chore(go.mod): fix dependabot alerts (#1210)

* chore(go.mod): fix dependabot alerts

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* chore(test): update image tags

We have cleaned up older golang images in the project.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci(gqlgen): fix gql schema validation GH workflow after npm upgrade

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Ramkumar Chinchani
2023-02-17 13:54:49 -08:00
committed by GitHub
parent 1f9f178a57
commit be33f7b252
11 changed files with 242 additions and 93 deletions
+3 -3
@@ -6,7 +6,7 @@ function setup_file() {
exit 1
fi
# Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.19 oci:${TEST_DATA_DIR}/golang:1.19
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
# Setup zot server
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
@@ -83,9 +83,9 @@ function teardown_file() {
}
@test "build image with stacker and specify annotations" {
run stacker --oci-dir ${BATS_FILE_TMPDIR}/stackeroci --stacker-dir ${BATS_FILE_TMPDIR}/.stacker --roots-dir ${BATS_FILE_TMPDIR}/roots build -f ${BATS_FILE_TMPDIR}/stacker.yaml --substitute IMAGE_NAME="ghcr.io/project-zot/golang" --substitute IMAGE_TAG="1.19" --substitute DESCRIPTION="mydesc" --substitute VENDOR="CentOs" --substitute LICENSES="GPLv2" --substitute COMMIT= --substitute OS=$OS --substitute ARCH=$ARCH
run stacker --oci-dir ${BATS_FILE_TMPDIR}/stackeroci --stacker-dir ${BATS_FILE_TMPDIR}/.stacker --roots-dir ${BATS_FILE_TMPDIR}/roots build -f ${BATS_FILE_TMPDIR}/stacker.yaml --substitute IMAGE_NAME="ghcr.io/project-zot/golang" --substitute IMAGE_TAG="1.20" --substitute DESCRIPTION="mydesc" --substitute VENDOR="CentOs" --substitute LICENSES="GPLv2" --substitute COMMIT= --substitute OS=$OS --substitute ARCH=$ARCH
[ "$status" -eq 0 ]
run stacker --oci-dir ${BATS_FILE_TMPDIR}/stackeroci --stacker-dir ${BATS_FILE_TMPDIR}/.stacker --roots-dir ${BATS_FILE_TMPDIR}/roots publish -f ${BATS_FILE_TMPDIR}/stacker.yaml --substitute IMAGE_NAME="ghcr.io/project-zot/golang" --substitute IMAGE_TAG="1.19" --substitute DESCRIPTION="mydesc" --substitute VENDOR="CentOs" --substitute LICENSES="GPLv2" --url docker://127.0.0.1:8080 --tag 1.19 --skip-tls
run stacker --oci-dir ${BATS_FILE_TMPDIR}/stackeroci --stacker-dir ${BATS_FILE_TMPDIR}/.stacker --roots-dir ${BATS_FILE_TMPDIR}/roots publish -f ${BATS_FILE_TMPDIR}/stacker.yaml --substitute IMAGE_NAME="ghcr.io/project-zot/golang" --substitute IMAGE_TAG="1.20" --substitute DESCRIPTION="mydesc" --substitute VENDOR="CentOs" --substitute LICENSES="GPLv2" --url docker://127.0.0.1:8080 --tag 1.20 --skip-tls
[ "$status" -eq 0 ]
run curl -X POST -H "Content-Type: application/json" --data '{ "query": "{ ImageList(repo: \"ghcr.io/project-zot/golang\") { Results { RepoName Tag Digest ConfigDigest Size Layers {Size Digest } Description Vendor Licenses }}}"}' http://localhost:8080/v2/_zot/ext/search
[ "$status" -eq 0 ]
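Review bot: The fixture pull in setup_file still fetches `docker://ghcr.io/project-zot/golang:1.20` by mutable tag under `--insecure-policy`, so neither a signature policy nor a digest fixes which content the suite actually runs against; the same line appears in the setup_file of the other bats files touched by this commit. Consider pinning the source by digest, `docker://ghcr.io/project-zot/golang@sha256:<DIGEST>` (placeholder), while keeping the `:1.20` name on the `oci:` destination. Holding the tag in one shared variable would also reduce the next bump to a single line instead of an edit in every test. setup_file begins before this hunk and continues past it.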
+7 -7
@@ -7,7 +7,7 @@ function setup_file() {
fi
# Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.18 oci:${TEST_DATA_DIR}/golang:1.18
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
# Setup zot server
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
@@ -67,22 +67,22 @@ function teardown_file() {
@test "push image user policy" {
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.18 \
docker://127.0.0.1:8080/golang:1.18
oci:${TEST_DATA_DIR}/golang:1.20 \
docker://127.0.0.1:8080/golang:1.20
[ "$status" -eq 0 ]
}
@test "pull image anonymous policy" {
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
run skopeo --insecure-policy copy --src-tls-verify=false \
docker://127.0.0.1:8080/golang:1.18 \
oci:${oci_data_dir}/golang:1.18
docker://127.0.0.1:8080/golang:1.20 \
oci:${oci_data_dir}/golang:1.20
[ "$status" -eq 0 ]
}
@test "push image anonymous policy" {
run skopeo --insecure-policy copy --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.18 \
docker://127.0.0.1:8080/golang:1.18
oci:${TEST_DATA_DIR}/golang:1.20 \
docker://127.0.0.1:8080/golang:1.20
[ "$status" -eq 1 ]
}
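Review bot: The `push image anonymous policy` test passes on any skopeo failure, because its only assertion is `[ "$status" -eq 1 ]`; a missing `oci:${TEST_DATA_DIR}/golang:1.20` fixture or an unreachable registry would satisfy it just as well as an access-control denial. Since this is the negative test for the anonymous policy, it should also assert on the reason for the failure, for example `[[ "$output" == *"<EXPECTED_DENIAL_STATUS>"* ]]` (placeholder for the status the registry is expected to return). Without that, a fixture problem like the removed image tags this commit works around could silently turn the test into a no-op.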
+5 -5
@@ -8,7 +8,7 @@ function setup_file() {
fi
# Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.17 oci:${TEST_DATA_DIR}/golang:1.17
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
# Setup zot server
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
@@ -53,15 +53,15 @@ function teardown_file() {
@test "cve by image name and tag" {
run skopeo --insecure-policy copy --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.17 \
docker://127.0.0.1:8080/golang:1.17
oci:${TEST_DATA_DIR}/golang:1.20 \
docker://127.0.0.1:8080/golang:1.20
[ "$status" -eq 0 ]
run curl http://127.0.0.1:8080/v2/_catalog
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.repositories[]') = '"golang"' ]
run curl http://127.0.0.1:8080/v2/golang/tags/list
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.17"' ]
run ${ZLI_PATH} cve ${REGISTRY_NAME} -I golang:1.17
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.20"' ]
run ${ZLI_PATH} cve ${REGISTRY_NAME} -I golang:1.20
[ "$status" -eq 0 ]
}
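Review bot: After `run ${ZLI_PATH} cve ${REGISTRY_NAME} -I golang:1.20` the test checks only `[ "$status" -eq 0 ]`, so an empty or malformed scan result would still pass. Moving the image to 1.20 presumably changes the set of findings, and nothing here would notice if the scanner returned none. If the fixture can be relied on to have at least one finding, an assertion on the output shape such as `[[ "$output" == *"CVE-"* ]]` would make the test cover the scan itself; otherwise assert on whatever header or summary line the command prints.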
+7 -7
@@ -7,7 +7,7 @@ function setup_file() {
fi
# Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.19 oci:${TEST_DATA_DIR}/golang:1.19
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
# Setup zot server
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
@@ -72,12 +72,12 @@ function teardown_file() {
@test "push 2 images with same manifest with user policy" {
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.19 \
docker://127.0.0.1:8080/golang:1.19
oci:${TEST_DATA_DIR}/golang:1.20 \
docker://127.0.0.1:8080/golang:1.20
[ "$status" -eq 0 ]
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.19 \
oci:${TEST_DATA_DIR}/golang:1.20 \
docker://127.0.0.1:8080/golang:latest
[ "$status" -eq 0 ]
}
@@ -85,7 +85,7 @@ function teardown_file() {
@test "skopeo delete image with anonymous policy should fail" {
# skopeo deletes by digest, so it should fail with detectManifestCollision policy
run skopeo --insecure-policy delete --tls-verify=false \
docker://127.0.0.1:8080/golang:1.19
docker://127.0.0.1:8080/golang:1.20
[ "$status" -eq 1 ]
# conflict status code
[[ "$output" == *"409"* ]]
@@ -95,7 +95,7 @@ function teardown_file() {
run regctl registry set localhost:8080 --tls disabled
[ "$status" -eq 0 ]
run regctl image delete localhost:8080/golang:1.19 --force-tag-dereference
run regctl image delete localhost:8080/golang:1.20 --force-tag-dereference
[ "$status" -eq 1 ]
# conflict status code
[[ "$output" == *"409"* ]]
@@ -104,6 +104,6 @@ function teardown_file() {
@test "delete image with user policy should work" {
# should work without detectManifestCollision policy
run skopeo --insecure-policy delete --creds test:test --tls-verify=false \
docker://127.0.0.1:8080/golang:1.19
docker://127.0.0.1:8080/golang:1.20
[ "$status" -eq 0 ]
}
+1 -1
@@ -8,7 +8,7 @@ function setup_file() {
fi
# Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.17 oci:${TEST_DATA_DIR}/golang:1.17
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
# Setup zot server
zot_root_dir=${BATS_FILE_TMPDIR}/zot
+13 -13
@@ -6,7 +6,7 @@ function setup_file() {
exit 1
fi
# Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.19 oci:${TEST_DATA_DIR}/golang:1.19
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
# Setup zot server
local zot_root_dir=${BATS_FILE_TMPDIR}/zot
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
@@ -43,26 +43,26 @@ function teardown_file() {
@test "push image" {
run skopeo --insecure-policy copy --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.19 \
docker://127.0.0.1:8080/golang:1.19
oci:${TEST_DATA_DIR}/golang:1.20 \
docker://127.0.0.1:8080/golang:1.20
[ "$status" -eq 0 ]
run curl http://127.0.0.1:8080/v2/_catalog
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.repositories[]') = '"golang"' ]
run curl http://127.0.0.1:8080/v2/golang/tags/list
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.19"' ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.20"' ]
}
@test "pull image" {
local oci_data_dir=${BATS_FILE_TMPDIR}/oci
run skopeo --insecure-policy copy --src-tls-verify=false \
docker://127.0.0.1:8080/golang:1.19 \
oci:${oci_data_dir}/golang:1.19
docker://127.0.0.1:8080/golang:1.20 \
oci:${oci_data_dir}/golang:1.20
[ "$status" -eq 0 ]
run cat ${BATS_FILE_TMPDIR}/oci/golang/index.json
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.manifests[].annotations."org.opencontainers.image.ref.name"') = '"1.19"' ]
[ $(echo "${lines[-1]}" | jq '.manifests[].annotations."org.opencontainers.image.ref.name"') = '"1.20"' ]
}
@test "push image index" {
@@ -120,16 +120,16 @@ function teardown_file() {
@test "attach oras artifacts" {
# attach signature
echo "{\"artifact\": \"\", \"signature\": \"pat hancock\"}" > signature.json
run oras attach --plain-http 127.0.0.1:8080/golang:1.19 --artifact-type 'signature/example' ./signature.json:application/json
run oras attach --plain-http 127.0.0.1:8080/golang:1.20 --artifact-type 'signature/example' ./signature.json:application/json
[ "$status" -eq 0 ]
# attach sbom
echo "{\"version\": \"0.0.0.0\", \"artifact\": \"'127.0.0.1:8080/golang:1.19'\", \"contents\": \"good\"}" > sbom.json
run oras attach --plain-http 127.0.0.1:8080/golang:1.19 --artifact-type 'sbom/example' ./sbom.json:application/json
echo "{\"version\": \"0.0.0.0\", \"artifact\": \"'127.0.0.1:8080/golang:1.20'\", \"contents\": \"good\"}" > sbom.json
run oras attach --plain-http 127.0.0.1:8080/golang:1.20 --artifact-type 'sbom/example' ./sbom.json:application/json
[ "$status" -eq 0 ]
}
@test "discover oras artifacts" {
run oras discover --plain-http -o json 127.0.0.1:8080/golang:1.19
run oras discover --plain-http -o json 127.0.0.1:8080/golang:1.20
[ "$status" -eq 0 ]
[ $(echo "$output" | jq -r ".manifests | length") -eq 2 ]
}
@@ -151,12 +151,12 @@ function teardown_file() {
@test "push image with regclient" {
run regctl registry set localhost:8080 --tls disabled
[ "$status" -eq 0 ]
run regctl image copy ocidir://${TEST_DATA_DIR}/golang:1.19 localhost:8080/test-regclient
run regctl image copy ocidir://${TEST_DATA_DIR}/golang:1.20 localhost:8080/test-regclient
[ "$status" -eq 0 ]
}
@test "pull image with regclient" {
run regctl image copy localhost:8080/test-regclient ocidir://${TEST_DATA_DIR}/golang:1.19
run regctl image copy localhost:8080/test-regclient ocidir://${TEST_DATA_DIR}/golang:1.20
[ "$status" -eq 0 ]
}
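Review bot: `pull image with regclient` copies from the registry back into `ocidir://${TEST_DATA_DIR}/golang:1.20`, which is the fixture setup_file downloaded and which its comment describes as common to the entire suite. Later tests and other bats files then read an input that was rewritten by a test rather than the one pulled from ghcr.io. Writing to a per-file location, as `pull image` does with `${BATS_FILE_TMPDIR}/oci`, keeps the shared fixture read-only: `run regctl image copy localhost:8080/test-regclient ocidir://${BATS_FILE_TMPDIR}/oci/golang:1.20`.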
+1 -1
@@ -1,7 +1,7 @@
load helpers_scrub
function setup_file(){
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.17 oci:${TEST_DATA_DIR}/golang:1.17
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
}
function setup() {
+19 -19
@@ -7,7 +7,7 @@ function setup_file() {
fi
# Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.19 oci:${TEST_DATA_DIR}/golang:1.19
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
# Setup zot server
local zot_sync_per_root_dir=${BATS_FILE_TMPDIR}/zot-per
local zot_sync_ondemand_root_dir=${BATS_FILE_TMPDIR}/zot-ondemand
@@ -134,8 +134,8 @@ function teardown_file() {
# sync image
@test "sync golang image periodically" {
run skopeo --insecure-policy copy --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.19 \
docker://127.0.0.1:9000/golang:1.19
oci:${TEST_DATA_DIR}/golang:1.20 \
docker://127.0.0.1:9000/golang:1.20
[ "$status" -eq 0 ]
run curl http://127.0.0.1:9000/v2/_catalog
[ "$status" -eq 0 ]
@@ -143,7 +143,7 @@ function teardown_file() {
run curl http://127.0.0.1:8081/v2/_catalog
run curl http://127.0.0.1:9000/v2/golang/tags/list
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.19"' ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.20"' ]
run sleep 20s
@@ -153,25 +153,25 @@ function teardown_file() {
run curl http://127.0.0.1:8081/v2/golang/tags/list
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.19"' ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.20"' ]
}
@test "sync golang image ondemand" {
run skopeo --insecure-policy copy --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.19 \
docker://127.0.0.1:9000/golang:1.19
oci:${TEST_DATA_DIR}/golang:1.20 \
docker://127.0.0.1:9000/golang:1.20
[ "$status" -eq 0 ]
run curl http://127.0.0.1:9000/v2/_catalog
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.repositories[]') = '"golang"' ]
# sync golang on demand
run curl http://127.0.0.1:8082/v2/golang/manifests/1.19
run curl http://127.0.0.1:8082/v2/golang/manifests/1.20
[ "$status" -eq 0 ]
run curl http://127.0.0.1:9000/v2/golang/tags/list
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.19"' ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.20"' ]
run curl http://127.0.0.1:8082/v2/_catalog
[ "$status" -eq 0 ]
@@ -179,7 +179,7 @@ function teardown_file() {
run curl http://127.0.0.1:8082/v2/golang/tags/list
[ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.19"' ]
[ $(echo "${lines[-1]}" | jq '.tags[]') = '"1.20"' ]
}
# sync index
@@ -241,9 +241,9 @@ function teardown_file() {
[ "$status" -eq 0 ]
run cosign generate-key-pair
[ "$status" -eq 0 ]
run cosign sign --key cosign.key localhost:9000/golang:1.19 --yes
run cosign sign --key cosign.key localhost:9000/golang:1.20 --yes
[ "$status" -eq 0 ]
run cosign verify --key cosign.pub localhost:9000/golang:1.19
run cosign verify --key cosign.pub localhost:9000/golang:1.20
[ "$status" -eq 0 ]
}
@@ -272,11 +272,11 @@ function teardown_file() {
}
EOF
run notation sign --key "notation-sign-sync-test" --plain-http localhost:9000/golang:1.19
run notation sign --key "notation-sign-sync-test" --plain-http localhost:9000/golang:1.20
[ "$status" -eq 0 ]
run notation verify --plain-http localhost:9000/golang:1.19
run notation verify --plain-http localhost:9000/golang:1.20
[ "$status" -eq 0 ]
run notation list --plain-http localhost:9000/golang:1.19
run notation list --plain-http localhost:9000/golang:1.20
[ "$status" -eq 0 ]
}
@@ -284,18 +284,18 @@ EOF
# wait for signatures to be copied
run sleep 5s
run notation verify --plain-http localhost:8081/golang:1.19
run notation verify --plain-http localhost:8081/golang:1.20
[ "$status" -eq 0 ]
run cosign verify --key cosign.pub localhost:8081/golang:1.19
run cosign verify --key cosign.pub localhost:8081/golang:1.20
[ "$status" -eq 0 ]
}
@test "sync signatures ondemand" {
run notation verify --plain-http localhost:8082/golang:1.19
run notation verify --plain-http localhost:8082/golang:1.20
[ "$status" -eq 0 ]
run cosign verify --key cosign.pub localhost:8082/golang:1.19
run cosign verify --key cosign.pub localhost:8082/golang:1.20
[ "$status" -eq 0 ]
}
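Review bot: The periodic signature check in the last hunk relies on `run sleep 5s` being long enough for sync to copy the signatures before `notation verify` and `cosign verify` run against localhost:8081. On a slow runner the verification can fail for timing reasons even though signature sync works. A bounded retry around the first verify makes the outcome depend on the sync result, not on the delay; the same applies to the `run sleep 20s` in the periodic image test. The enclosing test starts outside the hunk.

```shell
# … unchanged: comment "wait for signatures to be copied" …
for _ in $(seq 1 10); do
    run notation verify --plain-http localhost:8081/golang:1.20
    if [ "$status" -eq 0 ]; then
        break
    fi
    sleep 1
done
[ "$status" -eq 0 ]
# … unchanged: cosign verify against localhost:8081 …
```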