chore: bump golang.org/x/vuln to v1.4.0, eliminate govulncheck version drift#40034
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…rift Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
✅ Test Quality Sentinel completed test quality analysis. No test files were added or modified in this PR. Test Quality Sentinel skipped.

✅ PR Code Quality Reviewer completed the code quality review.

✅ Design Decision Gate 🏗️ completed the design decision gate check. No ADR enforcement needed: PR #40034 does not have the 'implementation' label and has 0 new lines of code in business logic directories (≤100 threshold). The PR is a dependency bump (golang.org/x/vuln to v1.4.0) and skill script tweaks, which do not warrant an ADR.

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅
Pull request overview
This PR consolidates govulncheck versioning onto a single source of truth by bumping golang.org/x/vuln to v1.4.0 in go.mod and updating the Makefile to invoke govulncheck via go run (avoiding separate binary installation/version drift). It also includes a small script header clarification and regenerates several compiled workflow lock files to include awk in the allowed tool lists.
Changes:
- Bump golang.org/x/vuln to v1.4.0 (with corresponding go.sum updates, including golang.org/x/telemetry).
- Update make security-govulncheck to run govulncheck via go run ... and remove the stale govulncheck install line from make tools.
- Refresh a few workflow lock files' allowlists (adding awk) and clarify the canonical/copy relationship in the install script header.
| File | Description |
|---|---|
| Makefile | Switch security-govulncheck to go run ... and remove govulncheck from tools installs to prevent version drift. |
| go.mod | Pin golang.org/x/vuln to v1.4.0 (single source of truth) and update indirect x/telemetry. |
| go.sum | Update checksums to match the go.mod dependency bumps. |
| actions/setup-cli/install.sh | Clarify which install script is canonical vs copied. |
| .github/workflows/spec-librarian.lock.yml | Regenerate compiled lock output to include shell(awk) in allowed tools. |
| .github/workflows/go-fan.lock.yml | Regenerate compiled lock output to include Bash(awk) in allowed tools. |
| .github/workflows/daily-testify-uber-super-expert.lock.yml | Regenerate compiled lock output to include shell(awk) in allowed tools. |
| .github/workflows/daily-file-diet.lock.yml | Regenerate compiled lock output to include shell(awk) in allowed tools. |
Copilot's findings
- Files reviewed: 7/8 changed files
- Comments generated: 0
Skills-Based Review 🧠
Applied /diagnose and /zoom-out — approving. Clean, well-motivated maintenance work with no blocking issues.
📋 Key Themes & Highlights
Positive Highlights
- ✅ Root cause properly addressed: three divergent version pins (v1.3.0 in go.mod, v1.1.4 in the Makefile tools target, @latest in the security target) collapsed to a single source of truth
- ✅ go run invocation eliminates the install-then-run pattern and closes the drift window permanently
- ✅ Picks up the v1.4.0 exit-code propagation fix that could previously mask a non-zero result and weaken the security gate
- ✅ install.sh comment clarification correctly identifies which file is canonical
Minor Observation
The four .lock.yml changes add shell(awk) to allowed tool lists, which appears orthogonal to the govulncheck version bump — likely bundled in via a make recompile that picked up a separate source-workflow change. Not blocking, but the PR title/description does not describe this portion.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer
REQUEST_CHANGES — two issues must be fixed before merge.
🔎 Review summary
What works well
The core goal — collapsing three divergent version pins to a single go.mod source of truth via go run — is sound. The go.sum updates are correct, and the install.sh comment fix is strictly better than before.
Blocking issues
1. Lock files were hand-edited instead of regenerated from markdown sources (high)
All 4 .lock.yml files received a direct Bash(awk) / shell(awk) addition, but none of the corresponding .md workflow source files were updated. make recompile --purge will silently overwrite these changes the next time it runs. See inline comment on go-fan.lock.yml:847.
2. make tools no longer installs a govulncheck binary (medium)
Dropping the go install line removes the only path that puts a govulncheck binary in $PATH. IDE integrations, pre-commit hooks, and direct CLI invocations break silently. tools.go still blank-imports the package, creating an inconsistency. See inline comment on Makefile:576.
Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
proxy.golang.org
To allow these domains, add them to the network.allowed list in your workflow frontmatter:
network:
  allowed:
    - defaults
    - "proxy.golang.org"
See Network Configuration for more information.
🔎 Code quality review by PR Code Quality Reviewer
@copilot merge main, recompile
…-govulncheck Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done. Merged
Hand-off: CI must be re-triggered by a maintainer (close/reopen PR or push) before merge.
golang.org/x/vuln was pinned three different ways — v1.3.0 in go.mod, v1.1.4 in the tools Makefile target, and @latest in security-govulncheck — meaning local scans could silently diverge from CI and miss the exit-code propagation fix shipped in v1.4.0.

Changes
- go.mod: bump golang.org/x/vuln v1.3.0 → v1.4.0 (picks up exit-code fix for wrapped scan errors that could previously mask a non-zero exit and weaken the security gate)
- Makefile — security-govulncheck: replace install-then-invoke pattern with go run golang.org/x/vuln/cmd/govulncheck ./..., which resolves the binary directly from the module cache at the pinned go.mod version — no drift, no separate install step
- Makefile — tools: drop the stale go install golang.org/x/vuln/cmd/govulncheck@v1.1.4 line; govulncheck no longer needs pre-installation as a binary

All three version pins now collapse to a single source of truth: v1.4.0 in go.mod.
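As an added example (not code from this PR or its repository), a POSIX shell check for the drift the description fixes: it compares the golang.org/x/vuln pin in go.mod against every go install ...@VERSION pin in a Makefile, so a pre-PR layout fails and a go run layout passes. The go.mod and Makefile contents are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the PR or the project): detect version drift
# between the module pin in go.mod and tool pins in a Makefile, the situation
# the PR description calls out for golang.org/x/vuln. Inputs below are
# constructed sample files, not the repository's real go.mod or Makefile.

# pin_in_gomod GOMOD MODULE: print the version go.mod requires for MODULE.
# Handles both "require mod vX" and the multi-line "require ( ... )" form.
pin_in_gomod() {
  awk -v mod="$2" '
    $1 == "require" && NF >= 3 { m = $2; v = $3 }
    $1 != "require"            { m = $1; v = $2 }
    m == mod && v ~ /^v/       { print v; exit }' "$1"
}

# pins_in_makefile MAKEFILE MODULE: print each version that a
# "go install MODULE/...@VERSION" line pins (v1.1.4, latest, ...), one per line.
# Lines that use "go run MODULE/..." carry no @pin and are ignored.
pins_in_makefile() {
  grep -o "go install $2/[^ @]*@[^ ]*" "$1" | sed 's/.*@//' | sort -u
}

# check_drift GOMOD MAKEFILE MODULE: return 0 when every Makefile pin matches
# go.mod, 1 (with a message) on the first mismatch.
check_drift() {
  gomod_v=$(pin_in_gomod "$1" "$3")
  for v in $(pins_in_makefile "$2" "$3"); do
    if [ "$v" != "$gomod_v" ]; then
      echo "drift: $2 pins @$v but go.mod pins $gomod_v"
      return 1
    fi
  done
  echo "ok: $2 agrees with go.mod ($gomod_v)"
  return 0
}

# Constructed samples: the pre-PR state (three divergent pins) and the
# post-PR Makefile, which delegates the version to go.mod via go run.
tmp=$(mktemp -d)
printf 'module example.com/app\n\ngo 1.22\n\nrequire (\n\tgolang.org/x/vuln v1.3.0\n)\n' > "$tmp/go.mod"
printf 'tools:\n\tgo install golang.org/x/vuln/cmd/govulncheck@v1.1.4\n\nsecurity-govulncheck:\n\tgo install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./...\n' > "$tmp/Makefile.before"
printf 'security-govulncheck:\n\tgo run golang.org/x/vuln/cmd/govulncheck ./...\n' > "$tmp/Makefile.after"

check_drift "$tmp/go.mod" "$tmp/Makefile.before" golang.org/x/vuln || true
check_drift "$tmp/go.mod" "$tmp/Makefile.after" golang.org/x/vuln
```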