ci: derive Go version from go.mod and bump to Go 1.25.9 #31

Open
marcusburghardt wants to merge 5 commits into complytime:main from marcusburghardt:ci/go-version-from-gomod

Conversation

@marcusburghardt (Contributor)

Summary

  • Derive Go version from go.mod instead of hardcoding GO_VERSION in ci_local.yml. Uses go-version-file: go.mod with actions/setup-go, making go.mod the single source of truth. Future dependency updates that change the Go version requirement will automatically work in CI without manual workflow changes.
  • Bump Go to 1.25.9 to resolve 19 known stdlib vulnerabilities in Go 1.25.0 (GO-2025-4006 through GO-2026-4947) flagged by OSV-Scanner, and to unblock Dependabot PR #24 ("chore(deps): bump github.com/gin-contrib/requestid from 1.0.5 to 1.0.6", gin-contrib/requestid v1.0.6), which transitively requires Go 1.25 via gin-gonic/gin v1.12.0.
  • Bump golangci-lint from v2.1 to v2.11 since v2.1 was built with Go 1.24 and cannot target Go 1.25+.
  • Downgrade kin-openapi from v0.135.0 to v0.133.0 to fix the pre-existing verify-codegen CI failure on main. The v0.135.0 upgrade (PR #26, "chore(deps): bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0") introduced a breaking API change (Ref changed from string to MappingRef) incompatible with oapi-codegen v2.6.0.

Motivation

Dependabot PR #24 is blocked because:

  1. The CI hardcodes Go 1.24, but the PR's dependencies require Go 1.25
  2. golangci-lint v2.1 can't lint Go 1.25 code
  3. OSV-Scanner flags 19 stdlib vulns in Go 1.25.0
  4. verify-codegen was already failing on main (pre-existing, from PR #26, "chore(deps): bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0")

This PR resolves all four issues. After merging, rebasing PR #24 (@dependabot rebase) should allow it to pass CI.

Verification

All tests pass, build succeeds, and make api-codegen produces no diffs (verified locally with Go 1.25.9).

Replace the hardcoded GO_VERSION env variable with go-version-file
pointing to go.mod. This makes go.mod the single source of truth for
the Go version used in CI, so dependency updates that change the Go
version requirement no longer require a separate CI workflow change.

Also bump golangci-lint from v2.1 to v2.11 to ensure compatibility
with Go 1.25+, since v2.1 was built with Go 1.24 and cannot target
newer Go versions.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Update the go directive from 1.24.0 to 1.25.9 to resolve 19 known
stdlib vulnerabilities in Go 1.25.0 (GO-2025-4006 through
GO-2026-4947) flagged by OSV-Scanner.

This also unblocks dependabot PR complytime#24 (gin-contrib/requestid v1.0.6)
which transitively requires Go 1.25 via gin-gonic/gin v1.12.0.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Revert kin-openapi from v0.135.0 to v0.133.0 and pin oasdiff/yaml to
matching pseudo-versions. The v0.135.0 upgrade (merged in PR complytime#26)
introduced a breaking API change (Ref changed from string to
MappingRef) that is incompatible with oapi-codegen v2.6.0, causing
the verify-codegen CI job to fail on main.

This restores the dependency set that oapi-codegen v2.6.0 was built
against, fixing the pre-existing verify-codegen failure.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

@marcusburghardt marcusburghardt requested a review from gvauter April 23, 2026 07:34

G122 (config.go): Replace filepath.Walk + os.ReadFile with os.OpenRoot
and root-scoped fs.WalkDir + root.ReadFile. This prevents symlink
TOCTOU traversal by confining all filesystem operations to the
evaluations directory via Go 1.25 os.Root.

G706 (jwtauth.go): Add nolint directive for structured slog.Debug call
in the DNS bypass dialer. The address values come from the Go net
package dial callback and are logged as structured attributes, which
prevents log injection. Consistent with existing nolint directives on
lines 54 and 116 for the same pattern.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Update the gaze baseline to reflect the minor complexity increase in
NewMapperFromDir (8 -> 9) caused by the os.Root security hardening.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
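The os.Root hardening that the G122 commit above describes, as an added illustration that is not code from this PR or from the complytime project: the unconfined filepath.Walk + os.ReadFile loader it replaced next to a root-scoped one, run over an assumed evaluations directory into which a symlink pointing outside the tree has been planted. Reads go through root.FS() so the block also runs on Go 1.24; on Go 1.25 root.ReadFile is the direct equivalent the commit uses.

```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
)

// LoadUnconfined is the pattern the G122 commit replaces: filepath.Walk plus
// os.ReadFile, which follows a symlink planted in dir to any file on the host.
func LoadUnconfined(dir string) (map[string][]byte, error) {
	out := map[string][]byte{}
	err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		data, err := os.ReadFile(path) // unconfined: follows symlinks anywhere
		if err != nil {
			return err
		}
		out[path] = data
		return nil
	})
	return out, err
}

// LoadConfined is the hardened shape: dir is opened once as an os.Root and every
// read resolves relative to that handle, so a symlink (or "..") leaving dir is refused.
func LoadConfined(dir string) (map[string][]byte, []string, error) {
	root, err := os.OpenRoot(dir)
	if err != nil {
		return nil, nil, err
	}
	defer root.Close()
	out, refused := map[string][]byte{}, []string(nil)
	rfs := root.FS() // fs.FS whose Open can never resolve outside root
	err = fs.WalkDir(rfs, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := fs.ReadFile(rfs, p) // same as root.ReadFile(p) on Go 1.25
		if err != nil {
			refused = append(refused, p) // e.g. "path escapes from parent"
			return nil
		}
		out[p] = data
		return nil
	})
	return out, refused, err
}
```

Refused entries are returned rather than silently dropped so a caller can log which paths tried to leave the evaluations directory.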