Skip to content

chore(deps): raise minimum Go to 1.25; batch 5 dependabot bumps#40

Merged
kevinelliott merged 1 commit intomainfrom
chore/go-1.25-and-deps
Apr 24, 2026
Merged

chore(deps): raise minimum Go to 1.25; batch 5 dependabot bumps#40
kevinelliott merged 1 commit intomainfrom
chore/go-1.25-and-deps

Conversation

@kevinelliott
Copy link
Copy Markdown
Owner

@kevinelliott kevinelliott commented Apr 24, 2026

Summary

`golang.org/x/sync v0.20.0` requires `go >= 1.25.0`. Rather than pin that sub-package to v0.19 and leave four other bumps blocked, bump the module's minimum Go to match.

User-visible: `go install` users on 1.24 will see a clear `requires go >= 1.25` error when they next install. Existing binaries are unaffected.

Dep bumps

package from to
`google.golang.org/grpc` v1.79.3 v1.80.0
`golang.org/x/sync` v0.19.0 v0.20.0 (forces 1.25)
`github.com/mattn/go-isatty` v0.0.20 v0.0.21
`github.com/mattn/go-sqlite3` v1.14.34 v1.14.42
`golang.org/x/sys` v0.41.0 v0.43.0

Transitive: `x/net` 0.48→0.49, `x/text` 0.32→0.33, `protobuf` 1.36.10→1.36.11, genproto-rpc bump.

Toolchain updates

  • `go.mod`: `go 1.24.2` (+ `toolchain go1.24.11`) → `go 1.25.0`
  • `.github/workflows/ci.yml`: `GO_VERSION` 1.24 → 1.25; matrix `['1.23','1.24']` → `['1.25']` (module now excludes 1.24)
  • `.github/workflows/release.yml`: `GO_VERSION` 1.24 → 1.25
  • `Dockerfile`: `golang:1.24-alpine` → `golang:1.25-alpine`
  • `README.md` + `CONTRIBUTING.md` prerequisites: Go 1.24+ → Go 1.25+

Supersedes

Test plan

  • `go build ./...` clean
  • `go test ./... -race -short` green
  • `make lint` clean (golangci-lint v1.64.8)
  • CI Lint job passes on Go 1.25
  • CI Test matrix passes on Go 1.25 across macOS/Ubuntu/Windows

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings April 24, 2026 20:32
Copilot AI reviewed Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the module’s minimum supported Go version to 1.25 to accommodate dependency updates (notably golang.org/x/sync v0.20.0) and batches several dependency bumps while aligning tooling/docs/CI to the new baseline.

Changes:

  • Raise go.mod minimum Go version to 1.25.0 and update direct + indirect module dependencies accordingly.
  • Update CI/release workflows and Docker build image to use Go 1.25.
  • Update README/CONTRIBUTING prerequisites to reflect Go 1.25+.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

Show a summary per file
File Description
go.mod Bumps Go directive to 1.25.0 and updates dependency versions.
go.sum Refreshes module checksums for the updated dependency graph.
.github/workflows/ci.yml Updates Go version env/matrix and Codecov condition to 1.25.
.github/workflows/release.yml Updates release workflow Go version to 1.25.
Dockerfile Updates builder base image to golang:1.25-alpine.
README.md Updates development prerequisites to Go 1.25+.
CONTRIBUTING.md Updates contributor prerequisites to Go 1.25+.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@kevinelliott @claude
chore(deps): raise minimum Go to 1.25; bump 5 deps; migrate golangci-…
91708a8 
…lint to v2

golang.org/x/sync v0.20.0 requires go >= 1.25.0. Rather than pin that
sub-package to v0.19 and leave four other bumps blocked, bump the
module's minimum Go to match. User-visible: go install users on 1.24
will see a clear "requires go >= 1.25" error when they next install.

Golangci-lint v1 is discontinued (last release v1.64.8 built with
Go 1.24, refuses to lint Go 1.25 modules). Migrated to v2.11.4:
- .golangci.yml: v1 format -> v2 (via `golangci-lint migrate`)
- Makefile GOLANGCI_LINT_VERSION: v1.64.8 -> v2.11.4; install path
  switched to v2 module (.../v2/cmd/golangci-lint)
- CI uses golangci-lint-action@v7 (v6 doesn't support v2 binaries)
- Added exclusions for 3 v2-new rules that fire false-positive-heavy
  on this codebase:
  - gocritic importShadow (we deliberately shadow agent/status)
  - gosec G703 (all flagged paths are from platform.GetConfigDir /
    platform.GetDataDir / catalog package names, never user input)
  - noctx (most flags are exec.Command/net.Listen/httptest.NewRequest
    where adopting ctx variants adds ceremony without correctness)

Dep bumps:
- google.golang.org/grpc           v1.79.3  -> v1.80.0
- golang.org/x/sync                v0.19.0  -> v0.20.0  (forces 1.25)
- github.com/mattn/go-isatty       v0.0.20  -> v0.0.21
- github.com/mattn/go-sqlite3      v1.14.34 -> v1.14.42
- golang.org/x/sys                 v0.41.0  -> v0.43.0
- Transitive: x/net 0.48->0.49, x/text 0.32->0.33,
  protobuf 1.36.10->1.36.11, genproto-rpc bump

Toolchain updates: go.mod go 1.24.2 -> 1.25.0; CI GO_VERSION 1.24
-> 1.25; test matrix ['1.23','1.24'] -> ['1.25']; Dockerfile
golang:1.24-alpine -> golang:1.25-alpine; README.md +
CONTRIBUTING.md prerequisites Go 1.24+ -> Go 1.25+.

Real findings the v2 lint surfaced and fixed inline:
- internal/systray/systray.go:109 gosec G118: cancel func is stored
  on the struct and invoked in onExit; suppressed with contextual
  nolint since gosec can't see that.
- internal/systray/systray.go:942 nolintlint: removed a stale
  //nolint:gosec directive (the call no longer matched G204 under
  the new ruleset).
- internal/tui/app.go:572 staticcheck QF1012: WriteString(Sprintf)
  -> Fprintf.

Supersedes dependabot PRs #35, #36, #37, #38, #39.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@kevinelliott kevinelliott force-pushed the chore/go-1.25-and-deps branch from c900b82 to 91708a8 Compare April 24, 2026 20:52
@kevinelliott kevinelliott merged commit 9f863a8 into main Apr 24, 2026
12 checks passed
@kevinelliott kevinelliott deleted the chore/go-1.25-and-deps branch April 24, 2026 21:06
This was referenced Apr 24, 2026
Closed
Closed
Closed
Closed
Closed
Merged
kevinelliott added a commit that referenced this pull request Apr 24, 2026
@kevinelliott @claude
chore(deps): group dependabot PRs; weekly cadence (#41)
6a846da 
Switches dependabot from daily/per-package to weekly/grouped so
routine dep maintenance consolidates into a single PR instead of
spamming 5+ at a time (we manually batched them in #34 and #40).

- gomod: weekly Monday runs. Minor + patch bumps ride together in
  one "go-deps" group PR. Major bumps still open individually
  (API changes warrant per-dep review). Security advisories open
  per-package so triage isn't blocked on unrelated minors.
- github-actions: weekly Monday, grouped. We hadn't had any action
  bumps open so this is purely preventive.
- Removed the stock "Please see docs" comment block (noise).

open-pull-requests-limit caps are set so a burst of major bumps
can't flood the queue.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kevinelliott