fix(#1344): update Go version in code agent sandbox to 1.26.0 #1990

Merged: ralphbean merged 4 commits into main from agent/1344-update-go-sandbox-version on Jun 8, 2026

@fullsend-ai-coder

Contributor

The sandbox image pinned Go 1.24.13 while go.mod requires 1.26.0. This version mismatch prevented the code agent from compiling or testing Go code, causing it to submit untested PRs (e.g. PR #1016 shipped a duplicate map key that go build would have caught).

Update GO_VERSION from 1.24.13 to 1.26.0 and replace the SHA256 checksums for linux-amd64 and linux-arm64 archives. Checksums sourced from docker-library/golang at the go1.26.0 release commit.

The sandbox image will rebuild automatically via the sandbox-images.yml workflow on push to main.

Note: pre-commit could not run in-sandbox (exit 3) because the gitleaks hook tried to auto-download a newer Go toolchain, which is blocked by sandbox network policy. This is the same version mismatch this commit fixes.


Closes #1344

Post-script verification

  • Branch is not main/master (agent/1344-update-go-sandbox-version)
  • Secret scan passed (gitleaks — 9ea038f26b4c37a1000c1fe5a42303217a79357b..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

@github-actions

github-actions Bot commented Jun 7, 2026

Site preview

Preview: https://09468cca-site.fullsend-ai.workers.dev

Commit: d735bee01aa627e8d12016f16488c310c011fc2b

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 7, 2026

Review

Findings

Low

  • [supply-chain-verification] images/code/Containerfile:60 — SHA256 checksums for Go 1.26.0 cannot be verified within this review, but the build self-diagnoses via sha256sum -c (line 70) — incorrect checksums cause a safe build failure. The prior gopls compatibility concern is resolved by the bump from v0.18.1 to v0.22.0, which also self-diagnoses at line 82 (gopls version).

Info

  • [authorization] images/code/Containerfile — Change is properly authorized by issue Update Go version in code agent sandbox image to match go.mod #1344 and scoped exactly to the authorized work (GO_VERSION, SHA256 checksums, and GOPLS_VERSION). The issue explicitly authorizes updating the Go version to match go.mod and confirming gopls compatibility. No scope creep detected.
  • [architectural-coherence] images/code/Containerfile:59 — Change aligns Go version across go.mod (1.26.0), mise.toml (1.26.0), and the sandbox image. CI workflows use go-version-file: go.mod and are unaffected. The gopls bump from 0.18.1 to 0.22.0 maintains language server compatibility with Go 1.26.0.

Previous run

Review

Findings

Low

  • [compatibility] images/code/Containerfile:80 — gopls is pinned at v0.18.1, which was released during the Go 1.24 era. While gopls typically maintains forward compatibility, it is worth confirming that gopls v0.18.1 builds and runs correctly under Go 1.26.0. If it fails, the code agent loses LSP code intelligence. The image build will surface this at line 82 (go install ... && gopls version), so a build failure here is safe and self-diagnosing.
    Remediation: If the sandbox image build fails at the gopls install step, bump GOPLS_VERSION to a release that supports Go 1.26.0.

Info

  • [supply-chain-note] images/code/Containerfile:60 — SHA256 checksums for Go 1.26.0 were updated. The PR body states they were sourced from docker-library/golang rather than the canonical go.dev/dl/?mode=json API referenced in the inline comment (line 58). Both are official sources, and the build pipeline verifies checksums via sha256sum -c (line 70) against the go.dev download — incorrect checksums cause a safe build failure. No action needed; noting for traceability.
  • [authorization] images/code/Containerfile — Change is properly authorized by issue Update Go version in code agent sandbox image to match go.mod #1344 and scoped exactly to the authorized work (GO_VERSION + SHA256 checksums). No scope creep detected.
  • [architectural-coherence] images/code/Containerfile:59 — Change aligns Go version across go.mod (1.26.0), mise.toml (1.26.0), and the sandbox image. CI workflows use go-version-file: go.mod and are unaffected.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 7, 2026
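
The review above notes that the pinned checksums came from docker-library/golang rather than the go.dev/dl/?mode=json feed, and the PR exists because the image's Go version drifted from go.mod. As an added example (not code from this PR or the fullsend project), the script below checks both conditions before a build. The `GO_SHA256_*` ARG names, the Containerfile excerpt, the go.mod text, the feed sample and all digests are constructed for illustration; only `GO_VERSION` is named on the page.

```python
import json
import re

# Constructed inputs. Digests are placeholders, and the GO_SHA256_* ARG names
# are hypothetical; only GO_VERSION is named on the page.
CONTAINERFILE = "\n".join([
    "ARG GO_VERSION=1.26.0",
    "ARG GO_SHA256_AMD64=" + "a" * 64,
    "ARG GO_SHA256_ARM64=" + "b" * 64,  # deliberately differs from the feed
])
GO_MOD = "module example.test/app\n\ngo 1.26.0\n"
# Shaped like one release entry of the go.dev/dl/?mode=json document.
FEED = json.dumps([{"version": "go1.26.0", "files": [
    {"os": "linux", "arch": "amd64", "kind": "archive", "sha256": "a" * 64},
    {"os": "linux", "arch": "arm64", "kind": "archive", "sha256": "c" * 64},
]}])


def parse_args(containerfile):
    """Return {name: value} for every `ARG NAME=value` line."""
    return dict(re.findall(r"^ARG\s+(\w+)=(\S+)\s*$", containerfile, re.M))


def audit(containerfile, go_mod, feed_json):
    """Return findings; an empty list means the pins are consistent."""
    args = parse_args(containerfile)
    version = args.get("GO_VERSION", "")
    findings = []
    # Drift check: the image must pin the toolchain version go.mod declares.
    m = re.search(r"^go\s+(\S+)\s*$", go_mod, re.M)
    wanted = m.group(1) if m else None
    if wanted != version:
        findings.append(f"go.mod wants {wanted}, image pins {version}")
    # Provenance check: each pinned digest must equal the feed's digest.
    release = next((r for r in json.loads(feed_json)
                    if r["version"] == f"go{version}"), None)
    if release is None:
        return findings + [f"go{version} not present in feed"]
    published = {f["arch"]: f["sha256"] for f in release["files"]
                 if f["os"] == "linux" and f["kind"] == "archive"}
    for arch in ("amd64", "arm64"):
        pinned = args.get(f"GO_SHA256_{arch.upper()}", "").lower()
        if pinned != published.get(arch):
            findings.append(f"linux-{arch}: pinned digest does not match feed")
    return findings


if __name__ == "__main__":
    print(audit(CONTAINERFILE, GO_MOD, FEED))
```

A check like this complements the `sha256sum -c` step in the build: that step proves the downloaded archive matches the pin, while this one shows where the pin itself came from.
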
gopls 0.18.1 depends on golang.org/x/tools v0.30.x which fails to
compile under Go 1.26.0 (invalid array length in tokeninternal.go).
Bump to gopls 0.22.0, the latest release, which supports Go 1.26.

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jun 7, 2026
Keep the PR's Go ENV block (PATH, GOPATH, GOMODCACHE) and gopls v0.22.0
install; remove the duplicate gopls v0.18.1 block that came from main.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@fullsend-ai-review

🤖 Review · Started 3:38 PM UTC
Commit: d0ac11b

Fixes end-of-file-fixer pre-commit hook failure.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@fullsend-ai-review

🤖 Review · Started 3:41 PM UTC
Commit: d0ac11b

@ralphbean ralphbean added this pull request to the merge queue Jun 8, 2026
Merged via the queue into main with commit 4135fb3 Jun 8, 2026
9 checks passed
@ralphbean ralphbean deleted the agent/1344-update-go-sandbox-version branch June 8, 2026 15:45
@fullsend-ai-retro

🤖 Retro · Started 3:47 PM UTC
Commit: d0ac11b

@fullsend-ai-review

Review skipped — this PR is already merged.

The /fs-review command only reviews open pull requests.

Posted by fullsend post-review check

@fullsend-ai-review

🤖 Finished Review · ✅ Success · Started 3:41 PM UTC · Completed 3:51 PM UTC
Commit: d0ac11b

@fullsend-ai-retro

Retro: PR #1990 — Update Go version in code agent sandbox

This PR originated from issue #1344, which was itself filed by the retro agent after PR #1016 shipped a Go compile error because the sandbox couldn't build Go code (Go 1.24.13 in sandbox vs 1.26.0 required by go.mod). The full loop — retro → triage → prioritize → code → review → merge — worked well.

What went well:

  • The retro agent correctly identified the root cause from PR fix(#1012): add extract-transcript-error.sh to executableFiles map #1016 and filed a well-scoped issue
  • The code agent produced the correct Go version bump on first attempt
  • The review agent caught a real compatibility concern (gopls v0.18.1 incompatible with Go 1.26) at low severity
  • Two human approvals and merge completed within ~24 hours of PR creation

What required human intervention:

  • A human had to push a gopls v0.18.1 → v0.22.0 bump because the code agent didn't check co-located tool compatibility
  • A human resolved a merge conflict with main and a trailing blank line pre-commit failure (2 additional commits)

Skipped proposals (already covered by existing issues):

1 proposal filed for code agent cascading dependency checking.

Proposals filed

@fullsend-ai-retro

🤖 Finished Retro · ✅ Success · Started 3:47 PM UTC · Completed 3:53 PM UTC
Commit: d0ac11b
