chore(deps): Bump Go from 1.25.8 to 1.25.9 #3315

Open

ompushkara wants to merge 2 commits into conforma:release-v0.7 from ompushkara:bump-go-docker-images

Conversation

@ompushkara

CVE Bumps for RHTAS

@qodo-for-conforma

Review Summary by Qodo

Bump Go version from 1.25.8 to 1.25.9

✨ Enhancement


Walkthroughs

Description
• Update Go version from 1.25.8 to 1.25.9
• Update all Docker base images to use Go 1.25.9
• Update all go.mod files across modules
• Update UBI9 go-toolset image with new SHA256 digest
Diagram
flowchart LR
  A["Go 1.25.8"] -- "Version Bump" --> B["Go 1.25.9"]
  B --> C["Dockerfile"]
  B --> D["Dockerfile.dist"]
  B --> E["go.mod files"]
  D --> F["UBI9 Toolset SHA256"]

File Changes

1. .tool-versions Dependencies +1/-1
   Update golang version specification
   • Update golang version from 1.25.8 to 1.25.9

2. Dockerfile Dependencies +1/-1
   Update Go base image version
   • Update base image from golang:1.25.8 to golang:1.25.9

3. Dockerfile.dist Dependencies +1/-1
   Update UBI9 go-toolset and digest
   • Update UBI9 go-toolset base image from 1.25.8 to 1.25.9
   • Update image SHA256 digest to reflect new version

4. acceptance/go.mod Dependencies +1/-1
   Update acceptance module Go version
   • Update go version directive from 1.25.8 to 1.25.9

5. go.mod Dependencies +1/-1
   Update main module Go version
   • Update go version directive from 1.25.8 to 1.25.9

6. tools/go.mod Dependencies +1/-1
   Update tools module Go version
   • Update go version directive from 1.25.8 to 1.25.9

7. tools/kubectl/go.mod Dependencies +1/-1
   Update kubectl tools Go version
   • Update go version directive from 1.25.8 to 1.25.9


@qodo-for-conforma

qodo-for-conforma Bot commented May 19, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)



Advisory comments

1. Unpinned Go builder image 🐞 Bug ⛨ Security
Description
Dockerfile builds with golang:1.25.9 without a digest, so the build input is not reproducible
and can change without a code change (unlike Dockerfile.dist, which pins its builder image by
digest). This is a pre-existing pattern (tag-only) that this PR continues on the touched line,
leaving the two build paths with different supply-chain guarantees.
Code

Dockerfile[19]

+FROM docker.io/library/golang:1.25.9 AS build
Relevance

⭐ Low

History keeps Dockerfile golang builder tag-only (e.g., #3052) while only dist/runtime images are
digest-pinned (#2545).

PR-#3052
PR-#2545

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The main Dockerfile uses a tag-only Go builder image, while the dist build explicitly pins its Go
toolset image by sha256 digest; additionally, the Makefile documents Dockerfile.dist as the
pipeline build path, highlighting the split between build flows.

Dockerfile[19-19]
Dockerfile.dist[19-19]
Makefile[63-72]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`Dockerfile` uses a tag-only Go builder image (`docker.io/library/golang:1.25.9`) which is mutable and makes builds non-reproducible. `Dockerfile.dist` already pins its builder image by digest, so the two Docker build paths differ in supply-chain/reproducibility properties.

## Issue Context
This PR updates the `FROM` line in `Dockerfile`, making it a good opportunity to align it with the digest-pinning approach already used elsewhere in the repo.

## Fix Focus Areas
- Dockerfile[19-19]
- Dockerfile.dist[19-19]

## Suggested change
- Update the builder stage in `Dockerfile` to pin the `golang:1.25.9` image by digest (e.g., `FROM docker.io/library/golang:1.25.9@sha256:<digest> AS build`).
- (Optional) If you intentionally don’t pin Docker Hub images, add a short comment explaining why this differs from `Dockerfile.dist` to avoid future confusion.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


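The advisory above asks for the builder image in Dockerfile to be pinned by digest the way Dockerfile.dist already is. The following POSIX shell check is an added example, not code from this PR or the conforma project: it scans a Dockerfile and counts FROM lines whose image reference carries no sha256 digest, exempting `FROM scratch` and references to earlier build stages, so a CI step can keep the two build paths consistent. The sample Dockerfile it writes, the registry path `example.invalid/...` and the digest value are constructed placeholders, not real image references.

```shell
#!/bin/sh
# Added example (not part of the conforma project): flag Dockerfile FROM lines
# whose image reference is not pinned by an immutable sha256 digest.
# Exempt: "FROM scratch" and references to earlier build stages ("FROM <stage>").

# count_unpinned_from FILE
#   Prints the number of unpinned FROM lines to stdout; lists each one on stderr.
count_unpinned_from() {
  awk '
    toupper($1) == "FROM" {
      # Remember stage names declared with "AS <name>" so "FROM <name>" is not flagged.
      for (i = 2; i < NF; i++) if (toupper($i) == "AS") stages[$(i + 1)] = 1
      img = $2
      if (img ~ /^--/) img = $3        # skip a leading --platform=... flag
      if (tolower(img) == "scratch" || (img in stages)) next
      # A pinned reference ends in @sha256:<64 lowercase hex characters>.
      d = index(img, "@sha256:")
      hex = (d > 0) ? substr(img, d + 8) : ""
      if (d == 0 || length(hex) != 64 || hex !~ /^[0-9a-f]+$/) {
        unpinned++
        print FILENAME ":" NR ": unpinned base image: " img > "/dev/stderr"
      }
    }
    END { print unpinned + 0 }
  ' "$1"
}

# write_sample_dockerfile FILE
#   Constructed sample input, not the project Dockerfile; the registry path and
#   digest are placeholders.
write_sample_dockerfile() {
  cat > "$1" <<'EOF'
# constructed sample; the digest below is a placeholder, not a real image digest
FROM docker.io/library/golang:1.25.9 AS build
RUN go build ./...
FROM --platform=linux/amd64 docker.io/library/alpine:3.20 AS tools
FROM example.invalid/ubi9/go-toolset:1.25.9@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS dist
FROM scratch AS empty
FROM build AS test
EOF
}

# Demonstration: the golang builder and the alpine image are tag-only, so the
# check reports 2; the digest-pinned toolset, scratch and the stage reference pass.
tmp=$(mktemp)
write_sample_dockerfile "$tmp"
count_unpinned_from "$tmp"   # prints 2; details on stderr
rm -f "$tmp"
```

To produce the pinned form the advisory suggests, resolve the tag to its current digest once (for instance with `docker buildx imagetools inspect docker.io/library/golang:1.25.9` or `skopeo inspect docker://docker.io/library/golang:1.25.9`) and write it into the FROM line; the check then passes, and later changes to the `1.25.9` tag can no longer alter the build without a visible diff.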

@coderabbitai

coderabbitai Bot commented May 19, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 77880269-a625-4245-90a9-69cd4085d5a3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
