chore: update Go version to 1.26.4 #2568

Open
fseldow wants to merge 1 commit into notaryproject:v1-dev from fseldow:fix-govulncheck-go-1.26.4-v1-dev

fseldow commented Jun 4, 2026

Contributor

Summary

Update Go usage to 1.26.4 only where it affects vulnerability scanning or published image builds.

Motivation

Go 1.26.4 includes fixes for the Go standard library vulnerabilities reported by govulncheck:

Updating only the govulncheck workflow is not sufficient because GHCR-published Ratify images are built by Dockerfile builder stages. If the Dockerfile still uses Go 1.26.3, the resulting binary is still built with the vulnerable Go standard library.

Changes

  • Update scan-vulns govulncheck toolchain to Go 1.26.4
  • Update Docker builder image to Go 1.26.4 with pinned digest
  • Keep go.mod unchanged
  • Keep CI workflows that previously used minor-only Go versions (for example 1.26) minor-only; update only workflow references that were already patch-pinned to 1.26.3

Validation

  • Confirmed the final PR diff does not modify go.mod.
  • Confirmed Dockerfile builder image references Go 1.26.4.

fseldow force-pushed the fix-govulncheck-go-1.26.4-v1-dev branch from 596a23c to 224502d, June 4, 2026 03:59
fseldow changed the title from "fix: update govulncheck Go version" to "fix: update Go version to 1.26.4", Jun 4, 2026
fseldow force-pushed the fix-govulncheck-go-1.26.4-v1-dev branch from 224502d to 313e572, June 4, 2026 04:50
fseldow changed the title from "fix: update Go version to 1.26.4" to "chore: update Go version to 1.26.4", Jun 4, 2026
fseldow force-pushed the fix-govulncheck-go-1.26.4-v1-dev branch from 313e572 to ff2002f, June 4, 2026 05:12
susanshi enabled auto-merge (squash), June 4, 2026 08:17
Use Go 1.26.4 for vulnerability scanning and Docker builder images so published Ratify images are built with the patched standard library.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: xinhl <xinhl@microsoft.com>
auto-merge was automatically disabled June 12, 2026 03:53

Head branch was pushed to by a user without write access

fseldow force-pushed the fix-govulncheck-go-1.26.4-v1-dev branch from ff2002f to 4fe3e6a, June 12, 2026 03:53
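
The consistency check that the PR description argues for, as an added example (not code from this PR or from the Ratify repository): it flags a Dockerfile builder stage whose `golang` image is older than the target version or lacks a pinned digest, and patch-pinned workflow `go-version` values older than the target. The sample inputs, the placeholder digest, the "must be patch-pinned" rule for the Dockerfile, and the names `Audit` and `num` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// FROM [--platform=...] [registry/]golang:<version>[-variant][@sha256:<digest>]
var fromRe = regexp.MustCompile(`(?im)^\s*FROM\s+(?:--platform=\S+\s+)?\S*golang:(\d+(?:\.\d+){1,2})[^\s@]*(@sha256:[0-9a-f]{64})?`)

// go-version: "<version>" as used in a GitHub Actions workflow step.
var wfRe = regexp.MustCompile(`(?m)^\s*go-version:\s*["']?(\d+(?:\.\d+){1,2})["']?\s*$`)

// num turns "1.26.4" into 1026004 so patch-pinned versions compare as integers.
func num(v string) (n int) {
	for _, p := range strings.Split(v, ".") {
		x, _ := strconv.Atoi(p)
		n = n*1000 + x
	}
	return n
}

// Audit lists Go references older than min; minor-only workflow versions (1.26) are left alone.
func Audit(dockerfile, workflow, min string) []string {
	var out []string
	for _, m := range fromRe.FindAllStringSubmatch(dockerfile, -1) {
		switch {
		case strings.Count(m[1], ".") < 2: // assumption: builder images must name a patch release
			out = append(out, "Dockerfile: golang:"+m[1]+" is not patch-pinned")
		case num(m[1]) < num(min):
			out = append(out, "Dockerfile: golang:"+m[1]+" is older than "+min)
		case m[2] == "":
			out = append(out, "Dockerfile: golang:"+m[1]+" has no pinned digest")
		}
	}
	for _, m := range wfRe.FindAllStringSubmatch(workflow, -1) {
		if strings.Count(m[1], ".") == 2 && num(m[1]) < num(min) {
			out = append(out, "workflow: go-version "+m[1]+" is older than "+min)
		}
	}
	return out
}

func main() {
	digest := "@sha256:" + strings.Repeat("0", 64) // constructed placeholder, not a real image digest
	for _, f := range Audit("FROM golang:1.26.3"+digest+" AS builder\n", "go-version: \"1.26.4\"\n", "1.26.4") {
		fmt.Println(f)
	}
}
```

The constructed input reproduces the case the description warns about: the scan workflow is already on 1.26.4 while the builder stage still compiles the published binary with 1.26.3.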