Remove orphaned submodule and update Go toolchain to 1.25.6

[Copilot]

CI failing on PR #10 due to orphaned git submodule reference causing cleanup errors and govulncheck detecting vulnerabilities in Go 1.25.5 stdlib.

Changes

• Removed orphaned submodule: canva-connect-api-starter-kit was tracked as submodule (mode 160000) without corresponding .gitmodules entry, causing fatal: No url found for submodule path during git operations

• Updated Go toolchain: 1.25.5 → 1.25.6 in go.mod to address stdlib vulnerabilities:

  • GO-2026-4342 (archive/zip): memory exhaustion
  • GO-2026-4341 (net/url): query parameter parsing
  • GO-2026-4340 (crypto/tls): handshake encryption level

Notes

Remaining govulncheck findings (out of scope):

• github.com/sigstore/timestamp-authority@v1.2.8 (no fix available)
• github.com/cli/cli/v2 application vulnerabilities (require separate patches)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• vuln.go.dev
  • Triggering command: /home/REDACTED/go/bin/govulncheck /home/REDACTED/go/bin/govulncheck ./... (dns block)
  • Triggering command: /home/REDACTED/go/bin/govulncheck /home/REDACTED/go/bin/govulncheck -version (dns block)
  • Triggering command: /home/REDACTED/go/bin/govulncheck /home/REDACTED/go/bin/govulncheck ./... -D_FORTIFY_SOURCE=3 -quiet -dumpdir (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Problem

The lint workflow is failing on PR #10 (https://github.com/darkangelpraha/cli/actions/runs/21548304203/job/62093081720) with two issues:

Issue 1: Govulncheck Failure

The govulncheck job is failing with exit code 3 because it found 7 vulnerabilities from 2 modules and the Go standard library. The log shows:

Your code is affected by 7 vulnerabilities from 2 modules and the Go standard library.
exit status 3

Issue 2: Git Submodule Configuration Error

During the post-job cleanup, there's a fatal error:

fatal: No url found for submodule path 'canva-connect-api-starter-kit' in .gitmodules

The file canva-connect-api-starter-kit exists in the repository root but appears to be registered as a git submodule without proper configuration in .gitmodules.

Solution Required

1. Fix the git submodule issue: Remove the canva-connect-api-starter-kit from git's submodule tracking since there's no .gitmodules file. This appears to be a stray submodule reference that should be cleaned up.

2. Update dependencies: After cleaning up the submodule, run go mod tidy to ensure all Go dependencies are properly updated and check if the govulncheck issues are resolved by the updated dependencies in this PR (which updates github.com/sigstore/rekor from 1.3.10 to 1.5.0 with vulnerability fixes).

3. Verify: Ensure the workflow passes after these fixes.

Files to Modify

• Remove the git submodule reference for canva-connect-api-starter-kit
• Run go mod tidy to update dependencies
• Potentially update go.mod and go.sum if needed

Base Branch

Work on branch: dependabot/go_modules/github.com/sigstore/rekor-1.5.0

This pull request was created from Copilot chat.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

---

Continue Tasks: ❌ 1 failed — View all