diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 36b1be13..35f6ba69 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -532,7 +532,7 @@ jobs: # Generate SBOM (Software Bill of Materials) for supply chain security # Only for production builds (main/development) - feature branches use downstream supply-chain-pr.yml - name: Generate SBOM - uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1 + uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2 if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true' with: image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index 8072813a..c6e71920 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -271,7 +271,7 @@ jobs: name: sbom-nightly - name: Scan with Grype - uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1 + uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2 with: sbom: sbom-nightly.json fail-build: false diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml index ca8c11df..d6a5aacd 100644 --- a/.github/workflows/supply-chain-pr.yml +++ b/.github/workflows/supply-chain-pr.yml @@ -216,7 +216,7 @@ jobs: # Generate SBOM using official Anchore action (auto-updated by Renovate) - name: Generate SBOM if: steps.check-artifact.outputs.artifact_found == 'true' - uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1 + uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2 id: sbom with: image: ${{ steps.load-image.outputs.image_name }} 
diff --git a/.github/workflows/supply-chain-verify.yml b/.github/workflows/supply-chain-verify.yml index 29a342b3..57f16805 100644 --- a/.github/workflows/supply-chain-verify.yml +++ b/.github/workflows/supply-chain-verify.yml @@ -114,7 +114,7 @@ jobs: # Generate SBOM using official Anchore action (auto-updated by Renovate) - name: Generate and Verify SBOM if: steps.image-check.outputs.exists == 'true' - uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1 + uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2 with: image: ghcr.io/${{ github.repository_owner }}/charon:${{ steps.tag.outputs.tag }} format: cyclonedx-json diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ab606237..ba2113ea 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -26,7 +26,7 @@ This project follows a Code of Conduct that all contributors are expected to adh -### Prerequisites -- **Go 1.25.6+** for backend development +- **go 1.25.7+** for backend development - **Node.js 20+** and npm for frontend development - Git for version control - A GitHub account @@ -63,9 +63,9 @@ golangci-lint --version ### CI/CD Go Version Management -GitHub Actions workflows automatically use Go 1.25.6 via `GOTOOLCHAIN: auto`, which allows the `setup-go` action to download and use the correct Go version even if the CI environment has an older version installed. This ensures consistent builds across all workflows. +GitHub Actions workflows automatically use go 1.25.7 via `GOTOOLCHAIN: auto`, which allows the `setup-go` action to download and use the correct Go version even if the CI environment has an older version installed. This ensures consistent builds across all workflows. -For local development, install Go 1.25.6+ from [go.dev/dl](https://go.dev/dl/). +For local development, install go 1.25.7+ from [go.dev/dl](https://go.dev/dl/). ### Fork and Clone diff --git a/Makefile b/Makefile index b0206f3c..ec79c8b2 100644 --- a/Makefile +++ b/Makefile 
@@ -37,9 +37,9 @@ install-tools: go install gotest.tools/gotestsum@latest @echo "Tools installed successfully" -# Install Go 1.25.6 system-wide and setup GOPATH/bin +# Install go 1.25.7 system-wide and setup GOPATH/bin install-go: - @echo "Installing Go 1.25.6 and gopls (requires sudo)" + @echo "Installing go 1.25.7 and gopls (requires sudo)" sudo ./scripts/install-go-1.25.6.sh # Clear Go and gopls caches diff --git a/README.md b/README.md index e705adef..57ecdd79 100644 --- a/README.md +++ b/README.md @@ -282,7 +282,7 @@ docker run -d \ **Requirements:** -- **Go 1.25.6+** — Download from [go.dev/dl](https://go.dev/dl/) +- **go 1.25.7+** — Download from [go.dev/dl](https://go.dev/dl/) - **Node.js 20+** and npm - Docker 20.10+ @@ -302,7 +302,7 @@ See [GORM Security Scanner Documentation](docs/implementation/gorm_security_scan See [CONTRIBUTING.md](CONTRIBUTING.md) for complete development environment setup. -**Note:** GitHub Actions CI uses `GOTOOLCHAIN: auto` to automatically download and use Go 1.25.6, even if your system has an older version installed. For local development, ensure you have Go 1.25.6+ installed. +**Note:** GitHub Actions CI uses `GOTOOLCHAIN: auto` to automatically download and use go 1.25.7, even if your system has an older version installed. For local development, ensure you have go 1.25.7+ installed. ### Environment Configuration diff --git a/SECURITY.md b/SECURITY.md index aaecf63d..654783ef 100644 --- a/SECURITY.md +++ b/SECURITY.md 
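Review bot: The `install-go` target's echo now announces "Installing go 1.25.7" but the next line still runs `sudo ./scripts/install-go-1.25.6.sh`, whose `GO_VERSION` stays at `1.25.6` elsewhere in this same diff, so the message is wrong and a developer who follows it ends up with a toolchain older than the `go 1.25.7` directive this commit writes into `backend/go.mod` and `go.work`. Either point the target at a script that actually installs 1.25.7 or derive the version from the workspace in one place, e.g. `GO_VERSION := $(shell awk '/^go /{print $$2}' go.work)` and `@echo "Installing Go $(GO_VERSION) and gopls (requires sudo)"`, so the Makefile cannot disagree with `go.work` on the next bump. The replacement also lowercased "Go" to "go" in the comment and the echo, and the same lowercase substitution appears in every documentation hunk of this diff, which looks like a side effect of the automated version-bump template rather than an intended edit.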
@@ -490,7 +490,7 @@ Charon maintains transparency about security issues and their resolution. Below ### Third-Party Dependencies -**CrowdSec Binaries**: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with Go 1.25.6+. +**CrowdSec Binaries**: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with go 1.25.7+. **Impact**: Low. These vulnerabilities are in CrowdSec's third-party binaries, not in Charon's application code. They affect HTTP/2, TLS certificate handling, and archive parsing—areas not directly exposed to attackers through Charon's interface. diff --git a/backend/go.mod b/backend/go.mod index 75c90fed..24122ea8 100644 --- a/backend/go.mod +++ b/backend/go.mod @@ -1,6 +1,6 @@ module github.com/Wikid82/charon/backend -go 1.25.6 +go 1.25.7 require ( github.com/containrrr/shoutrrr v0.8.0 diff --git a/docs/github-setup.md b/docs/github-setup.md index 95a9d02f..0b0fe4b7 100644 --- a/docs/github-setup.md +++ b/docs/github-setup.md @@ -173,7 +173,7 @@ If the secret is missing or invalid, the workflow will fail with a clear error m **Prerequisites:** -- Go 1.25.6+ (automatically managed via `GOTOOLCHAIN: auto` in CI) +- go 1.25.7+ (automatically managed via `GOTOOLCHAIN: auto` in CI) - Node.js 20+ for frontend builds **Triggers when:** diff --git a/docs/plans/alpine_migration_spec.md b/docs/plans/alpine_migration_spec.md index 5cfb3e60..9f7eac52 100644 --- a/docs/plans/alpine_migration_spec.md +++ b/docs/plans/alpine_migration_spec.md 
@@ -138,7 +138,7 @@ grype alpine:3.23 --only-fixed --fail-on critical,high #### musl vs glibc Compatibility **Charon Application Profile:** -- **Language:** Go 1.25.6 (static binaries with CGO_ENABLED=1 for SQLite) +- **Language:** go 1.25.7 (static binaries with CGO_ENABLED=1 for SQLite) - **C Dependencies:** SQLite (libsqlite3-dev) - **Go Stdlib Features:** Standard library calls only (net, crypto, http) diff --git a/docs/reports/qa_phase3_caddy_import_firefox_fix.md b/docs/reports/qa_phase3_caddy_import_firefox_fix.md index ea1f9d9b..a0d09f80 100644 --- a/docs/reports/qa_phase3_caddy_import_firefox_fix.md +++ b/docs/reports/qa_phase3_caddy_import_firefox_fix.md @@ -111,7 +111,7 @@ Complete Definition of Done validation executed after Docker image rebuild with **Assessment**: Minor coverage regression (92.0% → 84.0%) likely due to: 1. New uncovered code paths introduced in recent commits 2. Test cache refresh after Docker rebuild -3. Go 1.25.6 coverage calculation differences +3. go 1.25.7 coverage calculation differences **Risk Level**: **LOW** - 1% variance acceptable for non-production code. Coverage still strong across critical packages. @@ -735,14 +735,14 @@ Stage 1: Frontend Builder (Node 24.13.0-slim) - Output: 1.39MB JS bundle (407KB gzipped), 81KB CSS (14KB gzipped) - Duration: 18.2 seconds -Stage 2: Backend Builder (Go 1.25.6-trixie) +Stage 2: Backend Builder (go 1.25.7-trixie) - go mod download: Dependencies cached - CGO_ENABLED=1 build: Production optimized binary - Output: /app/charon binary with stripped symbols (-s -w) - Delve debugger: /usr/local/bin/dlv (for development) - Duration: 5.7 seconds -Stage 3: CrowdSec Builder (Go 1.25.6-trixie) +Stage 3: CrowdSec Builder (go 1.25.7-trixie) - Patched dependencies: expr@v1.17.7, crypto@v0.46.0 - Built: /crowdsec-out/crowdsec, /crowdsec-out/cscli - Version: v1.7.6 diff --git a/go.work b/go.work index 304bc7f7..9d280119 100644 --- a/go.work +++ b/go.work @@ -1,3 +1,3 @@ -go 1.25.6 +go 1.25.7 use ./backend 
diff --git a/scripts/install-go-1.25.6.sh b/scripts/install-go-1.25.6.sh index c9c467b7..43d5a88c 100755 --- a/scripts/install-go-1.25.6.sh +++ b/scripts/install-go-1.25.6.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -euo pipefail -# Script to install Go 1.25.6 to /usr/local/go +# Script to install go 1.25.7 to /usr/local/go # Usage: sudo ./scripts/install-go-1.25.6.sh GO_VERSION="1.25.6"
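Review bot: The header comment now says "install go 1.25.7" but `GO_VERSION="1.25.6"` three lines below is unchanged, so the script still installs 1.25.6 while `backend/go.mod` and `go.work` in this commit require 1.25.7; with `GOTOOLCHAIN=auto` the go command will then fetch 1.25.7 on first use, which defeats the purpose of a system-wide install. Change it to `GO_VERSION="1.25.7"`, and if the download is verified against a pinned checksum further down (outside this hunk, so I cannot see it) update that as well rather than letting the comment and the variable diverge. The file name `install-go-1.25.6.sh` and the `# Usage:` line embed the version too; a version-neutral `scripts/install-go.sh` that reads the version from `go.work` would keep the name, the comment and the variable from drifting on every bump. Only the comment was touched here while the variable was not, which suggests the automated update rule matched the prose pattern and not the assignment; the rule's pattern is worth checking.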