Merge upstream updates from Google (RA-8661 → RA-8279) by himaschal · Pull Request #16 · digicert/certificate-transparency-go

himaschal · 2026-01-20T13:04:26Z

Summary

This PR merges ~6 months of upstream updates from Google's certificate-transparency-go repository while preserving all OpenTelemetry instrumentation and DigiCert-specific customizations from RA-8279.

Changes (20 commits, 26 files)

Major Updates

Go Upgrade: 1.23 → 1.24
Dependency Updates: Go modules, Docker images
Log Filtering: Enhanced CT log compatibility logging
Client Improvements: More robust error handling in jsonclient
Protocol Buffers: Regenerated with updated compiler

Impact on RA-8279 Features

✅ OpenTelemetry integration preserved
✅ CTFE handlers retain instrumentation
⚠️ Go 1.24 upgrade may introduce new behaviors
⚠️ Proto regeneration may affect serialization

Verification

✅ Clean Run 12.0 completed successfully
✅ Dependency versions verified (ctutils v0.1.25-test)
✅ OTel trace propagation validated with Jaeger

⚠️ Pre-Merge Requirements

IMPORTANT: This branch uses test reference branches for CI/CD workflows.

Before merging to master, the following workflow files must be updated to target production branches:

Automated dependency update workflows currently target RA-8661_apply_updates_from_google

These must be changed to target master or appropriate production branch

Action Required: Review and update workflow base branch targets post-approval, pre-merge.

Production Readiness

Note: RA-8661 may be deployed to production instead of RA-8279 if upstream updates are prioritized.

Testing

See: https://digicertinc.atlassian.net/wiki/spaces/~7120204df6290675f64a1694751af63e1592d3/pages/8066859024/RA-8661+Integrate+Google+changes+into+CTLog)

* ctfe: Enforce max request body size with http.MaxBytesHandler Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update returned statusCode, update handlers_test Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update CHANGELOG.md Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> * update MaxHeaderBytes: 128KB, update handlers.go errors handling Signed-off-by: Firas Ghanmi <fghanmi@redhat.com> --------- Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

…google#1723) Bumps the all-deps group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 3.29.2 to 3.29.5 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@181d5ee...51f7732) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…e#1722) Bumps the docker-deps group with 1 update in the /integration directory: golang. Bumps the docker-deps group with 2 updates in the /internal/witness/cmd/feeder directory: golang and alpine. Bumps the docker-deps group with 1 update in the /internal/witness/cmd/witness directory: golang. Bumps the docker-deps group with 1 update in the /trillian/examples/deployment/docker/ctfe directory: golang. Bumps the docker-deps group with 1 update in the /trillian/examples/deployment/docker/envsubst directory: alpine. Updates `golang` from 1.24.4-bookworm to 1.24.5-bookworm Updates `golang` from 1.24.4-bookworm to 1.24.5-bookworm Updates `alpine` from `8a1f59f` to `4bcff63` Updates `golang` from 1.24.4-bookworm to 1.24.5-bookworm Updates `golang` from 1.24.4-bookworm to 1.24.5-bookworm Updates `alpine` from `8a1f59f` to `4bcff63` --- updated-dependencies: - dependency-name: golang dependency-version: 1.24.5-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.24.5-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: alpine dependency-version: '3.22' dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.24.5-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.24.5-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: alpine dependency-version: '3.22' dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…e#1727) Bumps the docker-deps group with 1 update in the /integration directory: golang. Bumps the docker-deps group with 1 update in the /internal/witness/cmd/feeder directory: golang. Bumps the docker-deps group with 1 update in the /internal/witness/cmd/witness directory: golang. Bumps the docker-deps group with 2 updates in the /trillian/examples/deployment/docker/ctfe directory: golang and distroless/base-debian12. Updates `golang` from 1.24.5-bookworm to 1.25.0-bookworm Updates `golang` from 1.24.5-bookworm to 1.25.0-bookworm Updates `golang` from 1.24.5-bookworm to 1.25.0-bookworm Updates `golang` from 1.24.5-bookworm to 1.25.0-bookworm Updates `distroless/base-debian12` from `201ef91` to `d605e13` --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.0-bookworm dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.0-bookworm dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.0-bookworm dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.0-bookworm dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-deps - dependency-name: distroless/base-debian12 dependency-version: d605e138bb398428779e5ab490a6bbeeabfd2551bd919578b1044718e5c30798 dependency-type: direct:production dependency-group: docker-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump the all-deps group with 2 updates Bumps the all-deps group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 4.2.2 to 5.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...08c6903) Updates `github/codeql-action` from 3.29.7 to 3.30.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@51f7732...2d92b76) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-deps - dependency-name: github/codeql-action dependency-version: 3.30.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-deps ... Signed-off-by: dependabot[bot] <support@github.com> * Fix incorrect version comment --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Roger Ng <rogerng@google.com>

Bumps the all-deps group with 3 updates: [github/codeql-action](https://github.com/github/codeql-action), [actions/setup-go](https://github.com/actions/setup-go) and [ossf/scorecard-action](https://github.com/ossf/scorecard-action). Updates `github/codeql-action` from 3.30.0 to 3.30.5 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@2d92b76...3599b3b) Updates `actions/setup-go` from 5.5.0 to 6.0.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@d35c59a...4469467) Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@05b42c6...4eaacf0) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-deps - dependency-name: actions/setup-go dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-deps - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…e#1732) Bumps the docker-deps group with 1 update in the /integration directory: golang. Bumps the docker-deps group with 1 update in the /internal/witness/cmd/feeder directory: golang. Bumps the docker-deps group with 1 update in the /internal/witness/cmd/witness directory: golang. Bumps the docker-deps group with 2 updates in the /trillian/examples/deployment/docker/ctfe directory: golang and distroless/base-debian12. Updates `golang` from 1.25.0-bookworm to 1.25.1-bookworm Updates `golang` from 1.25.0-bookworm to 1.25.1-bookworm Updates `golang` from 1.25.0-bookworm to 1.25.1-bookworm Updates `golang` from 1.25.0-bookworm to 1.25.1-bookworm Updates `distroless/base-debian12` from `d605e13` to `fa15492` --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.1-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.1-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.1-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.1-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: distroless/base-debian12 dependency-version: fa15492938650e1a5b87e34d47dc7d99a2b4e8aefd81b931b3f3eb6bb4c1d2f6 dependency-type: direct:production dependency-group: docker-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…1734) * adding some additional log messages around CT log compatibility to debug CT submission issue * fixing copy paste misses * i forgot to add these files to the push * log the initial list of log URLs from the rootpool * Set verbosity for compatability log messages to 1 and update log message contents * fix name to operator instead of ctlog when iterating through the operators * fix other variable names. I got too excited and pushed early --------- Co-authored-by: breadyzhang <zhangfreddy@google.com>

…e#1737) Bumps the docker-deps group with 1 update in the /integration directory: golang. Bumps the docker-deps group with 2 updates in the /internal/witness/cmd/feeder directory: golang and alpine. Bumps the docker-deps group with 1 update in the /internal/witness/cmd/witness directory: golang. Bumps the docker-deps group with 2 updates in the /trillian/examples/deployment/docker/ctfe directory: golang and distroless/base-debian12. Bumps the docker-deps group with 1 update in the /trillian/examples/deployment/docker/envsubst directory: alpine. Updates `golang` from 1.25.1-bookworm to 1.25.3-bookworm Updates `golang` from 1.25.1-bookworm to 1.25.3-bookworm Updates `alpine` from `4bcff63` to `4b7ce07` Updates `golang` from 1.25.1-bookworm to 1.25.3-bookworm Updates `golang` from 1.25.1-bookworm to 1.25.3-bookworm Updates `distroless/base-debian12` from `fa15492` to `9e9b50d` Updates `alpine` from `4bcff63` to `4b7ce07` --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.3-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.3-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: alpine dependency-version: '3.22' dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.3-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.3-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: distroless/base-debian12 dependency-version: 9e9b50d2048db3741f86a48d939b4e4cc775f5889b3496439343301ff54cdba8 dependency-type: direct:production dependency-group: docker-deps - dependency-name: alpine dependency-version: '3.22' dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the all-deps group with 2 updates: [github/codeql-action](https://github.com/github/codeql-action) and [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `github/codeql-action` from 3.30.5 to 4.31.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@3599b3b...0499de3) Updates `actions/upload-artifact` from 4.6.2 to 5.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...330a01c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-deps - dependency-name: actions/upload-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…oogle#1741) TestPostAndParse depends on the exact text of errors returned by encoding/json. The text of some of these error changes when GOEXPERIMENT=jsonv2 is set, causing the test to fail. Change the test to not depend on the text of errors that are not contained in this module.

* add instructions to re-generate mocks and protos * fix instructions * add cmd deps in tools * fix Dockerfile

…#1744) Bumps the docker-deps group with 1 update in the /integration directory: golang. Bumps the docker-deps group with 1 update in the /internal/witness/cmd/feeder directory: golang. Bumps the docker-deps group with 1 update in the /internal/witness/cmd/witness directory: golang. Bumps the docker-deps group with 1 update in the /trillian/examples/deployment/docker/ctfe directory: golang. Updates `golang` from 1.25.3-bookworm to 1.25.4-bookworm Updates `golang` from 1.25.3-bookworm to 1.25.4-bookworm Updates `golang` from 1.25.3-bookworm to 1.25.4-bookworm Updates `golang` from 1.25.3-bookworm to 1.25.4-bookworm --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.4-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.4-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.4-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.4-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…e#1750) Bumps the docker-deps group with 1 update in the /integration directory: golang. Bumps the docker-deps group with 2 updates in the /internal/witness/cmd/feeder directory: golang and alpine. Bumps the docker-deps group with 1 update in the /internal/witness/cmd/witness directory: golang. Bumps the docker-deps group with 2 updates in the /trillian/examples/deployment/docker/ctfe directory: golang and distroless/base-debian12. Bumps the docker-deps group with 1 update in the /trillian/examples/deployment/docker/envsubst directory: alpine. Updates `golang` from 1.25.4-bookworm to 1.25.5-bookworm Updates `golang` from 1.25.4-bookworm to 1.25.5-bookworm Updates `alpine` from 3.22 to 3.23 Updates `golang` from 1.25.4-bookworm to 1.25.5-bookworm Updates `golang` from 1.25.4-bookworm to 1.25.5-bookworm Updates `distroless/base-debian12` from `9e9b50d` to `f5a3067` Updates `alpine` from 3.22 to 3.23 --- updated-dependencies: - dependency-name: golang dependency-version: 1.25.5-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.5-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: alpine dependency-version: '3.23' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.5-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: golang dependency-version: 1.25.5-bookworm dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-deps - dependency-name: distroless/base-debian12 dependency-version: f5a3067027c2b322cd71b844f3d84ad3deada45ceb8a30f301260a602455070e dependency-type: direct:production dependency-group: docker-deps - dependency-name: alpine dependency-version: '3.23' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the all-deps group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `5.0.0` | `6.0.1` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.31.2` | `4.31.9` | | [actions/setup-go](https://github.com/actions/setup-go) | `6.0.0` | `6.1.0` | | [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | `8.0.0` | `9.2.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `5.0.0` | `6.0.0` | Updates `actions/checkout` from 5.0.0 to 6.0.1 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@08c6903...8e8c483) Updates `github/codeql-action` from 4.31.2 to 4.31.9 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@0499de3...5d4e8d1) Updates `actions/setup-go` from 6.0.0 to 6.1.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4469467...4dc6199) Updates `golangci/golangci-lint-action` from 8.0.0 to 9.2.0 - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@4afd733...1e7e51e) Updates `actions/upload-artifact` from 5.0.0 to 6.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@330a01c...b7c566a) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-deps - dependency-name: github/codeql-action dependency-version: 4.31.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-deps - dependency-name: actions/setup-go dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-deps - dependency-name: golangci/golangci-lint-action dependency-version: 9.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-deps - dependency-name: actions/upload-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-deps ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…h. Removed our branch from push trigger so it does not fire.

…o RA-8661_apply_updates_from_google # Conflicts: # .github/workflows/codeql.yml # .github/workflows/golangci-lint.yml # trillian/ctfe/ct_server/main.go

fghanmi and others added 19 commits January 23, 2026 12:09

Bump Go from 1.23 to 1.24 (google#1733)

1fa82d7

Update instructions to generate protos (google#1742)

c30e695

* add instructions to re-generate mocks and protos * fix instructions * add cmd deps in tools * fix Dockerfile

regenerate protos (google#1743)

579e725

chore(ci): update update-ctutils workflow to target RA-8661

8f43b81

chore: Remove extraneous blank lines from update-ctutils workflow.

e86e90f

himaschal force-pushed the RA-8661_apply_updates_from_google branch from e5437f9 to e86e90f Compare January 23, 2026 10:21

himaschal added 3 commits January 23, 2026 12:23

Fix build error: explicitly type wrappedHandler as http.Handler

e9ea82b

RA-8661: scorecard supply-chain security only applies on master branc…

76de232

…h. Removed our branch from push trigger so it does not fire.

Merge branch 'RA-8279_improve_application_visibility_timing_logs' int…

a99fdaf

…o RA-8661_apply_updates_from_google # Conflicts: # .github/workflows/codeql.yml # .github/workflows/golangci-lint.yml # trillian/ctfe/ct_server/main.go

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge upstream updates from Google (RA-8661 → RA-8279)#16

Merge upstream updates from Google (RA-8661 → RA-8279)#16
himaschal wants to merge 22 commits intoRA-8279_improve_application_visibility_timing_logsfrom
RA-8661_apply_updates_from_google

himaschal commented Jan 20, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

himaschal commented Jan 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Changes (20 commits, 26 files)

Major Updates

Impact on RA-8279 Features

Verification

⚠️ Pre-Merge Requirements

Production Readiness

Testing

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

himaschal commented Jan 20, 2026 •

edited

Loading