confidential-containers / cloud-api-adaptor

Ability to create Kata pods using cloud provider APIs aka the peer-pods approach
Apache License 2.0

security: bump golang 1.21.10 to fix GO-2024-2824 #1836

Closed huoqifeng closed 4 months ago

huoqifeng commented 4 months ago

Fixes: #1825

huoqifeng commented 4 months ago

I'm thinking the PR checking failure is expected because the quay.io/confidential-containers/golang-fedora:1.21.10-38 is not available yet. I'm thinking the normal process is to merge it and monitor the merged build and fix the failure (if any) by re-running the failed actions?

stevenhorsman commented 4 months ago

I'm thinking the PR checking failure is expected because the quay.io/confidential-containers/golang-fedora:1.21.10-38 is not available yet. I'm thinking the normal process is to merge it and monitor the merged build and fix the failure (if any) by re-running the failed actions?

Yes - our options are either to merge like this with PR failures and monitor the build, or to do a two stage commit where we bump the Dockerfile for fedora-golang in one PR and then update in follow-on ones. I'm personally fine with either, but it's worth noting that we don't have a great track record of remembering to do the follow-up update, so have ended up on back level base images.
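Added example, not code from the PR or the project: a small Go check for the failure mode described above, Dockerfiles left pinned to a back-level golang-fedora image after the go.mod Go version was bumped. The go.mod text and Dockerfile paths below are constructed for the example, not the repository's real files.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed sample inputs (not the project's real files): a go.mod and
// Dockerfiles as they might look after a bump where one Dockerfile was missed.
const sampleGoMod = "module example.com/cloud-api-adaptor\n\ngo 1.21.10\n"
var sampleDockerfiles = map[string]string{
	"src/cloud-api-adaptor/Dockerfile": "FROM quay.io/confidential-containers/golang-fedora:1.21.10-38 AS builder\n",
	"src/peerpod-ctrl/Dockerfile":      "FROM quay.io/confidential-containers/golang-fedora:1.21.9-38 AS builder\n",
	"src/webhook/Dockerfile":           "FROM registry.fedoraproject.org/fedora:38\n", // no Go toolchain, ignored
}
var (
	goDirectiveRe  = regexp.MustCompile(`(?m)^go\s+(\S+)\s*$`)
	golangFedoraRe = regexp.MustCompile(`golang-fedora:(\d+\.\d+\.\d+)-\d+`)
)

// GoModVersion returns the Go version declared by the go.mod "go" directive.
func GoModVersion(gomod string) (string, bool) {
	m := goDirectiveRe.FindStringSubmatch(gomod)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// StaleImages lists the Dockerfiles that pin a golang-fedora base image whose
// Go version differs from go.mod, i.e. base images left at a back level.
func StaleImages(gomod string, dockerfiles map[string]string) []string {
	want, ok := GoModVersion(gomod)
	if !ok {
		return nil
	}
	var stale []string
	for path, df := range dockerfiles {
		for _, m := range golangFedoraRe.FindAllStringSubmatch(df, -1) {
			if m[1] != want {
				stale = append(stale, path)
				break
			}
		}
	}
	sort.Strings(stale) // map iteration order is random; make output stable
	return stale
}

func main() {
	for _, p := range StaleImages(sampleGoMod, sampleDockerfiles) {
		fmt.Printf("%s: golang-fedora base image does not match go.mod\n", p)
	}
}
```

Wired into CI against the real Dockerfiles and go.mod, a non-empty result fails the build and catches the forgotten follow-up before it ships.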

stevenhorsman commented 4 months ago

Yes - our options are either to merge like this with PR failures and monitor the build

Just to round this off, I waited for the fedora-golang image to build and publish and then re-ran the project image build workflow and it worked: https://github.com/confidential-containers/cloud-api-adaptor/actions/runs/8998478743

Thanks!