vitalif
/
etcd
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
19,072 Commits
21 Branches
406 Tags
79 MiB
Commit Graph

119 Commits (a4c1b3a9e2b32d64a3685ab35a39cbb62b3e08c7)

Author SHA1 Message Date
Benjamin Wang a60db1192d Added 'secrets.GITHUB_TOKEN' for the static-analysis workflow 
Refer to: https://github.com/arduino/setup-protoc/issues/63

Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2022-12-28 15:43:44 +08:00
dependabot[bot] 0fcd828de9
build(deps): bump ossf/scorecard-action from 2.1.0 to 2.1.2 
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.0 to 2.1.2.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](937ffa90d7...e38b1902ae)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-26 17:18:42 +00:00
dependabot[bot] 429f66e12a build(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.0 
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.0.6 to 2.1.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](99c53751e0...937ffa90d7)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-20 09:28:23 +08:00
dependabot[bot] ef02c159f2
build(deps): bump github/codeql-action from 2.1.36 to 2.1.37 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.36 to 2.1.37.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v2.1.36...959cbb7472c4d4ad70cdfe6f4976053fe48ab394)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-19 17:09:20 +00:00
ArkaSaha30 2d47811407
Move trivy scan workflow of specific versions to respective branches 
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
 2022-12-16 10:43:55 +05:30
dependabot[bot] a59276c171 build(deps): bump actions/setup-go from 2.2.0 to 3.5.0 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.2.0 to 3.5.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](bfdd3570ce...6edd4406fa)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-14 08:59:29 +08:00
Benjamin Wang cb5b7c2ec7
Merge pull request #14928 from ArkaSaha30/trivy-nightly-scan 
etcd: add `trivy-nightly-scan` for etcd images
 2022-12-14 08:52:44 +08:00
ArkaSaha30 f4d3fa91db
Add `permissions: read-all` to the workflow 
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
 2022-12-13 12:42:51 +05:30
Benjamin Wang 1d7d8a9016 dependabot: change schedule interval to weekly 
Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2022-12-13 14:38:32 +08:00
Benjamin Wang e103e2c18c
Merge pull request #14946 from etcd-io/dependabot/github_actions/actions/checkout-3.2.0 
build(deps): bump actions/checkout from 2.5.0 to 3.2.0
 2022-12-13 14:29:41 +08:00
Benjamin Wang 9cb4c817f3
Merge pull request #14940 from etcd-io/dependabot/github_actions/actions/upload-artifact-3.1.1 
build(deps): bump actions/upload-artifact from 2.3.1 to 3.1.1
 2022-12-13 14:28:12 +08:00
ArkaSaha30 941fe6b877 Add newline at end of file 
Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
 2022-12-13 11:34:57 +05:30
dependabot[bot] ffd26d6a0a
build(deps): bump actions/checkout from 2.5.0 to 3.2.0 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.5.0 to 3.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2.5.0...755da8c3cf115ac066823e79a1e1788f8940201b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-13 03:36:57 +00:00
dependabot[bot] 7a55adcfd1
build(deps): bump actions/upload-artifact from 2.3.1 to 3.1.1 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 2.3.1 to 3.1.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v2.3.1...83fd05a356d7e2593de66fc9913b3002723633cb)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-13 03:36:52 +00:00
dependabot[bot] 0fabbebeaa
build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.3.0 to 3.3.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](07db5389c9...0ad9a0988b)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-12-13 03:36:49 +00:00
Benjamin Wang f538e18f3b security: add dependabot.yml 
Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2022-12-13 10:44:35 +08:00
Benjamin Wang ee9db729da
Merge pull request #14860 from ahrtr/fix_release_20221126 
Trigger release in current branch for github workflow case
 2022-12-12 17:46:19 +08:00
Benjamin Wang bf5c094f3c secure the github workflow 
https://app.stepsecurity.io/secureworkflow/etcd-io/etcd/tests.yaml/main?enable=pin
1. Copy the existing yaml file and paste into the textbox,
2. Click "SECURE WORKFLOW"
3. Copy the manifest from the textbox and paste into etcd repo.

Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2022-12-12 16:23:13 +08:00
ArkaSaha30 e30ced0d2f
etcd: add `trivy-nightly-scan` for etcd images 
This PR will add `trivy-nightly-scan` for etcd images with versions `3.4.22` and `3.5.6` to scan for vulnerabilities everyday at 2AM UTC.

Signed-off-by: ArkaSaha30 <arkasaha30@gmail.com>
 2022-12-12 12:33:13 +05:30
Benjamin Wang 5d78d6d4b1 release: support kick off release in current branch 
Currently when triggering release, it always pull remote repo and
checkout main branch. Any changes which are merged into the target
release branch (e.g. release-3.5) will be ignored. It isn't
convenient for test, including in github workflow and local environment.
So we need to support triggering release in current branch.

Note: --current-branch should only be called with DRY_RUN=true

Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2022-12-12 09:35:03 +08:00
Benjamin Wang 808099dc24 Pin govulncheck to v0.0.0-20221208180742-f2dca5ff4cc3 
go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./...
  shell: /usr/bin/bash -e {0}
  env:
    GOROOT: /opt/hostedtoolcache/go/1.19.4/x64
go: golang.org/x/vuln/cmd/govulncheck@latest: no matching versions for query "latest"

Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2022-12-09 18:23:53 +08:00
Marek Siarkowicz a8bc8ba28b tests: Increase test timeout for nighly runs to match job timeout minus ten minutes 
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
 2022-12-09 09:47:17 +01:00
Benjamin Wang dccc21bb69 bump go 1.19.4 
$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 1 known vulnerability.

Vulnerability #1: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
      tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls golang.org/x/net/http2.ConfigureServer$1

  Found in: golang.org/x/net/http2@v0.2.0
  Fixed in: golang.org/x/net/http2@v1.19.4
  More info: https://pkg.go.dev/vuln/GO-2022-1144

Vulnerability #2: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
      contrib/lock/storage/storage.go:106:28: go.etcd.io/etcd/v3/contrib/lock/storage.main calls net/http.ListenAndServe
      contrib/raftexample/httpapi.go:113:31: go.etcd.io/etcd/v3/contrib/raftexample.serveHTTPKVAPI$1 calls net/http.Server.ListenAndServe
      tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls net/http.Serve
      tools/etcd-dump-metrics/main.go:159:31: go.etcd.io/etcd/v3/tools/etcd-dump-metrics.main$4 calls go.etcd.io/etcd/server/v3/embed.StartEtcd, which eventually calls net/http.Server.Serve

  Found in: net/http@go1.19.3
  Fixed in: net/http@go1.19.4
  More info: https://pkg.go.dev/vuln/GO-2022-1144

Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2022-12-09 07:39:57 +08:00
Benjamin Wang 4ba806a103
Merge pull request #14911 from tjungblu/linnight 
Create a nightly job for linearizability tests
 2022-12-08 07:19:00 +08:00
Thomas Jungblut 7c9c1b6c1c Create a nightly job for linearizability tests 
Start with a simple job against main that runs for 3h by repeating it
an order of magnitude more often than the PR job.

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
 2022-12-07 17:41:49 +01:00
Marek Siarkowicz 3e3be35f20
Merge pull request #14905 from joycebrum/main 
Set Github workflows default permissions to read-only
 2022-12-07 16:39:14 +01:00
Joyce Brum a92e06f132
fix: revoke write permissions from all workflows 
Signed-off-by: Joyce Brum <joycebrum@google.com>
 2022-12-07 13:51:22 +00:00
Joyce Brum 6adc81c664
fix: remove workflow dispatch used for testing 
Signed-off-by: Joyce Brum <joycebrum@google.com>
 2022-12-06 18:10:50 +00:00
Joyce Brum 4bcf401b7f
Squashed commit of the following: 
commit 9a3bf2c0ed6e63c718789679745fdaa24a2c2ba9
Author: Joyce Brum <joycebrum@google.com>
Date:   Tue Dec 6 17:59:42 2022 +0000

    fix: write permissions

    Signed-off-by: Joyce Brum <joycebrum@google.com>

commit 7716f3c00cd7cfe4debbbf97662b1cee7277ba00
Author: Joyce Brum <joycebrum@google.com>
Date:   Tue Dec 6 17:04:19 2022 +0000

    fix: typo on coverage workflow

    Signed-off-by: Joyce Brum <joycebrum@google.com>

commit cb5165401392f1a2de3683ec33ffe97dc0f1fe9f
Author: Joyce Brum <joycebrum@google.com>
Date:   Tue Dec 6 16:57:50 2022 +0000

    feat: test coverage workflow with write permissions

    Signed-off-by: Joyce Brum <joycebrum@google.com>

commit 235627f257d52139c9c73c2ca15c9ef7250cea2f
Author: Joyce Brum <joycebrum@google.com>
Date:   Tue Dec 6 16:44:21 2022 +0000

    fix: measure test read all and workflow dispatch

    Signed-off-by: Joyce Brum <joycebrum@google.com>

commit 81b1581f19945ba5ddd7fa74661910a457af7515
Author: Joyce Brum <joycebrum@google.com>
Date:   Tue Dec 6 14:50:12 2022 +0000

    feat: change from content read to read all

    Signed-off-by: Joyce Brum <joycebrum@google.com>

commit 95bd39f615924a9c0186e6d3e1ad6c205c7db428
Author: Joyce Brum <joycebrum@google.com>
Date:   Tue Dec 6 14:45:45 2022 +0000

    fix: add permission to write on e2e.yaml

    Signed-off-by: Joyce Brum <joycebrum@google.com>

commit f86661da253af3908cde9f5f71311fbca6b26c81
Author: Joyce Brum <joycebrum@google.com>
Date:   Mon Dec 5 17:04:44 2022 +0000

    feat: use read-only by default

    Signed-off-by: Joyce Brum <joycebrum@google.com>

Signed-off-by: Joyce Brum <joycebrum@google.com>
 2022-12-06 18:03:50 +00:00
Marek Siarkowicz a573d8af69 tests: Use golang count to repeat tests 
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
 2022-12-03 11:21:07 +01:00
Marek Siarkowicz dd4d69ca91 tests: Cleanup gofail 
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
 2022-11-27 20:35:39 +01:00
vivekpatani 0e65199e1a .github: make govuln-check generic 
Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
 2022-11-17 13:10:01 -08:00
Thomas Jungblut 89bfa4b95c Update CodeQL to v2 
CodeQL@v1 is going to be deprecated in three weeks. This PR updates the
branches to track only the currently maintained release branches and
moves the actions to its v2 version.

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
 2022-11-15 13:30:44 +01:00
Wei Fu 71d45461ff e2e: test DowngradeVersion with latest point release 
Signed-off-by: Wei Fu <fuweid89@gmail.com>
 2022-11-13 17:21:13 +08:00
Benjamin Wang 94e0c2410b bump go version to 1.19.3 to address security fixes 
FYI. https://groups.google.com/g/golang-announce/c/dRtDK7WS78g

Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2022-11-02 09:07:22 +08:00
spacewander e73a25a1d0 ci: ensure the generated code is up-to-date 
See https://github.com/etcd-io/etcd/pull/14612#issue-1419792069
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
 2022-10-31 19:58:21 +08:00
Benjamin Wang 70c57c5651
Merge pull request #14646 from joycebrum/main 
Fix error on Scorecard run by upgrading the action version
 2022-10-29 05:29:13 +08:00
Joyce Brum 0bc8895d7b
fix: upgrade scorecard github action to avoid crashes 
Signed-off-by: Joyce Brum <joycebrum@google.com>
 2022-10-28 17:26:04 -03:00
Marek Siarkowicz ac1b07626d
Merge pull request #14625 from vivekpatani/main 
.github: add govuln check
 2022-10-28 15:52:51 +02:00
vivekpatani 680310a6c9 *: bump to go1.19.2 from 1.19.1 
- update .github workflows
- update tests

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
 2022-10-27 18:45:02 -07:00
vivekpatani 5c0d653958 .github: add govuln check 
- add job for govuln job
- allow to continue on failure, until all issues are addressed
- address: https://github.com/etcd-io/etcd/issues/14449

Signed-off-by: vivekpatani <9080894+vivekpatani@users.noreply.github.com>
 2022-10-26 17:25:35 -07:00
Marek Siarkowicz 8ce81a1624
Merge pull request #14611 from serathius/issue14370 
tests: Add linearizability tests scenario for #14370
 2022-10-25 14:03:39 +02:00
Marek Siarkowicz 837819860b tests: Add linearizability tests scenario for #14370 
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
 2022-10-24 13:36:12 +02:00
Samuele Resca 37d62ba477 Updating fuzzing script with list of target. 
Signed-off-by: Samuele Resca <samuele.resca@gmail.com>
 2022-10-23 13:46:10 +01:00
Samuele Resca 3d9c5c6166 Adding fuzz test on v3rpc interfaces. 
Signed-off-by: Samuele Resca <sr7@ad.datcon.co.uk>
Signed-off-by: Samuele Resca <samuele.resca@gmail.com>
 2022-10-23 13:46:10 +01:00
Marek Siarkowicz 069e26e284 tests: Validate etcd linearizability 
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
 2022-10-23 06:41:38 +02:00
Manuel Rüger 0f4d6fbc5e .github/workflows: Replace egrep with grep -E 
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
 2022-10-09 21:22:36 +02:00
Joyce Brum 336bae2d4e github: enable the scorecard github action 
Signed-off-by: Joyce Brum <joycebrumu.u@gmail.com>
 2022-09-23 13:57:22 -03:00
Benjamin Wang cb5f7276c3 Bump go 1.19: upgrade go version to 1.19.1 in the pipeline 
Signed-off-by: Benjamin Wang <wachao@vmware.com>
 2022-09-22 08:47:46 +08:00
Marek Siarkowicz bea478266e makefile: Raname targets update* to fix* to distinquish from update_dep 
Signed-off-by: Marek Siarkowicz <siarkowicz@google.com>
 2022-09-20 13:58:17 +02:00