Update Go toolchain to 1.22.4, which addresses two vulnerabilities in the Go
stdlib.
* CVE-2024-24789: impacts handling of certain types of invalid zip files, which
could be exploited to create a zip file with unexpected contents. This could
potentially impact Nomad users of `artifact` blocks who download untrusted
artifacts.
* CVE-2024-24790: impacts parsing of IPv4-mapped IPv6 addresses.
* build: upgrade to go1.22
* add cl
* build: use codecgen from go-msgpack v1.1.5+base32 and stringer 0.18.0
for compatability with go1.22
* ci: update golangci-lint to 1.56.2
* build: update hclogvet for go1.22
* build: bump to go1.22.1
Go 1.21.3 fixes an important HTTP2 CVE (see CVE-2023-39325 and
CVE-2023-44487). Nomad does not use HTTP2 and is not vulnerable. However we
should pick up the toolchain bump if for no other reason than we don't have to
answer questions about that.
* build: update to go1.21
* go: eliminate helpers in favor of min/max
* build: run go mod tidy
* build: swap depguard for semgrep
* command: fixup broken tls error check on go1.21
Go released a security update to fix build-time code injection and execution via
CGO. This doesn't impact already-released versions of Nomad, just the build
toolchain, so we won't be releasing a Nomad security update to go with it.
This PR update to Go 1.18.2. Also update the versions of hclfmt
and go-hclogfmt which includes newer dependencies necessary for dealing
with go1.18.
The hcl v2 branch is now 'nomad-v2.9.1+tweaks2', to include a fix for
newer macOS versions: 8927e75e82
* go get on the remote mac instance installs with read-only, allow for rm step
* Update scripts/release/mac-remote-build
Co-authored-by: Mahmood Ali <mahmood@hashicorp.com>
Co-authored-by: Mahmood Ali <mahmood@hashicorp.com>
Avoids setting the node version in the release Dockerfile, by using
an alias. This allows us to update the node version in one file only.
Co-authored-by: Michael Schurter <mschurter@hashicorp.com>
Noticed that the structs code-generated parsers is no longer committed
when we cut a release, starting with v0.12. We've been committing
generated code to ease reproduction and rebuilding the tag.
Note for example that `structs.generated.go` was present in the [0.11.3
commit](8918fc804a)
but not in the [0.12.1
one](14a6893a25).
We leave the files ignored, so developers don't accidentally commit them
in local development.
