build: bump Go toolchain 1.25.11 → 1.25.12 (GO-2026-5856 security release)#483
build: bump Go toolchain 1.25.11 → 1.25.12 (GO-2026-5856 security release)#483general-lex wants to merge 1 commit into
Conversation
govulncheck flags the reachable crypto/tls Encrypted Client Hello privacy leak (GO-2026-5856), fixed in the July 2026 go1.25.12 security release — the sast CI gate fails repo-wide until the toolchain moves. Bumps go.mod, Makefile TOOLS_GO_TOOLCHAIN, ci.yml GO_VERSION, all 23 deploy Dockerfiles, all 19 azure-pipelines, and the CLAUDE.md builder-image reference. Co-Authored-By: Claude <noreply@anthropic.com>
|
Warning Review limit reached
Next review available in: 22 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (46)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary
The
sastCI gate now fails repo-wide (first observed on PR #482, but it will hit every branch andmain): govulncheck flags GO-2026-5856 — the Encrypted Client Hello privacy leak incrypto/tls— as reachable from our code (any TLS use: NATS, Mongo/ES drivers, Resty, HTTP servers). It's a Go standard-library vulnerability ingo1.25.11, fixed in the July 2026 go1.25.12 security release. gosec and semgrep are clean.Same playbook as the previous bump (ci.yml documents 1.25.11 was itself a June 2026 security bump). One mechanical change across every pin (46 files):
go.mod—go 1.25.12Makefile—TOOLS_GO_TOOLCHAIN := go1.25.12(drives the govulncheck/gosec/lint tool installs and thesast-vulnrun).github/workflows/ci.yml—GO_VERSION: "1.25.12"+ updated advisory commentdeploy/Dockerfile—golang:1.25.12-alpinebuilderdeploy/azure-pipelines.yml—GO_VERSION: '1.25.12'CLAUDE.md— builder-image referenceTesting
go build ./...).-race(make test).sastjob is the verification that GO-2026-5856 clears.Once merged, PR #482 (and any other open branch) just needs a rebase/re-run to go green.
🤖 Generated with Claude Code
https://claude.ai/code/session_012X9qhQT4NwmCHjdndwNtFD
Generated by Claude Code