chore(deps): bump Go and in-toto dependencies #161

Merged
l-qing merged 1 commit into alauda-v0.41.1 from chore/run-skills/alauda-v0.41.1 on May 9, 2026

Conversation

@l-qing l-qing commented May 9, 2026

Summary

Auto-generated by tektoncd-run-skills.sh. Every skill below ran in
changes-only mode and all modifications were combined into a single commit
on top of origin/alauda-v0.41.1.

Commit message

chore(deps): bump Go and in-toto dependencies

  • bump Go version to 1.26.3 in main and tools modules
  • upgrade github.com/in-toto/in-toto-golang to v0.11.0
  • refresh go.sum and vendored in-toto sources for compatibility

Skills executed (in order)

  • devops-refresh-containerfile-digests — changed (49s)
  • devops-sync-alauda-github-releases — changed (55s)
  • devops-upgrade-go — changed (324s)
  • devops-fix-go-vulns — changed (223s)

Changed files

 contrib/tkn-image/Dockerfile                       |  2 +-
 go.mod                                             |  4 +-
 go.sum                                             |  4 +-
 tools/go.mod                                       |  2 +-
 .../in-toto/in-toto-golang/in_toto/attestations.go |  2 +-
 .../in-toto/in-toto-golang/in_toto/keylib.go       |  6 +-
 .../in-toto/in-toto-golang/in_toto/match.go        |  8 ++-
 .../in-toto/in-toto-golang/in_toto/model.go        | 10 ++-
 .../in-toto/in-toto-golang/in_toto/runlib.go       |  4 +-
 .../in_toto/slsa_provenance/common/common.go       |  2 +-
 .../in_toto/slsa_provenance/v0.1/provenance.go     |  4 +-
 .../in_toto/slsa_provenance/v0.2/provenance.go     |  4 +-
 .../in_toto/slsa_provenance/v1/provenance.go       |  4 +-
 .../in-toto/in-toto-golang/in_toto/verifylib.go    | 82 ++++++++++++++++------
 vendor/modules.txt                                 |  4 +-
 15 files changed, 98 insertions(+), 44 deletions(-)

Test plan

  • CI on alauda-v0.41.1 passes
  • Spot-check each skill section against its standalone behaviour
  • If vulnerabilities were fixed, confirm trivy re-scan shows 0 fixable

@alaudabot alaudabot left a comment

Review Summary

This PR bumps Go version to 1.26.3 (including security fixes) and upgrades in-toto-golang to v0.11.0. The changes are primarily dependency updates with vendored source refresh.

Critical Issues: 0
Warnings: 1 (see inline comment)
Suggestions: 0

The Go upgrade includes 11 security fixes. The in-toto-golang upgrade includes type safety improvements. See inline comment for a breaking change to note.

// format is defined by builder.id; by default it is treated as opaque and
// case-sensitive. The value SHOULD be globally unique.
InvocationID string `json:"invocationID,omitempty"`
InvocationID string `json:"invocationId,omitempty"`
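Review bot: the tag change on `InvocationID` (`invocationID` to `invocationId`) is a wire-format rename, but the commit message describes the vendored refresh only as "for compatibility"; the rename should be named in the PR description so downstream consumers of this project's attestations can check their parsers. Whether a consumer breaks depends on that parser: Go's encoding/json matches object keys case-insensitively on Unmarshal, so Go code decoding into this struct still reads documents carrying the old spelling, whereas exact key lookups (map-based checks, JSON-path policies, non-Go parsers) will see the field as missing. The new spelling matches the `invocationId` name used in the SLSA v1 provenance schema, so emitted provenance becomes spec-conformant.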

Warning (breaking-change): The JSON field name changed from invocationID to invocationId (camelCase). This is a breaking change in SLSA provenance v1 JSON serialization. If this project generates SLSA attestations, consumers expecting the old field name will fail to parse. Please verify this change is compatible with your SLSA verification pipeline.
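To check the warning above against a real parser, here is an added Go example; it is not code from the PR or from in-toto-golang. It uses a hypothetical stand-in struct (`metadataNew`) carrying only the post-upgrade `json:"invocationId,omitempty"` tag and a constructed old-style document, and shows three things: the key the upgraded struct now emits, that Go's case-insensitive encoding/json still decodes the old spelling into the field, and that an exact key lookup (the kind a policy check or a non-Go consumer would do) does see the rename.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// metadataNew is a hypothetical stand-in for the vendored provenance metadata
// struct after the upgrade (added example code, not the in-toto-golang source).
// Only the renamed field is modelled; the tag is the new camelCase spelling.
type metadataNew struct {
	InvocationID string `json:"invocationId,omitempty"`
}

// oldDoc is a constructed sample of what a pre-upgrade producer emitted:
// the same field under the old "invocationID" key.
const oldDoc = `{"invocationID":"run-12345"}`

// NewKeyName marshals the upgraded struct and returns the single JSON key it
// emits, i.e. the spelling downstream consumers will now receive.
func NewKeyName() (string, error) {
	b, err := json.Marshal(metadataNew{InvocationID: "x"})
	if err != nil {
		return "", err
	}
	var m map[string]json.RawMessage
	if err := json.Unmarshal(b, &m); err != nil {
		return "", err
	}
	if len(m) != 1 {
		return "", fmt.Errorf("expected exactly one key, got %d", len(m))
	}
	for k := range m {
		return k, nil
	}
	return "", fmt.Errorf("unreachable")
}

// LenientDecode feeds a document to a Go consumer built against the new
// struct. encoding/json matches object keys case-insensitively on Unmarshal,
// so a document with the old "invocationID" key still populates the field.
func LenientDecode(doc string) (string, error) {
	var m metadataNew
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return "", err
	}
	return m.InvocationID, nil
}

// StrictLookup models a consumer that looks for an exact key (a map-based
// policy check, a JSON-path rule, or a parser in another language). Here the
// rename is visible: the old key is absent from new documents and vice versa.
func StrictLookup(doc, key string) (string, bool) {
	var m map[string]string
	if err := json.Unmarshal([]byte(doc), &m); err != nil {
		return "", false
	}
	v, ok := m[key]
	return v, ok
}

func main() {
	k, err := NewKeyName()
	fmt.Println("key emitted by the upgraded struct:", k, err)

	v, err := LenientDecode(oldDoc)
	fmt.Println("Go consumer decoding an old-style document:", v, err)

	_, ok := StrictLookup(oldDoc, "invocationId")
	fmt.Println("exact lookup of invocationId in an old-style document:", ok)

	newDoc, _ := json.Marshal(metadataNew{InvocationID: "run-12345"})
	_, ok = StrictLookup(string(newDoc), "invocationID")
	fmt.Println("exact lookup of invocationID in a new-style document:", ok)
}
```

The practical reading for a verification pipeline: Go consumers that unmarshal into the struct are unaffected in either direction, while anything that keys on the literal field name must be updated to `invocationId` (or accept both during the transition).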

@alaudabot

Summary

This PR bumps Go version to 1.26.3 (including security fixes) and upgrades in-toto-golang to v0.11.0. The changes are primarily dependency updates with vendored source refresh. The Go upgrade includes 11 security fixes. The in-toto-golang upgrade includes type safety improvements and a JSON field naming change.

Review Statistics

Category          Count
Critical Issues   0
Warnings          1
Suggestions       0
Files Reviewed    15

Critical Issues

No critical issues found.

Warnings

  • [vendor/github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1/provenance.go:176] (breaking-change): The JSON field name changed from invocationID to invocationId (camelCase). This is a breaking change in SLSA provenance v1 JSON serialization. If this project generates SLSA attestations, consumers expecting the old field name will fail to parse. Verify this change is compatible with your SLSA verification pipeline.

Suggestions

No suggestions.

Positive Feedback

  • Go 1.26.3 includes important security fixes (CVE-2026-27142 XSS, cmd/go checksum bypass, net/http issues). Upgrading is recommended.
  • The in-toto-golang upgrade includes improved type safety with proper type assertion checks (ok pattern), reducing potential runtime panics.
  • The vendor code includes documentation fixes (typos corrected: "speficic" → "specific", "metatadata" → "metadata", etc.).
  • Changes follow standard dependency update practices with appropriate module version bumps.

@alaudabot

🤖 AI Code Review

Property             Value
Model                opencode/minimax-m2.5-free
Style                strict
Issues Found         0
Config Source        centralized
Profile              ❌ Not Found
Personalized Prompt  ❌ No
Prompt Path          .github/review/profiles/alaudadevops/tektoncd-cli/pr-review.md
Alauda Skills        ✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at          2026-05-09 15:17:21 UTC

ℹ️ About this review

This review was automatically generated using the run-actions workflow.

  • Shared prompt: .github/prompts/code-review.md
  • Config source: centralized
  • Profile path: Not Found
  • Profile ref: 4a9568cdd56fea5ff37c463d60c67e04c765f13f
  • No repository-specific prompt configured
  • Alauda skills: base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-alauda-pipeline, builders-component-knowledge, builders-confluence, builders-jira, builders-notify-wecom, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-creating-tekton-pipelines, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-jira-rfd-acceptance, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-pipeline-delivery, devops-tekton-task-delivery, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade

@l-qing l-qing merged commit 43cd4f0 into alauda-v0.41.1 May 9, 2026
2 checks passed
@l-qing l-qing deleted the chore/run-skills/alauda-v0.41.1 branch May 9, 2026 15:23