From df302436ed08ee7bf8fa1c993367eba285a91ecf Mon Sep 17 00:00:00 2001
From: yiannistri <8741709+yiannistri@users.noreply.github.com>
Date: Thu, 30 May 2024 16:51:26 +0100
Subject: [PATCH 1/2] fix: Replace unapproved GH Actions with approved ones

---
 .github/workflows/apidiff.yaml               |  7 +--
 .github/workflows/build.yaml                 |  4 +-
 .github/workflows/e2e.yaml                   | 10 ++---
 .github/workflows/lint.yaml                  |  7 ++-
 .github/workflows/nightly-publish.yaml       |  4 +-
 .github/workflows/scan.yaml                  |  2 +-
 .github/workflows/unit.yaml                  |  4 +-
 .github/workflows/update-rancher-charts.yaml | 46 +++++++++++--------
 .github/workflows/update-rancher-dep.yaml    | 47 ++++++++++++--------
 .github/workflows/verify.yaml                |  4 +-
 Makefile                                     | 10 +++++
 11 files changed, 87 insertions(+), 58 deletions(-)

diff --git a/.github/workflows/apidiff.yaml b/.github/workflows/apidiff.yaml
index ebabbd36..474248c4 100644
--- a/.github/workflows/apidiff.yaml
+++ b/.github/workflows/apidiff.yaml
@@ -5,10 +5,11 @@ jobs:
   go-apidiff:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: actions/setup-go@v4
+    - uses: actions/setup-go@v5
       with:
         go-version: 1.20.x
-    - uses: joelanford/go-apidiff@main
+    - name: Generate API diff
+      run: make apidiff
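Review bot: `actions/checkout@v4` and `actions/setup-go@v5` stay on mutable major tags, while the third-party actions introduced elsewhere in this patch (helm/kind-action, golangci-lint-action, actions/github-script) are pinned to a full commit SHA with a `# vX.Y.Z` comment; the same pinning style should be applied here and to every other `actions/*` bump in this patch, or the exemption for first-party actions should be stated in the workflow, so the "approved" set is actually immutable. The new `make apidiff` step also inherits the Makefile's hard-coded baseline `origin/release-v2.7` (see the Makefile hunk), so if this workflow runs on pull requests against other branches the comparison base will be wrong; passing `run: make apidiff APIDIFF_OLD_COMMIT=origin/${{ github.base_ref }}` keeps the baseline tied to the PR target. The workflow's `on:` block is outside this hunk, so whether that applies is inferred.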
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 6292781d..9ad19c53 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -9,9 +9,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.20.x
       - uses: actions/cache@v3.3.1
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index be78bc61..0cbdc633 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Export tag
@@ -58,7 +58,7 @@ jobs:
             COMMITDATE=${{ steps.export_tag.outputs.commit_date }}
             COMMIT=${{ github.sha }}
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.20.x
       - uses: actions/cache@v3.3.1
@@ -69,10 +69,10 @@ jobs:
           key: ${{ runner.os }}-test-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-test-go-${{ hashFiles('**/go.sum') }}
-      - uses: engineerd/setup-kind@v0.5.0
+      - uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
         with:
-          version: "v0.16.0"
-          skipClusterCreation: "true"
+          version: v0.23.0
+          install_only: true
       - name: Create kind cluster
         run: make setup-kind
       - name: E2E tests
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 7a8d54ea..1044bc19 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -11,13 +11,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Install Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.20.x
       - name: Analysis
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
         with:
           args: -v
-          skip-pkg-cache: true
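Review bot: Pinning golangci-lint-action to a SHA does not pin the linter itself: without a `version:` input under `with:` the action installs the latest golangci-lint release at run time, so lint results (and the minimum Go version the binary needs, relevant with `go-version: 1.20.x` above) can change between identical runs. Add `version: <pinned golangci-lint release>` next to `args: -v` so the toolchain is reproducible like the action reference. Dropping `skip-pkg-cache` is consistent with the action major bump; no concern there.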
diff --git a/.github/workflows/nightly-publish.yaml b/.github/workflows/nightly-publish.yaml
index a2ddedfa..487d3a2d 100644
--- a/.github/workflows/nightly-publish.yaml
+++ b/.github/workflows/nightly-publish.yaml
@@ -13,7 +13,7 @@ jobs:
       BUILD_DATE: ${{ steps.setoutputs.outputs.builddate}}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
             fetch-depth: 0
       - name: Set current date as env variable
@@ -49,7 +49,7 @@ jobs:
     needs: nightly_image
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
             fetch-depth: 0
       - name: Install Helm
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 82266cbc..952ec7d6 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up Docker Buildx
diff --git a/.github/workflows/unit.yaml b/.github/workflows/unit.yaml
index 6a40cd3d..d9ba223e 100644
--- a/.github/workflows/unit.yaml
+++ b/.github/workflows/unit.yaml
@@ -8,9 +8,9 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Install Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: 1.20.x
     - uses: actions/cache@v3.3.1
diff --git a/.github/workflows/update-rancher-charts.yaml b/.github/workflows/update-rancher-charts.yaml
index cc85ed06..0fd95013 100644
--- a/.github/workflows/update-rancher-charts.yaml
+++ b/.github/workflows/update-rancher-charts.yaml
@@ -5,13 +5,13 @@ on:
       ref:
         description: "Branch to use for GitHub action workflow"
         required: true
-        default: "master"
+        default: "release-v2.7"
       charts_ref:
         description: "Submit PR against the following rancher/charts branch (e.g. dev-v2.7)"
         required: true
         default: "dev-v2.7"
       prev_aks_operator:
-        description: "Previous AKS operator version (e.g. 1.1.0-rc2)"
+        description: "Previous AKS operator version (e.g. 1.2.0-rc.1)"
         required: true
         default: ""
       new_aks_operator:
@@ -35,32 +35,42 @@ jobs:
   create-rancher-charts-pr:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{github.event.inputs.ref}}
           path: aks-operator
+          persist-credentials: false
       - name: Checkout rancher/charts
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
           repository: rancher/charts
           ref: ${{github.event.inputs.charts_ref}}
           path: charts
-      - name: Run release script
+          persist-credentials: false
+      - name: Run release script # release script is responsible for git add/commit
         run: ./aks-operator/.github/scripts/update-rancher-charts.sh ${{github.event.inputs.prev_aks_operator}} ${{github.event.inputs.new_aks_operator}} ${{github.event.inputs.prev_chart}}  ${{github.event.inputs.new_chart}}  ${{github.event.inputs.should_replace}}
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+      - name: Set timestamp
+        run: echo "TIMESTAMP=$(date +'%s')" >> "$GITHUB_ENV"
+      - name: Push changes
+        env:
+          USERNAME: highlander-ci-bot
+          TOKEN: ${{ secrets.CI_BOT_TOKEN }}
+        run: |
+          git remote add bot-fork https://${USERNAME}:${TOKEN}@github.com/highlander-ci-bot/charts.git
+          git push bot-fork HEAD:${{github.event.inputs.new_aks_operator}}-${{env.TIMESTAMP}}
+      - name: Create PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
-          token: ${{secrets.CI_BOT_TOKEN}}
-          push-to-fork: highlander-ci-bot/charts
-          title: 'Update AKS operator to v${{github.event.inputs.new_aks_operator}}'
-          body: |
-            Update AKS operator to v${{github.event.inputs.new_aks_operator}}
+          github-token: ${{ secrets.CI_BOT_TOKEN }}
+          script: |
+            github.pulls.create({
+              owner: 'rancher',
+              repo: 'charts',
+              head: 'highlander-ci-bot:${{github.event.inputs.new_aks_operator}}-${{env.TIMESTAMP}}',
+              base: ${{github.event.inputs.charts_ref}},
+              title: 'Update AKS operator to v${{github.event.inputs.new_aks_operator}}',
+              body: 'Update AKS operator to v${{github.event.inputs.new_aks_operator}}\n\nChangelog: https://github.com/rancher/aks-operator/releases/tag/v${{github.event.inputs.new_aks_operator}}\n\ncc @rancher/highlander'
+            })
 
-            Changelog: https://github.com/rancher/aks-operator/releases/tag/v${{github.event.inputs.new_aks_operator}}
-
-            cc @rancher/highlander
-          branch-suffix: timestamp
-          base: ${{github.event.inputs.charts_ref}}
-          path: ./charts/
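Review bot: In the `script:` block, `base: ${{github.event.inputs.charts_ref}}` is substituted unquoted, so the JavaScript becomes `base: dev-v2.7,`, which is a syntax error, and with actions/github-script v5+ the REST client is exposed as `github.rest`, so `github.pulls.create(...)` will not resolve; it should read `base: '${{github.event.inputs.charts_ref}}',` and `await github.rest.pulls.create({...})`. The "Push changes" step runs in the workspace root, but both checkouts use `path:` (the removed create-pull-request config had `path: ./charts/`), so as far as the hunk shows `git remote add`/`git push` execute outside any repository; it needs `working-directory: charts`. Embedding `${TOKEN}` via `git remote add` writes the secret into `.git/config` where every later step can read it; pushing to the URL directly avoids persisting it, and the `${{ }}` inputs are safer passed through `env:` than spliced into shell and JS text. The update-rancher-dep.yaml hunk has the same three defects (`base: ${{github.event.inputs.rancher_ref}}` defaults to `release/v2.7`, also invalid JS, and the push step lacks `working-directory: rancher`).
```yaml
      - name: Push changes
        working-directory: charts
        env:
          USERNAME: highlander-ci-bot
          TOKEN: ${{ secrets.CI_BOT_TOKEN }}
          BRANCH: ${{ github.event.inputs.new_aks_operator }}-${{ env.TIMESTAMP }}
        run: |
          git push "https://${USERNAME}:${TOKEN}@github.com/highlander-ci-bot/charts.git" "HEAD:${BRANCH}"
      - name: Create PR
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        env:
          NEW_VERSION: ${{ github.event.inputs.new_aks_operator }}
          BASE: ${{ github.event.inputs.charts_ref }}
          BRANCH: ${{ github.event.inputs.new_aks_operator }}-${{ env.TIMESTAMP }}
        with:
          github-token: ${{ secrets.CI_BOT_TOKEN }}
          script: |
            const { NEW_VERSION, BASE, BRANCH } = process.env;
            await github.rest.pulls.create({
              owner: 'rancher',
              repo: 'charts',
              head: `highlander-ci-bot:${BRANCH}`,
              base: BASE,
              title: `Update AKS operator to v${NEW_VERSION}`,
              body: `Update AKS operator to v${NEW_VERSION}\n\nChangelog: https://github.com/rancher/aks-operator/releases/tag/v${NEW_VERSION}\n\ncc @rancher/highlander`
            });
```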
diff --git a/.github/workflows/update-rancher-dep.yaml b/.github/workflows/update-rancher-dep.yaml
index 3a43a945..f8cdafff 100644
--- a/.github/workflows/update-rancher-dep.yaml
+++ b/.github/workflows/update-rancher-dep.yaml
@@ -11,7 +11,7 @@ on:
         required: true
         default: "release/v2.7"
       new_aks:
-        description: "New AKS operator version (e.g. 1.1.0-rc2), don't include the 'v'"
+        description: "New AKS operator version (e.g. 1.2.0-rc.1), don't include the 'v'"
         required: true
         default: ""
 
@@ -24,35 +24,44 @@ jobs:
   create-rancher-pr:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           ref: ${{github.event.inputs.ref}}
           path: aks-operator
+          persist-credentials: false
       - name: Checkout rancher/rancher
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
           repository: rancher/rancher
           ref: ${{github.event.inputs.rancher_ref}}
           path: rancher
-      - uses: actions/setup-go@v4
+          persist-credentials: false
+      - uses: actions/setup-go@v5
         with:
           go-version: ${{ env.SETUP_GO_VERSION }}
-      - name: Run release script
+      - name: Run release script # release script is responsible for git add/commit
         run: ./aks-operator/.github/scripts/update-rancher-dep.sh ${{github.event.inputs.new_aks}}
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v5
+      - name: Set timestamp
+        run: echo "TIMESTAMP=$(date +'%s')" >> "$GITHUB_ENV"
+      - name: Push changes
+        env:
+          USERNAME: highlander-ci-bot
+          TOKEN: ${{ secrets.CI_BOT_TOKEN }}
+        run: |
+          git remote add bot-fork https://${USERNAME}:${TOKEN}@github.com/highlander-ci-bot/rancher.git
+          git push bot-fork HEAD:${{github.event.inputs.new_aks}}-${{env.TIMESTAMP}}
+      - name: Create PR
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
-          token: ${{secrets.CI_BOT_TOKEN}}
-          push-to-fork: highlander-ci-bot/rancher
-          title: ' Update AKS operator to v${{github.event.inputs.new_aks}}'
-          body: |
-            Update AKS operator to v${{github.event.inputs.new_aks}}
-
-            Changelog: https://github.com/rancher/aks-operator/releases/tag/v${{github.event.inputs.new_aks}}
-
-            cc @rancher/highlander
-          branch-suffix: timestamp
-          base: ${{github.event.inputs.rancher_ref}}
-          path: ./rancher/
+          github-token: ${{secrets.CI_BOT_TOKEN}}
+          script: |
+            github.pulls.create({
+              owner: 'rancher',
+              repo: 'rancher',
+              head: 'highlander-ci-bot:${{github.event.inputs.new_aks}}-${{env.TIMESTAMP}}',
+              base: ${{github.event.inputs.rancher_ref}},
+              title: 'Update AKS operator to v${{github.event.inputs.new_aks}}',
+              body: 'Update AKS operator to v${{github.event.inputs.new_aks}}\n\nChangelog: https://github.com/rancher/aks-operator/releases/tag/v${{github.event.inputs.new_aks}}\n\ncc @rancher/highlander'
+            })
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
index 311486db..56b810af 100644
--- a/.github/workflows/verify.yaml
+++ b/.github/workflows/verify.yaml
@@ -8,9 +8,9 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Install Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: 1.20.x
     - uses: actions/cache@v3.3.1
diff --git a/Makefile b/Makefile
index a3073509..751a1600 100644
--- a/Makefile
+++ b/Makefile
@@ -29,6 +29,10 @@ GINKGO_VER := v2.17.1
 GINKGO_BIN := ginkgo
 GINKGO := $(BIN_DIR)/$(GINKGO_BIN)-$(GINKGO_VER)
 
+GO_APIDIFF_VER := v0.8.2
+GO_APIDIFF_BIN := go-apidiff
+GO_APIDIFF := $(BIN_DIR)/$(GO_APIDIFF_BIN)-$(GO_APIDIFF_VER)
+
 SETUP_ENVTEST_VER := v0.0.0-20211110210527-619e6b92dab9
 SETUP_ENVTEST_BIN := setup-envtest
 SETUP_ENVTEST := $(BIN_DIR)/$(SETUP_ENVTEST_BIN)-$(SETUP_ENVTEST_VER)
@@ -172,3 +176,9 @@ docker-build-e2e:
 .PHOHY: delete-local-kind-cluster
 delete-local-kind-cluster: ## Delete the local kind cluster
 	kind delete cluster --name=$(CLUSTER_NAME)
+
+APIDIFF_OLD_COMMIT ?= $(shell git rev-parse origin/release-v2.7)
+
+.PHONY: apidiff
+apidiff: $(GO_APIDIFF) ## Check for API differences
+	$(GO_APIDIFF) $(APIDIFF_OLD_COMMIT) --print-compatible
\ No newline at end of file
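Review bot: `APIDIFF_OLD_COMMIT ?= $(shell git rev-parse origin/release-v2.7)` is a recursive assignment, so the `git rev-parse` re-runs on every expansion, and when `origin/release-v2.7` is absent (shallow or fork clone) git echoes the literal ref to stdout and make carries on, so the failure only surfaces as a confusing go-apidiff error; evaluate once and validate instead: `ifndef APIDIFF_OLD_COMMIT` / `APIDIFF_OLD_COMMIT := $(shell git rev-parse --verify origin/release-v2.7 2>/dev/null)` / `endif`, and guard the recipe with `$(if $(strip $(APIDIFF_OLD_COMMIT)),,$(error APIDIFF_OLD_COMMIT is empty: fetch origin/release-v2.7 or set it explicitly))`. The prerequisite `$(GO_APIDIFF)` has no build rule in this patch, so one matching the existing `$(GINKGO)` install rule must already exist outside the hunk; please confirm. The baseline branch is hard-coded, which should be stated in the `##` help text so callers on other release lines know to override it. The context line `.PHOHY: delete-local-kind-cluster` just above is a pre-existing typo for `.PHONY` worth fixing while here, and the new file ends without a trailing newline.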

From 91d2f75ccdd4d2fbabb8741ed42ad793ed1f8dab Mon Sep 17 00:00:00 2001
From: yiannistri <8741709+yiannistri@users.noreply.github.com>
Date: Fri, 31 May 2024 08:11:17 +0100
Subject: [PATCH 2/2] fix: Explicitly ignore CVE-2023-45288 from trivy scan
 until we are able to upgrade to Go 1.21

---
 .trivyignore | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .trivyignore

diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 00000000..cb588100
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,2 @@
+# Requires upgrading to Go 1.21 but we can't do this before Rancher v2.7 gets updated 
+CVE-2023-45288
\ No newline at end of file
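Review bot: The suppression of CVE-2023-45288 has no expiry and no scope, so it will keep hiding the finding after the Go 1.21 upgrade the comment promises, and for every package that carries this CVE rather than only the one affected here. Trivy's YAML ignore file (`.trivyignore.yaml`) supports `expired_at:` and per-entry `statement:`/`paths:`, which would tie the exception to its justification and make it lapse automatically; at minimum the comment should name the affected module so the entry can be revisited, e.g. `# <affected module, fill in>: fixed in Go 1.21; remove once Rancher v2.7 allows the upgrade`. The comment line also carries trailing whitespace and the file lacks a final newline.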