Merged
- bump Go toolchain 1.21 -> 1.25 across go.mod, Dockerfile, build_artifacts.sh, kool.yml dev scripts, and the golang-cli preset
- CI action bumps: setup-go v2/v3 -> v5; checkout master/v3 -> v4; codeql-action v1 -> v3; dockerhub-description v2 -> v4; release-drafter v5 -> v6; anchore/scan-action v2 -> v6
- test matrix now 1.25.x
- replace inline go-install golangci-lint with golangci/golangci-lint-action@v6 pinned to v2.11.4; lint image in kool.yml scripts now golangci/golangci-lint:v2.11.4
- fix all v2 default-linter findings (staticcheck autofixes for redundant var types and strings.ReplaceAll; ST1005 error-string casing/punctuation; errcheck: explicitly swallow Close/Setenv/Fprint returns where ignoring is idiomatic)

Verified in golang:1.25 and golangci-lint:v2.11.4 containers: go mod tidy / vet / build OK; go test -race ./... all green; golangci-lint run: 0 issues; docker build + kool --version OK.
Direct dep upgrades (via go get -u ./...):
- AlecAivazis/survey/v2 v2.3.6 -> v2.3.7 (patch)
- agnivade/levenshtein v1.1.1 -> v1.2.1 (minor)
- briandowns/spinner v1.23.0 -> v1.23.2 (patch)
- compose-spec/compose-go v1.13.0 -> v1.20.2 (minor)
- creack/pty v1.1.18 -> v1.1.24 (minor)
- gookit/color v1.5.2 -> v1.6.0 (minor)
- jedib0t/go-pretty/v6 v6.4.6 -> v6.7.9 (minor)
- moby/term pseudo -> v0.5.2 (tagged release)
- spf13/afero v1.9.5 -> v1.15.0 (minor, within v1)
- spf13/cobra v1.6.1 -> v1.10.2 (minor)
- golang.org/x/sys v0.28.0 -> v0.43.0
- golang.org/x/term v0.27.0 -> v0.42.0

Indirect refresh for protobuf, net, oauth2, crypto, logrus, fatih/color, mattn/*, pflag, ulikunitz/xz, etc.

Verified in golang:1.25 + golangci/golangci-lint:v2.11.4: go build / go test -race ./... all green; golangci-lint run: 0 issues; docker build + kool --version: OK.
mitchellh/go-homedir is archived upstream. Its homedir.Dir() is effectively equivalent to os.UserHomeDir() (stdlib since Go 1.12) on Linux/macOS/Windows. The only practical behavioral delta is on Unix with HOME unset: go-homedir falls back to /etc/passwd via os/user; stdlib returns an error instead. That path already log.Fatals with the error, so the user-visible outcome is equivalent.

Also evaluated blang/semver v3 -> v4 in this pass but reverted: the v3 import path is pinned transitively by rhysd/go-github-selfupdate (selfupdate.Release.Version is blang/semver v3). A clean v4 migration requires first replacing the selfupdate library.
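To make the HOME-unset delta described in that commit concrete, the following is an added Go illustration; it is not kool's code and not the source of either library. Both lookup strategies are modeled with injectable env and passwd lookups so the HOME-unset path can be exercised deterministically; the function names (homeStdlibStyle, homeGoHomedirStyle, staticUser) and the modeling of the fallback through os/user are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"os/user"
)

// ErrNoHome stands in for the error os.UserHomeDir returns on Unix when
// $HOME is empty or unset (stdlib performs no further fallback).
var ErrNoHome = errors.New("$HOME is not defined")

// homeStdlibStyle models os.UserHomeDir on Unix: $HOME or an error.
// getenv is injected so the unset case can be tested without touching
// the real environment.
func homeStdlibStyle(getenv func(string) string) (string, error) {
	if h := getenv("HOME"); h != "" {
		return h, nil
	}
	return "", ErrNoHome
}

// homeGoHomedirStyle models the fallback behaviour described for
// go-homedir: $HOME first, otherwise the passwd database via os/user
// (which on Linux ultimately reads /etc/passwd). current is injected for
// the same reason as getenv; pass user.Current for the real lookup.
func homeGoHomedirStyle(getenv func(string) string, current func() (*user.User, error)) (string, error) {
	if h := getenv("HOME"); h != "" {
		return h, nil
	}
	u, err := current()
	if err != nil {
		return "", err
	}
	if u.HomeDir == "" {
		return "", errors.New("passwd entry has no home directory")
	}
	return u.HomeDir, nil
}

// staticUser returns a fake passwd lookup yielding the given home
// directory; it only exists to exercise the fallback without /etc/passwd.
func staticUser(home string) func() (*user.User, error) {
	return func() (*user.User, error) {
		return &user.User{Username: "alice", HomeDir: home}, nil
	}
}

func main() {
	// Against the real process environment. With HOME unset the stdlib
	// style errors out (kool's caller then log.Fatals), while the
	// go-homedir style still consults the passwd database.
	if h, err := homeStdlibStyle(os.Getenv); err != nil {
		log.Printf("stdlib style: %v", err)
	} else {
		fmt.Println("stdlib style:", h)
	}
	if h, err := homeGoHomedirStyle(os.Getenv, user.Current); err != nil {
		log.Printf("go-homedir style: %v", err)
	} else {
		fmt.Println("go-homedir style:", h)
	}
}
```

Running it with `env -u HOME go run .` shows the one case where the two differ; with HOME set both return the same path, which is the equivalence the commit relies on.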
v6 of the action rejects golangci-lint v2 versions: "invalid version string 'v2.11.4', golangci-lint v2 is not supported by golangci-lint-action v6"
Eliminates 9 of the 10 Critical CVEs grype flagged on kooldev/kool:
- 3x stdlib CVE-2025-22871 (Go 1.22.10/11, 1.23.5 -> fixed 1.23.8+)
- 3x stdlib CVE-2026-27143 (same old Go versions -> fixed 1.25.9+)
- 3x stdlib CVE-2025-68121 (same -> fixed 1.24.13+/1.25.7+)
- GHSA-p77j-4mvh-x3m3 grpc v1.68.1 in docker 27 binaries

Remaining residual Critical: docker-compose and docker-buildx plugins bundled in docker:29-cli (v29.4.1) are themselves built with go1.25.8 (fix: 1.25.9). That is upstream (docker-library/docker) territory and will clear on the next Docker plugin rebuild, or if we replace the bundled plugins ourselves in a follow-up.
Until now the kooldev/kool Docker image, built and pushed on every tag via .github/workflows/docker.yml, was published without any README or docs reference. Users discovered it organically and had no contract for what's inside or what it's for.

Adds:
- docs/01-Getting-Started/5-CI-Integration.md covering the DinD sidecar pattern (primary GitLab CI use case) with full .gitlab-ci and GitHub Actions examples, plus what the image actually contains.
- A "Known security caveat" section acknowledging that docker-compose and docker-buildx are bundled as pre-built Go binaries inherited from docker:29-cli, which can carry stdlib CVEs outside our control (e.g. CVE-2026-27143 from a go1.25.8 plugin build).
- README pointer under Installation so users find the image, and a Security-section cross-link so the CVE caveat is discoverable.
Unblocks .github/workflows/scan.yml after the docker:27-cli -> docker:29-cli base bump. The residual Critical is CVE-2026-27143 in the go1.25.8 stdlib of the docker-compose and docker-buildx plugins bundled inside docker:29-cli; fixed in go1.25.9 at the Docker image rebuild level. This is a TEMPORARY ignore — remove it once `grype kooldev/kool:<tag>` no longer reports CVE-2026-27143 (i.e. when docker-library/docker publishes a rebuilt docker:29-cli with an updated Go toolchain). Context for users of the published image is already documented in docs/01-Getting-Started/5-CI-Integration.md#known-security-caveat.
No description provided.