From b2ef699fb65a8b85717fe38d8ddfefd1297e3e6e Mon Sep 17 00:00:00 2001 From: l-qing <9499086+l-qing@users.noreply.github.com> Date: Sun, 7 Jun 2026 16:30:01 +0000 Subject: [PATCH 1/3] chore(go): bump go directive to 1.26.4 to rebuild with fixed Go stdlib Rebuild released binaries with Go 1.26.4 to clear stdlib CVE-2026-42504, CVE-2026-27145 and CVE-2026-42507. The Alauda release workflow resolves the toolchain via setup-go go-version-file: go.mod, so bumping this directive is sufficient for the next -alauda-N release to build on Go 1.26.4. --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 0dd969051..6ffd64fca 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module oras.land/oras -go 1.26.3 +go 1.26.4 require ( github.com/Masterminds/sprig/v3 v3.3.0 From 193b82c051809df9003e7dc851ad0dc5bf6460cc Mon Sep 17 00:00:00 2001 From: qingliu Date: Sun, 7 Jun 2026 16:52:44 +0000 Subject: [PATCH 2/3] ci: bump Go to 1.26.4 to match go.mod toolchain requirement --- .github/workflows/build-alauda.yml | 2 +- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/golangci-lint.yml | 2 +- .github/workflows/release-github.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-alauda.yml b/.github/workflows/build-alauda.yml index 6068cb943..69a48539d 100644 --- a/.github/workflows/build-alauda.yml +++ b/.github/workflows/build-alauda.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: ['1.26.3'] + go-version: ['1.26.4'] fail-fast: true steps: - name: Checkout diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 603c054b2..97e682fc9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: ['1.26.3'] + go-version: ['1.26.4'] fail-fast: true steps: - name: Checkout diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 518f582af..529667379 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -35,7 +35,7 @@ jobs: security-events: write strategy: matrix: - go-version: ['1.26.3'] + go-version: ['1.26.4'] fail-fast: false steps: - name: Checkout repository diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 8bd9fcd7c..7a23310e6 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: ['1.26.3'] + go-version: ['1.26.4'] fail-fast: true steps: - name: Checkout diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index c51e00146..3031c2105 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml @@ -29,7 +29,7 @@ jobs: - name: setup go environment uses: actions/setup-go@v5 with: - go-version: '1.26.3' + go-version: '1.26.4' - name: run goreleaser uses: goreleaser/goreleaser-action@v6 with: From ac534be55619a675d2f2ca8dafa4fb94897146ac Mon Sep 17 00:00:00 2001 From: qingliu Date: Sun, 7 Jun 2026 17:10:15 +0000 Subject: [PATCH 3/3] chore(go): bump e2e workspace and module to Go 1.26.4 Align test/e2e go.work and go.mod with the root module so the GOTOOLCHAIN=local e2e build no longer fails with "go.work lists go 1.26.3" against a root module requiring 1.26.4. --- test/e2e/go.mod | 2 +- test/e2e/go.work | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 20142efa5..cab255611 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -1,6 +1,6 @@ module oras.land/oras/test/e2e -go 1.26.3 +go 1.26.4 require ( github.com/onsi/ginkgo/v2 v2.25.2 diff --git a/test/e2e/go.work b/test/e2e/go.work index edff9a05a..23b749405 100644 --- a/test/e2e/go.work +++ b/test/e2e/go.work @@ -1,4 +1,4 @@ -go 1.26.3 +go 1.26.4 use ( .