Skip to content

docker: bump golang from 1.26.4-alpine to 1.26.4-alpine#605

Merged
bgentry merged 1 commit into
masterfrom
dependabot/docker_compose/golang-1.26.4-alpine
Jul 2, 2026
Merged

docker: bump golang from 1.26.4-alpine to 1.26.4-alpine#605
bgentry merged 1 commit into
masterfrom
dependabot/docker_compose/golang-1.26.4-alpine

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps golang from 1.26.4-alpine to 1.26.4-alpine.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps golang from 1.26.4-alpine to 1.26.4-alpine.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.26.4-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file docker labels Jul 1, 2026

@bgentry bgentry left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 Codex review: Security review looks good to me.

I reviewed this as a dependency-upgrade supply-chain/security pass for the dev golang:1.26.4-alpine image digest refresh at head d314444b0c11033cf0684781144ac3ec41800023.

Scope reviewed:

  • docker-compose.dev.yaml migrate service image reference change.
  • Official Docker Hub library/golang source and pinned digest behavior.
  • Live Docker Hub manifest-list digest verification with skopeo inspect --raw.
  • CI status, with the known Dependabot riverproui image-publish/OIDC failure treated separately from dependency safety.

No blocking supply-chain issue found. The update keeps the image source on official Docker Hub library/golang, keeps the same 1.26.4-alpine tag, and only refreshes the pinned dev Compose digest from sha256:f23e8b2... to sha256:3ad5730....

I independently verified that the current raw manifest-list digest for docker.io/library/golang:1.26.4-alpine is sha256:3ad57304ad93bbec8548a0437ad9e06a455660655d9af011d58b993f6f615648, matching the PR.

The remaining failed riverproui image checks are consistent with the known Dependabot OIDC/publish limitation, while the ordinary JS/Go checks and riverui image jobs passed.

@bgentry bgentry merged commit 84ac20a into master Jul 2, 2026
16 of 18 checks passed
@bgentry bgentry deleted the dependabot/docker_compose/golang-1.26.4-alpine branch July 2, 2026 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file docker

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant