From 763e64827ae707060e2b5644fd93f087ac5d9707 Mon Sep 17 00:00:00 2001 From: Chris Banks Date: Sun, 23 Jul 2023 15:17:23 +0100 Subject: [PATCH] Eliminate patch version update toil. We always want to use the latest patch version of our pinned minor version of Go by default. This eliminates the toil of keeping the patch version up-to-date and, more importantly, eliminates human forgetfulness from the security update path. In the extremely unlikely event of a golang patch release causing a regression, it's still trivial to pin the patch version until it's fixed. This also stops us pinning the Go version in 3 different places, which was getting rather silly. go.mod is now the only place where the Go version (major.minor) should normally be specified. --- .github/dependabot.yml | 8 ++++---- .github/workflows/ci.yml | 2 +- .go-version | 1 - Dockerfile | 2 +- README.md | 27 +++++---------------------- 5 files changed, 11 insertions(+), 29 deletions(-) delete mode 100644 .go-version diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1afc37e9..c8d9b7f7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,11 +1,11 @@ +--- version: 2 updates: - - package-ecosystem: gomod + - package-ecosystem: docker directory: / schedule: interval: daily - - - package-ecosystem: docker + - package-ecosystem: gomod directory: / schedule: - interval: weekly + interval: daily diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1647fe50..f528da70 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,7 +18,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: - go-version: '1.20.4' + go-version-file: go.mod - run: make unit_tests - run: make integration_tests env: diff --git a/.go-version b/.go-version deleted file mode 100644 index 0bd54efd..00000000 --- a/.go-version +++ /dev/null @@ -1 +0,0 @@ -1.20.4 diff --git a/Dockerfile b/Dockerfile index e22f3070..6929371d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20.5-alpine AS builder +FROM golang:1.20-alpine AS builder ARG TARGETARCH TARGETOS WORKDIR /src COPY . ./ diff --git a/README.md b/README.md index d822c83b..abdbb7a0 100644 --- a/README.md +++ b/README.md @@ -77,35 +77,18 @@ DEBUG=1 DEBUG_ROUTER=1 make test This project uses [Go Modules](https://github.com/golang/go/wiki/Modules) to vendor its dependencies. To update the dependencies: - go mod vendor +1. Run `go mod tidy && go mod vendor`. +1. Check for any errors and commit. -### Updating the version of Go +Occasionally an old module may need updating explicitly via `go get -u +`, for example `go get -u github.com/streadway/quantile` -Dependabot raises PR's to update the dependencies for Router. This includes raising a PR when a new version of Go is available. However to update the version of Go, it's necessary to do more than just merge this dependabot PR. Here is an [example PR](https://github.com/alphagov/router/pull/345/files) with all the below changes, and here are the steps: - -1. Dependabot's PR will modify the Go version in the Dockerfile (and thus what is build in the Kubernetes engine), but you also need to update the version number in the file `.go-version`. -2. You will also have to update the Go version in `go.mod`. This will necessitate having Go installed on your local machine, changing the version number and running in terminal `go mod tidy` and `go mod vendor` in sequence to update correctly. This may have no changes at all, but see [example pr](https://github.com/alphagov/router/pull/307/commits/c0e4d753a48c71e84a3e4734389191e36bae9611) for a larger update. Also see [Upgrading Go Modules](#upgrading-go-modules). -3. Finally you need to update the go version in `ci.yml`. -4. Before you merge this PR, put the branch onto staging and leave it there for a couple of weekdays. Check for anything unexpected in icinga and sentry. -5. If you are confident that the version bump is safe for production, you can merge your PR and deploy it to production. It is best to do this at a quiet time of the day (such as 7am) to minimise any potential disruption. -6. Make sure govuk-docker is updated to match the new version. See [here](https://github.com/alphagov/govuk-docker/pull/643/files). - -#### Upgrading Go Modules - -Sometimes modules will need to be manually upgraded after the above steps. This will satisfy dependencies that are old and do not use the `go.mod` file management system. Most likely you will see errors that require this when there is a failure to properly vendor `go.mod` due to an unsupported feature call in a dependency. - -To do this, you'll require GoLang installed on your machine. - -1. First, follow point 3 of the above [guide for upgrating](#updating-the-version-of-go) the version of Go. -2. If you determine through test failures that a module will need to be upgraded, in terminal at the root of `router` type in the following: `go get -u [repo-of-module]` - For example: `go get -u github.com/streadway/quantile` -3. Run `go mod tidy` and `go mod vendor`. Check for any errors and commit. ### Further documentation - [Data structure](docs/data-structure.md) - [Original thinking behind the router](https://gdstechnology.blog.gov.uk/2013/12/05/building-a-new-router-for-gov-uk) -- [Example of adding a metric](https://github.com/alphagov/router/commit/b443d3dd9cf776143eed270d01bd98d2233caea6) using the [Go prometheus client library](https://godoc.org/github.com/dnesting/client_golang/prometheus) - +- [Example of adding a metric](https://github.com/alphagov/router/commit/b443d3d) using the [Go prometheus client library](https://godoc.org/github.com/dnesting/client_golang/prometheus) ## Licence