chore(deps): bump golang from 1.26.2-alpine3.22 to 1.26.3-alpine3.22#254

Merged
jmeridth merged 2 commits into
mainfrom
dependabot/docker/golang-1.26.3-alpine3.22
May 23, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 7, 2026

Bumps golang from 1.26.2-alpine3.22 to 1.26.3-alpine3.22.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps golang from 1.26.2-alpine3.22 to 1.26.3-alpine3.22.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.26.3-alpine3.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 7, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 7, 2026 21:13
@jmeridth
Member

jmeridth commented May 8, 2026

We need to bump go.mod also

## What

Add a workflow that runs on PRs touching the Dockerfile, comparing the golang
base-image patch version to the `go` directive in go.mod. Dependabot Docker
bumps that desync the two are auto-synced via a follow-up commit; human-authored
PRs that desync them fail the check with a fix-it annotation. Also bumps go.mod
from 1.26.2 to 1.26.3 to align with the current Dockerfile.

## Why

Dependabot's gomod ecosystem deliberately ignores the `go` directive, so a
Docker golang bump leaves go.mod stale. CI uses `go-version-file: go.mod` for
its toolchain, so the local build and the container build silently drift apart.
The workflow makes the two versions a single enforced invariant without
switching off Dependabot.

## Notes

- The auto-sync commit is pushed with GITHUB_TOKEN, which by design does not
  re-trigger CI on the new commit. Other CI workflows (ci.yml, etc.) will not
  re-run after the sync; only this workflow re-runs and confirms the match.
  Swap to a PAT if full CI re-validation on the synced commit is required.
- Dependabot abandons PRs that receive out-of-band commits, so once we push the
  sync commit Dependabot will stop rebasing the PR. Acceptable for a single-shot
  version bump, but worth knowing.
- The sync-vs-fail branching is gated on `github.actor == 'dependabot[bot]'`
  AND a `dependabot/docker/golang/*` head ref. A compromised dependabot
  account could in principle abuse the write token, but the scope is limited
  to `go mod edit -go=` on the dependabot branch only.
- Permissions block follows least-privilege (`contents: write` only on the
  sync job, nothing at workflow level).

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth
Member

Sync workflow won't fire until it's on main.

@jmeridth
Member

.github/workflows/sync-go-version.yaml — new workflow. On any PR that touches Dockerfile:

  • Extracts the golang patch version from the FROM golang:X.Y.Z-alpine... line
  • Compares to go mod edit -json | jq .Go
  • Match → pass
  • Differ + actor is dependabot on a dependabot/docker/golang/* branch → runs go mod edit -go=X.Y.Z, commits as github-actions[bot], pushes
  • Differ + human actor → fails the check with ::error file=go.mod::... annotation including the exact go mod edit command to fix it
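
The check described in this comment and in the "What" section of the commit message above, as an added POSIX sh example; it is not the repository's sync-go-version.yaml. Assumptions: the real workflow reads go.mod with `go mod edit -json | jq .Go` and repairs it with `go mod edit -go=X.Y.Z`; here both are replaced by text edits on go.mod so the script runs without a Go toolchain or jq. The Dockerfile and go.mod fixture are constructed, and the branch glob `dependabot/docker/golang/*` is copied from the description.

```shell
#!/bin/sh
# Added example, not the repository's sync-go-version.yaml: the Dockerfile /
# go.mod version check as plain POSIX sh. Assumption: `go mod edit -json | jq .Go`
# and `go mod edit -go=` are stood in for by text edits, so no Go toolchain or
# jq is needed to run it.

# X.Y.Z from the first `FROM [--platform=...] [registry/]golang:X.Y.Z-...` line.
dockerfile_go_version() {
  sed -n -E 's#^FROM[[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?([^[:space:]]*/)?golang:([0-9]+\.[0-9]+\.[0-9]+).*#\3#p' "$1" | head -n 1
}

# The `go` directive of a go.mod (may be X.Y or X.Y.Z).
gomod_go_version() {
  sed -n -E 's/^go[[:space:]]+([0-9]+\.[0-9]+(\.[0-9]+)?)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Stand-in for `go mod edit -go=$2`: rewrite the go directive in place.
sync_gomod() {
  tmp="$1.tmp"
  sed -E "s/^go[[:space:]]+[0-9.]+[[:space:]]*\$/go $2/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Verdict for one PR: pass | sync | fail. Exit status 2 only when parsing fails.
# Sync is reserved for Dependabot on its own docker/golang branch, per the
# `github.actor == 'dependabot[bot]'` AND head-ref gate described above.
decide() {
  want=$(dockerfile_go_version "$1")
  have=$(gomod_go_version "$2")
  actor=$3
  head_ref=$4
  if [ -z "$want" ] || [ -z "$have" ]; then
    echo "could not parse a golang version from $1 or a go directive from $2" >&2
    return 2
  fi
  if [ "$want" = "$have" ]; then
    echo pass
    return 0
  fi
  # The branch deleted on this page is dependabot/docker/golang-1.26.3-alpine3.22,
  # which the golang/* glob quoted in the description would not match; verify the
  # prefix against real Dependabot branch names before relying on the sync path.
  case "$actor:$head_ref" in
    'dependabot[bot]:dependabot/docker/golang/'*) echo sync ;;
    *) echo fail ;;
  esac
}

# CI entry point: run_check Dockerfile go.mod "$GITHUB_ACTOR" "$GITHUB_HEAD_REF"
run_check() {
  verdict=$(decide "$@") || exit 2
  want=$(dockerfile_go_version "$1")
  have=$(gomod_go_version "$2")
  case "$verdict" in
    pass) echo "go.mod and Dockerfile both use Go $want" ;;
    sync) sync_gomod "$2" "$want"
          echo "synced go.mod to go $want (the workflow commits and pushes at this point)" ;;
    fail) # GitHub Actions annotation carrying the exact fix, as the workflow emits
          echo "::error file=go.mod::go directive is $have but Dockerfile builds with golang $want. Run: go mod edit -go=$want"
          exit 1 ;;
  esac
}

# Constructed fixture (not the repository's files): Dockerfile already bumped,
# go.mod still one patch behind, which is the desync a Dependabot Docker bump leaves.
make_fixture() {
  dir=$(mktemp -d)
  printf 'FROM golang:1.26.3-alpine3.22 AS build\nWORKDIR /src\n' > "$dir/Dockerfile"
  printf 'module example.com/app\n\ngo 1.26.2\n' > "$dir/go.mod"
  echo "$dir"
}

# Usage: d=$(make_fixture); run_check "$d/Dockerfile" "$d/go.mod" octocat feature/x
```

Exact string comparison is deliberate: a go.mod that still says `go 1.26` will differ from a `1.26.3` base image and be flagged, which is the invariant the workflow enforces. The sync branch only edits the `go` directive, matching the limited blast radius the commit message's notes describe for the write token.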

@jmeridth jmeridth merged commit 7d5e157 into main May 23, 2026
12 checks passed
@jmeridth jmeridth deleted the dependabot/docker/golang-1.26.3-alpine3.22 branch May 23, 2026 12:52

Labels

dependencies Pull requests that update a dependency file maintenance

2 participants