Raise Go toolchain to 1.26.4 and refresh deps#47
Merged
Conversation
- Automate weekly dependency updates for Go modules
- Group minor and patch updates separately for Go and Actions

- Align the module's Go toolchain with the newer runtime used for dependency and security maintenance.
- Keep the build and dependency graph compatible with the updated language version requirements.

- Refresh direct and indirect module versions for current tooling.
- Keep checksum data in sync with the dependency bumps.
- Align CLI, runtime, and transitive packages with newer releases.

- Standardize workflow jobs on Go 1.26.4
- Add vulnerability checks to CI on the same toolchain
- Ensure CodeQL builds and release jobs use the same Go version

- Upgrade fsnotify to the newer v1.10.1 release
- Keep module metadata and checksums in sync

- Refresh the SQLite stack to the newer resolver output.
- Keep module metadata and checksums aligned after the upgrade.

- Remove an unused indirect dep from go.mod.
- Refresh go.sum to match the current dependency graph.
- Drop stale checksum entries from older module versions.

- Raise the minimum Go version to 1.26.4.
- Refresh pinned dependency notes to `modernc.org/sqlite v1.52.0`.
- Keep release notes and contributor guidance in sync.

- Pin govulncheck to a released version for reproducible CI.
- Enable Go module cache in release builds for faster runs.
- Run setup-go before CodeQL init to align the Go toolchain.

- Add govulncheck as a module tool.
- Refresh the module sums needed by the new toolchain.
- Keep dependency metadata in sync so vulnerability checks work.

- Keep install docs aligned with the minimum supported Go version.
- Use the bundled govulncheck tool in CI to avoid a separate install.
- Centralize the workflow Go version so checks stay in sync.

- Cap Dependabot PRs for Go and GitHub Actions updates
- Allow Dependabot to open a separate major-update PR group
- Reduce noise from automated dependency churn while preserving coverage

- Centralize the Go version used by CI and release jobs
- Keep workflow setup aligned by deriving it from one env var
Description
Security and toolchain maintenance bump for ACD. This PR raises the minimum Go toolchain to 1.26.4, refreshes pinned dependencies (notably `modernc.org/sqlite` and `fsnotify`), adds automated vulnerability scanning in CI, and configures Dependabot for ongoing Go module and GitHub Actions updates.

There are no application logic changes — no edits to `internal/daemon`, `internal/state`, CLI behavior, hooks, or schema. The diff is limited to `go.mod`/`go.sum`, CI workflows, Dependabot config, and release-contract docs.

Type of Change
Changes Made
Go toolchain
- Minimum Go toolchain raised to 1.26.4 (`go.mod`, all workflows).
- Centralize the Go version in a `GO_VERSION: '1.26.4'` env var (`ci.yml`, `codeql.yml`, `release.yml`); remove the CI matrix that pinned `go: ['1.22']`.

Direct dependency bumps

- `modernc.org/sqlite` (`state.db`)
- `github.com/fsnotify/fsnotify`
- `github.com/spf13/cobra`
- `golang.org/x/sys`
- `github.com/mattn/go-isatty`
- Indirect deps (`modernc.org/libc`, `modernc.org/memory`, etc.) updated with the SQLite stack.

CI hardening

- Add a `govulncheck` job in `ci.yml` using the module-pinned tool: `go tool govulncheck ./...`
- Add `golang.org/x/vuln/cmd/govulncheck` as a module tool in `go.mod`.
- Run `setup-go` before `codeql-action/init` so analysis uses the correct toolchain.
- Enable Go module cache in `release.yml`.

Dependabot (new)

- `.github/dependabot.yml` — weekly updates for Go modules and GitHub Actions.
- `# vN.M.P` comment convention.

Documentation

- `CHANGELOG.md` — unreleased note for Go 1.26.4 and sqlite bump.
- `README.md` — "Building from source requires Go 1.26.4 or newer."
- `CLAUDE.md` — agent guide version pins updated.

Scope decision
This branch is a single review/rollback unit: all 13 commits are
maintenance/CI/deps work with no user-facing feature changes. Splitting would
not improve reviewability.
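As an added illustration of the CI hardening described above (not the repository's actual workflow files, which this page does not show), the following single `ci.yml` centralizes the toolchain in a `GO_VERSION` env var, feeds it to `setup-go`, runs `setup-go` before `codeql-action/init`, and runs the vulnerability scan through the module-pinned `go tool govulncheck ./...`. Action versions (`actions/checkout@v4`, `actions/setup-go@v5`, `github/codeql-action/*@v3`), job names, and the merging of the CodeQL job into this one file are assumptions; it also assumes `go.mod` carries a `tool golang.org/x/vuln/cmd/govulncheck` directive.

```yaml
# Added example, not the project's own ci.yml. Action versions and job names are assumed.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Single source of truth for the toolchain: every job reads this instead of a per-job matrix.
env:
  GO_VERSION: '1.26.4'

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - run: go test ./... -race

  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      # `go tool govulncheck` resolves the version pinned by the `tool` directive in go.mod
      # and verified by go.sum, so the scanner itself is reproducible and needs no `go install`.
      - run: go tool govulncheck ./...

  codeql:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      # setup-go runs before init so CodeQL's build uses the same toolchain as the other jobs.
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      - uses: github/codeql-action/analyze@v3
```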
Impact
End users (prebuilt binaries)
No intended behavior change. Install via brew, `install.sh`, or GitHub releases is unchanged.
Developers building from source
Breaking for builders only: requires Go 1.26.4+ for `go install` and `make build`.

Runtime subsystems (indirect, not intentional change)

- `state.db`

How to Test

Pre-PR gate (from `AGENTS.md`):

SQLite-focused verification:
Local verification performed
- `make lint` — pass
- `go test ./internal/state/... -race` — pass (incl. v4→v10 migrations, WAL concurrency)
- `go test ./test/integration/... -tags=integration -race` — pass (~192s)
- `go test ./internal/daemon/... ./internal/cli/... -race` — pass
- `go tool govulncheck ./...` — no vulnerabilities found
- `state.db`: `PRAGMA integrity_check` → `ok`, `user_version=10`, WAL mode
- (`status`, `events`, `explain`)

Checklist
Related Issues
None.
Screenshots
N/A — infrastructure and dependency maintenance only.