Skip to content

fix: harden toolchain and release integrity#103

Merged
RNT56 merged 1 commit into
mainfrom
task/security-release-hardening
Jul 12, 2026
Merged

fix: harden toolchain and release integrity#103
RNT56 merged 1 commit into
mainfrom
task/security-release-hardening

Conversation

@RNT56

@RNT56 RNT56 commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Summary

  • pin CI and release builds to patched Go 1.25.12 and upgrade golang.org/x/sys to 0.44.0
  • add a pinned govulncheck lane so reachable compiler/runtime or module vulnerabilities cannot merge green
  • make release publication fail closed unless all four platform binaries and matching checksums are present and valid
  • add four-target release and installer E2Es with negative controls for partial releases, missing checksums, and tampered binaries
  • refresh the public toolchain requirement and current-state snapshot

Why

The previous Go 1.25.0 pin was affected by reachable GO-2026-5856, and the latest published release omitted checksum assets even though the installer requires them. This closes both gaps at the release boundary and makes the protections permanent CI gates.

Verification

  • GOTOOLCHAIN=go1.25.12 make verify
  • GOTOOLCHAIN=go1.25.12 make test-race
  • GOTOOLCHAIN=go1.25.12 make tui-verify
  • pinned golangci-lint v2.12.2: 0 issues
  • pinned govulncheck v1.6.0: no vulnerabilities found
  • four-target CGO-free release E2E: all assets/checksums verified; partial release refused
  • installer E2E: valid install succeeds; missing checksum and tampered binary fail closed
  • git diff --check

Pin CI and releases to Go 1.25.12 and x/sys 0.44.0, add a pinned govulncheck lane, and make release publication fail closed on missing or corrupt assets. Add four-target release and installer E2Es covering successful install, partial releases, missing checksums, and tampered binaries; refresh public toolchain and state docs.
@RNT56 RNT56 marked this pull request as ready for review July 12, 2026 02:23
@RNT56 RNT56 merged commit 46808c2 into main Jul 12, 2026
9 checks passed
@RNT56 RNT56 deleted the task/security-release-hardening branch July 12, 2026 02:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant