `[ -n "$VAR" ]` guards already caught silent-pass on the grep|awk| sha256sum chain, but pipefail covers anything similar I might add later. Verified Alpine 3.21 ash supports `-o pipefail`. - OCI labels added to all 5 images (`org.opencontainers.image.source`, `.licenses`, `.title`, `.description`) so signed/published images can be traced back to this repo. CI tools-step fix - Pre-bake the post-`go get tools` state in go.mod/go.sum: atombender/go-jsonschema 0.22.0 → 0.23.0 go-delve/delve 1.26.1 → 1.26.3 mvdan.cc/gofumpt 0.9.2 → 0.10.0 + golang.org/x/{crypto,mod,net,sys,term,text,tools,telemetry} bumps The push.yaml `tools` step does `go get tool` (no version) → `go mod download` → `go generate -tags tools` → `go mod tidy`. With newly- released gofumpt v0.10.0 etc., go.sum was missing entries that generate needed (tidy at the end is too late). Pre-baking the bumps here makes CI's `go get` a no-op so generate sees a complete go.sum. Same trick d9d4591 was relying on implicitly via an older gofumpt. 
--- caddy.Dockerfile | 37 +++-------- cloud-helpers.aws.Dockerfile | 13 ++-- github-actions-staging.Dockerfile | 52 +++++---------- github-actions.Dockerfile | 103 ++++++++---------------------- go.mod | 24 +++---- go.sum | 52 +++++++-------- kubectl.Dockerfile | 14 ++-- 7 files changed, 98 insertions(+), 197 deletions(-) diff --git a/caddy.Dockerfile b/caddy.Dockerfile index 462c40a1..ec63aec2 100644 --- a/caddy.Dockerfile +++ b/caddy.Dockerfile 
@@ -1,43 +1,22 @@ -# Caddy version bump: 2.8.4 → 2.11.2 — clears Go stdlib CVEs that were present -# in the older Caddy binary (CVE-2025-58187/58188/58189, CVE-2025-61723/61724/ -# 61725/61727/61730, CVE-2026-27139/27142, CVE-2026-32282/32288/32289) and the -# Caddy-level CVE-2026-27586 (HIGH) reachable in <2.11.1. -# -# Versions live in three places that MUST be kept in sync when bumping: -# - the FROM digest of caddy:X.Y.Z-builder -# - the FROM digest of caddy:X.Y.Z -# - the literal in xcaddy build "vX.Y.Z" below -# Refresh digests via `docker buildx imagetools inspect caddy:X.Y.Z[-builder]`. +# Caddy 2.11.2: clears Go-stdlib CVEs in 2.8.4's binary + CVE-2026-27586. +# Bumping requires editing all three "2.11.2" sites below (two FROMs + xcaddy). +# Refresh: docker buildx imagetools inspect caddy:X.Y.Z[-builder] -# Pin builder by digest (CIS Docker 4.7). FROM caddy:2.11.2-builder@sha256:10ed0251c5cd1dbb4db0b71ad43121147961a51adfec35febce2c93ea25c24f4 AS builder -# certmagic-gcs bumped 0.1.2 → 0.1.7 to align with current upstream. RUN --mount=type=cache,target=/go/pkg/mod,sharing=locked \ --mount=type=cache,target=/root/.cache,sharing=locked \ xcaddy build "v2.11.2" \ --with github.com/grafana/certmagic-gcs@v0.1.7 \ && caddy version -# Pin runtime by digest. FROM caddy:2.11.2@sha256:25cdc846626b62d05f6b633b9b40c2c9f6ef89b515dc76133cefd920f7dbe562 -# Pull post-tag distro security updates without bloating the layer. -RUN apk update \ - && apk upgrade --no-cache \ - && rm -rf /var/cache/apk/* +RUN apk update && apk upgrade --no-cache && rm -rf /var/cache/apk/* -# Replace upstream binary with the build that has certmagic-gcs. COPY --from=builder /usr/bin/caddy /usr/bin/caddy -# No HEALTHCHECK: a meaningful liveness probe would need to hit the port the -# consumer binds (or the admin API at :2019, which many consumers disable). -# Both are config-specific. 
Probing only the binary (`caddy version`) reports -# healthy even when the daemon is crashlooping, which is worse than no probe. -# Consumers who run Caddy in orchestrators should add a HEALTHCHECK in their -# own deployment manifest or use the orchestrator's HTTP probe primitives. - -# Note on USER: upstream caddy:2.11.2 runs as root so it can bind 80/443. Switching -# to non-root requires setcap CAP_NET_BIND_SERVICE on the binary AND certmagic state -# directories owned by that user, which is intrusive given consumers mount their own -# volumes. Tracked for follow-up; defaults preserved here. +LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \ + org.opencontainers.image.licenses="Apache-2.0" \ + org.opencontainers.image.title="simplecontainer/caddy" \ + org.opencontainers.image.description="Caddy with grafana/certmagic-gcs" diff --git a/cloud-helpers.aws.Dockerfile b/cloud-helpers.aws.Dockerfile index d5699e32..48fe30a3 100644 --- a/cloud-helpers.aws.Dockerfile +++ b/cloud-helpers.aws.Dockerfile 
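Review bot: Dropping the "Note on USER" block leaves the runtime stage running as root with no in-file explanation; the commit message says the rationale now lives in github-actions.Dockerfile, but that one-liner is about `/github/workspace` ownership and does not apply to Caddy. Keep one line so a CIS 4.1 / hadolint DL3002 finding has its answer next to it, e.g. `# USER stays root: upstream caddy binds 80/443; non-root needs CAP_NET_BIND_SERVICE + certmagic state dirs owned by that user (follow-up).`.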
@@ -1,20 +1,17 @@ -# Pin AWS Lambda base image by digest (CIS Docker 4.7). -# public.ecr.aws/lambda/provided:al2023 @ 2026-05-06 → resolved digest below. -# Refresh via: docker buildx imagetools inspect public.ecr.aws/lambda/provided:al2023 +# Refresh: docker buildx imagetools inspect public.ecr.aws/lambda/provided:al2023 FROM public.ecr.aws/lambda/provided:al2023@sha256:a48275a6cb21dbd9cae6f8cc10ee8ccc416e1b48f9376d049c5b347985239456 -# Pull post-tag glibc updates (CVE-2026-4046 was outstanding at scan time). +# Pull post-tag distro fixes (e.g. glibc CVE-2026-4046 once published to AL2023 dnf). RUN dnf upgrade -y --setopt=tsflags=nodocs \ && dnf clean all \ && rm -rf /var/cache/dnf WORKDIR / - -# CIS Docker 4.9 — prefer COPY over ADD (ADD adds tar/URL semantics not needed here). COPY dist/cloud-helpers /cloud-helpers - EXPOSE 8080 -# Lambda execution environment overrides USER via the bootstrap, so USER is intentionally omitted. +LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \ + org.opencontainers.image.licenses="Apache-2.0" \ + org.opencontainers.image.title="simplecontainer/cloud-helpers" ENTRYPOINT ["/cloud-helpers"] diff --git a/github-actions-staging.Dockerfile b/github-actions-staging.Dockerfile index cd22484b..36b13a98 100644 --- a/github-actions-staging.Dockerfile +++ b/github-actions-staging.Dockerfile 
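Review bot: The deleted line `# Lambda execution environment overrides USER via the bootstrap, so USER is intentionally omitted.` was the only justification for a root-by-default image, and the github-actions one-liner the commit message points to does not cover Lambda. Keep a one-line version of it, and since `dnf upgrade -y` runs against a digest-pinned base, note in the same comment that the layer content now depends on build date, so the digest alone no longer makes this image reproducible.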
@@ -1,26 +1,18 @@ -# Staging variant of github-actions.Dockerfile. Identical hardening; only -# difference is that it consumes ./bin/github-actions (built by welder) rather -# than dist/github-actions (built by CI). Keep these two files in sync — any -# change to base, tooling versions, or runtime layout MUST be mirrored in -# github-actions.Dockerfile. +# Staging variant of github-actions.Dockerfile. Mirrors prod hardening; the only +# difference is that it consumes ./bin/github-actions (built by welder) instead +# of dist/github-actions (built by CI). Keep the two files in sync. -# ───────────────────────────────────────────────────────────────────────────── -# Stage 1: tool downloader/builder -# ───────────────────────────────────────────────────────────────────────────── FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS builder RUN apk update && apk upgrade --no-cache \ && apk add --no-cache curl bash binutils upx ca-certificates tar python3 \ && rm -rf /var/cache/apk/* -# python3 in the builder is required for `gcloud components install`; without it, -# gcloud falls back to its bundled Python (which is what we want to delete). COPY go.mod /tmp/go.mod RUN --mount=type=cache,target=/tmp/pulumi-dl,sharing=locked \ - set -eu \ + set -euo pipefail \ && PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \ - && [ -n "${PULUMI_VERSION}" ] || { echo "could not extract Pulumi version from go.mod" >&2; exit 1; } \ - && echo "Installing Pulumi ${PULUMI_VERSION}" \ + && [ -n "${PULUMI_VERSION}" ] || { echo "no pulumi version in go.mod" >&2; exit 1; } \ && TARBALL="pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \ && CHECKSUMS="pulumi-${PULUMI_VERSION}-checksums.txt" \ && cd /tmp/pulumi-dl \ 
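Review bot: `PULUMI_VERSION` comes from an unanchored `grep 'github.com/pulumi/pulumi/sdk/v3'` over go.mod, so a future `replace` directive or any second line mentioning that path yields a multi-line value that still passes the `[ -n … ]` guard and then produces a malformed download URL. Match the require line's module field exactly and assert a single result: `PULUMI_VERSION="$(awk '$1 == "github.com/pulumi/pulumi/sdk/v3" { print $2 }' /tmp/go.mod | sed 's/^v//')"` followed by `[ "$(printf '%s\n' "${PULUMI_VERSION}" | wc -l)" -eq 1 ] || { echo "ambiguous pulumi version in go.mod" >&2; exit 1; }`. Note also that the `set -euo pipefail` added here does not make the checksum check fatal: the same RUN still ends in `… || true` (outside this hunk; visible in the earlier patch on this page), so the tail of the chain decides the exit status.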
@@ -29,7 +21,7 @@ RUN --mount=type=cache,target=/tmp/pulumi-dl,sharing=locked \ && curl -fsSL -o "${CHECKSUMS}" \ "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/${CHECKSUMS}" \ && EXPECTED_SHA="$(grep "${TARBALL}" "${CHECKSUMS}" | awk '{print $1}')" \ - && [ -n "${EXPECTED_SHA}" ] || { echo "no checksum for ${TARBALL} in ${CHECKSUMS}" >&2; exit 1; } \ + && [ -n "${EXPECTED_SHA}" ] || { echo "no checksum entry for ${TARBALL}" >&2; exit 1; } \ && echo "${EXPECTED_SHA} ${TARBALL}" | sha256sum -c - \ && mkdir -p /opt/pulumi/bin \ && tar -xzf "${TARBALL}" -C /tmp \ @@ -41,7 +33,7 @@ RUN --mount=type=cache,target=/tmp/pulumi-dl,sharing=locked \ ARG GCLOUD_VERSION="567.0.0" ARG GCLOUD_SHA256="bd5afc0d249609cb40d45f665209190fdd38b9937954291b8f9ae54206c75d83" RUN --mount=type=cache,target=/tmp/gcloud-dl,sharing=locked \ - set -eu \ + set -euo pipefail \ && TARBALL="google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" \ && cd /tmp/gcloud-dl \ && [ -f "${TARBALL}" ] || curl -fsSL -o "${TARBALL}" \ @@ -52,9 +44,6 @@ RUN --mount=type=cache,target=/tmp/gcloud-dl,sharing=locked \ --usage-reporting=false --path-update=false --bash-completion=false \ && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet -# Slim gcloud SDK — see github-actions.Dockerfile for the full rationale; must -# run AFTER `gcloud components install` in a separate RUN, otherwise gcloud -# touches `bundledpythonunix` again and the rm in the same chain becomes a no-op. RUN rm -rf \ /opt/google-cloud-sdk/.install/.backup \ /opt/google-cloud-sdk/.install/.download \ 
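Review bot: `grep "${TARBALL}" "${CHECKSUMS}"` is an unanchored regular expression — the dots in the name match any character and the pattern also matches any longer asset name containing it — so if the checksum file ever lists more than one matching line `EXPECTED_SHA` becomes multi-line, passes `[ -n … ]`, and busybox `sha256sum -c` then likely checks only whichever line parses. Match the filename field exactly and check the digest's shape: `EXPECTED_SHA="$(awk -v f="${TARBALL}" '$2 == f { print $1 }' "${CHECKSUMS}")"` followed by `[ "${#EXPECTED_SHA}" -eq 64 ] || { echo "bad checksum entry for ${TARBALL}" >&2; exit 1; }` (this assumes the conventional `hash  name` layout of that file; a leading `*` binary marker on the name would need stripping first). The RUN continues outside this hunk.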
@@ -80,26 +69,14 @@ RUN rm -rf \ /root/.config/gcloud/configurations \ && find /opt/google-cloud-sdk -name "*.pyc" -delete \ && find /opt/google-cloud-sdk -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true \ - && find /opt/google-cloud-sdk -name "*.md" -delete \ - && find /opt/google-cloud-sdk -name "*.txt" -delete \ - && find /opt/google-cloud-sdk -name "COPYING*" -delete \ - && find /opt/google-cloud-sdk -name "LICENSE*" -delete \ + && find /opt/google-cloud-sdk \( -name "*.md" -o -name "*.txt" -o -name "COPYING*" -o -name "LICENSE*" \) -delete \ && rm -rf /tmp/* /var/tmp/* -# ───────────────────────────────────────────────────────────────────────────── -# Stage 2: runtime -# ───────────────────────────────────────────────────────────────────────────── +# ── runtime ───────────────────────────────────────────────────────────────── FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d RUN apk update && apk upgrade --no-cache \ - && apk add --no-cache \ - ca-certificates \ - git \ - openssh-client \ - curl \ - jq \ - bash \ - python3 \ + && apk add --no-cache ca-certificates git openssh-client curl jq bash python3 \ && rm -rf /var/cache/apk/* /tmp/* /var/tmp/* COPY --from=builder /opt/pulumi /opt/pulumi @@ -109,7 +86,6 @@ ENV PATH="/opt/pulumi/bin:/opt/google-cloud-sdk/bin:${PATH}" WORKDIR /root/ -# Staging path: welder writes the binary to ./bin/github-actions. COPY ./bin/github-actions ./github-actions RUN chmod +x ./github-actions \ && ln -s /root/github-actions /usr/local/bin/sc 
@@ -119,8 +95,10 @@ RUN pulumi version > /dev/null \ && gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin \ && test -L /usr/local/bin/sc && test -x /usr/local/bin/sc -# HEALTHCHECK intentionally omitted — see github-actions.Dockerfile rationale. +LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \ + org.opencontainers.image.licenses="Apache-2.0" \ + org.opencontainers.image.title="simplecontainer/github-actions" \ + org.opencontainers.image.description="SC GitHub Actions runner image (staging)" -# GitHub Actions runner overrides WORKDIR with --workdir /github/workspace, so -# the entrypoint needs to be an absolute path. +# Absolute path required: GitHub Actions runner overrides WORKDIR with --workdir /github/workspace. ENTRYPOINT ["/root/github-actions"] diff --git a/github-actions.Dockerfile b/github-actions.Dockerfile index 188ef1b5..36f53d2e 100644 --- a/github-actions.Dockerfile +++ b/github-actions.Dockerfile 
@@ -1,47 +1,25 @@ -# GitHub Actions docker-action runtime image — multi-stage build. +# GitHub docker-action runtime: builder downloads/verifies/slims tools, +# runtime keeps only what github-actions invokes via exec.LookPath. # -# Stage 1 (builder): downloads + verifies + slims Pulumi and Google Cloud SDK, -# using build-only tools (binutils, upx, curl). These tools NEVER reach the -# runtime layer (CIS Docker 4.3 — minimal base image). -# -# Stage 2 (runtime): minimal Alpine + only what `github-actions` invokes via -# exec.LookPath: gcloud (Python-backed), pulumi, git, ssh-client, curl, jq, -# bash. The pre-built `github-actions` Go binary is copied in last. -# -# Note on USER: GitHub docker-based actions run with the workspace mounted at -# /github/workspace owned by root. Setting a non-root USER here causes git -# operations to fail with "dubious ownership" or perms errors. Tracked as a -# follow-up (would require GitHub's "self-hosted runner with userns" or -# `safe.directory '*'` workarounds applied at action invocation). +# USER stays root: GitHub mounts /github/workspace as root, non-root breaks +# git ops. HEALTHCHECK omitted: one-shot action, never long-running. -# ───────────────────────────────────────────────────────────────────────────── -# Stage 1: tool downloader/builder -# ───────────────────────────────────────────────────────────────────────────── -# alpine:3.21 pinned by digest (CIS Docker 4.7); refresh: -# docker buildx imagetools inspect alpine:3.21 +# Refresh: docker buildx imagetools inspect alpine:3.21 FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d AS builder +# python3 needed so `gcloud components install` doesn't fall back to (and recreate) the bundled Python we want to delete. 
RUN apk update && apk upgrade --no-cache \ && apk add --no-cache curl bash binutils upx ca-certificates tar python3 \ && rm -rf /var/cache/apk/* -# python3 in the builder is required for `gcloud components install`; without it, -# gcloud falls back to its bundled Python (which is what we want to delete). -# Pulumi CLI — version is sourced from go.mod for consistency, downloaded -# from GitHub Releases, and verified against the per-version checksum file -# Pulumi publishes alongside each release. Replaces `curl … | sh -s -- --version` -# (CIS SSCS §5 — verify package/binary integrity; no `curl|bash`). -# -# `--mount=type=cache,target=/tmp/pulumi-dl` keeps the downloaded tarball + the -# checksum file across builds so re-runs hit local cache rather than the GitHub -# Releases CDN. The integrity check still runs on every build, so a corrupted -# cache cannot poison the result. +# Pulumi: version from go.mod, SHA-256 verified against per-release checksums +# file Pulumi publishes on GitHub Releases (replaces curl|sh from get.pulumi.com). +# Cache mount avoids re-downloading the tarball; integrity check runs every build. COPY go.mod /tmp/go.mod RUN --mount=type=cache,target=/tmp/pulumi-dl,sharing=locked \ - set -eu \ + set -euo pipefail \ && PULUMI_VERSION="$(grep 'github.com/pulumi/pulumi/sdk/v3' /tmp/go.mod | awk '{print $2}' | sed 's/^v//')" \ - && [ -n "${PULUMI_VERSION}" ] || { echo "could not extract Pulumi version from go.mod" >&2; exit 1; } \ - && echo "Installing Pulumi ${PULUMI_VERSION}" \ + && [ -n "${PULUMI_VERSION}" ] || { echo "no pulumi version in go.mod" >&2; exit 1; } \ && TARBALL="pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \ && CHECKSUMS="pulumi-${PULUMI_VERSION}-checksums.txt" \ && cd /tmp/pulumi-dl \ 
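Review bot: The header comment describes the Pulumi tarball as "SHA-256 verified against per-release checksums file Pulumi publishes on GitHub Releases", but that file is fetched from the same release, over the same channel, in the same build as the tarball, so the check catches transfer corruption and a stale cache entry, not a replaced or compromised release asset — unlike the gcloud step, which pins `GCLOUD_SHA256` in the Dockerfile where a reviewer sees it change. Either pin a `PULUMI_SHA256` ARG next to the go.mod-derived version (a bump then has to touch both, which is the point), or verify a signature or attestation over the checksums file if Pulumi publishes one (I cannot confirm that from here), and word the comment so it does not overstate what the check proves. The RUN continues past the end of this hunk.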
@@ -50,7 +28,7 @@ RUN --mount=type=cache,target=/tmp/pulumi-dl,sharing=locked \ && curl -fsSL -o "${CHECKSUMS}" \ "https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/${CHECKSUMS}" \ && EXPECTED_SHA="$(grep "${TARBALL}" "${CHECKSUMS}" | awk '{print $1}')" \ - && [ -n "${EXPECTED_SHA}" ] || { echo "no checksum for ${TARBALL} in ${CHECKSUMS}" >&2; exit 1; } \ + && [ -n "${EXPECTED_SHA}" ] || { echo "no checksum entry for ${TARBALL}" >&2; exit 1; } \ && echo "${EXPECTED_SHA} ${TARBALL}" | sha256sum -c - \ && mkdir -p /opt/pulumi/bin \ && tar -xzf "${TARBALL}" -C /tmp \ @@ -59,15 +37,12 @@ RUN --mount=type=cache,target=/tmp/pulumi-dl,sharing=locked \ && strip /opt/pulumi/bin/* 2>/dev/null || true \ && upx --best --lzma /opt/pulumi/bin/* 2>/dev/null || true -# Google Cloud SDK — pinned version + SHA-256 against Google's published tarball. -# Refresh procedure (run on host): -# GCLOUD_VERSION= -# curl -sSLO "https://storage.googleapis.com/cloud-sdk-release/google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" -# sha256sum google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz +# gcloud: pinned version + SHA-256 (Google does not publish per-release sig). +# Refresh: pull the tarball, sha256sum it, paste below. ARG GCLOUD_VERSION="567.0.0" ARG GCLOUD_SHA256="bd5afc0d249609cb40d45f665209190fdd38b9937954291b8f9ae54206c75d83" RUN --mount=type=cache,target=/tmp/gcloud-dl,sharing=locked \ - set -eu \ + set -euo pipefail \ && TARBALL="google-cloud-cli-${GCLOUD_VERSION}-linux-x86_64.tar.gz" \ && cd /tmp/gcloud-dl \ && [ -f "${TARBALL}" ] || curl -fsSL -o "${TARBALL}" \ 
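Review bot: The refresh procedure in the new gcloud comment — "pull the tarball, sha256sum it, paste below" — computes the pin from the very download it is meant to protect, so `GCLOUD_SHA256` guards against later drift of the artifact but not against the first fetch being wrong; the "Google does not publish per-release sig" remark is also stated as fact without a reference. Record what the pin actually is, e.g. `# Refresh: download the tarball, sha256sum it, cross-check the value from a second machine/network path, paste below (TOFU: no upstream signature known at time of writing).`.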
@@ -78,11 +53,8 @@ RUN --mount=type=cache,target=/tmp/gcloud-dl,sharing=locked \ --usage-reporting=false --path-update=false --bash-completion=false \ && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin --quiet -# Slim gcloud SDK — separate RUN so it executes AFTER components install and -# any side-effects of gcloud invocations have settled. `bundledpythonunix` is -# regenerated by gcloud at runtime if the system Python (python3) is on PATH, -# and removing it inline alongside `gcloud components install` was a no-op -# because gcloud touched the dir after the rm chain item ran in the same RUN. +# Slim gcloud — must be a SEPARATE RUN because `gcloud components install` +# touches `bundledpythonunix` after the rm chain in the same RUN executes. RUN rm -rf \ /opt/google-cloud-sdk/.install/.backup \ /opt/google-cloud-sdk/.install/.download \ 
@@ -108,34 +80,17 @@ RUN rm -rf \
 /root/.config/gcloud/configurations \
 && find /opt/google-cloud-sdk -name "*.pyc" -delete \
 && find /opt/google-cloud-sdk -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true \
- && find /opt/google-cloud-sdk -name "*.md" -delete \
- && find /opt/google-cloud-sdk -name "*.txt" -delete \
- && find /opt/google-cloud-sdk -name "COPYING*" -delete \
- && find /opt/google-cloud-sdk -name "LICENSE*" -delete \
+ && find /opt/google-cloud-sdk \( -name "*.md" -o -name "*.txt" -o -name "COPYING*" -o -name "LICENSE*" \) -delete \
 && rm -rf /tmp/* /var/tmp/*
-# ─────────────────────────────────────────────────────────────────────────────
-# Stage 2: runtime
-# ─────────────────────────────────────────────────────────────────────────────
-# Alpine 3.19 → 3.21 (clears musl CVE-2026-40200 / CVE-2026-6042, openssh
-# CVE-2023-51767, busybox CVE-2024-58251 / CVE-2025-46394). Pinned by digest.
+# ── runtime ─────────────────────────────────────────────────────────────────
 FROM alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d
-# Runtime-only deps. python3 is required because gcloud invokes Python; py3-pip
-# was used only for transitive build steps — dropped per CIS Docker 4.3.
+# python3 stays — gcloud invokes it. py3-pip / binutils / upx confined to builder.
 RUN apk update && apk upgrade --no-cache \
- && apk add --no-cache \
- ca-certificates \
- git \
- openssh-client \
- curl \
- jq \
- bash \
- python3 \
+ && apk add --no-cache ca-certificates git openssh-client curl jq bash python3 \
 && rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
-# Copy validated/slimmed tools from builder (no curl|bash, no build tools, no
-# upx/binutils, no py3-pip in this layer).
 COPY --from=builder /opt/pulumi /opt/pulumi
 COPY --from=builder /opt/google-cloud-sdk /opt/google-cloud-sdk
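Review bot: The runtime stage pins its base by digest on the `FROM alpine:3.21@sha256:` line but then runs `apk upgrade` and an unpinned `apk add` on the next lines, so two builds of the same Dockerfile can still contain different package versions; the digest buys reproducibility of the base only, and the collapsed `+ && apk add --no-cache ...` line dropped the one-package-per-line layout that makes later version pins diffable. If the upgrade is the intended trade-off (post-tag CVE fixes over a frozen package set), say so where it happens: `# apk upgrade is deliberate: the digest freezes the base, this pulls post-tag fixes; package set is intentionally unpinned.` The same pattern appears in the kubectl.Dockerfile hunk (`apk update && apk upgrade --no-cache && apk add --no-cache bash curl`). `apk update` is also redundant next to `--no-cache`, which refreshes the index itself.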
@@ -143,24 +98,20 @@ ENV PATH="/opt/pulumi/bin:/opt/google-cloud-sdk/bin:${PATH}"
 WORKDIR /root/
-# Copy the pre-built github-actions binary from CI.
 COPY dist/github-actions ./github-actions
+# `sc` symlink so Pulumi local.Command subprocesses can invoke sc image sign/scan/sbom etc.
 RUN chmod +x ./github-actions \
- # Symlink `sc` so Pulumi local.Command subprocesses can invoke security
- # commands (sc image sign / scan, sc sbom generate, etc.) on PATH.
 && ln -s /root/github-actions /usr/local/bin/sc
-# Smoke test — fails the build if any tool wiring is broken.
+# Build-time smoke test — fails the build if tool wiring breaks.
 RUN pulumi version > /dev/null \
 && gcloud version > /dev/null \
 && gcloud components list --filter="name:gke-gcloud-auth-plugin" --format="value(name)" | grep -q gke-gcloud-auth-plugin \
 && test -L /usr/local/bin/sc && test -x /usr/local/bin/sc
-# Note on HEALTHCHECK: intentionally omitted. CIS Docker 4.6 targets long-running
-# containers; this image runs as a GitHub docker-action where the entrypoint
-# executes one workflow step (deploy-client-stack, destroy, ...) and exits, so a
-# liveness probe can never fire. The github-actions binary itself has no
-# generic --version / --help that exits 0 without GITHUB_ACTION_TYPE set, so any
-# probe would either be a no-op or report unhealthy on every cold start.
+LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \
+ org.opencontainers.image.licenses="Apache-2.0" \
+ org.opencontainers.image.title="simplecontainer/github-actions" \
+ org.opencontainers.image.description="SC GitHub Actions runner image"
 ENTRYPOINT ["/root/github-actions"]
diff --git a/go.mod b/go.mod
index 408db27c..f3dfcfb0 100644
--- a/go.mod
+++ b/go.mod
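Review bot: The six removed `# Note on HEALTHCHECK` lines carried the only record of why this image has no HEALTHCHECK (one-shot action entrypoint, no probe that exits 0 without `GITHUB_ACTION_TYPE`), and the new side replaces them with a LABEL block without either adding a HEALTHCHECK or keeping the rationale, so the next linter run or benchmark pass will flag the omission as an oversight. Keep one line in its place: `# No HEALTHCHECK: one-shot action entrypoint, nothing long-running to probe.` The kubectl.Dockerfile hunk removes the equivalent `# No HEALTHCHECK: invoked as a one-shot tool` note in the same way and deserves the same one-liner. The LABEL block itself is fine; an `org.opencontainers.image.revision` label fed from a late `ARG` would let scanners tie the image back to the commit, but that is optional.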
@@ -7,7 +7,7 @@ require (
 github.com/MShekow/directory-checksum v1.4.9
 github.com/anthonycorbacho/slack-webhook v1.0.1
 github.com/antonmedv/expr v1.12.6
- github.com/atombender/go-jsonschema v0.22.0
+ github.com/atombender/go-jsonschema v0.23.0
 github.com/aws/aws-lambda-go v1.47.0
 github.com/aws/aws-sdk-go v1.50.36
 github.com/aws/aws-secretsmanager-caching-go v1.1.3
@@ -16,7 +16,7 @@ require (
 github.com/disgoorg/disgo v0.18.5
 github.com/docker/docker v28.5.2+incompatible
 github.com/fatih/color v1.18.0
- github.com/go-delve/delve v1.26.1
+ github.com/go-delve/delve v1.26.3
 github.com/go-git/go-billy/v5 v5.8.0
 github.com/go-git/go-git/v5 v5.18.0
 github.com/golangci/golangci-lint v1.64.8
@@ -48,17 +48,17 @@ require (
 github.com/vektra/mockery/v2 v2.53.6
 go.mongodb.org/mongo-driver v1.16.1
 go.uber.org/atomic v1.11.0
- golang.org/x/crypto v0.49.0
+ golang.org/x/crypto v0.50.0
 golang.org/x/oauth2 v0.35.0
 golang.org/x/sync v0.20.0
- golang.org/x/term v0.41.0
- golang.org/x/text v0.35.0
+ golang.org/x/term v0.42.0
+ golang.org/x/text v0.36.0
 google.golang.org/api v0.223.0
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 k8s.io/apimachinery v0.35.0
 k8s.io/client-go v0.35.0
- mvdan.cc/gofumpt v0.9.2
+ mvdan.cc/gofumpt v0.10.0
 )
 require (
@@ -383,7 +383,7 @@ require (
 github.com/sivchari/tenv v1.12.1 // indirect
 github.com/skeema/knownhosts v1.3.1 // indirect
 github.com/sonatard/noctx v0.1.0 // indirect
- github.com/sosodev/duration v1.3.1 // indirect
+ github.com/sosodev/duration v1.4.0 // indirect
 github.com/sourcegraph/go-diff v0.7.0 // indirect
 github.com/spf13/cast v1.10.0 // indirect
 github.com/spf13/pflag v1.0.10 // indirect
@@ -446,12 +446,12 @@ require (
 golang.org/x/arch v0.11.0 // indirect
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
 golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
- golang.org/x/mod v0.33.0 // indirect
- golang.org/x/net v0.52.0 // indirect
- golang.org/x/sys v0.42.0 // indirect
- golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 // indirect
+ golang.org/x/mod v0.35.0 // indirect
+ golang.org/x/net v0.53.0 // indirect
+ golang.org/x/sys v0.43.0 // indirect
+ golang.org/x/telemetry v0.0.0-20260409153401-be6f6cb8b1fa // indirect
 golang.org/x/time v0.10.0 // indirect
- golang.org/x/tools v0.42.0 // indirect
+ golang.org/x/tools v0.44.0 // indirect
 golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
diff --git a/go.sum b/go.sum
index f77f28df..6589ecf5 100644
--- a/go.sum
+++ b/go.sum
@@ -171,8 +171,8 @@ github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8ger github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU= github.com/ashanbrown/makezero v1.2.0 h1:/2Lp1bypdmK9wDIq7uWBlDF1iMUpIIS4A+pF6C9IEUU= github.com/ashanbrown/makezero v1.2.0/go.mod h1:dxlPhHbDMC6N6xICzFBSK+4njQDdK8euNO0qjQMtGY4= -github.com/atombender/go-jsonschema v0.22.0 h1:7H48X5fUccsfsacar5UfP6nnOXuQzmnr6lQmH/Fj2pQ= -github.com/atombender/go-jsonschema v0.22.0/go.mod h1:8Q281v0ozTIfvdnbwDoWQDIk0syH6F0Fpoq+Z1cs+rM= +github.com/atombender/go-jsonschema v0.23.0 h1:1W586wlGS2Zup69szfgJpQ/NKZcjuMEocAtYvEcPyzw= +github.com/atombender/go-jsonschema v0.23.0/go.mod h1:KAi1zDASp4e0FvlFM5QvLyU3k7+DsX+7hCq98G34gtg= github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4= github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI= github.com/aws/aws-lambda-go v1.47.0 h1:0H8s0vumYx/YKs4sE7YM0ktwL2eWse+kfopsRI1sXVI= 
@@ -393,8 +393,8 @@ github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c= github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU= github.com/go-critic/go-critic v0.12.0 h1:iLosHZuye812wnkEz1Xu3aBwn5ocCPfc9yqmFG9pa6w= github.com/go-critic/go-critic v0.12.0/go.mod h1:DpE0P6OVc6JzVYzmM5gq5jMU31zLr4am5mB/VfFK64w= -github.com/go-delve/delve v1.26.1 h1:V1F0hzAjXCpsBP+I/E6fVUTLC/ZBSs1YWUb8cTtIWFE= -github.com/go-delve/delve v1.26.1/go.mod h1:Ua/k2AAu4cLrUXGSRVH1b2Nzq2aCK188b9EYlAojlz4= +github.com/go-delve/delve v1.26.3 h1:uCWPnLLYmVRXLt0yhw305sCi5lQLHzYB2fZ0FB3KLUI= +github.com/go-delve/delve v1.26.3/go.mod h1:Ua/k2AAu4cLrUXGSRVH1b2Nzq2aCK188b9EYlAojlz4= github.com/go-delve/liner v1.2.3-0.20231231155935-4726ab1d7f62 h1:IGtvsNyIuRjl04XAOFGACozgUD7A82UffYxZt4DWbvA= github.com/go-delve/liner v1.2.3-0.20231231155935-4726ab1d7f62/go.mod h1:biJCRbqp51wS+I92HMqn5H8/A0PAhxn2vyOT+JqhiGI= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= 
@@ -435,8 +435,8 @@ github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= -github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= -github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= +github.com/go-quicktest/qt v1.102.0 h1:HSQxCeh5YZH3EL3W39ixjtyaEhcWSXQHtHnMBzSs474= +github.com/go-quicktest/qt v1.102.0/go.mod h1:p4lGIVX+8Wa6ZPNDvqcxq36XpUDLh42FLetFU7odllI= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= @@ -1043,8 +1043,8 @@ github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnB github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY= github.com/sonatard/noctx v0.1.0 h1:JjqOc2WN16ISWAjAk8M5ej0RfExEXtkEyExl2hLW+OM= github.com/sonatard/noctx v0.1.0/go.mod h1:0RvBxqY8D4j9cTTTWE8ylt2vqj2EPI8fHmrxHdsaZ2c= -github.com/sosodev/duration v1.3.1 h1:qtHBDMQ6lvMQsL15g4aopM4HEfOaYuhWBw3NPTtlqq4= -github.com/sosodev/duration v1.3.1/go.mod h1:RQIBBX0+fMLc/D9+Jb/fwvVmo0eZvDDEERAikUR6SDg= +github.com/sosodev/duration v1.4.0 h1:35ed0KiVFriGHHzZZJaZLgmTEEICIyt8Sx0RQfj9IjE= +github.com/sosodev/duration v1.4.0/go.mod h1:RQIBBX0+fMLc/D9+Jb/fwvVmo0eZvDDEERAikUR6SDg= github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0= github.com/sourcegraph/go-diff v0.7.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I= 
@@ -1237,8 +1237,8 @@ golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= -golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= +golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI= +golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -1285,8 +1285,8 @@ golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8= -golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w= +golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM= +golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1335,8 +1335,8 @@ golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= -golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= +golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA= +golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1428,10 +1428,10 @@ golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= -golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= -golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 h1:bTLqdHv7xrGlFbvf5/TXNxy/iUwwdkjhqQTJDjW7aj0= -golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4/go.mod h1:g5NllXBEermZrmR51cJDQxmJUHUOfRAaNyWBM+R+548= +golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI= +golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/telemetry v0.0.0-20260409153401-be6f6cb8b1fa h1:efT73AJZfAAUV7SOip6pWGkwJDzIGiKBZGVzHYa+ve4= +golang.org/x/telemetry v0.0.0-20260409153401-be6f6cb8b1fa/go.mod h1:kHjTxDEnAu6/Nl9lDkzjWpR+bmKfxeiRuSDlsMb70gE= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= 
@@ -1443,8 +1443,8 @@ golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= -golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= +golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY= +golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1459,8 +1459,8 @@ golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= -golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= +golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -1526,8 +1526,8 @@ golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s= golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= -golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k= -golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0= +golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c= +golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI= golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM= golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= @@ -1679,8 +1679,8 @@ k8s.io/utils v0.0.0-20251220205832-9d40a56c1308 h1:rk+D2uTO79bbNsICltOdVoA6mcJb0 k8s.io/utils v0.0.0-20251220205832-9d40a56c1308/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= lukechampine.com/frand v1.4.2 h1:RzFIpOvkMXuPMBb9maa4ND4wjBn71E1Jpf8BzJHMaVw= lukechampine.com/frand v1.4.2/go.mod h1:4S/TM2ZgrKejMcKMbeLjISpJMO+/eZ1zu3vYX9dtj3s= -mvdan.cc/gofumpt v0.9.2 h1:zsEMWL8SVKGHNztrx6uZrXdp7AX8r421Vvp23sz7ik4= -mvdan.cc/gofumpt v0.9.2/go.mod h1:iB7Hn+ai8lPvofHd9ZFGVg2GOr8sBUw1QUWjNbmIL/s= +mvdan.cc/gofumpt v0.10.0 h1:yGGpRS2pBN2OQIi7b21IXknJna7faPkFaVfHLrN6Euo= +mvdan.cc/gofumpt v0.10.0/go.mod h1:sU2ElXHzOEmvoPqfutYG7uunlueR4K2T1JFml40SzP4= mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f h1:lMpcwN6GxNbWtbpI1+xzFLSW8XzX0u72NttUGVFjO3U= mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f/go.mod h1:RSLa7mKKCNeTTMHBw5Hsy2rfJmd6O2ivt9Dw9ZqCQpQ= pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw= 
diff --git a/kubectl.Dockerfile b/kubectl.Dockerfile
index 09fe3eac..acceab6d 100644
--- a/kubectl.Dockerfile
+++ b/kubectl.Dockerfile
@@ -1,19 +1,15 @@
-# Pin by digest (CIS Docker 4.7 — no floating tags).
-# alpine/kubectl:latest @ 2026-05-06 → resolved digest below.
-# Refresh via: docker buildx imagetools inspect alpine/kubectl:latest
+# Refresh: docker buildx imagetools inspect alpine/kubectl:latest
 FROM alpine/kubectl:latest@sha256:e9acf90f4aa6e1735a50758ee251d7bc622361ee23c35617dc0dcbe7c50282b0
-# apk upgrade clears any base CVEs surfaced after the image was tagged
-# (e.g. nghttp2-libs CVE-2026-27135 was outstanding at scan time).
+# apk upgrade pulls post-tag distro fixes (e.g. nghttp2 CVE-2026-27135 at scan time).
 RUN apk update \
 && apk upgrade --no-cache \
 && apk add --no-cache bash curl \
 && rm -rf /var/cache/apk/*
-# CIS Docker 4.1 — drop privileges. kubectl needs no root capabilities.
 RUN addgroup -S sc && adduser -S -G sc -u 10001 sc
 USER 10001:10001
-# No HEALTHCHECK: invoked as a one-shot tool
-# (`docker run --rm simplecontainer/kubectl `), not a long-running
-# daemon — a liveness probe never has a chance to fire.
+LABEL org.opencontainers.image.source="https://github.com/simple-container-com/api" \
+ org.opencontainers.image.licenses="Apache-2.0" \
+ org.opencontainers.image.title="simplecontainer/kubectl"