From 126fa1a632d62551d5aeb1cd9f8af0f2e5f9166a Mon Sep 17 00:00:00 2001
From: David Levy
Date: Wed, 3 Jun 2026 17:26:16 -0500
Subject: [PATCH] ci: pin Go toolchain to 1.26.4 and unify version source

Fixes govulncheck failures for GO-2026-5037 (crypto/x509) and GO-2026-5039 (net/textproto), both fixed in Go 1.26.4.

Changes:
- go.mod: add 'toolchain go1.26.4' so go/setup-go know the minimum acceptable patch.
- security.yml, pr-validation.yml, golangci-lint.yml: read version from go.mod (single source of truth) and set 'check-latest: true' so the runner fetches the newest matching patch from the signed actions/go-versions manifest instead of serving a stale cache entry (1.26.3).
- security.yml: pin govulncheck to @v1.1.4 instead of @latest for supply-chain hygiene. The vuln DB itself is fetched at runtime, so this only pins the analyzer binary.
---
.github/workflows/golangci-lint.yml | 5 +++--
.github/workflows/pr-validation.yml | 3 ++-
.github/workflows/security.yml | 3 ++-
go.mod | 2 ++
4 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index f9f97c19..37e68070 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -13,10 +13,11 @@ jobs:
name: lint-pr-changes
runs-on: ubuntu-latest
steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
- go-version: '1.26.0'
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ go-version-file: go.mod
+ check-latest: true
- name: golangci-lint
# Pinned to commit SHA for supply chain security (CWE-829)
# Verify: gh api repos/golangci/golangci-lint-action/git/ref/tags/v9 --jq '.object.sha'
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index 1f1af8e7..edeed249 100644
--- a/.github/workflows/pr-validation.yml
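Review bot: Moving actions/checkout ahead of actions/setup-go is load-bearing — `go-version-file: go.mod` can only be resolved once the repository is in the workspace — but nothing in the file says so, and a later tidy-up could put the steps back in the old order. Add a comment on the new checkout line: `# must run before setup-go: go-version-file reads go.mod from the checkout`. The same `check-latest: true` is added in pr-validation.yml and security.yml; since the installed patch now depends on the go-versions manifest at run time rather than a literal in the workflow, a one-line comment such as `# resolves the toolchain directive in go.mod against the live manifest, not the runner cache` next to it would record the intent in all three places. Note also that with `toolchain go1.26.4` in go.mod the go command's default GOTOOLCHAIN=auto will itself download 1.26.4 if setup-go hands it an older patch, so check-latest is belt-and-braces; if the job should fail loudly on a mismatch instead of silently fetching, set `GOTOOLCHAIN: local` in the job env.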
+++ b/.github/workflows/pr-validation.yml @@ -16,7 +16,8 @@ jobs: - name: Setup go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: - go-version: '1.26.0' + go-version-file: go.mod + check-latest: true - name: Run tests against Linux SQL run: | go version diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index d23f59c7..0b73e4c3 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -30,9 +30,10 @@ jobs: uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 with: go-version-file: go.mod + check-latest: true - name: Install govulncheck - run: go install golang.org/x/vuln/cmd/govulncheck@latest + run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 - name: Run govulncheck run: govulncheck ./... diff --git a/go.mod b/go.mod index bf6bcd19..625f6f3d 100644 --- a/go.mod +++ b/go.mod @@ -2,6 +2,8 @@ module github.com/microsoft/go-sqlcmd go 1.26 +toolchain go1.26.4 + require ( github.com/alecthomas/chroma/v2 v2.26.1 github.com/billgraziano/dpapi v0.5.0
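Review bot: It is not visible in this hunk whether an actions/checkout step runs before the Setup go step, which `go-version-file: go.mod` now requires; golangci-lint.yml needed an explicit reorder for the same change, so verify the step order here. The job's steps list begins before the hunk and the `Run tests against Linux SQL` step continues after it, so the checkout line itself is out of view. If the order is correct, the same `# must run before setup-go: go-version-file reads go.mod from the checkout` comment on the checkout line would protect it.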
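Review bot: Nothing in this job asserts that the toolchain actually in use is the 1.26.4 that go.mod now requires; if the go-versions manifest lags, the failure mode is the same GO-2026-5037/GO-2026-5039 findings as before rather than a clear message. A guard step before Install govulncheck, e.g. `run: go version && test "$(go env GOVERSION)" = "$(go mod edit -json | jq -r .Toolchain)"`, makes a mismatch explicit (if GOTOOLCHAIN=auto has already switched to the directive's toolchain the check passes, which is the state you want anyway). The `go install ...@v1.1.4` pin is integrity-checked against the checksum database by default, so it does not need a separate hash; a comment `# version pin is verified via GOSUMDB; do not set GONOSUMDB to work around a checksum failure` would keep that property from being quietly disabled later.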
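Review bot: The toolchain line carries its security rationale only in the commit message, so a future contributor bumping or removing it has no in-file hint of why 1.26.4 is the floor. go.mod accepts `//` comments; annotate it: `toolchain go1.26.4 // minimum patch for GO-2026-5037 and GO-2026-5039; govulncheck in security.yml enforces this`. Leaving `go 1.26` untouched is right, since the go directive is the minimum language version for consumers of this module while toolchain only steers which Go builds it.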