build: require patched Go release artifacts#77
Conversation
Signed-off-by: Chris Gianelloni <wolf31o2@blinklabs.io>
📝 WalkthroughWalkthroughThe change pins Go 1.26.5 across modules and GitHub Actions workflows, updates the documented Go requirement, and refreshes digest-pinned Docker base images. It adds a Makefile vulnerability target using a pinned govulncheck version and runs it in CI. Docker CI now loads architecture-specific images and scans them with Trivy, failing on HIGH or CRITICAL vulnerabilities. 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@Makefile`:
- Around line 133-139: Make GO_BIN an absolute path before deriving
VULNCHECK_BIN, preserving the existing binary configuration while ensuring
VULNCHECK_BIN remains executable after the vuln target changes directories into
hnsutil and hnsutil/psbt.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 49f8b8cc-1af8-4e1f-8123-369ed22d8363
📒 Files selected for processing (10)
.github/workflows/ci-docker.yml.github/workflows/go-test.yml.github/workflows/golangci-lint.yml.github/workflows/publish.ymlDockerfileMakefileREADME.mdgo.modhnsutil/go.modhnsutil/psbt/go.mod
There was a problem hiding this comment.
All reported issues were addressed across 10 files
You're on the cubic free plan with 11 free PR reviews remaining this month. Upgrade for unlimited reviews.
Re-trigger cubic
Signed-off-by: Chris Gianelloni <wolf31o2@blinklabs.io>
|
@coderabbitai full review |
✅ Action performedFull review finished. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@go.mod`:
- Around line 46-47: Update the go directive to 1.26.5 in go.mod (lines 46-47),
hnsutil/go.mod (lines 5-6), and hnsutil/psbt/go.mod (lines 5-6); README.md
(lines 33-34) already reflects the required version and needs no change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 918b6473-67f1-4fa2-81d4-0507931f32fb
📒 Files selected for processing (10)
.github/workflows/ci-docker.yml.github/workflows/go-test.yml.github/workflows/golangci-lint.yml.github/workflows/publish.ymlDockerfileMakefileREADME.mdgo.modhnsutil/go.modhnsutil/psbt/go.mod
Signed-off-by: Chris Gianelloni <wolf31o2@blinklabs.io>
Summary
govulnchecktarget and CI job covering the root,hnsutil, andpsbtmodulesSecurity impact
The previous production builder used Go 1.26.3. Current reachable standard-library advisories require fixes from Go 1.26.4 and 1.26.5. This change makes the patched toolchain part of source builds and release artifacts, while adding gates that detect future reachable Go vulnerabilities and assembled-image vulnerabilities.
Validation
GOTOOLCHAIN=go1.26.5 go versiongo mod tidyin all three modules with no dependency driftmake buildmake unitmake integrationmake unit-covermake unit-race GOTEST="go test"make vuln: zero reachable vulnerabilities in all three modulesgo vet ./...in all three modulesmake lint workers=2with the Makefile-pinned golangci-lint v2.1.6 built by Go 1.26.5actionlintgit diff --checkSummary by cubic
Require Go 1.26.5 across all modules, CI, and release images to ship patched binaries. Add CI checks to block builds and images with known vulnerabilities.
Dependencies
go 1.26.5in root,hnsutil, andhnsutil/psbt; README now requires Go 1.26.5+.GO_VERSIONto 1.26.5 in workflows.golang:1.26.5-bookworm@sha256:...; run onalpine:3.24.1@sha256:....GOBINfor reliable installs across subdirs.Security
govulncheckmake target and CI job covering all modules.aquasecurity/trivy-actionv0.36.0 (Trivy v0.72.0), fail on HIGH/CRITICAL.Written for commit 158f5a1. Summary will update on new commits.
Summary by CodeRabbit
Security
Maintenance
Developer Experience
vulnmake target to run Go vulnerability checks across modules.