Modernize build: Go modules + current Go toolchain (1.0.1) #1
Merged
Migrate off the dead Go 1.7 / godep / go-bindata toolchain to Go modules built with a current Go, clearing the Go-stdlib CVEs flagged on the shipped binary. v1.0.0 runtime behavior and CLI flags are unchanged.

- add go.mod/go.sum (module github.com/cloud66/gotty); drop Godeps/
- swap deprecated deps: codegangsta/cli -> urfave/cli (v1, API-compatible), kr/pty -> creack/pty; bump gorilla/websocket -> v1.5.3 (CVE-2020-27813)
- re-vendor with go mod vendor (keeps the unmaintained orphan deps in-repo)
- replace the dead wercker pipeline with GitHub Actions (ci + release); release builds a static linux/amd64 gotty_linux_amd64_<ver>.tar.gz matching cloud66/central's installer contract
- drop the libapps submodule; web assets stay baked in app/resource.go
- minor: log.Print for no-verb logs, os.ReadFile over deprecated io/ioutil
- bump Version 1.0.0 -> 1.0.1
Why
The shipped gotty binary is built with Go 1.7, which trips vulnerability scanners on the large set of Go-stdlib CVEs fixed since. This is the minimum change to get off the dead toolchain and onto Go modules built with a current Go — no rewrite, no behavior change. (Upstream yudai/gotty only moved on to an abandoned v2.0.0-alpha that changes the CLI/protocol and would break central's integration, so modernizing v1.0.0 in place is the right path.)

What changed
- go.mod/go.sum (module github.com/cloud66/gotty); removed Godeps/ and the pre-module vendor tree.
- codegangsta/cli → urfave/cli (v1, API-identical), kr/pty → creack/pty. Bumped gorilla/websocket → v1.5.3 (fixes CVE-2020-27813).
- go mod vendor — the unmaintained orphan deps (braintree/manners, yudai/hcl, yudai/umutex) stay committed in-repo as a supply-chain safety net.
- wercker.yml with GitHub Actions — ci.yml (gofmt + vet + build) and release.yml (on a v* tag, builds a static CGO-free gotty_linux_amd64_<ver>.tar.gz and attaches it to the Release; optional S3 upload when creds are configured).
- libapps submodule (assets remain baked into the generated app/resource.go); small log/io modernizations; Version → 1.0.1.

Verification
- go build / go vet / gofmt clean; binaries embed go1.26.3 (was go1.7).
- central's exact launch flags under TLS — all accepted; static assets serve 200; auth_token.js keeps application/javascript.

Follow-ups (not in this repo)
- gotty_linux_amd64_1_0_1.tar.gz to s3://downloads.cloud66.com/gotty/ (or wire the release.yml S3 secrets).
- cloud66/central app/models/versions/gotty.rb VERSION_LATEST 1.0.0 → 1.0.1 so servers install the rebuilt binary.
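
One way to check the toolchain and gorilla/websocket claims from the Verification list against a built binary, as an added example that is not code from this pull request. The helper names (verKey, below, audit) are hypothetical, and the floors go1.26.3 and v1.5.3 are the values quoted in the description, used here as an assumed policy.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// verKey maps "go1.26.3" or "v1.5.3" to a sortable integer (components < 1000 assumed).
func verKey(s string) (key int, ok bool) {
	var a, b, c int
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	n, _ := fmt.Sscanf(s, "%d.%d.%d", &a, &b, &c) // "1.7" parses as 1.7.0
	return a*1000000 + b*1000 + c, n >= 2
}

// below reports whether have is older than floor; unparseable input counts as older.
func below(have, floor string) bool {
	h, ok1 := verKey(have)
	f, ok2 := verKey(floor)
	return !ok1 || !ok2 || h < f
}

// audit returns one finding per component that is below its floor.
func audit(goVer string, deps map[string]string, minGo, minWS string) (out []string) {
	const ws = "github.com/gorilla/websocket"
	if below(goVer, minGo) {
		out = append(out, fmt.Sprintf("toolchain %s is older than %s", goVer, minGo))
	}
	if v, ok := deps[ws]; ok && below(v, minWS) {
		out = append(out, fmt.Sprintf("%s %s is older than %s", ws, v, minWS))
	}
	return out
}

func main() {
	info, err := buildinfo.ReadFile(os.Args[len(os.Args)-1]) // no argument: audits itself
	if err != nil {
		fmt.Println("FAIL: no readable Go build info:", err)
		os.Exit(1)
	}
	deps := map[string]string{}
	for _, d := range info.Deps {
		deps[d.Path] = d.Version
	}
	findings := audit(info.GoVersion, deps, "go1.26.3", "v1.5.3")
	fmt.Println(strings.Join(findings, "\n"))
	os.Exit(len(findings))
}
```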