chore: update Go version references from 1.25.6 to 1.25.7 across documentation and scripts
2
.github/workflows/docker-build.yml
vendored
@@ -532,7 +532,7 @@ jobs:
|
||||
# Generate SBOM (Software Bill of Materials) for supply chain security
|
||||
# Only for production builds (main/development) - feature branches use downstream supply-chain-pr.yml
|
||||
- name: Generate SBOM
|
||||
uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
|
||||
uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
|
||||
if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
|
||||
with:
|
||||
image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
|
||||
|
||||
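Review bot: The `uses:` line of the Generate SBOM step moves anchore/sbom-action from v0.22.1 to v0.22.2, which the commit subject (Go version references in documentation and scripts) does not cover. Either split the action bumps in this and the other workflow files into their own commit or name them in the message, and confirm that 28d71544de8eaf1b958d335707167c5f783590ad is the commit the v0.22.2 tag points to, since the trailing comment is the only thing tying the pinned SHA to a release.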
2
.github/workflows/nightly-build.yml
vendored
@@ -271,7 +271,7 @@ jobs:
|
||||
name: sbom-nightly
|
||||
|
||||
- name: Scan with Grype
|
||||
uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
|
||||
uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
|
||||
with:
|
||||
sbom: sbom-nightly.json
|
||||
fail-build: false
|
||||
|
||||
2
.github/workflows/supply-chain-pr.yml
vendored
@@ -216,7 +216,7 @@ jobs:
|
||||
# Generate SBOM using official Anchore action (auto-updated by Renovate)
|
||||
- name: Generate SBOM
|
||||
if: steps.check-artifact.outputs.artifact_found == 'true'
|
||||
uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
|
||||
uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
|
||||
id: sbom
|
||||
with:
|
||||
image: ${{ steps.load-image.outputs.image_name }}
|
||||
|
||||
2
.github/workflows/supply-chain-verify.yml
vendored
@@ -114,7 +114,7 @@ jobs:
|
||||
# Generate SBOM using official Anchore action (auto-updated by Renovate)
|
||||
- name: Generate and Verify SBOM
|
||||
if: steps.image-check.outputs.exists == 'true'
|
||||
uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
|
||||
uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
|
||||
with:
|
||||
image: ghcr.io/${{ github.repository_owner }}/charon:${{ steps.tag.outputs.tag }}
|
||||
format: cyclonedx-json
|
||||
|
||||
@@ -26,7 +26,7 @@ This project follows a Code of Conduct that all contributors are expected to adh
|
||||
|
||||
-### Prerequisites
|
||||
|
||||
- **Go 1.25.6+** for backend development
|
||||
- **go 1.25.7+** for backend development
|
||||
- **Node.js 20+** and npm for frontend development
|
||||
- Git for version control
|
||||
- A GitHub account
|
||||
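Review bot: The Prerequisites bullet now reads `**go 1.25.7+**` with a lowercase "go", which looks like a search-and-replace side effect; the language name is "Go", and the neighbouring bullets capitalise Node.js and Git. Restore the capital here and in the other documentation lines this commit rewrites the same way.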
@@ -63,9 +63,9 @@ golangci-lint --version
|
||||
|
||||
### CI/CD Go Version Management
|
||||
|
||||
GitHub Actions workflows automatically use Go 1.25.6 via `GOTOOLCHAIN: auto`, which allows the `setup-go` action to download and use the correct Go version even if the CI environment has an older version installed. This ensures consistent builds across all workflows.
|
||||
GitHub Actions workflows automatically use go 1.25.7 via `GOTOOLCHAIN: auto`, which allows the `setup-go` action to download and use the correct Go version even if the CI environment has an older version installed. This ensures consistent builds across all workflows.
|
||||
|
||||
For local development, install Go 1.25.6+ from [go.dev/dl](https://go.dev/dl/).
|
||||
For local development, install go 1.25.7+ from [go.dev/dl](https://go.dev/dl/).
|
||||
|
||||
### Fork and Clone
|
||||
|
||||
|
||||
4
Makefile
@@ -37,9 +37,9 @@ install-tools:
|
||||
go install gotest.tools/gotestsum@latest
|
||||
@echo "Tools installed successfully"
|
||||
|
||||
# Install Go 1.25.6 system-wide and setup GOPATH/bin
|
||||
# Install go 1.25.7 system-wide and setup GOPATH/bin
|
||||
install-go:
|
||||
@echo "Installing Go 1.25.6 and gopls (requires sudo)"
|
||||
@echo "Installing go 1.25.7 and gopls (requires sudo)"
|
||||
sudo ./scripts/install-go-1.25.6.sh
|
||||
|
||||
# Clear Go and gopls caches
|
||||
|
||||
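Review bot: In the `install-go` target the comment and the echo now say 1.25.7, but the recipe line still runs `sudo ./scripts/install-go-1.25.6.sh`. Rename the script, or give it a version-neutral name, and update this line in the same commit; as it stands the target announces one version and invokes the installer named for another.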
@@ -282,7 +282,7 @@ docker run -d \
|
||||
|
||||
**Requirements:**
|
||||
|
||||
- **Go 1.25.6+** — Download from [go.dev/dl](https://go.dev/dl/)
|
||||
- **go 1.25.7+** — Download from [go.dev/dl](https://go.dev/dl/)
|
||||
- **Node.js 20+** and npm
|
||||
- Docker 20.10+
|
||||
|
||||
@@ -302,7 +302,7 @@ See [GORM Security Scanner Documentation](docs/implementation/gorm_security_scan
|
||||
|
||||
See [CONTRIBUTING.md](CONTRIBUTING.md) for complete development environment setup.
|
||||
|
||||
**Note:** GitHub Actions CI uses `GOTOOLCHAIN: auto` to automatically download and use Go 1.25.6, even if your system has an older version installed. For local development, ensure you have Go 1.25.6+ installed.
|
||||
**Note:** GitHub Actions CI uses `GOTOOLCHAIN: auto` to automatically download and use go 1.25.7, even if your system has an older version installed. For local development, ensure you have go 1.25.7+ installed.
|
||||
|
||||
### Environment Configuration
|
||||
|
||||
|
||||
@@ -490,7 +490,7 @@ Charon maintains transparency about security issues and their resolution. Below
|
||||
|
||||
### Third-Party Dependencies
|
||||
|
||||
**CrowdSec Binaries**: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with Go 1.25.6+.
|
||||
**CrowdSec Binaries**: As of December 2025, CrowdSec binaries shipped with Charon contain 4 HIGH-severity CVEs in Go stdlib (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729). These are upstream issues in Go 1.25.1 and will be resolved when CrowdSec releases binaries built with go 1.25.7+.
|
||||
|
||||
**Impact**: Low. These vulnerabilities are in CrowdSec's third-party binaries, not in Charon's application code. They affect HTTP/2, TLS certificate handling, and archive parsing—areas not directly exposed to attackers through Charon's interface.
|
||||
|
||||
|
||||
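Review bot: The CrowdSec paragraph's fix threshold was changed from "built with Go 1.25.6+" to "built with go 1.25.7+" as part of the bulk rename, but this sentence states which Go release resolves the four listed stdlib CVEs, not which version Charon builds with. Unless those CVEs are only fixed in 1.25.7, keep the original threshold here; raising it tells readers that a CrowdSec binary built with 1.25.6 is still affected, which the previous text said it was not.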
@@ -1,6 +1,6 @@
|
||||
module github.com/Wikid82/charon/backend
|
||||
|
||||
go 1.25.6
|
||||
go 1.25.7
|
||||
|
||||
require (
|
||||
github.com/containrrr/shoutrrr v0.8.0
|
||||
|
||||
@@ -173,7 +173,7 @@ If the secret is missing or invalid, the workflow will fail with a clear error m
|
||||
|
||||
**Prerequisites:**
|
||||
|
||||
- Go 1.25.6+ (automatically managed via `GOTOOLCHAIN: auto` in CI)
|
||||
- go 1.25.7+ (automatically managed via `GOTOOLCHAIN: auto` in CI)
|
||||
- Node.js 20+ for frontend builds
|
||||
|
||||
**Triggers when:**
|
||||
|
||||
@@ -138,7 +138,7 @@ grype alpine:3.23 --only-fixed --fail-on critical,high
|
||||
#### musl vs glibc Compatibility
|
||||
|
||||
**Charon Application Profile:**
|
||||
- **Language:** Go 1.25.6 (static binaries with CGO_ENABLED=1 for SQLite)
|
||||
- **Language:** go 1.25.7 (static binaries with CGO_ENABLED=1 for SQLite)
|
||||
- **C Dependencies:** SQLite (libsqlite3-dev)
|
||||
- **Go Stdlib Features:** Standard library calls only (net, crypto, http)
|
||||
|
||||
|
||||
@@ -111,7 +111,7 @@ Complete Definition of Done validation executed after Docker image rebuild with
|
||||
**Assessment**: Minor coverage regression (92.0% → 84.0%) likely due to:
|
||||
1. New uncovered code paths introduced in recent commits
|
||||
2. Test cache refresh after Docker rebuild
|
||||
3. Go 1.25.6 coverage calculation differences
|
||||
3. go 1.25.7 coverage calculation differences
|
||||
|
||||
**Risk Level**: **LOW** - 1% variance acceptable for non-production code. Coverage still strong across critical packages.
|
||||
|
||||
@@ -735,14 +735,14 @@ Stage 1: Frontend Builder (Node 24.13.0-slim)
|
||||
- Output: 1.39MB JS bundle (407KB gzipped), 81KB CSS (14KB gzipped)
|
||||
- Duration: 18.2 seconds
|
||||
|
||||
Stage 2: Backend Builder (Go 1.25.6-trixie)
|
||||
Stage 2: Backend Builder (go 1.25.7-trixie)
|
||||
- go mod download: Dependencies cached
|
||||
- CGO_ENABLED=1 build: Production optimized binary
|
||||
- Output: /app/charon binary with stripped symbols (-s -w)
|
||||
- Delve debugger: /usr/local/bin/dlv (for development)
|
||||
- Duration: 5.7 seconds
|
||||
|
||||
Stage 3: CrowdSec Builder (Go 1.25.6-trixie)
|
||||
Stage 3: CrowdSec Builder (go 1.25.7-trixie)
|
||||
- Patched dependencies: expr@v1.17.7, crypto@v0.46.0
|
||||
- Built: /crowdsec-out/crowdsec, /crowdsec-out/cscli
|
||||
- Version: v1.7.6
|
||||
|
||||
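Review bot: The Stage 2 and Stage 3 builder lines belong to a recorded build with measured durations (18.2 seconds, 5.7 seconds) and a specific CrowdSec version, so changing the image from 1.25.6-trixie to 1.25.7-trixie makes the report describe a build those numbers did not come from. Leave dated QA and build reports at the version they were produced with, or regenerate the report from a 1.25.7 build instead of editing the label.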
@@ -205,7 +205,7 @@ All HIGH vulnerabilities are in **base image system packages** (Debian Trixie):
|
||||
- Monitor for Debian security updates
|
||||
- Consider if alternative base image is warranted
|
||||
|
||||
5. **Staticcheck Version**: Update staticcheck to Go 1.25.6+
|
||||
5. **Staticcheck Version**: Update staticcheck to go 1.25.7+
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
# Script to install Go 1.25.6 to /usr/local/go
|
||||
# Script to install go 1.25.7 to /usr/local/go
|
||||
# Usage: sudo ./scripts/install-go-1.25.6.sh
|
||||
|
||||
GO_VERSION="1.25.6"
|
||||
|
||||
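Review bot: Only the header comment changes in this hunk; the unchanged context still has `GO_VERSION="1.25.6"` and `# Usage: sudo ./scripts/install-go-1.25.6.sh`. The script will keep installing 1.25.6 while its comment, the Makefile echo and the docs all say 1.25.7. Update `GO_VERSION` and the usage line (and the file name, if it stays versioned) so the installer matches what the rest of the commit claims.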