chore(docs): relocate post-wave audit + add GA policy-matrix gate #505

Merged: trilamsr merged 1 commit into main from chore/cleanup-stale-roadmap-refs on Jun 3, 2026

@trilamsr trilamsr commented Jun 3, 2026

Summary

Part of the wave-2026-06-03 cleanup. Two doc-only changes:

  1. Relocate point-in-time audit. docs/v1-rc1-post-wave-audit.md -> docs/audits/wave-2026-06-01.md. The v1-rc1-* prefix at the doc root no longer reflects scope after rc1 stabilization, and docs/audits/ is already the conventional home for point-in-time snapshots (e.g. 2026-06-cross-ref.md). One self-reference inside the file updated; no other cross-refs exist.
  2. Add GA cut criterion for policy-matrix re-enable. Adds id: 2 under the v1.0-ga milestone in docs/cut-criteria.yaml, pointing at the historical defer commit 33fddc0. The GA release-prep PR now has a falsifiable gate it can verify before tag cut, replacing the open issue ci(policy-matrix): re-enable when GA gates request engine-specific validation #502 (closed in this wave) that was tracking the same intent without action.

Companion issue ops in the same wave (not part of this diff): closed #468, #421, #335, #502; labeled #222 external-clock.

Test plan

  • make cut-criteria-render MILESTONE=v1.0-ga regenerates docs/v1-ga-cut-criteria.md cleanly.
  • make cut-criteria-check exits 0 (no drift between YAML and rendered markdown).
  • grep -rn v1-rc1-post-wave-audit docs/ README.md returns no hits after rename + self-ref edit.
  • DCO + deprecation-check pre-push hooks pass.

docs: relocate `docs/v1-rc1-post-wave-audit.md` to `docs/audits/wave-2026-06-01.md`; add GA cut criterion for engine-specific policy-matrix re-enable.

@trilamsr trilamsr enabled auto-merge (squash) June 3, 2026 22:55
trilamsr added a commit that referenced this pull request Jun 3, 2026
## Summary

Bumps the Go toolchain pin from **1.26.3 -> 1.26.4** to pick up the
stdlib fix for [GO-2026-5037](https://pkg.go.dev/vuln/GO-2026-5037)
(`crypto/x509.HostnameError.Error`), which `govulncheck` flags via
`tools/pyspy-lint/main.go:106:14` (reachable through `fmt.Fprintln` on
an error path). This was failing the `verify-static` job on every
recent PR.

## Root cause

`crypto/x509.HostnameError.Error` shipped vulnerable in Go 1.26.3.
Patched in Go 1.26.4. There is no in-repo workaround — the call site
in `tools/pyspy-lint` is legitimate error formatting; the only correct
fix is bumping the toolchain pin. Confirmed locally:

```
$ govulncheck ./tools/pyspy-lint/...   # with GOTOOLCHAIN=go1.26.4
No vulnerabilities found.
```

## Files touched (5)

- `go.mod` — `go 1.26.3` -> `go 1.26.4`
- `go.work` — `go 1.26.3` -> `go 1.26.4` (+ updated header comments)
- `.go-version` — `1.26.3` -> `1.26.4` (drives `actions/setup-go` via
  `go-version-file`)
- `install/kubernetes/tracecore/Dockerfile` — base image bumped to
  `golang:1.26.4-alpine` with refreshed sha256 digest
  (`f23e8b22…2a17f`, fetched via `crane digest`)
- `docs/SUPPORT-MATRIX.md` — Go-toolchain row updated to `1.26.4`

`module/go.mod` is intentionally untouched — it pins `go 1.22.0` to
track the OTel collector v0.110.0 OCB-distribution baseline (see
existing comment), and the workspace `go` directive (`1.26.4`)
remains `>=` the member-module floor (`1.22.0`), so workspace mode is
unaffected.

## Test plan

- [x] `govulncheck ./tools/pyspy-lint/...` -> No vulnerabilities found
- [x] `go build ./...` (root, GOTOOLCHAIN=go1.26.4) -> clean
- [x] `go test ./tools/... ./internal/...` -> all green (incl.
  `tools/pyspy-lint`, the file containing the flagged call site)
- [x] `module/` `go test ./...` -> matches `main` (one pre-existing
  failure in `processor/patterndetectorprocessor`
  `TestPatternDetector_NegativeFixturesEmitNoVerdicts/synthetic-2026-06-multi-rank-disk-pressure`,
  reproducible on `main` at the same SHA — unrelated to this bump,
  out-of-scope here)
- [x] `make lint` -> 0 issues
- [ ] CI `verify-static` job passes (the gate this PR exists to fix)
- [ ] CI `build` / kind install bench builds against new pinned-digest
  golang base image

## Unblocks

Should clear `verify-static` for PRs #504, #505, #507 (and #506 once
its own `action.yml` fix lands).

```release-notes
chore: bump Go toolchain pin to 1.26.4 to pick up the stdlib fix for
GO-2026-5037 (crypto/x509.HostnameError.Error). No behavior change.
```

Signed-off-by: Tri Lam <tree@lumalabs.ai>
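
A consistency check for the pins the toolchain-bump commit above touches (`go.mod`, `go.work`, `.go-version`, and the Dockerfile base image), as an added example that is not code from this repository. `CheckPins`, `pinOf` and the sample file contents are hypothetical; a member module that deliberately keeps a lower floor, as `module/go.mod` does, would not be passed in.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var goLine = regexp.MustCompile(`(?m)^go[ \t]+(\S+)[ \t]*$`)
var fromLine = regexp.MustCompile(`(?m)^FROM[ \t]+golang:([0-9.]+)[^\s@]*(@sha256:[0-9a-f]{64})?`)

// pinOf returns the Go version a file pins and, for a Dockerfile, whether the
// golang base image carries a full sha256 digest (true for other file kinds).
func pinOf(path, body string) (string, bool) {
	switch {
	case strings.HasSuffix(path, "Dockerfile"):
		if m := fromLine.FindStringSubmatch(body); m != nil {
			return m[1], m[2] != ""
		}
		return "", false
	case strings.HasSuffix(path, ".go-version"):
		return strings.TrimSpace(body), true
	}
	if m := goLine.FindStringSubmatch(body); m != nil { // go.mod, go.work
		return m[1], true
	}
	return "", true
}

// CheckPins takes {path, contents} pairs and reports each pin that is not want.
func CheckPins(files [][2]string, want string) []string {
	var findings []string
	for _, f := range files {
		v, digest := pinOf(f[0], f[1])
		if v != want {
			findings = append(findings, fmt.Sprintf("%s: pins %q, want %q", f[0], v, want))
		}
		if !digest {
			findings = append(findings, f[0]+": golang base image is not digest-pinned")
		}
	}
	return findings
}

func main() { // constructed sample contents, not the repository's files
	files := [][2]string{{"go.mod", "module example.test/m\n\ngo 1.26.4\n"},
		{".go-version", "1.26.3\n"}, {"Dockerfile", "FROM golang:1.26.4-alpine AS build\n"}}
	fmt.Println(strings.Join(CheckPins(files, "1.26.4"), "\n"))
}
```

Run against the real files in CI, a non-empty result means one pin was missed in a bump or the base image lost its digest.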
Move docs/v1-rc1-post-wave-audit.md to docs/audits/wave-2026-06-01.md (the audits dir is the conventional home for point-in-time audit snapshots; the v1-rc1-* prefix at the doc root no longer reflects scope after rc1 stabilization). Update the one self-reference inside the file.

Add GA cut criterion 2 to docs/cut-criteria.yaml — engine-specific policy-matrix validation re-enable — pointing at the historical defer commit 33fddc0 so the GA release-prep PR can verify the gate before tag cut. Closes the bureaucracy-vs-tracking concern raised on #502.

Signed-off-by: Tri Lam <tree@lumalabs.ai>
@trilamsr trilamsr force-pushed the chore/cleanup-stale-roadmap-refs branch from bbacf7d to cfcac01 Compare June 3, 2026 23:23
@trilamsr trilamsr merged commit 709d01b into main Jun 3, 2026
12 checks passed
@trilamsr trilamsr deleted the chore/cleanup-stale-roadmap-refs branch June 3, 2026 23:34
Development

Successfully merging this pull request may close these issues.

fix(docs): docs/examples/with-telemetry.yaml broken on main (clockreceiver/stdoutexporter retired)