Skip to content

Commit ddbe7a6

Browse files
committed
build(security): pin Go toolchain to 1.26.5 + add blocking govulncheck CI job (om-xga8)
govulncheck flags GO-2026-5856 (CVE-2026-42505, ECH privacy leak in crypto/tls, fixed in go1.26.5) against the 1.26.4 toolchain. It is symbol-reachable here (internal/spot -> net/http -> https -> tls), so the scanner genuinely reports it; real exposure is ~nil (we never configure ECH). An unclean scanner is a scanner nobody reads, so: get to a clean baseline and wire govulncheck into CI so the next advisory arrives as a red check. - go.mod: ADD `toolchain go1.26.5` (a soft floor). The `go 1.26.4` line STAYS — it is the minimum-LANGUAGE-version contract, not the build-stdlib selector. Bumping it would hard-break GOTOOLCHAIN=local builders (distro packagers, hermetic/air-gapped) for zero security gain. The toolchain directive gives patched stdlib under GOTOOLCHAIN=auto while local 1.26.4 builds still succeed. go.sum untouched. - ci.yml + release.yml: setup-go now reads `go-version-file: 'go.mod'`, so go.mod is the single source of truth for the toolchain — no floating '1.26' literal to silently roll, one place to bump next time. - ci.yml: ADD a blocking `vuln` job running `govulncheck ./...` as its own job (a stdlib advisory shows as a distinct red check, not "your diff broke the build"). No Node/npm steps — `go build` works without the UI because web/dist/.gitkeep is tracked. Verified: go1.26.5 selected under default GOTOOLCHAIN; build/vet/test pass; govulncheck clean under 1.26.5; GOTOOLCHAIN=local build still succeeds on 1.26.4; go.sum unchanged.
1 parent 38a34cc commit ddbe7a6

3 files changed

Lines changed: 19 additions & 2 deletions

File tree

.github/workflows/ci.yml

Lines changed: 16 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ jobs:
1212
- uses: actions/checkout@v7
1313
- uses: actions/setup-go@v6
1414
with:
15-
go-version: '1.26'
15+
go-version-file: 'go.mod'
1616
- uses: actions/setup-node@v6
1717
with:
1818
node-version: '22'
@@ -28,3 +28,18 @@ jobs:
2828

2929
- name: go test
3030
run: go test ./...
31+
32+
vuln:
33+
# Blocking govulncheck. Its own job so a stdlib advisory shows up as a
34+
# distinct red check, not "your diff broke the build". go build works with
35+
# no UI (web/dist/.gitkeep is tracked), so no Node/npm steps are needed.
36+
runs-on: ubuntu-latest
37+
steps:
38+
- uses: actions/checkout@v7
39+
- uses: actions/setup-go@v6
40+
with:
41+
go-version-file: 'go.mod'
42+
- name: govulncheck
43+
run: |
44+
go install golang.org/x/vuln/cmd/govulncheck@latest
45+
govulncheck ./...

.github/workflows/release.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ jobs:
1818
fetch-depth: 0 # tags, for `git describe`
1919
- uses: actions/setup-go@v6
2020
with:
21-
go-version: '1.26'
21+
go-version-file: 'go.mod'
2222
- uses: actions/setup-node@v6
2323
with:
2424
node-version: '22'

go.mod

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,8 @@ module github.com/tompscanlan/coinrollhunter
22

33
go 1.26.4
44

5+
toolchain go1.26.5
6+
57
require (
68
github.com/mattn/go-isatty v0.0.20
79
modernc.org/sqlite v1.53.0

0 commit comments

Comments
 (0)