Bump golang to 1.26.3#2925
Conversation
📝 WalkthroughWalkthroughThe PR updates Go toolchain settings and bootstrap logic to Go 1.26.3, refreshes vendored metadata, updates local Go 1.26 builder image defaults, and changes Tekton EL8/EL9 builder image arguments to ChangesGo 1.26 toolchain and build configuration
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 2uasimojo The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
hack/ubi-build-deps.sh (1)
8-8: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin the
golang.org/dlmodule version.The SDK is fixed at Go 1.26.3, but
@latestmakes the wrapper dependency change on future image rebuilds. Pin a tested module version so bootstrap behavior remains reproducible.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@hack/ubi-build-deps.sh` at line 8, Pin the golang.org/dl dependency in the Go installation command instead of using `@latest`, selecting a tested module version compatible with Go 1.26.3 to keep the bootstrap in hack/ubi-build-deps.sh reproducible.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.tekton/hive-mce-217-push.yaml:
- Around line 49-50: The Dockerfile’s default EL8_BUILD_IMAGE and
EL9_BUILD_IMAGE arguments still reference Go 1.25 images. Update the ARG
defaults to the same Go 1.26 builder images used in the pipeline, or make both
arguments mandatory for all build paths.
In `@go.mod`:
- Around line 3-5: The Dockerfile builder stages and the Makefile
podman-dev-build path are inconsistent with the Go version required by go.mod.
Update both builder image defaults to Go 1.26.3 and ensure podman-dev-build runs
hack/ubi-build-deps.sh, or otherwise make that customization hook mandatory for
every non-Tekton build path.
---
Nitpick comments:
In `@hack/ubi-build-deps.sh`:
- Line 8: Pin the golang.org/dl dependency in the Go installation command
instead of using `@latest`, selecting a tested module version compatible with Go
1.26.3 to keep the bootstrap in hack/ubi-build-deps.sh reproducible.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 35067e66-2bf3-4e14-8bb0-73755710bc8a
📒 Files selected for processing (24)
.tekton/hive-mce-210-pull-request.yaml.tekton/hive-mce-210-push.yaml.tekton/hive-mce-211-pull-request.yaml.tekton/hive-mce-211-push.yaml.tekton/hive-mce-217-pull-request.yaml.tekton/hive-mce-217-push.yaml.tekton/hive-mce-26-pull-request.yaml.tekton/hive-mce-26-push.yaml.tekton/hive-mce-27-pull-request.yaml.tekton/hive-mce-27-push.yaml.tekton/hive-mce-28-pull-request.yaml.tekton/hive-mce-28-push.yaml.tekton/hive-mce-29-pull-request.yaml.tekton/hive-mce-29-push.yaml.tekton/hive-mce-50-pull-request.yaml.tekton/hive-mce-50-push.yaml.tekton/hive-mce-51-pull-request.yaml.tekton/hive-mce-51-push.yaml.tekton/hive-pull-request.yaml.tekton/hive-push.yamlapis/go.modgo.modhack/ubi-build-deps.shvendor/modules.txt
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/ote/go.mod`:
- Line 3: Update the Go version declaration in test/ote/go.mod from 1.26.3 to
the current patched release 1.26.5, ensuring the module uses the latest
available security fixes.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 1cb0d38a-7047-417c-acfe-b2b0e8d76fcf
📒 Files selected for processing (28)
.tekton/hive-mce-210-pull-request.yaml.tekton/hive-mce-210-push.yaml.tekton/hive-mce-211-pull-request.yaml.tekton/hive-mce-211-push.yaml.tekton/hive-mce-217-pull-request.yaml.tekton/hive-mce-217-push.yaml.tekton/hive-mce-26-pull-request.yaml.tekton/hive-mce-26-push.yaml.tekton/hive-mce-27-pull-request.yaml.tekton/hive-mce-27-push.yaml.tekton/hive-mce-28-pull-request.yaml.tekton/hive-mce-28-push.yaml.tekton/hive-mce-29-pull-request.yaml.tekton/hive-mce-29-push.yaml.tekton/hive-mce-50-pull-request.yaml.tekton/hive-mce-50-push.yaml.tekton/hive-mce-51-pull-request.yaml.tekton/hive-mce-51-push.yaml.tekton/hive-pull-request.yaml.tekton/hive-push.yamlDockerfileDockerfile.oteMakefileapis/go.modgo.modhack/ubi-build-deps.shtest/ote/go.modvendor/modules.txt
✅ Files skipped from review due to trivial changes (4)
- .tekton/hive-mce-217-pull-request.yaml
- vendor/modules.txt
- .tekton/hive-mce-211-pull-request.yaml
- Dockerfile.ote
🚧 Files skipped from review as they are similar to previous changes (21)
- .tekton/hive-mce-27-push.yaml
- .tekton/hive-mce-26-push.yaml
- .tekton/hive-mce-50-pull-request.yaml
- .tekton/hive-mce-28-push.yaml
- .tekton/hive-mce-217-push.yaml
- .tekton/hive-mce-210-pull-request.yaml
- .tekton/hive-mce-210-push.yaml
- .tekton/hive-mce-26-pull-request.yaml
- .tekton/hive-mce-51-pull-request.yaml
- .tekton/hive-mce-211-push.yaml
- .tekton/hive-pull-request.yaml
- .tekton/hive-push.yaml
- .tekton/hive-mce-51-push.yaml
- .tekton/hive-mce-27-pull-request.yaml
- .tekton/hive-mce-50-push.yaml
- hack/ubi-build-deps.sh
- .tekton/hive-mce-28-pull-request.yaml
- .tekton/hive-mce-29-push.yaml
- go.mod
- apis/go.mod
- .tekton/hive-mce-29-pull-request.yaml
| module github.com/openshift/hive/test/ote | ||
|
|
||
| go 1.25.0 | ||
| go 1.26.0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
What security fixes are included in Go 1.26.4 and Go 1.26.5?
💡 Result:
Go 1.26.4 and Go 1.26.5 are minor point releases that include several security fixes for the Go programming language [1][2]. Go 1.26.4 (released June 2, 2026) includes the following three security fixes: * mime: A fix for quadratic complexity in WordDecoder.DecodeHeader, which could previously lead to excessive CPU consumption when decoding maliciously crafted MIME headers (CVE-2026-42504) [1][3]. * net/textproto: A fix for an issue where arbitrary input was included in errors without escaping, allowing for potential injection of misleading content or terminal control bytes into logs or output (CVE-2026-42507) [1][3]. * crypto/x509: A fix for an efficiency issue where (*x509.Certificate).VerifyHostname called strings.Split repeatedly on the same input, leading to quadratic scaling issues when processing certificates with large numbers of DNS Subject Alternative Name (SAN) entries (CVE-2026-27145) [1][3]. Go 1.26.5 includes the following two security fixes: * os: A fix for a root escape vulnerability on Unix systems where paths ending in a trailing slash (/) could improperly follow symlinks outside of the intended root directory (CVE-2026-39822) [2]. * crypto/tls: A fix for an Encrypted Client Hello (ECH) privacy leak where pre-shared key identities could be leaked during the handshake, potentially allowing a passive observer to de-anonymize the server's hostname (CVE-2026-42505) [2].
Citations:
- 1: https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw
- 2: https://groups.google.com/g/golang-announce/c/OrmQE_Yp5Sc
- 3: https://www.openwall.com/lists/oss-security/2026/06/03/2
Bump the Go 1.26.3 pin — Go 1.26.4 and 1.26.5 already include security fixes in mime, net/textproto, crypto/x509, os, and crypto/tls, so 1.26.3 is already behind current patched releases.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@test/ote/go.mod` at line 3, Update the Go version declaration in
test/ote/go.mod from 1.26.3 to the current patched release 1.26.5, ensuring the
module uses the latest available security fixes.
There was a problem hiding this comment.
No can do. We are limited by the availability of go versions in our various builder images.
There was a problem hiding this comment.
@2uasimojo, understood — thanks for the clarification. Makes sense that the Go version is tied to whatever openshift-golang-builder / rhel-*-golang-*-openshift-* tags are actually published, rather than being a free choice. I'll factor that in for future version-bump reviews on this repo.
✏️ Learnings added
Learnt from: 2uasimojo
Repo: openshift/hive PR: 2925
File: test/ote/go.mod:3-3
Timestamp: 2026-07-10T21:43:08.743Z
Learning: In the openshift/hive repository, Go toolchain version bumps (e.g., in go.mod, apis/go.mod, test/ote/go.mod) are constrained by the availability of matching Go versions in the builder images used across the Dockerfile, Dockerfile.ote, Makefile, and .tekton/*.yaml pipeline definitions (e.g., `rhel-8-golang-*-openshift-*`, `rhel-9-golang-*-openshift-*`, `openshift-golang-builder` image tags). Do not suggest bumping the Go version further (e.g., to a newer patch release) without confirming that a corresponding builder image is available; per maintainer 2uasimojo, such suggestions are unlikely to be actionable.
Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.
|
@2uasimojo: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
This requires a bump in the release repo in order to build properly. |
Note that this PR is not expected to make
securitypass, as there are still several vulns that require even newer golangs, which are not yet available to us. However, 1.26.3 is still newer than 1.25.9 (patch status equivalent to 1.25.10) so this still moves the ball forward.Summary by CodeRabbit