fix: address review — patch comparison, renderkit parsing, labels, PR bodies

- build/images.mk: add NEW_TAG guard to prevent empty tag writes
- Patch availability: compare against GOMOD_VERSION not GO_MINOR
  (prevents weekly no-op PRs when go.mod already matches latest patch)
- Patch tag matching: use dot separator to prevent false prefix matches
- renderkit version: use `go mod edit -json` instead of fragile grep
- Labels: use existing 'go' label instead of non-existent 'needs-review'
- Assignee: remove 'copilot' (not a valid GitHub user for assignment)
- PR bodies: fix inaccurate claims (patch doesn't update GO_IMG;
  digest refresh may update go.mod)
- Remove duplicate git config in auto-bump job
- copilot-instructions.md: make GOEXPERIMENT guidance version-dependent
- SKILL.md: clarify CGO Map is version-dependent with Go 1.27 note

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: behzad-mir

.github/copilot-instructions.md

@@ -24,8 +24,9 @@ For task-specific guidance, use the appropriate skill:
 - Build system uses `make dockerfiles` with template rendering via `renderkit`
 - Tools module lives at `tools-go/go.mod` (separate from root `go.mod`)
 - CI uses both GitHub Actions and Azure Pipelines (`.pipelines/`)
-- `cilium-log-collector` is the only component using `CGO_ENABLED=1` (with `GOEXPERIMENT=systemcrypto`)
-- All other components use `CGO_ENABLED=0` with `GOEXPERIMENT=ms_nocgo_opensslcrypto` (Go 1.26)
+- `cilium-log-collector` is the only component using `CGO_ENABLED=1`
+- All other components use `CGO_ENABLED=0`
+- **GOEXPERIMENT requirements are version-dependent** — consult the `acn-go-version-bump` skill for current rules. As of Go 1.26: CGO=1 needs `systemcrypto`, CGO=0 needs `ms_nocgo_opensslcrypto`. Go 1.27+ changes these rules.
 
 ## AI Documentation
 

.github/skills/acn-go-version-bump/SKILL.md

@@ -245,10 +245,15 @@ After making all changes:
 - Uses `renderkit` and `skopeo` to resolve image tags to SHA digests
 - Pipeline uses `.pipelines/build/scripts/install-go.sh`
 
-### Component CGO Map (current as of Go 1.26)
-| Component | CGO_ENABLED | GOEXPERIMENT | Build Mode | Notes |
-|-----------|:-----------:|:------------:|:----------:|-------|
-| cni, cns, npm, dropgz, azure-ipam, azure-ip-masq-merger, azure-iptables-monitor, ipv6-hp-bpf | 0 | ms_nocgo_opensslcrypto | static binary | Nocgo OpenSSL backend (systemcrypto requires CGO) |
+### Component CGO Map
+
+> **GOEXPERIMENT values are version-dependent.** Always consult MS Go docs for the target version.
+> The table below shows the CGO settings (which are version-independent) and the GOEXPERIMENT
+> rules as of Go 1.26. For Go 1.27+, `systemcrypto` works without CGO (nocgo backend is default).
+
+| Component | CGO_ENABLED | GOEXPERIMENT (Go 1.26) | Build Mode | Notes |
+|-----------|:-----------:|:----------------------:|:----------:|-------|
+| cni, cns, npm, dropgz, azure-ipam, azure-ip-masq-merger, azure-iptables-monitor, ipv6-hp-bpf | 0 | ms_nocgo_opensslcrypto | static binary | Nocgo OpenSSL backend (systemcrypto requires CGO in 1.26) |
 | cilium-log-collector | 1 | systemcrypto | c-shared (.so) | Fluent Bit plugin, requires CGO |
 
 ### Important Notes

.github/workflows/go-version-check.yaml

@@ -161,7 +161,7 @@ jobs:
           LATEST_MINOR_TAG=""
           if [ -n "$ALL_TAGS" ]; then
             while IFS=$'\t' read -r ver tag; do
-              if [[ "$ver" == ${GO_MINOR}* ]]; then
+              if [[ "$ver" == ${GO_MINOR}.* ]] || [[ "$ver" == "${GO_MINOR}" ]]; then
                 LATEST_PATCH="$ver"
                 LATEST_PATCH_TAG="$tag"
                 break
@@ -183,7 +183,7 @@ jobs:
           echo "latest_minor_tag=$LATEST_MINOR_TAG" >> "$GITHUB_OUTPUT"
 
           PATCH_AVAILABLE="false"
-          if [ -n "$LATEST_PATCH" ] && [ "$LATEST_PATCH" != "$GO_MINOR" ]; then
+          if [ -n "$LATEST_PATCH" ] && [ "$LATEST_PATCH" != "$GOMOD_VERSION" ]; then
             LATEST_PATCH_DIGEST=$(skopeo inspect "docker://$MCR_REPO:${LATEST_PATCH}-${BASE_OS}" --format "{{.Digest}}" 2>/dev/null || echo "FAILED")
             if [ "$LATEST_PATCH_DIGEST" != "FAILED" ] && [ "$LATEST_PATCH_DIGEST" != "$CURRENT_DIGEST" ]; then
               PATCH_AVAILABLE="true"
@@ -294,7 +294,12 @@ jobs:
           fi
           # Install renderkit from repo's pinned tools-go/go.mod
           GOPATH=$(go env GOPATH 2>/dev/null || echo "$HOME/go")
-          RENDERKIT_VER=$(grep 'orellazri/renderkit' tools-go/go.mod | awk '{print $2}')
+          RENDERKIT_VER=$(go mod edit -json tools-go/go.mod | python3 -c "
+          import sys, json
+          for req in json.load(sys.stdin).get('Require', []):
+              if 'orellazri/renderkit' in req['Path']:
+                  print(req['Version']); break
+          ")
           go install "github.com/orellazri/renderkit@${RENDERKIT_VER}"
           echo "${GOPATH}/bin" >> "$GITHUB_PATH"
 
@@ -360,8 +365,6 @@ jobs:
           fi
 
           # Commit
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
           git add -A
           if git diff --cached --quiet; then
             echo "::notice::No changes to commit"
@@ -426,8 +429,6 @@ jobs:
           make dockerfiles
 
           # Commit
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
           git add -A
           if git diff --cached --quiet; then
             echo "::notice::No changes to commit"
@@ -470,8 +471,7 @@ jobs:
           **Digest:** \`${PR_LATEST_PATCH_DIGEST}\`
 
           ### Changes Made
-          - \`build/images.mk\` GO_IMG tag updated
-          - \`go.mod\` version bumped
+          - \`go.mod\` and \`tools-go/go.mod\` version bumped
           - \`go mod tidy\` executed
           - \`install-go.sh\` DEFAULT_IMAGE SHA updated
           - \`bpf-prog/ipv6-hp-bpf/linux.Dockerfile\` SHA updated
@@ -496,12 +496,13 @@ jobs:
           **Go version in image:** \`${PR_LATEST_GO_VERSION}\`
 
           This is a same-tag image rebuild (security patches, base OS updates).
-          No Go language version change expected.
+          If the Go version label in the image changed, \`go.mod\` is also updated.
 
           ### Changes Made
           - \`install-go.sh\` DEFAULT_IMAGE SHA updated
           - \`bpf-prog/ipv6-hp-bpf/linux.Dockerfile\` SHA updated
           - Template Dockerfiles regenerated via \`make dockerfiles\`
+          - \`go.mod\`/\`tools-go/go.mod\` bumped (if Go version in image changed)
 
           ---
           <!-- go-digest-update:${PR_GO_TAG} -->
@@ -566,7 +567,12 @@ jobs:
           fi
           # Install renderkit from repo's pinned tools-go/go.mod
           GOPATH=$(go env GOPATH 2>/dev/null || echo "$HOME/go")
-          RENDERKIT_VER=$(grep 'orellazri/renderkit' tools-go/go.mod | awk '{print $2}')
+          RENDERKIT_VER=$(go mod edit -json tools-go/go.mod | python3 -c "
+          import sys, json
+          for req in json.load(sys.stdin).get('Require', []):
+              if 'orellazri/renderkit' in req['Path']:
+                  print(req['Version']); break
+          ")
           go install "github.com/orellazri/renderkit@${RENDERKIT_VER}"
           echo "${GOPATH}/bin" >> "$GITHUB_PATH"
 
@@ -738,8 +744,8 @@ jobs:
           gh issue create \
             --repo "$REPO" \
             --title "chore: FIPS prerequisites needed on ${MATRIX_BRANCH} before Go backport" \
-            --label "needs-review" \
-            --assignee "copilot" \
+            --label "go" \
+            --assignee "" \
             --body "## Prerequisites Needed on \`${MATRIX_BRANCH}\`
 
           The Go version automation detected a digest/patch update on master, but
@@ -1160,6 +1166,6 @@ jobs:
           gh issue create \
             --repo "$REPO" \
             --title "chore: upgrade Go ${GO_MINOR} → ${LATEST_MINOR}" \
-            --label "needs-review" \
-            --assignee "copilot" \
+            --label "go" \
+            --assignee "" \
             --body "$BODY"

build/images.mk

@@ -31,6 +31,9 @@ print-%:
 
 # Set GO_IMG tag: make -f build/images.mk set-GO_IMG NEW_TAG=1.27-azurelinux3.0
 set-GO_IMG:
+ifndef NEW_TAG
+	$(error NEW_TAG is required — usage: make -f build/images.mk set-GO_IMG NEW_TAG=1.27-azurelinux3.0)
+endif
 	sed -i -E 's|(GO_IMG[[:space:]]*\?=[[:space:]]*.*golang:)[^ ]*|\1$(NEW_TAG)|' $(CURDIR)/build/images.mk
 
 render: