diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 0f183395aff5dc..3227af2ca3021c 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -193,7 +193,7 @@ RUN curl -sSL "https://awscli.amazonaws.com/awscli-exe-linux-$(arch).zip" -o aws
 ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update && \
 rm -rf awscliv2.zip ./aws
 
-ENV GO_VERSION=1.24.9
+ENV GO_VERSION=1.24.13
 ENV GOPATH=/root/go-packages
 ENV GOROOT=/root/go
 ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH
diff --git a/.github/workflows/branch-build.yml b/.github/workflows/branch-build.yml
index da5f52e66a3aa9..ec8644d4af8522 100644
--- a/.github/workflows/branch-build.yml
+++ b/.github/workflows/branch-build.yml
@@ -107,7 +107,7 @@ jobs:
 cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
 runs-on: ubuntu-latest-16-cores
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
@@ -135,7 +135,7 @@ jobs:
 (needs.configuration.outputs.is_scheduled_run != 'true')
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 concurrency:
 group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
@@ -182,7 +182,7 @@ jobs:
 ports:
 - 6379:6379
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 env:
 DB_HOST: "mysql"
@@ -405,7 +405,7 @@ jobs:
 if: needs.configuration.outputs.is_scheduled_run != 'true'
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 concurrency:
 group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
@@ -458,7 +458,7 @@ jobs:
 environment: branch-build
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 if: needs.configuration.outputs.with_monitoring == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
 concurrency:
@@ -487,7 +487,7 @@ jobs:
 environment: branch-build
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 if: needs.configuration.outputs.with_integration_tests != '' && needs.configuration.outputs.is_scheduled_run != 'true'
 concurrency:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b4b2b215297a02..28cd78d955a9dd 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -110,7 +110,7 @@ jobs:
 cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
 runs-on: ubuntu-latest-16-cores
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
@@ -138,7 +138,7 @@ jobs:
 (needs.configuration.outputs.is_scheduled_run != 'true')
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 concurrency:
 group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
@@ -185,7 +185,7 @@ jobs:
 ports:
 - 6379:6379
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 env:
 DB_HOST: "mysql"
@@ -443,7 +443,7 @@ jobs:
 if: needs.configuration.outputs.is_scheduled_run != 'true'
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 concurrency:
 group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
@@ -496,7 +496,7 @@ jobs:
 environment: main-build
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 if: needs.configuration.outputs.with_monitoring == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
 concurrency:
@@ -525,7 +525,7 @@ jobs:
 environment: main-build
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 if: needs.configuration.outputs.with_integration_tests != '' && needs.configuration.outputs.is_scheduled_run != 'true'
 concurrency:
diff --git a/.github/workflows/code-nightly.yml b/.github/workflows/code-nightly.yml
index 80a45723f62899..ef3a98007ffcc8 100644
--- a/.github/workflows/code-nightly.yml
+++ b/.github/workflows/code-nightly.yml
@@ -11,7 +11,7 @@ jobs:
 build:
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
diff --git a/.github/workflows/ide-integration-tests.yml b/.github/workflows/ide-integration-tests.yml
index 83a63589bf3f77..f4f985b3f431ba 100644
--- a/.github/workflows/ide-integration-tests.yml
+++ b/.github/workflows/ide-integration-tests.yml
@@ -36,7 +36,7 @@ jobs:
 name: Configuration
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 outputs:
 name: ${{ steps.configuration.outputs.name }}
@@ -93,7 +93,7 @@ jobs:
 needs: [configuration]
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 concurrency:
 group: ${{ needs.configuration.outputs.name }}-infrastructure
@@ -126,7 +126,7 @@ jobs:
 needs: [configuration, infrastructure]
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 volumes:
 - /var/tmp:/var/tmp
@@ -216,7 +216,7 @@ jobs:
 if: github.event.inputs.skip_delete != 'true' && always()
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
diff --git a/.github/workflows/jetbrains-auto-update-template.yml b/.github/workflows/jetbrains-auto-update-template.yml
index d096dcc821c155..be608ad08a3e94 100644
--- a/.github/workflows/jetbrains-auto-update-template.yml
+++ b/.github/workflows/jetbrains-auto-update-template.yml
@@ -15,7 +15,7 @@ jobs:
 update-jetbrains:
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 steps:
 - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2
diff --git a/.github/workflows/jetbrains-integration-test.yml b/.github/workflows/jetbrains-integration-test.yml
index 496d14fb95f8ec..e066d936375c9f 100644
--- a/.github/workflows/jetbrains-integration-test.yml
+++ b/.github/workflows/jetbrains-integration-test.yml
@@ -34,7 +34,7 @@ on:
 jobs:
 jetbrains-smoke-test-linux:
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/preview-env-check-regressions.yml b/.github/workflows/preview-env-check-regressions.yml
index 4a79d4ce76fd8a..a77dd7f407c82a 100644
--- a/.github/workflows/preview-env-check-regressions.yml
+++ b/.github/workflows/preview-env-check-regressions.yml
@@ -60,7 +60,7 @@ jobs:
 needs: [configuration]
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 concurrency:
 group: ${{ needs.configuration.outputs.name }}-infrastructure
@@ -93,7 +93,7 @@ jobs:
 if: ${{ needs.configuration.outputs.skip == 'false' }}
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 volumes:
 - /var/tmp:/var/tmp
@@ -171,7 +171,7 @@ jobs:
 if: always()
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
diff --git a/.github/workflows/preview-env-delete.yml b/.github/workflows/preview-env-delete.yml
index af89e60614da2d..cdcb695ccdb6a5 100644
--- a/.github/workflows/preview-env-delete.yml
+++ b/.github/workflows/preview-env-delete.yml
@@ -15,7 +15,7 @@ jobs:
 if: github.event.ref_type == 'branch' || github.event.inputs.name != ''
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
diff --git a/.github/workflows/preview-env-gc.yml b/.github/workflows/preview-env-gc.yml
index dc7107bffafce0..4269c516954556 100644
--- a/.github/workflows/preview-env-gc.yml
+++ b/.github/workflows/preview-env-gc.yml
@@ -11,7 +11,7 @@ jobs:
 name: "Find stale preview environments"
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 outputs:
 names: ${{ steps.set-matrix.outputs.names }}
@@ -43,7 +43,7 @@ jobs:
 needs: [stale]
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 if: ${{ needs.stale.outputs.count > 0 }}
 strategy:
diff --git a/.github/workflows/workspace-integration-tests.yml b/.github/workflows/workspace-integration-tests.yml
index 581c2750a48234..81e6c2cc894d68 100644
--- a/.github/workflows/workspace-integration-tests.yml
+++ b/.github/workflows/workspace-integration-tests.yml
@@ -52,7 +52,7 @@ jobs:
 name: Configuration
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 outputs:
 name: ${{ steps.configuration.outputs.name }}
@@ -126,7 +126,7 @@ jobs:
 needs: [configuration]
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 concurrency:
 group: ${{ needs.configuration.outputs.name }}-infrastructure
@@ -159,7 +159,7 @@ jobs:
 needs: [configuration, infrastructure]
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
@@ -183,7 +183,7 @@ jobs:
 if: inputs.skip_delete != 'true' && always()
 runs-on: ubuntu-latest
 container:
- image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+ image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 options: --user root
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
diff --git a/.gitpod.yml b/.gitpod.yml
index 0e6408f3a84ec7..bacd55591fcfbe 100644
--- a/.gitpod.yml
+++ b/.gitpod.yml
@@ -1,4 +1,4 @@
-image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
+image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
 workspaceLocation: gitpod/gitpod-ws.code-workspace
 checkoutLocation: gitpod
 ports:
diff --git a/components/ide-proxy/Dockerfile b/components/ide-proxy/Dockerfile
index 3ade1df2774ec4..da7f644201c56b 100644
--- a/components/ide-proxy/Dockerfile
+++ b/components/ide-proxy/Dockerfile
@@ -22,6 +22,9 @@ RUN xcaddy build v2.11.1 --output /caddy
 
 FROM caddy/caddy:2.11-alpine
 
+# Ensure latest packages are present, like security updates.
+RUN apk upgrade --no-cache
+
 COPY --from=caddy-builder /caddy /usr/bin/caddy
 COPY conf/Caddyfile /etc/caddy/Caddyfile
 COPY static /www/
diff --git a/components/local-app/go.mod b/components/local-app/go.mod
index 3c5f09d2326d39..6e9d54baad1be8 100644
--- a/components/local-app/go.mod
+++ b/components/local-app/go.mod
@@ -2,7 +2,7 @@ module github.com/gitpod-io/local-app
 
 go 1.24
 
-toolchain go1.24.3
+toolchain go1.24.13
 
 godebug tlsmlkem=0
 
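Review bot: `RUN apk upgrade --no-cache` in the final stage of components/ide-proxy/Dockerfile ties the image's package set to the moment the build runs rather than to the Dockerfile, so the same commit yields different images on different days and the layer is never cache-stable; hadolint raises DL3005 for the apt form of this step. The base `caddy/caddy:2.11-alpine` is itself a floating tag, so the reproducible way to pick up Alpine fixes is to bump that tag, or better pin it by digest and bump the digest when a rebuild is wanted. If the upgrade is kept as a stopgap, the comment should say so rather than restate the command, e.g. `# Stopgap: pick up Alpine security fixes published after the 2.11-alpine tag was last rebuilt; drop once the base is pinned by digest`. Whether this final stage drops root is not visible here; the `COPY` lines end the hunk and any `USER` would be outside it.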
diff --git a/dev/image/Dockerfile b/dev/image/Dockerfile index 7ad6e0eba44dab..538451684b3b4c 100644 --- a/dev/image/Dockerfile +++ b/dev/image/Dockerfile @@ -4,10 +4,21 @@ FROM gitpod/workspace-gitpod-dev:latest -ENV TRIGGER_REBUILD 43 +ENV TRIGGER_REBUILD 45 USER root +### Go ### +# Pin Go version explicitly to ensure all CI-built binaries use a +# non-vulnerable toolchain (CVE-2025-68121 requires >= 1.24.13). +ENV GO_VERSION=1.24.13 +RUN rm -rf /usr/local/go /home/gitpod/go /home/gitpod/.cache/go-build \ + && curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar -C /usr/local -xz \ + && ln -sf /usr/local/go/bin/go /usr/bin/go \ + && ln -sf /usr/local/go/bin/gofmt /usr/bin/gofmt +ENV GOROOT=/usr/local/go +ENV PATH=/usr/local/go/bin:$PATH + ### cloud_sql_proxy ### ARG CLOUD_SQL_PROXY=/usr/local/bin/cloud_sql_proxy RUN curl -fsSL https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 > $CLOUD_SQL_PROXY \ @@ -255,7 +266,7 @@ RUN brew install tmux tmuxinator \ && brew install redis \ # Install zed & spicedb CLI && brew install authzed/tap/zed \ - && brew install authzed/tap/spicedb \ + && (brew install authzed/tap/spicedb || brew install authzed/tap/spicedb) \ && brew cleanup # Copy our own tools @@ -273,7 +284,10 @@ ENV PREVIEW_ENV_DEV_SA_KEY_PATH=/home/gitpod/.config/gcloud/preview-environment- # So we can parse the report.html output by leeway, and remove the output produced by this image build # why? it's too verbose, exceeding the Github Actions summary limit -RUN go install github.com/ericchiang/pup@v0.4.0 +RUN curl -fsSL https://github.com/ericchiang/pup/releases/download/v0.4.0/pup_v0.4.0_linux_amd64.zip -o /tmp/pup.zip \ + && sudo unzip -o /tmp/pup.zip -d /usr/local/bin \ + && sudo chmod +x /usr/local/bin/pup \ + && rm /tmp/pup.zip # Install oci-tool RUN curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.0/oci-tool_0.2.0_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin \
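Review bot: The Go tarball is piped from dl.google.com straight into `tar -C /usr/local -xz` with no integrity check, so the toolchain every CI binary is built with is whatever that download returned; the pup hunk further down has the same gap, unzipping a GitHub release artifact into /usr/local/bin unverified, and there it replaces a `go install` whose module fetch was checked against go.sum and the checksum database, so that hunk removes a verification step rather than adding one. For a commit whose point is pinning a toolchain for CVE-2025-68121, checking the archive against a SHA-256 carried in the Dockerfile is what makes the pin hold; Go publishes a `.sha256` file beside each archive, which can seed the value but is weaker if fetched from the same origin at build time. Saving the download to a file before extracting also stops the default `/bin/sh -c` pipeline from hiding a curl failure behind tar's exit status. The same `ENV GO_VERSION=1.24.13` now appears in .devcontainer/Dockerfile; a comment naming the other copy keeps the two pins from drifting apart.
```dockerfile
ENV GO_VERSION=1.24.13
# SHA-256 of go${GO_VERSION}.linux-amd64.tar.gz from https://go.dev/dl/ (keep in step with .devcontainer/Dockerfile)
ARG GO_SHA256=<sha256-of-go1.24.13.linux-amd64.tar.gz>
RUN rm -rf /usr/local/go /home/gitpod/go /home/gitpod/.cache/go-build \
    && curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" -o /tmp/go.tgz \
    && echo "${GO_SHA256}  /tmp/go.tgz" | sha256sum -c - \
    && tar -C /usr/local -xzf /tmp/go.tgz \
    && rm -f /tmp/go.tgz \
    && ln -sf /usr/local/go/bin/go /usr/bin/go \
    && ln -sf /usr/local/go/bin/gofmt /usr/bin/gofmt
# … unchanged: ENV GOROOT / ENV PATH …
```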
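Review bot: `(brew install authzed/tap/spicedb || brew install authzed/tap/spicedb)` retries the install once without saying why, so a reader cannot tell whether the first attempt is known to fail for a specific reason or the tap is simply flaky, and a second failure looks no different from the first. A one-line comment above it would record the intent, e.g. `# spicedb install from the authzed tap is flaky on the first attempt; retry once before failing the build` (worth confirming that this is the actual cause). The enclosing `RUN brew install tmux tmuxinator \` statement starts above the hunk.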