If an archive filename contains `/` characters, they can sneak into
Winget's `RelativeFilePath`.
In this PR, I make sure that `RelativeFilePath` only uses `\` directory
separators.
Bumps golang from `e959001` to `7839c9f`.
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.20.6-alpine&new-version=1.20.6-alpine)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This commit adds a `make_latest` boolean to the release configuration,
to allow signaling to GitHub if the release should be marked as latest.
Albeit being a boolean, the internal Go type is a string to allow
to distinguish an empty string (default behavior: `true`) from an
explicit `false`.
For more information around the GitHub API field, see
https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#create-a-release
I did not include the `legacy` option, to not adopt something which
appears to be scheduled for removal in the future.
In addition, I opted for `make_latest` over `latest` because the
option is only available for GitHub. Which keeps the latter key
reserved for e.g. future use of a config option which is used across
Git providers.
Fixes#4159
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
This commit adds a `make_latest` boolean to the release configuration,
to allow signaling to GitHub if the release should be marked as latest.
Albeit being a boolean, the internal Go type is a string to allow
to distinguish an empty string (default behavior: `true`) from an
explicit `false`.
For more information around the GitHub API field, see
https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#create-a-release
I did not include the `legacy` option, to not adopt something which
appears to be scheduled for removal in the future.
In addition, I opted for `make_latest` over `latest` because the
option is only available for GitHub. Which keeps the latter key
reserved for e.g. future use of a config option which is used across
Git providers.
Fixes#4159
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Bumps golang from 1.20.5-alpine to 1.20.6-alpine.
[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.20.5-alpine&new-version=1.20.6-alpine)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod-deps group with 3 updates:
[golang.org/x/crypto](https://github.com/golang/crypto),
[golang.org/x/oauth2](https://github.com/golang/oauth2) and
[golang.org/x/tools](https://github.com/golang/tools).
Updates `golang.org/x/crypto` from 0.10.0 to 0.11.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e98487292d"><code>e984872</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="183630ada7"><code>183630a</code></a>
x509roots: generate a stable sort, for real this time</li>
<li><a
href="a9e447dde7"><code>a9e447d</code></a>
x509roots/fallback: add //go:build go1.20 to bundle.go</li>
<li><a
href="64c3993f5c"><code>64c3993</code></a>
ssh: add hmac-sha2-512</li>
<li><a
href="5fe8145aca"><code>5fe8145</code></a>
x509roots: remove list hash and generation date, change ordering</li>
<li><a
href="043e94c17a"><code>043e94c</code></a>
x509roots: fix generate script argument checking</li>
<li><a
href="0d502d7cd6"><code>0d502d7</code></a>
x509roots: use "generate" build tag</li>
<li><a
href="0ff60057bb"><code>0ff6005</code></a>
ssh/test: set a timeout and WaitDelay on sshd subcommands</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.10.0...v0.11.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/oauth2` from 0.9.0 to 0.10.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ec5679f607"><code>ec5679f</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="989acb1bfe"><code>989acb1</code></a>
all: update dependencies to their latest versions</li>
<li>See full diff in <a
href="https://github.com/golang/oauth2/compare/v0.9.0...v0.10.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `golang.org/x/tools` from 0.10.0 to 0.11.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/golang/tools/releases">golang.org/x/tools's
releases</a>.</em></p>
<blockquote>
<h2>gopls/v0.11.0</h2>
<p>This is a small release containing new integrations of vulnerability
analysis.</p>
<p>Vulnerability analysis for go.mod files can be enabled by configuring
the <a
href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#vulncheck-enum"><code>"vulncheck"</code></a>
setting to <code>"Imports"</code>. For more information on
vulnerability management, see the <a
href="https://go.dev/blog/vuln">Vulnerability Management for Go</a> blog
post.</p>
<h2>Support changes</h2>
<p>This release removes support for the
<code>"experimentalUseInvalidMetadata"</code> setting, as
described in the <a
href="https://github.com/golang/tools/releases/tag/gopls%2Fv0.10.0">v0.10.0</a>
release. Other settings slated for deprecation in that release remain
temporarily supported, but will be removed in v0.12.0.</p>
<h2>New Features</h2>
<h3>Analyzing dependencies for vulnerabilities</h3>
<p>This release offers two different options for detecting
vulnerabilities in dependencies. Both are backed by the Go vulnerability
database (<a href="https://vuln.go.dev">https://vuln.go.dev</a>) and
complement each other.</p>
<ul>
<li>Imports-based scanning, enabled by the <a
href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#vulncheck-enum"><code>"vulncheck":
"Imports"</code></a> setting, reports vulnerabilities by
scanning the set of packages imported in the workspace. This is fast,
but may report more false positives.</li>
<li>Integration of the <a
href="https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck">golang.org/x/vuln/cmd/govulncheck</a>
command-line tool performs a more precise analysis based on-call graph
reachability, with fewer false positives. Because it is slower to
compute, it must be manually triggered by using "Run govulncheck to
verify" code actions or the <a
href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#run-govulncheck"><code>"codelenses.run_govulncheck"</code></a>
code lens on <code>go.mod</code> files.</li>
</ul>
<p><a
href="https://user-images.githubusercontent.com/4999471/206977512-a821107d-9ffb-4456-9b27-6a6a4f900ba6.mp4">https://user-images.githubusercontent.com/4999471/206977512-a821107d-9ffb-4456-9b27-6a6a4f900ba6.mp4</a></p>
<!-- raw HTML omitted -->
<h3>Additional checks for the <code>loopclosure</code> analyzer</h3>
<p>The <a
href="https://github.com/golang/tools/blob/master/gopls/doc/analyzers.md#loopclosure"><code>loopclosure</code></a>
analyzer, which reports problematic references from a nested function to
a variable of an enclosing loop, has been improved to catch more cases.
In particular, it now reports when subtests <a
href="https://pkg.go.dev/testing#T.Parallel">run in parallel</a> with
the loop, a mistake that often results in all but the final test case
being skipped.</p>
<p><img
src="https://user-images.githubusercontent.com/57144380/206764370-7fc3c464-af04-4e4e-bb10-a6a0a89a99e3.png"
alt="image" /></p>
<h2>Configuration changes</h2>
<ul>
<li>The <a
href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#vulncheck-enum"><code>"vulncheck"</code></a>
setting controls vulnerability analysis based on the Go vulnerability
database. If set to <code>"Imports"</code>, gopls will compute
diagnostics related to vulnerabilities in dependencies, and will present
them in go.mod files.</li>
<li>The <a
href="https://github.com/golang/tools/blob/master/gopls/doc/settings.md#run-govulncheck"><code>"codelenses.run_govulncheck"</code></a>
setting controls the presence of code lenses that run the <a
href="https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck">govulncheck</a>
command, which takes longer but produces more accurate vulnerability
reporting based on call-graph reachability.</li>
</ul>
<h2>Bug fixes</h2>
<p>This version of gopls includes fixes to several bugs, notably:</p>
<ul>
<li><code>golang/go#57053</code></li>
<li><code>golang/go#55837</code><a
href="https://redirect.github.com/golang/go/issues/56450">golang/go#56450</a>).</li>
<li><code>golang/go#54816</code></li>
</ul>
<p>A full list of all issues fixed can be found in the <a
href="https://github.com/golang/go/milestone/293?closed=1">gopls/v0.11.0</a>
milestone.
To report a new problem, please file a new issue at <a
href="https://go.dev/issues/new">https://go.dev/issues/new</a>.</p>
<h2>Thank you to our contributors</h2>
<p><a href="https://github.com/Arsen6331"><code>@Arsen6331</code></a>,
<a href="https://github.com/SN9NV"><code>@SN9NV</code></a>, <a
href="https://github.com/adonovan"><code>@adonovan</code></a>, <a
href="https://github.com/bcmills"><code>@bcmills</code></a>, <a
href="https://github.com/dle8"><code>@dle8</code></a>, <a
href="https://github.com/findleyr"><code>@findleyr</code></a>, <a
href="https://github.com/hyangah"><code>@hyangah</code></a>, <a
href="https://github.com/pjweinbgo"><code>@pjweinbgo</code></a>, <a
href="https://github.com/suzmue"><code>@suzmue</code></a></p>
<h2>gopls/v0.10.1</h2>
<p>This release contains a fix for <a
href="https://redirect.github.com/golang/go/issues/56505">golang/go#56505</a>:
a new crash during method completion on variables of type
<code>*error</code>.</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="675bf3c243"><code>675bf3c</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="ad52c1ca35"><code>ad52c1c</code></a>
go/ssa/interp: support conversions to slices of named bytes</li>
<li><a
href="14ec3c023f"><code>14ec3c0</code></a>
gopls/doc/contributing.md: document error handling strategies</li>
<li><a
href="c495364167"><code>c495364</code></a>
go/packages/gopackages: document -mode flag</li>
<li><a
href="87ad891fe3"><code>87ad891</code></a>
gopls/internal/lsp/source/typerefs: move test into _test.go</li>
<li><a
href="27fd94e099"><code>27fd94e</code></a>
internal/fastwalk: doc formatting fixes (including godoc links)</li>
<li><a
href="d362be0cdb"><code>d362be0</code></a>
gopls/internal/lsp/filecache: reduce GC frequency</li>
<li><a
href="969078be46"><code>969078b</code></a>
Revert "go/analysis: add Sizes that matches gc size
computations"</li>
<li><a
href="5aa6acb96f"><code>5aa6acb</code></a>
go/analysis: add Sizes that matches gc size computations</li>
<li><a
href="5a89a3bf26"><code>5a89a3b</code></a>
go/vcs: delete</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/tools/compare/v0.10.0...v0.11.0">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
<!--
Hi, thanks for contributing!
Please make sure you read our CONTRIBUTING guide.
Also, add tests and the respective documentation changes as well.
-->
<!-- If applied, this commit will... -->
As discussed in #4176, this PR adds syft to the Docker image.
<!-- Why is this change being made? -->
As mentioned in #4176, it simplifies CI when SBOM generation is needed.
<!-- # Provide links to any relevant tickets, URLs or other resources
-->
I tried to test by running `task goreleaser` in my dev environment. The
amd64 image has been built properly and syft is available:
```
docker run --rm -it --entrypoint="" goreleaser/goreleaser:v1.19.2-amd64 sh
/go # syft --version
syft 0.84.1
```
However I couldn't test other platforms since I got unrelated errors
when it tried to build the arm64 image.
<!--
Hi, thanks for contributing!
Please make sure you read our CONTRIBUTING guide.
Also, add tests and the respective documentation changes as well.
-->
<!-- If applied, this commit will... -->
This PR fixes the links to Go and Task installation pages.
<!-- Why is this change being made? -->
Official go site is now https://go.dev where the old link was
automatically redicting.
Task's website has been changed and the installation procedure is now on
its own page.
<!-- # Provide links to any relevant tickets, URLs or other resources
-->
<!--
Hi, thanks for contributing!
Please make sure you read our CONTRIBUTING guide.
Also, add tests and the respective documentation changes as well.
-->
<!-- If applied, this commit will... -->
Delete the temporary directory used for building Docker images.
<!-- Why is this change being made? -->
Leaving the temporary directory leads to wasted disk space.
<!-- # Provide links to any relevant tickets, URLs or other resources
-->
This adds missing fields:
- LicenseURL
- CopyrightURL
- Tags
As well as make several more fields templateable.
cc/ @twpayne
Co-authored-by: Tom Payne <tom.payne@flarm.com>