chore(deps): bump Go to 1.26.4 (GO-2026-5039, GO-2026-5037)

[kanywst]

Why

The vuln CI job (govulncheck) fails on the current go 1.26.3 toolchain due to two Go standard-library vulnerabilities, both fixed in go1.26.4:

Vuln	Package	Detail
GO-2026-5039	net/textproto	Arbitrary inputs included in errors without escaping
GO-2026-5037	crypto/x509	Inefficient candidate hostname parsing

Detection traces run through main.go fmt.Printf/fmt.Println (the --version/--help paths), so practical impact is minimal, but govulncheck exits non-zero and the job is red.

What

Bump the go directive in go.mod to 1.26.4. With go-version-file: go.mod in CI, setup-go then provisions the fixed toolchain.

Verification

Locally on go1.26.4: go vet ./..., go test ./..., and govulncheck ./... all pass — No vulnerabilities found.

This is independent of #3 (actions/checkout bump); that PR was red for the same vuln reason. Once this merges, rebasing #3 onto main turns it green.

Summary by CodeRabbit

• Chores
  • Updated Go toolchain version to 1.26.4.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d027e8ca-33c6-4f00-830d-89520bf1b2a6

📥 Commits

Reviewing files that changed from the base of the PR and between 1e1fb20 and 8e45292.

📒 Files selected for processing (1)

• go.mod

---

📝 Walkthrough

Walkthrough

The go.mod file is updated to declare Go 1.26.4 as the minimum toolchain version, replacing the previous 1.26.3 declaration. No module dependencies or other configuration changed.

Changes

Go Toolchain Update

Layer / File(s)	Summary
Go 1.26.4 upgrade go.mod	The go directive is updated from Go 1.26.3 to 1.26.4.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Poem

A rabbit hops with glee so bright, 🐰
Go's toolchain springs to newest height,
From point-three up to point-four we go,
A version bump, a minor flow!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: updating Go toolchain from 1.26.3 to 1.26.4 in go.mod. It is concise, specific, and includes relevant issue references.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/bump-go-1.26.4

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the Go version in the go.mod file from 1.26.3 to 1.26.4. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.