From 059ff9c6b4c0a682bc3cc1c85f919c082e687b2c Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Fri, 10 Apr 2026 20:48:46 +0000 Subject: [PATCH] fix: update Go version from 1.26.1 to 1.26.2 in Dockerfile and documentation for security improvements --- Dockerfile | 6 +++--- docs/development/go_version_upgrades.md | 4 ++-- docs/plans/current_spec.md | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3430c9ec..19efb935 100644 --- a/Dockerfile +++ b/Dockerfile @@ -160,7 +160,7 @@ RUN set -eux; \ # Note: xx-go install puts binaries in /go/bin/TARGETOS_TARGETARCH/dlv if cross-compiling. # We find it and move it to /go/bin/dlv so it's in a consistent location for the next stage. # renovate: datasource=go depName=github.com/go-delve/delve -ARG DLV_VERSION=1.26.1 +ARG DLV_VERSION=1.26.2 # hadolint ignore=DL3059,DL4006 RUN CGO_ENABLED=0 xx-go install github.com/go-delve/delve/cmd/dlv@v${DLV_VERSION} && \ DLV_PATH=$(find /go/bin -name dlv -type f | head -n 1) && \ @@ -345,7 +345,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ rm -rf /tmp/buildenv_* /tmp/caddy-initial' # ---- CrowdSec Builder ---- -# Build CrowdSec from source to ensure we use Go 1.26.1+ and avoid stdlib vulnerabilities +# Build CrowdSec from source to ensure we use Go 1.26.2+ and avoid stdlib vulnerabilities # (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729) FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS crowdsec-builder COPY --from=xx / / @@ -516,7 +516,7 @@ COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy # Allow non-root to bind privileged ports (80/443) securely RUN setcap 'cap_net_bind_service=+ep' /usr/bin/caddy -# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.1+) +# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.2+) # This ensures we don't have stdlib vulnerabilities from older Go versions COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec COPY --from=crowdsec-builder /crowdsec-out/cscli /usr/local/bin/cscli diff --git a/docs/development/go_version_upgrades.md b/docs/development/go_version_upgrades.md index 58a1da52..09cc4597 100644 --- a/docs/development/go_version_upgrades.md +++ b/docs/development/go_version_upgrades.md @@ -251,13 +251,13 @@ Go releases **two major versions per year**: - February (e.g., Go 1.26.0) - August (e.g., Go 1.27.0) -Plus occasional patch releases (e.g., Go 1.26.1) for security fixes. +Plus occasional patch releases (e.g., Go 1.26.2) for security fixes. **Bottom line:** Expect to run `./scripts/rebuild-go-tools.sh` 2-3 times per year. ### Do I need to rebuild tools for patch releases? -**Usually no**, but it doesn't hurt. Patch releases (like 1.26.0 → 1.26.1) rarely break tool compatibility. +**Usually no**, but it doesn't hurt. Patch releases (like 1.26.0 → 1.26.2) rarely break tool compatibility. **Rebuild if:** diff --git a/docs/plans/current_spec.md b/docs/plans/current_spec.md index c4284cea..0e956d1d 100644 --- a/docs/plans/current_spec.md +++ b/docs/plans/current_spec.md @@ -252,7 +252,7 @@ No UI/UX changes — this is a dependency-only update. Existing E2E tests valida | Task | File(s) | Action | |------|---------|--------| -| 4.1 | `.github/skills/examples/gorm-scanner-ci-workflow.yml` | Bump Go version 1.26.1 → 1.26.2 | +| 4.1 | `.github/skills/examples/gorm-scanner-ci-workflow.yml` | Bump Go version 1.26.2 → 1.26.2 | ### Phase 5: Validation @@ -339,7 +339,7 @@ The `pgproto3/v2` module has **no patched release** — the fix exists only in ` | `backend/go.mod` | Dependency version bumps (grpc, otlptracehttp) | | `backend/go.sum` | Auto-generated checksum updates | | `Dockerfile` | Add `go get` patches in caddy-builder and crowdsec-builder stages | -| `.github/skills/examples/gorm-scanner-ci-workflow.yml` | Go version 1.26.1 → 1.26.2 | +| `.github/skills/examples/gorm-scanner-ci-workflow.yml` | Go version 1.26.2 → 1.26.2 | **Dependencies**: None (standalone)