= 1.26.4 (running go 1.26.3; GOTOOLCHAIN=local)". Bump the defaults to 1.26.4."> phpboyscout/cicd v0.11.2 — bump default Go image to 1.26.4 - phpboyscout/cicd
Skip to content

Spec: phpboyscout/cicd v0.11.2 — default Go image → 1.26.4

  • Repository: gitlab.com/phpboyscout/cicd
  • Released as: v0.11.2 (patch — a fix: the default toolchain image no longer satisfies current go.mod requirements).
  • Driver: the cicd-ref bump round surfaced this on haileys-app (krites), which deliberately uses the component defaults (no image override). Its go-test failed: go.mod requires go >= 1.26.4 (running go 1.26.3; GOTOOLCHAIN=local). go-tool-base/keyrx avoided this only by overriding the image to golang:1.26.4-bookworm.

Decision

D1 — Bump the golang:1.26.3-bookworm defaults to 1.26.4

  • go-test: input image default → golang:1.26.4-bookworm.
  • go-security: input govulncheck_image default → golang:1.26.4-bookworm (govulncheck builds the import graph, so it needs a toolchain matching go.mod just like go-test).

go-lint is unaffected — it runs the golangci/golangci-lint:v2.12.2 image, which bundles its own (1.26.x) Go.

Non-breaking: consumers overriding the image (go-tool-base, keyrx) are unchanged; consumers on the default (haileys-app) start passing; new consumers get a toolchain matching modern go.mod. Consumers pinning an older Go in go.mod can still override downward.

D2 — goreleaser is a separate, deferred concern

goreleaser resolves its Go from the goreleaser/goreleaser:v2.16.0 image (bundles 1.26.3) with gotoolchain: local, not from a golang:1.26.3 default — so it is out of scope for this patch. A consumer releasing a toolchain go1.26.4 project on the default goreleaser config will hit the same mismatch at tag time; the fix there is either a goreleaser image that bundles 1.26.4 or gotoolchain: go1.26.4 (as go-tool-base/keyrx already set). Tracked as follow-up, not part of v0.11.2 (it does not block the MR-time gates).

D3 — Versioning

A non-breaking default change → v0.11.2 (patch). Consumers on the preset pick it up via Renovate; haileys-app is re-pinned to v0.11.2 so its bump MR goes green.

Follow-up

  • Re-pin haileys-app (krites) to @v0.11.2 so its go-test / go-security pass on the new default.
  • goreleaser toolchain (D2) — decide between a 1.26.4-bundling image default and gotoolchain: auto/go1.26.4.
  • Once defaults are 1.26.4, go-tool-base / keyrx can drop their per-repo image / govulncheck_image overrides (cleanup).