vcs had a release due to a CVE. This updates to the latest version
that mitigates the CVE.
Note, the Makefile was updated so that `make build` would build
without cgo just like gox does in the CI pipeline. They should
both build without cgo so we can catch issues before merging to
master where a canary build would pick up the problem.
Signed-off-by: Matt Farina <matt@mattfarina.com>
(cherry picked from commit 3490f1e7b6)
CircleCI has been failing on 'make test-style' because of a timeout.
This commit increases the timeout.
Signed-off-by: Marc Khouzam <marc.khouzam@montreal.ca>
* Reduce linting severity for users of out-of-date kubernetes
Fixes #8596
Signed-off-by: Joe Julian <me@joejulian.name>
* add more verbose deprecation info
Signed-off-by: Joe Julian <me@joejulian.name>
* use new upstream deprecations
Signed-off-by: Joe Julian <me@joejulian.name>
* do not error for custom resources
Signed-off-by: Joe Julian <me@joejulian.name>
* Define deprecation version in lint rules by LDFLAG
Signed-off-by: Joe Julian <me@joejulian.name>
* make comment clearer
Signed-off-by: Joe Julian <me@joejulian.name>
* Extend the k8s version discovery and constants to chartutil
Signed-off-by: Joe Julian <me@joejulian.name>
* remove awk dependency
Signed-off-by: Joe Julian <me@joejulian.name>
* align k8s version constant names between capabilities.go and deprecations.go
Signed-off-by: Joe Julian <me@joejulian.name>
* show the error if the unexpected happens
Signed-off-by: Joe Julian <me@joejulian.name>
* bump k8sVersionMinor and golden chart templates for k8s 1.20
Signed-off-by: Joe Julian <me@joejulian.name>
* bump for tests to match 1.20.1
Signed-off-by: Joe Julian <me@joejulian.name>
Previously, when there are no *.{gz,zip} files under _dist, the wildcard
will be expanded to 2 strings '_dist/*.gz' and '_dist/*.zip' (see below).
helm$ ls _dist
helm$ make checksum
for f in _dist/*.{gz,zip} ; do \
shasum -a 256 "${f}" | sed 's/_dist\///' > "${f}.sha256sum" ; \
shasum -a 256 "${f}" | awk '{print $1}' > "${f}.sha256" ; \
done
shasum: _dist/*.gz:
shasum: _dist/*.gz:
shasum: _dist/*.zip:
shasum: _dist/*.zip:
helm$ ls _dist
'*.gz.sha256' '*.gz.sha256sum' '*.zip.sha256' '*.zip.sha256sum'
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
When distributions build software it's desirable to have the ability to
define their own linker flags, or Go flags. As `-ldflags` defined in `go
build` overrides `-ldflags` defined in the env variable `GOFLAGS`, there
is a distinct need to be able to replace the default values with new
ones or append to them.
Fixes #8645
Signed-off-by: Morten Linderud <morten@linderud.pw>
Fetching these files is part of the release process. When the new
file type was added this step was missed. It will cause the sign
make target to fail.
Signed-off-by: Matt Farina <matt@mattfarina.com>
When #7277 was merged it was intended to create shasums accessible
in a way shasum -c or sha256sum could use to verify the files the
Helm project ships. The solution created a new file named
shasums.txt. This setup contained a few problems:
1. The new file was not uploaded to get.helm.sh for someone
to download and use.
2. The file had no version in the naming or path. This means that
each new release of Helm will overwrite it. Downloading and
validating an old file is impossible.
3. If one downloads a single file, the shasums.txt file, and uses
shasum -c it will return an exit code that is 1. This is because
of missing files as it is looking for all the files from the
release.
4. The shasums.txt file is not signed for verification like the
other files.
This change fixes these problems with the following changes:
* Instead of a shasums.txt file there is a .sha256sum file for
each package. For example, helm-3.1.0-linux-amd64.zip.sha256sum.
This file can be used with `shasum -a 256 -c` to verify
the single file helm-3.1.0-linux-amd64.zip. The exit code of
checking a single file is 0 if the file passes.
* This new .sha256sum file is signed just like the .tar.gz, .zip,
and .sha256 files. The provenance can be verified.
* The file name starts with `helm-` meaning the existing upload
script in the deploy.sh file will move it to get.helm.sh.
Note, the existing .sha256 file can be deprecated and removed
in Helm v4 with the new .sha256sum file taking over. But,
for backwards compatibility with scripts it needs to be kept
during v3.
Closes #7567
Signed-off-by: Matt Farina <matt@mattfarina.com>
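Added example, not part of the commit messages or of Helm's Makefile: a POSIX sh version of the per-archive checksum scheme described in the commit above, with a guard for the unmatched-wildcard case shown in the earlier `make checksum` commit. The function names and scratch directory are hypothetical, and the sample archive is constructed.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not Helm's.

# Use sha256sum where present, otherwise fall back to shasum -a 256.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Write <file>.sha256 (bare digest) and <file>.sha256sum (digest + name)
# for every archive in directory $1. Prints the number of archives hashed.
write_checksums() {
    dir=$1
    count=0
    for f in "$dir"/*.gz "$dir"/*.zip; do
        # An unmatched glob stays literal; skip it rather than hash "*.gz".
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Hash from inside the directory so the recorded name has no prefix.
        (cd "$dir" && sha256 "$name" > "$name.sha256sum") || return 1
        cut -d ' ' -f 1 "$f.sha256sum" > "$f.sha256"
        count=$((count + 1))
    done
    echo "$count"
}

# Verify one archive against its own .sha256sum file.
# The exit status is 0 only when the digest matches.
verify_one() {
    dir=$(dirname "$1")
    name=$(basename "$1")
    (cd "$dir" && sha256 -c "$name.sha256sum" >/dev/null 2>&1)
}

# Demo on a constructed archive in a scratch directory.
demo=$(mktemp -d)
printf 'constructed sample archive\n' > "$demo/helm-example.tar.gz"
write_checksums "$demo" >/dev/null
verify_one "$demo/helm-example.tar.gz" && echo "helm-example.tar.gz: OK"
rm -rf "$demo"
```

The checksum file only detects corruption or substitution of the archive alone; authenticity still depends on verifying the signature over the .sha256sum file, as the commit message notes.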
With Helm using go modules, its git repo need not reside under
$GOPATH/src/helm.sh anymore. In fact it may be desirable for a user to
move it to another location (e.g., to get the debugger to work).
In the same train of thought, the acceptance-testing repo, which is not
even a go program, need not be in the GOPATH.
This commit reduces the requirement on the location of the
acceptance-testing repo to a relative path to the helm repo, instead
of an absolute path within GOPATH.
Signed-off-by: Marc Khouzam <marc.khouzam@montreal.ca>
Commands shasum -a 256 -c (or) sha256sum -c can read the SHA sum and validate the TAR/ZIP archive
Example:
Download helm-v3.0.2-darwin-amd64.tar.gz.sha256 and helm-v3.0.2-darwin-amd64.tar.gz and running below will result in
shasum -a 256 -c helm-v3.0.2-darwin-amd64.tar.gz.sha256
helm-v3.0.2-darwin-amd64.tar.gz: OK
Closes #4968
Signed-off-by: Thilak Somasundaram <t2same@gmail.com>
These make targets are used as part of the release process. They
had yet to be brought over to the v3 branch from the v2 branch
as they were developed after the branching happened.
Signed-off-by: Matt Farina <matt@mattfarina.com>
CircleCI is used to build the release artifacts and embeds build paths
into the binary release. To reproduce the release binaries we then need
to also build in the same path as a result.
$ strings linux-amd64/helm | grep "home/circleci" | wc -l
174
Go 1.13 introduces `-trimpath` which strips the build path from all
compiled binaries. This should enable people to reproduce the
distributed helm binaries.
https://reproducible-builds.org/docs/source-date-epoch/
https://golang.org/doc/go1.13#go-command
Signed-off-by: Morten Linderud <morten@linderud.pw>
* Allow to run acceptance tests from main Helm repo
To run the acceptance tests, one can now do:
make test-acceptance
Signed-off-by: Marc Khouzam <marc.khouzam@ville.montreal.qc.ca>
* Allow to run completion tests from main Helm repo
To run the completion tests, one can now do:
make test-completion
Signed-off-by: Marc Khouzam <marc.khouzam@ville.montreal.qc.ca>
* Use the word 'clone' instead
Signed-off-by: Marc Khouzam <marc.khouzam@ville.montreal.qc.ca>
* Use test-acceptance-completion naming
Signed-off-by: Marc Khouzam <marc.khouzam@ville.montreal.qc.ca>