Summary
release.yml uses go-version: "1.26", which resolves to the latest 1.26.x available at dispatch time. A silent bump to a newer 1.26.x between releases changes the provenance of binaries built from identical source — undermining any reproducibility argument made for the attestations.
Scope
Pin release workflow to a specific 1.26.X (the version recorded in bench.txt). CI workflow keeps floating 1.26.
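An added check (not part of this issue or the project) that scans a workflow file for go-version values and flags any that are not an exact patch release; the sample workflow texts and the "1.26.3" pin are constructed here, the real pin is whatever bench.txt records.

```python
import re

# A fully pinned Go version is major.minor.patch; anything shorter floats.
PINNED = re.compile(r"^\d+\.\d+\.\d+$")
# Plain-text scan for `go-version:` lines (no YAML parser needed for this check).
GO_VERSION_LINE = re.compile(r"^\s*go-version:\s*['\"]?([^'\"\s#]+)['\"]?", re.MULTILINE)


def go_versions(workflow_text):
    """Return every go-version value found in a workflow file's text."""
    return GO_VERSION_LINE.findall(workflow_text)


def unpinned_go_versions(workflow_text):
    """Return the go-version values that do not name an exact patch release."""
    return [v for v in go_versions(workflow_text) if not PINNED.match(v)]


def release_pin_matches(workflow_text, expected):
    """True when every go-version in the workflow is exactly `expected`."""
    versions = go_versions(workflow_text)
    return bool(versions) and all(v == expected for v in versions)


# Constructed sample: floating minor, resolves to whatever 1.26.x is current at dispatch.
FLOATING_RELEASE = """\
jobs:
  release:
    steps:
      - uses: actions/setup-go@v5
        with:
          go-version: "1.26"
"""

# Constructed sample: pinned to an exact patch. "1.26.3" is a made-up value for this
# example, not the version recorded in bench.txt.
PINNED_RELEASE = FLOATING_RELEASE.replace('"1.26"', '"1.26.3"')

if __name__ == "__main__":
    print("floating release workflow, unpinned:", unpinned_go_versions(FLOATING_RELEASE))
    print("pinned release workflow, unpinned:", unpinned_go_versions(PINNED_RELEASE))
```

Run it against release.yml with the bench.txt version as `expected` to turn the acceptance criterion into a CI gate.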
Acceptance criteria
- release.yml pins 1.26.X explicitly.
- Dependabot gomod ecosystem picks up the patch.
Source: security-reviewer.