Bump Go and x/net for GO-2026-4918

[simonsmallchua]

Summary

• Bumps Go to 1.26.3 and golang.org/x/net to v0.53.0 to clear GO-2026-4918 (HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite-loop) flagged by govulncheck.
• Probe PR: also exercises review-app migration CI on a fresh branch off main, per #377.

Test plan

• govulncheck reports no actionable vulnerabilities locally
• Review-app workflow provisions Supabase preview branch without schema_migrations_pkey duplicate-key error
• Fly review apps deploy

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

Summary by CodeRabbit

• Bug Fixes

  • Resolved an HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite-loop to improve network stability.

• Chores

  • Upgraded Go toolchain to 1.26.3 across builds, CI, and images.
  • Updated networking and related dependencies for security and compatibility.
  • Split pool-reconciliation into dedicated CI jobs and reduced review-app pool targets from 10/5 to 3/3 (prod unchanged).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9037815c-7ba8-4834-924d-f1b8c9c75479

📥 Commits

Reviewing files that changed from the base of the PR and between 96c7de4 and 6185a6b.

📒 Files selected for processing (3)

• .github/workflows/fly-deploy.yml
• .github/workflows/review-apps.yml
• CHANGELOG.md

✅ Files skipped from review due to trivial changes (1)

• CHANGELOG.md

---

📝 Walkthrough

Walkthrough

Bumps Go toolchain to 1.26.3 and golang.org/x/net to v0.53.0, updates transitive golang.org/x modules, updates CI setup-go versions and Docker builder images, extracts Fly pool reconciliation into dedicated jobs and reduces review-app pool targets, and adds an Unreleased changelog entry.

Changes

Dependency & Toolchain Security Update

Layer / File(s)	Summary
Go Toolchain & Direct Dependency go.mod	Module go directive updated 1.26.2 → 1.26.3; golang.org/x/net bumped v0.52.0 → v0.53.0.
Transitive Dependencies go.mod	Indirect golang.org/x updates: x/crypto v0.49.0 → v0.50.0, x/sys v0.42.0 → v0.43.0, x/text v0.35.0 → v0.36.0.
CI Workflows .github/workflows/test.yml	All actions/setup-go usages updated to install Go 1.26.3 (lint, format, unit-tests, integration-tests, coverage-report).
Dockerfiles (builder stages) Dockerfile, Dockerfile.analysis	Builder base images updated from golang:1.26.2-alpine → golang:1.26.3-alpine.
Fly Deploy Jobs .github/workflows/fly-deploy.yml	Removed inline pool reconciliation from release-* jobs; added reconcile-analysis-pool and reconcile-worker-pool jobs; rewired autoscaler release jobs to depend on reconcile jobs.
Review-apps Workflow .github/workflows/review-apps.yml	Extracted pool reconciliation into dedicated reconcile jobs and lowered review-app pool top-up targets from 10/5 → 3/3; autoscaler jobs now depend on reconcile jobs.
Changelog Documentation CHANGELOG.md	Added Unreleased bullets documenting Go 1.26.3 and golang.org/x/net v0.53.0 bump (referencing GO-2026-4918) and the CI reconcile split with updated review-app pool targets.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Good-Native/hover#361: Related changes touching Fly deployment and review-apps workflow rearrangement.

Poem

🐰 A hop through patch and tag so spry,
go versions lifted, vulnerabilities shy,
CI jobs tidy, pools trimmed to three,
changelog whispers what once came to be,
build and deploy — a safer sky.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Bump Go and x/net for GO-2026-4918' accurately reflects the main change: upgrading Go to 1.26.3 and golang.org/x/net to v0.53.0 to address a security vulnerability. The title is concise, specific, and clearly summarizes the primary change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch work/interesting-merkle-004c74

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[supabase]

Updates to Preview Branch (work/interesting-merkle-004c74) ↗︎

Deployments	Status	Updated
Database	✅	Sat, 09 May 2026 02:37:39 UTC
Services	✅	Sat, 09 May 2026 02:37:39 UTC
APIs	✅	Sat, 09 May 2026 02:37:39 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks	Status	Updated
Configurations	✅	Sat, 09 May 2026 02:37:41 UTC
Migrations	✅	Sat, 09 May 2026 02:37:43 UTC
Seeding	✅	Sat, 09 May 2026 02:37:44 UTC
Edge Functions	✅	Sat, 09 May 2026 02:37:45 UTC

---

View logs for this Workflow Run ↗︎.
Learn more about Supabase for Git ↗︎.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Around line 37-38: The changelog check is failing because this PR doesn't
introduce any new "## [Unreleased]" content unique from main; add a new net‑new
Unreleased entry so MAIN_UNRELEASED != HEAD_UNRELEASED. Edit CHANGELOG.md to add
a top-level "## [Unreleased]" section (or add an additional unique bullet under
the existing Unreleased section) — for example add a short one-line bullet
referencing this bump (e.g., "Bump Go to 1.26.3 and golang.org/x/net to v0.53.0
— fixes GO-2026-4918") or any other distinct note that only exists in this PR so
the pipeline detects a change. Ensure the header text is exactly "##
[Unreleased]" and the new bullet is not identical to the entry already present
on main.

In `@go.mod`:
- Line 3: CI workflows are pinned to go-version: "1.26.2" but go.mod now
specifies go 1.26.3, causing CI failures; update all occurrences of the
go-version key in .github/workflows (the jobs that currently set go-version:
"1.26.2") to "1.26.3" or replace them with go-version-file: go.mod so the runner
reads the module file; search for the literal go-version: "1.26.2" in the
workflow files and update each to either go-version: "1.26.3" or
go-version-file: go.mod to match the go.mod entry.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 7a19c9a8-04bc-430d-b290-503200580091

📥 Commits

Reviewing files that changed from the base of the PR and between 3262110 and 7bca5c5.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• CHANGELOG.md
• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify Go toolchain/version config in workflows and repo files.

set -euo pipefail

echo "== Workflow files mentioning Go version/toolchain =="
fd -i '.*\.(yml|yaml)$' .github/workflows -x rg -n --no-heading 'setup-go|go-version|GOTOOLCHAIN|1\.26\.2|1\.26\.3|toolchain'

echo
echo "== Repo files mentioning Go version/toolchain =="
rg -n --no-heading 'go 1\.26\.[0-9]+|toolchain go1\.26\.[0-9]+|GOTOOLCHAIN'

Repository: Good-Native/hover

Length of output: 549

---

Multiple CI workflows are hardcoded to Go 1.26.2 but go.mod now requires Go 1.26.3.

The workflows in .github/workflows have hardcoded go-version: "1.26.2" in multiple jobs (lines 43, 83, 128, 171, 173, 255). This blocks execution since go.mod now declares go 1.26.3. Update these to 1.26.3, or switch to go-version-file: go.mod (like the workflow at line 20-22) to auto-resolve the version.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 3, CI workflows are pinned to go-version: "1.26.2" but go.mod
now specifies go 1.26.3, causing CI failures; update all occurrences of the
go-version key in .github/workflows (the jobs that currently set go-version:
"1.26.2") to "1.26.3" or replace them with go-version-file: go.mod so the runner
reads the module file; search for the literal go-version: "1.26.2" in the
workflow files and update each to either go-version: "1.26.3" or
go-version-file: go.mod to match the go.mod entry.

[github-actions]

Release Versions

App patch: v0.34.5 → v0.34.6

Changelog

Changed

• Bump Go to 1.26.3 and golang.org/x/net to v0.53.0 to clear GO-2026-4918
  (HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite-loop) flagged by govulncheck.
• Split Fly machine pool reconcile into its own CI job so downstream autoscaler
  releases no longer block on clone-start-stop warm-up. Review apps drop their
  per-PR pool target from 10/5 to 3/3 (analysis/worker); prod retains 10/5.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

[github-actions]

🐝 Review App Deployed

Homepage: https://hover-pr-378.fly.dev
Dashboard: https://hover-pr-378.fly.dev/dashboard

[github-actions]

🐝 Review App Deployed

Homepage: https://hover-pr-378.fly.dev
Dashboard: https://hover-pr-378.fly.dev/dashboard

[github-actions]

🐝 Review App Deployed

Homepage: https://hover-pr-378.fly.dev
Dashboard: https://hover-pr-378.fly.dev/dashboard