Decouple CI Go version from module minimum#726

Merged
rdimitrov merged 4 commits into master from use-toolchain-directive
Apr 6, 2026
rdimitrov (Contributor) commented Mar 29, 2026

The following PR:

  • Lower the go directive in go.mod to 1.25.0 (minimum version consumers need)
  • Switch all CI workflows from go-version-file: 'go.mod' to go-version: 'stable'
  • Add oldstable and stable Go version matrix to the test workflow for cross-version validation

This follows Go's recommended pattern for libraries: declare the minimum supported version in go.mod and let consumers control their own toolchain. No toolchain directive or .go-version file needed.

Alternative approach to #722

See also: #722

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
@rdimitrov rdimitrov requested a review from a team as a code owner March 29, 2026 16:50
Copilot AI review requested due to automatic review settings March 29, 2026 16:50
Copilot AI left a comment

Pull request overview

Updates the module’s Go versioning strategy to separate the minimum supported Go version for consumers from the Go toolchain version used in CI/development, using Go’s native toolchain directive.

Changes:

  • Lower the go directive from 1.25.5 to 1.25.0.
  • Add toolchain go1.25.8 to pin the intended CI/dev toolchain.

Add a Go version matrix to the test workflow using the oldstable and
stable aliases from actions/setup-go. This validates compatibility
across the two most recent Go release series without hardcoding
versions or requiring manual updates.

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
@rdimitrov rdimitrov changed the title from "go.mod: use toolchain directive to decouple CI version from minimum" to "Decouple CI Go version from module minimum using toolchain directive" Mar 29, 2026
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
@rdimitrov rdimitrov changed the title from "Decouple CI Go version from module minimum using toolchain directive" to "Decouple CI Go version from module minimum" Mar 29, 2026
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
@rdimitrov
Contributor Author

@kommendorkapten - Thanks! I'll wait a couple of days before we merge it so the other folks from #722 can have time to look and provide feedback in case they have any 👍

@rdimitrov rdimitrov merged commit fa94ec0 into master Apr 6, 2026
26 checks passed
@rdimitrov rdimitrov deleted the use-toolchain-directive branch April 6, 2026 12:37
rdimitrov added a commit to stacklok/toolhive-registry-server that referenced this pull request Apr 8, 2026
## Summary

- Switch all CI workflows from `go-version-file: 'go.mod'` to
`go-version: 'stable'` so CI always uses the latest stable Go release
- Eliminates mechanical patch-bump PRs every time a new Go patch is
released
- Ensures shipped artifacts (binaries, images) always include the latest
Go security patches
- Fixes failing govulncheck CI — the stdlib vulnerabilities
(GO-2026-4946, 4947, 4870, 4869, 4866, 4865) are fixed in Go 1.26.2
which `stable` picks up automatically

## Context

We've been pinning Go to the patch version in `go.mod` (e.g., `go
1.26.1`), which couples the CI Go version to `go.mod` and requires a PR
for every Go patch release. This decouples them:

- **`go.mod`** declares the minimum Go version the module needs
(unchanged for now — blocked on upstream dependencies like `toolhive`
which also patch-pin)
- **CI** always uses the latest stable Go, independent of what `go.mod`
declares
- **Enterprise `go.work`** continues to control the exact Go version for
the workspace build

Similar approach to theupdateframework/go-tuf#726.

### Follow-up (blocked on upstream)

Once `toolhive` and other leaf dependencies drop their patch pins, we
can also update `go.mod` to use `go 1.26` (minor only) + `toolchain
go1.26.1`. Currently `go mod tidy` reverts this because
`toolhive@v0.15.0` requires `go 1.26.1`.

## Test plan

- [ ] CI passes on this branch with `go-version: 'stable'`
- [ ] govulncheck passes (stdlib vulns fixed by Go 1.26.2)
- [ ] Verify `govulncheck` workflow uses `go-version-input: 'stable'`
correctly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
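
The workflow pattern described in the pull request and in the referencing commit, sketched as an added example (not taken from either repository; the job names, the `go version` step and the action version tags are assumptions):

```yaml
# Added illustration; job names and action version tags are assumptions.
name: test
on: [push, pull_request]
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Aliases resolved by actions/setup-go: the two most recent
        # Go release series, with no hardcoded version numbers.
        go-version: [oldstable, stable]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          # Before: go-version-file: 'go.mod'
          # (CI toolchain tied to whatever go.mod declares)
          go-version: ${{ matrix.go-version }}
      # Record the resolved toolchain so each run is traceable to an exact Go version.
      - run: go version
      - run: go test ./...

  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: golang/govulncheck-action@v1
        with:
          # Scan against the latest stable standard library rather than
          # the version named in go.mod.
          go-version-input: stable
          go-package: ./...
```

Because `stable` floats, the logged `go version` output is what ties a given CI run or built artifact to the toolchain that produced it.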