[release-3.1] Upgrade Go to 1.26.4 #15659
69448b9 to 1474a82
Building new version of mimir-build-image. After image is built and pushed to the registry, a new commit will automatically be added to this PR with new image version
1474a82 to 6536d46
Building new version of mimir-build-image. After image is built and pushed to the registry, a new commit will automatically be added to this PR with new image version
Not building new version of mimir-build-image. This PR modifies the build image or the build image build workflow, but the image
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Makefile skipped when image exists
- Decoupled Makefile synchronization from need_to_build flag so the Makefile is always updated when files are modified, even when the image already exists in the registry.
Or push these changes by commenting:
@cursor push 3cd14ff2a3
Preview (3cd14ff2a3)
diff --git a/.github/workflows/push-mimir-build-image.yml b/.github/workflows/push-mimir-build-image.yml
--- a/.github/workflows/push-mimir-build-image.yml
+++ b/.github/workflows/push-mimir-build-image.yml
@@ -112,10 +112,12 @@
IMAGE: ${{ steps.compute_variables.outputs.image_name }}
outputs:
+ modified: ${{ steps.check_if_files_modified.outputs.modified }}
need_to_build: ${{ steps.check_if_image_is_built.outputs.need_to_build }}
new_image_tag: ${{ steps.compute_variables.outputs.new_image_tag }}
main_image_tag: ${{ steps.compute_variables.outputs.main_image_tag }}
build_args: ${{ steps.compute_variables.outputs.build_args }}
+ image_name: ${{ steps.compute_variables.outputs.image_name }}
build-push-multiarch:
name: Build image
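Review bot: the new `modified` output reads `steps.check_if_files_modified.outputs.modified`, but no step with that id is visible in this hunk; confirm the prepare job's step is named exactly `check_if_files_modified` and writes `modified=true` or `modified=false` to `$GITHUB_OUTPUT` on every path, including the no-changes path, otherwise the downstream `needs.prepare.outputs.modified == 'true'` conditions silently evaluate to false and the Makefile step never runs, reproducing the bug this fix targets. Exposing `image_name` as a job output is consistent with its existing use as the `IMAGE` env value just above.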
@@ -159,7 +161,7 @@
exit 1
- name: Checkout repository
- if: needs.prepare.outputs.need_to_build == 'true'
+ if: needs.prepare.outputs.modified == 'true'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
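Review bot: switching the checkout condition to `needs.prepare.outputs.modified == 'true'` matches the Makefile step below, but check the job that contains these steps: if it lists `build-push-multiarch` under `needs:` and that job is skipped when `need_to_build` is false, the whole job is skipped and this step-level `if:` is never evaluated, so the fix would need a job-level `if: always() && needs.prepare.outputs.modified == 'true'` (or `!cancelled()`) to take effect. Keeping `persist-credentials: false` is right, since it keeps the checkout token out of `.git/config` ahead of the later commit step.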
@@ -170,12 +172,18 @@
# `changed=false` and no commit will be made.
- name: Check whether Makefile needs updating, and update it
id: update_makefile
- if: needs.prepare.outputs.need_to_build == 'true'
+ if: needs.prepare.outputs.modified == 'true'
run: |
set -euo pipefail
+ # If we built a new image, use the digest output; otherwise use the computed tag
+ if [ "$NEED_TO_BUILD" = "true" ]; then
+ NEW_IMAGE="$BUILD_IMAGE_DIGEST"
+ else
+ NEW_IMAGE="$IMAGE_NAME:$NEW_IMAGE_TAG"
+ fi
NEW_IMAGE_TAG=$(echo $NEW_IMAGE | cut -d ':' -f 2-)
echo "Current build image tag is $MAIN_IMAGE_TAG"
- echo "Built image is $NEW_IMAGE, new tag is $NEW_IMAGE_TAG"
+ echo "Target image is $NEW_IMAGE, new tag is $NEW_IMAGE_TAG"
if [ "$MAIN_IMAGE_TAG" = "$NEW_IMAGE_TAG" ]; then
echo "Build image tag is already up to date."
echo "changed=false" >> "$GITHUB_OUTPUT"
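Review bot: in the `else` branch `NEW_IMAGE` is assembled as `$IMAGE_NAME:$NEW_IMAGE_TAG` and then `NEW_IMAGE_TAG` is immediately recomputed from it with `cut -d ':' -f 2-`; that round trip is unnecessary and breaks if `IMAGE_NAME` ever carries a port (`host:port/...`), because the first `:` is then the port separator rather than the tag. Suggest moving the `cut` into the `then` branch so the tag is only derived from the digest output, and leaving `NEW_IMAGE_TAG` as supplied by `prepare` otherwise. Two smaller points: `echo $NEW_IMAGE` should quote the expansion under `set -euo pipefail`, and for a digest reference `cut -d ':' -f 2-` keeps only the hex after `sha256:`, which is fine if that is what the Makefile pin expects but deserves a comment.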
@@ -184,7 +192,10 @@
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
env:
- NEW_IMAGE: ${{ needs.build-push-multiarch.outputs.image-digests }}
+ NEED_TO_BUILD: ${{ needs.prepare.outputs.need_to_build }}
+ BUILD_IMAGE_DIGEST: ${{ needs.build-push-multiarch.outputs.image-digests }}
+ IMAGE_NAME: ${{ needs.prepare.outputs.image_name }}
+ NEW_IMAGE_TAG: ${{ needs.prepare.outputs.new_image_tag }}
MAIN_IMAGE_TAG: ${{ needs.prepare.outputs.main_image_tag }}
# Generate the app token here (rather than earlier in the job) so we only mint one
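Review bot: passing `NEED_TO_BUILD`, `BUILD_IMAGE_DIGEST`, `IMAGE_NAME` and `NEW_IMAGE_TAG` through `env:` instead of interpolating `${{ }}` into `run:` is the right pattern, since job outputs then never reach the shell as code. Two things to verify: `BUILD_IMAGE_DIGEST` is empty whenever `build-push-multiarch` is skipped, and the script tolerates that only because the `then` branch is not taken in that case, so a comment next to that env entry would help the next reader; and with `set -u` all four variables must be defined, which holds because `env:` always sets them, possibly to an empty string.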
Reviewed by Cursor Bugbot for commit 919b700. Configure here.
# `changed=false` and no commit will be made.
- name: Check whether Makefile needs updating, and update it
  id: update_makefile
  if: needs.prepare.outputs.need_to_build == 'true'
Makefile skipped when image exists
Medium Severity
The Check whether Makefile needs updating step only runs when need_to_build is true. If the registry already has the PR image tag (re-run, failed bot commit, or stale LATEST_BUILD_IMAGE_TAG), the build is skipped but the Makefile is never synced, so the required build_and_push check can pass with an outdated pin.
That's a backport for #15566 to release-3.1.
This also brings the fixes from #15439 to the build-image workflow, which is broken in release-3.1 and doesn't let this PR pass (doing it in one bundle to cut down on PR stamping).
And also backport #15429 for the same reason.
Note
Medium Risk
Changes CI build/push paths, registry, and automated Makefile commits on PRs; security impact is limited but release-branch merge gates depend on the refactored workflow behaving correctly.
Overview
Upgrades the CI build toolchain to Go 1.26.4 for CVE-2026-42507, updates mimir-build-image/Dockerfile, bumps the pinned LATEST_BUILD_IMAGE_TAG in the Makefile, and documents the change in CHANGELOG.md. The vendoring workflow's setup-go version is aligned to 1.26.4.
Replaces the monolithic push-mimir-build-image job with prepare, a reusable GAR multi-arch build (build-push-multiarch), and a build_and_push job that still satisfies the legacy required check name. Triggers now cover any change under mimir-build-image/ or the workflow file (via the paginated PR Files API instead of gh pr diff), image tags hash the whole directory plus the workflow, and Makefile updates are committed with ghcommit and digest-aware tag replacement.
Makefile defaults point BUILD_IMAGE at Google Artifact Registry (us-docker.pkg.dev/.../mimir-build-image) and add print-build-image-build-args for the shared build workflow. Org-membership authorization for image builds is removed in favor of GitHub's fork vs write-access permission model.
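The update_makefile script in the Bugbot preview above derives the new tag with `cut -d ':' -f 2-`, and the overview describes digest-aware tag replacement for the Makefile pin. As an added example that is not part of this PR or the Mimir repository, here is a POSIX-sh helper that parses the tag or digest out of an image reference for the three shapes a pin check can see (plain tag, digest, registry with a port), next to the cut-based approach for comparison. The reference strings are constructed; `example-project/example-repo` stands in for the elided GAR path.

```shell
#!/bin/sh
# Added example, not code from the Mimir repository or this PR: extract the
# tag or digest portion of an image reference so a Makefile pin can be
# compared against the image a workflow intends to use. The reference strings
# used below are constructed for illustration.

# Print the version part of an image reference:
#   registry/repo:tag            -> tag
#   registry/repo@sha256:<hex>   -> sha256:<hex>
#   registry:5000/repo:tag       -> tag   (the port is not mistaken for a tag)
#   registry/repo                -> latest (registry default when no tag given)
image_ref_version() {
    ref=$1
    case $ref in
        *@*)
            # Digest reference: keep the algorithm prefix so the pin is unambiguous.
            printf '%s\n' "${ref#*@}"
            ;;
        *)
            # Tag reference: only the last path component can carry ':tag',
            # so drop everything up to the final '/' before looking for ':'.
            last=${ref##*/}
            case $last in
                *:*) printf '%s\n' "${last#*:}" ;;
                *)   printf '%s\n' latest ;;
            esac
            ;;
    esac
}

# The cut-based approach from the workflow script, kept here only to show
# where it diverges: the first ':' is assumed to start the tag.
naive_version() {
    printf '%s\n' "$1" | cut -d ':' -f 2-
}

# Return 0 (true) when the pinned value differs from the target image's
# version, i.e. when a commit updating the Makefile pin is needed.
build_image_needs_update() {
    pinned=$1
    target=$2
    [ "$pinned" != "$(image_ref_version "$target")" ]
}

# Stand-alone demonstration over the three reference shapes.
for r in \
    'us-docker.pkg.dev/example-project/example-repo/mimir-build-image:pr15659-0123abcd' \
    'us-docker.pkg.dev/example-project/example-repo/mimir-build-image@sha256:0123abcd' \
    'localhost:5000/mimir-build-image:dev'; do
    printf '%s\n  robust=%s\n  naive=%s\n' "$r" "$(image_ref_version "$r")" "$(naive_version "$r")"
done
```

The digest branch deliberately returns `sha256:<hex>` rather than the bare hex, so that a pin compared against it cannot be confused with a tag; if the Makefile stores only the hex, strip the prefix at the comparison site rather than in the parser.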