deps: bump Go to 1.21.4 (#2569)

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>

.bazelversion

@@ -1 +1 @@
-6.3.2
+6.4.0

.github/workflows/build-ccm-gcp.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Setup Go environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: "1.21.3"
+          go-version: "1.21.4"
           cache: false
 
       - name: Install Crane

.github/workflows/build-os-image-scheduled.yml

@@ -69,7 +69,7 @@ jobs:
       - name: Setup Go environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: "1.21.3"
+          go-version: "1.21.4"
           cache: false
 
       - name: Determine version

.github/workflows/codeql.yml

@@ -40,7 +40,7 @@ jobs:
         if: matrix.language == 'go'
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: "1.21.3"
+          go-version: "1.21.4"
           cache: false
 
       - name: Initialize CodeQL

.github/workflows/release.yml

@@ -233,7 +233,7 @@ jobs:
       - name: Setup Go environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: "1.21.3"
+          go-version: "1.21.4"
           cache: true
 
       - name: Build generateMeasurements tool

.github/workflows/test-integration.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Setup Go environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: "1.21.3"
+          go-version: "1.21.4"
           cache: true
 
       - name: Install Dependencies

.github/workflows/test-operator-codegen.yml

@@ -28,7 +28,7 @@ jobs:
       - name: Setup Go environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
-          go-version: "1.21.3"
+          go-version: "1.21.4"
           cache: true
 
       - name: Run code generation

3rdparty/gcp-guest-agent/Dockerfile

@@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \
     git
 
 # Install Go
-ARG GO_VER=1.21.3
+ARG GO_VER=1.21.4
 RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
     tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
     rm go${GO_VER}.linux-amd64.tar.gz

WORKSPACE.bazel

@@ -17,8 +17,8 @@ load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_cc_configure", "ni
 
 nixpkgs_git_repository(
     name = "nixpkgs",
-    revision = "0c7ffbc66e6d78c50c38e717ec91a2a14e0622fb",
-    sha256 = "2c8c39259595441e2fe529b75b2e69eba486e0f3457e810bf9bb2b531822743e",
+    revision = "ec750fd01963ab6b20ee1f0cb488754e8036d89d",
+    sha256 = "9e809097a0c66334139cda3d1bec3bf73bdfad593e954259ff329c7b4a118041",
 )
 
 nixpkgs_flake_package(

bazel/container/Containerfile

@@ -3,7 +3,7 @@ FROM fedora:38
 
 ARG TARGETOS
 ARG TARGETARCH
-ARG BAZEL_VERSION=6.3.2
+ARG BAZEL_VERSION=6.4.0
 ARG BAZELISK_VERSION=v1.16.0
 ARG BAZELISK_SHA256=168851e70cf5f95c0e215e7f3aaca5132ffc3c8dd8f585a4157b0be2b53cfe32
 

bazel/container/container.sh

@@ -17,7 +17,7 @@ function setup {
 }
 
 function startBazelServer {
-  local containerImage="ghcr.io/edgelesssys/bazel-container:v6.3.2"
+  local containerImage="ghcr.io/edgelesssys/bazel-container:v6.4.0"
   local containerName="bazeld"
 
   setup

bazel/go/go.nix

@@ -1,10 +1,10 @@
 let
   pkgs = import <nixpkgs> { };
   goAttr = pkgs.go_1_21.overrideAttrs (_: rec {
-    version = "1.21.3";
+    version = "1.21.4";
     src = pkgs.fetchurl {
       url = "https://go.dev/dl/go${version}.src.tar.gz";
-      hash = "sha256-GG8rb4yLcE5paCGwmrIEGlwe4T3LwxVqE63PdZMe5Ig=";
+      hash = "sha256-R7Jqg9K2WjwcG8rOJztpvuSaentRaKdgTe09JqN714c=";
     };
   });
 in

dev-docs/workflows/bump-go-version.md

@@ -0,0 +1,17 @@
+# Bump Go version
+`govulncheck` from the bazel `check` target will fail if our code is vulnerable, which is often the case when a patch version was released with security fixes.
+
+## Steps
+
+1. Replace "1.xx.x" with the new version (see [example](https://github.com/edgelesssys/constellation/commit/9e1a0c06bfda0171958f0776633a9a53f521144d))
+2. Update the nix hash
+
+    Once updated run `bazel run //:tidy` and you will see a failure such as:
+
+    ```
+        > error: hash mismatch in fixed-output derivation '/nix/store/r85bdj6vrim7m5vlybdmzgca7d0kcb4n-go1.21.4.src.tar.gz.drv':
+      >          specified: sha256-GG8rb4yLcE5paCGwmrIEGlwe4T3LwxVqE63PdZMe5Ig=
+      >             got:    sha256-R7Jqg9K2WjwcG8rOJztpvuSaentRaKdgTe09JqN714c=
+    ```
+    Simple replace the hash with the got value.
+3. Ask @katexochen to build the thing and push it into his cache.

flake.lock

@@ -20,17 +20,17 @@
     },
     "nixpkgsUnstable": {
       "locked": {
-        "lastModified": 1697808392,
-        "narHash": "sha256-hHIWoHctiLmH9al5mU58lw5tMuaGerei/rUyJjVc+3o=",
+        "lastModified": 1699343069,
+        "narHash": "sha256-s7BBhyLA6MI6FuJgs4F/SgpntHBzz40/qV0xLPW6A1Q=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9ef2c8ddff172378496b118f709bfe81280a7e58",
+        "rev": "ec750fd01963ab6b20ee1f0cb488754e8036d89d",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
-        "rev": "9ef2c8ddff172378496b118f709bfe81280a7e58",
         "type": "github"
       }
     },

flake.nix

@@ -3,8 +3,7 @@
 
   inputs = {
     nixpkgsUnstable = {
-      # TODO(malt3): use github:NixOS/nixpkgs/nixpkgs-unstable after repart fix is upstreamed
-      url = "github:NixOS/nixpkgs/9ef2c8ddff172378496b118f709bfe81280a7e58";
+      url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     };
     flake-utils = {
       url = "github:numtide/flake-utils";

go.work

@@ -1,6 +1,6 @@
 go 1.21
 
-toolchain go1.21.3
+toolchain go1.21.4
 
 use (
 	.