Fix release pipelines to pick up latest Go patch TT-16060 #7501

Closed
Razeen-Abdal-Rahman wants to merge 1 commit into release-5.8 from releng/release-5.8

Conversation

@Razeen-Abdal-Rahman (Contributor) commented Nov 3, 2025

User description

Go version for release pipelines updated to 1.24-bookworm.
Other changes from gromit carried over:

  • .github/workflows/release.yml upgrade tests (logic added for handling scenarios where no previous version is available, used for new product launches) and steps to push docker images for fips
  • ci/Dockerfile updated to fix bugs when building locally
  • ci/goreleaser/goreleaser.yml properly imports env value for fips and adds docker builds to goreleaser for local testing; these are skipped in pipeline runs
  • ci/install/post_install.sh fix reversed logic and add handling if config file doesn't exist

Description

All versions of golang in the release.yml file have been updated from 1.24-bullseye to 1.24-bookworm.

Related Issue

Jira ticket: TT-16060

Motivation and Context

This update is required so the CI pipeline can pick up the latest Go patch, which addresses newly reported CVEs in stdlib.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning why it's required
  • I would like a code coverage CI quality gate exception and have explained why

PR Type

Bug fix, Enhancement


Description

  • Switch Go image to 1.24-bookworm
  • Add FIPS docker build and publishing
  • Fix post-install cleanup and chmod guard
  • Improve upgrade tests fallback logic

Diagram Walkthrough

flowchart LR
  GO["Go base: 1.24-bookworm"]
  CI["GitHub Actions release workflow"]
  FIPS["FIPS image build/push"]
  EE["EE images build/push"]
  STD["STD images build/push"]
  POST["post_install.sh fixes"]
  GOREL["Goreleaser docker configs"]

  GO -- "matrix switch" --> CI
  CI -- "adds" --> FIPS
  CI -- "retargets conditions" --> EE
  CI -- "retargets conditions" --> STD
  GOREL -- "defines ee/std/fips images + manifests" --> CI
  POST -- "cleanup & chmod guard" --> CI

File Walkthrough

Relevant files

Bug fix
  ci/install/post_install.sh (+4/-4): Fix service cleanup and safe chmod
    • Correct service cleanup conditional paths
    • Guard chmod with config existence check

Enhancement
  .github/workflows/release.yml (+82/-14): Release workflow: bookworm and FIPS support
    • Update golang_cross to 1.24-bookworm
    • Add FIPS docker image build/publish steps
    • Adjust goreleaser to skip docker in snapshots
    • Make upgrade tests resilient to missing previous version

  ci/Dockerfile.std (+5/-5): Dockerfile uses dist deb and cleans caches
    • Install deb from dist path
    • Clean specific apt/cache/log paths
    • Reorder copy/install for reproducibility

  ci/goreleaser/goreleaser.yml (+248/-1): Goreleaser: add docker images and FIPS config
    • Set GOEXPERIMENT=boringcrypto for FIPS build
    • Add docker image builds for ee/std/fips
    • Define multi-arch manifests for ee/std, single-arch for fips
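The two post_install.sh behaviours listed in the PR body (remove only the init integration that is not in use, and chmod the config file only when it exists) are shown here as an added example that is not the project's ci/install/post_install.sh. Both behaviours are written as functions that take a root prefix so they can be exercised against a throwaway directory; the prefix argument, the function names, the config path under /opt/tyk-gateway, the 0660 mode and the systemctl-on-PATH probe are assumptions of this example, not values taken from the PR.

```shell
#!/bin/sh
# Added example, not the project's post_install.sh. Reproduces the PR's
# cleanup and chmod-guard logic with a root prefix so it runs in a temp dir.
# Function names, the config path, the 0660 mode and the detection probe are
# assumptions of this example.

# $1: root prefix ("" on a real host), $2: "True" when systemd manages the service.
cleanup_service_files() {
    root="$1"
    use_systemctl="$2"
    if [ "${use_systemctl}" = "True" ]; then
        # systemd is in use: the SysV script is the stale artefact, the unit stays
        rm -f "${root}/etc/init.d/tyk-gateway"
    else
        # no systemctl: the unit is unused, the SysV script stays
        rm -f "${root}/lib/systemd/system/tyk-gateway.service"
    fi
}

# $1: config file path. Tightens the mode only when the file exists; a fresh
# install that ships no config returns 1 instead of failing the package hook.
guard_chmod_config() {
    cfg="$1"
    if [ -f "${cfg}" ]; then
        chmod 0660 "${cfg}"
        return 0
    fi
    return 1
}

# Prints True/False depending on whether systemctl is on PATH, the usual probe
# in package post-install hooks (assumed detection method).
detect_systemctl() {
    if command -v systemctl >/dev/null 2>&1; then
        echo True
    else
        echo False
    fi
}

# Runs both functions against a constructed fixture under mktemp and reports
# what happened; nothing outside the temporary directory is touched.
demo() {
    root=$(mktemp -d)
    mkdir -p "${root}/etc/init.d" "${root}/lib/systemd/system" "${root}/opt/tyk-gateway"
    : > "${root}/etc/init.d/tyk-gateway"
    : > "${root}/lib/systemd/system/tyk-gateway.service"

    cleanup_service_files "${root}" True
    if [ ! -e "${root}/etc/init.d/tyk-gateway" ]; then echo "SysV script removed"; fi
    if [ -e "${root}/lib/systemd/system/tyk-gateway.service" ]; then echo "systemd unit kept"; fi

    # no tyk.conf was created in the fixture, so the guard must skip the chmod
    if guard_chmod_config "${root}/opt/tyk-gateway/tyk.conf"; then
        echo "chmod applied"
    else
        echo "chmod skipped: no config file"
    fi
    echo "this host reports systemctl: $(detect_systemctl)"
    rm -rf "${root}"
}

demo
```

Running the script prints the removed/kept decisions for a systemd host and the skipped chmod; calling `cleanup_service_files "" "$(detect_systemctl)"` is the shape a real hook would use, with the empty prefix selecting the live filesystem.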

@Razeen-Abdal-Rahman Razeen-Abdal-Rahman changed the title from "Auto generated from templates by gromit" to "Fix release pipelines to pick up latest Go patch TT-16060" Nov 3, 2025
@Razeen-Abdal-Rahman Razeen-Abdal-Rahman self-assigned this Nov 3, 2025
@Razeen-Abdal-Rahman Razeen-Abdal-Rahman marked this pull request as ready for review November 3, 2025 19:25
@Razeen-Abdal-Rahman Razeen-Abdal-Rahman requested a review from a team as a code owner November 3, 2025 19:25
github-actions Bot (Contributor) commented Nov 3, 2025

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Possible Issue

Inverted cleanup logic now removes the systemd unit when systemctl is not used and leaves it when it is, which may be correct, but please validate across all target distros that the intended files are removed for each init system to avoid stale units or missing service scripts.

if [ "${use_systemctl}" = "True" ]; then
    rm -f /etc/init.d/tyk-gateway
else
    rm -f /lib/systemd/system/tyk-gateway.service
fi
CI Logic Change

The goreleaser command now skips docker builds on non-tag refs and adds new FIPS image build/push steps gated by the matrix golang image. Confirm this conditional behavior matches the release process expectations and does not inadvertently skip required images or attempt pushes on PRs.

echo '#!/bin/sh
ci/bin/unlock-agent.sh
git config --global url."https://${{ secrets.ORG_GH_TOKEN }}@github.com".insteadOf "https://github.com"
git config --global --add safe.directory /go/src/github.com/TykTechnologies/tyk
goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}' | tee /tmp/build.sh
chmod +x /tmp/build.sh
docker run --rm --privileged -e GITHUB_TOKEN=${{ github.token }} \
-e GOPRIVATE=github.com/TykTechnologies                                \
-e DEBVERS='${{ matrix.debvers }}'                               \
-e RPMVERS='${{ matrix.rpmvers }}'                               \
-e CGO_ENABLED=${{ matrix.cgo }}                                 \
-e NFPM_PASSPHRASE="$NFPM_PASSPHRASE"                          \
-e GPG_FINGERPRINT=12B5D62C28F57592D1575BD51ED14C59E37DAC20            \
-e PKG_SIGNING_KEY="$PKG_SIGNING_KEY"                                  \
Packaging Path Globs

The switch to copy from dist using a specific pattern with TARGETARCH may differ from previous globbing; ensure the dpkg install and cleanup work for all arches and that the files exist at those paths during CI and local runs.

COPY dist/${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb /
RUN dpkg -i /${BUILD_PACKAGE_NAME}_*_${TARGETARCH}.deb && find / -maxdepth 1 -name "*.deb" -delete

github-actions Bot (Contributor) commented Nov 3, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Fix inverted cleanup logic

The removal targets are reversed: when systemctl is used, you should remove the
systemd unit, not the SysV init script. Swap the rm paths to avoid deleting the
wrong service file and leaving stale units behind.

ci/install/post_install.sh [20-24]

 if [ "${use_systemctl}" = "True" ]; then
+    rm -f /lib/systemd/system/tyk-gateway.service
+else
     rm -f /etc/init.d/tyk-gateway
-else
-    rm -f /lib/systemd/system/tyk-gateway.service
 fi
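Review bot: this suggestion should not be applied; the hunk's `if` branch already removes the right file. When `${use_systemctl}` is True the service is managed by systemd, so the stale artefact is the SysV script `/etc/init.d/tyk-gateway` and the unit under `/lib/systemd/system` must stay; swapping the targets as proposed would delete the active unit on systemd hosts and leave the unused init script behind. The code as it stands is the "fix reversed logic" item from the PR description.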
Suggestion importance[1-10]: 8


Why: The PR flips the cleanup paths so ${use_systemctl} == True deletes the SysV script, which is inverted; swapping the rm targets matches intent and prevents stale service files. The existing_code matches the new hunk lines 20-24 and the improved_code correctly fixes the logic.

Medium
General
Preserve apt metadata directory

Removing /var/lib/apt breaks further apt operations during later layers or container
use (e.g., apt-get update cannot run). Keep apt metadata directories intact while
still cleaning caches to avoid runtime package manager failures.

ci/Dockerfile.std [21-25]

 RUN rm -rf /root/.cache \
     && apt-get -y autoremove \
     && apt-get clean \
-    && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/apt /var/lib/cache /var/log/* \
+    && rm -rf /usr/include/* /var/cache/apt/archives /var/lib/cache /var/log/* \
     && find /usr/lib -type f -name '*.a' -o -name '*.o' -delete
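Review bot: besides the `/var/lib/apt` point, the `find` invocation in the trailing context line has an operator-precedence defect: `-type f -name '*.a' -o -name '*.o' -delete` parses as `( -type f -and -name '*.a' ) -or ( -name '*.o' -and -delete )`, so `*.a` files match but are never deleted, and `*.o` entries are deleted without the `-type f` restriction. Group the name tests: `find /usr/lib -type f \( -name '*.a' -o -name '*.o' \) -delete`. On the apt point itself, the conventional image-shrinking form is `rm -rf /var/lib/apt/lists/*`, which drops the downloaded index data while leaving the directory tree apt needs for a later `apt-get update`.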
Suggestion importance[1-10]: 7


Why: The PR now removes /var/lib/apt, which can break future apt operations in later layers; keeping apt metadata while cleaning caches is a sensible reliability fix. The snippet corresponds to new hunk lines 21-25 and the improved_code reflects retaining /var/lib/apt.

Medium
Correct CLI flag spacing

The conditional appends a leading space inside the quoted fragment, which can
produce malformed arguments and inconsistent parsing. Remove the leading spaces
inside the dynamic strings to ensure flags are passed correctly.

.github/workflows/release.yml [102]

-goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && ' --snapshot --skip=sign,docker' || '--skip=docker' }}'
+goreleaser release --clean -f ${{ matrix.goreleaser }} ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot --skip=sign,docker' || '--skip=docker' }}'
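Review bot: the leading space is cosmetic here, since the generated `/tmp/build.sh` is run by `/bin/sh` and the unquoted argument list is split on whitespace, so the flag arrives intact either way; the point worth confirming on this line is the asymmetry that non-tag refs run with `--snapshot --skip=sign,docker` while tag refs keep signing enabled and skip only docker. Signing (and any failure in it) is therefore exercised only on the tag build that produces the release, so a broken signing setup surfaces at release time rather than on PR runs.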
Suggestion importance[1-10]: 6


Why: The embedded strings include a leading space which can lead to awkward argument parsing; removing it is a minor but valid robustness improvement. The line maps to new hunk line 102 and the change is accurate though impact is moderate.

Low

github-actions Bot (Contributor) commented Nov 4, 2025

API Changes

no api changes detected

github-actions Bot (Contributor) commented Nov 4, 2025

🚨 Jira Linter Failed

Commit: ce3d2fe
Failed at: 2025-11-04 15:56:02 UTC

The Jira linter failed to validate your PR. Please check the error details below:

Error details:
failed to validate branch and PR title rules: branch name 'releng/release-5.8' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

sonarqubecloud Bot commented Nov 4, 2025

1 participant