Commit Graph

6211 Commits

Author SHA1 Message Date
Kir Kolyshkin 65aa700fc3 [1.1] runc run: fix mount leak
When preparing to mount container root, we need to make its parent mount
private (i.e. disable propagation), otherwise the new in-container
mounts are leaked to the host.

To find a parent mount, we use to read mountinfo and find the longest
entry which can be a parent of the container root directory.

Unfortunately, due to kernel bug in all Linux kernels older than v5.8
(see [1], [2]), sometimes mountinfo can't be read in its entirety. In
this case, getParentMount may occasionally return a wrong parent mount.

As a result, we do not change the mount propagation to private, and
container mounts are leaked.

Alas, we can not fix the kernel, and reading mountinfo a few times to
ensure its consistency (like it's done in, say, Kubernetes) does not
look like a good solution for performance reasons.

Fortunately, we don't need mountinfo. Let's just traverse the directory
tree, trying to remount it private until we find a mount point (any
error other than EINVAL means we just found it).

Fixes issue 2404.

[1]: https://github.com/kolyshkin/procfs-test
[2]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f6c61f96f2d97cbb5f
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 13a6f56097)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-10-03 10:54:49 -07:00
Akihiro Suda a4cebd3549 Merge pull request #4423 from rata/1-1-fix-CI
[1.1]: Increase memory.max in cgroups.bats
2024-10-04 01:55:49 +09:00
lifubang 719e2bc2c3 increase memory.max in cgroups.bats
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 65a1074c75)
2024-10-02 13:51:37 +02:00
Aleksa Sarai 3216d3b72e merge #4391 into opencontainers/runc:release-1.1
Aleksa Sarai (2):
  [1.1] seccomp: patchbpf: always include native architecture in stub
  [1.1] seccomp: patchbpf: rename nativeArch -> linuxAuditArch

Kir Kolyshkin (1):
  [1.1] libct/seccomp/patchbpf: rm duplicated code

LGTMs: kolyshkin rata
2024-09-11 02:18:18 +10:00
Kir Kolyshkin bd671b6a13 Merge pull request #4392 from cyphar/1.1-remove-bindfd
[1.1] nsenter: cloned_binary: remove bindfd logic entirely
2024-09-03 10:20:32 -07:00
Aleksa Sarai 614ce12f0e [1.1] nsenter: cloned_binary: remove bindfd logic entirely
(This is a cherry-pick of b999376fb237195265081a8b8ba3fd3bd6ef8c2c.)

While the ro-bind-mount trick did eliminate the memory overhead of
copying the runc binary for each "runc init" invocation, on machines
with very significant container churn, creating a temporary mount
namespace on every container invocation can trigger severe lock
contention on namespace_sem that makes containers fail to spawn.

The only reason we added bindfd in commit 16612d74de ("nsenter:
cloned_binary: try to ro-bind /proc/self/exe before copying") was due to
a Kubernetes e2e test failure where they had a ridiculously small memory
limit. It seems incredibly unlikely that real workloads are running
without 10MB to spare for the very short time that runc is interacting
with the container.

In addition, since the original cloned_binary implementation, cgroupv2
is now almost universally used on modern systems. Unlike cgroupv1, the
cgroupv2 memcg implementation does not migrate memory usage when
processes change cgroups (even cgroupv1 only did this if you had
memory.move_charge_at_immigrate enabled). In addition, because we do the
/proc/self/exe clone before synchronising the bootstrap data read, we
are guaranteed to do the clone before "runc init" is moved into the
container cgroup -- meaning that the memory used by the /proc/self/exe
clone is charged against the root cgroup, and thus container workloads
should not be affected at all with memfd cloning.

The long-term fix for this problem is to block the /proc/self/exe
re-opening attack entirely in-kernel, which is something I'm working
on[1]. Though it should also be noted that because the memfd is
completely separate to the host binary, even attacks like Dirty COW
against the runc binary can be defended against with the memfd approach.
Of course, once we have in-kernel protection against the /proc/self/exe
re-opening attack, we won't have that protection anymore...

[1]: https://lwn.net/Articles/934460/

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 13:23:05 +10:00
Aleksa Sarai 618e149e4a [1.1] seccomp: patchbpf: always include native architecture in stub
(This is a backport of ccc500c427da731554a181f2ea407adf99870423.)

It turns out that on ppc64le (at least), Docker doesn't include any
architectures in the list of allowed architectures. libseccomp
interprets this as "just include the default architecture" but patchbpf
would return a no-op ENOSYS stub, which would lead to the exact issues
that commit 7a8d7162f9 ("seccomp: prepend -ENOSYS stub to all
filters") fixed for other architectures.

So, just always include the running architecture in the list. There's
no real downside.

Ref: https://bugzilla.suse.com/show_bug.cgi?id=1192051#c6
Fixes: 7a8d7162f9 ("seccomp: prepend -ENOSYS stub to all filters")
Reported-by: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 13:17:47 +10:00
Aleksa Sarai d85b58388f [1.1] seccomp: patchbpf: rename nativeArch -> linuxAuditArch
(This is a backport of b288abeaa58816aae1235dbd527b79cec5df644b.)

Calling the Linux AUDIT_* architecture constants "native" leads to
confusing code when we are getting the actual native architecture of the
running system.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 13:13:38 +10:00
Kir Kolyshkin 6223a65d5d [1.1] libct/seccomp/patchbpf: rm duplicated code
(This is a cherry-pick of 2cd05e44b662fb79c46d5ebfd6c71e9ebc98d40c.)

In findLastSyscalls, we convert libseccomp.ArchNative to the real
libseccomp architecture, but archToNative already does that, so
this code is redundant.

Remove the redundant code, and move its comment to archToNative.

Fixes: 7a8d7162f9 ("seccomp: prepend -ENOSYS stub to all filters")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 13:13:34 +10:00
Aleksa Sarai 2655e7c5a8 VERSION: back to development
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 11:15:44 +10:00
Aleksa Sarai 2c9f5602f0 VERSION: release 1.1.14
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
v1.1.14
2024-09-03 11:15:41 +10:00
Aleksa Sarai a86c3d8837 Merge commit from fork
[1.1] rootfs: try to scope MkdirAll to stay inside the rootfs
2024-09-03 10:55:23 +10:00
Aleksa Sarai f0b652ea61 [1.1] rootfs: try to scope MkdirAll to stay inside the rootfs
While we use SecureJoin to try to make all of our target paths inside
the container safe, SecureJoin is not safe against an attacker than can
change the path after we "resolve" it.

os.MkdirAll can inadvertently follow symlinks and thus an attacker could
end up tricking runc into creating empty directories on the host (note
that the container doesn't get access to these directories, and the host
just sees empty directories). However, this could potentially cause DoS
issues by (for instance) creating a directory in a conf.d directory for
a daemon that doesn't handle subdirectories properly.

In addition, the handling for creating file bind-mounts did a plain
open(O_CREAT) on the SecureJoin'd path, which is even more obviously
unsafe (luckily we didn't use O_TRUNC, or this bug could've allowed an
attacker to cause data loss...). Regardless of the symlink issue,
opening an untrusted file could result in a DoS if the file is a hung
tty or some other "nasty" file. We can use mknodat to safely create a
regular file without opening anything anyway (O_CREAT|O_EXCL would also
work but it makes the logic a bit more complicated, and we don't want to
open the file for any particular reason anyway).

libpathrs[1] is the long-term solution for these kinds of problems, but
for now we can patch this particular issue by creating a more restricted
MkdirAll that refuses to resolve symlinks and does the creation using
file descriptors. This is loosely based on a more secure version that
filepath-securejoin now has[2] and will be added to libpathrs soon[3].

[1]: https://github.com/openSUSE/libpathrs
[2]: https://github.com/cyphar/filepath-securejoin/releases/tag/v0.3.0
[3]: https://github.com/openSUSE/libpathrs/issues/10

Fixes: CVE-2024-45310
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 02:34:53 +10:00
Aleksa Sarai 8781993968 [1.1] rootfs: consolidate mountpoint creation logic
The logic for how we create mountpoints is spread over each mountpoint
preparation function, when in reality the behaviour is pretty uniform
with only a handful of exceptions. So just move it all to one function
that is easier to understand.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-09-03 02:32:45 +10:00
Sebastiaan van Stijn 6419fbabfb Merge pull request #4382 from rata/Makefile-override-fixes
[1.1] Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION
2024-08-23 22:36:03 +02:00
Rodrigo Campos 0514204d6f Makefile: Add EXTRA_VERSION
Add this new make variable so users can specify build information
without modifying the runc version nor the source code.

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cherry picked from commit cc2078ccdd)
2024-08-19 16:55:02 +02:00
Rodrigo Campos 18cdc3476f Revert "allow overriding VERSION value in Makefile"
This reverts commit 9d9273c926.

This commit broke the build for several other projects (see comments
here: https://github.com/opencontainers/runc/pull/4270, after the merge)
and we don't really need this to be able to set the version without
changing the file.

With this commit reverted, we can still run:

	make VERSION="1.2.3"

and it just works. It doesn't take it from an env variable, but that is
what broke all the other projects (VERSION is just too generic as an env
var, especially for a project like runc that is embedded in many
others).

Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
(cherry picked from commit f4cc3d8313)
2024-08-19 16:52:10 +02:00
Akihiro Suda f3f71a9347 Merge pull request #4372 from kolyshkin/1.1-go123
[1.1] Add Go 1.23, drop 1.21
2024-08-14 19:20:04 +09:00
Kir Kolyshkin 7f75aec407 [1.1] Add Go 1.23, drop 1.21
As of commit 096e6f88f0 we are ready for Go 1.23.

All that's left to do is:
 - Cirrus CI: switch from Go 1.21 to Go 1.22;
 - GHA CI: drop go 1.21, add 1.23 to test matrix;
 - Dockerfile: switch from Go 1.21.x to 1.22.x.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-08-13 15:26:40 -07:00
Kir Kolyshkin 931f46304b Merge pull request #4361 from austinvazquez/backport-protobuf-updates-to-1.1
[1.1 backport] vendor: google.golang.org/protobuf 1.33.0
2024-08-01 01:22:08 -07:00
dependabot[bot] 1f587049fd build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 7ab66b187c)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:42:49 +00:00
dependabot[bot] 31f29447d3 build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.32.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 43306be3f0)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:42:10 +00:00
dependabot[bot] ac5fc48ad1 build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0
Bumps google.golang.org/protobuf from 1.30.0 to 1.31.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a57d94d3ad)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:40:41 +00:00
dependabot[bot] 3b5bf8f2a9 build(deps): bump google.golang.org/protobuf from 1.29.1 to 1.30.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.1 to 1.30.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.1...v1.30.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 8f0d0c4dc8)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:39:09 +00:00
dependabot[bot] 81461edc12 build(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.29.0 to 1.29.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.29.0...v1.29.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit a7046b8387)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:38:13 +00:00
dependabot[bot] 2a9acb99b4 build(deps): bump google.golang.org/protobuf from 1.28.1 to 1.29.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.1 to 1.29.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 6b41f8ed26)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:37:23 +00:00
dependabot[bot] 19c47f652d build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.28.0 to 1.28.1.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 450dd3e237)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:36:23 +00:00
dependabot[bot] 88f54b20fc build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 82bc042d27)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-07-29 22:34:00 +00:00
lfbzhm 615068f17a Merge pull request #4334 from cyphar/1.1-rootfs-mountfd
[1.1] rootfs: fix 'can we mount on top of /proc' check
2024-07-05 12:02:49 +08:00
Aleksa Sarai a0292ca6ff [1.1] rootfs: fix 'can we mount on top of /proc' check
(This is a cherry-pick of cdff09ab87 but
modified so that changes like 8e8b136c49 and a60933bb24 don't also
need to be backported. Ideally we would backport the entire "remove all
mount logic from nsexec" series, but that would be a bit too much.)

Our previous test for whether we can mount on top of /proc incorrectly
assumed that it would only be called with bind-mount sources. This meant
that having a non bind-mount entry for a pseudo-filesystem (like
overlayfs) with a dummy source set to /proc on the host would let you
bypass the check, which could easily lead to security issues.

In addition, the check should be applied more uniformly to all mount
types, so fix that as well. And add some tests for some of the tricky
cases to make sure we protect against them properly.

Fixes: 331692baa7 ("Only allow proc mount if it is procfs")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-07-04 14:18:41 +10:00
Kir Kolyshkin b36a0f4537 Merge pull request #4336 from cyphar/1.1-rm-c7
[1.1] ci/cirrus: switch from CentOS to Almalinux
2024-07-02 22:35:26 -07:00
Kir Kolyshkin 5b89027afc [1.1] ci/cirrus: switch from CentOS to Almalinux
(This is a backport of b18d052bb83cbf0a6ad79aa1e79d5c9f75eddda7.)

Remove CentOS 7 as it is EOL.

Add back RHEL 8 clone (CentOS Stream 8 was removed by commit
40bb9c468e).

Switch from CentOS Stream 9 to Almalinux 9.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2024-07-03 10:54:30 +10:00
Kir Kolyshkin ed406952fc Merge pull request #4318 from lifubang/release-1.1.13
Release 1.1.13
2024-06-13 08:05:44 -07:00
lifubang ec1bc45d46 VERSION: back to development
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-13 18:23:57 +08:00
lifubang 58aa9203c1 VERSION: release 1.1.13
Signed-off-by: lifubang <lifubang@acmcoder.com>
v1.1.13
2024-06-13 18:23:48 +08:00
Kir Kolyshkin 2b3a2472d1 Merge pull request #4316 from lifubang/backport-4189
[1.1] script/*: fix gpg usage wrt keyboxd
2024-06-11 16:55:14 -07:00
Kir Kolyshkin 3507adac19 Merge pull request #4315 from lifubang/backport-4311
[1.1] fix a debug msg for user ns in nsexec
2024-06-11 16:54:55 -07:00
Kir Kolyshkin 0f7150ade8 script/*: fix gpg usage wrt keyboxd
I used script/keyring_validate.sh, which gave me this error:

> [*] User cyphar in runc.keyring is not a maintainer!

Apparently, when gnupg 2.4.1+ sees a fresh install (i.e. no ~/.gnupg
directory), it configures itself to use keyboxd instead of keyring
files, and when just silently ignores options like --keyring and
--no-default-keyring, working with keyboxd all the time.

The only way I found to make it not use keyboxd is to set --homedir.
Let's do that when we explicitly want a separate keyring.

Similar change is made to script/release_key.sh.

Also, change "--import --import-options=show-only" to "--show-keys"
which is a shortcut. When using this, there is no need to protect
the default keyring since this command does not read or modify it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 760105ab11)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-10 07:26:54 +08:00
lfbzhm 80186fec5c fix a debug msg for user ns in nsexec
Signed-off-by: lfbzhm <lifubang@acmcoder.com>
(cherry picked from commit 24c2d28d1f)
Signed-off-by: lifubang <lifubang@acmcoder.com>
2024-06-10 07:18:53 +08:00
lfbzhm 8407d3c602 Merge pull request #4313 from kolyshkin/1.1-backport-4292
[1.1] Support Go 1.22, bump some CI deps
2024-06-10 06:46:19 +08:00
Kir Kolyshkin 7219e0afff Dockerfile: bump Debian to 12, Go to 1.21
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit b74b33c439)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:37:56 -07:00
Kir Kolyshkin c9beabc8d8 ci: switch to go 1.22 as main version
Now when Go 1.22.4 is out it should no longer be a problem.

Leave Go 1.21 for CentOS testing (CentOS 7 and 8 have older glibc)
and Dockerfile (Debian 11 have older glibc).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit a3302f2054)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:37:56 -07:00
Kir Kolyshkin 4578c6c5db libct/nsenter: stop blacklisting go 1.22+
Go 1.23 includes a fix (https://go.dev/cl/587919) so go1.23.x can be
used. This fix is also backported to 1.22.4, so go1.22.x can also be
used (when x >= 4). Finally, for glibc >= 2.32 it doesn't really matter.

Add a note about Go 1.22.x > 1.22.4 to README as well.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e660ef61a5)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:37:56 -07:00
lifubang c488d13a53 use go mod instead of go get in spec.bats
Signed-off-by: lifubang <lifubang@acmcoder.com>
(cherry picked from commit 75e02193c2)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:37:54 -07:00
Kir Kolyshkin ae85f058cc ci/gha: bump golangci-lint to v1.57
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d63018c252)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:33:03 -07:00
Kir Kolyshkin 327e07e968 ci/gha: bump golangci-lint to v1.54
Currently, it is at v1.54.2.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 17e7e230bd)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:33:03 -07:00
Kir Kolyshkin 65bdf604dd libct/user: gofumpt -w
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:32:50 -07:00
Kir Kolyshkin 4d097af534 ci/gha: bump golangci-lint-action from 5 to 6
Note that github-actions output format is deprecated and no longer supported,
and it is also no longer needed since setup-go problem matcher already
handles default golangci-lint output format ("colored-line-number").

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f452f667c0)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
Kir Kolyshkin fb23608437 ci/gha: bump golangci/golangci-lint-action to v5
Since v5 removes caching [1], re-enable setup-go cache.

[1] https://github.com/golangci/golangci-lint-action/pull/1024

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6bcc736122)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00
Akihiro Suda 8bfc75a25d CI: run apt with -y
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 30dc98f577)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-06-07 11:18:12 -07:00