chore: Go 1.24, grpc 1.79.3, and flexible Alpine apk pins #1730

Merged: peterbroadhurst merged 1 commit into main from cves-go124 on Mar 23, 2026

@EnriqueL8
Contributor

Proposed changes

  • Go 1.24 – Root go.mod / toolchain, manifest.json firefly-builder, and GitHub Actions setup-go use Go 1.24 so builds and images match.
  • gRPC – Bump google.golang.org/grpc to v1.79.3 in the main module (transitive via migrate/viper/etc.) and Fabric sample chaincode modules to address CVE-2026-33186.
  • Docker – Replace exact Alpine apk pins (=) with minimum versions (>=) on the firefly-builder and final stages so package updates (e.g. gcc 15, newer curl/git) no longer conflict with build-base / the index.

Types of changes

  • Chore fix
  • New feature added
  • Documentation Update

Please make sure to follow these points

  • I have read the contributing guidelines.
  • I have performed a self-review of my own code or work.
  • I have commented my code, particularly in hard-to-understand areas.
  • My changes generate no new warnings.
  • I have added tests that prove my fix is effective or that my feature works.
  • My changes have sufficient code coverage (unit, integration, e2e tests).

- Require Go 1.24 / toolchain in root go.mod; align CI setup-go and
  firefly-builder image (golang:1.24-alpine).
- Raise google.golang.org/grpc to v1.79.3 (CVE-2026-33186) in root and
  Fabric chaincode modules; go mod tidy.
- Dockerfile: use >= for build and runtime apk packages so builds keep
  working as Alpine indexes move forward.

Signed-off-by: Enrique Lacal <enrique.lacal@kaleido.io>
@EnriqueL8 EnriqueL8 requested a review from a team as a code owner March 23, 2026 18:04
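
The gRPC bullet above touches several go.mod files (the root module and the Fabric sample chaincode modules). As an added example, not part of this PR or the FireFly repository, this shell check reports any go.mod under a directory that still requires google.golang.org/grpc below v1.79.3; the function names and the sample go.mod are constructed for illustration.

```shell
# Added example (not FireFly code): flag go.mod files requiring grpc below a floor.
# GRPC_FLOOR is the version named in the PR description; function names are hypothetical.
GRPC_FLOOR="${GRPC_FLOOR:-v1.79.3}"
# Print the grpc version a go.mod requires (single-line or block form, with or
# without "// indirect"); prints nothing if absent. replace directives are ignored.
grpc_version() {
    awk '$1 == "require" && $2 == "google.golang.org/grpc" { print $3; exit }
         $1 == "google.golang.org/grpc" && $2 ~ /^v[0-9]/  { print $2; exit }' "$1"
}

# version_ge A B: A >= B on major.minor.patch; a pre-release of B itself is below B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        pre = (a ~ /-/)
        sub(/^v/, "", a); sub(/[-+].*/, "", a); sub(/^v/, "", b); sub(/[-+].*/, "", b)
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit (pre ? 1 : 0)
    }'
}

# check_gomod FILE: 0 = at or above floor, 1 = below, 2 = grpc not required.
check_gomod() {
    v=$(grpc_version "$1")
    [ -n "$v" ] || { echo "$1: grpc not required"; return 2; }
    version_ge "$v" "$GRPC_FLOOR" && { echo "$1: ok ($v)"; return 0; }
    echo "$1: BELOW FLOOR ($v < $GRPC_FLOOR)"; return 1
}

# Check every go.mod under DIR (default .); non-zero if any is below the floor.
check_tree() {
    rc=0
    for f in $(find "${1:-.}" -name go.mod -type f); do
        check_gomod "$f" || [ $? -eq 2 ] || rc=1
    done
    return $rc
}

# Constructed sample: a module still carrying an older indirect grpc requirement.
demo() {
    d=$(mktemp -d)
    printf 'module example.com/cc\n\nrequire (\n\tgoogle.golang.org/grpc v1.67.1 // indirect\n)\n' > "$d/go.mod"
    check_tree "$d" && status=0 || status=$?
    rm -rf "$d"; return $status
}
demo || true
```

Run `check_tree <repo root>` in CI after `go mod tidy`; paths containing whitespace are not handled by the `find` loop.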
@codecov

codecov bot commented Mar 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.94%. Comparing base (0047123) to head (e0ec773).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1730   +/-   ##
=======================================
  Coverage   99.94%   99.94%           
=======================================
  Files         342      342           
  Lines       25022    25022           
=======================================
+ Hits        25007    25008    +1     
- Misses          9       10    +1     
+ Partials        6        4    -2     


},
"build": {
"firefly-builder": {
"image": "golang:1.23-alpine3.21"
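
Review bot: the "image" value under "firefly-builder" names the builder base image by tag only, and a tag can be re-pointed to different image contents between builds. Consider appending the resolved digest (for example `golang:<tag>@sha256:<digest>`, placeholder values) or recording the digest in CI output, so the toolchain that compiled a given release can be identified later.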
Contributor

I was unsure we could un-pin this to at least an alpine major version, but I see it's really only the last digit that changes for alpine looking at golang tags ✅

@peterbroadhurst peterbroadhurst merged commit d3ee0a3 into main Mar 23, 2026
19 checks passed
2 participants