
update go 1.26 #168

Merged
mfrancisc merged 22 commits into codeready-toolchain:master from mfrancisc:upgradegovulncheck
Mar 9, 2026

@mfrancisc

@mfrancisc mfrancisc commented Mar 6, 2026

see: https://github.com/codeready-toolchain/account-verifier/pull/5/changes/BASE..59da390cf10bc94d8f5a7d3ebf9f5bcf8e61ed32#r2895987724

Summary by CodeRabbit

  • Chores

    • Updated Go toolchain and base runtime images to Go 1.26.0.
    • Cleaned up outdated inline comments.
  • Bug Fixes / Runtime

    • Added and installed a container entrypoint to ensure proper startup behavior.
  • Tests

    • CI linting adjusted to install and run the linter binary directly rather than via the previous hosted step.

@coderabbitai

coderabbitai bot commented Mar 6, 2026

Walkthrough

Bumps Go from 1.24.x to 1.26.0 in the Containerfile and go.mod, adds copying of an entrypoint.sh into the image and sets ENTRYPOINT in the Containerfile, and replaces a hosted golangci-lint action with explicit Go setup and local golangci-lint installation/invocation in the CI workflow.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Container & Go toolchain: govulncheck-action/Containerfile, govulncheck-action/go.mod | Updated base image and Go toolchain to Go 1.26.0; removed outdated comment; copy entrypoint.sh from builder to /usr/local/bin/entrypoint.sh and set ENTRYPOINT ["entrypoint.sh"]. |
| CI workflow (lint/test): .github/workflows/govulncheck-action-test-lint.yml | Replaced golangci-lint hosted action with steps: actions/setup-go@v6 (using go-version-file), go install of golangci-lint, and running the installed golangci-lint binary with explicit working-directory, config and verbose flags. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'update go 1.26' is partially related to the changeset - it describes a real aspect of the changes (Go version update) but is incomplete, as the PR also updates linting configuration beyond just the Go version. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
govulncheck-action/Containerfile (1)

21-23: ⚠️ Potential issue | 🟠 Major

Make entrypoint execution deterministic.

Lines 21–23 copy and execute entrypoint.sh without ensuring executable permissions inside the final image. This can cause container startup failures (permission denied) if file mode isn’t executable in source control.

Proposed fix
 COPY --from=builder /usr/src/app/govulncheckx /usr/local/bin/govulncheckx
 COPY --from=builder /usr/src/app/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod 0755 /usr/local/bin/entrypoint.sh
 
-ENTRYPOINT ["entrypoint.sh"]
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
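Review bot: The added `RUN chmod 0755 /usr/local/bin/entrypoint.sh` sets the mode in a separate layer after the `COPY`; setting it on the copy itself with `COPY --chmod=0755 --from=builder /usr/src/app/entrypoint.sh /usr/local/bin/entrypoint.sh` avoids the extra layer and does not depend on which user the final stage executes `RUN` as, which this hunk does not show. The absolute path in `ENTRYPOINT` is worth keeping either way, since it removes the dependence on `PATH` lookup at container start.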
As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@govulncheck-action/Containerfile` around lines 21 - 23, The final image runs
ENTRYPOINT ["entrypoint.sh"] but the copied file may lack executable bits; after
copying /usr/src/app/entrypoint.sh to /usr/local/bin/entrypoint.sh (COPY
--from=builder ...), add a step to set executable permissions (e.g., RUN chmod
+x /usr/local/bin/entrypoint.sh) so entrypoint.sh is always executable at
container startup and avoids permission denied errors.

📥 Commits

Reviewing files that changed from the base of the PR and between bd06cc1 and 08ae502.

📒 Files selected for processing (2)
  • govulncheck-action/Containerfile
  • govulncheck-action/go.mod

@sonarqubecloud

sonarqubecloud bot commented Mar 9, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/govulncheck-action-test-lint.yml (1)

43-46: Point setup-go's cache at the nested module.

actions/setup-go@v6 enables caching by default, but its default cache key is based on a repository-root go.mod. For modules living in a subdirectory, the docs call out cache-dependency-path; without it, this job can miss the intended cache or just warn and continue. (github.com)

Suggested change
     - name: Install Go
       uses: actions/setup-go@v6
       with:
         go-version-file: govulncheck-action/go.mod
+        cache-dependency-path: govulncheck-action/go.sum
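Review bot: `uses: actions/setup-go@v6` in this step references a movable major-version tag, so the code that runs in the job can change without any change to this file; pin the action to a full commit SHA and keep the version as a trailing comment. The added `cache-dependency-path: govulncheck-action/go.sum` is consistent with the `go-version-file` path, since both point into the same module directory.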
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/govulncheck-action-test-lint.yml around lines 43 - 46, The
setup step using actions/setup-go@v6 currently sets go-version-file but does not
set cache-dependency-path, so caching may miss the nested module; update the
setup-go step (actions/setup-go@v6) to include a cache-dependency-path that
points to the same nested module used by go-version-file so the action computes
the cache key from that module's dependencies and enables correct caching.

📥 Commits

Reviewing files that changed from the base of the PR and between 08ae502 and cd4d4e7.

📒 Files selected for processing (1)
  • .github/workflows/govulncheck-action-test-lint.yml

Comment on lines +48 to +53
- name: Install golangci-lint
run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.2

- name: Lint
working-directory: govulncheck-action
run: golangci-lint run --path-mode=abs --config=.golangci.yml --verbose ./... No newline at end of file

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

golangci-lint v2.11.2 installation documentation recommended method

💡 Result:

The recommended installation method for golangci-lint v2.11.2 is to install the official prebuilt binary (not go install) using the project’s installer script:

# installs to $(go env GOPATH)/bin
curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v2.11.2

# or installs to ./bin
curl -sSfL https://golangci-lint.run/install.sh | sh -s v2.11.2

They explicitly note that installing from source via go install / go get (and related “tools pattern” / go tool approaches) isn’t recommended, and they recommend binary installation instead. [1]


🌐 Web query:

golangci-lint go install not recommended security

💡 Result:

go install (and related go get, “tools pattern”, and the Go 1.24+ tool directive/command approach) is explicitly not recommended by golangci-lint because it can produce untested, non-reproducible builds that may even be unstable/broken:

  • It compiles locally, so the resulting binary depends on your local Go version. [1]
  • Many people used go get -u, which upgrades golangci-lint’s dependencies; the resulting binary is not tested and “not guaranteed to work”. [1]
  • Using the tools pattern / tool directives can cause dependency interference between tools and/or your project, again producing an untested binary. [1]
  • Other issues include Go module hash/tag problems, non-transitive replace behavior, and the ability to install from main (not stable). [1]

From a security/supply-chain perspective, those points matter because you’re no longer consuming a known, tested release artifact; you may instead build something with different dependency versions (or even main) than what the project released/tested. [1]

Recommended (more verifiable) install: use the official binary install script / releases. The project’s install.sh downloads the release tarball and its checksum file and performs a SHA-256 verification before installing. [2]
In GitHub Actions, the official golangci-lint-action also defaults to install-mode: binary and notes that goinstall is not recommended. [3]

Sources:
[1] golangci-lint docs – Local installation / “Install from Sources” warning and rationale (golangci-lint.run)
[2] golangci-lint install.sh – downloads checksums and verifies SHA-256 (raw.githubusercontent.com)
[3] golangci/golangci-lint-action – goinstall not recommended (github.com)

🌐 Web query:

site:github.com golangci-lint releases v2.11.2

💡 Result:

golangci-lint v2.11.2 was released on March 7, 2026 (tag v2.11.2, commit e8f6219) and is marked Latest on GitHub. The release changelog contains a single notable change: “fix: fmt with path” (PR #6418). [1][2]


Avoid building golangci-lint from source in CI.

golangci-lint's documentation explicitly states that go install/source installs "aren't guaranteed to work" and recommends binary installation instead. Using go install produces locally-compiled, untested, and non-reproducible builds that depend on your local Go version and can have unverified dependency versions. Since v2.11.2 already has published release artifacts, switching to the official binary installer improves reproducibility, reliability, and supply-chain security.

Suggested change
     - name: Install golangci-lint
-      run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.2
+      run: curl -sSfL https://golangci-lint.run/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v2.11.2
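Review bot: The replacement `run:` line pipes a script fetched from https://golangci-lint.run/install.sh straight into `sh`, so although the release is pinned to `v2.11.2`, the installer script itself is neither pinned nor verified before it executes in the job. Download the script to a file from a fixed revision and compare it against a recorded SHA-256 before running it, or fetch the v2.11.2 release archive and its checksum file directly and verify the archive inside the step.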
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/govulncheck-action-test-lint.yml around lines 48 - 53, The
CI currently builds golangci-lint from source using the "Install golangci-lint"
step (go install github.com/golangci/golangci-lint/v2/...@v2.11.2); replace this
with installing the official published binary (for example use the golangci-lint
GitHub release tarball and extract the v2.11.2 binary or use a maintained action
such as actions/setup-golangci-lint) and keep the "Lint" step
(working-directory: govulncheck-action, run: golangci-lint run ...) unchanged so
the job uses the reproducible released binary instead of a local go install
build.
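
The checksum step that the review comment above credits to the release installer, as an added example that is not code from this PR or from golangci-lint: a POSIX shell function that accepts an archive only when the checksum file holds exactly one entry for it and the SHA-256 matches. The function names, file names and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names and contents below are constructed.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_release ARCHIVE CHECKSUMS
# 0: exactly one entry for the archive's base name, and it matches.
# 1: digest mismatch.  2: no entry, or more than one (ambiguous).
verify_release() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    # Compare the file-name column exactly; a substring match would let
    # "tool.tar.gz.sig" satisfy a lookup for "tool.tar.gz".
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums")
    count=$(printf '%s' "$want" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "no unique checksum entry for $name (found $count)" >&2
        return 2
    fi
    if [ "$(sha256_of "$archive")" != "$want" ]; then
        echo "SHA-256 mismatch for $name" >&2
        return 1
    fi
}

# Exercise the three outcomes on constructed files; prints "0 1 2".
run_demo() {
    dir=$(mktemp -d)
    f="$dir/tool-0.0.0-linux-amd64.tar.gz"
    printf 'constructed archive bytes\n' > "$f"
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" > "$dir/checksums.txt"
    verify_release "$f" "$dir/checksums.txt" 2>/dev/null && good=0 || good=$?
    printf 'tampered\n' >> "$f"
    verify_release "$f" "$dir/checksums.txt" 2>/dev/null && bad=0 || bad=$?
    verify_release "$dir/absent.tar.gz" "$dir/checksums.txt" 2>/dev/null && gone=0 || gone=$?
    rm -rf "$dir"
    echo "$good $bad $gone"
}

run_demo
```

The check is only as trustworthy as the checksum file, so in CI the expected digest should come from a value recorded in the repository rather than from the same download as the archive.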

@mfrancisc mfrancisc merged commit b69e095 into codeready-toolchain:master Mar 9, 2026
5 checks passed
@mfrancisc mfrancisc deleted the upgradegovulncheck branch March 9, 2026 14:35