chore(release): bump golang.org/x/image to v0.43.0 and attest build provenance#309
Merged
Conversation
Clears four known advisories in golang.org/x/image (GO-2026-4961, GO-2026-5061, GO-2026-5062, GO-2026-5066), covering panics on malformed WEBP and TIFF input. The module is an indirect, unreachable dependency, so this is a go.mod/go.sum version bump only with no code changes. govulncheck reports no vulnerabilities after the bump.
Generate a signed SLSA build-provenance attestation for the release archives and native packages with actions/attest-build-provenance, so each artifact carries a verifiable statement of the commit and workflow that built it (checkable with gh attestation verify). The action stores the attestation in GitHub's attestation store, which the signed-releases health check does not read; it scans release assets by name. Attach the provenance bundle as a flynn.intoto.jsonl release asset so that check and any downstream verifier can find it. Takes effect on the next tagged release.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Two release-security changes:
golang.org/x/imagefromv0.41.0tov0.43.0. This is an indirect, unreachable dependency, so it is ago.mod/go.sumversion bump only, with no code changes.flynn.intoto.jsonlasset.Why
golang.org/x/imagebeforev0.43.0carries four known advisories (GO-2026-4961,GO-2026-5061,GO-2026-5062,GO-2026-5066) covering panics on malformed WEBP and TIFF input. Even though the package is not reachable from this module, pinning to a fixed version keeps the dependency graph free of known-vulnerable versions.gh attestation verify.actions/attest-build-provenancewrites the attestation to GitHub's attestation store, which the signed-releases health check does not read; it scans release assets by name. Attaching the bundle as a*.intoto.jsonlasset makes the provenance discoverable to that check and to any downstream verifier.How to verify
go build ./...andgo vet ./...pass.govulncheck ./...reportsNo vulnerabilities found.(before the bump it flagged the four advisories above).git diff main -- go.mod go.sumshows only thegolang.org/x/imagebump..github/workflows/release.ymlparses as valid YAML; the job gainsattestations: write, runsactions/attest-build-provenance(pinned by SHA) overdist/*.{tar.gz,zip,deb,rpm,apk}, and uploadsflynn.intoto.jsonlto the release. The provenance asset appears on the next tagged release.Notes for reviewers
actions/attest-build-provenanceis pinned to thev2commite8998f949152b193b063cb0ec769d69d929409be, matching the SHA-pinning convention used for the other actions in this workflow.