Skip to content

Bump golang to 1.26.3#2925

Open
2uasimojo wants to merge 1 commit into
openshift:masterfrom
2uasimojo:go-1.26.3
Open

Bump golang to 1.26.3#2925
2uasimojo wants to merge 1 commit into
openshift:masterfrom
2uasimojo:go-1.26.3

Conversation

@2uasimojo

@2uasimojo 2uasimojo commented Jul 10, 2026

Copy link
Copy Markdown
Member

Note that this PR is not expected to make security pass, as there are still several vulns that require even newer golangs, which are not yet available to us. However, 1.26.3 is still newer than 1.25.9 (patch status equivalent to 1.25.10) so this still moves the ball forward.

Summary by CodeRabbit

  • Chores
    • Updated the project’s Go toolchain to 1.26.3 (including module/toolchain metadata and OTE-related Go module settings).
    • Refreshed local and container build defaults to newer Go 1.26–based builder images for EL8 and EL9.
    • Updated Tekton PipelineRun build arguments for EL8/EL9 to use the newer Go builder image tags (including OTE).

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

The PR updates Go toolchain settings and bootstrap logic to Go 1.26.3, refreshes vendored metadata, updates local Go 1.26 builder image defaults, and changes Tekton EL8/EL9 builder image arguments to v1.26.3 images.

Changes

Go 1.26 toolchain and build configuration

Layer / File(s) Summary
Go toolchain configuration
go.mod, apis/go.mod, test/ote/go.mod, hack/ubi-build-deps.sh, vendor/modules.txt
Go version directives, toolchain installation, and vendored module metadata are updated for Go 1.26.0 and Go 1.26.3.
Local build image defaults
Dockerfile, Dockerfile.ote, Makefile
EL8, EL9, and OTE builder image defaults are updated to Go 1.26 and OpenShift 4.23 tags.
Tekton builder image references
.tekton/hive*.yaml, .tekton/hive-mce-*.yaml
EL8 and EL9 build-args replace v1.25.9 builder images with v1.26.3 references across pull-request and push PipelineRuns.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately summarizes the main change: bumping Go and related build toolchain images to 1.26.3.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from jstuever and suhanime July 10, 2026 16:17
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 10, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
hack/ubi-build-deps.sh (1)

8-8: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin the golang.org/dl module version.

The SDK is fixed at Go 1.26.3, but @latest makes the wrapper dependency change on future image rebuilds. Pin a tested module version so bootstrap behavior remains reproducible.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/ubi-build-deps.sh` at line 8, Pin the golang.org/dl dependency in the Go
installation command instead of using `@latest`, selecting a tested module version
compatible with Go 1.26.3 to keep the bootstrap in hack/ubi-build-deps.sh
reproducible.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/hive-mce-217-push.yaml:
- Around line 49-50: The Dockerfile’s default EL8_BUILD_IMAGE and
EL9_BUILD_IMAGE arguments still reference Go 1.25 images. Update the ARG
defaults to the same Go 1.26 builder images used in the pipeline, or make both
arguments mandatory for all build paths.

In `@go.mod`:
- Around line 3-5: The Dockerfile builder stages and the Makefile
podman-dev-build path are inconsistent with the Go version required by go.mod.
Update both builder image defaults to Go 1.26.3 and ensure podman-dev-build runs
hack/ubi-build-deps.sh, or otherwise make that customization hook mandatory for
every non-Tekton build path.

---

Nitpick comments:
In `@hack/ubi-build-deps.sh`:
- Line 8: Pin the golang.org/dl dependency in the Go installation command
instead of using `@latest`, selecting a tested module version compatible with Go
1.26.3 to keep the bootstrap in hack/ubi-build-deps.sh reproducible.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 35067e66-2bf3-4e14-8bb0-73755710bc8a

📥 Commits

Reviewing files that changed from the base of the PR and between 3a29cc3 and 9b64ed3.

📒 Files selected for processing (24)
  • .tekton/hive-mce-210-pull-request.yaml
  • .tekton/hive-mce-210-push.yaml
  • .tekton/hive-mce-211-pull-request.yaml
  • .tekton/hive-mce-211-push.yaml
  • .tekton/hive-mce-217-pull-request.yaml
  • .tekton/hive-mce-217-push.yaml
  • .tekton/hive-mce-26-pull-request.yaml
  • .tekton/hive-mce-26-push.yaml
  • .tekton/hive-mce-27-pull-request.yaml
  • .tekton/hive-mce-27-push.yaml
  • .tekton/hive-mce-28-pull-request.yaml
  • .tekton/hive-mce-28-push.yaml
  • .tekton/hive-mce-29-pull-request.yaml
  • .tekton/hive-mce-29-push.yaml
  • .tekton/hive-mce-50-pull-request.yaml
  • .tekton/hive-mce-50-push.yaml
  • .tekton/hive-mce-51-pull-request.yaml
  • .tekton/hive-mce-51-push.yaml
  • .tekton/hive-pull-request.yaml
  • .tekton/hive-push.yaml
  • apis/go.mod
  • go.mod
  • hack/ubi-build-deps.sh
  • vendor/modules.txt

Comment thread .tekton/hive-mce-217-push.yaml
Comment thread go.mod

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/ote/go.mod`:
- Line 3: Update the Go version declaration in test/ote/go.mod from 1.26.3 to
the current patched release 1.26.5, ensuring the module uses the latest
available security fixes.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1cb0d38a-7047-417c-acfe-b2b0e8d76fcf

📥 Commits

Reviewing files that changed from the base of the PR and between 9b64ed3 and 9085ea3.

📒 Files selected for processing (28)
  • .tekton/hive-mce-210-pull-request.yaml
  • .tekton/hive-mce-210-push.yaml
  • .tekton/hive-mce-211-pull-request.yaml
  • .tekton/hive-mce-211-push.yaml
  • .tekton/hive-mce-217-pull-request.yaml
  • .tekton/hive-mce-217-push.yaml
  • .tekton/hive-mce-26-pull-request.yaml
  • .tekton/hive-mce-26-push.yaml
  • .tekton/hive-mce-27-pull-request.yaml
  • .tekton/hive-mce-27-push.yaml
  • .tekton/hive-mce-28-pull-request.yaml
  • .tekton/hive-mce-28-push.yaml
  • .tekton/hive-mce-29-pull-request.yaml
  • .tekton/hive-mce-29-push.yaml
  • .tekton/hive-mce-50-pull-request.yaml
  • .tekton/hive-mce-50-push.yaml
  • .tekton/hive-mce-51-pull-request.yaml
  • .tekton/hive-mce-51-push.yaml
  • .tekton/hive-pull-request.yaml
  • .tekton/hive-push.yaml
  • Dockerfile
  • Dockerfile.ote
  • Makefile
  • apis/go.mod
  • go.mod
  • hack/ubi-build-deps.sh
  • test/ote/go.mod
  • vendor/modules.txt
✅ Files skipped from review due to trivial changes (4)
  • .tekton/hive-mce-217-pull-request.yaml
  • vendor/modules.txt
  • .tekton/hive-mce-211-pull-request.yaml
  • Dockerfile.ote
🚧 Files skipped from review as they are similar to previous changes (21)
  • .tekton/hive-mce-27-push.yaml
  • .tekton/hive-mce-26-push.yaml
  • .tekton/hive-mce-50-pull-request.yaml
  • .tekton/hive-mce-28-push.yaml
  • .tekton/hive-mce-217-push.yaml
  • .tekton/hive-mce-210-pull-request.yaml
  • .tekton/hive-mce-210-push.yaml
  • .tekton/hive-mce-26-pull-request.yaml
  • .tekton/hive-mce-51-pull-request.yaml
  • .tekton/hive-mce-211-push.yaml
  • .tekton/hive-pull-request.yaml
  • .tekton/hive-push.yaml
  • .tekton/hive-mce-51-push.yaml
  • .tekton/hive-mce-27-pull-request.yaml
  • .tekton/hive-mce-50-push.yaml
  • hack/ubi-build-deps.sh
  • .tekton/hive-mce-28-pull-request.yaml
  • .tekton/hive-mce-29-push.yaml
  • go.mod
  • apis/go.mod
  • .tekton/hive-mce-29-pull-request.yaml

Comment thread test/ote/go.mod
module github.com/openshift/hive/test/ote

go 1.25.0
go 1.26.0

@coderabbitai coderabbitai Bot Jul 10, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What security fixes are included in Go 1.26.4 and Go 1.26.5?

💡 Result:

Go 1.26.4 and Go 1.26.5 are minor point releases that include several security fixes for the Go programming language [1][2]. Go 1.26.4 (released June 2, 2026) includes the following three security fixes: * mime: A fix for quadratic complexity in WordDecoder.DecodeHeader, which could previously lead to excessive CPU consumption when decoding maliciously crafted MIME headers (CVE-2026-42504) [1][3]. * net/textproto: A fix for an issue where arbitrary input was included in errors without escaping, allowing for potential injection of misleading content or terminal control bytes into logs or output (CVE-2026-42507) [1][3]. * crypto/x509: A fix for an efficiency issue where (*x509.Certificate).VerifyHostname called strings.Split repeatedly on the same input, leading to quadratic scaling issues when processing certificates with large numbers of DNS Subject Alternative Name (SAN) entries (CVE-2026-27145) [1][3]. Go 1.26.5 includes the following two security fixes: * os: A fix for a root escape vulnerability on Unix systems where paths ending in a trailing slash (/) could improperly follow symlinks outside of the intended root directory (CVE-2026-39822) [2]. * crypto/tls: A fix for an Encrypted Client Hello (ECH) privacy leak where pre-shared key identities could be leaked during the handshake, potentially allowing a passive observer to de-anonymize the server's hostname (CVE-2026-42505) [2].

Citations:


Bump the Go 1.26.3 pin — Go 1.26.4 and 1.26.5 already include security fixes in mime, net/textproto, crypto/x509, os, and crypto/tls, so 1.26.3 is already behind current patched releases.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/ote/go.mod` at line 3, Update the Go version declaration in
test/ote/go.mod from 1.26.3 to the current patched release 1.26.5, ensuring the
module uses the latest available security fixes.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No can do. We are limited by the availability of go versions in our various builder images.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@2uasimojo, understood — thanks for the clarification. Makes sense that the Go version is tied to whatever openshift-golang-builder / rhel-*-golang-*-openshift-* tags are actually published, rather than being a free choice. I'll factor that in for future version-bump reviews on this repo.


✏️ Learnings added
Learnt from: 2uasimojo
Repo: openshift/hive PR: 2925
File: test/ote/go.mod:3-3
Timestamp: 2026-07-10T21:43:08.743Z
Learning: In the openshift/hive repository, Go toolchain version bumps (e.g., in go.mod, apis/go.mod, test/ote/go.mod) are constrained by the availability of matching Go versions in the builder images used across the Dockerfile, Dockerfile.ote, Makefile, and .tekton/*.yaml pipeline definitions (e.g., `rhel-8-golang-*-openshift-*`, `rhel-9-golang-*-openshift-*`, `openshift-golang-builder` image tags). Do not suggest bumping the Go version further (e.g., to a newer patch release) without confirming that a corresponding builder image is available; per maintainer 2uasimojo, such suggestions are unlikely to be actionable.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@2uasimojo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify 9085ea3 link true /test verify
ci/prow/security 9085ea3 link true /test security
ci/prow/e2e 9085ea3 link true /test e2e
ci/prow/unit 9085ea3 link true /test unit
ci/prow/e2e-pool 9085ea3 link true /test e2e-pool
ci/prow/periodic-images 9085ea3 link true /test periodic-images

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@2uasimojo

Copy link
Copy Markdown
Member Author

This requires a bump in the release repo in order to build properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant