feat: Add CI checks to ensure system-agent dependencies match

.github/workflows/PR.yaml

@@ -7,6 +7,33 @@ permissions:
   contents: read
 
 jobs:
+  validate:
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: [ windows-2022 ]
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      # This step is required otherwise the 'mage'
+      # command cannot be used in subsequent steps
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: 'stable'
+          cache: 'false'
+
+      - name: Install Dependencies
+        run: |
+          go install github.com/magefile/mage@v1.15.0
+          go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.4.0
+
+      - name: Compare System Agent Replace Statements
+        run : |
+          set PSModulePath=&&powershell -command "mage EnsureSystemAgentDependencies"
+
   test:
     strategy:
       fail-fast: false

go.mod

@@ -52,6 +52,7 @@ replace (
 require (
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/Microsoft/hcsshim v0.13.0
+	github.com/blang/semver v3.5.1+incompatible
 	github.com/buger/jsonparser v1.1.1
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344
@@ -71,6 +72,7 @@ require (
 	google.golang.org/grpc v1.76.0
 	inet.af/tcpproxy v0.0.0-20240214030015-3ce58045626c // replaced to github.com/inetaf/tcpproxy
 	k8s.io/api v0.34.1
+	sigs.k8s.io/cli-utils v0.37.2
 )
 
 require (

go.sum

@@ -15,6 +15,8 @@ github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9
 github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
+github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
@@ -470,6 +472,8 @@ k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
+sigs.k8s.io/cli-utils v0.37.2 h1:GOfKw5RV2HDQZDJlru5KkfLO1tbxqMoyn1IYUxqBpNg=
+sigs.k8s.io/cli-utils v0.37.2/go.mod h1:V+IZZr4UoGj7gMJXklWBg6t5xbdThFBcpj4MrZuCYco=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=

magefiles/magefile.go

@@ -6,15 +6,18 @@ import (
 	"crypto/sha256"
 	"crypto/sha512"
 	"fmt"
+	"github.com/blang/semver"
 	"io"
 	"log"
+	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/magefile/mage/mg"
 	"github.com/magefile/mage/sh"
 	"github.com/rancher/wins/magetools"
+	"sigs.k8s.io/cli-utils/pkg/multierror"
 )
 
 var Default = BuildAll
@@ -235,6 +238,63 @@ func CI() {
 	mg.Deps(TestAll)
 }
 
+func EnsureSystemAgentDependencies() error {
+	mod, err := os.ReadFile("./go.mod")
+	if err != nil {
+		return fmt.Errorf("failed to read local go.mod file: %v", err)
+	}
+
+	winsModFileMap := magetools.ParseModFile(string(mod))
+	systemAgentVersion := ""
+	for name, ver := range winsModFileMap {
+		if name == "github.com/rancher/system-agent" {
+			systemAgentVersion = ver
+			break
+		}
+	}
+
+	url := fmt.Sprintf("https://raw.githubusercontent.com/rancher/system-agent/refs/tags/%s/go.mod", systemAgentVersion)
+	resp, err := http.DefaultClient.Get(url)
+	if err != nil {
+		return fmt.Errorf("failed to download system-agent go.mod file: %v", err)
+	}
+
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("failed to read system-agent go.mod file: %v", err)
+	}
+
+	systemAgentModFileMap := magetools.ParseModFile(string(b))
+	errs := multierror.New()
+	for k, v := range winsModFileMap {
+		if sv, ok := systemAgentModFileMap[k]; ok {
+			// Allow wins to use more recent versions of dependencies, even if system-agent hasn't
+			// upgraded to them yet. This allows us to potentially address windows specific issues in our
+			// dependencies without having to wait on new system-agent versions.
+			systemAgentSemver := semver.MustParse(strings.TrimPrefix(sv, "v"))
+			winsAgentSemver := semver.MustParse(strings.TrimPrefix(v, "v"))
+			if sv != v {
+				if winsAgentSemver.LT(systemAgentSemver) {
+					errs.Causes = append(errs.Causes, fmt.Errorf("[FAIL] system-agent defines dependency '%s' at version '%s', given mod files uses version '%s'", k, sv, v))
+					continue
+				}
+				fmt.Println(fmt.Errorf("[WARN] system-agent defines dependency '%s' at version '%s', given mod file uses newer version '%s'", k, sv, v))
+			} else {
+				fmt.Println(fmt.Errorf("[OK] system-agent defines dependency '%s' at version '%s', given mod file matches version '%s'", k, sv, v))
+			}
+		}
+	}
+
+	if len(errs.Causes) == 0 {
+		return nil
+	}
+
+	errs.Causes = append(errs.Causes, fmt.Errorf("One or more dependencies used in system-agent version %s differ from the given go.mod file. Ensure that dependency versions used in rancher-wins match what is used in the system-agent to prevent CVE's and other unexpected behavior.", systemAgentVersion))
+
+	return errs
+}
+
 func flags(version string, commit string) string {
 	return fmt.Sprintf(`-s -w -X github.com/rancher/wins/pkg/defaults.AppVersion=%s -X github.com/rancher/wins/pkg/defaults.AppCommit=%s -extldflags "-static"`, version, commit)
 }

magetools/helpers.go

@@ -32,3 +32,48 @@ func GetCommit() (string, error) {
 	}
 	return strings.TrimSpace(result), nil
 }
+
+func ParseModFile(file string) map[string]string {
+	split := strings.Split(file, "\n")
+	modFileMap := make(map[string]string)
+	invalidKeyWords := []string{
+		"go", "replace", "module", ")", "(", "//", "require",
+	}
+
+	for _, entry := range split {
+		entry = strings.TrimSpace(strings.Trim(entry, "\t\n"))
+		shouldSkip := false
+		for _, e := range invalidKeyWords {
+			if strings.HasPrefix(entry, e) {
+				shouldSkip = true
+				break
+			}
+		}
+
+		if shouldSkip {
+			continue
+		}
+
+		if strings.HasSuffix(entry, "indirect") {
+			continue
+		}
+
+		var name, ver string
+		split := strings.Split(entry, " ")
+		if len(split) == 4 {
+			// replace statement
+			name = split[0]
+			ver = split[3]
+		} else if len(split) == 2 {
+			// standard dep
+			name = split[0]
+			ver = split[1]
+		} else {
+			continue
+		}
+
+		modFileMap[name] = ver
+	}
+
+	return modFileMap
+}