ci(go): add govulncheck and bump Go to 1.25.11 #378

Merged
giuliocalzo merged 3 commits into NVIDIA:main from giuliocalzo:ci/govulncheck-go-1.25.11
Jul 2, 2026

Conversation

@giuliocalzo giuliocalzo commented Jul 2, 2026

Collaborator

Summary

  • Add a govulncheck job to .github/workflows/go.yml (symbol-level scan via go run golang.org/x/vuln/cmd/govulncheck@latest ./...)
  • Bump Go from 1.25.9 to 1.25.11 in go.mod, Dockerfile, and all CI setup-go steps to address 9 reachable stdlib vulnerabilities on 1.25.9
  • Update AGENTS.md, .claude/CLAUDE.md, and CHANGELOG.md

Test plan

  • Go CI workflow passes (check, test, build, govulncheck)
  • govulncheck reports no reachable vulnerabilities on Go 1.25.11
  • make build succeeds locally with Go 1.25.11

Run govulncheck in the Go workflow on every PR and upgrade the
toolchain to Go 1.25.11 to clear reachable stdlib vulnerabilities.

Signed-off-by: Giulio Calzolari <gcalzolari@nvidia.com>
greptile-apps Bot commented Jul 2, 2026

Contributor

Greptile Summary

This PR bumps the Go toolchain from 1.25.9 to 1.25.11 across go.mod, Dockerfile, and all CI setup-go steps, and adds a dedicated govulncheck job to the Go CI workflow to surface reachable stdlib vulnerabilities automatically.

  • Go version bump: go.mod, Dockerfile, and all three existing CI jobs (check, test, build) are updated to 1.25.11 consistently.
  • govulncheck job: New CI job runs golang.org/x/vuln/cmd/govulncheck@v1.1.4 (pinned) and mirrors the runner/timeout/setup of the existing jobs.
  • Docs and changelog: AGENTS.md, .claude/CLAUDE.md, and CHANGELOG.md are updated to reflect the new version and the new workflow step.

Confidence Score: 5/5

Straightforward toolchain bump and additive CI job; all changes are mechanical and consistent across the codebase.

The Go version is updated uniformly across go.mod, Dockerfile, and all four CI jobs with no discrepancies. The new govulncheck job uses a pinned tool version, mirrors the runner and timeout of the existing jobs, and does not modify any application logic. Documentation and changelog entries are accurate and correctly placed.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/go.yml | Go version bumped to 1.25.11 in all three existing jobs; new govulncheck job added with pinned @v1.1.4 tool version, consistent runner/timeout settings, and module caching enabled. |
| go.mod | Minimum Go version directive updated from 1.25.9 to 1.25.11; no dependency changes. |
| Dockerfile | Builder base image updated from golang:1.25.9 to golang:1.25.11; no other changes. |
| CHANGELOG.md | govulncheck entry added under ### Added; Go toolchain bump entry added under a new ### Changed section placed correctly between ### Added and ### Fixed. |
| AGENTS.md | Go prerequisite version and CI workflow description updated to match 1.25.11 and the new govulncheck job. |
| .claude/CLAUDE.md | Go prerequisite version and CI workflow description updated to match 1.25.11 and the new govulncheck job; mirrors AGENTS.md changes. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    push[Push / Pull Request] --> check
    push --> test
    push --> build
    push --> govulncheck

    check["check job\n(lint via golangci-lint)\nGo 1.25.11"]
    test["test job\n(go test + coverage)\nGo 1.25.11"]
    build["build job\n(make build)\nGo 1.25.11"]
    govulncheck["govulncheck job NEW\n(govulncheck@v1.1.4 ./...)\nGo 1.25.11"]

    check --> pass[CI Pass]
    test --> pass
    build --> pass
    govulncheck --> pass
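As an added illustration (not the repository's go.yml, which this page does not reproduce), here is a govulncheck job shaped the way the PR description and the Greptile summary describe it: setup-go on 1.25.11 with module caching, and the scanner pinned to v1.1.4 rather than the `@latest` from the original description. The job name, runner label, timeout value, trigger block and action versions are assumptions.

```yaml
# Added example: one govulncheck job in the style the PR describes.
# Runner, timeout, trigger and action versions are assumptions, not
# values taken from the repository's workflow.
name: Go

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read            # the scan only needs to read the checkout

jobs:
  govulncheck:
    runs-on: ubuntu-latest  # assumed; mirror the runner of the other jobs
    timeout-minutes: 10     # assumed; mirror the timeout of the other jobs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.25.11'   # same toolchain as go.mod and Dockerfile
          cache: true             # module cache, as in the existing jobs
      # Pinning the tool version keeps scans reproducible; @latest would let
      # the scanner change underneath CI without any commit to this repo.
      # Scanning ./... covers every package, and govulncheck reports only
      # findings whose affected symbols are reachable from this module, so
      # the stdlib results depend on the toolchain selected above.
      - name: Scan for reachable vulnerabilities
        run: go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./...
```

The step fails the job on any reachable finding, which is what makes a toolchain that still carries stdlib vulnerabilities (as 1.25.9 did here) visible on every PR.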

giuliocalzo and others added 2 commits July 2, 2026 09:40
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Signed-off-by: Giulio Calzolari <9049490+giuliocalzo@users.noreply.github.com>
Keep PR NVIDIA#377 OCI/Helm entries under Added and pin govulncheck to v1.1.4
for reproducible CI scans.

Signed-off-by: Giulio Calzolari <gcalzolari@nvidia.com>
@giuliocalzo giuliocalzo merged commit 1dd3a14 into NVIDIA:main Jul 2, 2026
7 checks passed