Rebase

.docker/Dockerfile-alpine

@@ -1,8 +1,9 @@
-FROM alpine:3.18
+FROM alpine:3.20
 
 RUN addgroup -S ory; \
-    adduser -S ory -G ory -D -H -s /bin/nologin
-RUN apk --no-cache --upgrade add ca-certificates
+    adduser -S ory -G ory -D -H -s /bin/nologin && \
+    apk upgrade --no-cache && \
+    apk add --no-cache --upgrade ca-certificates
 
 COPY hydra /usr/bin/hydra
 

.docker/Dockerfile-build

@@ -1,4 +1,4 @@
-FROM golang:1.21 AS builder
+FROM golang:1.22 AS builder
 
 WORKDIR /go/src/github.com/ory/hydra
 
@@ -9,17 +9,16 @@ RUN apt-get update && apt-get upgrade -y &&\
 COPY go.mod go.sum ./
 COPY internal/httpclient/go.* ./internal/httpclient/
 
-ENV GO111MODULE on
-ENV CGO_ENABLED 1
+ENV CGO_ENABLED=1
 
 RUN go mod download
 
 COPY . .
-RUN go build -tags sqlite,json1 -o /usr/bin/hydra
+RUN go build -ldflags="-extldflags=-static" -tags sqlite,sqlite_omit_load_extension -o /usr/bin/hydra
 
 #########################
 
-FROM gcr.io/distroless/base-nossl-debian12:nonroot AS runner
+FROM gcr.io/distroless/static-debian12:nonroot AS runner
 
 COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra

.docker/Dockerfile-hsm

@@ -1,4 +1,4 @@
-FROM golang:1.21 AS builder
+FROM golang:1.22 AS builder
 
 WORKDIR /go/src/github.com/ory/hydra
 
@@ -18,7 +18,7 @@ COPY . .
 ###############################
 
 FROM builder as build-hydra
-RUN go build -tags sqlite,json1,hsm -o /usr/bin/hydra
+RUN go build -tags sqlite,hsm -o /usr/bin/hydra
 
 ###############################
 

.docker/Dockerfile-scratch

@@ -1,6 +1,7 @@
-FROM alpine:3.18
+FROM alpine:3.20
 
-RUN apk --no-cache --upgrade --latest add ca-certificates
+RUN apk upgrade --no-cache && \
+    apk add --no-cache --upgrade ca-certificates
 
 # set up nsswitch.conf for Go's "netgo" implementation
 # - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275

.docker/Dockerfile-sqlite

@@ -1,4 +1,4 @@
-FROM alpine:3.18
+FROM alpine:3.20
 
 # Because this image is built for SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
 # and declare /home/ory/sqlite a volume.
@@ -10,7 +10,8 @@ FROM alpine:3.18
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
     chown -R ory:ory /home/ory && \
-    apk --no-cache --upgrade --latest add ca-certificates sqlite
+    apk upgrade --no-cache && \
+    apk add --no-cache --upgrade --latest ca-certificates sqlite
 
 WORKDIR /home/ory
 

.github/CODEOWNERS

@@ -1,3 +1,3 @@
-*            @aeneasr @hperl
+*            @aeneasr @hperl @alnr
 
 /docs/       @ory/documenters

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -28,7 +28,7 @@ body:
             "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
             "I am signed up to the [Ory Security Patch
-            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
+            Newsletter](https://www.ory.sh/l/sign-up-newsletter)."
     id: checklist
     type: checkboxes
   - attributes:

.github/ISSUE_TEMPLATE/DESIGN-DOC.yml

@@ -39,7 +39,7 @@ body:
             "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
             "I am signed up to the [Ory Security Patch
-            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
+            Newsletter](https://www.ory.sh/l/sign-up-newsletter)."
     id: checklist
     type: checkboxes
   - attributes:

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

@@ -32,7 +32,7 @@ body:
             "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
             "I am signed up to the [Ory Security Patch
-            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
+            Newsletter](https://www.ory.sh/l/sign-up-newsletter)."
     id: checklist
     type: checkboxes
   - attributes:

.github/workflows/ci.yaml

@@ -25,7 +25,7 @@ jobs:
           fetch-depth: 2
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Start service
         run: ./test/conformance/start.sh
       - name: Run tests
@@ -49,15 +49,15 @@ jobs:
       - sdk-generate
     services:
       postgres:
-        image: postgres:11.8
+        image: postgres:16
         env:
           POSTGRES_DB: postgres
           POSTGRES_PASSWORD: test
           POSTGRES_USER: test
         ports:
           - 5432:5432
       mysql:
-        image: mysql:8.0.26
+        image: mysql:8.0
         env:
           MYSQL_ROOT_PASSWORD: test
         ports:
@@ -69,7 +69,7 @@ jobs:
     steps:
       - run: |
           docker create --name cockroach -p 26257:26257 \
-            cockroachdb/cockroach:v22.1.10 start-single-node --insecure
+            cockroachdb/cockroach:latest-v24.1 start-single-node --insecure
           docker start cockroach
         name: Start CockroachDB
       - uses: ory/ci/checkout@master
@@ -82,7 +82,7 @@ jobs:
           key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
       - uses: actions/setup-go@v4
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - run: go list -json > go.list
       - name: Run nancy
         uses: sonatype-nexus-community/[email protected]
@@ -94,12 +94,12 @@ jobs:
           GOGC: 100
         with:
           args: --timeout 10m0s
-          version: v1.55.2
+          version: v1.61.0
           skip-pkg-cache: true
       - name: Run go-acc (tests)
         run: |
           make .bin/go-acc
-          .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,json1
+          .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,sqlite_omit_load_extension
       - name: Submit to Codecov
         run: |
           bash <(curl -s https://codecov.io/bash)
@@ -125,7 +125,7 @@ jobs:
           key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - name: Setup HSM libs and packages
         run: |
           sudo apt install -y softhsm opensc
@@ -150,15 +150,15 @@ jobs:
         args: ["", "--jwt"]
     services:
       postgres:
-        image: postgres:11.8
+        image: postgres:16
         env:
           POSTGRES_DB: postgres
           POSTGRES_PASSWORD: test
           POSTGRES_USER: test
         ports:
           - 5432:5432
       mysql:
-        image: mysql:8.0.26
+        image: mysql:8.0
         env:
           MYSQL_ROOT_PASSWORD: test
         ports:
@@ -170,13 +170,13 @@ jobs:
     steps:
       - run: |
           docker create --name cockroach -p 26257:26257 \
-            cockroachdb/cockroach:v22.1.10 start-single-node --insecure
+            cockroachdb/cockroach:latest-v24.1 start-single-node --insecure
           docker start cockroach
         name: Start CockroachDB
       - uses: ory/ci/checkout@master
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - uses: actions/cache@v2
         with:
           path: ./test/e2e/hydra

.github/workflows/codeql-analysis.yml

@@ -43,7 +43,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - run: go version
 
       # Initializes the CodeQL tools for scanning.

.github/workflows/cve-scan.yaml

@@ -48,6 +48,15 @@ jobs:
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+      - name: Kubescape scanner
+        uses: kubescape/github-action@main
+        id: kubescape
+        with:
+          image: oryd/hydra:${{ env.SHA_SHORT }}-sqlite
+          verbose: true
+          format: pretty-printer
+          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+          severityThreshold: critical
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}

.github/workflows/format.yml

@@ -11,7 +11,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - run: make format
       - name: Indicate formatting issues
         run: git diff HEAD --exit-code --color

.github/workflows/licenses.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: "1.21"
+          go-version: "1.22"
       - uses: actions/setup-node@v2
         with:
           node-version: "18"

.github/workflows/pm.yml

@@ -0,0 +1,29 @@
+name: Synchronize with product board
+
+on:
+  issues:
+    types:
+      - opened
+  pull_request:
+    types:
+      - opened
+      - ready_for_review
+
+jobs:
+  automate:
+    if: github.event.pull_request.head.repo.fork == false
+    name: Add issue to project
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: ory-corp/[email protected]
+        with:
+          organization: ory-corp
+          project: 5
+          token: ${{ secrets.ORY_BOT_PAT }}
+          todoLabel: "Needs Triage"
+          statusName: Status
+          statusValue: "Needs Triage"
+          includeEffort: "false"
+          monthlyMilestoneName: Roadmap Monthly
+          quarterlyMilestoneName: Roadmap

.golangci.yml

@@ -8,11 +8,9 @@ linters:
     - goimports
   disable:
     - ineffassign
-    - deadcode
     - unused
-    - structcheck
 
-run:
-  skip-files:
+issues:
+  exclude-files:
     - ".+_test.go"
     - ".+_test_.+.go"