Add govulncheck to CI

.github/workflows/boulder-ci.yml

@@ -105,6 +105,59 @@ jobs:
       - name: "Run Test: ${{ matrix.tests }}"
         run: ${{ matrix.tests }}
 
+  govulncheck:
+    runs-on: ubuntu-20.04
+    strategy:
+      # When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true
+      fail-fast: false
+      matrix:
+        # Add additional docker image tags here and all tests will be run with the additional image.
+        BOULDER_TOOLS_TAG:
+          - go1.20.5_2023-06-20
+          - go1.21rc2_2023-06-21
+
+    env:
+      # This sets the docker image tag for the boulder-tools repository to
+      # use in tests. It will be set appropriately for each tag in the list
+      # defined in the matrix.
+      BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }}
+
+    steps:
+      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Docker Login
+        # You may pin to the exact commit or the version.
+        # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
+        uses: docker/login-action@v2.1.0
+        with:
+          # Username used to log against the Docker registry
+          username: ${{ secrets.DOCKER_USERNAME}}
+          # Password or personal access token used to log against the Docker registry
+          password: ${{ secrets.DOCKER_PASSWORD}}
+          # Log out from the Docker registry at the end of a job
+          logout: true
+        continue-on-error: true
+
+      # Print the env variable being used to pull the docker image. For
+      # informational use.
+      - name: Print BOULDER_TOOLS_TAG
+        run: echo "Using BOULDER_TOOLS_TAG ${BOULDER_TOOLS_TAG}"
+
+      # Pre-pull the docker containers before running the tests.
+      - name: docker compose pull netaccess
+        run: docker compose pull netaccess
+
+      # Enable https://github.com/golang/go/wiki/LoopvarExperiment if we're on
+      # go1.21rc2 or higher. This experiment value is unknown in lower versions.
+      - if: startsWith(matrix.BOULDER_TOOLS_TAG, 'go1.21')
+        run: echo "GOEXPERIMENT=loopvar" >> "$GITHUB_ENV"
+
+      - name: Install and run govulncheck
+        run: docker compose run --use-aliases netaccess bash -c 'GOFLAGS="" GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./...'
+
   # This is a utility build job to detect if the status of any of the
   # above jobs have failed and fail if so. It is needed so there can be
   # one static job name that can be used to determine success of the job

test/boulder-tools/Dockerfile

@@ -11,13 +11,12 @@ COPY requirements.txt /tmp/requirements.txt
 COPY boulder.rsyslog.conf /etc/rsyslog.d/
 COPY build.sh /tmp/build.sh
 RUN /tmp/build.sh
+
 # Note: This arg and env variable should only be set _after_ build.sh installs
 # necessary apt packages. Otherwise, we will reinstall those apt packages for
 # each Go version, rather than reusing a cached layer.
 ARG GO_VERSION
 ENV GO_VERSION=$GO_VERSION
 COPY install-go.sh /tmp/install-go.sh
-RUN /tmp/install-go.sh
-RUN sed -i '/imklog/s/^/#/' /etc/rsyslog.conf
-RUN sed -i '/$ActionFileDefaultTemplate/s/^/#/' /etc/rsyslog.conf
-RUN sed -i '/$RepeatedMsgReduction on/s/^/#/' /etc/rsyslog.conf
+RUN /tmp/install-go.sh && \
+    sed -i -e '/imklog/s/^/#/' -e '/$ActionFileDefaultTemplate/s/^/#/' -e '/$RepeatedMsgReduction on/s/^/#/' /etc/rsyslog.conf

test/boulder-tools/README.md

@@ -48,7 +48,8 @@ to our workflow:
 2. We run the `tag_and_upload.sh` script to build, tag, and upload
    a `boulder-tools` image for each of the `GO_VERSIONS`.
 3. We update `.github/workflows/boulder-ci.yml` to add the new image tag(s).
-4. We update `docker-compose.yml` to update the default image tag (optional).
+4. We update the remaining `.github/workflows/` yaml files that use a `GO_VERSION` matrix with the new version of Go.
+5. We update `docker-compose.yml` to update the default image tag (optional).
 
 After some time when we have spot checked the new Go release and coordinated
 a staging/prod environment upgrade with the operations team we can remove the

test/boulder-tools/install-go.sh

@@ -18,8 +18,7 @@ go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2.0
 go install github.com/rubenv/sql-migrate/...@v1.1.2
 go install golang.org/x/tools/cmd/stringer@latest
 go install github.com/letsencrypt/pebble/cmd/pebble-challtestsrv@master
-go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.0
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.53.3
 
 go clean -cache
 go clean -modcache
-

test/boulder-tools/tag_and_upload.sh

@@ -29,9 +29,11 @@ build_and_push_image() {
   echo "Building boulder-tools image ${TAG_NAME}"
 
   # build, tag, and push the image.
-  docker buildx build --build-arg "GO_VERSION=${GO_VERSION}" \
+  docker buildx build \
+    --build-arg "GO_VERSION=${GO_VERSION}" \
     --progress plain \
-    --push --tag "${TAG_NAME}" \
+    --push \
+    --tag "${TAG_NAME}" \
     --platform "${PLATFORMS}" \
     .
 }