Update Go to 1.26.4 and bump golang.org/x/crypto and golang.org/x/net#8630
Open
JeffreyCA wants to merge 3 commits into
Open
Update Go to 1.26.4 and bump golang.org/x/crypto and golang.org/x/net#8630JeffreyCA wants to merge 3 commits into
JeffreyCA wants to merge 3 commits into
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
JeffreyCA
requested review from
RickWinter,
XiaofuHuang,
achauhan-scc,
anchenyi,
danieljurek,
glharper,
hemarina,
kingernupur,
saanikaguptamicrosoft,
tg-msft,
therealjohn,
trangevi,
trrwilson and
vhvb1989
as code owners
github-actions
Bot
added
ext-agents
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the repository’s pinned Go toolchain patch version and refreshes golang.org/x dependency versions in cli/azd to address the versions called out in #8595, while also adding a bash equivalent of the existing Go-version update script.
Changes:
- Bump pinned Go version from
1.26.1→1.26.4acrosscli/azdmodules, ADO template, devcontainer, and sample Dockerfile. - Bump
golang.org/x/cryptotov0.53.0andgolang.org/x/nettov0.56.0(plus resultinggo.sumupdates). - Add
eng/scripts/Update-GoVersion.shand cross-reference it fromUpdate-GoVersion.ps1.
Show a summary per file
| File | Description |
|---|---|
| eng/scripts/Update-GoVersion.sh | New bash script to update pinned Go version across the repo. |
| eng/scripts/Update-GoVersion.ps1 | Adds header docs referencing the new bash equivalent. |
| eng/pipelines/templates/steps/setup-go.yml | Updates ADO Go tool version parameter to 1.26.4. |
| cli/azd/test/functional/testdata/samples/containerappjob/src/job/go.mod | Updates sample module Go version to 1.26.4. |
| cli/azd/test/functional/testdata/samples/containerappjob/src/job/Dockerfile | Updates sample build image tag to golang:1.26.4-alpine. |
| cli/azd/go.sum | Updates sums for bumped golang.org/x/* modules and transitive updates. |
| cli/azd/go.mod | Updates go directive and bumps x/crypto, x/net, and related x/* versions. |
| cli/azd/extensions/microsoft.azd.concurx/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.coding-agent/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.appservice/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.training/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.toolboxes/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.skills/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.routines/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.projects/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.models/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.inspector/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.finetune/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.connections/go.mod | Updates extension module Go version to 1.26.4. |
| cli/azd/extensions/azure.ai.agents/go.mod | Updates extension module Go version to 1.26.4. |
| .devcontainer/devcontainer.json | Updates devcontainer Go feature version to 1.26.4. |
Copilot's findings
- Files reviewed: 20/21 changed files
- Comments generated: 1
Consolidate the repo-wide Go version sync logic into a single 'mage updateGoVersion <version>' target, removing the duplicated PowerShell and bash scripts that could drift apart. Repoint the validate-go-version workflow hint and document the target in AGENTS.md. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Address PR review feedback: require a bare X.Y.Z version in the mage updateGoVersion target to guard against typos, and embed 'cd cli/azd' in the validate-go-version error hint so it can be pasted directly from the CI log. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Collaborator
Azure Dev CLI Install InstructionsInstall scriptsMacOS/Linux
bash: pwsh: WindowsPowerShell install MSI install Standalone Binary
MSI
Documentationlearn.microsoft.com documentationtitle: Azure Developer CLI reference
|
hemarina
approved these changes
Jun 12, 2026
hemarina
left a comment
hemarina
left a comment
Contributor
There was a problem hiding this comment.
What it does
- Bumps pinned Go
1.26.1 → 1.26.4everywhere (15go.modundercli/azd, devcontainer, ADOsetup-go.yml, containerappjobDockerfile). - Bumps
x/crypto 0.49→0.53,x/net 0.52→0.56(+ transitivex/sync,x/sys,x/term,x/text) with matchinggo.sum. - Replaces
eng/scripts/Update-GoVersion.ps1with a cross-platformmage updateGoVersion <version>target; updates thevalidate-go-versionworkflow hint andAGENTS.md.
Verification performed
- ✅ All
magefile.goimports used by the new function are present;findRepoRootexists — compiles. - ✅ Regexes match real file formats: devcontainer
\s*correctly spans the newline between{and"version";goDirective,dockerImage,adoVersionall valid. - ✅ Coverage complete: all 15
go.modfiles undercli/azdwere updated; no stale1.26.1remains. - ✅ Deleted PS1 had only one external reference (
validate-go-version.yml), which the PR updates. No dangling references. - ✅ The Go port faithfully mirrors the PS1 logic and is safer (
os.WriteFilepreserves bytes/EOL with no BOM).
Security
- Dependency bumps are remediation (upstream fixes), pinned with verified
go.sumhashes; no new third-party deps. - Go
1.26.1→1.26.4is a patch-level toolchain bump. - The new
mage updateGoVersiontarget runs at dev time only, validates its argument with^\d+\.\d+\.\d+$, has no shell exec / network / untrusted input. Safer than the deleted PowerShell script. - No secrets, credentials, or CI privilege changes.
Observations (non-blocking)
- Document
go mod tidyinAGENTS.md— themage updateGoVersionentry only rewrites the pinned version strings. Suggest adding a note that, if the bump changes the module graph (e.g. new minimum transitive deps), rungo mod tidyincli/azdseparately.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #8595
This PR updates the pinned Go toolchain and the two
golang.org/xdependencies flagged as out of date in the linked issue.golang.org/x/cryptogolang.org/x/netThe Go bump is applied everywhere the version is pinned so the
validate-go-versioncheck stays green: everycli/azdgo.mod(core, extensions, and testdata samples), the ADOsetup-gotemplate, the containerappjobDockerfile, and the devcontainer Go feature. Thecrypto/netbumps also pull in their required minimum transitive versions (x/sync,x/sys,x/term,x/text) viago mod tidy.While here, the version-sync logic is consolidated into a single
mage updateGoVersion <version>target (run fromcli/azd), replacing the PowerShell-onlyUpdate-GoVersion.ps1. A single Go target avoids the cross-platform script duplication problem, works without PowerShell, and is the one place to maintain when new pinned locations are added. Thevalidate-go-versionworkflow hint andcli/azd/AGENTS.mdnow point at the target.