Go 1.14.4 contains two CVEs which are fixed in 1.14.5:
- [CVE-2020-15586](https://golang.org/issue/34902)
- [CVE-2020-14039](https://golang.org/issue/39360)
Upon consideration with HashiCorp security these CVEs are considered low
severity for Nomad and no new security fix binary will be released.
This is extracted from #8094, where I have run into some snags. Since
these ESLint fixes aren’t actually connected to the Ember 3.16 update
but involve changes to many files, we might as well address them
separately. Where possible I fixed the problems but in cases where
a fix seemed too involved, I added per-line or -file exceptions.
This PR switches the Nomad repository from using govendor to Go modules
for managing dependencies. Aspects of the Nomad workflow remain pretty
much the same. The usual Makefile targets should continue to work as
they always did. The API submodule simply defers to the parent Nomad
version on the repository, keeping the semantics of API versioning that
currently exists.
Always install go and vault: the check may accidentally use the CircleCI
pre-installed go version instead of the cached version.
Also, always install from sources without caching. Go/vault
installation is basically a tarball download. That's equivalent to
CirleCI caching without the complexity. These steps don't add much time
either.
Lastly, infer the OS when downloading tarball to avoid managing them in
the job spec.
This surfaces test failures more clearly on CircleCI by adding
testem-multi-reporter to report both via the default TAP reporter
as well as an xUnit reporter whose output is stored as an artefact.
make test-nomad sets 15 minute time out for build. Increase the ci
timeout to 20m, so we can get meaningful output and goroutine stack
traces rather than have test be simply killed by CircleCI.
The extra 5 minutes is a buffer for generating-structs and some
unnecessary padding.
This adopts pattern used by Vault, where we split CircleCI yaml config
into multiple files that get packed and translated to 2.0.
This has two motivations: First, to ease translating config to CircleCI
2.0 so it can run on Enterprise private repository. Second and most
importantly, it also adding Enterprise specific jobs in separate files
with reduced config file merging conflict resolution.
This is a remenant of the time we used a custom hashicorp docker image for CI.
Currently, we use the official golang image, so no longer need the job
or manage the dockerhub credentials.
`stable-website` branch is only meant for updating the nomadproject.io
website, and the backend tests are irrelevant. Also, the ci workflow
uses up the plans containers and may delay website deployments by 20
minutes or more while we are cutting a release.
Mahmood Ali