chore(deps): update go-non-major to v1.26.5#1133
Conversation
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
The Dockerfile's golang builder image ARG was tracked via the docker datasource and grouped separately (dockerfile-non-major) from go.mod's go directive and GO_VERSION workflow vars (go-non-major, golang-version datasource). This let the two land in independent PRs that could merge out of order, breaking the Docker build whenever go.mod's floor version outran the pinned builder image (as happened with the 1.26.5 bump).
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
✅ Supply Chain Verification Results✅ PASSED 📦 SBOM Summary
🔍 Vulnerability Scan
📎 Artifacts
Generated by Supply Chain Verification workflow • View Details |
The "Utility: Update Go Version" task only pinned GOTOOLCHAIN, leaving gopls (a long-running process that resolves its Go version once at startup) reporting the old version until the editor was reloaded. It also left every previously-downloaded toolchain cached indefinitely (~285MB each). update-go-toolchain.sh now prunes old toolchain caches and kills gopls so the editor's Go extension respawns it automatically.
Go vulndb flags golang.org/x/crypto/openpgp v0.53.0 as unmaintained and unsafe by design with no fixed version — not a patchable bug. Trivy's gobinary scan flags it in app/charon, caddy, crowdsec, and cscli based on module version alone; verified via `go list -deps ./...` that Charon's own code never imports the openpgp subpackage, so the app/charon finding is a false positive. caddy/crowdsec/cscli carry it as a third-party transitive dependency we don't control. Documents the suppression in .trivyignore, .grype.yaml, and SECURITY.md so it's tracked as awaiting upstream with a 2026-08-08 review date.
This PR contains the following updates:
1.26.4→1.26.51.26.4→1.26.5Release Notes
golang/go (golang/go)
v1.26.5Compare Source
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.