chore: align CLI CI with patched Go 1.26.5 toolchain#784
chore: align CLI CI with patched Go 1.26.5 toolchain#784plural-copilot[bot] wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
This PR was generated by the codex Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:
| Name | Details |
|---|---|
| 💬 Prompt | Open a remediation PR in this repository to address Go stdlib CVEs affecting the ghcr.io/pluralsh/console image for Plural Service: mgmt/console.... |
| 🔗 Run history | View run history |
Greptile SummaryThis PR upgrades
Confidence Score: 5/5Safe to merge — three workflow files get a straightforward action version bump with no behavioural risk. The three changed files each swap a single action pin ( No files require special attention; the change is limited to action version tags in CI workflow files.
|
| Filename | Overview |
|---|---|
| .github/workflows/codeql.yml | Upgrades actions/setup-go from v4.1.0 to v5; Go version still resolved from go.mod via go-version-file. No logic change. |
| .github/workflows/e2e.yaml | Upgrades actions/setup-go from v4.1.0 to v5 in all three e2e job steps; consistent with other workflows now. |
| .github/workflows/goreleaser-cd.yml | Upgrades actions/setup-go from v4.1.0 to v5 in the release job; Go version remains controlled by go.mod. |
Reviews (1): Last reviewed commit: "chore: align Go setup actions with patch..." | Re-trigger Greptile
| - uses: actions/setup-go@v5 | ||
| with: | ||
| go-version-file: go.mod |
There was a problem hiding this comment.
Action version doesn't drive toolchain selection here
The PR description frames this upgrade as CVE remediation, but actions/setup-go@v4.1.0 with go-version-file: go.mod already resolved and installed Go 1.26.5 (the version declared in go.mod). The action version (v4 vs v5) controls the action's own behaviour (caching defaults, toolchain directive support, etc.), not which Go SDK is downloaded — the go-version-file directive does that. Aligning to v5 is still a good maintenance step (consistent with ci.yaml and edge.yaml, and v5 adds improved module-cache handling), but it doesn't independently address the cited CVEs; those are already remediated by the go 1.26.5 pin in go.mod that was in place before this PR.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Summary
Why
This repo is the source of the embedded CLI in
ghcr.io/pluralsh/console, so Go stdlib vulnerabilities reported against the console image map back to builds frompluralsh/plural-cli.This remediates the Go stdlib CVEs affecting Plural Service: mgmt/console:
CVE-2026-42505(crypto/tls)CVE-2026-39822(os.Root)The vulnerable environment was reported on Go
1.26.4; this repo already pins Go1.26.5ingo.modand Docker-based build paths, and this PR updates the remaining workflow action pins so CI/release jobs also resolve that fixed toolchain consistently.Files changed
.github/workflows/codeql.yml.github/workflows/e2e.yaml.github/workflows/goreleaser-cd.ymlVerification
go.mod,Dockerfile,test.Dockerfile, and helper scripts are1.26.5test.Dockerfile/make testverification; the build did not complete within the available execution window in the agent environment