From 34c022762ac2da45c73dabdc4a27c435add7802f Mon Sep 17 00:00:00 2001
From: LaunchDarklyReleaseBot
 <86431345+LaunchDarklyReleaseBot@users.noreply.github.com>
Date: Thu, 29 Dec 2022 13:00:15 -0800
Subject: [PATCH] prepare 6.7.15 release (#212)

* don't return 503 if SDK initialization has timed out

* add in-repo docs about error/503 behavior (#249)

* [ch102255] BigSegments DynamoDB (#245)

* add init timeout config option + better test coverage + misc refactoring (#250)

* fix example build command

* use public prerelease tags instead of private dependencies

* fix Go installation in CI

* update SDK dependencies for JSON number parsing bugfix

* update gorilla/mux to 1.8.0

* update OpenCensus packages

* add Go 1.16 CI + "latest Go" CI + use latest 1.15 patch for release

* cimg images use "current", not "latest"

* seems there isn't any cimg/go "latest" or "current"

* add daily package build test in CI

* job names

* bump SDK version for traffic allocation feature

* [ch113491] update alpine base image (#258)

* use latest prerelease SDK

* fix enabling of test tags in CI

* add DynamoDB docker image in CI

* set a polling base URI in end-to-end tests since big segments logic will use it

* fix initialization logic so SDK client creation errors aren't lost when big segments are enabled

* fix use of prefix key in DynamoDB + improve tests (#260)

* more debug logging, less info logging for big segments logic

* make logging of big segments patch version mismatch clearer and use Warn level

* fix log parameter

* fix DynamoDB updates for big segments metadata

* add test to make sure sync time and cursor can be updated independently

* only start big seg synchronizer if necessary

* use SDK GA releases

* change applyPatch to exit early on version mismatch; go back to restarting stream in this case

* add unit tests for version mismatch behavior + DRY tests

* add log assertion

* fix retry logic on big segments stream failure

* add more logging for big segments connection status

* fix logging assertion

* add more big segments integration tests

* fix overly-time-sensitive file data tests

* fix more flaky tests

* run big segments tests with DynamoDB too

* Migrate transitive dep (jwt-go) to use modern version without vulnerability.

* Edit doc

* move Relay release logic to .ldrelease script

* suppress SDK big segments status query if we've never synced big segments

* dump Relay logs including debug logs if integration test fails

* include environment prefix in BigSegmentSynchronizer logging

* increase big segment integration test timeout (#274)

* generate client-side stream pings if big segments have changed

* clear big segments cache as needed + simplify state management

* fix tests and simplify component creation

* use GA releases of SDK packages

* disable CI package-build-test in Go 1.16+

* Migrate Relay release to Releaser v2 and support dry run (#278)

* Adding degraded doc blurb for big segments (#280)

* respect Redis password & TLS options for big segments; add Redis password integration tests

* redact Redis URL password in logs and status resource

* update go-server-sdk-redis-redigo to 1.2.1 for Redis URL logging fix

* Part 1, add the config and the documentation for the new config

* Part 2, Add the configuration validation and test

* Part 3, the actual logic to include the headers in the CORS Access-Control-Allow-Headers

* Linter

* update Alpine version to 3.14.2 to fix openssl CVEs

* Fix the global variable modification

* Go format

* turn off unnecessary metrics integrations in config for Docker smoke test

* rename test.env to smoke-test.env to clarify what it's for

* fix setting of custom Access-Control-Allow-Origin and add test (#285)

* add more explanatory test output and more verbose debugging for big segments integration tests (#287)

* update to Go 1.16.10 + Alpine 3.14.3; add some docs about releases (#288)

* update go-server-sdk-consul version for Consul API version update

* override x/crypto dependency version for CVE-2020-29652

* bump Prometheus dependency to eliminate jwt-go vulnerability

* drop support for Go 1.14 & 1.15

* make sure defaults are always applied for base URL properties

* rm unused

* rm unnecessary linter directive

* add separate configuration for server-side/client-side SDK base URLs & update the defaults

* remove Whitesource CI job + remove obsolete dependency issue note

* don't include any big segment status info in status resource unless that feature is active (#296)

* don't include any big segment status info in status resource unless that feature is active

* fix Big Segments staleness logic in status resource

* documentation

* update x/text package for vulnerability GO-2021-0113

* add Trivy security scan to CI (#297)

* add daily re-scan with Trivy

* use long timeout when awaiting changes related to file mod watching

* update Go version to 1.17.6 (#301)

* always terminate if auto-config stream fails with a fatal error

* pass along tags header when proxying events

* comments, rm debugging

* fix auth header logic

* fix auth header logic some more

* comments

* add tags header to CORS header whitelist (#304)

* update to Alpine 3.14.4 for CVE-2022-0778 fix

* force upgrade of openssl in Alpine

* also upgrade libretls

* fix it in both files

* update to Alpine 3.14.5 for CVE-2022-0778/CVE-2018-25032 (#308)

* update to Alpine 3.14.5 for CVE-2022-0778

* revert patches that are now included in Alpine 3.14.5

* add scripts for checking and updating Go/Alpine versions (#309)

* update to Alpine 3.14.5 for CVE-2022-0778

* add scripts for checking and updating Go/Alpine versions

* also make sure the Docker images really exist

* update CONTRIBUTING.md

* fix file rename

* revert patches that are now included in Alpine 3.14.5

* update Alpine to 3.14.6 for CVE-2022-28391

* update SDK packages (includes sc-136333 fix)

* don't include "v" prefix in Docker image version

* update go-server-sdk-dynamodb for data size error fix & add docs (#316)

* update builds to use Go 1.17.9 and fix the update script

* update go-server-sdk-consul to latest release

* update remote Docker version

* update golang.org/x/crypto for CVE-2022-27191 (#321)

* update golang.org/x/crypto for CVE-2022-27191

* fix go.sum

* update eventsource for SSE output efficiency fix (#322)

* Cache the replay event in case we get multiple new client connections (#189)

* Cache the replay event in case we get multiple new client connections

* Use singleflight to ensure only one replay event is generated at a time

Co-authored-by: Moshe Good <moshe@squareup.com>

* don't install curl in Docker images

* fix makefile logic for lint step

* remove indirect curl-based request logic in integration tests

* fix linter installation

* update Go to 1.17.11, Alpine to 3.16.0

* improve concurrency test to verify that the data is or isn't from a separate query

* fix lint warnings and remove unnecessary error return

* update libssl & libcrypto versions for CVE-2022-2097

* add security scan of already-published Docker image (#328)

* update Alpine version and some Go libraries to address CVEs (#329)

* use Alpine 3.16.1

* update golang.org/x/net and golang.org/x/sync patch versions for CVEs

* update golang.org/x/sys patch version for CVE

* update Prometheus client library for CVE-2022-21698

* ensure that DynamoDB config is consistent between Big Segments and regular data store

* comment

* update Alpine to 3.16.2

* update golangci-lint and go-junit-report

* fix CI

* prevent traversal of directories outside target path when expanding archive

* enforce TLS >= 1.2 for secure Redis

* misc linter updates

* fix test message

* add Go 1.18 & 1.19 jobs

* make test expectation less Go-version-dependent

* linting

* revert unnecessary change

* fix installation of test coverage tool

* migrate to AWS Go SDK v2 for DynamoDB (#333)

* update to Go 1.19.2

* update golang.org/x/net for CVE-2022-27664

* update golang.org/x/text for CVE-2022-32149

* update Consul API dependency to avoid false report of CVE-2022-40716

* switch to fork of Stackdriver metrics client to remove AWS transitive dependency (#343)

* update to Go 1.19.4 and Alpine 3.16.3

* override golang.org/x/net for CVE-2022-41717 only when building executables for release

Co-authored-by: Eli Bishop <eli@launchdarkly.com>
Co-authored-by: LaunchDarklyCI <dev@launchdarkly.com>
Co-authored-by: hroederld <hroeder@launchdarkly.com>
Co-authored-by: LaunchDarklyReleaseBot <launchdarklyreleasebot@launchdarkly.com>
Co-authored-by: Dan Richelson <drichelson@launchdarkly.com>
Co-authored-by: Dan Richelson <drichelson@users.noreply.github.com>
Co-authored-by: Ben Woskow <48036130+bwoskow-ld@users.noreply.github.com>
Co-authored-by: Ben Woskow <bwoskow@launchdarkly.com>
Co-authored-by: Louis Chan <lchan@launchdarkly.com>
Co-authored-by: Louis Chan <91093020+louis-launchdarkly@users.noreply.github.com>
Co-authored-by: Moshe Good <moshegood@users.noreply.github.com>
Co-authored-by: Moshe Good <moshe@squareup.com>
---
 .circleci/config.yml      |  2 +-
 .ldrelease/config.yml     |  2 +-
 Dockerfile                |  4 ++--
 Dockerfile.goreleaser     |  2 +-
 Makefile                  |  4 ++--
 scripts/run-goreleaser.sh | 29 +++++++++++++++++++++++++++++
 6 files changed, 36 insertions(+), 7 deletions(-)
 create mode 100755 scripts/run-goreleaser.sh

diff --git a/.circleci/config.yml b/.circleci/config.yml
index f329e4a9..451790b3 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -9,7 +9,7 @@ parameters:
   # override it in any parameterized builds, but just as a convenient shareable constant
   go-release-version:
     type: string
-    default: "1.19.2"
+    default: "1.19.4"
 
   # We use a remote Docker host in some CI jobs that need to run Docker containers.
   # As of 2022-04-15, the default Docker daemon version was 17.09.0-ce, which started
diff --git a/.ldrelease/config.yml b/.ldrelease/config.yml
index 15386979..45657238 100644
--- a/.ldrelease/config.yml
+++ b/.ldrelease/config.yml
@@ -38,7 +38,7 @@ repo:
 
 jobs:
   - docker:
-      image: cimg/go:1.19.2   # See "Runtime platform versions" in CONTRIBUTING.md
+      image: cimg/go:1.19.4   # See "Runtime platform versions" in CONTRIBUTING.md
       copyGitHistory: true
     template:
       name: go
diff --git a/Dockerfile b/Dockerfile
index 16b197e7..8f4149d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # This is a standalone Dockerfile that does not depend on goreleaser building the binary
 # It is NOT the version that is pushed to dockerhub
-FROM golang:1.19.2-alpine3.16 as builder
+FROM golang:1.19.4-alpine3.16 as builder
 # See "Runtime platform versions" in CONTRIBUTING.md
 
 RUN apk --no-cache add \
@@ -21,7 +21,7 @@ ENV GOPATH=/go
 
 RUN go build -a -o ldr .
 
-FROM alpine:3.16.2
+FROM alpine:3.16.3
 
 RUN addgroup -g 1000 -S ldr-user && \
     adduser -u 1000 -S ldr-user -G ldr-user && \
diff --git a/Dockerfile.goreleaser b/Dockerfile.goreleaser
index bd811452..fa6b5f0d 100644
--- a/Dockerfile.goreleaser
+++ b/Dockerfile.goreleaser
@@ -2,7 +2,7 @@
 
 # See .ldrelease/config.yml for an explanation of the build/release process.
 
-FROM alpine:3.16.2
+FROM alpine:3.16.3
 # See "Runtime platform versions" in CONTRIBUTING.md
 
 RUN apk add --no-cache \
diff --git a/Makefile b/Makefile
index ef13230b..4b16cc75 100644
--- a/Makefile
+++ b/Makefile
@@ -70,10 +70,10 @@ RELEASE_CMD=curl -sL https://git.io/goreleaser | GOPATH=$(mktemp -d) VERSION=$(G
 # because during a release, we may need to run this command under another account and we
 # don't want to mess up file permissions in the regular GOPATH.
 publish:
-	$(RELEASE_CMD)
+	./scripts/run-goreleaser.sh $(GORELEASER_VERSION)
 
 products-for-release:
-	$(RELEASE_CMD) --skip-publish --skip-validate
+	./scripts/run-goreleaser.sh $(GORELEASER_VERSION) --skip-publish --skip-validate
 
 DOCKER_COMPOSE_TEST=docker-compose -f docker-compose.test.yml
 
diff --git a/scripts/run-goreleaser.sh b/scripts/run-goreleaser.sh
new file mode 100755
index 00000000..26b287e8
--- /dev/null
+++ b/scripts/run-goreleaser.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# run-goreleaser.sh <goreleaser version> <any other goreleaser options>...
+#
+# Builds the Docker image and all other executables that we intend to publish.
+# This also pushes the image to DockerHub unless we have specifically told it not to with
+# the --skip-publish option.
+
+GORELEASER_VERSION=$1
+if [[ -z "${GORELEASER_VERSION}" ]]; then
+  echo "Must set GORELEASER_VERSION before calling this script"
+  exit 1
+fi
+shift
+
+# Get the lines added to the most recent changelog update (minus the first 2 lines)
+RELEASE_NOTES=`(GIT_EXTERNAL_DIFF='bash -c "diff --unchanged-line-format=\"\" $2 $5" || true' git log --ext-diff -1 --pretty= -p CHANGELOG.md)`
+
+# Temporarily add a package override to go.mod to fix CVE-2022-41717. In our 6.x releases, we can't just
+# have this override in go.mod all the time because it isn't compatible with Go 1.16. But we never use
+# Go 1.16 to build our published executables and we do want the fix in those.
+cp go.mod go.mod.bak
+cp go.sum go.sum.bak
+trap "mv go.mod.bak go.mod; mv go.sum.bak go.sum" EXIT
+go get golang.org/x/net@v0.4.0
+go mod tidy
+
+curl -sL https://git.io/goreleaser | GOPATH=`mktemp -d` VERSION=${GORELEASER_VERSION} bash -s -- \
+  --rm-dist --release-notes <(echo "${RELEASE_NOTES}") $@