Skip to content

ci(vuln): set check-latest so govulncheck uses go1.26.5#32

Open
hstern wants to merge 1 commit into
mainfrom
fix/govulncheck-check-latest
Open

ci(vuln): set check-latest so govulncheck uses go1.26.5#32
hstern wants to merge 1 commit into
mainfrom
fix/govulncheck-check-latest

Conversation

@hstern

@hstern hstern commented Jul 13, 2026

Copy link
Copy Markdown
Owner

What

Enable check-latest: true on the setup-go step in vuln.yml.

Why

The daily govulncheck scan is failing on GO-2026-5856Encrypted Client Hello privacy leak in crypto/tls (found in crypto/tls@go1.26.4, fixed in go1.26.5).

setup-go was resolving the Go version against the ubuntu-latest runner image, which still ships go1.26.4, because check-latest was false/unset. check-latest: true makes it download the latest matching patch (go1.26.5), whose crypto/tls contains the fix, so the scan goes green — and future stdlib patch advisories clear automatically.

Not a code vulnerability: the advisory is already fixed upstream; CI just needed to build with the patched toolchain.

🤖 Generated with Claude Code

The daily govulncheck scan fails on GO-2026-5856 (crypto/tls ECH
privacy leak), fixed in go1.26.5. setup-go was resolving the Go
version against the runner image (go1.26.4) because check-latest was
false, so the fixed toolchain was never used. Enabling check-latest
pulls the latest 1.26.x patch (1.26.5), whose crypto/tls is fixed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant