From 858dc8cc046e31de791b7a98921bcf4b1c29bcb7 Mon Sep 17 00:00:00 2001 From: qingliu Date: Sun, 7 Jun 2026 16:41:00 +0000 Subject: [PATCH 1/2] fix(deps): bump Go to 1.26.4 to fix stdlib CVEs Build with Go 1.26.4 to fix: - CVE-2026-42504 (HIGH) in Go stdlib - CVE-2026-27145 (MEDIUM) in Go stdlib - CVE-2026-42507 (MEDIUM) in Go stdlib containerd is already at v1.7.32 (CVE-2026-46680 already fixed). The helm-self CVE-2026-35206 is intentionally out of scope (ignored downstream in catalog). Go version mechanism: go-version-file: go.mod (reusable-release-alauda.yaml) --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index ba1daf37b77..31a96ebba5d 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module helm.sh/helm/v3 -go 1.26.3 +go 1.26.4 require ( github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 From dfd54720e3898ddd5daec7bfae7ed85a18367fd1 Mon Sep 17 00:00:00 2001 From: l-qing Date: Sun, 7 Jun 2026 16:53:21 +0000 Subject: [PATCH 2/2] ci: bump Go to 1.26.4 to match go.mod toolchain requirement --- .github/env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/env b/.github/env index 27ae3be18f5..dc88fb42100 100644 --- a/.github/env +++ b/.github/env @@ -1,2 +1,2 @@ -GOLANG_VERSION=1.26.3 +GOLANG_VERSION=1.26.4 GOLANGCI_LINT_VERSION=v1.64.8
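Review bot: In the go.mod hunk of [PATCH 1/2], `go 1.26.4` raises the minimum Go version for every importer of `helm.sh/helm/v3`, while the commit message only asks to build with 1.26.4. If the aim is to pin the release toolchain, consider keeping the `go` line at the language floor and adding a `toolchain go1.26.4` line, after confirming that the `go-version-file: go.mod` step in reusable-release-alauda.yaml honours it. The message also lists three stdlib CVEs without saying how the fix was verified; a scanner run against the rebuilt binary, noted in the commit, would make that checkable.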
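Review bot: In the .github/env hunk of [PATCH 2/2], `GOLANG_VERSION=1.26.4` is a second hand-maintained copy of the version already set in go.mod, and this follow-up commit exists only because the first one left the two out of sync. Squash it into [PATCH 1/2] so no commit in history has CI on 1.26.3 against a go.mod that requires 1.26.4, and either derive `GOLANG_VERSION` from go.mod or add a CI check that fails when the two values differ.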