Fix the promql-cli vulnerabilities (#1)

Signed-off-by: uditgaurav <udit@chaosnative.com>

Author: uditgaurav

.github/workflows/build-image.yml

@@ -1,41 +1,43 @@
-name: build-and-push-image
-on:
-  push:
-    branches:
-      - main
-      - master
-    tags:
-      - "v*.*.*"
-jobs:
-  build_and_push:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Get tag metadata
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          images: |
-            ghcr.io/nalbury/promql-cli
-          tags: |
-            type=ref,event=branch
-            type=semver,pattern={{version}}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and Push
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          push: true
+## NOTE: To build the image please uncomment the workflow
+
+# name: build-and-push-image
+# on:
+#   push:
+#     branches:
+#       - main
+#       - master
+#     tags:
+#       - "v*.*.*"
+# jobs:
+#   build_and_push:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - name: Checkout
+#         uses: actions/checkout@v2
+#       - name: Get tag metadata
+#         id: meta
+#         uses: docker/metadata-action@v3
+#         with:
+#           images: |
+#             ghcr.io/nalbury/promql-cli
+#           tags: |
+#             type=ref,event=branch
+#             type=semver,pattern={{version}}
+#       - name: Set up QEMU
+#         uses: docker/setup-qemu-action@v1
+#       - name: Set up Docker Buildx
+#         uses: docker/setup-buildx-action@v1
+#       - name: Login to GitHub Container Registry
+#         uses: docker/login-action@v1
+#         with:
+#           registry: ghcr.io
+#           username: ${{ github.repository_owner }}
+#           password: ${{ secrets.GITHUB_TOKEN }}
+#       - name: Build and Push
+#         uses: docker/build-push-action@v2
+#         with:
+#           context: .
+#           platforms: linux/amd64,linux/arm64
+#           tags: ${{ steps.meta.outputs.tags }}
+#           labels: ${{ steps.meta.outputs.labels }}
+#           push: true

.github/workflows/release.yml

@@ -1,28 +1,38 @@
 name: Release
 on:
-  push:
-    tags:
-    - 'v*'
+  workflow_dispatch:
+    inputs:   
+      release_tag:
+        description: 'release tag'
+        required: true
+      release_title:
+        description: 'release title'
+        required: false
+      release_notes:
+        description: 'release notes'     
+        required: false
+        default: ''
 jobs:
   release:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
       with:
-        go-version: 1.16.x
+        go-version: 1.17.x
     - name: Checkout code
       uses: actions/checkout@v2
+      
     - name: Create release artifacts
-      run: VERSION=$(awk -F '/' '{print $3}'<<< "$GITHUB_REF") make release
-    - name: Create release
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-        VERSION=$(awk -F '/' '{print $3}'<<< "$GITHUB_REF")
-        for f in ./build/artifacts/*
-        do
-          [ -f "$f" ] && assets+=(-a "$f")
-        done
-        hub release create -m "Release ${VERSION}" \
-          "${assets[@]}" "${VERSION}"
+        OS="linux" ARCH="amd64" make build
+        OS="linux" ARCH="arm64" make build
+
+    - name: create release along with artifact
+      uses: ncipollo/release-action@v1
+      with:
+        artifacts: "./build/bin/*"
+        body: "${{ github.event.inputs.release_notes }}"
+        token: ${{ secrets.GITHUB_TOKEN }}
+        name: "${{ github.event.inputs.release_title }}"
+        tag: ${{ github.event.inputs.release_tag }}     

LICENSE

@@ -1,4 +1,3 @@
-
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/

Makefile

@@ -8,10 +8,10 @@ GOARCH = $(strip $(ARCH))
 V = $(strip $(VERSION))
 P = $(strip $(INSTALL_PATH))
 
-BUILD_PATH = ./build/bin/$(GOOS)/$(GOARCH)
+BUILD_PATH = ./build/bin
 ARTIFACT_PATH = ./build/artifacts
 
-export GO_BUILD=GOOS=$(GOOS) GOARCH=$(GOARCH) go build -o $(BUILD_PATH)/promql ./
+export GO_BUILD=GOOS=$(GOOS) GOARCH=$(GOARCH) go build -o $(BUILD_PATH)/promql_$(GOOS)_$(GOARCH) ./
 export TAR=tar -czvf $(ARTIFACT_PATH)/promql-$(V)-$(GOOS)-$(GOARCH).tar.gz -C $(BUILD_PATH) promql
 
 build: setup ## Build promql binary
@@ -30,7 +30,6 @@ build-all: ## Build binaries for linux and macOS
 
 build-artifact: setup ## Build binary and create release artifact
 		$(GO_BUILD)
-		$(TAR)
 
 release: ## Build binaries and create release artifacts for both linux and macOS
 		OS="darwin" ARCH="amd64" make build-artifact
@@ -52,4 +51,4 @@ help: ## Print Makefile help
 	@echo "#### Environment Variables ####"
 	@awk '$$4 == "##" {gsub(/\?=./, "", $$0); $$2="(default: "$$2")"; printf "-- %s \n", $$0}' Makefile
 	@echo "#### Targets ####"
-	@awk '$$1 ~ /^.*:$$/ {gsub(":", "", $$1);printf "-- %s \n", $$0}' Makefile
+	@awk '$$1 ~ /^.*:$$/ {gsub(":", "", $$1);printf "-- %s \n", $$0}' Makefile

go.mod

@@ -1,14 +1,50 @@
 module github.com/nalbury/promql-cli
 
-go 1.16
+go 1.17
 
 require (
 	github.com/guptarohit/asciigraph v0.4.2-0.20191006150553-f9506970428c
-	github.com/kr/pretty v0.2.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/prometheus/client_golang v1.10.0
 	github.com/prometheus/common v0.18.0
 	github.com/spf13/cobra v1.1.3
 	github.com/spf13/viper v1.7.0
 	github.com/stretchr/testify v1.6.1
 )
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fsnotify/fsnotify v1.4.7 // indirect
+	github.com/golang/protobuf v1.4.3 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jpillora/backoff v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.10 // indirect
+	github.com/kr/pretty v0.2.1 // indirect
+	github.com/magiconair/properties v1.8.1 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mitchellh/mapstructure v1.1.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
+	github.com/pelletier/go-toml v1.2.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/procfs v0.6.0 // indirect
+	github.com/spf13/afero v1.1.2 // indirect
+	github.com/spf13/cast v1.3.0 // indirect
+	github.com/spf13/jwalterweatherman v1.0.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/subosito/gotenv v1.2.0 // indirect
+	golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
+	golang.org/x/sys v0.0.0-20210309074719-68d13333faf2 // indirect
+	golang.org/x/text v0.3.2 // indirect
+	google.golang.org/protobuf v1.23.0 // indirect
+	gopkg.in/ini.v1 v1.51.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+)
+
+replace golang.org/x/text => golang.org/x/text v0.3.3

go.sum

@@ -447,10 +447,8 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210309074719-68d13333faf2 h1:46ULzRKLh1CwgRq2dC5SlBzEqqNCi8rreOZnNrbqcIY=
 golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=