chore: update Go version to 1.26.0 across documentation and workflows

GitHub Actions
2026-02-10 22:21:25 +00:00
parent ef00d7e133
commit 9b2d8e5455
21 changed files with 103 additions and 41 deletions
@@ -122,7 +122,7 @@ graph TB
| Component | Technology | Version | Purpose |
|-----------|-----------|---------|---------|
| **Language** | Go | 1.25.7 | Primary backend language |
| **Language** | Go | 1.26.0 | Primary backend language |
| **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
| **Database** | SQLite | 3.x | Embedded database |
| **ORM** | GORM | Latest | Database abstraction layer |
@@ -751,7 +751,7 @@ COPY frontend/ ./
RUN npm run build
# Stage 2: Build backend
FROM golang:1.25-bookworm AS backend-builder
FROM golang:1.26-bookworm AS backend-builder
WORKDIR /app/backend
COPY backend/go.* ./
RUN go mod download
@@ -858,7 +858,7 @@ services:
1. **Prerequisites:**
```bash
- Go 1.25+ (backend development)
- Go 1.26+ (backend development)
- Node.js 23+ and npm (frontend development)
- Docker 24+ (E2E testing)
- SQLite 3.x (database)
+1 -1
@@ -11,7 +11,7 @@ concurrency:
cancel-in-progress: true
env:
GO_VERSION: '1.25.7'
GO_VERSION: '1.26.0'
GOTOOLCHAIN: auto
# Minimal permissions at workflow level; write permissions granted at job level for push only
+1 -1
@@ -23,7 +23,7 @@ concurrency:
cancel-in-progress: true
env:
GO_VERSION: '1.25.7'
GO_VERSION: '1.26.0'
NODE_VERSION: '24.12.0'
GOTOOLCHAIN: auto
+1 -1
@@ -10,7 +10,7 @@ concurrency:
cancel-in-progress: true
env:
GO_VERSION: '1.25.7'
GO_VERSION: '1.26.0'
GOTOOLCHAIN: auto
permissions:
+1 -1
@@ -86,7 +86,7 @@ on:
env:
NODE_VERSION: '20'
GO_VERSION: '1.25.7'
GO_VERSION: '1.26.0'
GOTOOLCHAIN: auto
DOCKERHUB_REGISTRY: docker.io
IMAGE_NAME: ${{ github.repository_owner }}/charon
+1 -1
@@ -15,7 +15,7 @@ on:
default: "false"
env:
GO_VERSION: '1.25.7'
GO_VERSION: '1.26.0'
NODE_VERSION: '24.12.0'
GOTOOLCHAIN: auto
GHCR_REGISTRY: ghcr.io
+1 -1
@@ -13,7 +13,7 @@ permissions:
checks: write
env:
GO_VERSION: '1.25.7'
GO_VERSION: '1.26.0'
NODE_VERSION: '24.12.0'
GOTOOLCHAIN: auto
+1 -1
@@ -10,7 +10,7 @@ concurrency:
cancel-in-progress: false
env:
GO_VERSION: '1.25.7'
GO_VERSION: '1.26.0'
NODE_VERSION: '24.12.0'
GOTOOLCHAIN: auto
+1
@@ -306,3 +306,4 @@ docs/plans/design.md
docs/plans/tasks.md
frontend/coverage_output.txt
frontend/temp**
playwright-output/**
+3 -3
@@ -122,7 +122,7 @@ graph TB
| Component | Technology | Version | Purpose |
|-----------|-----------|---------|---------|
| **Language** | Go | 1.25.7 | Primary backend language |
| **Language** | Go | 1.26.0 | Primary backend language |
| **HTTP Framework** | Gin | Latest | Routing, middleware, HTTP handling |
| **Database** | SQLite | 3.x | Embedded database |
| **ORM** | GORM | Latest | Database abstraction layer |
@@ -816,7 +816,7 @@ COPY frontend/ ./
RUN npm run build
# Stage 2: Build backend
FROM golang:1.25-bookworm AS backend-builder
FROM golang:1.26-bookworm AS backend-builder
WORKDIR /app/backend
COPY backend/go.* ./
RUN go mod download
@@ -923,7 +923,7 @@ services:
1. **Prerequisites:**
```bash
- Go 1.25+ (backend development)
- Go 1.26+ (backend development)
- Node.js 23+ and npm (frontend development)
- Docker 24+ (E2E testing)
- SQLite 3.x (database)
+3 -3
@@ -26,7 +26,7 @@ This project follows a Code of Conduct that all contributors are expected to adh
-### Prerequisites
- **go 1.25.7+** for backend development
- **go 1.26.0+** for backend development
- **Node.js 20+** and npm for frontend development
- Git for version control
- A GitHub account
@@ -63,9 +63,9 @@ golangci-lint --version
### CI/CD Go Version Management
GitHub Actions workflows automatically use go 1.25.7 via `GOTOOLCHAIN: auto`, which allows the `setup-go` action to download and use the correct Go version even if the CI environment has an older version installed. This ensures consistent builds across all workflows.
GitHub Actions workflows automatically use go 1.26.0 via `GOTOOLCHAIN: auto`, which allows the `setup-go` action to download and use the correct Go version even if the CI environment has an older version installed. This ensures consistent builds across all workflows.
For local development, install go 1.25.7+ from [go.dev/dl](https://go.dev/dl/).
For local development, install go 1.26.0+ from [go.dev/dl](https://go.dev/dl/).
### Fork and Clone
+9 -9
@@ -34,7 +34,7 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0@sha256:c64defb9ed5a91eacb37f9
# CVEs fixed: CVE-2023-24531, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404,
# CVE-2023-29405, CVE-2024-24790, CVE-2025-22871, and 15 more
# renovate: datasource=docker depName=golang
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS gosu-builder
FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS gosu-builder
COPY --from=xx / /
WORKDIR /tmp/gosu
@@ -89,7 +89,7 @@ RUN --mount=type=cache,target=/app/frontend/node_modules/.cache \
# ---- Backend Builder ----
# renovate: datasource=docker depName=golang
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS backend-builder
FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS backend-builder
# Copy xx helpers for cross-compilation
COPY --from=xx / /
@@ -155,7 +155,7 @@ ARG BUILD_DEBUG=0
# Build the Go binary with version information injected via ldflags
# xx-go handles CGO and cross-compilation flags automatically
# Note: Go 1.25 defaults to gold linker for ARM64, but clang doesn't support -fuse-ld=gold
# Note: Go 1.26 defaults to gold linker for ARM64, but clang doesn't support -fuse-ld=gold
# Use lld for ARM64 cross-linking; keep bfd for amd64 to preserve prior behavior
# PIE is required for arm64 cross-linking with lld to avoid relocation conflicts under
# QEMU emulation and improves security posture.
@@ -192,7 +192,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
# Build Caddy from source to ensure we use the latest Go version and dependencies
# This fixes vulnerabilities found in the pre-built Caddy images (e.g. CVE-2025-59530, stdlib issues)
# renovate: datasource=docker depName=golang
FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS caddy-builder
FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS caddy-builder
ARG TARGETOS
ARG TARGETARCH
ARG CADDY_VERSION
@@ -254,10 +254,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
rm -rf /tmp/buildenv_* /tmp/caddy-initial'
# ---- CrowdSec Builder ----
# Build CrowdSec from source to ensure we use Go 1.25.5+ and avoid stdlib vulnerabilities
# Build CrowdSec from source to ensure we use Go 1.26.0+ and avoid stdlib vulnerabilities
# (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729)
# renovate: datasource=docker depName=golang versioning=docker
FROM --platform=$BUILDPLATFORM golang:1.25.7-alpine AS crowdsec-builder
FROM --platform=$BUILDPLATFORM golang:1.26.0-alpine AS crowdsec-builder
COPY --from=xx / /
WORKDIR /tmp/crowdsec
@@ -368,7 +368,7 @@ RUN apk add --no-cache \
bash ca-certificates sqlite-libs sqlite tzdata curl gettext libcap libcap-utils \
c-ares binutils libc-utils busybox-extras
# Copy gosu binary from gosu-builder (built with Go 1.25+ to avoid stdlib CVEs)
# Copy gosu binary from gosu-builder (built with Go 1.26+ to avoid stdlib CVEs)
COPY --from=gosu-builder /gosu-out/gosu /usr/sbin/gosu
RUN chmod +x /usr/sbin/gosu
@@ -416,7 +416,7 @@ COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
# Allow non-root to bind privileged ports (80/443) securely
RUN setcap 'cap_net_bind_service=+ep' /usr/bin/caddy
# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.25.5+)
# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.26.0+)
# This ensures we don't have stdlib vulnerabilities from older Go versions
COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec
COPY --from=crowdsec-builder /crowdsec-out/cscli /usr/local/bin/cscli
@@ -434,7 +434,7 @@ RUN if [ ! -f /etc/crowdsec.dist/config.yaml ]; then \
# Verify CrowdSec binaries and configuration
RUN chmod +x /usr/local/bin/crowdsec /usr/local/bin/cscli 2>/dev/null || true; \
if [ -x /usr/local/bin/cscli ]; then \
echo "CrowdSec installed (built from source with Go 1.25):"; \
echo "CrowdSec installed (built from source with Go 1.26):"; \
cscli version || echo "CrowdSec version check failed"; \
echo ""; \
echo "Configuration source: /etc/crowdsec.dist"; \
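Review bot: The rewritten comment above the crowdsec-builder stage, `# Build CrowdSec from source to ensure we use Go 1.26.0+ and avoid stdlib vulnerabilities`, now states a higher floor than the fix needs; the line it replaces gave 1.25.5+ for the same four CVEs, so the blanket substitution drops the record of which toolchain release closed them. The same substitution recurs in the later documentation sections, where `will be resolved when CrowdSec releases binaries built with go 1.26.0+`, `CrowdSec v1.6.6+ (compiled with Go 1.26.0+)` and the fix summary dated 2026-01-10 now describe past events using a version introduced by this commit. I would keep the original fix version and state the current pin separately, e.g. `# Requires Go >= 1.25.5 for the stdlib CVE fixes listed below; currently pinned to 1.26.0`. The linker note `Go 1.26 defaults to gold linker for ARM64` was bumped the same way and should be re-checked against the 1.26 toolchain or worded without a version. Also, only crowdsec-builder pins a patch release; the gosu, backend and caddy stages float on `golang:1.26-alpine` with no digest, unlike the digest-pinned xx stage, so the "built with Go 1.26+ to avoid stdlib CVEs" comments depend on whatever that tag resolves to at build time.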
+3 -3
@@ -37,10 +37,10 @@ install-tools:
go install gotest.tools/gotestsum@latest
@echo "Tools installed successfully"
# Install go 1.25.7 system-wide and setup GOPATH/bin
# Install go 1.26.0 system-wide and setup GOPATH/bin
install-go:
@echo "Installing go 1.25.7 and gopls (requires sudo)"
sudo ./scripts/install-go-1.25.6.sh
@echo "Installing go 1.26.0 and gopls (requires sudo)"
sudo ./scripts/install-go-1.26.0.sh
# Clear Go and gopls caches
clear-go-cache:
+2 -2
@@ -282,7 +282,7 @@ docker run -d \
**Requirements:**
- **go 1.25.7+** — Download from [go.dev/dl](https://go.dev/dl/)
- **go 1.26.0+** — Download from [go.dev/dl](https://go.dev/dl/)
- **Node.js 20+** and npm
- Docker 20.10+
@@ -302,7 +302,7 @@ See [GORM Security Scanner Documentation](docs/implementation/gorm_security_scan
See [CONTRIBUTING.md](CONTRIBUTING.md) for complete development environment setup.
**Note:** GitHub Actions CI uses `GOTOOLCHAIN: auto` to automatically download and use go 1.25.7, even if your system has an older version installed. For local development, ensure you have go 1.25.7+ installed.
**Note:** GitHub Actions CI uses `GOTOOLCHAIN: auto` to automatically download and use go 1.26.0, even if your system has an older version installed. For local development, ensure you have go 1.26.0+ installed.
### Environment Configuration
+1 -1
@@ -490,7 +490,7 @@ Charon maintains transparency about security issues and their resolution. Below
### Third-Party Dependencies
**CrowdSec Binaries**: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with go 1.25.7+.
**CrowdSec Binaries**: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with go 1.26.0+.
**Impact**: Low. These vulnerabilities are in CrowdSec's third-party binaries, not in Charon's application code. They affect HTTP/2, TLS certificate handling, and archive parsing—areas not directly exposed to attackers through Charon's interface.
+1 -1
@@ -173,7 +173,7 @@ If the secret is missing or invalid, the workflow will fail with a clear error m
**Prerequisites:**
- go 1.25.7+ (automatically managed via `GOTOOLCHAIN: auto` in CI)
- go 1.26.0+ (automatically managed via `GOTOOLCHAIN: auto` in CI)
- Node.js 20+ for frontend builds
**Triggers when:**
@@ -28,7 +28,7 @@ CI supply chain scans detected 4 HIGH-severity vulnerabilities in CrowdSec binar
**Root Cause**: CrowdSec v1.6.5 compiled with Go 1.25.1 (vulnerable)
**Resolution**: Upgrade to CrowdSec v1.6.6+ (compiled with Go 1.25.2+)
**Resolution**: Upgrade to CrowdSec v1.6.6+ (compiled with Go 1.26.0+)
## Action Items
@@ -56,7 +56,7 @@ docker run --rm charon:local /usr/local/bin/crowdsec version
docker run --rm charon:local /usr/local/bin/cscli version
```
**Expected Output**: Should show Go 1.25.2 or later
**Expected Output**: Should show Go 1.26.0 or later
**Assignee**: @qa-team
**Effort**: 10 minutes
@@ -2,7 +2,7 @@
**Date:** 2026-01-10
**Issue:** CrowdSec binaries built with Go 1.25.1 containing 4 HIGH CVEs
**Solution:** Pin CrowdSec builder to Go 1.25.5+
**Solution**: Pin CrowdSec builder to Go 1.26.0+
## Problem
@@ -17,7 +17,7 @@ The CrowdSec builder stage in the Dockerfile was using `golang:1.25-alpine`, whi
## Solution
Updated the `CrowdSec Builder` stage in the Dockerfile to explicitly pin to Go 1.25.5:
Updated the `CrowdSec Builder` stage in the Dockerfile to explicitly pin to Go 1.26.0:
```dockerfile
# Before:
@@ -63,7 +63,7 @@ After this change, the following validations should be performed:
3. **Expected outcome:**
- Trivy image scan should report **0 HIGH/CRITICAL** vulnerabilities
- CrowdSec binaries should be built with Go 1.25.5+
- CrowdSec binaries should be built with Go 1.26.0+
- All CrowdSec functionality should remain operational
## Related
+1 -1
@@ -1,3 +1,3 @@
go 1.25.7
go 1.26.0
use ./backend
Executable → Regular
+3 -3
@@ -1,10 +1,10 @@
#!/usr/bin/env bash
set -euo pipefail
# Script to install go 1.25.7 to /usr/local/go
# Usage: sudo ./scripts/install-go-1.25.7.sh
# Script to install go 1.26.0 to /usr/local/go
# Usage: sudo ./scripts/install-go-1.26.0.sh
GO_VERSION="1.25.7"
GO_VERSION="1.26.0"
ARCH="linux-amd64"
TARFILE="go${GO_VERSION}.${ARCH}.tar.gz"
TMPFILE="/tmp/${TARFILE}"
+61
@@ -0,0 +1,61 @@
#!/usr/bin/env bash
set -euo pipefail
# Script to install go 1.26.0 to /usr/local/go
# Usage: sudo ./scripts/install-go-1.26.0.sh
GO_VERSION="1.26.0"
ARCH="linux-amd64"
TARFILE="go${GO_VERSION}.${ARCH}.tar.gz"
TMPFILE="/tmp/${TARFILE}"
# Ensure GOPATH is set
: ${GOPATH:=$HOME/go}
: ${GOBIN:=${GOPATH}/bin}
# Download
if [ ! -f "$TMPFILE" ]; then
echo "Downloading go${GO_VERSION}..."
curl -sSfL -o "$TMPFILE" "https://go.dev/dl/${TARFILE}"
fi
# Remove existing installation
if [ -d "/usr/local/go" ]; then
echo "Removing existing /usr/local/go..."
sudo rm -rf /usr/local/go
fi
# Extract
echo "Extracting to /usr/local..."
sudo tar -C /usr/local -xzf "$TMPFILE"
# Setup system PATH via /etc/profile.d
echo "Creating /etc/profile.d/go.sh to export /usr/local/go/bin and GOPATH/bin"
sudo tee /etc/profile.d/go.sh > /dev/null <<'EOF'
export PATH=/usr/local/go/bin:$GOPATH/bin:$PATH
EOF
sudo chmod +x /etc/profile.d/go.sh
# Update current session PATH
export PATH=/usr/local/go/bin:$GOPATH/bin:$PATH
# Verify
echo "Installed go: $(go version)"
# Optionally install gopls
echo "Installing gopls..."
# renovate: datasource=go depName=golang.org/x/tools
go install golang.org/x/tools/gopls@v0.41.0
GOPLS_PATH="$GOPATH/bin/gopls"
if [ -f "$GOPLS_PATH" ]; then
echo "gopls installed at $GOPLS_PATH"
$GOPLS_PATH version || true
else
echo "gopls not installed in GOPATH/bin"
fi
cat <<'EOF'
Done. Please restart your shell or run:
source /etc/profile.d/go.sh
and restart your editor's Go language server (Go: Restart Language Server in VS Code)
EOF
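Review bot: The tarball fetched by `curl -sSfL -o "$TMPFILE" ...` is unpacked by `sudo tar -C /usr/local -xzf "$TMPFILE"` with no integrity check, and the `[ ! -f "$TMPFILE" ]` guard reuses whatever already sits at the predictable `/tmp/go1.26.0.linux-amd64.tar.gz` path. On a shared host that means a file left there by another user, or a truncated earlier download, is extracted as root into /usr/local. I would download into a `mktemp` file and compare it with the SHA-256 published on go.dev/dl before extracting, as sketched below with a placeholder for the digest. Separately, the quoted heredoc writes a literal `$GOPATH/bin` into /etc/profile.d/go.sh, so login shells where GOPATH is unset get `/bin` prepended instead of the Go bin directory; writing `${GOPATH:-$HOME/go}/bin` there would match the default the script itself applies.

```shell
# … unchanged: GO_VERSION, ARCH, TARFILE …
# SHA-256 of ${TARFILE} as listed on https://go.dev/dl/ (placeholder: fill in before merging)
GO_SHA256="<sha256-of-go1.26.0.linux-amd64.tar.gz>"
TMPFILE="$(mktemp "/tmp/${TARFILE}.XXXXXX")"
trap 'rm -f "$TMPFILE"' EXIT

echo "Downloading go${GO_VERSION}..."
curl -sSfL -o "$TMPFILE" "https://go.dev/dl/${TARFILE}"
# Abort (set -e) unless the archive matches the published digest
echo "${GO_SHA256}  ${TMPFILE}" | sha256sum -c -
# … unchanged: remove existing /usr/local/go, extract, profile.d setup, gopls …
```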