
chore(deps): bump go to 1.25 everywhere #3572

Merged
mdelapenya merged 13 commits into testcontainers:main from mdelapenya:bump-to-go-1-25
Mar 7, 2026

Conversation

@mdelapenya
Member

@mdelapenya mdelapenya commented Mar 7, 2026

What does this PR do?

Bumps the minimum supported Go version from 1.24 to 1.25, supporting the last two major versions (1.25 and 1.26).

Changes

  • Go version bump: Updated go 1.24.0 → go 1.25.0 and toolchain go1.24.7 → toolchain go1.25.7 across all go.mod files (~67 modules)
  • CI matrix: Updated test matrix from [1.24.x, 1.25.x] to [1.25.x, 1.26.x] in ci.yml
  • CI simplification: Removed the Go version compatibility check step and all its associated conditionals from ci-test-go.yml, as all modules now share the same minimum Go version
  • Lint simplification: Removed the golangci-lint version mapping case statement from ci-lint-go.yml and hardcoded v2.9.0; also bumped commons-test.mk from v2.0.2 to v2.9.0
  • Lint fixes: Fixed 4 prealloc warnings by using make() with capacity, and excluded 2 revive var-naming warnings for exec/ and log/ packages (renaming would be a breaking API change)
  • Docs: Updated Go version references in CI documentation (CircleCI, GitLab CI, Concourse, Tekton, DinD patterns, AWS CodeBuild)
  • Devcontainer: Updated Go image from 1.24 to 1.25
  • Sonar condition: Updated minimum Go version check from 1.24.x to 1.25.x

Why is it important?

Go 1.26 has been released. This project supports the last two major Go versions, so the supported window moves to [1.25, 1.26]. Dropping 1.24 support allows the project to adopt Go 1.25 language features and ensures CI tests against the current supported versions.

Related issues

@mdelapenya mdelapenya requested a review from a team as a code owner March 7, 2026 13:28
@netlify

netlify Bot commented Mar 7, 2026

Deploy Preview for testcontainers-go ready!

Name Link
🔨 Latest commit 5039e33
🔍 Latest deploy log https://app.netlify.com/projects/testcontainers-go/deploys/69ac44a5f0fca60008da3fe0
😎 Deploy Preview https://deploy-preview-3572--testcontainers-go.netlify.app

@coderabbitai

coderabbitai Bot commented Mar 7, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Summary by CodeRabbit

  • Chores

    • Bumped required Go toolchain to 1.25.x across the project and examples.
    • Upgraded golangci-lint to v2.9.0.
  • CI

    • Simplified CI by removing Go-version compatibility gating, loosened test/scan conditions, and updated Go matrix entries.
  • Refactor

    • Widespread allocation and minor comment/formatting improvements for performance and clarity.
  • Documentation

    • Updated docs and CI examples to reference Go 1.25.x.

Walkthrough

Upgrades Go toolchain references from 1.24 → 1.25 across the repo, pins golangci-lint to v2.9.0 and removes dynamic Go-compat gating in CI, updates devcontainer/docs, adds revive exclusions, and applies many small preallocation/refactor changes—no public API changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI workflows & linters: .github/workflows/ci-lint-go.yml, .github/workflows/ci-test-go.yml, .github/workflows/ci.yml, commons-test.mk | Removed dynamic golangci-lint version step, pinned golangci-lint to v2.9.0, removed go-version compatibility gating, and updated CI Go matrix/Sonar conditions. |
| Go version bumps (root & modules): go.mod, modulegen/go.mod, examples/nginx/go.mod, usage-metrics/go.mod, wait/testdata/http/go.mod, modules/*/go.mod | Bumped go directives to 1.25.0 and toolchain lines to go1.25.7 across root, examples, tests, and many modules. |
| Devcontainer & docs: .devcontainer/devcontainer.json, AI.md, docs/system_requirements/ci/*.md | Updated devcontainer image and documentation/CI example image tags/commands to reference Go 1.25. |
| Linter config: .golangci.yml | Added revive exclusions for specific paths to suppress var-naming/meaningless-package warnings. |
| Allocation & small refactors: many modules/*/*.go, port_forwarding.go, network/network_test.go, options.go, container.go, reaper.go, modules/compose/compose_api.go | Converted many composite-literal slices to preallocated make(...,0,cap) + append, minor comments/formatting, added //nolint, and replaced some string concatenations with builders; behavior preserved. |
| Tests & testdata / Dockerfiles: modules/*/*_test.go, wait/testdata/..., modules/azure/lowkeyvault/testdata/Dockerfile | Updated test module go.mod versions, preallocated local slices in tests, and bumped Dockerfile builder base images to Go 1.25; no test logic changes. |

Sequence Diagram(s)

(Skipped)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested labels

chore

Suggested reviewers

  • stevenh

Poem

🐇 I hopped from one-point-twenty-four to one-point-twenty-five,
I lined my slices neat so allocations dance light.
CI pins and docs updated, little comments aligned,
No APIs startled — just tidy-up in sight.
Nibble a carrot, then merge with delight. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: bumping Go from version 1.24 to 1.25 across the entire repository. |
| Description check | ✅ Passed | The description is well-related to the changeset, providing clear context about the Go version bump, affected files, rationale, and supporting details. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 94.52% which is sufficient. The required threshold is 80.00%. |


@mdelapenya mdelapenya self-assigned this Mar 7, 2026
@mdelapenya mdelapenya added the dependencies Dependencies or external services label Mar 7, 2026
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (4)
modules/chroma/go.mod (1)

3-3: Verify whether omitting the toolchain pin here is intentional.

This is the only reviewed module bumped to go 1.25.0 without the matching toolchain go1.25.7 directive. If that omission is accidental, local patch-level compiler selection can drift from the rest of the repo.

Possible alignment if the omission was accidental
 go 1.25.0
+
+toolchain go1.25.7
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/chroma/go.mod` at line 3, The go.mod in modules/chroma sets "go
1.25.0" but omits a matching toolchain pin; verify whether this was intentional
and if not add the repository's patch-level toolchain directive (e.g. add a line
"toolchain go1.25.7" above or below the existing "go 1.25.0") so local compilers
align with the repo; if omission is intentional, add a brief comment in the
module's go.mod or the PR description confirming that it's deliberate.
.devcontainer/devcontainer.json (1)

5-5: Consider matching the devcontainer image granularity to the pinned module toolchains.

1.25-trixie will float as new 1.25.x images are published, while several reviewed modules now pin go1.25.7. If this image family publishes patch-level tags, pinning the same patch would reduce local-vs-module compiler drift.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.devcontainer/devcontainer.json at line 5, The devcontainer "image" value
"mcr.microsoft.com/devcontainers/go:1.25-trixie" is floating at patch level;
change that image reference to a patch-pinned tag that matches the project's
module toolchain (e.g., the same go1.25.7 pin used elsewhere) so local dev
compile/runtime matches CI and modules—update the "image" field to the specific
patch tag (for example replace "mcr.microsoft.com/devcontainers/go:1.25-trixie"
with the corresponding patch-pinned image such as one including 1.25.7).
options.go (1)

322-324: Consider applying the same preallocation pattern here for consistency.

WithStartupCommand uses an empty slice literal while WithAfterReadyCommand now preallocates capacity. Applying the same pattern would maintain consistency.

♻️ Suggested change
 func WithStartupCommand(execs ...Executable) CustomizeRequestOption {
 	return func(req *GenericContainerRequest) error {
-		startupCommandsHook := ContainerLifecycleHooks{
-			PostStarts: []ContainerHook{},
-		}
+		postStartsHook := make([]ContainerHook, 0, len(execs))

 		for _, exec := range execs {
 			execFn := func(ctx context.Context, c Container) error {
 				_, _, err := c.Exec(ctx, exec.AsCommand(), exec.Options()...)
 				return err
 			}

-			startupCommandsHook.PostStarts = append(startupCommandsHook.PostStarts, execFn)
+			postStartsHook = append(postStartsHook, execFn)
 		}

-		req.LifecycleHooks = append(req.LifecycleHooks, startupCommandsHook)
+		req.LifecycleHooks = append(req.LifecycleHooks, ContainerLifecycleHooks{
+			PostStarts: postStartsHook,
+		})

 		return nil
 	}
 }
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@options.go` around lines 322 - 324, The startupCommandsHook is initialized
with an empty slice literal while WithAfterReadyCommand preallocates capacity;
update the initialization of startupCommandsHook (the ContainerLifecycleHooks
variable created for PostStarts) to preallocate capacity like
WithAfterReadyCommand (e.g., use make([]ContainerHook, 0, 1) or an appropriate
capacity) so WithStartupCommand follows the same preallocation pattern as
WithAfterReadyCommand.
.github/workflows/ci-test-go.yml (1)

118-128: Sonar runs only on Go 1.25.x matrix leg.

The hardcoded "1.25.x" comparison at line 121 means Sonar analysis will only execute for the Go 1.25.x matrix leg, skipping 1.26.x runs. This is likely intentional to avoid duplicate Sonar reports per module, but consider adding a brief comment explaining this design choice for future maintainers.

📝 Suggested comment for clarity
      - name: Decide if Sonar must be run
        if: ${{ matrix.platform == 'ubuntu-latest' }}
        run: |
+         # Run Sonar only on the primary Go version to avoid duplicate analysis
          if [[ "1.25.x" == "${{ inputs.go-version }}" ]] && \
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci-test-go.yml around lines 118 - 128, The workflow step
"Decide if Sonar must be run" compares the Go matrix version to the hardcoded
string "1.25.x", which causes Sonar to run only for that matrix leg; add a
concise inline comment above that conditional explaining the intentional choice
(e.g., to avoid duplicate Sonar reports across module matrix legs and only run
once on the 1.25.x leg), so future maintainers understand why "1.25.x" is
hardcoded; update the comment near the if condition that checks "${{
inputs.go-version }}" (and mention related flags rootless-docker,
testcontainers-cloud, ryuk-disabled and branch check) rather than changing the
logic.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e5e9209d-af1c-41c4-9702-fb78f71cfb83

📥 Commits

Reviewing files that changed from the base of the PR and between d2d0d10 and dab3116.

📒 Files selected for processing (85)
  • .devcontainer/devcontainer.json
  • .github/workflows/ci-lint-go.yml
  • .github/workflows/ci-test-go.yml
  • .github/workflows/ci.yml
  • .golangci.yml
  • AI.md
  • commons-test.mk
  • container.go
  • docs/system_requirements/ci/aws_codebuild.md
  • docs/system_requirements/ci/circle_ci.md
  • docs/system_requirements/ci/concourse_ci.md
  • docs/system_requirements/ci/dind_patterns.md
  • docs/system_requirements/ci/gitlab_ci.md
  • docs/system_requirements/ci/tekton.md
  • examples/nginx/go.mod
  • go.mod
  • modulegen/go.mod
  • modules/aerospike/go.mod
  • modules/arangodb/go.mod
  • modules/artemis/go.mod
  • modules/azure/go.mod
  • modules/azure/lowkeyvault/testdata/go.mod
  • modules/azurite/go.mod
  • modules/cassandra/go.mod
  • modules/chroma/go.mod
  • modules/clickhouse/go.mod
  • modules/cockroachdb/go.mod
  • modules/consul/go.mod
  • modules/couchbase/go.mod
  • modules/databend/go.mod
  • modules/dind/go.mod
  • modules/dockermcpgateway/go.mod
  • modules/dockermodelrunner/go.mod
  • modules/dolt/go.mod
  • modules/dynamodb/go.mod
  • modules/elasticsearch/go.mod
  • modules/etcd/go.mod
  • modules/gcloud/go.mod
  • modules/grafana-lgtm/go.mod
  • modules/inbucket/go.mod
  • modules/influxdb/go.mod
  • modules/k3s/go.mod
  • modules/k6/go.mod
  • modules/kafka/go.mod
  • modules/localstack/go.mod
  • modules/mariadb/go.mod
  • modules/meilisearch/go.mod
  • modules/memcached/go.mod
  • modules/milvus/go.mod
  • modules/minio/go.mod
  • modules/mockserver/go.mod
  • modules/mongodb/go.mod
  • modules/mssql/go.mod
  • modules/mysql/go.mod
  • modules/nats/go.mod
  • modules/nebulagraph/go.mod
  • modules/neo4j/go.mod
  • modules/ollama/go.mod
  • modules/openfga/go.mod
  • modules/openldap/go.mod
  • modules/opensearch/go.mod
  • modules/pinecone/go.mod
  • modules/postgres/go.mod
  • modules/pulsar/go.mod
  • modules/qdrant/go.mod
  • modules/rabbitmq/go.mod
  • modules/redis/go.mod
  • modules/redpanda/go.mod
  • modules/registry/go.mod
  • modules/scylladb/go.mod
  • modules/socat/go.mod
  • modules/solace/go.mod
  • modules/surrealdb/go.mod
  • modules/toxiproxy/go.mod
  • modules/valkey/go.mod
  • modules/vault/go.mod
  • modules/vearch/go.mod
  • modules/weaviate/go.mod
  • modules/yugabytedb/go.mod
  • network/network_test.go
  • options.go
  • port_forwarding.go
  • reaper.go
  • usage-metrics/go.mod
  • wait/testdata/http/go.mod

Comment thread commons-test.mk
Comment on lines 8 to +9
$(GOBIN)/golangci-lint:
$(call go_install,github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.0.2)
$(call go_install,github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.9.0)
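Review bot: `$(GOBIN)/golangci-lint:` is a file target with no prerequisites, so changing `@v2.0.2` to `@v2.9.0` on the `go_install` line does not trigger a reinstall where that file already exists; make treats the target as up to date and the previously installed binary keeps being used. Suggest tying the target to the version (for example a version-stamped marker file as the target) or reinstalling when the binary reports a different version than the pinned one.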

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, find the commons-test.mk file
find . -name "commons-test.mk" -type f

Repository: testcontainers/testcontainers-go

Length of output: 93


🏁 Script executed:

cat -n commons-test.mk

Repository: testcontainers/testcontainers-go

Length of output: 1893


Use explicit path to ensure the installed golangci-lint version is invoked.

The lint target depends on $(GOBIN)/golangci-lint but invokes the bare golangci-lint command on line 33, which resolves via PATH and may pick up a globally installed binary instead of the pinned v2.9.0.

Fix
 lint: $(GOBIN)/golangci-lint
-	golangci-lint run --verbose -c $(ROOT_DIR)/.golangci.yml --fix
+	$(GOBIN)/golangci-lint run --verbose -c $(ROOT_DIR)/.golangci.yml --fix

The v2.9.0 version is correct for Go 1.25 in this repository.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@commons-test.mk` around lines 8 - 9, The lint target currently invokes the
bare golangci-lint command which can resolve to a global binary; update the lint
target to call the installed binary at $(GOBIN)/golangci-lint (the existing
dependency target $(GOBIN)/golangci-lint) so the pinned v2.9.0 form is used
consistently; locate the lint target and replace the bare invocation of
golangci-lint with $(GOBIN)/golangci-lint and ensure the dependency on
$(GOBIN)/golangci-lint remains.
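
The toolchain-pin drift raised in the modules/chroma/go.mod nitpick above can be checked mechanically across every module. The following is an added example, not code from this PR, the project or the review bots; the `modules/legacy` entry and all file contents in `SampleTree` are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"sort"
	"strings"
	"testing/fstest"
)

// Directives holds the two version lines of a go.mod file.
type Directives struct {
	Go        string // value of the "go" directive, e.g. "1.25.0"
	Toolchain string // value of the "toolchain" directive, "" when absent
}

// ParseDirectives extracts the go and toolchain directives from go.mod text.
func ParseDirectives(gomod string) Directives {
	var d Directives
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		switch f[0] {
		case "go":
			d.Go = f[1]
		case "toolchain":
			d.Toolchain = f[1]
		}
	}
	return d
}

// Audit walks fsys, parses every go.mod and returns one finding per module
// whose directives differ from want. Findings are sorted by path.
func Audit(fsys fs.FS, want Directives) ([]string, error) {
	var findings []string
	err := fs.WalkDir(fsys, ".", func(p string, e fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if e.IsDir() || e.Name() != "go.mod" {
			return nil
		}
		raw, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		got := ParseDirectives(string(raw))
		switch {
		case got.Go != want.Go:
			findings = append(findings, fmt.Sprintf("%s: go %q, want %q", p, got.Go, want.Go))
		case got.Toolchain == "":
			findings = append(findings, fmt.Sprintf("%s: no toolchain directive, want %q", p, want.Toolchain))
		case got.Toolchain != want.Toolchain:
			findings = append(findings, fmt.Sprintf("%s: toolchain %q, want %q", p, got.Toolchain, want.Toolchain))
		}
		return nil
	})
	sort.Strings(findings)
	return findings, err
}

// SampleTree returns a constructed in-memory repository layout. Only the
// directive values 1.25.0 / go1.25.7 and the chroma omission come from the
// page; modules/legacy is a hypothetical module that missed the bump.
func SampleTree() fs.FS {
	return fstest.MapFS{
		"go.mod":                {Data: []byte("module example.test/root\n\ngo 1.25.0\n\ntoolchain go1.25.7\n")},
		"modules/redis/go.mod":  {Data: []byte("module example.test/redis\n\ngo 1.25.0\n\ntoolchain go1.25.7\n")},
		"modules/chroma/go.mod": {Data: []byte("module example.test/chroma\n\ngo 1.25.0\n")},
		"modules/legacy/go.mod": {Data: []byte("module example.test/legacy\n\ngo 1.24.0\n\ntoolchain go1.24.7\n")},
		"modules/redis/redis.go": {Data: []byte("package redis\n")},
	}
}

func main() {
	findings, err := Audit(SampleTree(), Directives{Go: "1.25.0", Toolchain: "go1.25.7"})
	if err != nil {
		fmt.Println("walk failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Pointing `Audit` at `os.DirFS` of a checkout instead of `SampleTree` runs the same check on real files.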

* main:
  chore(pulsar): bump base image to 4.x, replacing the wait for log strategy with wait for listening port (deterministic) (testcontainers#3573)
  chore(deps): bump github.com/sigstore/sigstore in /modules/compose (testcontainers#3571)
@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
modules/ollama/ollama.go (1)

77-81: Preallocate for the GPU option too.

On the non-local path, Line 94 appends withGpu() before moduleOpts = append(moduleOpts, opts...), so 2+len(opts) still underestimates the final size by one. If the goal here is to avoid the extra allocation, size this to 3+len(opts) or build moduleOpts after deciding whether GPU is needed.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/ollama/ollama.go` around lines 77 - 81, The preallocation for
moduleOpts underestimates capacity when withGpu() is added: change the
allocation from make([]testcontainers.ContainerCustomizer, 0, 2+len(opts)) to
make([]testcontainers.ContainerCustomizer, 0, 3+len(opts)) so it accounts for
the GPU customizer, or alternatively move the creation of moduleOpts to after
the GPU decision and compute the capacity based on whether withGpu() will be
appended; update references to moduleOpts, withGpu(), and opts accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0d6f88be-3e36-4487-b378-734fc06dd9d7

📥 Commits

Reviewing files that changed from the base of the PR and between dab3116 and df71a47.

📒 Files selected for processing (51)
  • .golangci.yml
  • modules/aerospike/aerospike.go
  • modules/arangodb/arangodb.go
  • modules/artemis/artemis.go
  • modules/azure/cosmosdb/cosmosdb.go
  • modules/azure/eventhubs/eventhubs.go
  • modules/azure/lowkeyvault/lowkeyvault.go
  • modules/azure/servicebus/servicebus.go
  • modules/chroma/chroma.go
  • modules/clickhouse/clickhouse.go
  • modules/clickhouse/options.go
  • modules/cockroachdb/cockroachdb.go
  • modules/compose/compose_api.go
  • modules/consul/consul.go
  • modules/couchbase/couchbase.go
  • modules/couchbase/options.go
  • modules/databend/databend.go
  • modules/dind/dind.go
  • modules/dockermcpgateway/dockermcpgateway.go
  • modules/dockermodelrunner/dockermodelrunner_test.go
  • modules/dolt/dolt.go
  • modules/dynamodb/dynamodb.go
  • modules/elasticsearch/elasticsearch.go
  • modules/grafana-lgtm/grafana.go
  • modules/inbucket/inbucket.go
  • modules/influxdb/influxdb.go
  • modules/k3s/k3s.go
  • modules/k6/k6.go
  • modules/kafka/kafka.go
  • modules/localstack/localstack.go
  • modules/mariadb/mariadb.go
  • modules/memcached/memcached.go
  • modules/milvus/milvus.go
  • modules/mockserver/mockserver.go
  • modules/mongodb/atlaslocal/atlaslocal.go
  • modules/mongodb/atlaslocal/atlaslocal_test.go
  • modules/mongodb/mongodb.go
  • modules/nats/nats.go
  • modules/nebulagraph/nebulagraph.go
  • modules/neo4j/neo4j.go
  • modules/ollama/ollama.go
  • modules/openfga/openfga.go
  • modules/openldap/openldap.go
  • modules/opensearch/opensearch.go
  • modules/pinecone/pinecone.go
  • modules/postgres/postgres.go
  • modules/pulsar/pulsar.go
  • modules/qdrant/qdrant.go
  • modules/scylladb/scylladb.go
  • modules/solace/solace.go
  • modules/weaviate/weaviate_test.go
✅ Files skipped from review due to trivial changes (7)
  • modules/cockroachdb/cockroachdb.go
  • modules/couchbase/couchbase.go
  • modules/databend/databend.go
  • modules/mongodb/mongodb.go
  • modules/couchbase/options.go
  • modules/neo4j/neo4j.go
  • modules/openfga/openfga.go

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
wait/testdata/http/Dockerfile (1)

7-12: Optional: Consider adding a non-root user in the runtime stage.

Trivy flagged that the container runs as root (DS-0002). For a testdata Dockerfile this is low priority, but if you want to address it:

🔧 Optional fix to run as non-root
 FROM alpine
+RUN adduser -D -u 1000 appuser
 WORKDIR /app
 COPY --from=builder /app/tls.pem /app/tls-key.pem ./
 COPY --from=builder /app/dist/server .
+RUN chown -R appuser:appuser /app
+USER appuser
 EXPOSE 6443
 CMD ["/app/server"]
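Review bot: `RUN chown -R appuser:appuser /app` hands ownership of the server binary and of `tls-key.pem` to the same account the server runs as, so a compromised server process could rewrite both. Suggest dropping the recursive chown, leaving the binary root-owned, and using `COPY --chown=appuser` only for files the server must read that are not world-readable.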
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@wait/testdata/http/Dockerfile` around lines 7 - 12, The runtime Dockerfile
currently runs the server as root; add a non-root user and switch to it in the
final stage to mitigate DS-0002: create a user/group (e.g., appuser), chown the
WORKDIR and copied artifacts to that user, and add USER appuser before CMD so
the process launched by CMD ["/app/server"] runs unprivileged; ensure ownership
adjustments reference the copied files and WORKDIR to avoid permission issues.
modules/azure/lowkeyvault/testdata/Dockerfile (1)

7-11: Optional: Consider adding a non-root user in the runtime stage.

Same Trivy DS-0002 flag as the other Dockerfile. For testdata this is low priority, but for consistency you could apply the same pattern if desired:

🔧 Optional fix to run as non-root
 FROM alpine
+RUN adduser -D -u 1000 appuser
 WORKDIR /app
 COPY --from=builder /app/dist/server .
+RUN chown -R appuser:appuser /app
+USER appuser
 EXPOSE 6443
 CMD ["/app/server"]
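Review bot: the runtime stage still starts from a bare `FROM alpine`, with no tag or digest, so the base of the final image floats even after the non-root change. Suggest pinning it to a tag plus `@sha256:` digest in the same edit.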
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/azure/lowkeyvault/testdata/Dockerfile` around lines 7 - 11, The
runtime Dockerfile uses the alpine base and runs /app/server as root; create a
non-root user (e.g., adduser or groupadd/useradd and a home) in the runtime
stage, chown the /app directory and its contents (the files copied by COPY
--from=builder /app/dist/server .) to that user, and switch to it with USER
before EXPOSE/CMD so the server runs unprivileged; update Dockerfile entries
around COPY --from=builder, WORKDIR /app and CMD ["/app/server"] to reflect the
chown and USER change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5424b742-8e03-482b-b49a-a0f6964be174

📥 Commits

Reviewing files that changed from the base of the PR and between 284b909 and 5039e33.

📒 Files selected for processing (2)
  • modules/azure/lowkeyvault/testdata/Dockerfile
  • wait/testdata/http/Dockerfile

@@ -1,4 +1,4 @@
FROM golang:1.24-alpine@sha256:fc2cff6625f3c1c92e6c85938ac5bd09034ad0d4bc2dfb08278020b68540dbb5 as builder
FROM golang:1.25-alpine@sha256:8e02eb337d9e0ea459e041f1ee5eece41cbb61f1d83e7d883a3e2fb4862063fa as builder
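Review bot: on the new `FROM golang:1.25-alpine@sha256:…` line the digest alone selects the image and the `1.25-alpine` tag is not checked against it, so nothing in the hunk shows that the new digest is a 1.25 image. Suggest recording in the PR how the digest was obtained (for example the output of `docker buildx imagetools inspect golang:1.25-alpine`), and while touching the line, writing `AS builder` so the keyword casing matches `FROM`.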

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the sha256 digest for golang:1.25-alpine
docker manifest inspect golang:1.25-alpine 2>/dev/null | jq -r '.manifests[] | select(.platform.architecture=="amd64") | .digest' || echo "Cannot verify locally - check Docker Hub for golang:1.25-alpine digest"

Repository: testcontainers/testcontainers-go

Length of output: 58


🏁 Script executed:

# Search for any references to golang:1.25-alpine in the repository
rg "golang:1\.25" --type yaml --type dockerfile --type txt

# Also check if there are other base image references to understand the pattern
rg "golang:[0-9]\.[0-9]+-alpine" --type yaml --type dockerfile

Repository: testcontainers/testcontainers-go

Length of output: 145


🏁 Script executed:

# Check git history for this specific Dockerfile to see when and how it was changed
cd wait/testdata/http && git log --oneline -20 Dockerfile 2>/dev/null || echo "Git history not available"

Repository: testcontainers/testcontainers-go

Length of output: 123


🏁 Script executed:

# Search for any documentation or comments about the digest in related files
rg "8e02eb337d9e0ea459e041f1ee5eece41cbb61f1d83e7d883a3e2fb4862063fa" .

Repository: testcontainers/testcontainers-go

Length of output: 369


🏁 Script executed:

# Get the full commit details to see context
git show 5039e33 --stat

Repository: testcontainers/testcontainers-go

Length of output: 50388


🌐 Web query:

golang:1.25-alpine docker hub official digest sha256

💡 Result:

golang:1.25-alpine (repo digest / RepoDigests entry):

docker.io/library/golang@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34

Source (tag metadata showing RepoDigests): [1]


Update the golang:1.25-alpine digest to match the official image.

The pinned digest 8e02eb337d9e0ea459e041f1ee5eece41cbb61f1d83e7d883a3e2fb4862063fa does not match the current official digest for golang:1.25-alpine, which is aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34. Update both wait/testdata/http/Dockerfile and modules/azure/lowkeyvault/testdata/Dockerfile to use the correct digest.

🧰 Tools
🪛 Trivy (0.69.2)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@wait/testdata/http/Dockerfile` at line 1, Update the pinned digest for the
base image in the FROM line: replace the current sha256 digest value after
"golang:1.25-alpine@" (currently
8e02eb337d9e0ea459e041f1ee5eece41cbb61f1d83e7d883a3e2fb4862063fa) with the
official digest aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34
in both Dockerfiles (the lines starting with "FROM
golang:1.25-alpine@sha256:...") so the pinned image matches the official one.
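
The two Dockerfile conditions raised in the review above (a base image not pinned by digest, and a final stage with no non-root USER, which Trivy reports as DS-0002) can be checked with a small parser. This is an added example, not code from the PR, the project or Trivy; the Dockerfile text, the `RUN go build` line and the all-zero digest are constructed placeholders, and it assumes FROM and USER are not split across lines.

```go
package main

import (
	"fmt"
	"strings"
)

// Stage is one build stage of a Dockerfile.
type Stage struct {
	Base      string // image reference (or earlier stage name) after FROM
	Name      string // alias from "AS <name>", "" when absent
	User      string // effective USER at the end of the stage, "" when never set
	FromStage bool   // true when Base names an earlier stage
}

// ParseStages reads the FROM and USER instructions of a Dockerfile.
func ParseStages(dockerfile string) []Stage {
	var stages []Stage
	byName := map[string]int{}
	for _, line := range strings.Split(dockerfile, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		switch strings.ToUpper(f[0]) {
		case "FROM":
			args := f[1:]
			for len(args) > 0 && strings.HasPrefix(args[0], "--") {
				args = args[1:] // skip flags such as --platform=...
			}
			if len(args) == 0 {
				continue
			}
			s := Stage{Base: args[0]}
			if i, ok := byName[strings.ToLower(args[0])]; ok {
				s.FromStage, s.User = true, stages[i].User // USER is inherited
			}
			if len(args) >= 3 && strings.EqualFold(args[1], "as") {
				s.Name = args[2]
				byName[strings.ToLower(s.Name)] = len(stages)
			}
			stages = append(stages, s)
		case "USER":
			if len(stages) > 0 {
				stages[len(stages)-1].User = f[1]
			}
		}
	}
	return stages
}

// AuditDockerfile reports bases that are not pinned by digest and a final
// stage that would run as root.
func AuditDockerfile(dockerfile string) []string {
	var findings []string
	stages := ParseStages(dockerfile)
	for i, s := range stages {
		if s.FromStage || s.Base == "scratch" || strings.Contains(s.Base, "@sha256:") {
			continue
		}
		findings = append(findings, fmt.Sprintf("stage %d: base %q is not pinned by digest", i, s.Base))
	}
	if n := len(stages); n > 0 {
		user, _, _ := strings.Cut(stages[n-1].User, ":") // drop optional ":group"
		if user == "" || user == "root" || user == "0" {
			findings = append(findings, "final stage: no non-root USER")
		}
	}
	return findings
}

// placeholderDigest is constructed; it is not a real image digest.
var placeholderDigest = "sha256:" + strings.Repeat("0", 64)

// Before returns a constructed Dockerfile shaped like the reviewed testdata
// files: digest-pinned builder, bare alpine runtime stage, no USER.
func Before() string {
	return "FROM golang:1.25-alpine@" + placeholderDigest + " as builder\n" +
		"WORKDIR /app\n" +
		"RUN go build -o /app/dist/server .\n\n" +
		"FROM alpine\n" +
		"WORKDIR /app\n" +
		"COPY --from=builder /app/dist/server .\n" +
		"EXPOSE 6443\n" +
		"CMD [\"/app/server\"]\n"
}

// After is the same constructed file with the runtime base pinned and an
// unprivileged user selected before CMD.
func After() string {
	return "FROM golang:1.25-alpine@" + placeholderDigest + " AS builder\n" +
		"WORKDIR /app\n" +
		"RUN go build -o /app/dist/server .\n\n" +
		"FROM alpine@" + placeholderDigest + "\n" +
		"RUN adduser -D -u 1000 appuser\n" +
		"WORKDIR /app\n" +
		"COPY --from=builder /app/dist/server .\n" +
		"USER appuser\n" +
		"EXPOSE 6443\n" +
		"CMD [\"/app/server\"]\n"
}

func main() {
	fmt.Println("before:", AuditDockerfile(Before()))
	fmt.Println("after: ", AuditDockerfile(After()))
}
```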

@mdelapenya mdelapenya merged commit be25c17 into testcontainers:main Mar 7, 2026
216 checks passed
@mdelapenya mdelapenya deleted the bump-to-go-1-25 branch March 7, 2026 16:14
@mdelapenya mdelapenya mentioned this pull request Mar 9, 2026
mdelapenya added a commit that referenced this pull request Mar 9, 2026
…m-v2

* upstream/main: (269 commits)
  chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#3560)
  chore(deps): bump go.opentelemetry.io/otel/sdk to v1.41.0 (#3589)
  feat: add TiDB module (#3575)
  feat: add Forgejo module (#3556)
  feat: improve container conflict detection (#3574)
  chore(deps): bump go to 1.25 everywhere (#3572)
  chore(pulsar): bump base image to 4.x, replacing the wait for log strategy with wait for listening port (deterministic) (#3573)
  chore(deps): bump github.com/sigstore/sigstore in /modules/compose (#3571)
  chore(compose): update to compose-v5 (#3568)
  chore(deps): bump github.com/modelcontextprotocol/go-sdk (#3557)
  chore(deps): bump mkdocs-codeinclude-plugin from 0.2.1 to 0.3.1 (#3561)
  chore: update usage metrics (2026-03-02) (#3565)
  chore(deps): bump mkdocs-include-markdown-plugin from 7.2.0 to 7.2.1 (#3562)
  chore(deps): bump go.opentelemetry.io/otel/sdk in /modules/grafana-lgtm (#3563)
  chore(deps): bump go.opentelemetry.io/otel/sdk in /modules/toxiproxy (#3564)
  feat(azure): add lowkey vault container (#3542)
  feat(chroma): update to chroma 1.x (#3552)
  chore(deps): bump mkdocs-include-markdown-plugin from 7.2.0 to 7.2.1 (#3547)
  chore(deps): bump tj-actions/changed-files from 47.0.0 to 47.0.1 (#3546)
  chore(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0 (#3545)
  ...
mdelapenya added a commit that referenced this pull request Mar 9, 2026
…archive-temp

* upstream/main:
  chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#3560)
  chore(deps): bump go.opentelemetry.io/otel/sdk to v1.41.0 (#3589)
  feat: add TiDB module (#3575)
  feat: add Forgejo module (#3556)
  feat: improve container conflict detection (#3574)
  chore(deps): bump go to 1.25 everywhere (#3572)
  chore(pulsar): bump base image to 4.x, replacing the wait for log strategy with wait for listening port (deterministic) (#3573)
  chore(deps): bump github.com/sigstore/sigstore in /modules/compose (#3571)
  chore(compose): update to compose-v5 (#3568)
  chore(deps): bump github.com/modelcontextprotocol/go-sdk (#3557)
  chore(deps): bump mkdocs-codeinclude-plugin from 0.2.1 to 0.3.1 (#3561)
  chore: update usage metrics (2026-03-02) (#3565)
  chore(deps): bump mkdocs-include-markdown-plugin from 7.2.0 to 7.2.1 (#3562)
  chore(deps): bump go.opentelemetry.io/otel/sdk in /modules/grafana-lgtm (#3563)
  chore(deps): bump go.opentelemetry.io/otel/sdk in /modules/toxiproxy (#3564)
mdelapenya added a commit that referenced this pull request Mar 10, 2026
…-action

* upstream/main: (22 commits)
  chore(deps): bump golang.org/x/mod in /modules/localstack (#3587)
  chore(deps): bump golang.org/x/mod in /modules/elasticsearch (#3585)
  chore(deps): bump golang.org/x/mod in /modules/redpanda (#3588)
  chore(deps): bump golang.org/x/mod in /modules/kafka (#3586)
  chore(deps): bump github.com/shirou/gopsutil/v4 from 4.25.12 to 4.26.2 (#3576)
  chore(deps): bump github.com/moby/go-archive from 0.1.0 to 0.2.0 (#3548)
  chore(deps): bump github.com/moby/term from 0.5.0 to 0.5.2 (#3081)
  chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#3560)
  chore(deps): bump go.opentelemetry.io/otel/sdk to v1.41.0 (#3589)
  feat: add TiDB module (#3575)
  feat: add Forgejo module (#3556)
  feat: improve container conflict detection (#3574)
  chore(deps): bump go to 1.25 everywhere (#3572)
  chore(pulsar): bump base image to 4.x, replacing the wait for log strategy with wait for listening port (deterministic) (#3573)
  chore(deps): bump github.com/sigstore/sigstore in /modules/compose (#3571)
  chore(compose): update to compose-v5 (#3568)
  chore(deps): bump github.com/modelcontextprotocol/go-sdk (#3557)
  chore(deps): bump mkdocs-codeinclude-plugin from 0.2.1 to 0.3.1 (#3561)
  chore: update usage metrics (2026-03-02) (#3565)
  chore(deps): bump mkdocs-include-markdown-plugin from 7.2.0 to 7.2.1 (#3562)
  ...

Labels

dependencies Dependencies or external services
