Bump golang from 1.24 to 1.26 #406

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/docker/golang-1.26

dependabot Bot commented on behalf of github Apr 30, 2026


Bumps golang from 1.24 to 1.26.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Upgraded Go base image from version 1.24 to 1.26 for Docker builds (standard and ARM64 variants), bringing latest performance improvements and security patches.

Bumps golang from 1.24 to 1.26.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: '1.26'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and docker (Pull requests that update Docker code) labels Apr 30, 2026
dependabot Bot requested a review from dougbtv as a code owner April 30, 2026 11:23

coderabbitai Bot commented Apr 30, 2026


Walkthrough

The Go base image version is upgraded from 1.24 to 1.26 in both the standard and ARM64 Dockerfile variants. All subsequent build and runtime stages remain unchanged.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker Base Image Update: Dockerfile, Dockerfile.arm64 | Upgraded Go base image from golang:1.24 to golang:1.26 in both standard and ARM64 build stages. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Microshift Test Compatibility | ❓ Inconclusive | No shell commands were executed; unable to verify if PR adds new Ginkgo e2e tests using MicroShift-incompatible APIs. | Execute git show --name-status and review test files to determine if new Ginkgo e2e tests are introduced. |

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: upgrading the Go base image from version 1.24 to 1.26 across both Dockerfiles, which is the sole purpose of this PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This custom check is not applicable to the provided pull request. The PR only modifies Docker build configuration files, updating the Go base image from version 1.24 to 1.26. No test files were changed. |
| Test Structure And Quality | ✅ Passed | The PR only modifies Docker configuration files to update Go base image version; no Ginkgo test code changes are present. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR modifies only Dockerfile and Dockerfile.arm64 to upgrade Go base image from 1.24 to 1.26. No new Ginkgo e2e tests are added or modified, making the SNO compatibility check not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only updates Go base image version in Dockerfile files, not deployment manifests or controller code, so topology-aware scheduling check is not applicable. |
| Ote Binary Stdout Contract | ✅ Passed | PR only modifies Docker base image versions with no changes to Go source code, logging configuration, or stdout/stderr handling. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests were added; only Dockerfile base image versions were updated from 1.24 to 1.26. |


openshift-ci Bot requested review from bpickard22 and maiqueb April 30, 2026 11:23

openshift-ci Bot commented Apr 30, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign maiqueb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot commented Apr 30, 2026


Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci Bot added the needs-ok-to-test label (Indicates a PR that requires an org member to verify it is safe to test.) Apr 30, 2026

coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
Dockerfile (1)

8-8: ⚡ Quick win

Avoid alpine:latest for reproducible, safer builds.

Using FROM alpine:latest means your runtime base can change underneath you between builds (including security updates/vulnerability fixes and potential incompatibilities). Pinning to a specific Alpine version (and ideally a digest) improves reproducibility and supply-chain control.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 8, The Dockerfile uses an unpinned base image ("FROM
alpine:latest"), which leads to non-reproducible builds; update the FROM
instruction to pin a specific Alpine version (e.g., "alpine:3.18" or better, an
image digest) so the base image remains stable and predictable across builds;
change the FROM line accordingly and include the chosen version/digest in the
Dockerfile.

Dockerfile.arm64 (1)

12-12: ⚡ Quick win

Avoid arm64v8/alpine:latest for reproducible, safer builds.

FROM arm64v8/alpine:latest can drift over time. Consider pinning to a specific Alpine release (and ideally digest) for reproducibility and vulnerability management parity with amd64.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.arm64` at line 12, Replace the floating base image reference in
the Dockerfile FROM instruction (currently "FROM arm64v8/alpine:latest") with a
specific Alpine release tag (e.g., "alpine:3.18.2" or equivalent arm64 variant)
and preferably pin to an immutable digest (sha256) to ensure reproducible,
secure builds; update the FROM line to use the chosen version/digest and
document the chosen tag/digest in the commit message so future reviewers know
why it was pinned.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 668626c2-3257-4d6d-8df6-fbb71f5f8d63

📥 Commits

Reviewing files that changed from the base of the PR and between d691040 and 71d3be5.

📒 Files selected for processing (2)
  • Dockerfile
  • Dockerfile.arm64

Comment thread Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.24
FROM golang:1.26
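
Review bot: the new "FROM golang:1.26" line still names the builder by a mutable minor tag, so the patch release of the Go compiler and standard library that gets linked into the binary is whatever that tag resolves to on the day of the build. Pin the patch release or, better, a digest ("FROM golang:1.26@sha256:<digest>", with the digest taken from the registry at review time) so the toolchain only changes through a reviewed bump like this one.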


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "go.mod (toolchain + go directives):"
sed -n '1,40p' go.mod

echo
echo "hack/build-go.sh: look for go invocations and any GOTOOLCHAIN pinning:"
if [ -f hack/build-go.sh ]; then
  rg -n --context 3 'GOTOOLCHAIN|toolchain|go1\.' hack/build-go.sh || true
  rg -n --context 2 '\bgo (build|test|list|install)\b' hack/build-go.sh || true
else
  echo "Missing hack/build-go.sh in repo root; adjust path if different."
fi

Repository: openshift/whereabouts-cni

Length of output: 1546


🏁 Script executed:

# Check if hack/build-go.sh exists and read it
fd -t f 'build.*\.sh' . 2>/dev/null | head -20

Repository: openshift/whereabouts-cni

Length of output: 170


🏁 Script executed:

# Read the Dockerfile to understand the full context
cat -n Dockerfile

Repository: openshift/whereabouts-cni

Length of output: 871


🏁 Script executed:

# Check for any .sh files in hack directory
ls -la hack/ 2>/dev/null || echo "No hack directory found"

Repository: openshift/whereabouts-cni

Length of output: 994


🏁 Script executed:

cat -n hack/build-go.sh

Repository: openshift/whereabouts-cni

Length of output: 2602


Go toolchain mismatch: golang:1.26 builder with toolchain go1.24.6 in go.mod.

The Dockerfile uses golang:1.26, but go.mod pins toolchain go1.24.6. Since hack/build-go.sh does not set GOTOOLCHAIN=local and invokes plain go build, Go 1.26 will attempt to download and use the pinned Go 1.24.6 toolchain per the go.mod directive. This adds unnecessary network dependency and slows the Docker build.

Recommended fixes:

  • Update go.mod to go 1.26 and toolchain go1.26.x, or
  • Add GOTOOLCHAIN=local to the build environment in hack/build-go.sh (or in the Dockerfile before RUN ./hack/build-go.sh)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 1, Dockerfile is using golang:1.26 while go.mod pins
toolchain go1.24.6 causing Go to download the older toolchain during build; fix
by either updating go.mod's "go" and "toolchain" directives to match 1.26 (e.g.,
change toolchain to go1.26.x in go.mod) or ensure the build uses the container's
toolchain by exporting GOTOOLCHAIN=local before invoking the build (set
GOTOOLCHAIN=local in hack/build-go.sh or export it in the Dockerfile prior to
RUN ./hack/build-go.sh) so plain go build uses the local Go image instead of
downloading toolchains.

Comment thread Dockerfile.arm64
@@ -1,4 +1,4 @@
FROM golang:1.24
FROM golang:1.26
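
Review bot: the "FROM golang:1.26" line in Dockerfile.arm64 carries no platform qualifier, so the architecture of the build stage follows the build host or the --platform option passed to the build rather than anything in this file. If the stage is meant to run as arm64, state it with "FROM --platform=linux/arm64 golang:1.26"; if it is meant to cross-compile from another architecture, a comment above the FROM line saying so would make that intent reviewable.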


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find and read go.mod to verify toolchain version
find . -name "go.mod" -type f | head -5

Repository: openshift/whereabouts-cni

Length of output: 78


🏁 Script executed:

# Find and read hack/build-go.sh to understand toolchain handling
find . -path "*/hack/build-go.sh" -type f

Repository: openshift/whereabouts-cni

Length of output: 88


🏁 Script executed:

cat -n ./go.mod | head -20

Repository: openshift/whereabouts-cni

Length of output: 801


🏁 Script executed:

cat -n ./hack/build-go.sh

Repository: openshift/whereabouts-cni

Length of output: 2602


Use golang:1.24.6 in Dockerfile.arm64 to match the go.mod toolchain directive.

The FROM golang:1.26 creates a mismatch with go.mod's toolchain go1.24.6 directive. When hack/build-go.sh runs go build, Go 1.26 will detect the toolchain directive and attempt to download/select Go 1.24.6 instead, adding unnecessary overhead to the build process. Pin the base image to golang:1.24.6 to match the intended toolchain.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.arm64` at line 1, Update the base image in the Dockerfile FROM
line to match the go toolchain in go.mod: replace the current "golang:1.26" base
image with "golang:1.24.6" so the Docker build uses the same Go version as the
toolchain directive and avoids Go downloading/selecting a different toolchain at
build time.
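
The two conditions raised in the review comments above (base images referenced by a floating tag, and a builder image whose Go version differs from the one go.mod names) can be checked mechanically in CI. The script below is an added example, not code from the repository or from any of the bots; the function names and the sample Dockerfile and go.mod contents are constructed for illustration.

```sh
#!/bin/sh
# Added example; the sample files below are constructed, not the repository's.

# List FROM lines that are not pinned by digest.
# "floating": no tag or :latest. "tag-only": a version tag without @sha256.
audit_from_lines() {
  awk 'toupper($1) == "FROM" {
         i = ($2 ~ /^--platform=/) ? 3 : 2; img = $i
         if (toupper($(i + 1)) == "AS") stage[$(i + 2)] = 1
         if (img == "scratch" || (img in stage)) next   # not a registry pull
         if (img ~ /@sha256:[0-9a-f]+$/) next           # digest-pinned
         n = split(img, part, "/"); last = part[n]
         kind = (last !~ /:/ || last ~ /:latest$/) ? "floating" : "tag-only"
         print NR ": " kind " " img
       }' "$1"
}

# Go minor version (for example 1.26) of the first golang image in a Dockerfile.
image_go_minor() {
  awk 'toupper($1) == "FROM" {
         for (i = 2; i <= NF; i++)
           if ($i ~ /^golang:[0-9]+\.[0-9]/ || $i ~ /\/golang:[0-9]+\.[0-9]/) {
             v = $i; sub(/^.*golang:/, "", v); split(v, p, ".")
             sub(/[^0-9].*$/, "", p[2]); print p[1] "." p[2]; exit
           }
       }' "$1"
}

# Go minor version from go.mod: the toolchain directive, else the go directive.
gomod_go_minor() {
  awk '$1 == "toolchain" { t = $2; sub(/^go/, "", t) }
       $1 == "go" && g == "" { g = $2 }
       END { v = (t != "" ? t : g); if (v == "") exit
             split(v, p, "."); sub(/[^0-9].*$/, "", p[2]); print p[1] "." p[2] }' "$1"
}

# Exit 0 when the builder image and go.mod name the same Go minor version.
check_toolchain_match() {
  img=$(image_go_minor "$1"); mod=$(gomod_go_minor "$2")
  if [ -n "$img" ] && [ "$img" = "$mod" ]; then return 0; fi
  echo "mismatch: image=go$img go.mod=go$mod"; return 1
}

demo=$(mktemp -d)   # constructed sample inputs
printf '%s\n' 'FROM golang:1.26' 'WORKDIR /src' 'COPY . .' \
  'RUN ./hack/build-go.sh' 'FROM alpine:latest' > "$demo/Dockerfile"
printf '%s\n' 'module example.com/sample' 'go 1.24' \
  'toolchain go1.24.6' > "$demo/go.mod"

audit_from_lines "$demo/Dockerfile"
check_toolchain_match "$demo/Dockerfile" "$demo/go.mod" || true
```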
