
Conversation


@macabu macabu commented Oct 8, 2025

I had to include #104861 so that the upgrades in the .citools wouldn't affect the core Grafana modules!

Bumping Go to 1.25.2 addresses:

Bumping golangci-lint to match the supported Go version 1.25.x

Bumping golang.org/x/net addresses:

  • CVE-2025-58190
  • CVE-2025-47911

macabu and others added 4 commits October 8, 2025 13:08
* add script for tooling

* add to make

* not to forget

* reworked go tools

* add tool installation script

* adding readme

* updating readme

* updating readme

* cleanup install.sh and makefile

* update the readme file

* cleanup scripts

* switch variables.mk to lazy evaluation

* add tools cache to gitignore

* get rid of absolute path in the Variables.mk file

* switch to reusable function for path generation

* add debug statements

* add create cache tool dir

* add debug statements to make file

* drop tool cache

* fix race condition in ci

* fix race condition in ci

* cleanup workspace

* add lefthook.rc to codeowners

* copy .citools folder to docker image

* switch back to main branch of grafana-build

* Add .citools to the drone builder

* fix wording in generate.sh and README.md

(cherry picked from commit cefd2da)
@macabu macabu requested review from MissingRoberto, briangann, dprokop, oshirohugo, owensmallwood and radiohead and removed request for a team October 8, 2025 11:20

github-actions bot commented Oct 8, 2025

😢 zizmor failed with exit code 14.

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/backend-code-checks.yml:32:9
   |
 3 | / on:
 4 | |   pull_request:
 5 | |     paths-ignore:
 6 | |       - '*.md'
...  |
15 | |       - 'docs/**'
16 | |       - 'latest.json'
   | |_____________________- generally used when publishing artifacts generated at runtime
...
32 | /         with:
33 | |           # Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
34 | |           # The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs
35 | |           # This ensures the GHAs environment matches what we use in the Drone pipeline
36 | |           go-version: 1.24.1
37 | |           cache: true
   | |_____________________^ opt-in for caching here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/go-lint.yml:23:9
   |
 2 | / on:
 3 | |   push:
 4 | |     paths:
 5 | |       - pkg/**
...  |
10 | |       - release-*.*.*
11 | |   pull_request:
   | |_______________- generally used when publishing artifacts generated at runtime
...
23 |         - uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[bot-conditions]: spoofable bot actor check
  --> ./.github/workflows/pr-dependabot-update-go-workspace.yml:20:13
   |
18 | /   update:
19 | |     runs-on: "ubuntu-latest"
20 | |     if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
   | |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
21 | |     continue-on-error: true
...  |
68 | |           git push origin "$BRANCH_NAME"
69 | |         fi
   | |___________- this job
   |
   = note: audit confidence → Medium
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:26:9
   |
 3 | / on:
 4 | |   push:
 5 | |     branches:
 6 | |       - main
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________- generally used when publishing artifacts generated at runtime
...
26 |           uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:31:9
   |
 3 | / on:
 4 | |   push:
 5 | |     branches:
 6 | |       - main
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________- generally used when publishing artifacts generated at runtime
...
31 | /         with:
32 | |           node-version-file: '.nvmrc'
33 | |           cache: 'yarn'
   | |_______________________^ opt-in for caching here
   |
   = note: audit confidence → Low

262 findings (65 ignored, 192 suppressed, 4 fixable): 0 informational, 0 low, 0 medium, 5 high


grafana-delivery-bot bot commented Oct 8, 2025

🚀 Your submission is now being built and packaged.

@macabu macabu merged commit 10648b9 into release-12.0.6 Oct 8, 2025
100 of 105 checks passed
@macabu macabu deleted the go/update-1.25.2-release-12.0.6 branch October 8, 2025 12:02

3 participants