From 35206878bef174177c4a3649c55e582f244f63c6 Mon Sep 17 00:00:00 2001 From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com> Date: Sat, 6 Apr 2024 07:13:50 +0000 Subject: [PATCH 1/2] k3d/5.6.0-r9: fix GHSA-6q6q-88xp-6f2r/GHSA-ppp9-7jff-5vj2/GHSA-8c26-wmh5-6g9v/GHSA-j2rp-gmqv-frhv/GHSA-m425-mq94-257g/GHSA-c3h9-896r-86jm/GHSA-7f33-f4f5-xwgw/GHSA-vvpx-j8f3-3w6h/GHSA-m69r-9g56-7mv8/ --- k3d.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/k3d.yaml b/k3d.yaml index b82f08c1ff8..32e29076d6f 100644 --- a/k3d.yaml +++ b/k3d.yaml @@ -1,7 +1,7 @@ package: name: k3d version: 5.6.0 - epoch: 10 + epoch: 11 description: Little helper to run CNCF's k3s in Docker copyright: - license: Apache-2.0 @@ -25,7 +25,7 @@ pipeline: - uses: go/bump with: - deps: golang.org/x/net@v0.17.0 github.com/docker/docker@v24.0.9 golang.org/x/crypto@v0.17.0 github.com/opencontainers/runc@v1.1.12 github.com/containerd/containerd@v1.7.11 google.golang.org/protobuf@v1.33.0 github.com/golang/protobuf@v1.5.4 + deps: golang.org/x/net@v0.17.0 github.com/docker/docker@v24.0.9 golang.org/x/crypto@v0.17.0 github.com/opencontainers/runc@v1.1.12 github.com/containerd/containerd@v1.7.11 google.golang.org/protobuf@v1.33.0 github.com/golang/protobuf@v1.5.4 github.com/hashicorp/consul@v1.11.9 github.com/aws/aws-sdk-go@v1.34.0 github.com/gogo/protobuf@v1.3.2 google.golang.org/grpc@v1.56.3 github.com/hashicorp/vault@v1.16.0 golang.org/x/text@v0.3.7 gopkg.in/yaml.v2@v2.2.4 - runs: | make build From de2b7950b0ae19c43314e5c8c99ca0fcb5489f12 Mon Sep 17 00:00:00 2001 From: Debasish Biswas Date: Sat, 6 Apr 2024 10:54:00 +0000 Subject: [PATCH 2/2] Update the proxy from forked one to the original one. K3d was using a fork of kelseyhightower/confd with almost no code update, just go version update with go.mod file that is not present in the original repo last relese. Now using this as deps are way more updated there compare to the forkes one k3d is using 
Signed-off-by: Debasish Biswas --- k3d.yaml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/k3d.yaml b/k3d.yaml index 32e29076d6f..74e33faa387 100644 --- a/k3d.yaml +++ b/k3d.yaml @@ -25,7 +25,7 @@ pipeline: - uses: go/bump with: - deps: golang.org/x/net@v0.17.0 github.com/docker/docker@v24.0.9 golang.org/x/crypto@v0.17.0 github.com/opencontainers/runc@v1.1.12 github.com/containerd/containerd@v1.7.11 google.golang.org/protobuf@v1.33.0 github.com/golang/protobuf@v1.5.4 github.com/hashicorp/consul@v1.11.9 github.com/aws/aws-sdk-go@v1.34.0 github.com/gogo/protobuf@v1.3.2 google.golang.org/grpc@v1.56.3 github.com/hashicorp/vault@v1.16.0 golang.org/x/text@v0.3.7 gopkg.in/yaml.v2@v2.2.4 + deps: golang.org/x/net@v0.17.0 golang.org/x/crypto@v0.17.0 github.com/docker/docker@v24.0.9 github.com/opencontainers/runc@v1.1.12 github.com/containerd/containerd@v1.7.11 google.golang.org/protobuf@v1.33.0 github.com/golang/protobuf@v1.5.4 - runs: | make build @@ -59,12 +59,16 @@ subpackages: mkdir -p "${{targets.subpkgdir}}"/etc/confd cp -ar templates "${{targets.subpkgdir}}"/etc/confd/ cp -ar conf.d "${{targets.subpkgdir}}"/etc/confd/ - - uses: git-checkout + - name: git-chekout-confd # There is not a new release in last 6 years + runs: | + git clone https://github.com/kelseyhightower/confd.git /home/confd + cd /home/confd + git fetch origin master + git checkout 919444eb6cf721d198b2bb18581d0f0b3734d107 + - uses: go/bump with: - repository: https://github.com/iwilltry42/confd - tag: v0.17.0 # NOTE: This pins us to a tag that we can't auto-bump, but this hasn't been updated in years - expected-commit: 6b806c9d9cf66333ca41f9b9175508db0e222a0b - destination: /home/confd + deps: golang.org/x/crypto@v0.17.0 google.golang.org/protobuf@v1.33.0 github.com/golang/protobuf@v1.5.4 github.com/go-jose/go-jose/v3@v3.0.3 + modroot: /home/confd - uses: go/build with: modroot: /home/confd
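Review bot: The rewritten `deps:` line in the `@@ -25,7 +25,7 @@` hunk drops the consul, aws-sdk-go, gogo/protobuf, grpc, vault, x/text and yaml.v2 pins that the first patch added under its GHSA subject, and nothing visible in this patch shows those advisories are still covered. Presumably those modules belong to the confd build rather than to k3d's own module graph, but the confd `go/bump` added in the next hunk lists only four modules. Before merging, scan the built k3d and proxy binaries against the GHSA ids in the first patch's subject. A comment next to the line would record the reasoning, for example `# consul/vault/grpc/aws-sdk-go pins removed: only pulled in by confd, see go/bump with modroot /home/confd`.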
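Review bot: The hand-written `git clone` step in the `@@ -59,12 +59,16 @@` hunk replaces the declarative `git-checkout` step and its `expected-commit` field, so the confd source is now declared only inside a shell script. The checkout is still pinned by full commit hash, which keeps the input fixed, but tooling that reads the pipeline for source provenance or update checks may no longer see this repository. If the `git-checkout` pipeline accepts a branch together with `expected-commit` (worth confirming), then `repository: https://github.com/kelseyhightower/confd`, `branch: master` and `expected-commit: 919444eb6cf721d198b2bb18581d0f0b3734d107` would keep the pin in declared form. If the shell step stays, the `git fetch origin master` line is redundant after a full clone and the step name should read `git-checkout-confd`.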