chore(docs): relocate post-wave audit + add GA policy-matrix gate#505
Merged

trilamsr added a commit that referenced this pull request on Jun 3, 2026:
## Summary

Bumps the Go toolchain pin from **1.26.3 -> 1.26.4** to pick up the stdlib fix for [GO-2026-5037](https://pkg.go.dev/vuln/GO-2026-5037) (`crypto/x509.HostnameError.Error`), which `govulncheck` flags via `tools/pyspy-lint/main.go:106:14` (reachable through `fmt.Fprintln` on an error path). This was failing the `verify-static` job on every recent PR.

## Root cause

`crypto/x509.HostnameError.Error` shipped vulnerable in Go 1.26.3. Patched in Go 1.26.4. There is no in-repo workaround — the call site in `tools/pyspy-lint` is legitimate error formatting; the only correct fix is bumping the toolchain pin.

Confirmed locally:

```
$ govulncheck ./tools/pyspy-lint/...   # with GOTOOLCHAIN=go1.26.4
No vulnerabilities found.
```

## Files touched (5)

- `go.mod` — `go 1.26.3` -> `go 1.26.4`
- `go.work` — `go 1.26.3` -> `go 1.26.4` (+ updated header comments)
- `.go-version` — `1.26.3` -> `1.26.4` (drives `actions/setup-go` via `go-version-file`)
- `install/kubernetes/tracecore/Dockerfile` — base image bumped to `golang:1.26.4-alpine` with refreshed sha256 digest (`f23e8b22…2a17f`, fetched via `crane digest`)
- `docs/SUPPORT-MATRIX.md` — Go-toolchain row updated to `1.26.4`

`module/go.mod` is intentionally untouched — it pins `go 1.22.0` to track the OTel collector v0.110.0 OCB-distribution baseline (see existing comment), and the workspace `go` directive (`1.26.4`) remains `>=` the member-module floor (`1.22.0`), so workspace mode is unaffected.

## Test plan

- [x] `govulncheck ./tools/pyspy-lint/...` -> No vulnerabilities found
- [x] `go build ./...` (root, GOTOOLCHAIN=go1.26.4) -> clean
- [x] `go test ./tools/... ./internal/...` -> all green (incl. `tools/pyspy-lint`, the file containing the flagged call site)
- [x] `module/` `go test ./...` -> matches `main` (one pre-existing failure in `processor/patterndetectorprocessor` `TestPatternDetector_NegativeFixturesEmitNoVerdicts/synthetic-2026-06-multi-rank-disk-pressure`, reproducible on `main` at the same SHA — unrelated to this bump, out-of-scope here)
- [x] `make lint` -> 0 issues
- [ ] CI `verify-static` job passes (the gate this PR exists to fix)
- [ ] CI `build` / kind install bench builds against new pinned-digest golang base image

## Unblocks

Should clear `verify-static` for PRs #504, #505, #507 (and #506 once its own `action.yml` fix lands).

```release-notes
chore: bump Go toolchain pin to 1.26.4 to pick up the stdlib fix for GO-2026-5037 (crypto/x509.HostnameError.Error). No behavior change.
```

Signed-off-by: Tri Lam <tree@lumalabs.ai>
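As an added example (not code from this PR or the project), a POSIX shell check that the toolchain pins listed under "Files touched" all agree and that the `module/go.mod` floor stays below the workspace directive; the `go <version>` directive regex, the fixture contents and the placeholder digest are assumptions.

```shell
# Added example, not project code: verify the pins the bump commit touched
# (go.mod, go.work, .go-version, the tracecore Dockerfile) agree on one version
# and that module/go.mod's floor is <= the workspace directive.
check_toolchain_pins() {
  root=$1; want=$2; rc=0
  # go.mod and go.work carry a bare "go <version>" directive
  for f in go.mod go.work; do
    got=$(sed -n 's/^go \([0-9][0-9.]*\)$/\1/p' "$root/$f")
    [ "$got" = "$want" ] || { echo "$f pins '$got', want $want"; rc=1; }
  done
  # .go-version is the bare version string read by actions/setup-go
  got=$(tr -d '[:space:]' < "$root/.go-version")
  [ "$got" = "$want" ] || { echo ".go-version pins '$got', want $want"; rc=1; }
  # Dockerfile base image must be golang:<want>-alpine AND carry a sha256 digest
  img=$(sed -n 's/^FROM golang:\([^ ]*\).*/\1/p' "$root/install/kubernetes/tracecore/Dockerfile")
  case $img in
    "$want-alpine@sha256:"*) ;;
    *) echo "Dockerfile base is '$img', want $want-alpine@sha256:<digest>"; rc=1 ;;
  esac
  # module/go.mod is intentionally not bumped; workspace mode only needs floor <= want
  floor=$(sed -n 's/^go \([0-9][0-9.]*\)$/\1/p' "$root/module/go.mod")
  low=$(printf '%s\n%s\n' "$floor" "$want" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$low" = "$floor" ] || { echo "module/go.mod floor $floor exceeds workspace $want"; rc=1; }
  return $rc
}

# Constructed fixture (not the project's real files) so the check runs offline.
# $1 = directory, $2 = version written into every pin; the digest is a placeholder.
make_fixture() {
  mkdir -p "$1/module" "$1/install/kubernetes/tracecore"
  printf 'module example.com/tracecore\n\ngo %s\n' "$2" > "$1/go.mod"
  printf 'go %s\n\nuse (\n\t.\n\t./module\n)\n' "$2" > "$1/go.work"
  printf '%s\n' "$2" > "$1/.go-version"
  printf 'module example.com/tracecore/module\n\ngo 1.22.0\n' > "$1/module/go.mod"
  printf 'FROM golang:%s-alpine@sha256:%s AS build\n' "$2" \
    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
    > "$1/install/kubernetes/tracecore/Dockerfile"
}

# Demo: a consistent 1.26.4 tree passes; a tree still pinned to 1.26.3 fails.
demo() {
  ok=$(mktemp -d); make_fixture "$ok" 1.26.4
  check_toolchain_pins "$ok" 1.26.4 && echo "1.26.4 tree: pins consistent"
  stale=$(mktemp -d); make_fixture "$stale" 1.26.3
  check_toolchain_pins "$stale" 1.26.4 || echo "1.26.3 tree: drift detected"
  rm -rf "$ok" "$stale"
}
demo
```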
Move docs/v1-rc1-post-wave-audit.md to docs/audits/wave-2026-06-01.md (the audits dir is the conventional home for point-in-time audit snapshots; the v1-rc1-* prefix at the doc root no longer reflects scope after rc1 stabilization). Update the one self-reference inside the file. Add GA cut criterion 2 to docs/cut-criteria.yaml — engine-specific policy-matrix validation re-enable — pointing at the historical defer commit 33fddc0 so the GA release-prep PR can verify the gate before tag cut. Closes the bureaucracy-vs-tracking concern raised on #502. Signed-off-by: Tri Lam <tree@lumalabs.ai>
Branch updated from bbacf7d to cfcac01.
## Summary

Part of the wave-2026-06-03 cleanup. Two doc-only changes:

1. `docs/v1-rc1-post-wave-audit.md` → `docs/audits/wave-2026-06-01.md`. The `v1-rc1-*` prefix at the doc root no longer reflects scope after rc1 stabilization, and `docs/audits/` is already the conventional home for point-in-time snapshots (e.g. `2026-06-cross-ref.md`). One self-reference inside the file updated; no other cross-refs exist.
2. `id: 2` added under the `v1.0-ga` milestone in `docs/cut-criteria.yaml`, pointing at the historical defer commit `33fddc0`. The GA release-prep PR now has a falsifiable gate it can verify before tag cut, replacing the open issue #502 ("ci(policy-matrix): re-enable when GA gates request engine-specific validation", closed in this wave) that was tracking the same intent without action.

Companion issue ops in the same wave (not part of this diff): closed #468, #421, #335, #502; labeled #222 `external-clock`.

## Test plan

- `make cut-criteria-render MILESTONE=v1.0-ga` regenerates `docs/v1-ga-cut-criteria.md` cleanly.
- `make cut-criteria-check` exits 0 (no drift between YAML and rendered markdown).
- `grep -rn v1-rc1-post-wave-audit docs/ README.md` returns no hits after rename + self-ref edit.