Skip to content

chore: bump go directive and fix trivy CVEs in go.mod#74

Closed
keegancsmith wants to merge 4 commits into
mainfrom
egg-change/go-version-trivy-fixes
Closed

chore: bump go directive and fix trivy CVEs in go.mod#74
keegancsmith wants to merge 4 commits into
mainfrom
egg-change/go-version-trivy-fixes

Conversation

@keegancsmith

@keegancsmith keegancsmith commented Apr 29, 2026

Copy link
Copy Markdown
Member

This PR was generated by Sourcegraph Batch Changes.

Changes

  • Bumps the go directive:
    • To go 1.25.9 for modules currently below 1.26
    • To go 1.26.2 for modules already on 1.26.x
  • Removes any toolchain directive (toolchain selection is handled automatically)
  • Runs go mod tidy to keep go.sum consistent with the new directive
  • Fixes all CVEs reported by trivy fs go.mod by upgrading specific transitive
    dependencies to their minimum safe versions

Why

Ensures a consistent, secure Go toolchain version across all first-party
github.com/sourcegraph/* modules that are depended on by sourcegraph/sourcegraph.

Hatched by a Sourcegraph egg.

Sourcegraph Egg and others added 4 commits April 29, 2026 08:35
chore: bump go directive to 1.25.9/1.26.2 and fix trivy CVEs
1b5fe7b
@keegancsmith @ampagent
fix/ci: teach GitHub Actions to follow the module Go version
672b26a 
The pipeline was still pinned to Go 1.19, so it failed before the build could start once go.mod moved to 1.25.9. Reading the toolchain version from go.mod keeps CI aligned with the repo's declared Go version and avoids another manual workflow edit the next time the module is bumped.

While touching the workflows, refresh the checkout action in both jobs so the CI config is no longer stuck on older action majors.

Test Plan: go build -v ./...; go test -v -race -coverprofile=coverage.out -covermode=atomic ./...

Amp-Thread-ID: https://ampcode.com/threads/T-019dd883-c22a-73ae-ad9f-4a3031991905
Co-authored-by: Amp <amp@ampcode.com>
@keegancsmith @ampagent
fix/ci: stop triggering scip-go on workflow-only edits
2734f63 
The scip-go job uploads indexes to external Sourcegraph instances, and this repository is not configured there. Letting the workflow trigger on edits to its own YAML means routine CI maintenance can create an unrelated red check even when no Go sources changed.

Keep the workflow scoped to Go file changes so the PR only reruns the checks that matter for this branch.

Test Plan: gh pr checks 74 --watch --interval 10; previously observed local build/test parity with the pipeline via go build -v ./... and go test -v -race -coverprofile=coverage.out -covermode=atomic ./...

Amp-Thread-ID: https://ampcode.com/threads/T-019dd883-c22a-73ae-ad9f-4a3031991905
Co-authored-by: Amp <amp@ampcode.com>
@keegancsmith
Revert "fix/ci: stop triggering scip-go on workflow-only edits"
d69adff 
This reverts commit 2734f63.

We should just ignore scip-go failing for now, will fix in another PR.
@keegancsmith

keegancsmith commented Apr 29, 2026

Copy link
Copy Markdown
Member Author

#75 ended up doing this.

@keegancsmith keegancsmith deleted the egg-change/go-version-trivy-fixes branch April 29, 2026 14:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@burmudar burmudar burmudar approved these changes
@bobheadxi bobheadxi Awaiting requested review from bobheadxi

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@keegancsmith @burmudar