
feat(cve-fix): revert Dockerfile builder digests to Go 1.26.1 #2168

Merged
agrawaliti merged 1 commit into microsoft:main from agrawaliti:dependencyUpdates2
Apr 10, 2026
agrawaliti (Contributor) commented Apr 10, 2026

This pull request updates all Dockerfiles in the repository to use newer, more specific, and pinned versions of the Microsoft Go base images. The changes ensure that builds are based on Go 1.26.1 images (with appropriate OS variants), improving reproducibility and consistency across Linux and Windows builds.

Base image updates:

  • Updated all Linux-based Dockerfiles to use mcr.microsoft.com/oss/go/microsoft/golang:1.26.1 or 1.26.1-azurelinux3.0 with the corresponding SHA256 digest for improved version pinning and reproducibility.
  • Updated all Windows-based Dockerfiles to use mcr.microsoft.com/oss/go/microsoft/golang:1.26.1-windowsservercore-ltsc2022 with the corresponding SHA256 digest for consistent Windows builds.

These updates help ensure that all builds use the same Go toolchain version and OS base, reducing the risk of inconsistencies and unexpected build issues.…ab10de78

Commit c08d827 inadvertently reverted Go builder image digests from 1.26.1 back to the floating azurelinux3.0 tag (Go 1.24.x). This restores the Go 1.26.1 pinned digests to fix remaining stdlib CVEs (CVE-2026-25679, CVE-2026-27139, CVE-2026-27142) that cannot be fixed on Go 1.24.x.


agrawaliti requested a review from a team as a code owner April 10, 2026 11:43
agrawaliti changed the title from "chore(security): revert Dockerfile builder digests to Go 1.26.1 from …" to "chore(security): revert Dockerfile builder digests to Go 1.26.1" Apr 10, 2026
ibezrukavyi previously approved these changes Apr 10, 2026
agrawaliti changed the title from "chore(security): revert Dockerfile builder digests to Go 1.26.1" to "feat(cve-fix): revert Dockerfile builder digests to Go 1.26.1" Apr 10, 2026
agrawaliti force-pushed the dependencyUpdates2 branch 3 times, most recently from fa6d54a to 602ca40 April 10, 2026 13:11
agrawaliti enabled auto-merge April 10, 2026 13:16
agrawaliti added this pull request to the merge queue Apr 10, 2026
github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 10, 2026
nddq (Member) commented Apr 10, 2026

we might as well bump to go v1.26.2

skopeo inspect docker://mcr.microsoft.com/oss/go/microsoft/golang:1.26.2 --format "{{.Name}}@{{.Digest}}"
mcr.microsoft.com/oss/go/microsoft/golang@sha256:8d219d3f8e6edc46cc6d1f4bec61347560c2bca6ba53c4eae908c542fbc72a65
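
A CI guard for the regression this PR fixes, where a Go builder image slipped from a pinned digest back to a floating tag, as an added example (not code from the PR or the project). It assumes FROM lines of the form `image:tag@sha256:digest`; the function name, problem labels and sample Dockerfile are constructed for illustration.

```python
import re

MIN_GO = (1, 26, 1)  # minimum Go toolchain, taken from the PR title
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
GO_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def check_dockerfile(text, min_go=MIN_GO):
    """Return (line_no, image_ref, problem) for every Go builder FROM line
    that is not digest-pinned, uses a version-less tag, or is below min_go."""
    findings, stages = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        is_stage = ref.lower() in stages      # "FROM builder" reuses an earlier stage
        if alias:
            stages.add(alias.lower())
        name, _, digest = ref.partition("@")
        # A ':' only starts a tag if it comes after the last '/' (else it is a registry port).
        cut = name.rfind(":")
        repo, tag = (name[:cut], name[cut + 1:]) if cut > name.rfind("/") else (name, "")
        if is_stage or repo.rsplit("/", 1)[-1] != "golang":
            continue                          # only Go builder images are in scope
        if not DIGEST_RE.fullmatch(digest):
            findings.append((no, ref, "unpinned"))
        ver = GO_VER_RE.match(tag)
        if not ver:
            findings.append((no, ref, "floating-tag"))
        elif tuple(int(p or 0) for p in ver.groups()) < tuple(min_go):
            findings.append((no, ref, "go-too-old"))
    return findings

# Constructed sample: digests are placeholders, 1.24.9 is an illustrative old version.
SAMPLE = f"""\
FROM --platform=$BUILDPLATFORM mcr.microsoft.com/oss/go/microsoft/golang:1.26.1-azurelinux3.0@sha256:{'0' * 64} AS builder
FROM mcr.microsoft.com/oss/go/microsoft/golang:azurelinux3.0 AS tools
FROM mcr.microsoft.com/oss/go/microsoft/golang:1.24.9@sha256:{'1' * 64} AS legacy
FROM builder AS final
FROM scratch
"""

if __name__ == "__main__":
    for no, ref, problem in check_dockerfile(SAMPLE):
        print(f"line {no}: {problem}: {ref}")
```

When a reference carries both a tag and a digest, the digest decides what is pulled and the tag is only a label, so confirm the pair with a registry lookup such as the skopeo inspect command above.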

agrawaliti added this pull request to the merge queue Apr 10, 2026
github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 10, 2026
agrawaliti added this pull request to the merge queue Apr 10, 2026
agrawaliti removed this pull request from the merge queue due to a manual request Apr 10, 2026
agrawaliti added this pull request to the merge queue Apr 10, 2026
Merged via the queue into microsoft:main with commit dfc6bed Apr 10, 2026
133 checks passed
agrawaliti deleted the dependencyUpdates2 branch April 10, 2026 15:34