Bump Go 1.23 -> 1.24 and align Alpine to 3.22

geropl · ona-agent · geropl · commit 31e5984585d1 · 2026-03-04T09:05:35.000Z
Fixes CVE-2025-68121 (crypto/tls session resumption, Go <1.24.13), CVE-2025-22871 (net/http request smuggling, Go <1.23.8/1.24.2), and CVE-2025-15467 (OpenSSL stack buffer overflow, Alpine 3.22 ships 3.5.5). Co-authored-by: Ona <no-reply@ona.com>
diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml
@@ -27,7 +27,7 @@ on:
         type: string
 
 env:
-  GO_VERSION: "1.23"
+  GO_VERSION: "1.24"
   SETUP_BUILDX_VERSION: "edge"
   SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest"
 
diff --git a/.github/workflows/buildkit.yml b/.github/workflows/buildkit.yml
@@ -19,7 +19,7 @@ on:
       - 'frontend/dockerfile/docs/**'
 
 env:
-  GO_VERSION: "1.23"
+  GO_VERSION: "1.24"
   SETUP_BUILDX_VERSION: "edge"
   SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest"
   IMAGE_NAME: "ghcr.io/gitpod-io/buildkit"
diff --git a/Dockerfile b/Dockerfile
@@ -18,7 +18,7 @@ ARG AZURITE_VERSION=3.33.0
 ARG GOTESTSUM_VERSION=v1.9.0
 ARG DELVE_VERSION=v1.23.1
 
-ARG GO_VERSION=1.23
+ARG GO_VERSION=1.24
 ARG ALPINE_VERSION=3.22
 ARG XX_VERSION=1.6.1
 ARG BUILDKIT_DEBUG
diff --git a/frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile b/frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile-upstream:master
 
-ARG GO_VERSION=1.23
-ARG ALPINE_VERSION=3.21
+ARG GO_VERSION=1.24
+ARG ALPINE_VERSION=3.22
 ARG XX_VERSION=1.6.1
 
 # xx is a helper for cross-compilation
