Skip to content

chore: upgrade go to 1.26.1#2839

Merged
migmartri merged 8 commits into
chainloop-dev:mainfrom
jiparis:upgrade-go-1.26.1
Mar 13, 2026
Merged

chore: upgrade go to 1.26.1#2839
migmartri merged 8 commits into
chainloop-dev:mainfrom
jiparis:upgrade-go-1.26.1

Conversation

@jiparis

@jiparis jiparis commented Mar 12, 2026

Copy link
Copy Markdown
Member

Upgrade latest golang to get rid of some CVEs.

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested review from javirln and migmartri March 12, 2026 16:04

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 5 files

@migmartri

Copy link
Copy Markdown
Member

Check dagger though, youn might not want to upgrade it

jiparis added 2 commits March 12, 2026 22:04
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 4 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="extras/dagger/go.mod">

<violation number="1" location="extras/dagger/go.mod:52">
P2: These replace directives pin the OTel log packages back to 0.16.0, so the upgrade above never takes effect.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread extras/dagger/go.mod Outdated

@migmartri migmartri left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Double check with @javirln in case we have a customer that can't upgrade and doesn't have the version pinned

@jiparis

jiparis commented Mar 12, 2026

Copy link
Copy Markdown
Member Author

@javirln you have the background on those pinned dependencies. Please take over this upgrade.

@javirln

javirln commented Mar 13, 2026

Copy link
Copy Markdown
Member

I'll check the Dagger issues

jiparis added 3 commits March 13, 2026 11:08
This reverts commit 123472f.

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
This reverts commit 6388905.

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 4 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="dagger.json">

<violation number="1">
P2: This downgrades the published Dagger module from v0.20.1 to v0.19.3, so remote consumers will start resolving an older engine unless that regression is intentional and documented.

(Based on your team's feedback about cross-component and version compatibility.) [FEEDBACK_USED]</violation>
</file>

<file name="extras/dagger/go.mod">

<violation number="1">
P1: This downgrades the Dagger submodule's minimum Go/toolchain version back to 1.24.0, which undercuts the repo-wide 1.26.x security upgrade this PR is meant to apply.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

jiparis added 2 commits March 13, 2026 11:22
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".claude/skills/upgrading-golang/SKILL.md">

<violation number="1" location=".claude/skills/upgrading-golang/SKILL.md:54">
P2: This change drops the GitHub Actions update step, so the Go upgrade instructions are now incomplete and can leave CI running the old Go version.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

```

### 6. Update Documentation
### 5. Update Documentation

@cubic-dev-ai cubic-dev-ai Bot Mar 13, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: This change drops the GitHub Actions update step, so the Go upgrade instructions are now incomplete and can leave CI running the old Go version.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .claude/skills/upgrading-golang/SKILL.md, line 54:

<comment>This change drops the GitHub Actions update step, so the Go upgrade instructions are now incomplete and can leave CI running the old Go version.</comment>

<file context>
@@ -51,35 +51,26 @@ With:
-```
-
-### 6. Update Documentation
+### 5. Update Documentation
 
 Update the version reference in `./CLAUDE.md` under "Key Technologies":
</file context>
Fix with Cubic

@migmartri migmartri left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Straightforward Go patch version bump, all CI checks pass. A couple of minor notes:

  • Atlas bump (v1.1.0 → v1.1.3) not mentioned in PR description, consider adding for traceability
  • Verify extras/dagger/go.mod is intentionally kept on a different Go version (Dagger SDK compat) or should also be bumped
  • Confirm docs/examples/ci-workflows/github.yaml doesn't hardcode a Go version that needs updating

@migmartri migmartri merged commit ebb6cf5 into chainloop-dev:main Mar 13, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants