From 0d5e062ec6c1e9d6fd0a8f6df98da64c4c35dae1 Mon Sep 17 00:00:00 2001
From: debasishbsws <debasishbsws.dev@gmail.com>
Date: Sun, 28 Jan 2024 23:54:14 +0530
Subject: [PATCH] thanos package update to 0.34.0

Signed-off-by: debasishbsws <debasishbsws.dev@gmail.com>
---
 thanos.yaml                         | 16 ++++----
 thanos/upgrade-grpc-to-1.57.2.patch | 63 +++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 9 deletions(-)
 create mode 100644 thanos/upgrade-grpc-to-1.57.2.patch

diff --git a/thanos.yaml b/thanos.yaml
index 4aeaa7abafa..71e5711e99d 100644
--- a/thanos.yaml
+++ b/thanos.yaml
@@ -1,6 +1,6 @@
 package:
   name: thanos
-  version: 0.33.0
+  version: 0.34.0
   epoch: 0
   description: Highly available Prometheus setup with long term storage capabilities.
   copyright:
@@ -18,21 +18,19 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: 0f025f1ff97826a632435ba8fdcb9e3bc248bb27
+      expected-commit: 18d740f2921ab9dfc4fe5c4650bf21cd6d7a1c64
       repository: https://github.com/thanos-io/thanos
       tag: v${{package.version}}
 
+  - uses: patch
+    with:
+      patches: upgrade-grpc-to-1.57.2.patch
+
   - uses: go/bump
     with:
-      deps: golang.org/x/crypto@v0.17.0 golang.org/x/crypto@v0.17.0
+      deps: golang.org/x/crypto@v0.17.0
 
   - runs: |
-      # Mitigate GHSA-m425-mq94-257g
-      go mod edit -dropreplace=google.golang.org/grpc
-      go get google.golang.org/grpc@v1.58.3
-      go mod edit -replace github.com/sercand/kuberesolver=github.com/sercand/kuberesolver/v5@v5.1.1
-
-      go mod tidy
       make build
 
   - runs: |
diff --git a/thanos/upgrade-grpc-to-1.57.2.patch b/thanos/upgrade-grpc-to-1.57.2.patch
new file mode 100644
index 00000000000..5c2cad80f1b
--- /dev/null
+++ b/thanos/upgrade-grpc-to-1.57.2.patch
@@ -0,0 +1,63 @@
+From effaa8ac16b266c70b3b12273b3cc4d495a49e68 Mon Sep 17 00:00:00 2001
+From: hanyuting8 <hytxidian@163.com>
+Date: Fri, 19 Jan 2024 21:24:17 +0800
+Subject: [PATCH] Upgrade grpc to 1.57.2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+1、In the replace of go.mod, due to weaveworks/common#239, The grpc version is 1.45.0, but there are vulnerabilities in this version. In order to fix CVE-2023-44478, the grpc version needs to be upgraded to 1.57.2
+2、In order to upgrade GRPC, the version of weaveworks/common also needs to be upgraded, otherwise the build will fail
+
+Signed-off-by: hanyuting8 <hytxidian@163.com>
+---
+ go.mod |   7 +-
+ go.sum | 863 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 852 insertions(+), 18 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index 0faf225636..2d1347885c 100644
+--- a/go.mod
++++ b/go.mod
+@@ -33,7 +33,6 @@ require (
+ 	github.com/googleapis/gax-go v2.0.2+incompatible
+ 	github.com/gorilla/mux v1.8.0 // indirect
+ 	github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd // indirect
+-	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
+ 	github.com/grpc-ecosystem/go-grpc-middleware/providers/kit/v2 v2.0.0-20201002093600-73cf2ae9d891
+ 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.0-rc.2.0.20201207153454-9f6bf00c00a7
+ 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
+@@ -70,7 +69,7 @@ require (
+ 	github.com/uber/jaeger-client-go v2.30.0+incompatible
+ 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
+ 	github.com/vimeo/galaxycache v0.0.0-20210323154928-b7e5d71c067a
+-	github.com/weaveworks/common v0.0.0-20221201103051-7c2720a9024d
++	github.com/weaveworks/common v0.0.0-20230728070032-dd9e68f319d5
+ 	go.elastic.co/apm v1.11.0
+ 	go.elastic.co/apm/module/apmot v1.11.0
+ 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
+@@ -136,6 +135,7 @@ require (
+ 	github.com/metalmatze/signal v0.0.0-20210307161603-1c9aa721a97a // indirect
+ 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+ 	github.com/onsi/ginkgo v1.16.5 // indirect
++	github.com/sercand/kuberesolver/v4 v4.0.0 // indirect
+ 	github.com/zhangyunhao116/umap v0.0.0-20221211160557-cb7705fafa39 // indirect
+ 	go.opentelemetry.io/collector/featuregate v1.0.0 // indirect
+ 	go.opentelemetry.io/collector/pdata v1.0.0 // indirect
+@@ -232,7 +232,6 @@ require (
+ 	github.com/rivo/uniseg v0.2.0 // indirect
+ 	github.com/rs/xid v1.5.0 // indirect
+ 	github.com/santhosh-tekuri/jsonschema v1.2.4 // indirect
+-	github.com/sercand/kuberesolver v2.4.0+incompatible // indirect
+ 	github.com/shirou/gopsutil/v3 v3.22.9 // indirect
+ 	github.com/sirupsen/logrus v1.9.3 // indirect
+ 	github.com/spaolacci/murmur3 v1.1.0 // indirect
+@@ -273,7 +272,7 @@ replace (
+ 	github.com/vimeo/galaxycache => github.com/thanos-community/galaxycache v0.0.0-20211122094458-3a32041a1f1e
+ 
+ 	// Override due to https://github.com/weaveworks/common/issues/239
+-	google.golang.org/grpc => google.golang.org/grpc v1.45.0
++	google.golang.org/grpc => google.golang.org/grpc v1.57.2
+ 
+ 	// Overriding to use latest commit.
+ 	gopkg.in/alecthomas/kingpin.v2 => github.com/alecthomas/kingpin v1.3.8-0.20210301060133-17f40c25f497
\ No newline at end of file