
@macabu
Contributor

@macabu macabu commented Oct 14, 2025

From the Go team:

This release addresses breakage caused by a security patch included in Go 1.25.2
and 1.24.8, which enforced overly restrictive validation on the parsing of X.509
certificates. We've removed those restrictions while maintaining the security
fix that the initial release addressed.

@github-actions
Contributor

😢 zizmor failed with exit code 14.

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/backend-code-checks.yml:32:9
   |
 3 | / on:
 4 | |   pull_request:
 5 | |     paths-ignore:
 6 | |       - '*.md'
...  |
15 | |       - 'docs/**'
16 | |       - 'latest.json'
   | |_____________________- generally used when publishing artifacts generated at runtime
...
32 | /         with:
33 | |           # Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
34 | |           # The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs
35 | |           # This ensures the GHAs environment matches what we use in the Drone pipeline
36 | |           go-version: 1.24.1
37 | |           cache: true
   | |_____________________^ opt-in for caching here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/go-lint.yml:23:9
   |
 2 | / on:
 3 | |   push:
 4 | |     paths:
 5 | |       - pkg/**
...  |
10 | |       - release-*.*.*
11 | |   pull_request:
   | |_______________- generally used when publishing artifacts generated at runtime
...
23 |         - uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[bot-conditions]: spoofable bot actor check
  --> ./.github/workflows/pr-dependabot-update-go-workspace.yml:20:13
   |
18 | /   update:
19 | |     runs-on: "ubuntu-latest"
20 | |     if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
   | |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
21 | |     continue-on-error: true
...  |
68 | |           git push origin "$BRANCH_NAME"
69 | |         fi
   | |___________- this job
   |
   = note: audit confidence → Medium
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:26:9
   |
 3 | / on:
 4 | |   push:
 5 | |     branches:
 6 | |       - main
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________- generally used when publishing artifacts generated at runtime
...
26 |           uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:31:9
   |
 3 | / on:
 4 | |   push:
 5 | |     branches:
 6 | |       - main
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________- generally used when publishing artifacts generated at runtime
...
31 | /         with:
32 | |           node-version-file: '.nvmrc'
33 | |           cache: 'yarn'
   | |_______________________^ opt-in for caching here
   |
   = note: audit confidence → Low

275 findings (66 ignored, 204 suppressed, 4 fixable): 0 informational, 0 low, 0 medium, 5 high

@macabu macabu marked this pull request as ready for review October 14, 2025 10:17
@macabu macabu requested review from a team as code owners October 14, 2025 10:17
@macabu macabu requested review from charandas, grafakus, ivanortegaalba, mustafasencer, oshirohugo, radiohead, toddtreece and wbrowne and removed request for a team October 14, 2025 10:17
@macabu macabu merged commit 9527797 into release-11.5.10 Oct 14, 2025
98 of 101 checks passed
@macabu macabu deleted the go-update-1.25.3-release-11.5.10 branch October 14, 2025 10:21
@grafana-delivery-bot
Contributor

🚀 Your submission is now being built and packaged.
