Skip to content

build: bump Go toolchain 1.25.11 → 1.25.12 (GO-2026-5856 security release)#483

Closed
general-lex wants to merge 1 commit into
mainfrom
claude/go1-25-12-security-bump
Closed

build: bump Go toolchain 1.25.11 → 1.25.12 (GO-2026-5856 security release)#483
general-lex wants to merge 1 commit into
mainfrom
claude/go1-25-12-security-bump

Conversation

@general-lex

Copy link
Copy Markdown
Collaborator

Summary

The sast CI gate now fails repo-wide (first observed on PR #482, but it will hit every branch and main): govulncheck flags GO-2026-5856 — the Encrypted Client Hello privacy leak in crypto/tls — as reachable from our code (any TLS use: NATS, Mongo/ES drivers, Resty, HTTP servers). It's a Go standard-library vulnerability in go1.25.11, fixed in the July 2026 go1.25.12 security release. gosec and semgrep are clean.

Same playbook as the previous bump (ci.yml documents 1.25.11 was itself a June 2026 security bump). One mechanical change across every pin (46 files):

  • go.modgo 1.25.12
  • MakefileTOOLS_GO_TOOLCHAIN := go1.25.12 (drives the govulncheck/gosec/lint tool installs and the sast-vuln run)
  • .github/workflows/ci.ymlGO_VERSION: "1.25.12" + updated advisory comment
  • 23 × deploy/Dockerfilegolang:1.25.12-alpine builder
  • 19 × deploy/azure-pipelines.ymlGO_VERSION: '1.25.12'
  • CLAUDE.md — builder-image reference

Testing

  • Full repo builds under go1.25.12 (go build ./...).
  • Full unit suite green with -race (make test).
  • govulncheck itself couldn't run locally (vuln DB fetch is proxy-blocked in the sandbox) — this PR's own sast job is the verification that GO-2026-5856 clears.

Once merged, PR #482 (and any other open branch) just needs a rebase/re-run to go green.

🤖 Generated with Claude Code

https://claude.ai/code/session_012X9qhQT4NwmCHjdndwNtFD


Generated by Claude Code

govulncheck flags the reachable crypto/tls Encrypted Client Hello privacy
leak (GO-2026-5856), fixed in the July 2026 go1.25.12 security release —
the sast CI gate fails repo-wide until the toolchain moves. Bumps go.mod,
Makefile TOOLS_GO_TOOLCHAIN, ci.yml GO_VERSION, all 23 deploy Dockerfiles,
all 19 azure-pipelines, and the CLAUDE.md builder-image reference.

Co-Authored-By: Claude <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@general-lex, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 22 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2f10c2a1-8bc8-4e2c-ba90-01facb9aa47b

📥 Commits

Reviewing files that changed from the base of the PR and between 85f92a8 and 4d2b566.

📒 Files selected for processing (46)
  • .github/workflows/ci.yml
  • CLAUDE.md
  • Makefile
  • auth-service/deploy/Dockerfile
  • auth-service/deploy/azure-pipelines.yml
  • broadcast-worker/deploy/Dockerfile
  • broadcast-worker/deploy/azure-pipelines.yml
  • data-migration/oplog-collections-transformer/deploy/Dockerfile
  • data-migration/oplog-collections-transformer/deploy/azure-pipelines.yml
  • data-migration/oplog-connector/deploy/Dockerfile
  • data-migration/oplog-connector/deploy/azure-pipelines.yml
  • data-migration/oplog-direct-transfer/deploy/Dockerfile
  • data-migration/oplog-direct-transfer/deploy/azure-pipelines.yml
  • data-migration/oplog-transformer/deploy/Dockerfile
  • data-migration/oplog-transformer/deploy/azure-pipelines.yml
  • go.mod
  • history-service/deploy/Dockerfile
  • history-service/deploy/azure-pipelines.yml
  • inbox-worker/deploy/Dockerfile
  • inbox-worker/deploy/azure-pipelines.yml
  • media-service/deploy/Dockerfile
  • media-service/deploy/azure-pipelines.yml
  • message-gatekeeper/deploy/Dockerfile
  • message-gatekeeper/deploy/azure-pipelines.yml
  • message-worker/deploy/Dockerfile
  • message-worker/deploy/azure-pipelines.yml
  • notification-worker/deploy/Dockerfile
  • notification-worker/deploy/azure-pipelines.yml
  • portal-service/deploy/Dockerfile
  • portal-service/deploy/azure-pipelines.yml
  • room-service/deploy/Dockerfile
  • room-service/deploy/azure-pipelines.yml
  • room-worker/deploy/Dockerfile
  • room-worker/deploy/azure-pipelines.yml
  • search-service/deploy/Dockerfile
  • search-sync-worker/deploy/Dockerfile
  • search-sync-worker/deploy/azure-pipelines.yml
  • tools/loadgen/deploy/Dockerfile
  • tools/nats-debug/deploy/Dockerfile
  • upload-service/deploy/Dockerfile
  • user-presence-service/deploy/Dockerfile
  • user-presence-service/deploy/azure-pipelines.yml
  • user-presence-service/sync/deploy/Dockerfile
  • user-presence-service/sync/deploy/azure-pipelines.yml
  • user-service/deploy/Dockerfile
  • user-service/deploy/azure-pipelines.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/go1-25-12-security-bump

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@general-lex general-lex closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants