
fix(security): build harbor-cli with Go 1.26.3 #17

Merged: chengjingtao merged 3 commits into AlaudaDevops:alauda-v0.0.18 from dancer430:fix/go-1.26.3-stdlib-cves on May 22, 2026

Conversation

dancer430 commented May 21, 2026

Summary

  • Bump the root Go directive from 1.26.2 to 1.26.3 so Dagger release builds use golang:1.26.3-alpine for all harbor-cli artifacts.
  • Keep .dagger/go.mod on Go 1.26.2 because Dagger v0.20.8 codegen currently rejects Go 1.26.3 in the Dagger module (highest supported version is 1.26.2). The release build still reads the root go.mod, so the released binaries are built with Go 1.26.3.
  • Replace reflect.Ptr with reflect.Pointer to satisfy the Go 1.26.3 govet/golangci-lint checks. This is a compatibility cleanup required after the Go toolchain bump, not part of the vulnerability fix itself; the two names represent the same reflect.Kind value.

Why

The v0.0.18-alauda-8 release binaries are built with Go 1.26.2. Trivy reports fixed Go stdlib CVEs requiring Go 1.26.3.

Verification

  • PR GitHub Actions passed: lint, test-code, vulnerability-check.
  • GOTOOLCHAIN=auto go test ./...
  • GOTOOLCHAIN=go1.26.3 go vet ./...
  • GOTOOLCHAIN=go1.26.3 go run golang.org/x/vuln/cmd/govulncheck@latest ./...
  • Built and released a fork verification artifact from the same commit: https://github.com/dancer430/harbor-cli/releases/tag/v0.0.18-alauda-9
  • Verified harbor-cli_0.0.18-alauda-9_linux_amd64.tar.gz: go version -m reports go1.26.3.
  • Trivy scan against the linux/amd64 binary packaged into a scratch image reports no fixed vulnerabilities: [].
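The "go version -m reports go1.26.3" step above is a release gate that is easy to automate. The following is an added example, not code from this PR or from harbor-cli: it reads the build info embedded in a Go binary with the standard library's debug/buildinfo package and compares the toolchain stamp against a required minimum using go/version; the tool name gocheck and the default minimum are assumptions for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
)

// meetsMinimum reports whether goVersion (the toolchain string that
// `go version -m` prints, e.g. "go1.26.3") is at least minimum.
// Both strings must be valid Go version identifiers with the "go" prefix.
func meetsMinimum(goVersion, minimum string) (bool, error) {
	if !version.IsValid(goVersion) || !version.IsValid(minimum) {
		return false, fmt.Errorf("invalid Go version string: %q vs %q", goVersion, minimum)
	}
	return version.Compare(goVersion, minimum) >= 0, nil
}

// checkBinary reads the build info embedded in a Go executable on disk and
// returns the toolchain that built it and whether it meets minimum.
func checkBinary(path, minimum string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, fmt.Errorf("read build info from %s: %w", path, err)
	}
	ok, err := meetsMinimum(info.GoVersion, minimum)
	return info.GoVersion, ok, err
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary> [minimum-go-version]")
		os.Exit(2)
	}
	minimum := "go1.26.3" // assumed default: the toolchain this PR requires; override via argv[2]
	if len(os.Args) > 2 {
		minimum = os.Args[2]
	}
	built, ok, err := checkBinary(os.Args[1], minimum)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("%s: built with %s, minimum %s\n", os.Args[1], built, minimum)
	if !ok {
		os.Exit(1) // fail the release gate when the toolchain is too old
	}
}
```

This only verifies the toolchain stamp; it complements, rather than replaces, the govulncheck and Trivy runs listed above, which check whether vulnerable stdlib code is actually present or reachable.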

dancer430 (Author) commented

Validation update for this PR:

  • GitHub Actions on PR head f7992a4 all passed: lint, test-code, vulnerability-check.
  • Local checks passed: GOTOOLCHAIN=auto go test ./..., GOTOOLCHAIN=go1.26.3 go vet ./..., GOTOOLCHAIN=go1.26.3 govulncheck ./....
  • I also built a fork release from the same commit for verification: https://github.com/dancer430/harbor-cli/releases/tag/v0.0.18-alauda-9
  • Verified harbor-cli_0.0.18-alauda-9_linux_amd64.tar.gz: go version -m reports go1.26.3.
  • Trivy scan against the linux/amd64 binary packaged into a scratch image reports no fixed vulnerabilities: [].

Once this PR is reviewed and merged into alauda-v0.0.18, the upstream auto-tag workflow should produce the official v0.0.18-alauda-9 release under AlaudaDevops/harbor-cli.

@chengjingtao chengjingtao merged commit eed0017 into AlaudaDevops:alauda-v0.0.18 May 22, 2026
5 checks passed