From 8fa626388c72015e1e3f50dc9399f7c855e70774 Mon Sep 17 00:00:00 2001 From: Lucas Machado Date: Mon, 8 Jun 2026 19:17:18 +0200 Subject: [PATCH] fix: bump Go to 1.25.11 for stdlib vulns; stop advisory review blocking PRs govulncheck flagged two reachable standard-library vulnerabilities once the dashboard added an HTTP server (internal/web/server.go): - GO-2026-5039 net/textproto (fixed in go1.25.11) - GO-2026-5037 crypto/x509 (fixed in go1.25.11) Bump the go directive 1.25.10 -> 1.25.11. Verified locally with the 1.25.11 toolchain: `go test ./...` passes and `govulncheck ./...` reports 0 vulnerabilities affecting the code. Also mark the `review` job's reviewforge step continue-on-error: it is an advisory AI review, not a required check, but a failure (e.g. an expired AI_API_KEY) leaves a red X and pushes PRs into a BLOCKED/UNSTABLE merge state. This keeps it informational without gating merges. Renewing GEMINI_API_KEY is still needed to actually get reviews back. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/pr.yml | 2 ++ go.mod | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index de226c6..bb1f1df 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -53,7 +53,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + # Advisory AI review — never block a PR on it (e.g. expired AI_API_KEY). - uses: AxeForging/reviewforge@main + continue-on-error: true with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} AI_PROVIDER: gemini diff --git a/go.mod b/go.mod index 5da2446..8c7822a 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/AxeForging/aigate -go 1.25.10 +go 1.25.11 require ( github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2