Bugfix release for v2.6 to fix CVE-2023-24538 (#4798)

* Bugfix release to fix CVE-2023-24538

* updated jsonnet tests

* fixed Makefile merge

* updated Makefile

* update .golangci.yml

* make doc

* Update v2.6.md

---------

Co-authored-by: Arve Knudsen <[email protected]>

Author: aldernero

.github/workflows/compare-helm-with-jsonnet.yml

@@ -13,10 +13,10 @@ jobs:
   compare-manifests:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - uses: actions/setup-go@v3
       with:
-        go-version: '1.19.3'
+        go-version: '1.20.3'
     - uses: helm/[email protected]
     - name: Download yq
       uses: dsaltares/fetch-gh-release-asset@d9376dacd30fd38f49238586cd2e9295a8307f4c

.github/workflows/helm-ci.yml

@@ -18,10 +18,13 @@ jobs:
   conftest:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:pr3976-e7cae18e3
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+      - name: Check out repository
+        uses: actions/checkout@v3
+
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
 
       - name: Lint Rego Policies
         run: make BUILD_IN_CONTAINER=false check-conftest-fmt

.github/workflows/test-build-deploy.yml

@@ -20,10 +20,12 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:pr3976-e7cae18e3
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
         # Commands in the Makefile are hardcoded with an assumed file structure of the CI container
         # Symlink ensures paths specified in previous commands don’t break
       - name: Symlink Expected Path to Workspace
@@ -48,25 +50,26 @@ jobs:
   doc-validator:
     runs-on: ubuntu-latest
     container:
-      image: grafana/doc-validator:v1.5.0
+      image: grafana/doc-validator:v1.9.0
     steps:
-      - name: Checkout repository
-        # This workflow intentionally uses v1 of checkout because
-        # the doc-validator image does not contain the expected shared
-        # libraries for the NodeJS packages injected by later versions.
-        uses: actions/checkout@v1
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
       - name: Run doc-validator tool (mimir)
-        run: doc-validator ./docs/sources/mimir
+        run: doc-validator ./docs/sources/mimir /docs/mimir/latest
       - name: Run doc-validator tool (helm-charts)
-        run: doc-validator ./docs/sources/helm-charts
+        run: doc-validator ./docs/sources/helm-charts /docs/mimir/latest
 
   lint-jsonnet:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:pr3976-e7cae18e3
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
         # Commands in the Makefile are hardcoded with an assumed file structure of the CI container
         # Symlink ensures paths specified in previous commands don’t break
       - name: Symlink Expected Path to Workspace
@@ -87,18 +90,20 @@ jobs:
   lint-helm:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:pr3976-e7cae18e3
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
         # Commands in the Makefile are hardcoded with an assumed file structure of the CI container
         # Symlink ensures paths specified in previous commands don’t break
       - name: Symlink Expected Path to Workspace
         run: |
           mkdir -p /go/src/github.com/grafana/mimir
           ln -s $GITHUB_WORKSPACE/* /go/src/github.com/grafana/mimir
       - name: Set up Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v3
         with:
           version: v3.8.2
       - name: Check Helm Tests
@@ -114,10 +119,12 @@ jobs:
         test_group_id:    [0, 1, 2, 3]
         test_group_total: [4]
     container:
-      image: grafana/mimir-build-image:pr3976-e7cae18e3
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
       - name: Symlink Expected Path to Workspace
         run: |
           mkdir -p /go/src/github.com/grafana/mimir
@@ -130,8 +137,10 @@ jobs:
   test-docs:
     runs-on: ubuntu-latest
     steps:
-      - name: "Check out code"
-        uses: "actions/checkout@v3"
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
       - name: "Build website"
         run: |
           docker run \
@@ -145,17 +154,19 @@ jobs:
   build:
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:pr3976-e7cae18e3
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
       - name: Install Docker Client
         run: ./.github/workflows/scripts/install-docker.sh
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Symlink Expected Path to Workspace
         run: |
           mkdir -p /go/src/github.com/grafana/mimir
@@ -168,7 +179,7 @@ jobs:
         run: |
           tar cvf images.tar /tmp/images
       - name: Upload Archive with Docker Images
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: Docker Images
           path: ./images.tar
@@ -185,19 +196,21 @@ jobs:
         test_group_total: [4]
     steps:
       - name: Upgrade golang
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.19.3
-      - name: Checkout repository
-        uses: actions/checkout@v2
+          go-version: 1.20.3
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
       - name: Install Docker Client
         run: sudo ./.github/workflows/scripts/install-docker.sh
       - name: Symlink Expected Path to Workspace
         run: |
           sudo mkdir -p /go/src/github.com/grafana/mimir
           sudo ln -s $GITHUB_WORKSPACE/* /go/src/github.com/grafana/mimir
       - name: Download Archive with Docker Images
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: Docker Images
       - name: Extract Docker Images from Archive
@@ -231,18 +244,20 @@ jobs:
     if: (startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/heads/r') ) && github.event_name == 'push' && github.repository == 'grafana/mimir'
     runs-on: ubuntu-latest
     container:
-      image: grafana/mimir-build-image:pr3976-e7cae18e3
+      image: grafana/mimir-build-image:chore-upgrade-go-1203-5c4c29f01
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
+      - name: Check out repository
+        uses: actions/checkout@v3
+      - name: Run Git Config
+        run: git config --global --add safe.directory '*'
       - name: Install Docker Client
         run: ./.github/workflows/scripts/install-docker.sh
       - name: Symlink Expected Path to Workspace
         run: |
           mkdir -p /go/src/github.com/grafana/mimir
           ln -s $GITHUB_WORKSPACE/* /go/src/github.com/grafana/mimir
       - name: Download Archive with Docker Images
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: Docker Images
       - name: Extract Docker Images from Archive

.golangci.yml

@@ -2,6 +2,7 @@ output:
   format: line-number
 
 linters:
+  disable-all: true
   enable:
     - goimports
     - revive
@@ -30,6 +31,7 @@ linters-settings:
 
 run:
   timeout: 5m
+  go: '1.20'
 
   # List of build tags, all linters use it.
   build-tags:

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2.6.1
+
+### Grafana Mimir
+
+* [BUGFIX] Security: updates Go to version 1.20.3 to fix CVE-2023-24538 #4798
+
 ## 2.6.0
 
 ### Grafana Mimir

Makefile

@@ -198,7 +198,7 @@ mimir-build-image/$(UPTODATE): mimir-build-image/*
 # All the boiler plate for building golang follows:
 SUDO := $(shell docker info >/dev/null 2>&1 || echo "sudo -E")
 BUILD_IN_CONTAINER ?= true
-LATEST_BUILD_IMAGE_TAG ?= pr3976-e7cae18e3
+LATEST_BUILD_IMAGE_TAG ?= chore-upgrade-go-1203-5c4c29f01
 
 # TTY is parameterized to allow Google Cloud Builder to run builds,
 # as it currently disallows TTY devices. This value needs to be overridden
@@ -674,4 +674,4 @@ test-packages: packages packaging/rpm/centos-systemd/$(UPTODATE) packaging/deb/d
 	./tools/packaging/test-packages $(IMAGE_PREFIX) $(VERSION)
 
 include docs/docs.mk
-docs: doc
+docs: doc

VERSION

@@ -1 +1 @@
-2.6.0
+2.6.1

development/mimir-microservices-mode/dev.dockerfile

@@ -1,8 +1,8 @@
-FROM golang:1.19.3
+FROM golang:1.20.3
 ENV CGO_ENABLED=0
-RUN go install github.com/go-delve/delve/cmd/dlv@v1.9.1
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.20.2
 
-FROM alpine:3.17.1
+FROM alpine:3.17.3
 
 RUN     mkdir /mimir
 WORKDIR /mimir

development/mimir-read-write-mode/dev.dockerfile

@@ -1,8 +1,8 @@
-FROM golang:1.18.4
+FROM golang:1.20.3
 ENV CGO_ENABLED=0
-RUN go install github.com/go-delve/delve/cmd/dlv@v1.7.3
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.20.2
 
-FROM alpine:3.17.1
+FROM alpine:3.17.3
 
 RUN     mkdir /mimir
 WORKDIR /mimir

mimir-build-image/Dockerfile

@@ -4,8 +4,8 @@
 # Provenance-includes-copyright: The Cortex Authors.
 
 FROM k8s.gcr.io/kustomize/kustomize:v4.5.5 as kustomize
-FROM alpine/helm:3.8.2 as helm
-FROM golang:1.19.3-bullseye
+FROM alpine/helm:3.11.1 as helm
+FROM golang:1.20.3-bullseye
 ARG goproxyValue
 ENV GOPROXY=${goproxyValue}
 ENV SKOPEO_DEPS="libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config"
@@ -35,7 +35,7 @@ RUN GOARCH=$(go env GOARCH) && \
     curl -fSL -o "/usr/bin/tk" "https://github.com/grafana/tanka/releases/download/v${TANKA_VERSION}/tk-linux-${GOARCH}" && \
     chmod a+x /usr/bin/tk
 
-RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b /usr/bin v1.49.0
+RUN curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b /usr/bin v1.51.2
 
 ENV SKOPEO_VERSION=v1.10.0
 RUN git clone --depth 1 --branch ${SKOPEO_VERSION} https://github.com/containers/skopeo /go/src/github.com/containers/skopeo && \