Skip to content

Commit

Permalink
Merge pull request #64 from datawire/rlane/update-go-version
Browse files Browse the repository at this point in the history
Update to Go 1.22
  • Loading branch information
rick-a-lane-ii authored Jun 25, 2024
2 parents ec921e4 + 0641302 commit 94fa0f7
Show file tree
Hide file tree
Showing 13 changed files with 80 additions and 1,250 deletions.
1 change: 0 additions & 1 deletion .dockerignore
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,3 @@ DEPENDENCY_LICENSES.md
.git
.github
actions
tools
23 changes: 12 additions & 11 deletions .github/workflows/qa.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,37 +11,38 @@ jobs:
- macos-latest
#- windows-latest
go_version:
- '1.18.0'
- '1.19.0'
- '1.20.0'
- '1.21.0'
- '1.22.0'
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: '~${{ matrix.go_version }}'
cache: true
- run: |
if [[ "${{runner.debug}}" == "1" ]]; then
DEBUG_FLAGS="-v"
fi
go test -race ${DEBUG_FLAGS} ./...
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
# Specify the most recent (1.Y.Z) Y release
go-version-file: go.mod
cache: true
- run: make lint
- uses: golangci/golangci-lint-action@v5
with:
version: latest
args: --timeout=10m
generate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true
Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/test-action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,12 @@ jobs:
name: "Generate dependency information"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Setup Go environment
uses: actions/setup-go@v3
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true
Expand All @@ -37,14 +37,14 @@ jobs:
: > DEPENDENCY_LICENSES.md
: > DEPENDENCIES.md
git add DEPENDENCY_LICENSES.md DEPENDENCIES.md
# Generate license information
export GO_IMAGE=$(grep -e 'FROM golang:' "build-aux/docker/go_builder.dockerfile" | cut -d ' ' -f2 )
#Copy test data to another folder since it can't be used from there
cp -a ./test-data ./ui
export NPM_PACKAGES=$( echo -e "./ui/package.json\n./ui/package-lock.json" )
mkdir -p "${BUILD_TMP}"
build-aux/generate.sh --unparsable-packages ./unparsable-packages.yaml
Expand All @@ -58,7 +58,7 @@ jobs:
- name: "Check that action didn't do any changes"
run: |
if [[ "${{ steps.changed-by-dependabot.outputs.is_dirty }}" == 'true' ]]; then
echo "::error:: Action indicates that the repo was dirty"
echo "::error:: Action indicates that the repo was dirty"
exit 1
fi
Expand All @@ -74,18 +74,18 @@ jobs:
if: github.ref_type == 'branch'
run: |
if [[ "${{ steps.changed-by-dependabot2.outputs.license_information_committed }}" != 'true' ]]; then
echo "::error:: Action indicates that the repo was not dirty"
echo "::error:: Action indicates that the repo was not dirty"
exit 1
fi
DESTINATION_BRANCH="${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}"
DIFF=$(git diff --stat --cached origin/${DESTINATION_BRANCH})
if [[ -z "${DIFF}" ]]; then
echo "::error:: There weren't any files committed."
echo "::error:: There weren't any files committed."
exit 1
fi
if ! grep -e '^\s*DEPENDENCY_LICENSES.md' <(echo "${DIFF}") > /dev/null; then
echo "::error:: File DEPENDENCY_LICENSES.md was not modified, but it should have been."
echo "::error:: File DEPENDENCY_LICENSES.md was not modified, but it should have been."
exit 1
fi
7 changes: 0 additions & 7 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,6 @@ generate:
go generate ./...
.PHONY: generate

lint: tools/bin/golangci-lint
tools/bin/golangci-lint run ./...
.PHONY: lint

tools/bin/%: tools/src/%/pin.go tools/src/%/go.mod
cd $(<D) && GOOS= GOARCH= go build -o $(abspath $@) $$(sed -En 's,^import "(.*)".*,\1,p' pin.go)

.DELETE_ON_ERROR:
.PHONY: FORCE
FORCE:
109 changes: 56 additions & 53 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
# go-mkopensource

## Command line tool Docs
* [go-mkopensource](/cmd/go-mkopensource/README.md)
* [js-mkopensource](/cmd/js-mkopensource/README.md)

- [go-mkopensource](/cmd/go-mkopensource/README.md)
- [js-mkopensource](/cmd/js-mkopensource/README.md)

## Building

Expand All @@ -18,87 +21,87 @@ package is good at detecting the licenses in a file
## Design

There are many existing packages to do license detection, such as
[go-license-detector][] or GitHub's [licensee][]. The reason these
[go-license-detector][] or GitHub's [licensee][]. The reason these
are not used is that they are meant to be _informative_, they provide
"best effort" identification of the license.

`go-mkopensource` isn't meant to just be _informative_, it is meant to
be used for _compliance_, if it has any reason at all to be even a
`go-mkopensource` isn't meant to just be informative, it is meant to
be used for compliance; if it has any reason at all to be even a
little skeptical of a result, rather than returning its best guess, it
blows up in your face, asking a human to verify the result.
asks a human to verify the result.

[go-license-detector]: https://github.com/go-enry/go-license-detector
[licensee]: https://github.com/licensee/licensee

## License scanning scripts

Folder `/build-aux` contains scripts to scan licenses for Go, Python
and Node.Js. Script will generate both `DEPENDENCY_LICENSES.md` and
Folder `/build-aux` contains scripts to scan licenses for Go, Python
and Node.Js. Script will generate both `DEPENDENCY_LICENSES.md` and
`DEPENDENCIES.md`

The following environment variables are used to configure the
The following environment variables are used to configure the
application behaviour.

* `APPLICATION`: Required. Name of the application being scanned.
- `APPLICATION`: Required. Name of the application being scanned.
It's used in the header of the license files.

* `APPLICATION_TYPE`: Required. Where will the application being
scanned run.
`internal` is used for anything running on Ambassador Labs servers,
and `external` for anything that's deployed to customer machines.
- `APPLICATION_TYPE`: Required. Where will the application being
scanned run.
`internal` is used for anything running on Ambassador Labs servers,
and `external` for anything that's deployed to customer machines.

* `BUILD_HOME` Required. Location of the root folder of the repo to
- `BUILD_HOME` Required. Location of the root folder of the repo to
scan.

* `BUILD_TMP`: Required. Folder to use for storing temporary files.
- `BUILD_TMP`: Required. Folder to use for storing temporary files.

* `GIT_TOKEN` Required. Git token with permissions to pull
- `GIT_TOKEN` Required. Git token with permissions to pull
repositories

* `GO_IMAGE` Required. Image to use for generating Go
- `GO_IMAGE` Required. Image to use for generating Go
dependencies.

* `PYTHON_PACKAGES`: Optional. List of requirement.txt files to scan.
Paths should be relative to `BUILD_HOME`.
- `PYTHON_PACKAGES`: Optional. List of requirement.txt files to scan.
Paths should be relative to `BUILD_HOME`.
Example:

`export PYTHON_PACKAGES="./python/requirements.txt ./builder/requirements.txt"`

* `PYTHON_IMAGE`: Required. Image to use for generating Python
- `PYTHON_IMAGE`: Required. Image to use for generating Python
dependencies.

* `NPM_PACKAGES`: Optional. List of package.json and package-lock.json
files to scan. Paths should be relative to `BUILD_HOME`.
- `NPM_PACKAGES`: Optional. List of package.json and package-lock.json
files to scan. Paths should be relative to `BUILD_HOME`.
Example:

`export NPM_PACKAGES="./tools/sandbox/grpc_web/package.json ./tools/sandbox/grpc_web/package-lock.json"`

* `EXCLUDED_PKG`: Optional. Semicolon separated list of npm packages names that we want to exclude for the validation.
*Important*: it will restrict the output to the packages (package@version) from being reported in DEPENDENCIES.md and DEPENDENCY_LICENSES.md,
- `EXCLUDED_PKG`: Optional. Semicolon separated list of npm packages names that we want to exclude for the validation.
_Important_: it will restrict the output to the packages (package@version) from being reported in DEPENDENCIES.md and DEPENDENCY_LICENSES.md,
before to use it, confirm if it is absolutely necessary.

Example:

`export EXCLUDED_PKG="[email protected];internal-2"`

* `NODE_IMAGE`: Required when `NPM_PACKAGES` is defined. Version
- `NODE_IMAGE`: Required when `NPM_PACKAGES` is defined. Version
of Node.JS to use when running npm dependency scan. Only valid
version numbers (X.Y.Z) are allowed.
version numbers (X.Y.Z) are allowed.
Example:

`NODE_IMAGE=node:14.13.1-alpine`

* `SCRIPTS_HOME`: Required. Location where `go-mkopensource` repo is
checked out, relative to `BUILD_HOME`
- `SCRIPTS_HOME`: Required. Location where `go-mkopensource` repo is
checked out, relative to `BUILD_HOME`

To update license information files, set the environment variables
To update license information files, set the environment variables
described above and run `build-aux/generate.sh`

Tips:

* Add a .dockerignore at the root of your repository and exclude any files that are not necessary for generating depdency
information, including DEPENDENCIES.md, DEPENDENCY_INFORMATION.md and temporary folders. See the
[saas_app .dockerignore](https://github.com/datawire/saas_app/blob/master/.dockerignore) for a list of suggested exclussions.
- Add a .dockerignore at the root of your repository and exclude any files that are not necessary for generating depdency
information, including DEPENDENCIES.md, DEPENDENCY_INFORMATION.md and temporary folders. See the
[saas_app .dockerignore](https://github.com/datawire/saas_app/blob/master/.dockerignore) for a list of suggested exclussions.

## When scanning fails

Expand All @@ -124,7 +127,7 @@ fatal: 2 license-detection errors:
```

A quick look at the package reveals that it uses an Apache License, but adds extra text at the top of the actual LICENSE
file indicating that it also uses files from golang/encoding/json. We know that golang uses a 3-clause BSD license. So we consult the [SPDX License List](https://spdx.org/licenses/) to get the canonical
file indicating that it also uses files from golang/encoding/json. We know that golang uses a 3-clause BSD license. So we consult the [SPDX License List](https://spdx.org/licenses/) to get the canonical
identifiers for the licenses, and add them to an `unparsable-packages.yaml` file to our build system
with the following contents:

Expand All @@ -146,28 +149,29 @@ the list of all the packages in the file "vendor/modules.txt" using the command
#26 18.24 go: downloading github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59
#26 18.28 go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
#26 36.85 github.com/datawire/saas_app/internal/pkg/kubernetes imports
#26 36.85 k8s.io/client-go/rest imports
#26 36.85 k8s.io/apimachinery/pkg/util/clock: no required module provides package k8s.io/apimachinery/pkg/util/clock; to add it:
#26 36.85 go get k8s.io/apimachinery/pkg/util/clock
#26 36.85 k8s.io/client-go/rest imports
#26 36.85 k8s.io/apimachinery/pkg/util/clock: no required module provides package k8s.io/apimachinery/pkg/util/clock; to add it:
#26 36.85 go get k8s.io/apimachinery/pkg/util/clock
#26 36.85 /scripts/go-mkopensource: fatal: ["go" "mod" "vendor"]: exit status 1
#26 ERROR: executor failed running [/bin/sh -c /scripts/scan-go.sh]: exit code: 1
```

Now the scanner is smart enough to follow the indications of the "go mod vendor" install the dependencies, and then
Now the scanner will follow the indications of the "go mod vendor", install the dependencies, and then
get the list of packages from the file ''vendor/modules.txt"

Sometimes it isn't possible to install the dependecies sugested by the "go mod vendor" command.
Sometimes it isn't possible to install the dependencies suggested by the "go mod vendor" command.
The scanner will complain with the message "Error installing dependency". In this case the project will require human intervention to solve the problem.

Another reason that may cause a failure is the use of our proprietary packages, like `github.com/datawire/telepresence-pro/rpc/proconnector`.
The error will message will be similar to this one:
Another reason that may cause a failure is the use of our proprietary packages, like `github.com/datawire/telepresence-pro/rpc/proconnector`.
The error will message will be similar to this one:

```bash
/scripts/go-mkopensource: fatal: 1 license-detection errors:
1. Package "github.com/datawire/telepresence-pro/rpc/proconnector": could not identify a license for all sources (had no global LICENSE file)
```

Fo exclude these packages, add a yaml file like this
To exclude these packages, add a yaml file like this:

```yaml
- github.com/datawire/telepresence-pro/rpc/userdaemon
- github.com/datawire/telepresence-pro/rpc/proconnector
Expand All @@ -180,19 +184,17 @@ And pass it to the generate.sh script using the argument `--proprietary-packages
./generate.sh" --proprietary-packages proprietary-packages.yaml;
```

### Remember to always create a ticket!
When a problem arise, remember to always create a ticket so that the problem can be fixed. This will help all users
of the `go-mkopensource` tool and in many cases also make the owner of the failing component aware of the problem.

## Dependabot PRs

When dependabot creates a PR, it's possible that license scanning will fail due so several factors:

1. A Go package is unavailable in the new version of a module
2. Dependency information is out of date.

To reduce friction merging dependabot PRs, there is an action (`save-dependabot-changes`) that will update a PR created by dependabot.

Use the action in a workflow as follows:

```yaml
name: "Verify licenses"
on: push
Expand All @@ -207,7 +209,7 @@ jobs:
id: changed-by-dependabot
uses: datawire/go-mkopensource/actions/[email protected]
with:
branches_to_skip: 'master'
branches_to_skip: "master"
- name: Abort if dependencies changed
if: steps.changed-by-dependabot.outputs.license_information_committed == 'true'
run: |
Expand All @@ -216,10 +218,11 @@ jobs:
# Continue with other steps
```

*Notes*:
- The GitHub token GITHUB_TOKEN should have at least `contents:write` and `actions: write`
**Notes**:

- The GitHub token GITHUB_TOKEN should have at least `contents:write` and `actions: write`
[privileges](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
- The workflow that invokes the action should have a `workflow_dispatch`
- The workflow that invokes the action should have a `workflow_dispatch`
[trigger](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch).

### Testing changes to the `save-dependabot-changes` action
Expand All @@ -231,5 +234,5 @@ to point to the new version of the action.
uses: datawire/go-mkopensource/actions/save-dependabot-changes@<VERSION>
```

Note: If you want to test your changes before they are complete, you could use a branch in the action reference, and
update it to a tag once you're ready to release.
Note: If you want to test your changes before they are complete, you could use a branch in the action reference, and
update it to a tag once you're ready to release.
2 changes: 1 addition & 1 deletion build-aux/docker/go_builder.dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# Go dependency scanner
########################################
ARG GO_IMAGE="base-image-unknown"
FROM golang:1.20.12-alpine3.19 as builder
FROM golang:1.22.4-alpine3.20 as builder

ENV GOCACHE=/root/.cache/go-build
RUN mkdir -p "${GOCACHE}"
Expand Down
2 changes: 1 addition & 1 deletion build-aux/docker/js_builder.dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# builder for Js scanning
######################################################################
ARG NODE_IMAGE="need-a-base-image"
FROM golang:1.19-alpine3.15 as builder
FROM golang:1.22.4-alpine3.20 as builder

ENV GOCACHE=/root/.cache/go-build
RUN mkdir -p "${GOCACHE}"
Expand Down
2 changes: 1 addition & 1 deletion build-aux/docker/py_builder.dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# Python dependency scanner
########################################
ARG PYTHON_IMAGE="need-a-base-image"
FROM golang:1.19-alpine3.15 as builder
FROM golang:1.22.4-alpine3.20 as builder

WORKDIR /src
COPY . ./
Expand Down
Loading

0 comments on commit 94fa0f7

Please sign in to comment.