azure-container-networking/.pipelines/build/scripts/install-go.sh at 9750919d977c7593803ed6f4ca11d019afb810b0 · Azure/azure-container-networking · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#!/bin/bash
set -eux

# Install Go by extracting it from the msft-go container image.
# The golang image reference is read directly from the source Dockerfile for the
# current image (identified by $name), keeping the pipeline in sync with the build.
#
# Priority:
#   1. MSFT_GO_IMAGE env var (explicit override)
#   2. Parsed from the source Dockerfile for $name
#   3. Hardcoded fallback digest below
#
# To update the fallback, run:
#   skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.26-azurelinux3.0 --format "{{.Name}}@{{.Digest}}"
DEFAULT_IMAGE="mcr.microsoft.com/oss/go/microsoft/golang@sha256:5f95bf70f4c437de4a6ba1f72ef1532f69fca392c131fff2172993cabbea359c"

# Resolves the golang image from the source Dockerfile for the given $name.
# Echoes the image reference, or empty string if it cannot be determined.
resolve_go_image() {
  if [[ "${name:-}" == "npm" ]]; then
    # npm uses OS-specific Dockerfiles with a tag-based reference.
    # The image may be field 2 (no --platform) or field 3 (with --platform),
    # so extract the mcr.* token directly.
    # e.g. FROM mcr.../golang:1.25.5 AS builder
    # e.g. FROM --platform=linux/amd64 mcr.../golang:1.25.5 AS builder
    local buildfile="${REPO_ROOT}/npm/${OS:-linux}.Dockerfile"
    grep -m1 '^FROM.*golang' "${buildfile}" | grep -o 'mcr[^ ]*'

  else
    # All other images use a digest-pinned reference and always have --platform,
    # making the image consistently field 3: FROM --platform=X IMAGE AS alias
    local buildfile
    if [[ "${name:-}" == "ipv6-hp-bpf" ]]; then
      buildfile="${REPO_ROOT}/bpf-prog/ipv6-hp-bpf/linux.Dockerfile"
    elif [[ -n "${name:-}" ]]; then
      buildfile="${REPO_ROOT}/${name}/Dockerfile"
    fi

    if [[ -n "${buildfile:-}" && -f "${buildfile}" ]]; then
      grep -m1 '^FROM.*golang' "${buildfile}" | awk '{print $3}'
    fi
  fi
}

if [[ -z "${MSFT_GO_IMAGE:-}" ]]; then
  MSFT_GO_IMAGE="$(resolve_go_image)"
  MSFT_GO_IMAGE="${MSFT_GO_IMAGE:-$DEFAULT_IMAGE}"
fi

ARCH="${ARCH:-amd64}"

# Remove any pre-installed Go to prevent source file contamination.
# tar extract overlays onto the existing directory without deleting files that
# are absent from the archive. When the agent's pre-installed Go and msft-go
# have different source files (e.g. crypto/internal/fips140, internal/runtime),
# both sets survive the overlay, causing redeclaration and undefined-symbol
# build errors.
sudo rm -rf /usr/local/go

# Extract /usr/local/go from the image without needing a Docker daemon.
# crane export streams the full image filesystem; we extract just usr/local/go.
crane export --platform "linux/${ARCH}" "$MSFT_GO_IMAGE" - | sudo tar -xf - -C / usr/local/go

# Prevent the Go toolchain from auto-downloading upstream (non-FIPS) Go.
# With GOTOOLCHAIN=local, the build uses exactly the msft-go we just installed.
export GOTOOLCHAIN=local
echo "##vso[task.setvariable variable=GOTOOLCHAIN]local"

# Clear any build cache left by the agent's previous Go version.
/usr/local/go/bin/go clean -cache 2>/dev/null || true

echo "##vso[task.prependpath]/usr/local/go/bin"