fix: Update to fix some CVEs

[zacharyblasczyk]

ref INFRA-520

Summary by CodeRabbit

Summary by CodeRabbit

• Documentation
  • Added a new section to guide users on installing Kubebuilder.
• Chores
  • Enhanced continuous integration with additional dependency validation steps.
  • Upgraded the build environment to Go version 1.24 and updated several dependencies for improved performance and reliability.
  • Updated version control settings to exclude the /tilt_bin directory for a cleaner project repository.

[coderabbitai]

Walkthrough

This pull request introduces several updates across the repository. A new dependency-check job has been added to the GitHub Actions workflow to enforce dependency consistency using go mod tidy and a git diff check. The Dockerfile and go.mod files have been updated to use Go 1.24 along with several dependency version bumps. Additionally, minor modifications include an extra ignore entry in the .gitignore file, formatting adjustments in the Tiltfile, and documentation updates in the README.md, including a new “Install Kubebuilder” section.

Changes

Files	Change Summary
.github/workflows/run-tests.yaml, .github/workflows/release.yaml	Added new job dependency-check in run-tests.yaml to enforce dependency consistency. Updated Go version from stable to 1.24 in both workflows.
.gitignore	Added new entry /tilt_bin, causing Git to ignore files or directories under this path.
Dockerfile, go.mod	Updated Go version: Dockerfile now uses golang:1.24 for the manager-builder stage; go.mod updated from go 1.23.0 to go 1.24.0 with several indirect dependency versions bumped (crypto, net, sync, sys, term, text).
README.md	Removed unnecessary line breaks after “Tilt”, added a new “Install Kubebuilder” section with installation instructions via Homebrew, and adjusted punctuation for consistency.
Tiltfile	Reformatted code: Adjusted alignment and indentation in function definitions and resource declarations, improving readability without affecting functionality.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Repo as Repository
    participant Go as Go Setup
    participant Diff as Diff Checker

    GH->>Repo: Checkout Code
    GH->>Go: Set Up Go (1.24)
    GH->>Repo: Run "go get ."
    GH->>Repo: Execute "go mod tidy"
    GH->>Diff: Run "git diff --exit-code go.mod go.sum"
    Diff-->>GH: Return clean/error status

Loading

Poem

I'm a rabbit, swift and keen,
Hopping through code, ever so serene.
New checks and tweaks in a neat little dance,
Go versions and docs now get a fresh chance.
With each small change, my joy multiplies—
In this digital warren, magic truly lies!

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba8d839 and 634e7e3.

📒 Files selected for processing (2)

• .github/workflows/release.yaml (2 hunks)
• .github/workflows/run-tests.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Test

🔇 Additional comments (4)

.github/workflows/run-tests.yaml (2)

18-18: Updated Go Version in Setup Step
The go-version field is now fixed to 1.24, which is consistent with the Go version update in the repository. This change ensures that tests run in a controlled environment that reflects the targeted runtime and addresses related CVE concerns.

---

24-38: Addition of Dependency-Check Job
A new job named dependency-check has been introduced. It checks that go mod tidy does not produce any unexpected changes in go.mod or go.sum by running a git diff. This is a valuable addition for maintaining dependency hygiene and mitigating risks related to dependency vulnerabilities (CVEs).

.github/workflows/release.yaml (2)

32-32: Minor Formatting Adjustment
A minor whitespace adjustment is observed between the "Login to Docker Hub" and "Versioning" steps. This change is non-functional and does not impact the workflow execution.

---

46-47: Consistent Go Version in Release Workflow
The go-version parameter in the release workflow has been updated to 1.24, aligning it with the testing workflow. This consistency helps ensure that builds and releases are performed under the same runtime environment, which is beneficial for security and stability, especially in the context of addressing CVEs.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/run-tests.yaml (1)

24-38: Dependency Check Job Implementation
The new dependency-check job is implemented well. It sets up Go, installs dependencies, and runs go mod tidy followed by a git diff check on go.mod and go.sum. This is effective for ensuring that any changes (or uncommitted modifications) to the dependency files are caught early.
For improved reproducibility—especially since go.mod now specifies Go 1.24.0—consider explicitly setting go-version: "1.24.0" instead of using stable so that the environment remains consistent over time.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6048c7b and ba8d839.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (6)

• .github/workflows/run-tests.yaml (1 hunks)
• .gitignore (1 hunks)
• Dockerfile (1 hunks)
• README.md (4 hunks)
• Tiltfile (4 hunks)
• go.mod (2 hunks)

✅ Files skipped from review due to trivial changes (3)

• .gitignore
• README.md
• Tiltfile

🔇 Additional comments (4)

.github/workflows/run-tests.yaml (1)

21-23: Review of the Testing Step
The "Tests" step calling make test remains unchanged and is correctly positioned in the workflow.

Dockerfile (1)

4-4: Update Base Image to Go 1.24
The update from golang:1.23 to golang:1.24 in the base image correctly aligns the build environment with the updated Go version specified in go.mod. This update is important for incorporating the latest security fixes and improvements.

go.mod (2)

3-3: Go Version Update
The Go version has been updated to 1.24.0, which ensures the project leverages the latest language features and security enhancements. This change is consistent with updates in other parts of the repository.

---

136-144: Dependency Version Updates
The dependency updates for the golang.org/x/* packages (crypto, net, sync, sys, term, and text) appear to address relevant security concerns and CVEs. Please verify these updates against the respective changelogs and ensure they do not introduce any breaking changes to the codebase.

[zacharyblasczyk]

New tilt setup.

Thank you @danielpanzella

[linear]

INFRA-520 [trivy scan] controller on 02-13-2025

[dacbd]

Suggested change

	git diff --exit-code go.mod go.sum
	git diff --exit-code

[dacbd]

nit, this looks like python.

Suggested change

	data = local('cd config/manager; kustomize edit set image controller=' +
	IMG + '; cd ../..; kustomize build config/manager')
	data = local(f'cd config/manager; kustomize edit set image controller={IMG}; cd ../..; kustomize build config/manager')

[jsbroks]

This PR is included in version 1.18.2 🎉