Closed
Changes from 11 commits
Commits
23 commits
c1a3287
Auto generated from templates by gromit
Nov 5, 2025
28aa058
update redishost (#7513)
Razeen-Abdal-Rahman Nov 5, 2025
39adeb3
upgrade tests debugging (#7515)
Razeen-Abdal-Rahman Nov 5, 2025
d05b992
update plugin compiler go version
Razeen-Abdal-Rahman Nov 5, 2025
c75e15d
update plugin compiler go version
Razeen-Abdal-Rahman Nov 5, 2025
75a1150
gromit sync (#7516)
Razeen-Abdal-Rahman Nov 6, 2025
d970606
upgrade test debugging
Razeen-Abdal-Rahman Nov 6, 2025
c0f91d5
upgrade test debugging
Razeen-Abdal-Rahman Nov 6, 2025
fcf20dc
upgrade test debugging - readd httpbin service
Razeen-Abdal-Rahman Nov 6, 2025
c4aa20c
upgrade test debugging - readd httpbin service
Razeen-Abdal-Rahman Nov 6, 2025
5916864
upgrade test debugging - revert changes
Razeen-Abdal-Rahman Nov 6, 2025
14680be
update plugin compiler go version to use tykio/golang-cross
Razeen-Abdal-Rahman Nov 6, 2025
3a5b234
update plugin compiler go version in workflow
Razeen-Abdal-Rahman Nov 6, 2025
9433831
debug upgrade tests add log dump
Razeen-Abdal-Rahman Nov 6, 2025
b01c78e
debug upgrade tests edit redis cmd
Razeen-Abdal-Rahman Nov 6, 2025
91ada7c
debug upgrade tests fix docker logs
Razeen-Abdal-Rahman Nov 6, 2025
8eeb230
debug upgrade tests fix docker logs
Razeen-Abdal-Rahman Nov 6, 2025
2334ed2
debug upgrade tests fix docker logs
Razeen-Abdal-Rahman Nov 6, 2025
cd90873
debug upgrade tests fix docker logs
Razeen-Abdal-Rahman Nov 6, 2025
ad2bea4
debug upgrade tests fix docker logs, remove --rm
Razeen-Abdal-Rahman Nov 6, 2025
2904ea1
debug upgrade tests fix docker logs, move log location for upgrade-deb
Razeen-Abdal-Rahman Nov 6, 2025
d1d0490
use updated bullseye image
Razeen-Abdal-Rahman Nov 10, 2025
a0e1395
Auto generated from templates by gromit
Nov 10, 2025
101 changes: 85 additions & 16 deletions .github/workflows/release.yml
Expand Up @@ -41,15 +41,16 @@
fail-fast: false
matrix:
golang_cross:
- 1.24-bullseye
- 1.24-bookworm
include:
- golang_cross: 1.24-bullseye
- golang_cross: 1.24-bookworm
goreleaser: 'ci/goreleaser/goreleaser.yml'
cgo: 1
rpmvers: 'el/7 el/8 el/9 amazon/2 amazon/2023'
debvers: 'ubuntu/xenial ubuntu/bionic ubuntu/focal ubuntu/jammy ubuntu/noble debian/jessie debian/buster debian/bullseye debian/bookworm debian/trixie'
outputs:
ee_tags: ${{ steps.ci_metadata_ee.outputs.tags }}
fips_tags: ${{ steps.ci_metadata_fips.outputs.tags }}
std_tags: ${{ steps.ci_metadata_std.outputs.tags }}
commit_author: ${{ steps.set_outputs.outputs.commit_author}}
steps:
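Review bot: switching the only matrix entry from `1.24-bullseye` to `1.24-bookworm` with `cgo: 1` changes the glibc the binaries are linked against (bookworm ships 2.36), while `debvers` still lists debian/jessie, buster and bullseye as publish targets; please confirm the cross image links those builds statically, or run `objdump -T` on a built binary and check the highest `GLIBC_` version it requires, before the packages go to those channels. The new `fips_tags` output follows the existing `ee_tags`/`std_tags` pattern and looks fine.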
Expand Down Expand Up @@ -98,7 +99,7 @@
ci/bin/unlock-agent.sh
git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com"
git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk
goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign' || '' }}' | tee /tmp/build.sh
goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}' | tee /tmp/build.sh
chmod +x /tmp/build.sh
docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \
-e GOPRIVATE=github.com/TykTechnologies \
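Review bot: both arms of the conditional now end in `--skip=docker`, so the expression can be simplified to `${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot --skip=sign' || '' }} --skip=docker`; that makes it obvious that goreleaser never builds images any more and that the explicit build-push steps are the only path by which images get published.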
Expand All @@ -124,16 +125,16 @@
role-to-assume: arn:aws:iam::754489498669:role/ecr_rw_tyk
role-session-name: cipush
aws-region: eu-central-1
# Don't mask to pass it across job boundaries
mask-aws-account-id: false
Check warning on line 129 in .github/workflows/release.yml
probelabs / Visor: architecture
architecture Issue
The workflow uses a hardcoded Go version string '1.24-bookworm' in multiple 'if' conditions. This creates a maintenance burden, as every instance will need to be updated when the Go version in the matrix changes.
Raw output
Since the matrix currently contains only one Go version, these 'if' conditions are redundant and can be removed. If the intent is to run these steps only for a specific 'primary' Go version when more versions are added to the matrix, define the primary version as a variable at the job or workflow level and reference that variable in the conditions. This avoids scattering the hardcoded version string throughout the file.
- uses: aws-actions/amazon-ecr-login@v2
id: ecr
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
with:
mask-password: 'true'
- name: Docker metadata for ee CI
id: ci_metadata_ee
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/metadata-action@v5
with:
images: |
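Review bot: the ECR login step (`id: ecr`) is now gated on `matrix.golang_cross == '1.24-bookworm'`, and every later step that reads `steps.ecr.outputs.registry` has to carry the identical string; a typo in one of them would not fail the job but would yield an empty registry prefix and a push to an unintended image name. Define the primary matrix value once (for example in job-level `env`) and compare against that, as the Visor comment also suggests.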
Expand All @@ -148,7 +149,7 @@
type=semver,pattern={{major}}.{{minor}},prefix=v
type=semver,pattern={{version}},prefix=v
- name: push ee image to CI
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
Expand Down Expand Up @@ -182,7 +183,7 @@
org.opencontainers.image.vendor=tyk.io
org.opencontainers.image.version=${{ github.ref_name }}
- name: push ee image to prod
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
Expand All @@ -194,12 +195,77 @@
cache-to: type=gha,mode=max
push: ${{ startsWith(github.ref, 'refs/tags') }}
tags: ${{ steps.tag_metadata_ee.outputs.tags }}
labels: ${{ steps.tag_metadata_ee.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-gateway-ee
- name: Docker metadata for fips CI
id: ci_metadata_fips
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/metadata-action@v5
with:
images: |
${{ steps.ecr.outputs.registry }}/tyk
flavor: |
latest=false
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,format=long
type=semver,pattern={{major}},prefix=v
type=semver,pattern={{major}}.{{minor}},prefix=v
type=semver,pattern={{version}},prefix=v
- name: push fips image to CI
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
platforms: linux/amd64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
push: true
cache-from: type=gha
cache-to: type=gha,mode=max
tags: ${{ steps.ci_metadata_fips.outputs.tags }}
labels: ${{ steps.ci_metadata_fips.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-gateway-fips
- name: Docker metadata for fips tag push
id: tag_metadata_fips
uses: docker/metadata-action@v5
with:
images: |
tykio/tyk-gateway-fips
flavor: |
latest=false
prefix=v
tags: |
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.title=Tyk Gateway FIPS
org.opencontainers.image.description=Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols Built with boringssl
org.opencontainers.image.vendor=tyk.io
org.opencontainers.image.version=${{ github.ref_name }}
- name: push fips image to prod
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
platforms: linux/amd64
file: ci/Dockerfile.distroless
provenance: mode=max
sbom: true
cache-from: type=gha
cache-to: type=gha,mode=max
push: ${{ startsWith(github.ref, 'refs/tags') }}
Check failure on line 261 in .github/workflows/release.yml
probelabs / Visor: dependency
architecture Issue
The pull request introduces a new FIPS-compliant build and publishes a new Docker image, `tykio/tyk-gateway-fips`. However, there is no corresponding change or linked pull request for the `tyk-charts` repository. Without updates to the Helm chart, users will have no standard way to deploy this new FIPS-enabled gateway variant, rendering the feature incomplete from a deployment perspective.
Raw output
The `tyk-charts` repository requires updates to its `values.yaml` and deployment templates to support selecting this new image. A link to the corresponding `tyk-charts` PR should be included in this PR's description.
tags: ${{ steps.tag_metadata_fips.outputs.tags }}
labels: ${{ steps.tag_metadata_fips.outputs.labels }}
build-args: |
BUILD_PACKAGE_NAME=tyk-gateway-fips
- name: Docker metadata for std CI
id: ci_metadata_std
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/metadata-action@v5
with:
images: |
Check warning on line 271 in .github/workflows/release.yml
probelabs / Visor: quality
architecture Issue
The addition of a FIPS build has introduced significant code duplication. The steps for Docker metadata generation, building, and pushing images are now repeated for `ee`, `fips`, and `std` variants. This makes the workflow file harder to read and maintain, as any change to the push logic must be applied in three separate places.
Raw output
To improve maintainability and reduce redundancy, refactor the duplicated Docker build-and-push steps into a reusable workflow or a composite action. This would centralize the logic, making the main workflow cleaner and easier to manage.
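Review bot: `push fips image to CI` and `push fips image to prod` are gated on the matrix value, but `Docker metadata for fips tag push` (`id: tag_metadata_fips`) is not, so on any second matrix entry it runs for nothing; add the same `if:` for consistency. The description label reads "... TCP and gRPC protocols Built with boringssl": add the missing period, and consider "BoringCrypto", since the goreleaser change sets `GOEXPERIMENT=boringcrypto` rather than linking BoringSSL directly. For an image published as FIPS it would also be worth a build-time assertion that the packaged binary really has BoringCrypto enabled (for example a small check that `crypto/boring.Enabled()` returns true); otherwise a template regression would silently ship a non-FIPS `tykio/tyk-gateway-fips`. `provenance: mode=max` and `sbom: true` on both pushes are good.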
Expand All @@ -214,7 +280,7 @@
type=semver,pattern={{major}}.{{minor}},prefix=v
type=semver,pattern={{version}},prefix=v
- name: push std image to CI
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
Expand Down Expand Up @@ -248,7 +314,7 @@
org.opencontainers.image.vendor=tyk.io
org.opencontainers.image.version=${{ github.ref_name }}
- name: push std image to prod
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
uses: docker/build-push-action@v6
with:
context: "dist"
Expand All @@ -265,7 +331,7 @@
BUILD_PACKAGE_NAME=tyk-gateway
- name: save deb
uses: actions/upload-artifact@v4
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
with:
name: deb
retention-days: 1
Expand All @@ -275,7 +341,7 @@
!dist/*fips*.deb
- name: save rpm
uses: actions/upload-artifact@v4
if: ${{ matrix.golang_cross == '1.24-bullseye' }}
if: ${{ matrix.golang_cross == '1.24-bookworm' }}
with:
name: rpm
retention-days: 1
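Review bot: `save deb` excludes `!dist/*fips*.deb`, so the fips package is never uploaded as an artifact and the install/upgrade tests further down only exercise the standard package; if that is intentional, say so in a comment next to the exclusion, otherwise add a fips artifact so the FIPS package gets the same install test as the one it is meant to replace in regulated deployments.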
Expand Down Expand Up @@ -363,7 +429,7 @@
timeout-minutes: 30
id: test_execution
with:
user_api_secret: ${{ steps.env_up.outputs.USER_API_SECRET }}
Check warning on line 432 in .github/workflows/release.yml
probelabs / Visor: quality
style Issue
The upgrade test for Debian packages uses a hardcoded previous version (`3.0.8`). This 'magic number' lacks context and makes the test harder to understand and maintain, especially if this version needs to be updated in the future. A similar issue exists for the RPM test on line 484.
Raw output
To improve clarity and maintainability, define the version as a variable at the job level (e.g., in `env`) and reference it in the `run` step. Alternatively, add a comment explaining why this specific version is used for upgrade testing.
- name: Generate test reports and collect logs
uses: TykTechnologies/github-actions/.github/actions/tests/reporting@main
if: always() && (steps.test_execution.conclusion != 'skipped')
Expand Down Expand Up @@ -420,13 +486,14 @@
echo 'FROM ${{ matrix.distro }}
ARG TARGETARCH
COPY tyk-gateway*_${TARGETARCH}.deb /tyk-gateway.deb
RUN apt-get update && apt-get install -y curl
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh | bash && apt-get install -y tyk-gateway=3.0.8
RUN apt-get update && apt-get install -y curl redis-server
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh | bash || echo "Repository setup failed, but continuing"
Check warning on line 490 in .github/workflows/release.yml
probelabs / Visor: security
security Issue
The CI workflow for upgrade tests uses `curl | bash` to download and execute a repository setup script from `packagecloud.io`. This pattern is risky as it executes remote code without an integrity check. If the remote server were compromised or a man-in-the-middle attack were successful (despite TLS), it could lead to arbitrary code execution within the CI runner, potentially exposing secrets or compromising build artifacts.
Raw output
To mitigate this risk, download the script to a file, verify its integrity with a checksum (e.g., SHA256) if one is provided by the vendor, and only then execute it. If no checksum is available, consider replicating the script's commands directly within the Dockerfile to avoid executing unverified remote code.
RUN apt-get install -y tyk-gateway=3.0.8 || echo "Previous version not found, testing fresh install"
RUN dpkg -i /tyk-gateway.deb

RUN /opt/tyk-gateway/install/setup.sh --listenport=8080 --redishost=localhost --redisport=6379 --domain=""
COPY ci/tests/api-functionality/data/api.json /opt/tyk-gateway/apps/
CMD ["/opt/tyk-gateway/tyk", "--conf", "/opt/tyk-gateway/tyk.conf"]
CMD redis-server --daemonize yes && sleep 2 && /opt/tyk-gateway/tyk --conf /opt/tyk-gateway/tyk.conf
' | tee Dockerfile
- name: install on ${{ matrix.distro }}
uses: docker/build-push-action@v6
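Review bot: the new `|| echo "Repository setup failed, but continuing"` and `|| echo "Previous version not found, testing fresh install"` turn every failure of the repository setup or of the old-version install into a pass, so this step no longer proves that an upgrade from `3.0.8` works: it silently degrades to a fresh install and CI stays green. Fail hard on the `apt-get install -y tyk-gateway=3.0.8` line (or record the outcome and assert on it in the test step) so a broken upgrade path is caught. In the `CMD`, `sleep 2` is a race between `redis-server --daemonize yes` and the gateway start; a loop on `redis-cli ping` until it answers `PONG` is more reliable. Note also that `dpkg -i /tyk-gateway.deb` installs the candidate package with no signature check, whereas the RPM path below runs `rpm --checksig` first.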
Expand Down Expand Up @@ -479,7 +546,9 @@
COPY tyk-gateway*.${RHELARCH}.rpm /tyk-gateway.rpm
RUN command -v curl || yum install -y curl
RUN command -v useradd || yum install -y shadow-utils
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.rpm.sh | bash && yum install -y tyk-gateway-3.0.8-1
RUN yum install -y redis
RUN curl -fsSL https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.rpm.sh | bash || echo "Repository setup failed, but continuing"
Check warning on line 550 in .github/workflows/release.yml
probelabs / Visor: security
security Issue
The CI workflow for upgrade tests uses `curl | bash` to download and execute a repository setup script from `packagecloud.io`. This pattern is risky as it executes remote code without an integrity check. If the remote server were compromised or a man-in-the-middle attack were successful (despite TLS), it could lead to arbitrary code execution within the CI runner, potentially exposing secrets or compromising build artifacts.
Raw output
To mitigate this risk, download the script to a file, verify its integrity with a checksum (e.g., SHA256) if one is provided by the vendor, and only then execute it. If no checksum is available, consider replicating the script's commands directly within the Dockerfile to avoid executing unverified remote code.
RUN yum install -y tyk-gateway-3.0.8-1 || echo "Previous version not found, testing fresh install"
RUN curl https://keyserver.tyk.io/tyk.io.rpm.signing.key.2020 -o tyk-gateway.key && rpm --import tyk-gateway.key
RUN rpm --checksig /tyk-gateway.rpm
RUN rpm -Uvh --force /tyk-gateway.rpm
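Review bot: same concern as the deb path: `|| echo "Repository setup failed, but continuing"` and `|| echo "Previous version not found, testing fresh install"` make the upgrade scenario optional, so a missing or broken `tyk-gateway-3.0.8-1` never fails the job. The order `rpm --import`, then `rpm --checksig`, then install is right; `rpm -Uvh --force` though hides file conflicts that a real upgrade from 3.0.8 would hit on a user's host, so consider dropping `--force`, or at least log `rpm -q tyk-gateway` before and after so the step proves the version actually changed.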
10 changes: 5 additions & 5 deletions ci/Dockerfile.std
Expand Up @@ -13,17 +13,17 @@ RUN apt-get update \
RUN dpkg --purge --force-remove-essential curl ncurses-base || true
RUN rm -fv /usr/bin/passwd /usr/sbin/adduser || true

# Comment this to test in dev
COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && find / -maxdepth 1 -name "*.deb" -delete

# Clean up caches, unwanted .a and .o files
RUN rm -rf /root/.cache \
&& apt-get -y autoremove \
&& apt-get clean \
&& rm -rf /usr/include/* /var/cache/apt/archives /var/lib/{apt,dpkg,cache,log} \
&& rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
&& find /usr/lib -type f -name '*.a' -o -name '*.o' -delete

# Comment this to test in dev
COPY ${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}*${TARGETARCH}.deb && rm /*.deb

ARG PORTS

EXPOSE $PORTS
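Review bot: moving `COPY`/`dpkg -i` after the cleanup and replacing `/var/lib/{apt,dpkg,cache,log}` with explicit paths fixes two real problems: `RUN` executes under `/bin/sh`, which does no brace expansion, so the old line targeted a literal `/var/lib/{apt,dpkg,cache,log}` path, and had it ever worked it would have deleted `/var/lib/dpkg`, the package database that `sbom: true` in the release workflow and any image scanner rely on to enumerate installed packages. The new list deliberately keeps `/var/lib/dpkg`; add a comment saying so, so a later cleanup pass does not reintroduce the deletion. One nit: the `COPY` glob changed from `dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb` to `${BUILD_PACKAGE_NAME}_*${TARGETARCH}.deb`, which now depends on `context: "dist"` in the workflow; worth noting in the `# Comment this to test in dev` line so a local build from the repo root does not fail with a confusing error.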
2 changes: 1 addition & 1 deletion ci/goreleaser/goreleaser.yml
Expand Up @@ -63,7 +63,7 @@ builds:
env:
- NOP=nop # ignore this, it is jsut to avoid a complex conditional in the templates
- CC=gcc
- $env
- GOEXPERIMENT=boringcrypto
ldflags:
- -X github.com/TykTechnologies/tyk/internal/build.Version={{.Version}}
- -X github.com/TykTechnologies/tyk/internal/build.Commit={{.FullCommit}}
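Review bot: hard-coding `GOEXPERIMENT=boringcrypto` where the template previously injected `$env` makes this build entry always BoringCrypto, and since the workflow matrix points every variant (`ee`, `std`, `fips`) at the same `ci/goreleaser/goreleaser.yml`, please confirm this `builds:` entry is only the fips one and that the standard packages are not quietly rebuilt with BoringCrypto as well. BoringCrypto requires `CGO_ENABLED=1` (the workflow sets `cgo: 1`) and is only supported on linux/amd64 and linux/arm64. With a Go 1.24 toolchain the native FIPS 140-3 mode (`GOFIPS140=latest` at build time, or `GODEBUG=fips140=on` at run time) is an alternative that does not need cgo; a line in the PR description on why BoringCrypto was chosen would help future maintainers.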
2 changes: 1 addition & 1 deletion ci/images/plugin-compiler/Dockerfile
@@ -1,4 +1,4 @@
ARG BASE_IMAGE=tykio/golang-cross:1.24-bullseye
ARG BASE_IMAGE=golang:1.24-bookworm
FROM ${BASE_IMAGE}

LABEL description="Image for plugin development"
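Review bot: Go plugins must be built with exactly the same toolchain, flags and dependency versions as the gateway binary, so the plugin-compiler base image should track whatever `golang_cross` image builds the release (this PR moves the release matrix to `1.24-bookworm`, and a later commit in the list, `14680be`, moves this Dockerfile back to `tykio/golang-cross`); document the pairing in a comment here so the two do not drift. Whichever image is chosen, pin `BASE_IMAGE` by digest (`golang:1.24-bookworm@sha256:<digest>`) so the compiler image is reproducible and cannot be changed silently by an upstream tag move.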
8 changes: 4 additions & 4 deletions ci/install/post_install.sh
Expand Up @@ -18,9 +18,9 @@ fi
cleanup() {
# After installing, remove files that were not needed on this platform / system
if [ "${use_systemctl}" = "True" ]; then
rm -f /lib/systemd/system/tyk-gateway.service
else
rm -f /etc/init.d/tyk-gateway
else
rm -f /lib/systemd/system/tyk-gateway.service
fi
}

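Review bot: the swap is the right fix: before this change the systemd branch deleted `tyk-gateway.service` and the SysV branch deleted `/etc/init.d/tyk-gateway`, i.e. each branch removed the file its own platform needed; now each removes the other platform's file. An install on one systemd host and one SysV host would be a cheap regression check for this script, since nothing in the upgrade tests above starts the service through the init system.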
Expand All @@ -39,8 +39,8 @@ restoreServices() {
setupOwnership() {
printf "\033[32m Post Install of the install directory ownership and permissions\033[0m\n"
[ "${change_ownership}" = "True" ] && chown -R tyk:tyk /opt/tyk-gateway
# Config file should never be world-readable
chmod 660 /opt/tyk-gateway/tyk.conf
# Config file should never be world-readable (only if it exists)
[ -f /opt/tyk-gateway/tyk.conf ] && chmod 660 /opt/tyk-gateway/tyk.conf
}

cleanInstall() {
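Review bot: `[ -f /opt/tyk-gateway/tyk.conf ] && chmod 660 ...` as the last command of `setupOwnership` makes the function's exit status non-zero when the file is absent, which under `set -e` (or in a package manager that checks the script's status) aborts post-install in exactly the case the guard was meant to tolerate; write it as `if [ -f /opt/tyk-gateway/tyk.conf ]; then chmod 660 /opt/tyk-gateway/tyk.conf; fi`, or append `|| true`. The `chown -R` line above has the same pattern. Keeping `660` with `tyk:tyk` ownership is right, given the comment that the config must never be world-readable.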