fix(security): build harbor-cli with Go 1.26.4 #19

Merged: chengjingtao merged 1 commit into AlaudaDevops:alauda-v0.0.18 from kycheng:fix/go-1.26.4-20260610-123153 on Jun 10, 2026

Conversation

kycheng commented Jun 10, 2026

Summary

Bump the go directive in go.mod from 1.26.3 to 1.26.4. The dagger release build derives the golang:<version>-alpine builder image from this directive, so the next v0.0.18-alauda-* release will be built with Go 1.26.4.

This fixes the Go stdlib vulnerabilities reported by the redline static scan against connectors-operator-bundle:v1.11.0-rc.192.ge8c3a01 (image devops/harbor-connector-automatic-creation:v0.0.18, binary /usr/local/bin/harbor-cli):

| CVE | Severity | Package | Installed → Fixed |
|---|---|---|---|
| CVE-2026-42504 | HIGH | stdlib | 1.26.3 → 1.26.4 |
| CVE-2026-27145 | MEDIUM | stdlib | 1.26.3 → 1.26.4 |
| CVE-2026-42507 | MEDIUM | stdlib | 1.26.3 → 1.26.4 |

Same pattern as #17 (previous Go 1.26.3 security bump).

Follow-up after merge

  1. Auto-tag workflow will cut v0.0.18-alauda-11 and the release workflow will publish binaries built with Go 1.26.4.
  2. Bump HARBOR_CLI_VERSION to v0.0.18-alauda-11 in connectors-extensions (connectors-harbor/tektoncd/tasks/harbor-connector-automatic-creation/0.1/images/harbor-cli/Containerfile) and trigger /test harbor-connector-automatic-creation.

Test plan

  • go build ./... passes locally with Go 1.26.4

Bump the go directive to 1.26.4 so the dagger release build uses
golang:1.26.4-alpine, fixing Go stdlib vulnerabilities reported by
redline static scan on harbor-connector-automatic-creation:v0.0.18:

- CVE-2026-42504 (HIGH)
- CVE-2026-27145 (MEDIUM)
- CVE-2026-42507 (MEDIUM)

@codecov-commenter

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

kycheng (Author) commented Jun 10, 2026

Verification note: ran go mod tidy locally with Go 1.26.4 after bumping the go directive — it produced no diff (go.mod / go.sum unchanged, working tree clean).

This is expected: a patch-level bump of the go directive (1.26.3 → 1.26.4) does not affect module graph resolution. The stdlib CVE fix comes entirely from the build toolchain — the dagger build derives the golang:1.26.4-alpine builder image from the go directive in go.mod.

Also verified go build ./... passes with Go 1.26.4.
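The mechanism that both the PR description and the verification comment above rely on, as an added example that is not part of this PR or of the harbor-cli project: read the `go` directive out of go.mod, derive the `golang:<version>-alpine` builder tag from it, and check that the directive is at least the version the scan reports as fixed, so a reviewer can confirm before merge that the next release build will pick up the patched stdlib. Standard library only. The go.mod samples, the module path `example.com/harbor-cli` and the exact tag derivation are assumptions; the real dagger pipeline's code is not shown on the page.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ParseGoDirective returns the value of the `go` directive in go.mod text
// ("1.26.4"), ignoring trailing `//` comments. A go.mod without one is an error.
func ParseGoDirective(gomod string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		// module/require/replace lines never match "go <version>" exactly
		if fields := strings.Fields(line); len(fields) == 2 && fields[0] == "go" {
			return fields[1], nil
		}
	}
	return "", errors.New("go.mod has no go directive")
}

// BuilderImage derives the golang:<version>-alpine builder tag from the go
// directive, mirroring the derivation the PR attributes to the dagger build.
// The exact rule in the real pipeline is assumed here, not taken from its code.
func BuilderImage(goVersion string) string {
	return "golang:" + goVersion + "-alpine"
}

// CompareVersions compares dotted numeric versions ("1.26.3" vs "1.26.4") and
// returns -1, 0 or 1. Missing components count as 0, so "1.26" equals "1.26.0".
func CompareVersions(a, b string) (int, error) {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	n := len(pa)
	if len(pb) > n {
		n = len(pb)
	}
	for i := 0; i < n; i++ {
		x, err := component(pa, i)
		if err != nil {
			return 0, err
		}
		y, err := component(pb, i)
		if err != nil {
			return 0, err
		}
		if x < y {
			return -1, nil
		}
		if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

func component(parts []string, i int) (int, error) {
	if i >= len(parts) {
		return 0, nil
	}
	return strconv.Atoi(parts[i])
}

// CheckMinimumGo reports whether go.mod's go directive is at least minVersion,
// i.e. whether the image derived from it will ship the patched stdlib.
func CheckMinimumGo(gomod, minVersion string) (bool, error) {
	v, err := ParseGoDirective(gomod)
	if err != nil {
		return false, err
	}
	c, err := CompareVersions(v, minVersion)
	if err != nil {
		return false, err
	}
	return c >= 0, nil
}

// Constructed go.mod samples standing in for the state before and after the bump
// (the module path is invented; the real go.mod is not shown on the page).
const (
	goModBefore = "module example.com/harbor-cli\n\ngo 1.26.3\n"
	goModAfter  = "module example.com/harbor-cli\n\ngo 1.26.4 // bumped for the stdlib CVE fixes\n"
)

func main() {
	for _, gm := range []string{goModBefore, goModAfter} {
		v, _ := ParseGoDirective(gm)
		ok, _ := CheckMinimumGo(gm, "1.26.4")
		fmt.Printf("go %s -> %s, at least 1.26.4: %v\n", v, BuilderImage(v), ok)
	}
}
```

The comparison is numeric per component rather than lexical, so "1.26.10" correctly sorts above "1.26.9". It deliberately looks only at the `go` directive, because that is the line the PR says the builder image is derived from; a `toolchain` directive, if one were present, would not change the image tag and is therefore not consulted.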

kycheng (Author) commented Jun 10, 2026

/ready

@chengjingtao chengjingtao merged commit 199b385 into AlaudaDevops:alauda-v0.0.18 Jun 10, 2026
5 checks passed