1. GitHub Actions — Node.js 20 runtime deprecation
GitHub enforces Node.js 24 as the minimum action runtime effective June 2026. All three workflow files in this repository (ci.yaml, docker-publish.yaml, release.yaml) pin action versions whose bundled JavaScript runtime is Node.js 20. These will trigger deprecation warnings or fail under the enforced Node.js 24 requirement.
The sibling repositories krakenkey/app, krakenkey/cli, and krakenkey/infra-int have already been updated to the newer major versions shown below.
| Action |
Pinned version |
Used in sibling repos |
Recommended |
actions/checkout |
@v4 |
@v6 (app, cli, infra-int) |
@v6 |
actions/setup-go |
@v5 |
@v6 (cli) |
@v6 |
actions/upload-artifact |
@v4 |
@v6 (app) |
@v6 |
docker/setup-qemu-action |
@v3 |
@v4 (cli) |
@v4 |
docker/setup-buildx-action |
@v3 |
@v4 (cli, app) |
@v4 |
docker/login-action |
@v3 |
@v4 (cli, app) |
@v4 |
docker/metadata-action |
@v5 |
@v6 (app) |
@v6 |
docker/build-push-action |
@v6 |
@v7 (app) |
@v7 |
goreleaser/goreleaser-action |
@v6 |
@v7 (cli) |
@v7 |
golangci/golangci-lint-action |
@v6 |
— |
verify Node-24-compatible release |
2. Go toolchain — EOL minimum version
go.mod declares go 1.23.6 as the minimum toolchain version. Go 1.23 reached end-of-life in August 2025 (when Go 1.25 shipped) and no longer receives security patches. The CI workflows also test against go-version: "1.24", which reaches end-of-life in approximately August 2026.
| Location |
Current |
Recommended |
go.mod |
go 1.23.6 |
go 1.26 |
ci.yaml → go-version |
"1.24" |
"1.26" |
docker-publish.yaml → go-version |
"1.24" |
"1.26" |
release.yaml → go-version |
"1.24" |
"1.26" |
3. Go module dependencies
govulncheck could not be executed remotely; running govulncheck ./... locally is recommended to catch newly published advisories. Static review of the pinned dependencies found no known CVEs:
| Module |
Version |
Status |
gopkg.in/yaml.v3 |
v3.0.1 |
✅ No known CVEs — v3.0.1 is the CVE-2022-28948 fix release |
gopkg.in/check.v1 |
v0.0.0-20161208181325 |
✅ No known CVEs |
1. GitHub Actions — Node.js 20 runtime deprecation
GitHub enforces Node.js 24 as the minimum action runtime effective June 2026. All three workflow files in this repository (
ci.yaml,docker-publish.yaml,release.yaml) pin action versions whose bundled JavaScript runtime is Node.js 20. These will trigger deprecation warnings or fail under the enforced Node.js 24 requirement.The sibling repositories
krakenkey/app,krakenkey/cli, andkrakenkey/infra-inthave already been updated to the newer major versions shown below.actions/checkout@v4@v6(app, cli, infra-int)@v6actions/setup-go@v5@v6(cli)@v6actions/upload-artifact@v4@v6(app)@v6docker/setup-qemu-action@v3@v4(cli)@v4docker/setup-buildx-action@v3@v4(cli, app)@v4docker/login-action@v3@v4(cli, app)@v4docker/metadata-action@v5@v6(app)@v6docker/build-push-action@v6@v7(app)@v7goreleaser/goreleaser-action@v6@v7(cli)@v7golangci/golangci-lint-action@v62. Go toolchain — EOL minimum version
go.moddeclaresgo 1.23.6as the minimum toolchain version. Go 1.23 reached end-of-life in August 2025 (when Go 1.25 shipped) and no longer receives security patches. The CI workflows also test againstgo-version: "1.24", which reaches end-of-life in approximately August 2026.go.modgo 1.23.6go 1.26ci.yaml→go-version"1.24""1.26"docker-publish.yaml→go-version"1.24""1.26"release.yaml→go-version"1.24""1.26"3. Go module dependencies
govulncheckcould not be executed remotely; runninggovulncheck ./...locally is recommended to catch newly published advisories. Static review of the pinned dependencies found no known CVEs:gopkg.in/yaml.v3v3.0.1gopkg.in/check.v1v0.0.0-20161208181325