Skip to content

chore(release): bump golang.org/x/image to v0.43.0 and attest build provenance#309

Merged
ion-alpha-dev merged 2 commits into
mainfrom
chore/bump-x-image-security
Jul 7, 2026
Merged

chore(release): bump golang.org/x/image to v0.43.0 and attest build provenance#309
ion-alpha-dev merged 2 commits into
mainfrom
chore/bump-x-image-security

Conversation

@ion-alpha-dev

Copy link
Copy Markdown
Collaborator

What

Two release-security changes:

  • Bump golang.org/x/image from v0.41.0 to v0.43.0. This is an indirect, unreachable dependency, so it is a go.mod/go.sum version bump only, with no code changes.
  • Generate a signed SLSA build-provenance attestation for the release archives and native packages in the release workflow, and attach it to the GitHub release as a flynn.intoto.jsonl asset.

Why

  • golang.org/x/image before v0.43.0 carries four known advisories (GO-2026-4961, GO-2026-5061, GO-2026-5062, GO-2026-5066) covering panics on malformed WEBP and TIFF input. Even though the package is not reachable from this module, pinning to a fixed version keeps the dependency graph free of known-vulnerable versions.
  • Build provenance records a verifiable statement that each release artifact was built from a specific commit by a specific workflow, checkable with gh attestation verify. actions/attest-build-provenance writes the attestation to GitHub's attestation store, which the signed-releases health check does not read; it scans release assets by name. Attaching the bundle as a *.intoto.jsonl asset makes the provenance discoverable to that check and to any downstream verifier.

How to verify

  • go build ./... and go vet ./... pass.
  • govulncheck ./... reports No vulnerabilities found. (before the bump it flagged the four advisories above).
  • git diff main -- go.mod go.sum shows only the golang.org/x/image bump.
  • Release workflow: .github/workflows/release.yml parses as valid YAML; the job gains attestations: write, runs actions/attest-build-provenance (pinned by SHA) over dist/*.{tar.gz,zip,deb,rpm,apk}, and uploads flynn.intoto.jsonl to the release. The provenance asset appears on the next tagged release.

Notes for reviewers

  • The provenance step takes effect on the next tagged release; it does not alter existing releases.
  • actions/attest-build-provenance is pinned to the v2 commit e8998f949152b193b063cb0ec769d69d929409be, matching the SHA-pinning convention used for the other actions in this workflow.

Clears four known advisories in golang.org/x/image (GO-2026-4961,
GO-2026-5061, GO-2026-5062, GO-2026-5066), covering panics on malformed
WEBP and TIFF input. The module is an indirect, unreachable dependency,
so this is a go.mod/go.sum version bump only with no code changes.
govulncheck reports no vulnerabilities after the bump.
Generate a signed SLSA build-provenance attestation for the release
archives and native packages with actions/attest-build-provenance, so
each artifact carries a verifiable statement of the commit and workflow
that built it (checkable with gh attestation verify).

The action stores the attestation in GitHub's attestation store, which
the signed-releases health check does not read; it scans release assets
by name. Attach the provenance bundle as a flynn.intoto.jsonl release
asset so that check and any downstream verifier can find it. Takes
effect on the next tagged release.
@ion-alpha-dev ion-alpha-dev merged commit 716ba5c into main Jul 7, 2026
16 checks passed
@ion-alpha-dev ion-alpha-dev deleted the chore/bump-x-image-security branch July 7, 2026 05:54
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 7, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant