[BUG] golang 1.15.8 is not in path

[roidelapluie]

Describe the Issue
Hello,

We have a workflow where we use chocolatey to update golang on a CI node:

It seems that since 1.15.8, the go binary is no longer in the expected location. Has anything changed? (not according to git..)

Thanks!

Full logs: https://app.circleci.com/pipelines/github/prometheus/prometheus/10641/workflows/07ebd6fd-0ec5-4fc4-8562-ef474f640b32/jobs/46848

[roidelapluie]

Note that previous version works: prometheus/prometheus#8448

[mikeee]

Cheers for raising, I've had a look at this working backwards from testing on my own machine to confirm and did notice a diff in the path that Go is using. I've checked the builder and there's a commit that references a change to the installation directory.

golang/build@024bd71

The previous default installation path, C:\Go, has default permissions
that are too permissive when adding a directory to the OS path. This
change moves the default installation target to "Program Files" or
"Program Files (x86)", which will inherit appropriate permissions, and
is the canonical place to install software on Windows.

The commit fixes/closes:

golang/go#42070

The installer appends 'C:\Go\bin' to the system path; This path should not be writable by low privileged users.

Appears that the previous version was built before the builder now writing to the default directory within your program files folder. I've confirmed that on an x64 system the path env var is C:\Program Files\Go\bin likewise on an x86 system it is C:\Program Files (x86)\Go\bin

Since this implementation is a security fix I would say for the majority of people it would be more appropriate to add a fix to the workflow temporarily. I've created a PR that in essence converts the workflow to PowerShell from Bash: prometheus/prometheus#8455

Refs:

• x/build/cmd/release: Go installer appends insecure path 'C:\Go\bin' to Windows system PATH golang/go#42070
• golang/build@024bd71

[roidelapluie]

Thank you!!!