Run CI tests on go1.20 (#6550)

Add go1.20 as a new version to run tests on, and to build release artifacts from. Fix one test which was failing because it was accidentally relying on consistent (i.e. unseeded) non-cryptographic random number generation, which go1.20 now automatically seeds at import time. Update the version of golangci-lint used in our docker containers to the new version that has go1.20 support. Remove a number of nolint comments that were required due to an old version of the gosec linter.
2023-02-03 11:57:07 -08:00 · 2023-02-03 11:57:07 -08:00 · 18216a7ea8
parent 122d841830
commit 18216a7ea8
13 changed files with 32 additions and 20 deletions
--- a/.github/workflows/boulder-ci.yml
+++ b/.github/workflows/boulder-ci.yml
@ -36,8 +36,8 @@ jobs:
      matrix:
        # Add additional docker image tags here and all tests will be run with the additional image.
        BOULDER_TOOLS_TAG:
-          - go1.19.2_2023-01-10
-          - go1.19.5_2023-01-10
+          - go1.19.5_2023-02-02
+          - go1.20_2023-02-02
        # Tests command definitions. Use the entire "docker compose" command you want to run.
        tests:
          # Run ./test.sh --help for a description of each of the flags.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -10,6 +10,12 @@ on:

 jobs:
  push-release:
+    strategy:
+      fail-fast: false
+      matrix:
+        GO_VERSION:
+          - 1.19.5
+          - 1.20
    runs-on: ubuntu-20.04
    permissions:
      contents: write
@ -21,7 +27,7 @@ jobs:
      - name: Build .deb
        id: build
        env:
-          GO_VERSION: 1.19.5
+          GO_VERSION: ${{ matrix.GO_VERSION }}
        run: ./tools/make-deb.sh

      - name: Create release
--- a/akamai/cache-client_test.go
+++ b/akamai/cache-client_test.go
@ -134,8 +134,7 @@ func TestV3Purge(t *testing.T) {
 		metrics.NoopRegisterer,
 	)
 	test.AssertNotError(t, err, "Failed to create CachePurgeClient")
-	fc := clock.NewFake()
-	client.clk = fc
+	client.clk = clock.NewFake()

 	err = client.Purge([]string{"http://test.com"})
 	test.AssertNotError(t, err, "Purge failed; expected 201 response")
@ -145,7 +144,10 @@ func TestV3Purge(t *testing.T) {
 	err = client.Purge([]string{"http://test.com"})
 	test.AssertError(t, err, "Purge succeeded; expected 500 response")
 	t.Log(client.clk.Since(started))
-	test.Assert(t, client.clk.Since(started) > (time.Second*4), "Retries should've taken at least 4.4 seconds")
+	// Given 3 retries, with a retry interval of 1 second, a growth factor of 1.3,
+	// and a jitter of 0.2, the minimum amount of elapsed time is:
+	// (1 * 0.8) + (1 * 1.3 * 0.8) + (1 * 1.3 * 1.3 * 0.8) = 3.192s
+	test.Assert(t, client.clk.Since(started) > (time.Second*3), "Retries should've taken at least 3.192 seconds")

 	started = client.clk.Now()
 	as.responseCode = http.StatusCreated
--- a/cmd/boulder-wfe2/main.go
+++ b/cmd/boulder-wfe2/main.go
@ -458,9 +458,6 @@ func main() {
 	logger.Infof("Server running, listening on %s....", c.WFE.ListenAddress)
 	handler := wfe.Handler(stats)

-	// The gosec linter complains that ReadHeaderTimeout is not set. That's fine,
-	// because that field inherits its value from ReadTimeout.
-	////nolint:gosec
 	srv := http.Server{
 		ReadTimeout:  30 * time.Second,
 		WriteTimeout: 120 * time.Second,
--- a/cmd/ocsp-responder/main.go
+++ b/cmd/ocsp-responder/main.go
@ -237,9 +237,6 @@ as generated by Boulder's ceremony command.

 	m := mux(c.OCSPResponder.Path, source, c.OCSPResponder.Timeout.Duration, scope, logger, c.OCSPResponder.LogSampleRate)

-	// The gosec linter complains that ReadHeaderTimeout is not set. That's fine,
-	// because that field inherits its value from ReadTimeout.
-	////nolint:gosec
 	srv := &http.Server{
 		ReadTimeout:  30 * time.Second,
 		WriteTimeout: 120 * time.Second,
--- a/cmd/shell.go
+++ b/cmd/shell.go
@ -258,12 +258,10 @@ func newStatsRegistry(addr string, logger blog.Logger) prometheus.Registerer {
 		ErrorLog: promLogger{logger},
 	}))

-	// The gosec linter complains that ReadHeaderTimeout is not set. That's fine,
-	// because this endpoint is not exposed to the internet.
-	////nolint:gosec
 	server := http.Server{
-		Addr:    addr,
-		Handler: mux,
+		Addr:        addr,
+		Handler:     mux,
+		ReadTimeout: time.Minute,
 	}
 	go func() {
 		err := server.ListenAndServe()
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -3,7 +3,7 @@ services:
  boulder:
    # When updating the Go version here, please also update
    # .github/workflows/release.yml and .github/workflows/try-release.yml
-    image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.19.5_2023-01-10}
+    image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.19.5_2023-02-02}
    environment:
      FAKE_DNS: 10.77.77.77
      BOULDER_CONFIG_DIR: &boulder_config_dir test/config
--- a/test/akamai-test-srv/main.go
+++ b/test/akamai-test-srv/main.go
@ -92,6 +92,9 @@ func main() {
 		w.Write(resp)
 	})

+	// The gosec linter complains that timeouts cannot be set here. That's fine,
+	// because this is test-only code.
+	////nolint:gosec
 	go log.Fatal(http.ListenAndServe(*listenAddr, nil))
 	cmd.CatchSignals(nil, nil)
 }
--- a/test/boulder-tools/build.sh
+++ b/test/boulder-tools/build.sh
@ -45,7 +45,7 @@ go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2.0
 go install github.com/rubenv/sql-migrate/...@v1.1.2
 go install golang.org/x/tools/cmd/stringer@latest
 go install github.com/letsencrypt/pebble/cmd/pebble-challtestsrv@master
-go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.47.1
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.0

 go clean -cache
 go clean -modcache
--- a/test/boulder-tools/tag_and_upload.sh
+++ b/test/boulder-tools/tag_and_upload.sh
@ -10,7 +10,7 @@ DOCKER_REPO="letsencrypt/boulder-tools"
 # When updating these GO_VERSIONS, please also update
 # .github/workflows/release.yml and
 # .github/workflows/try-release.yml if appropriate.
-GO_VERSIONS=( "1.19.2" "1.19.5" )
+GO_VERSIONS=( "1.19.5" "1.20" )

 echo "Please login to allow push to DockerHub"
 docker login
--- a/test/mail-test-srv/main.go
+++ b/test/mail-test-srv/main.go
@ -224,6 +224,9 @@ func main() {

 	srv.setupHTTP(http.DefaultServeMux)
 	go func() {
+		// The gosec linter complains that timeouts cannot be set here. That's fine,
+		// because this is test-only code.
+		////nolint:gosec
 		err := http.ListenAndServe(*listenAPI, http.DefaultServeMux)
 		if err != nil {
 			log.Fatalln("Couldn't start HTTP server", err)
--- a/test/ocsp/ocsp_forever/main.go
+++ b/test/ocsp/ocsp_forever/main.go
@ -86,6 +86,9 @@ func main() {
 	}
 	http.Handle("/metrics", promhttp.Handler())
 	go func() {
+		// The gosec linter complains that timeouts cannot be set here. That's fine,
+		// because this is test-only code.
+		////nolint:gosec
 		err := http.ListenAndServe(*listenAddress, nil)
 		if err != nil && err != http.ErrServerClosed {
 			log.Fatal(err)
--- a/test/s3-test-srv/main.go
+++ b/test/s3-test-srv/main.go
@ -93,6 +93,9 @@ func main() {
 	http.HandleFunc("/clear", srv.handleClear)
 	http.HandleFunc("/query", srv.handleQuery)

+	// The gosec linter complains that timeouts cannot be set here. That's fine,
+	// because this is test-only code.
+	////nolint:gosec
 	go log.Fatal(http.ListenAndServe(*listenAddr, nil))
 	cmd.CatchSignals(nil, nil)
 }