
Go upgrade #207

Merged: fatihtokus merged 86 commits into main from release-candidate on Jun 17, 2026

Conversation

@fatihtokus

Owner

No description provided.

@guly-engineer guly-engineer self-assigned this Jun 17, 2026
@qodo-code-review


PR Summary by Qodo

Upgrade Go toolchain to 1.25.6 and bump RC plugin metadata
⚙️ Configuration changes 🕐 10-20 Minutes


Description

• Bump Go toolchain patch version to Go 1.25.6.
• Update release-candidate plugin.yaml to v0.3.27-rc.1 with refreshed artifact URLs.
• Remove the CodeQL GitHub Actions workflow from the repository.
Diagram

```mermaid
graph TD
  A["Git repo"] --> B["CI/CD workflows"] --> C[("Release artifacts")]
  C --> D["RC plugin.yaml"] --> E{{"Trivy users"}}
  B --> F["Go toolchain"]
  A --> G["CodeQL workflow (removed)"]

  subgraph Legend
    direction LR
    _cfg["Config file"] ~~~ _art[("Artifact store")] ~~~ _ext{{"External consumer"}}
  end
```
High-Level Assessment

The following are alternative approaches to this PR:

1. Keep CodeQL workflow enabled (or re-add with pinned versions)
  • ➕ Retains automated CodeQL code scanning and security-events visibility in GitHub Security tab
  • ➕ Avoids regressions in required checks for protected branches
  • ➖ Extra CI runtime/cost
  • ➖ May require additional setup for build steps if languages/tooling change
2. Run CodeQL only on schedule (and/or on main)
  • ➕ Reduces PR-time CI load while still providing periodic scanning
  • ➕ Still uploads results to code scanning for auditability
  • ➖ Longer time-to-detect new issues introduced in PRs
  • ➖ Less useful as a merge gate if you rely on PR checks
3. Centralize security scanning via an org-level reusable workflow
  • ➕ Consistent security posture across repos with less per-repo maintenance
  • ➕ Easier upgrades for pinned action SHAs and policies
  • ➖ More up-front plumbing and permissions management
  • ➖ Harder for repo contributors to modify locally

Recommendation: The Go toolchain and RC manifest bumps are straightforward; validate that v0.3.27-rc.1 artifacts exist for every listed platform before tagging/releasing. The notable risk is deleting CodeQL: if code scanning is still desired/required, prefer keeping CodeQL (possibly schedule-only) or migrating it to a reusable workflow rather than removing it entirely.

Files changed (2) +14 / -14

Other (2) +14 / -14
go.mod: Bump pinned Go toolchain patch to 1.25.6 (+1/-1)

Bump pinned Go toolchain patch to 1.25.6

• Updates the module toolchain directive from go1.25.5 to go1.25.6 while leaving module/go versions and dependencies unchanged.

go.mod

plugin.yaml: Update RC plugin version and artifact URLs to v0.3.27-rc.1 (+13/-13)

Update RC plugin version and artifact URLs to v0.3.27-rc.1

• Bumps the release-candidate plugin version from 0.3.25-rc.2 to 0.3.27-rc.1 and updates all platform-specific download URIs accordingly.

release-candidate/plugin.yaml

@guly-engineer guly-engineer self-requested a review June 17, 2026 20:13
@fatihtokus fatihtokus merged commit 3207a00 into main Jun 17, 2026
5 checks passed
@qodo-code-review


Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Remediation recommended

1. CodeQL scanning removed 🐞 Bug ⛨ Security
Description
Deleting .github/workflows/codeql.yml removes the repo's CodeQL code scanning workflow, reducing automated detection of security issues. The remaining security workflows (e.g., Scorecard SARIF upload and dependency review) do not run CodeQL init/analyze to replace it.
Code

.github/workflows/codeql.yml[L12-21]

-name: CodeQL
-
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: ["main"]
-  schedule:
-    - cron: "0 0 * * 1"
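Review bot: The removed trigger block shows CodeQL ran on push to main, on pull requests targeting main and on a weekly cron ("0 0 * * 1"), so deleting the file drops scheduled scanning as well as merge-time scanning, and the PR carries no description explaining why. If PR-time CI cost is the motivation, keeping the workflow with only the `schedule` trigger (and optionally `push` to `main`) preserves periodic results in code scanning; if removal is intended, the rationale belongs in the PR description so the loss of coverage is an explicit decision.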
Evidence
After the CodeQL workflow file is deleted, the remaining security-related workflows shown in-repo are Scorecard (which uploads its own SARIF) and Dependency Review (which checks dependency diffs); neither runs CodeQL analysis actions (init/analyze).

.github/workflows/scorecard.yml[5-78]
.github/workflows/dependency-review.yml[9-27]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PR deletes `.github/workflows/codeql.yml`, which disables CodeQL static analysis runs.

## Issue Context
Other existing security workflows in this repo (Scorecard SARIF upload and dependency review) do not perform CodeQL code scanning.

## Fix Focus Areas
- .github/workflows/codeql.yml[1-90]
