
Commit 3876c82

authored
build(deps): update Core 2 dependencies (#6574)
# Why Target fixing of CVEs in preparation for the 2.9.1 release ## Summary of changes - Update golang to 1.24.4 - Update golang dependencies across codebase - Update kubebuilder and operator dependencies - Update ubi-micro to 9.6 - Update dataflow dependencies - Update MLServer to 1.7.1 - Generate Docker images with SBOM metadata ## Changeset details * build(deps): Update golang to 1.24.4, together with dependencies In order to significantly reduce the number of CVEs in Core 2 images, we: - update to golang 1.24.4 - update all the package dependencies to their latest versions (this has required minor code fixes) - update the base Dockerfile builder images to ones using golang 1.24 - update github workflows to use golang 1.24 - during updates, the following changes have been manually made: * update `github.com/imdario/mergo` (deprecated) -> `dario.cat/mergo` * update `github.com/golang/protobuf` (deprecated) -> `google.golang.org/protobuf` * `google.golang.org/grpc/status` now requires messages (for example in `status.Errorf`) to have a printf format (like "%s") rather than pointing directly to a string. * feat(build): CI to create docker images with sbom metadata Adds makefile targets for production docker image builds that contain an automatically generated software bill of materials (SBOM) Update the Docker build images CI action to push images with SBOM metadata to dockerhub * build(deps): Update kubebuilder and operator support packages * build(deps): Update MLServer to 1.7.1 * build(deps): Update ubi-micro to 9.6 * build(deps): Update dataflow-engine dependencies * build(ci): update CI linter version to support golang 1.24
1 parent e99a00e commit 3876c82


67 files changed

+1769
-2107
lines changed

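--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -71,7 +71,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v5
 with:
-go-version: "1.23"
+go-version: "1.24"
 cache: false
 
 - name: Setup Helm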

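--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@@ -20,7 +20,7 @@ jobs:
 - uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
-go-version: "1.23"
+go-version: "1.24"
 cache: false
 - name: test-operator
 run: make -C operator test
@@ -32,7 +32,7 @@ jobs:
 run: make -C components/tls test
 - name: test-components-kafka
 run: make -C components/kafka test
-
+
 docker:
 needs: test
 runs-on: ubuntu-latest
@@ -48,7 +48,7 @@ jobs:
 remove-docker-images: 'true'
 overprovision-lvm: 'true'
 swap-size-mb: 1024
-
+
 - name: Checkout Git Commit
 uses: actions/checkout@v4
 
@@ -69,20 +69,20 @@ jobs:
 
 - name: Push Docker Image for Operator
 working-directory: ./operator
-run: CUSTOM_IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make docker-build docker-push
+run: CUSTOM_IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make docker-build-and-push-prod
 
 - name: Push Docker Image for Seldon Cli
 working-directory: ./operator
-run: CUSTOM_IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make docker-build-cli docker-push-cli
+run: CUSTOM_IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make docker-build-and-push-prod-cli
 
 - name: Push Docker Images for Scheduler
 working-directory: ./scheduler
-run: CUSTOM_IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make docker-build-all docker-push-all
+run: CUSTOM_IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make docker-build-and-push-prod-all
 
 - name: Push Docker Images for Hodometer
 working-directory: ./hodometer
-run: BUILD_VERSION=${{ steps.docker-tag.outputs.value }} IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make build-hodometer-docker push-hodometer-docker
-
+run: BUILD_VERSION=${{ steps.docker-tag.outputs.value }} IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make build-and-push-prod-hodometer-docker
+
 - name: Push Docker Image for k6 Load Testing
 working-directory: ./tests/k6
-run: CUSTOM_IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make docker-build docker-push
+run: CUSTOM_IMAGE_TAG=${{ steps.docker-tag.outputs.value }} make docker-build-and-push-prod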
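Review bot: The rewritten `run:` lines in the last hunk (operator, CLI, scheduler, hodometer, k6) still splice `${{ steps.docker-tag.outputs.value }}` straight into the shell command, so the tag value is parsed by the shell before `make` runs. The `docker-tag` step is outside the visible hunks; if its output can be derived from a ref name or a dispatch input, bind it on the step with `env:` / `CUSTOM_IMAGE_TAG: ${{ steps.docker-tag.outputs.value }}` and reduce the command to `run: make docker-build-and-push-prod` (likewise `BUILD_VERSION` and `IMAGE_TAG` for hodometer). Each step now also builds and pushes through a single make target, so a short comment naming where the pushed image and its SBOM are checked would help the next reader.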

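--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Set up Go 1.23
 uses: actions/setup-go@v5
 with:
-go-version: "1.23"
+go-version: "1.24"
 cache: false
 - name: Install Dependencies
 run: |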

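--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -10,33 +10,33 @@ jobs:
 - uses: actions/checkout@v4
 - uses: actions/setup-go@v4
 with:
-go-version: "1.23"
+go-version: "1.24"
 cache: false
 - name: lint-operator
 uses: golangci/golangci-lint-action@v3
 with:
-version: v1.63.4
+version: v1.64.8
 working-directory: operator
 skip-cache: true
 args: --timeout 10m --verbose
 - name: lint-scheduler
 uses: golangci/golangci-lint-action@v3
 with:
-version: v1.63.4
+version: v1.64.8
 working-directory: scheduler
 skip-cache: true
 args: --timeout 10m --verbose
 - name: lint-hodometer
 uses: golangci/golangci-lint-action@v3
 with:
-version: v1.63.4
+version: v1.64.8
 working-directory: hodometer
 skip-cache: true
 args: --timeout 10m --verbose
 - name: lint-tls
 uses: golangci/golangci-lint-action@v3
 with:
-version: v1.63.4
+version: v1.64.8
 working-directory: components/tls
 skip-cache: true
 args: --timeout 10m --verbose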

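--- a/.github/workflows/security_tests_v2.yml
+++ b/.github/workflows/security_tests_v2.yml
@@ -13,7 +13,7 @@ on:
 jobs:
 security-operator:
 runs-on: ubuntu-latest
-container: snyk/snyk:golang-1.23
+container: snyk/snyk:golang-1.24
 steps:
 - uses: actions/checkout@v4
 - name: security-golang
@@ -25,7 +25,7 @@ jobs:
 
 security-scheduler:
 runs-on: ubuntu-latest
-container: snyk/snyk:golang-1.23
+container: snyk/snyk:golang-1.24
 steps:
 - uses: actions/checkout@v4
 - name: security-golang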

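--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -10,7 +10,7 @@ jobs:
 - uses: actions/checkout@v4
 - uses: actions/setup-go@v5
 with:
-go-version: "1.23"
+go-version: "1.24"
 cache: false
 - name: test-operator
 run: make -C operator test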

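--- a/apis/go/go.mod
+++ b/apis/go/go.mod
@@ -2,17 +2,17 @@ module github.com/seldonio/seldon-core/apis/go/v2
 
 go 1.23.0
 
-toolchain go1.23.4
+toolchain go1.24.4
 
 require (
-google.golang.org/grpc v1.70.0
+google.golang.org/grpc v1.73.0
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1
-google.golang.org/protobuf v1.36.4
+google.golang.org/protobuf v1.36.6
 )
 
 require (
-golang.org/x/net v0.32.0 // indirect
-golang.org/x/sys v0.28.0 // indirect
-golang.org/x/text v0.21.0 // indirect
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a // indirect
+golang.org/x/net v0.41.0 // indirect
+golang.org/x/sys v0.33.0 // indirect
+golang.org/x/text v0.26.0 // indirect
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
 )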

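--- a/apis/go/go.sum
+++ b/apis/go/go.sum
@@ -4,31 +4,33 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=
-go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
-go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M=
-go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8=
-go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4=
-go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU=
-go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU=
-go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
-go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
-go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a h1:hgh8P4EuoxpsuKMXX/To36nOFD7vixReXgn8lPGnt+o=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
-google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ=
-google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
+google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 h1:F29+wU6Ee6qgu9TddPgooOdaqsxTMunOoj8KA5yuS5A=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1/go.mod h1:5KF+wpkbTSbGcR9zteSqZV6fqFOWBl4Yde8En8MryZA=
-google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
-google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=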

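--- a/components/kafka/.golangci.yml
+++ b/components/kafka/.golangci.yml
@@ -29,7 +29,7 @@ linters:
 enable:
 # Sorted alphabetically.
 - errcheck
-- exportloopref
+- copyloopvar
 - gci
 - goimports # Also includes gofmt style formatting
 - gosimple
@@ -51,4 +51,4 @@ linters-settings:
 min-occurrences: 5
 govet:
 disable:
-- printf
+- printf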
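Review bot: The `govet` `printf` analyzer is still listed under `disable:` in the second hunk, where the change to that line appears to be whitespace only. The commit description says `status.Errorf` calls had to be rewritten to pass an explicit format such as "%s", which is the class of mistake this analyzer reports. With it off, a non-constant format string in components/kafka would not be caught by lint; whether this component contains such calls is not visible here. Consider dropping `- printf` from `disable:`, or keep it with a comment recording why, e.g. `# printf disabled: <reason>`.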

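--- a/components/kafka/Makefile
+++ b/components/kafka/Makefile
@@ -4,7 +4,7 @@ GO_LDFLAGS := -w $(patsubst %,-X %, $(GO_BUILD_VARS))
 test:
 go test ./pkg/... -coverprofile cover.out
 
-.GOLANGCILINT_VERSION := v1.63.4
+.GOLANGCILINT_VERSION := v1.64.8
 .GOLANGCILINT_PATH := $(shell go env GOPATH)/bin/golangci-lint/$(.GOLANGCILINT_VERSION)
 
 ${.GOLANGCILINT_PATH}/golangci-lint: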
