build: bump Go toolchain to 1.26.3#1048
Merged
Merged
Conversation
9f8d117 to
045a850
Compare
Contributor
devbox.lock (via devbox update):
- go@latest: 1.25.5 -> 1.26.2
- govulncheck@latest: 1.1.4 -> 1.3.0
- golangci-lint@latest: 2.7.2 -> 2.12.2
devbox.json already pins these to latest; no change needed.
go modules (via `task go:mod-edit-toolchain GO_TOOLCHAIN_VERSION=1.26.3`):
- All three go.mods now use `toolchain go1.26.3` (root, cmd/copy-file-to-pod,
cmd/wait-for-files-to-exist).
- cmd/copy-file-to-pod: bump golang.org/x/net 0.38.0 -> 0.53.0 to fix
GO-2026-4918 (HTTP/2 infinite loop on bad SETTINGS_MAX_FRAME_SIZE).
Side effects: transitive x/sync, x/sys, x/term, x/text bumps; `go`
directive auto-bumped 1.24.0 -> 1.25.0 (required by x/net@v0.53.0).
dependabot:
- Add /cmd/copy-file-to-pod/ and /cmd/wait-for-files-to-exist/ to the
gomod ecosystem so the submodules receive patch/minor updates.
lint cleanup (golangci-lint 2.12.2 surfaces new/stricter rules):
- Auto-fixes from `golangci-lint run --fix`: interface{} -> any,
slices.Contains / slices.ContainsFunc modernization, line wrapping.
- .golangci.yml: migrate `gomodguard` -> `gomodguard_v2` (deprecated since
2.12.0). Exclude goconst from _test.go (test fixture strings), exclude
gosec G122 (filepath.Walk symlink TOCTOU) from _test.go and test helpers —
false-positives in tests that own their temp dirs.
- prealloc fixes in containerd/ctr.go, cmd/mindthegap/push/bundle/bundle.go,
cmd/mindthegap/push/imagearchive/image_archive.go, and
cmd/mindthegap/flags/platforms_flag_test.go.
govulncheck reports no vulnerabilities across all three modules.
golangci-lint reports 0 issues across all three modules.
045a850 to
f99bf53
Compare
Contributor
Merged
jimmidyson
pushed a commit
that referenced
this pull request
May 19, 2026
🤖 I have created a release *beep* *boop* --- ## 1.26.0 (2026-05-19) <!-- Release notes generated using configuration in .github/release.yaml at main --> ## What's Changed ### Exciting New Features 🎉 * feat: push OCI/docker image archive tarballs (NCN-113655) by @jimmidyson in #1038 ### Fixes 🔧 * fix: Allow same-host private/loopback registry bearer realms (NCN-114223) by @jimmidyson in #1046 ### Other Changes * build: bump Go toolchain to 1.26.3 by @jimmidyson in #1048 **Full Changelog**: v1.25.4...v1.26.0 --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: mesosphere-actions-pr-bot[bot] <157582460+mesosphere-actions-pr-bot[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Toolchain
Bump Go toolchain to
go1.26.3across all three modules (root,cmd/copy-file-to-pod,cmd/wait-for-files-to-exist) viatask go:mod-edit-toolchain GO_TOOLCHAIN_VERSION=1.26.3.devbox.lockupdated viadevbox update:go@latest1.25.5 → 1.26.2govulncheck@latest1.1.4 → 1.3.0golangci-lint@latest2.7.2 → 2.12.2devbox.jsonalready pins these tolatest; no change needed.Security
golang.org/x/net0.38.0 → 0.53.0 incmd/copy-file-to-podto fix GO-2026-4918 (HTTP/2 infinite loop on badSETTINGS_MAX_FRAME_SIZE), surfaced bygovulncheckagainst the new toolchain. Side effects ofgo mod tidy: transitivex/sync,x/sys,x/term,x/textbumps; thegodirective moved 1.24.0 → 1.25.0 (required byx/net@v0.53.0).Dependabot
gomodecosystem config to also cover/cmd/copy-file-to-pod/and/cmd/wait-for-files-to-exist/so the submodules receive patch/minor updates going forward.Lint cleanup
The
golangci-lint2.7.2 → 2.12.2 bump surfaces new/stricter rules. Addressed as follows:golangci-lint run --fix:interface{}→any,slices.Contains/slices.ContainsFuncmodernization, line wrapping..golangci.yml:gomodguard→gomodguard_v2(deprecated since 2.12.0).goconstfrom_test.go— extracting constants for every repeated test-fixture string is low-value churn.gosecG122 (filepath.Walk symlink TOCTOU) from_test.goand test helpers — false-positives in tests that own their temp dirs.preallocfixes incontainerd/ctr.go,cmd/mindthegap/push/bundle/bundle.go,cmd/mindthegap/push/imagearchive/image_archive.go, andcmd/mindthegap/flags/platforms_flag_test.go.Test plan
task go:vulncheck— no vulnerabilities across all three modulestask go:lint— 0 issues across all three modules, no deprecation warningsgo test ./...(root) — all packages passgo test ./...for affected packages after prealloc changes — pass