From cb0362ec6ab83fe097059a473a13f6dcd1487072 Mon Sep 17 00:00:00 2001 From: Giulio Calzolari Date: Thu, 2 Jul 2026 09:37:01 +0200 Subject: [PATCH 1/3] ci(go): add govulncheck and bump Go to 1.25.11 Run govulncheck in the Go workflow on every PR and upgrade the toolchain to Go 1.25.11 to clear reachable stdlib vulnerabilities. Signed-off-by: Giulio Calzolari --- .claude/CLAUDE.md | 4 ++-- .github/workflows/go.yml | 21 ++++++++++++++++++--- AGENTS.md | 4 ++-- CHANGELOG.md | 6 ++++++ Dockerfile | 2 +- go.mod | 2 +- 6 files changed, 30 insertions(+), 9 deletions(-) diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index b1579ca3..f8e8e375 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -62,7 +62,7 @@ These structures propagate across every provider and engine. Changing them in a ### Prerequisites -- **Go 1.25.9** (see `go.mod`) — newer minor versions are fine; older will not build +- **Go 1.25.11** (see `go.mod`) — newer minor versions are fine; older will not build - **make** - **golangci-lint** — `brew install golangci-lint` or via `go install` - **helm 3.10+ or 4.x** — required for `make chart-test`; the `helm-unittest` plugin is installed automatically by the target (`brew install helm`). CI pins helm `v4.1.1` in `.github/workflows/chart-test.yaml`. @@ -105,7 +105,7 @@ Coverage checks run on pull requests. A drop below target with no matching uplif ### CI workflows -- `.github/workflows/go.yml` — build, test, and lint on every push and PR +- `.github/workflows/go.yml` — build, test, lint, and `govulncheck` on every push and PR - `.github/workflows/chart-test.yaml` — Helm chart lint + helm-unittest suites (`make chart-test`) on every push and PR - `.github/workflows/docker.yml` — container image build (manual trigger) - `.github/workflows/helm-release.yaml` — Helm chart release (manual trigger) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index fd5d6039..cd3b4298 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml 
@@ -17,7 +17,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v6 with: - go-version: '1.25.9' + go-version: '1.25.11' - name: Lint uses: golangci/golangci-lint-action@v9 @@ -42,7 +42,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v6 with: - go-version: '1.25.9' + go-version: '1.25.11' - name: Test run: go test -v -coverpkg=./... -coverprofile=coverage.out -covermode=atomic ./... @@ -63,8 +63,23 @@ jobs: - name: Set up Go uses: actions/setup-go@v6 with: - go-version: '1.25.9' + go-version: '1.25.11' - name: Build run: | make build + + govulncheck: + runs-on: linux-amd64-cpu8 + timeout-minutes: 15 + steps: + - uses: actions/checkout@v5 + + - name: Set up Go + uses: actions/setup-go@v6 + with: + go-version: '1.25.11' + cache: true + + - name: Run govulncheck + run: go run golang.org/x/vuln/cmd/govulncheck@latest ./... diff --git a/AGENTS.md b/AGENTS.md index 52f75349..a830232a 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -62,7 +62,7 @@ These structures propagate across every provider and engine. Changing them in a ### Prerequisites -- **Go 1.25.9** (see `go.mod`) — newer minor versions are fine; older will not build +- **Go 1.25.11** (see `go.mod`) — newer minor versions are fine; older will not build - **make** - **golangci-lint** — `brew install golangci-lint` or via `go install` - **helm 3.10+ or 4.x** — required for `make chart-test`; the `helm-unittest` plugin is installed automatically by the target (`brew install helm`). CI pins helm `v4.1.1` in `.github/workflows/chart-test.yaml`. 
@@ -105,7 +105,7 @@ Coverage checks run on pull requests. A drop below target with no matching uplif ### CI workflows -- `.github/workflows/go.yml` — build, test, and lint on every push and PR +- `.github/workflows/go.yml` — build, test, lint, and `govulncheck` on every push and PR - `.github/workflows/chart-test.yaml` — Helm chart lint + helm-unittest suites (`make chart-test`) on every push and PR - `.github/workflows/docker.yml` — container image build (manual trigger) - `.github/workflows/helm-release.yaml` — Helm chart release (manual trigger) diff --git a/CHANGELOG.md b/CHANGELOG.md index eb77f27f..c4e24302 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ### Added +- `govulncheck` job in the Go CI workflow for symbol-level vulnerability scanning on pull requests. + +### Changed + +- Go toolchain bumped to **1.25.11** (`go.mod`, `Dockerfile`, CI) to address reachable stdlib vulnerabilities reported by `govulncheck`. + - OCI labels missing from `docker/metadata-action` on the Topograph container image: `org.opencontainers.image.documentation`, `authors`, and `vendor` ([#377](https://github.com/NVIDIA/topograph/pull/377)). - Helm chart metadata: `home`, `icon`, `maintainers`, `keywords`, and Artifact Hub annotations ([#377](https://github.com/NVIDIA/topograph/pull/377)). diff --git a/Dockerfile b/Dockerfile index 3ababc9b..d0c7927b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.25.9 AS builder +FROM golang:1.25.11 AS builder WORKDIR /go/src/github.com/NVIDIA/topograph COPY . . diff --git a/go.mod b/go.mod index 3102c211..d9d1f00e 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/NVIDIA/topograph -go 1.25.9 +go 1.25.11 require ( cloud.google.com/go/compute v1.60.0 From f952f27e9ed9d5aac4c69c20c075bccf58945a6a Mon Sep 17 00:00:00 2001 
From: Giulio Calzolari <9049490+giuliocalzo@users.noreply.github.com> Date: Thu, 2 Jul 2026 09:40:28 +0200 Subject: [PATCH 2/3] Update .github/workflows/go.yml Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> Signed-off-by: Giulio Calzolari <9049490+giuliocalzo@users.noreply.github.com> --- .github/workflows/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index cd3b4298..e806a019 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -82,4 +82,4 @@ jobs: cache: true - name: Run govulncheck - run: go run golang.org/x/vuln/cmd/govulncheck@latest ./... + run: go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./... From c6311b48413890134c797f16adfd0fe8f1cfb3f7 Mon Sep 17 00:00:00 2001 From: Giulio Calzolari Date: Thu, 2 Jul 2026 09:41:38 +0200 Subject: [PATCH 3/3] fix(ci): address Greptile review on CHANGELOG and govulncheck pin Keep PR #377 OCI/Helm entries under Added and pin govulncheck to v1.1.4 for reproducible CI scans. Signed-off-by: Giulio Calzolari --- CHANGELOG.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c4e24302..2a7c1698 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,14 +9,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). ### Added - `govulncheck` job in the Go CI workflow for symbol-level vulnerability scanning on pull requests. +- OCI labels missing from `docker/metadata-action` on the Topograph container image: `org.opencontainers.image.documentation`, `authors`, and `vendor` ([#377](https://github.com/NVIDIA/topograph/pull/377)). +- Helm chart metadata: `home`, `icon`, `maintainers`, `keywords`, and Artifact Hub annotations ([#377](https://github.com/NVIDIA/topograph/pull/377)). ### Changed - Go toolchain bumped to **1.25.11** (`go.mod`, `Dockerfile`, CI) to address reachable stdlib vulnerabilities reported by `govulncheck`. -- OCI labels missing from `docker/metadata-action` on the Topograph container image: `org.opencontainers.image.documentation`, `authors`, and `vendor` ([#377](https://github.com/NVIDIA/topograph/pull/377)). -- Helm chart metadata: `home`, `icon`, `maintainers`, `keywords`, and Artifact Hub annotations ([#377](https://github.com/NVIDIA/topograph/pull/377)). - ### Fixed - Helm node-observer now targets the rendered Topograph Service fullname in `generateTopologyUrl`.
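Review bot: the new `govulncheck` job in PATCH 1/3 runs `go run golang.org/x/vuln/cmd/govulncheck@latest ./...`, so each PR resolves and executes whatever the newest tag is at that moment; the scan is not reproducible and a tool regression surfaces as a CI failure unrelated to the change under review. Pin it to a tagged version (PATCH 2/3 in this series does so with `@v1.1.4`) and bump it deliberately. The same hunk also repeats `go-version: '1.25.11'` four times across the workflow; `actions/setup-go` accepts `go-version-file: go.mod`, which would make `go.mod` the single source of truth and remove four of the places this bump had to be copied to.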
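Review bot: in the PATCH 1/3 `CHANGELOG.md` hunk the inserted `### Changed` heading lands between the new `govulncheck` entry and the two pre-existing PR #377 entries (`OCI labels missing from ...` and `Helm chart metadata: ...`), so those two items silently move from Added to Changed although they describe things being added. Either insert `### Changed` after the last existing Added entry or move the #377 lines back above it; PATCH 3/3 does the latter, so squashing that fix into this commit would keep the history clean.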
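Review bot: `FROM golang:1.25.11 AS builder` in the Dockerfile hunk pins by tag only, and a tag is mutable: the image behind it can be re-pushed without the Dockerfile changing. For a reproducible builder stage pin the digest as well (`golang:1.25.11@sha256:<digest from the registry>`, placeholder shown) and let a dependency bot bump tag and digest together; the plain tag is then human-readable context rather than the thing that fixes the build input.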
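Review bot: the hunks against `.claude/CLAUDE.md` and `AGENTS.md` are identical, which means the same prerequisites and CI-workflow text lives in two files and has to be edited on every toolchain bump; making one a symlink or include of the other would stop them drifting. The retained line `older will not build` is also stronger than what Go does: since Go 1.21, when `go.mod` requires a newer toolchain and `GOTOOLCHAIN` is at its default `auto`, the `go` command downloads and runs the required toolchain instead of failing, so wording such as `older toolchains download 1.25.11 automatically unless GOTOOLCHAIN=local` would be accurate.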
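Review bot: the PATCH 2/3 pin to `@v1.1.4` fixes the tool version but not the data: govulncheck fetches the vulnerability database from vuln.go.dev at run time, so an unchanged PR can start failing the moment a new advisory is published against a reachable dependency or stdlib symbol. That is the behaviour you want from a scanner, but it deserves a comment on the `run:` line so the next person debugging a red check knows the code did not change, and the pin needs an owner: Dependabot updates `uses:` references in workflows, not `go run module@version` commands.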
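Review bot: the PATCH 3/3 commit message says this commit pins `govulncheck` to v1.1.4, but the diff touches only `CHANGELOG.md`; the pin is the whole of PATCH 2/3. Reword the subject and body to cover just the CHANGELOG reorder (or squash 2/3 into this commit so the message is true), otherwise `git log -- .github/workflows/go.yml` and `git log --grep govulncheck` disagree about where the pin landed.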