chore: upgrade Go from 1.24.4 to 1.26.4 to fix 32 stdlib vulnerabilities #1679

Open: rohilsurana wants to merge 3 commits into main from fix/upgrade-go-1.26.4

rohilsurana (Member) commented Jun 5, 2026

Summary

  • Upgrades Go from 1.24.4 → 1.26.4 to fix 32 stdlib vulnerabilities reported by govulncheck
  • Upgrades golangci-lint from v2.2.1 → v2.12.2 for Go 1.26 compatibility
  • Replaces deprecated ioutil.ReadFile/ioutil.WriteFile with os.ReadFile/os.WriteFile (3 files)
  • Migrates golang.org/x/exp/slices to stdlib slices package (13 files)

Changes

| File | Change |
|---|---|
| go.mod | go 1.24.0 → go 1.26.4 |
| Dockerfile.dev | golang:1.24.4-alpine3.21 → golang:1.26.4-alpine3.23 |
| .github/workflows/release.yml | go-version: "1.26.4" (3 instances) |
| .github/workflows/main.yml | go-version: "1.26.4" (1 instance) |
| .github/workflows/test.yml | go-version: "1.26.4" (3 instances) |
| .github/workflows/lint.yml | go-version: "1.26.4" + golangci-lint v2.12.2 |
| config/init.go | ioutil.WriteFile → os.WriteFile |
| internal/store/blob/blob.go | ioutil.ReadFile → os.ReadFile |
| pkg/file/file.go | ioutil.ReadFile → os.ReadFile |
| 13 files | golang.org/x/exp/slices → stdlib slices |

Stdlib vulns fixed (32)

crypto/tls, crypto/x509, net/http, net/url, net/mail, net/textproto, html/template, os, os/exec, database/sql, encoding/asn1, encoding/pem, net/http/httputil, net

Test plan

  • go build ./... — pass
  • go vet ./... — pass
  • golangci-lint run ./... — 0 issues
  • go test ./core/... ./internal/api/... ./billing/... ./pkg/... ./cmd/... — all pass
  • Zero remaining references to Go 1.24
  • CI workflows pass
  • Docker build succeeds with golang:1.26.4-alpine3.23
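
The test plan above lists "Zero remaining references to Go 1.24"; one way to check that mechanically is to scan the three pin formats this PR edits and report any that disagree with the target. This is an added example, not code from this PR or the repository; `StalePins`, `sampleTree` and the embedded file contents are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// The three pin formats this PR touches; each captures the version number.
var pinPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?m)^go[ \t]+(\d+\.\d+(?:\.\d+)?)[ \t]*$`), // go.mod directive
	regexp.MustCompile(`golang:(\d+\.\d+(?:\.\d+)?)`),              // Docker image tag
	regexp.MustCompile(`go-version:\s*["']?(\d+\.\d+(?:\.\d+)?)`),  // setup-go input
}

// StalePins returns a sorted "path: version" entry for every pin in files
// (path -> contents) whose version differs from want.
func StalePins(want string, files map[string]string) []string {
	var stale []string
	for path, body := range files {
		for _, re := range pinPatterns {
			for _, m := range re.FindAllStringSubmatch(body, -1) {
				if m[1] != want {
					stale = append(stale, path+": "+m[1])
				}
			}
		}
	}
	sort.Strings(stale)
	return stale
}

// sampleTree is constructed input, not the repository's real files: one
// workflow job was bumped while a second job in the same file was missed.
func sampleTree() map[string]string {
	return map[string]string{
		"go.mod":         "module example.test/app\n\ngo 1.26.4\n",
		"Dockerfile.dev": "FROM golang:1.26.4-alpine3.23 AS builder\n",
		".github/workflows/test.yml": "jobs:\n  unit:\n    with:\n      go-version: \"1.26.4\"\n" +
			"  e2e:\n    with:\n      go-version: \"1.24.4\"\n",
	}
}

func main() {
	for _, s := range StalePins("1.26.4", sampleTree()) {
		fmt.Println("stale pin:", s)
	}
}
```

A pin left on the old version in a release or image build means artifacts are still compiled with the unpatched standard library even though go.mod was bumped.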

vercel Bot commented Jun 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| frontier | Ready | Preview, Comment | Jun 5, 2026 8:18pm |

coderabbitai Bot (Contributor) commented Jun 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b07e3065-3644-433a-81a5-0ee3a8000eca

📥 Commits

Reviewing files that changed from the base of the PR and between 8c4abcf and 3c7ce5b.

📒 Files selected for processing (16)
  • billing/customer/service.go
  • billing/entitlement/service.go
  • billing/product/service.go
  • cmd/serve.go
  • config/init.go
  • core/audit/audit.go
  • core/audit/service.go
  • core/authenticate/service.go
  • core/preference/validator.go
  • core/webhook/service.go
  • internal/store/blob/blob.go
  • internal/store/postgres/billing_customer_repository_test.go
  • internal/store/postgres/org_billing_repository.go
  • pkg/file/file.go
  • pkg/utils/rql.go
  • test/e2e/regression/api_test.go
✅ Files skipped from review due to trivial changes (12)
  • internal/store/blob/blob.go
  • core/audit/service.go
  • internal/store/postgres/billing_customer_repository_test.go
  • billing/product/service.go
  • core/authenticate/service.go
  • billing/entitlement/service.go
  • core/audit/audit.go
  • pkg/utils/rql.go
  • core/webhook/service.go
  • internal/store/postgres/org_billing_repository.go
  • billing/customer/service.go
  • pkg/file/file.go

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated Go toolchain to 1.26.4 across CI, release/test pipelines, dev image, and project configuration.
    • Upgraded linting workflow tooling for improved static analysis.
    • Replaced experimental slices dependency with the Go standard library slice utilities across the codebase.
    • Replaced deprecated file I/O usage with current standard library file APIs.

Walkthrough

Go toolchain version is updated from 1.24.x/1.24.0 to 1.26.4 in go.mod, the development Docker builder image, and all GitHub Actions workflows; the golangci-lint action version is also bumped. Additionally, code imports move from golang.org/x/exp/slices to the standard library slices and ioutil usages are replaced with os file APIs.

Changes

Go Toolchain Update

| Layer / File(s) | Summary |
|---|---|
| Go version upgrade to 1.26.4: go.mod, Dockerfile.dev, .github/workflows/main.yml, .github/workflows/test.yml, .github/workflows/release.yml, .github/workflows/lint.yml | Module go directive updated to 1.26.4, Docker builder image changed to golang:1.26.4-alpine3.23, and all actions/setup-go job steps set go-version to 1.26.4. |
| golangci-lint action version bump: .github/workflows/lint.yml | golangci/golangci-lint-action input version changed from v2.2.1 to v2.12.2. |

Stdlib migration (slices, ioutil -> os)

| Layer / File(s) | Summary |
|---|---|
| Replace ioutil with os for file IO: config/init.go, internal/store/blob/blob.go, pkg/file/file.go | Removed io/ioutil imports and replaced ioutil.ReadFile/ioutil.WriteFile calls with os.ReadFile/os.WriteFile where files/secrets are read or written. |
| Replace golang.org/x/exp/slices with stdlib slices: billing/*, core/*, cmd/serve.go, pkg/utils/rql.go, internal/store/postgres/*, test/e2e/* | Replaced imports of golang.org/x/exp/slices with the Go standard library slices across application code and tests; existing slices.* call sites remain unchanged. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • raystack/frontier#1500: Both PRs modify CI workflows and Dockerfile.dev to bump the Go toolchain/base image version.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coveralls commented Jun 5, 2026

Coverage Report for CI Build 27037929088

Coverage remained the same at 43.221%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: 3 uncovered changes across 3 files (0 of 3 lines covered, 0.0%).
  • No coverage regressions found.

Uncovered Changes

| File | Changed | Covered | % |
|---|---|---|---|
| config/init.go | 1 | 0 | 0.0% |
| internal/store/blob/blob.go | 1 | 0 | 0.0% |
| pkg/file/file.go | 1 | 0 | 0.0% |

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 38046
Covered Lines: 16444
Line Coverage: 43.22%
Coverage Strength: 12.14 hits per line

💛 - Coveralls

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
.github/workflows/lint.yml (1)

11-23: ⚡ Quick win

Consider adding explicit permissions for security hardening.

The static analysis tool flagged that this job uses default permissions. Following the principle of least privilege, consider adding an explicit permissions block.

🔒 Proposed permissions block
 jobs:
   golangci:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
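
Review bot: The `pull-requests: read` grant in the added `permissions:` block has no visible consumer, since the body of `steps:` is outside this hunk; confirm a step actually reads pull request data, and otherwise keep only `contents: read`. The block is also scoped to the `golangci` job, so any other job in lint.yml would still run with default token permissions; a workflow-level `permissions:` key would cover every job in the file.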

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1bb2685a-92e4-4fb2-a37d-5a293b88b431

📥 Commits

Reviewing files that changed from the base of the PR and between 276cd89 and 8c4abcf.

📒 Files selected for processing (1)
  • .github/workflows/lint.yml
