diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index b1579ca3..f8e8e375 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -62,7 +62,7 @@ These structures propagate across every provider and engine. Changing them in a ### Prerequisites -- **Go 1.25.9** (see `go.mod`) — newer minor versions are fine; older will not build +- **Go 1.25.11** (see `go.mod`) — newer minor versions are fine; older will not build - **make** - **golangci-lint** — `brew install golangci-lint` or via `go install` - **helm 3.10+ or 4.x** — required for `make chart-test`; the `helm-unittest` plugin is installed automatically by the target (`brew install helm`). CI pins helm `v4.1.1` in `.github/workflows/chart-test.yaml`. @@ -105,7 +105,7 @@ Coverage checks run on pull requests. A drop below target with no matching uplif ### CI workflows -- `.github/workflows/go.yml` — build, test, and lint on every push and PR +- `.github/workflows/go.yml` — build, test, lint, and `govulncheck` on every push and PR - `.github/workflows/chart-test.yaml` — Helm chart lint + helm-unittest suites (`make chart-test`) on every push and PR - `.github/workflows/docker.yml` — container image build (manual trigger) - `.github/workflows/helm-release.yaml` — Helm chart release (manual trigger) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index fd5d6039..e806a019 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -17,7 +17,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v6 with: - go-version: '1.25.9' + go-version: '1.25.11' - name: Lint uses: golangci/golangci-lint-action@v9 @@ -42,7 +42,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v6 with: - go-version: '1.25.9' + go-version: '1.25.11' - name: Test run: go test -v -coverpkg=./... -coverprofile=coverage.out -covermode=atomic ./... 
@@ -63,8 +63,23 @@ jobs: - name: Set up Go uses: actions/setup-go@v6 with: - go-version: '1.25.9' + go-version: '1.25.11' - name: Build run: | make build + + govulncheck: + runs-on: linux-amd64-cpu8 + timeout-minutes: 15 + steps: + - uses: actions/checkout@v5 + + - name: Set up Go + uses: actions/setup-go@v6 + with: + go-version: '1.25.11' + cache: true + + - name: Run govulncheck + run: go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./... diff --git a/AGENTS.md b/AGENTS.md index 52f75349..a830232a 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -62,7 +62,7 @@ These structures propagate across every provider and engine. Changing them in a ### Prerequisites -- **Go 1.25.9** (see `go.mod`) — newer minor versions are fine; older will not build +- **Go 1.25.11** (see `go.mod`) — newer minor versions are fine; older will not build - **make** - **golangci-lint** — `brew install golangci-lint` or via `go install` - **helm 3.10+ or 4.x** — required for `make chart-test`; the `helm-unittest` plugin is installed automatically by the target (`brew install helm`). CI pins helm `v4.1.1` in `.github/workflows/chart-test.yaml`. @@ -105,7 +105,7 @@ Coverage checks run on pull requests. A drop below target with no matching uplif ### CI workflows -- `.github/workflows/go.yml` — build, test, and lint on every push and PR +- `.github/workflows/go.yml` — build, test, lint, and `govulncheck` on every push and PR - `.github/workflows/chart-test.yaml` — Helm chart lint + helm-unittest suites (`make chart-test`) on every push and PR - `.github/workflows/docker.yml` — container image build (manual trigger) - `.github/workflows/helm-release.yaml` — Helm chart release (manual trigger) diff --git a/CHANGELOG.md b/CHANGELOG.md index eb77f27f..2a7c1698 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,9 +8,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ### Added +- `govulncheck` job in the Go CI workflow for symbol-level vulnerability scanning on pull requests. - OCI labels missing from `docker/metadata-action` on the Topograph container image: `org.opencontainers.image.documentation`, `authors`, and `vendor` ([#377](https://github.com/NVIDIA/topograph/pull/377)). - Helm chart metadata: `home`, `icon`, `maintainers`, `keywords`, and Artifact Hub annotations ([#377](https://github.com/NVIDIA/topograph/pull/377)). +### Changed + +- Go toolchain bumped to **1.25.11** (`go.mod`, `Dockerfile`, CI) to address reachable stdlib vulnerabilities reported by `govulncheck`. + ### Fixed - Helm node-observer now targets the rendered Topograph Service fullname in `generateTopologyUrl`. diff --git a/Dockerfile b/Dockerfile index 3ababc9b..d0c7927b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.25.9 AS builder +FROM golang:1.25.11 AS builder WORKDIR /go/src/github.com/NVIDIA/topograph COPY . . diff --git a/go.mod b/go.mod index 3102c211..d9d1f00e 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/NVIDIA/topograph -go 1.25.9 +go 1.25.11 require ( cloud.google.com/go/compute v1.60.0
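Review bot: in the `.github/workflows/go.yml` hunks at `@@ -17`, `@@ -42` and `@@ -63`, the toolchain is now hard-coded as `go-version: '1.25.11'` in four separate `actions/setup-go@v6` steps, and the same string is repeated in `go.mod` and `Dockerfile`; the next patch bump has to touch all six places or they drift. Suggest replacing each `go-version: '1.25.11'` with `go-version-file: go.mod` so the workflow follows the `go 1.25.11` directive this patch sets in `go.mod`, leaving only `go.mod` and the `Dockerfile` base image to keep in sync.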
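Review bot: in the `@@ -63,8 +63,23 @@` hunk of `.github/workflows/go.yml`, the new `govulncheck` job sets `cache: true` on its `setup-go` step while the lint, test and build jobs in the same file do not, so either the other jobs are missing the module cache or this one is carrying a redundant input; pick one and apply it consistently. The version pin `golang.org/x/vuln/cmd/govulncheck@v1.1.4` is good, but note in a comment that the vulnerability database is fetched at run time, so a pinned tool version does not freeze the findings.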
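Review bot: the `CHANGELOG.md` hunk describes the new job as "symbol-level vulnerability scanning on pull requests", while the `.claude/CLAUDE.md` and `AGENTS.md` hunks say `govulncheck` runs "on every push and PR"; these should state the same trigger. The `### Changed` entry also says the bump addresses "reachable stdlib vulnerabilities reported by `govulncheck`" without naming them; listing the report identifiers (the `GO-YYYY-NNNN` entries, placeholder form here) makes the entry auditable later.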
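Review bot: the `Dockerfile` hunk changes `FROM golang:1.25.9 AS builder` to `FROM golang:1.25.11 AS builder`, which is a mutable tag; for a reproducible builder image, pin it by digest as well (`FROM golang:1.25.11@sha256:<digest> AS builder`, digest to be taken from the registry when merging), otherwise the image the CI build uses can change underneath the version string this patch claims.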
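Review bot: the `.claude/CLAUDE.md` and `AGENTS.md` hunks are byte-identical edits to two copies of the same text (`### Prerequisites` and `### CI workflows`); keeping both current by hand is a drift risk, so consider having one file reference the other, or add a check that they stay in sync.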