set go to 1.23.6

Signed-off-by: Fan Shang Xiang <[email protected]>

.github/workflows/codeql-analysis.yml

@@ -16,22 +16,24 @@ on:
   push:
     branches: [ master, 'release-**' ]
     paths:
-      - 'pkg/**.go'
+      - '.github/workflows/codeql-analysis.yaml'
       - 'cmd/**.go'
-      - 'tests/**.go'
+      - 'pkg/**.go'
       - 'go.*'
-      - 'hack/verify-updates.sh'
       - '!vendor/**'
+      - 'health-probe-proxy/**'
+      - '!pkg/provider/azclient/**.go'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ master, 'release-**' ]
     paths:
+      - '.github/workflows/codeql-analysis.yaml'
       - 'pkg/**.go'
-      - 'cmd/**.go'
-      - 'tests/**.go'
       - 'go.*'
       - 'hack/verify-updates.sh'
       - '!vendor/**'
+      - 'health-probe-proxy/**'
+      - '!pkg/provider/azclient/**.go'
   schedule:
     - cron: '0 */4 * * *'
 permissions:
@@ -64,8 +66,8 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
       with:
-        go-version: '>=1.20'
-        check-latest: true
+        go-version-file: go.mod
+        cache-dependency-path: go.sum
       id: go
 
     # Initializes the CodeQL tools for scanning.
@@ -82,7 +84,6 @@ jobs:
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
       run: |
-        make all
         go test -covermode=count -coverprofile=profile.cov.tmp ./pkg/...
         grep -v mock profile.cov.tmp > profile.cov
 

.github/workflows/release.yaml

@@ -33,6 +33,7 @@ jobs:
         uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version-file: go.mod
+          cache-dependency-path: go.sum
       - name: Build binary
         run: |
           rm -rf ./bin
@@ -69,7 +70,7 @@ jobs:
         uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version-file: go.mod
-          cache: true
+          cache-dependency-path: go.sum
       - name: Build binary for linux
         if: matrix.os == 'linux'
         run: |
@@ -121,6 +122,7 @@ jobs:
         uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version-file: go.mod
+          cache-dependency-path: go.sum
       - name: Build binary for linux
         if: matrix.os == 'linux'
         run: |

.github/workflows/staticcheck-azclient.yaml

@@ -0,0 +1,65 @@
+name: Static check scanner - azclient
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ master, 'release-**' ]
+    paths:
+      - '.github/workflows/staticcheck-azclient.yaml'
+      - 'pkg/azclient/**.go'
+  pull_request:
+    branches: [ master, 'release-**' ]
+    paths:
+      - '.github/workflows/staticcheck-azclient.yaml'
+      - 'pkg/azclient/**.go'
+  schedule:
+    - cron: '0 1 * * *'
+permissions:
+  contents: read
+jobs:
+  build:
+    permissions:
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      pull-requests: write # for actions/dependency-review-action to comment on PRs
+      checks: write # forgolangci/golangci-lint-action to annotate the code
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Golang
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@0adbc47a5910e47adb692df88187ec8c73c76778 # v6.4.0
+        with:
+          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
+          version: v1.64
+          args: -v
+          install-mode: goinstall
+          working-directory: './pkg/azclient'
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+        with:
+          show-openssf-scorecard: true
+          comment-summary-in-pr: always
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # master
+        with:
+          scan-type: 'fs'
+          format: 'sarif'
+          output: 'aclient-results.sarif'
+          scan-ref: './pkg/azclient'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'aclient-results.sarif'

.github/workflows/trivy.yaml → .github/workflows/staticcheck.yaml

@@ -1,23 +1,25 @@
-name: Trivy scanner
+name: Static check scanner
 
 on:
   workflow_dispatch:
   push:
     branches: [ master, 'release-**' ]
     paths:
-      - '.github/workflows/trivy.yaml'
+      - '.github/workflows/staticcheck.yaml'
       - 'pkg/**.go'
       - '!kubetest2-aks/**.go'
+      - '!pkg/azclient/**.go'
       - 'cmd/**.go'
       - 'go.*'
       - '!vendor/**'
       - 'health-probe-proxy/**'
   pull_request:
     branches: [ master, 'release-**' ]
     paths:
-      - '.github/workflows/trivy.yaml'
+      - '.github/workflows/staticcheck.yaml'
       - 'pkg/**.go'
       - '!kubetest2-aks/**.go'
+      - '!pkg/azclient/**.go'
       - 'cmd/**.go'
       - 'go.*'
       - '!vendor/**'
@@ -30,6 +32,7 @@ jobs:
   build:
     permissions:
       contents: write # for sbom
+      pull-requests: write # for actions/dependency-review-action to comment on PRs
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     name: Build
     runs-on: ubuntu-latest
@@ -41,12 +44,51 @@ jobs:
 
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Set up Go 1.x
+      - name: Setup Golang
         uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
-          go-version: '>=1.20'
-          check-latest: true
-        id: go
+          go-version-file: go.mod
+          cache-dependency-path: go.sum
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@0adbc47a5910e47adb692df88187ec8c73c76778 # v6.4.0
+        with:
+          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
+          version: v1.64
+          args: -v
+          install-mode: goinstall
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+        with:
+          show-openssf-scorecard: true
+          comment-summary-in-pr: always
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # master
+        with:
+          scan-type: 'fs'
+          format: 'sarif'
+          output: 'dependency-results.sarif'
+          scan-ref: '.'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'dependency-results.sarif'
+  build-acr-credential-provider:
+    permissions:
+      contents: read 
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    name: Build acr-credential-provider
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Build images
         run: |
           export TAG=${{ github.sha }}
@@ -71,6 +113,20 @@ jobs:
         with:
           sarif_file: 'trivy-ccm-results.sarif'
           category: azure-cloud-controller-manager-image
+  build-cloud-node-manager:
+    permissions:
+      contents: read 
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    name: Build cloud-node-manager
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run Trivy scanner CNM
         uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # master
         with:
@@ -87,6 +143,20 @@ jobs:
         with:
           sarif_file: 'trivy-cnm-linux-results.sarif'
           category: azure-cloud-node-manager-linux-image
+  build-health-probe-proxy:
+    permissions:
+      contents: read 
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    name: Build health-probe-proxy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run Trivy scanner health-probe-proxy
         uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # master
         with:
@@ -104,13 +174,4 @@ jobs:
           sarif_file: 'trivy-health-probe-proxy-linux-results.sarif'
           category: health-probe-proxy-linux-image
 
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # master
-        with:
-          scan-type: 'fs'
-          format: 'github'
-          output: 'dependency-results.sbom.json'
-          scan-ref: '.'
-          github-pat: ${{ secrets.GITHUB_TOKEN }}
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
+

cloudbuild.yaml

@@ -8,7 +8,7 @@ options:
   substitution_option: ALLOW_LOOSE
 steps:
   # gcb-docker-gcloud is published at https://testgrid.k8s.io/sig-testing-image-pushes#gcb-docker-gcloud
-  - name: "gcr.io/k8s-staging-test-infra/gcb-docker-gcloud@sha256:4e830b673791d5595719bc6c4ca62dce3746b4e20d749e45004254bc6ef0a140" # v20250116-2a05ea7e3d
+  - name: "gcr.io/k8s-staging-test-infra/gcb-docker-gcloud"
     entrypoint: make
     env:
       - TAG=${_GIT_TAG}

go.mod

@@ -1,8 +1,6 @@
 module sigs.k8s.io/cloud-provider-azure
 
-go 1.23.2
-
-godebug winsymlink=0
+go 1.23.6
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0

pkg/provider/azure_loadbalancer.go

@@ -2979,11 +2979,11 @@ func (az *Cloud) getExpectedLoadBalancingRulePropertiesForPort(
 	var lbIdleTimeout *int32
 	if lbIdleTimeout, err = consts.Getint32ValueFromK8sSvcAnnotation(service.Annotations, consts.ServiceAnnotationLoadBalancerIdleTimeout, func(val *int32) error {
 		const (
-			min = 4
-			max = 100
+			minIdleTimeout = 4
+			maxIdleTimeout = 100
 		)
-		if *val < min || *val > max {
-			return fmt.Errorf("idle timeout value must be a whole number representing minutes between %d and %d, actual value: %d", min, max, *val)
+		if *val < minIdleTimeout || *val > maxIdleTimeout {
+			return fmt.Errorf("idle timeout value must be a whole number representing minutes between %d and %d, actual value: %d", minIdleTimeout, maxIdleTimeout, *val)
 		}
 		return nil
 	}); err != nil {