From 3aa5d180f2da56fd96b8d99539a712ab66220677 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Fri, 25 Apr 2025 11:02:26 +0200
Subject: [PATCH 1/4] Bump version to 1.6.2

https://github.com/containernetworking/plugins/releases/tag/v1.6.2

Signed-off-by: Natanael Copa
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index fc44b94..12694de 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,8 @@
 ARG \
 ALPINE_IMAGE=docker.io/library/alpine:3.21.3 \
 GOLANG_IMAGE=docker.io/library/golang:1.24.2-alpine \
- VERSION=1.3.0 \
- HASH=f9871b9f6ccb51d2b264532e96521e44f926928f91434b56ce135c95becf2901
+ VERSION=1.6.2 \
+ HASH=aa9a9401d27c1ad440627bbe7093d7e9ff47d325aac27b89a2cbdd56e25f3625
 
 FROM --platform=$BUILDPLATFORM $GOLANG_IMAGE as bins
 ARG VERSION HASH

From 904b1fdf02edf1d9947453d9ddd5f5cbdafa8a6d Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Fri, 25 Apr 2025 11:10:07 +0200
Subject: [PATCH 2/4] Bump versions of actions and enable riscv64 image

docker/setup-qemu-action: 3.0.0 -> 3.6.0
docker/setup-buildx-action: 3.0.0 -> 3.10.0
aquasecurity/trivy-action: 0.12.0 -> 0.30.0
quay.io/skopeo: 1.13.3 -> 1.18.0

Signed-off-by: Natanael Copa
---
 .github/workflows/build.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 584f572..c480c44 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -37,20 +37,20 @@ jobs: } >>"$GITHUB_OUTPUT" - name: Set up QEMU - uses: docker/setup-qemu-action@v3.0.0 + uses: docker/setup-qemu-action@v3.6.0 with: - platforms: amd64,arm64,arm + platforms: amd64,arm64,arm,riscv64 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3.0.0 + uses: docker/setup-buildx-action@v3.10.0 - name: Build OCI image archive id: build - uses: docker/build-push-action@v5.0.0 + uses: docker/build-push-action@v6.16.0 with: builder: ${{ steps.buildx.outputs.name }} - platforms: linux/amd64,linux/arm64,linux/arm + platforms: linux/amd64,linux/arm64,linux/arm,linux/riscv64 tags: ${{ format('{0}/{1}:{2}', steps.prep.outputs.registry, steps.prep.outputs.name, steps.prep.outputs.tag) }} outputs: type=oci,dest=oci-image.tar @@ -75,7 +75,7 @@ jobs: run: mkdir image && tar xf oci-image.tar.zst -C image/ - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.12.0 + uses: aquasecurity/trivy-action@0.30.0 with: input: image/ format: table @@ -106,5 +106,5 @@ jobs: set -x podman run "${podmanArgs[@]}" \ - docker://quay.io/skopeo/stable:v1.13.3 copy "${skopeoArgs[@]}" \ + docker://quay.io/skopeo/stable:v1.18.0 copy "${skopeoArgs[@]}" \ oci-archive:/image.tar "docker://$REGISTRY/$NAME:$TAG" From a4f65999ff9569c153d89931410e97d03bdaa66f Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Fri, 25 Apr 2025 12:49:29 +0200 Subject: [PATCH 3/4] Fix CVE-2025-22870 and CVE-2025-22872 ref: https://github.com/containernetworking/plugins/issues/1172 Signed-off-by: Natanael Copa --- Dockerfile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Dockerfile b/Dockerfile index 12694de..a74327f 100644 --- a/Dockerfile +++ b/Dockerfile 
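Review bot: The bumped `uses:` references in the first hunk (setup-qemu-action, setup-buildx-action, build-push-action) and the trivy-action in the second hunk are still pinned to mutable tags; a tag can be moved to different code without any change in this workflow, so for a job that builds and pushes the published image each third-party action should be pinned to a full commit SHA with the version kept as a trailing comment, e.g. `uses: docker/setup-qemu-action@<commit-sha-of-v3.6.0> # v3.6.0`. The same applies to the skopeo image in the third hunk, which can be pinned by `@sha256:<image-digest>` instead of `:v1.18.0`. The commit message lists four bumps but the first hunk also moves docker/build-push-action from v5.0.0 to v6.16.0, a major-version change that is worth naming in the message. With riscv64 added to the build platforms, it is also worth confirming that the Trivy step, which scans the unpacked OCI archive directory, covers every platform in the index rather than only the first; the surrounding job continues outside the hunks.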
@@ -13,6 +13,13 @@ RUN wget https://github.com/containernetworking/plugins/archive/refs/tags/v${VER && rm -- "v${VERSION}.tar.gz" WORKDIR /go/plugins-$VERSION + +# https://github.com/containernetworking/plugins/issues/1172 +RUN set -x \ + && go get golang.org/x/net@v0.38.0 \ + && go mod tidy \ + && go mod vendor + ARG TARGETPLATFORM RUN set -x \ && apk add bash \ From faef0058064745fb6f9277d35e3caf0c2a361cde Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Fri, 25 Apr 2025 13:04:24 +0200 Subject: [PATCH 4/4] Fix github actions warning about case in Dockerfile Fix the warning: The 'as' keyword should match the case of the 'from' keyword Signed-off-by: Natanael Copa --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index a74327f..903a494 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ ARG \ VERSION=1.6.2 \ HASH=aa9a9401d27c1ad440627bbe7093d7e9ff47d325aac27b89a2cbdd56e25f3625 -FROM --platform=$BUILDPLATFORM $GOLANG_IMAGE as bins +FROM --platform=$BUILDPLATFORM $GOLANG_IMAGE AS bins ARG VERSION HASH RUN wget https://github.com/containernetworking/plugins/archive/refs/tags/v${VERSION}.tar.gz \ @@ -36,11 +36,11 @@ RUN set -x \ -ldflags "-s -w -extldflags -static -X github.com/containernetworking/plugins/pkg/utils/buildversion.BuildVersion=v$VERSION" -FROM $ALPINE_IMAGE as busybox +FROM $ALPINE_IMAGE AS busybox RUN apk add busybox-static -FROM $ALPINE_IMAGE as baselayout +FROM $ALPINE_IMAGE AS baselayout COPY --from=busybox /bin/busybox.static /bin/busybox RUN /bin/busybox --install COPY src/cni-node /bin/cni-node
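Review bot: The new RUN step overrides a dependency version that the HASH-verified v1.6.2 tarball pins, but the comment above it gives only an issue link; it should say what is being overridden and when the step can be dropped, e.g. `# CVE-2025-22870 / CVE-2025-22872: v1.6.2 vendors a vulnerable golang.org/x/net; force v0.38.0 until an upstream release ships the fix (issue 1172)`. Because `go get` runs at build time, the added module is verified against go.sum and the Go checksum database only under Go's default settings, which this hunk does not change; confirm that nothing elsewhere in the Dockerfile (outside the hunk) sets GONOSUMDB, GOFLAGS or an untrusted GOPROXY, as that would turn this fix into an unverified download. Since the resulting go.mod/go.sum changes are not visible in review, consider appending `&& go list -m golang.org/x/net` to the chain so the build log records the resolved version. The build step that consumes the vendored tree begins after this hunk.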