From 48e1efece78dddd7376e68d1f317dc04b434220a Mon Sep 17 00:00:00 2001 From: rcourtman Date: Sun, 14 Jun 2026 18:22:26 +0100 Subject: [PATCH] Use patched Go toolchain for v6 release --- Dockerfile | 2 +- deploy/provider-msp/Dockerfile.control-plane | 2 +- .../internal/subsystems/deployment-installability.md | 10 ++++++++++ go.mod | 2 +- scripts/.go-version | 2 +- scripts/build-release.sh | 2 +- scripts/install-go-toolchain.sh | 2 +- scripts/installtests/build_release_assets_test.go | 4 ++-- scripts/installtests/provider_msp_deploy_test.go | 2 +- 9 files changed, 19 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 01a1bf2da..85a70ac1b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,7 +25,7 @@ RUN --mount=type=cache,id=pulse-npm-cache,target=/root/.npm \ # Build stage for Go backend # Force amd64 platform - Go cross-compiles for all targets anyway, # and this avoids slow QEMU emulation during multi-arch builds -FROM --platform=linux/amd64 golang:1.25.9-alpine@sha256:5caaf1cca9dc351e13deafbc3879fd4754801acba8653fa9540cea125d01a71f AS backend-builder +FROM --platform=linux/amd64 golang:1.25.11-alpine@sha256:8d95af53d0d58e1759ddb4028285d9b1239067e4fbf4f544618cad0f60fbc354 AS backend-builder ARG BUILD_AGENT ARG VERSION diff --git a/deploy/provider-msp/Dockerfile.control-plane b/deploy/provider-msp/Dockerfile.control-plane index e6c2e6ca2..2577aeeb6 100644 --- a/deploy/provider-msp/Dockerfile.control-plane +++ b/deploy/provider-msp/Dockerfile.control-plane @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1.7 -FROM --platform=$BUILDPLATFORM golang:1.25.9-alpine@sha256:5caaf1cca9dc351e13deafbc3879fd4754801acba8653fa9540cea125d01a71f AS builder +FROM --platform=$BUILDPLATFORM golang:1.25.11-alpine@sha256:8d95af53d0d58e1759ddb4028285d9b1239067e4fbf4f544618cad0f60fbc354 AS builder ARG VERSION=dev ARG BUILD_TIME=unknown ARG GIT_COMMIT=unknown diff --git a/docs/release-control/v6/internal/subsystems/deployment-installability.md b/docs/release-control/v6/internal/subsystems/deployment-installability.md index 277bf01ef..bcb3362da 100644 --- a/docs/release-control/v6/internal/subsystems/deployment-installability.md +++ b/docs/release-control/v6/internal/subsystems/deployment-installability.md @@ -841,6 +841,16 @@ That same supply-chain boundary also owns the checked-in build roots themselves. `Dockerfile` must pin its Node, Go, and Alpine bases by immutable manifest-list digest so multi-arch release builds do not silently drift onto a different upstream filesystem just because a mutable tag was republished. +The governed v6 release Go patch level is part of that same boundary: +`go.mod`, `scripts/.go-version`, `scripts/install-go-toolchain.sh`, +`scripts/build-release.sh`, the Go builder stages in `Dockerfile` and +`deploy/provider-msp/Dockerfile.control-plane`, and the Pro release workflows +must stay aligned on the same patched `1.25.x` floor before a release can be +treated as shippable. When `govulncheck` reports called standard-library +vulnerabilities in the current patch level, the canonical fix is to advance the +governed release toolchain and immutable Go builder digest together, not to +suppress the scanner or produce release artifacts with an older patched-over +runtime. That same dev-runtime dependency-manifest boundary now also owns the maintained Docker engine module floor. `go.mod`, `go.sum`, and `internal/cloudcp/docker/manager.go` must route hosted runtime orchestration diff --git a/go.mod b/go.mod index 605aeb4ee..cd3c9a971 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/rcourtman/pulse-go-rewrite go 1.25.0 -toolchain go1.25.9 +toolchain go1.25.11 require ( github.com/IGLOU-EU/go-wildcard/v2 v2.1.0 diff --git a/scripts/.go-version b/scripts/.go-version index 6f9fcdf1f..90fef721d 100644 --- a/scripts/.go-version +++ b/scripts/.go-version @@ -1 +1 @@ -go1.25.9 +go1.25.11 diff --git a/scripts/build-release.sh b/scripts/build-release.sh index d2eaef976..23da3414d 100755 --- a/scripts/build-release.sh +++ b/scripts/build-release.sh @@ -19,7 +19,7 @@ if [ -x /usr/local/go/bin/go ]; then fi # Release artifacts must be built with the vetted toolchain to match security-gate evidence. -required_go="go1.25.9" +required_go="go1.25.11" current_go="$(go env GOVERSION 2>/dev/null || true)" if [[ "${PULSE_SKIP_GO_VERSION_CHECK:-false}" != "true" ]]; then if [[ "${current_go}" != "${required_go}" ]]; then diff --git a/scripts/install-go-toolchain.sh b/scripts/install-go-toolchain.sh index 233cce50a..1694d986a 100755 --- a/scripts/install-go-toolchain.sh +++ b/scripts/install-go-toolchain.sh @@ -3,7 +3,7 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" VERSION_FILE="${SCRIPT_DIR}/.go-version" -DEFAULT_VERSION="go1.25.9" +DEFAULT_VERSION="go1.25.11" TARGET_ROOT="/opt/toolchains/go" DOWNLOAD_ROOT="https://dl.google.com/go" GOPATH_DIR="/var/lib/pulse/go" diff --git a/scripts/installtests/build_release_assets_test.go b/scripts/installtests/build_release_assets_test.go index 6086ea1f0..5e36ccfe3 100644 --- a/scripts/installtests/build_release_assets_test.go +++ b/scripts/installtests/build_release_assets_test.go @@ -444,7 +444,7 @@ func TestDockerAndDemoBuildsUseCanonicalReleaseLdflags(t *testing.T) { dockerfile := string(dockerfileBytes) dockerRequired := []string{ `FROM --platform=linux/amd64 node:20-alpine@sha256:fb4cd12c85ee03686f6af5362a0b0d56d50c58a04632e6c0fb8363f609372293 AS frontend-builder`, - `FROM --platform=linux/amd64 golang:1.25.9-alpine@sha256:5caaf1cca9dc351e13deafbc3879fd4754801acba8653fa9540cea125d01a71f AS backend-builder`, + `FROM --platform=linux/amd64 golang:1.25.11-alpine@sha256:8d95af53d0d58e1759ddb4028285d9b1239067e4fbf4f544618cad0f60fbc354 AS backend-builder`, `FROM backend-builder AS release-assets-builder`, `FROM alpine:3.20@sha256:d9e853e87e55526f6b2917df91a2115c36dd7c696a35be12163d44e6e2a4b6bc AS agent_runtime`, `FROM alpine:3.20@sha256:d9e853e87e55526f6b2917df91a2115c36dd7c696a35be12163d44e6e2a4b6bc AS pulse-runtime-base`, @@ -486,7 +486,7 @@ func TestDockerAndDemoBuildsUseCanonicalReleaseLdflags(t *testing.T) { t.Fatalf("hosted_runtime target must not depend on installer rendering or embedded agent artifacts:\n%s", hostedStage) } if strings.Contains(dockerfile, `FROM --platform=linux/amd64 node:20-alpine AS frontend-builder`) || - strings.Contains(dockerfile, `FROM --platform=linux/amd64 golang:1.25.9-alpine AS backend-builder`) || + strings.Contains(dockerfile, `FROM --platform=linux/amd64 golang:1.25.11-alpine AS backend-builder`) || strings.Contains(dockerfile, `FROM alpine:3.20 AS agent_runtime`) || strings.Contains(dockerfile, `FROM alpine:3.20 AS pulse-runtime-base`) { t.Fatal("Dockerfile base images must be pinned by immutable @sha256 digests") diff --git a/scripts/installtests/provider_msp_deploy_test.go b/scripts/installtests/provider_msp_deploy_test.go index 9e761cdcb..6b6b74054 100644 --- a/scripts/installtests/provider_msp_deploy_test.go +++ b/scripts/installtests/provider_msp_deploy_test.go @@ -266,7 +266,7 @@ func TestProviderMSPControlPlaneDockerfileBuildsReleaseLicenseBinary(t *testing. text := string(dockerfileBytes) assertContainsAll(t, text, "# syntax=docker/dockerfile:1.7", - "FROM --platform=$BUILDPLATFORM golang:1.25.9-alpine@sha256:5caaf1cca9dc351e13deafbc3879fd4754801acba8653fa9540cea125d01a71f AS builder", + "FROM --platform=$BUILDPLATFORM golang:1.25.11-alpine@sha256:8d95af53d0d58e1759ddb4028285d9b1239067e4fbf4f544618cad0f60fbc354 AS builder", "FROM alpine:3.20@sha256:d9e853e87e55526f6b2917df91a2115c36dd7c696a35be12163d44e6e2a4b6bc", "ARG PULSE_LICENSE_PUBLIC_KEY_SHA256", "ARG TARGETOS",