Skip to content

build: require patched Go release artifacts#77

Merged
wolf31o2 merged 3 commits into
mainfrom
security/go-1.26.5
Jul 17, 2026
Merged

build: require patched Go release artifacts#77
wolf31o2 merged 3 commits into
mainfrom
security/go-1.26.5

Conversation

@wolf31o2

@wolf31o2 wolf31o2 commented Jul 15, 2026

Copy link
Copy Markdown
Member

Summary

  • select Go 1.26.5 in every module, CI workflow, release build, and production container
  • pin the official multi-architecture Go 1.26.5 builder and Alpine 3.24.1 runtime to immutable OCI digests
  • add a pinned govulncheck target and CI job covering the root, hnsutil, and psbt modules
  • load and scan both Docker CI architectures with pinned Trivy tooling, failing on high or critical OS and Go binary findings
  • document the patched toolchain requirement

Security impact

The previous production builder used Go 1.26.3. Current reachable standard-library advisories require fixes from Go 1.26.4 and 1.26.5. This change makes the patched toolchain part of source builds and release artifacts, while adding gates that detect future reachable Go vulnerabilities and assembled-image vulnerabilities.

Validation

  • GOTOOLCHAIN=go1.26.5 go version
  • go mod tidy in all three modules with no dependency drift
  • make build
  • make unit
  • make integration
  • make unit-cover
  • make unit-race GOTEST="go test"
  • make vuln: zero reachable vulnerabilities in all three modules
  • go vet ./... in all three modules
  • make lint workers=2 with the Makefile-pinned golangci-lint v2.1.6 built by Go 1.26.5
  • actionlint
  • native arm64 and emulated amd64 production Docker builds
  • non-root identity, image metadata, node version, and hnsctl version smoke checks on both images
  • Trivy v0.72.0 scans of both assembled images: zero high or critical findings in Alpine, handshake-node, and hnsctl
  • git diff --check

Summary by cubic

Require Go 1.26.5 across all modules, CI, and release images to ship patched binaries. Add CI checks to block builds and images with known vulnerabilities.

  • Dependencies

    • Set go 1.26.5 in root, hnsutil, and hnsutil/psbt; README now requires Go 1.26.5+.
    • Pin GO_VERSION to 1.26.5 in workflows.
    • Build with golang:1.26.5-bookworm@sha256:...; run on alpine:3.24.1@sha256:....
    • Normalize Go tool installs to an absolute GOBIN for reliable installs across subdirs.
  • Security

    • Add govulncheck make target and CI job covering all modules.
    • Load and scan per-arch CI images with aquasecurity/trivy-action v0.36.0 (Trivy v0.72.0), fail on HIGH/CRITICAL.
    • Enforce Go 1.26.5 as the module baseline in release artifacts; addresses stdlib advisories fixed in 1.26.4 and 1.26.5.

Written for commit 158f5a1. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Security

    • Added automated vulnerability scanning for container images and Go modules.
    • CI now fails builds when high- or critical-severity issues are detected.
  • Maintenance

    • Pinned the Go toolchain to Go 1.26.5 and updated documented minimum requirements.
    • Pinned Docker base images for more consistent container builds.
  • Developer Experience

    • Added a project-wide vuln make target to run Go vulnerability checks across modules.

Signed-off-by: Chris Gianelloni <wolf31o2@blinklabs.io>
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The change pins Go 1.26.5 across modules and GitHub Actions workflows, updates the documented Go requirement, and refreshes digest-pinned Docker base images. It adds a Makefile vulnerability target using a pinned govulncheck version and runs it in CI. Docker CI now loads architecture-specific images and scans them with Trivy, failing on HIGH or CRITICAL vulnerabilities.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the main change: pinning builds to patched Go release artifacts.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/go-1.26.5

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Makefile`:
- Around line 133-139: Make GO_BIN an absolute path before deriving
VULNCHECK_BIN, preserving the existing binary configuration while ensuring
VULNCHECK_BIN remains executable after the vuln target changes directories into
hnsutil and hnsutil/psbt.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 49f8b8cc-1af8-4e1f-8123-369ed22d8363

📥 Commits

Reviewing files that changed from the base of the PR and between 85322c4 and 2ac6794.

📒 Files selected for processing (10)
  • .github/workflows/ci-docker.yml
  • .github/workflows/go-test.yml
  • .github/workflows/golangci-lint.yml
  • .github/workflows/publish.yml
  • Dockerfile
  • Makefile
  • README.md
  • go.mod
  • hnsutil/go.mod
  • hnsutil/psbt/go.mod

Comment thread Makefile

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 10 files

You're on the cubic free plan with 11 free PR reviews remaining this month. Upgrade for unlimited reviews.

Re-trigger cubic

Comment thread Makefile
Signed-off-by: Chris Gianelloni <wolf31o2@blinklabs.io>
@wolf31o2

Copy link
Copy Markdown
Member Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 46-47: Update the go directive to 1.26.5 in go.mod (lines 46-47),
hnsutil/go.mod (lines 5-6), and hnsutil/psbt/go.mod (lines 5-6); README.md
(lines 33-34) already reflects the required version and needs no change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 918b6473-67f1-4fa2-81d4-0507931f32fb

📥 Commits

Reviewing files that changed from the base of the PR and between 85322c4 and 172ca44.

📒 Files selected for processing (10)
  • .github/workflows/ci-docker.yml
  • .github/workflows/go-test.yml
  • .github/workflows/golangci-lint.yml
  • .github/workflows/publish.yml
  • Dockerfile
  • Makefile
  • README.md
  • go.mod
  • hnsutil/go.mod
  • hnsutil/psbt/go.mod

Comment thread go.mod Outdated
Signed-off-by: Chris Gianelloni <wolf31o2@blinklabs.io>
@wolf31o2
wolf31o2 merged commit 9755071 into main Jul 17, 2026
15 checks passed
@wolf31o2
wolf31o2 deleted the security/go-1.26.5 branch July 17, 2026 14:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant