improve hack/verify-release.sh

Few improvements from previous minor release cycle: - add missing k8s.io/apiserver to module sync - change artefact to artifact for more common spelling - match container image detection from release notes to match the earlier change in the release tooling - rename some of the titles to be more descriptive - mutate go.mod files for osv-scanner so it can accurately report vulnerablities in golang stdlib (ie. mutate "go 1.21" directive to "go 1.21.9" with patch version read off from main Dockerfile Signed-off-by: Tuomo Tanskanen <[email protected]>
metal3-io · Apr 23, 2024 · 53b4303 · 53b4303
1 parent 1cbe050
commit 53b4303
Showing 1 changed file with 56 additions and 17 deletions.
diff --git a/hack/verify-release.sh b/hack/verify-release.sh
@@ -89,11 +89,11 @@ declare -a release_note_strings=(
 
 # required strings that are postfixed with correct release number
 declare -a release_note_tag_strings=(
-    "The container image for this release is: v${VERSION}"
+    "The image for this release is: v${VERSION}"
 )
 
-# release artefacts
-declare -a release_artefacts=(
+# release artifacts
+declare -a release_artifacts=(
 )
 
 # quay images
@@ -112,6 +112,7 @@ declare -A module_groups=(
         k8s.io/api
         k8s.io/apiextensions-apiserver
         k8s.io/apimachinery
+        k8s.io/apiserver
         k8s.io/client-go
         k8s.io/cluster-bootstrap
         k8s.io/component-base
@@ -365,15 +366,15 @@ verify_release_notes()
     echo -e "Done\n"
 }
 
-verify_release_artefacts()
+verify_release_artifacts()
 {
-    # check that the release json lists all artefacts as present
-    echo "Verifying release artefacts ..."
+    # check that the release json lists all artifacts as present
+    echo "Verifying release artifacts ..."
 
-    for artefact in "${release_artefacts[@]}"; do
+    for artifact in "${release_artifacts[@]}"; do
         # shellcheck disable=SC2076
-        if ! [[ "$(jq .assets[].name "${RELEASE_JSON}")" =~ "\"${artefact}\"" ]]; then
-            echo "ERROR: release artefact '${artefact}' not found in release"
+        if ! [[ "$(jq .assets[].name "${RELEASE_JSON}")" =~ "\"${artifact}\"" ]]; then
+            echo "ERROR: release artifact '${artifact}' not found in release"
         fi
     done
 
@@ -386,7 +387,7 @@ verify_container_images()
     # if tag doesn't appear, the build trigger might've been disabled
     local image tag
 
-    echo "Verifying container images ..."
+    echo "Verifying container images are built and tagged ..."
 
     for image_and_tag in "${container_images[@]}"; do
         image="${image_and_tag/:*}"
@@ -406,19 +407,30 @@ verify_container_images()
     echo -e "Done\n"
 }
 
-verify_container_base_image()
+_get_golang_version_from_dockerfile()
 {
-    # check if the golang used for container image build is latest of its minor
-    local image tag
-
-    echo "Verifying container base images ..."
+    # read golang version from Dockerfile and return
+    local image_and_tag image image_and_tag_without_sha tag tag_minor
 
     image_and_tag="$(grep "^ARG BUILD_IMAGE=" Dockerfile | cut -f2 -d=)"
     image="${image_and_tag/:*}"
     image_and_tag_without_sha="${image_and_tag/@sha256:*}"
     tag="${image_and_tag_without_sha/*:}"
     tag_minor="${tag%.*}"
 
+    echo "${image_and_tag} ${image} ${image_and_tag_without_sha} ${tag} ${tag_minor}"
+}
+
+verify_container_base_image()
+{
+    # check if the golang used for container image build is latest of its minor
+    local image_and_tag image image_and_tag_without_sha tag tag_minor
+
+    echo "Verifying container base images and up to date ..."
+
+    read -r image_and_tag image image_and_tag_without_sha tag tag_minor < \
+        <(_get_golang_version_from_dockerfile)
+
     # quay paginates 50 items at a time, so it is simpler to use gcrane
     # to list all the tags, than DIY parse the pagination logic
     if ! "${GCRANE_CMD[@]}" ls --platform "linux/amd64" "${image}" 2>/dev/null > "${TAG_LOG}"; then
@@ -582,16 +594,43 @@ verify_module_releases()
     echo -e "Done\n"
 }
 
+_mutate_gomod_files_for_osv_scanner()
+{
+    # mutate go.mod files to include go directive with exact patch version
+    # from main Dockerfile for correct golang stdlib vulnerability information
+    local image_and_tag image image_and_tag_without_sha tag tag_minor
+
+    read -r image_and_tag image image_and_tag_without_sha tag tag_minor < \
+        <(_get_golang_version_from_dockerfile)
+
+    for modfile in **/go.mod; do
+        sed -i.bak -e "s/^go [[:digit:]]\.[[:digit:]]\+/go ${tag}/" "${modfile}"
+    done
+}
+
+_restore_mutated_gomod_files()
+{
+    # restore mutated gomod files to original state
+    for bakfile in **/go.mod.bak; do
+        modfile="${bakfile/.bak}"
+        mv "${bakfile}" "${modfile}"
+    done
+}
+
 verify_vulnerabilities()
 {
     # run osv-scanner to verify if we have open vulnerabilities in deps
     echo "Verifying vulnerabilities ..."
 
-    "${OSVSCANNER_CMD[@]}" -r . > "${SCAN_LOG}" || true
+    _mutate_gomod_files_for_osv_scanner
+
+    "${OSVSCANNER_CMD[@]}" --skip-git -r . > "${SCAN_LOG}" || true
     if ! grep -q "No vulnerabilities found" "${SCAN_LOG}"; then
         cat "${SCAN_LOG}"
     fi
 
+    _restore_mutated_gomod_files
+
     echo -e "Done\n"
 }
 
@@ -612,7 +651,7 @@ if [[ -n "${TAG_EXISTS}" ]]; then
     verify_git_tag_types
     if [[ -n "${RELEASE_EXISTS}" ]]; then
         verify_release_notes
-        verify_release_artefacts
+        verify_release_artifacts
     fi
     verify_container_images
 fi