From 3f12f658771eb73d55788be273975b1e3782a221 Mon Sep 17 00:00:00 2001
From: l-qing <9499086+l-qing@users.noreply.github.com>
Date: Sun, 7 Jun 2026 16:38:08 +0000
Subject: [PATCH 1/2] chore(go): bump go directive to 1.26.4 to rebuild with
 fixed Go stdlib

Rebuild released binaries with Go 1.26.4 to clear stdlib CVE-2026-42504,
CVE-2026-27145 and CVE-2026-42507. The Alauda release workflow resolves the
toolchain via setup-go go-version-file: go.mod, so bumping this directive is
sufficient for the next -alauda-N release to build on Go 1.26.4.

Consumed downstream by AlaudaDevops/catalog helm v4.1 image (tag v4.1.5-alauda-2).
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index a83f0e3f140..bce6f956f32 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module helm.sh/helm/v4
 
-go 1.26.3
+go 1.26.4
 
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24

From a4ea0dd038262f5a122a66952cf6a02ab711caff Mon Sep 17 00:00:00 2001
From: l-qing <ilyasaiman357@gmail.com>
Date: Sun, 7 Jun 2026 16:53:16 +0000
Subject: [PATCH 2/2] ci: bump Go to 1.26.4 to match go.mod toolchain
 requirement

---
 .github/env | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/env b/.github/env
index 10bbf3e9cf4..5ec39595ffd 100644
--- a/.github/env
+++ b/.github/env
@@ -1,2 +1,2 @@
-GOLANG_VERSION=1.26.3
+GOLANG_VERSION=1.26.4
 GOLANGCI_LINT_VERSION=v2.11.2