Skip to content

chore(deps): update golang#48

Open
scality-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/golang
Open

chore(deps): update golang#48
scality-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/golang

Conversation

@scality-renovate

@scality-renovate scality-renovate Bot commented Jun 29, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Type Update Change
golang stage digest 792443b079e598
mcr.microsoft.com/devcontainers/go final digest 232b16d638cb8e

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 9am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@scality-renovate scality-renovate Bot requested a review from a team as a code owner June 29, 2026 04:06
@scality-renovate scality-renovate Bot added dependencies Pull requests that update a dependency file digest docker go Pull requests that update go code labels Jun 29, 2026
@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown

Dependency Bump Evaluation

Packages:

  • golang (build stage): digest 792443b -> f96cc55 (same golang:1.26 tag)
  • mcr.microsoft.com/devcontainers/go (devcontainer): digest 232b16d -> 638cb8e (same 1.26-trixie tag)

Bump type: Docker digest rotation (no semver change)

Changes:

  • Picks up the latest rebuild of both Go Docker images, which typically includes OS-level security patches and minor updates to the base layer
  • Go toolchain version remains 1.26 -- no compiler or stdlib changes

Breaking changes: None -- same Go version, same tags, only the underlying OS packages are refreshed

Security concerns: None -- digest rotations are the standard mechanism for receiving OS-level security patches in pinned Docker images. This is a positive security update.

Impact on codebase: No impact. The Dockerfile uses a multi-stage build: the golang:1.26 builder compiles a statically linked binary (CGO_ENABLED=0), which is then copied to a distroless/static:nonroot runtime image. OS-layer changes in the builder do not affect the final artifact. The devcontainer change only affects the development environment.

CI status: lint passed, test passed, build in progress

Recommendation: SAFE TO MERGE (once CI passes)

-- Claude Code

@scality-renovate scality-renovate Bot changed the title chore(deps): update golang:1.26 docker digest to 32c0e6e chore(deps): update golang:1.26 docker digest to f96cc55 Jun 30, 2026
@scality-renovate scality-renovate Bot changed the title chore(deps): update golang:1.26 docker digest to f96cc55 chore(deps): update golang Jul 2, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Dependency Bump Evaluation

Version change: Docker image digest-only updates (no version change)

  • golang:1.26 digest 792443b079e598 (now resolves to Go 1.26.5, released 2026-07-07)
  • mcr.microsoft.com/devcontainers/go:1.26-trixie digest 232b16d638cb8e

Semver bump type: digest (sub-patch — same image tag, updated hash)

Changes:

  • Refreshes the SHA256 digest pins for the Go 1.26 build image (Dockerfile) and devcontainer image (.devcontainer/Dockerfile)
  • The Go version tag remains 1.26 — the digest now points to Go 1.26.5, which includes:
    • Security fix (CVE-2026-39822): os.Root path traversal via symlink + trailing slash
    • Security fix: crypto/tls PSK leak in ECH outer client hello
    • Runtime fixes: SIGILL in GC AVX-512 span-scan, SIGSEGV in fork+race on darwin/arm64, concurrent map read/write on ppc64le, version parsing, moveSliceNoCap
    • Other: os/signal context.Canceled mismatch, test caching fix, go get with GOFIPS140

Breaking changes: None. Go point releases maintain backward compatibility.

Security concerns: None for this codebase. The two security fixes (os.Root and crypto/tls ECH) do not affect this project — the codebase uses neither os.Root/os.OpenRoot nor crypto/tls directly. The runtime stability fixes are broadly beneficial.

Impact on codebase: Zero — only Dockerfiles are modified; no Go source code, go.mod, or go.sum changes.

CI status: Some checks still in progress at time of evaluation (build, test). Lint passed. Verify CI is fully green before merging.

Recommendation: SAFE TO MERGE (once CI is green)

Notes: This is a renovate bot PR. The renovate/stability-days status is pending; wait for it and CI to clear before merging.

— Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file digest docker go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants