OADP-7565: Go 1.25.8 toolchain + golang.org/x/* CVE bumps#167
OADP-7565: Go 1.25.8 toolchain + golang.org/x/* CVE bumps#167kaovilai wants to merge 1 commit intomigtools:oadp-devfrom
Conversation
- Add toolchain go1.25.8 (fixes GO-2026-4337, GO-2026-4340, GO-2026-4341, GO-2026-4342, CVE-2026-25679, CVE-2026-27137) - golang.org/x/net → v0.52.0 (fixes GHSA-vvgc-356p-c3xw) - golang.org/x/crypto → v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv) - Transitive bumps: x/sys → v0.42.0, x/text → v0.35.0, x/term → v0.41.0, x/mod → v0.33.0 - CI workflows: use go-version-file instead of hardcoded versions - test.yml: bump actions/setup-go@v4 → @v6 (supports toolchain directive) Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering>
|
@kaovilai: This pull request references OADP-7565 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (3)
📝 WalkthroughWalkthroughUpdated GitHub Actions workflows to derive Go versions from Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@kaovilai: This pull request references OADP-7565 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
Pull request overview
This PR updates the repository’s Go toolchain/dependency versions to address security advisories, and adjusts CI workflows to derive the Go version from go.mod instead of hardcoding it.
Changes:
- Add
toolchain go1.25.8togo.modand bump severalgolang.org/x/*module versions. - Update GitHub Actions workflows (
test.yml,lint.yml) to usego-version-file: 'go.mod'and neweractions/setup-go. - Refresh corresponding
go.sumentries for the bumped modules.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
go.mod |
Adds toolchain directive and bumps indirect golang.org/x/* dependencies. |
go.sum |
Updates sums to match the bumped module versions. |
.github/workflows/test.yml |
Switches to setup-go@v6 and go-version-file from go.mod. |
.github/workflows/lint.yml |
Switches from hardcoded Go version to go-version-file from go.mod. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| golang.org/x/mod v0.33.0 // indirect | ||
| golang.org/x/net v0.52.0 // indirect | ||
| golang.org/x/oauth2 v0.33.0 // indirect | ||
| golang.org/x/sys v0.40.0 // indirect | ||
| golang.org/x/term v0.37.0 // indirect | ||
| golang.org/x/text v0.31.0 // indirect | ||
| golang.org/x/sys v0.42.0 // indirect | ||
| golang.org/x/term v0.41.0 // indirect | ||
| golang.org/x/text v0.35.0 // indirect |
There was a problem hiding this comment.
The PR description says golang.org/x/crypto is being bumped to v0.49.0, but this repo’s go.mod doesn’t require golang.org/x/crypto (directly or indirectly pinned) and go.sum doesn’t contain a v0.49.0 entry. If the intent is to ensure the CVE-fixed x/crypto version is selected, add an explicit (likely // indirect) require for golang.org/x/crypto at the desired version (or update the dependency that pulls it in) and run go mod tidy so the module graph reflects the stated change.
| go 1.25.0 | ||
|
|
||
| toolchain go1.25.8 | ||
|
|
There was a problem hiding this comment.
go.mod now declares toolchain go1.25.8, but several other CI workflows in the repo still use actions/setup-go@v5 with go-version-file: go.mod (e.g., cross-arch-build-test.yml, release.yml, quay_binaries_push.yml). To avoid inconsistent CI behavior (or potential failures if older setup-go versions can’t handle the toolchain directive), consider aligning all workflows to the same setup-go major version (v6) or otherwise verifying v5 works correctly with the toolchain directive.
| go 1.25.0 | |
| toolchain go1.25.8 | |
| go 1.25.8 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Joeavaikath, kaovilai The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Summary
toolchain go1.25.8directive to fix Go stdlib CVEs:golang.org/x/net→ v0.52.0 (fixes GHSA-vvgc-356p-c3xw, XSS in HTML tokenizer)golang.org/x/crypto→ v0.49.0 (fixes GHSA-j5w8-q4qc-rx2x, GHSA-f6x5-jh6r-wrfv)x/sys→ v0.42.0,x/text→ v0.35.0,x/term→ v0.41.0,x/mod→ v0.33.0go-version-file: 'go.mod'instead of hardcoded versionstest.yml: bumpedactions/setup-go@v4→@v6(supports toolchain directive)Supersedes #166
Test plan
go build ./...passesNote
Responses generated with Claude
Summary by CodeRabbit