chore(deps): upgrade Go to 1.26 and all dependencies#475
Merged
Conversation
- Go: 1.25.7 → 1.26.0 - docker/cli: v29.1.3 → v29.2.1 - go-playground/validator: v10.30.0 → v10.30.1 - netresearch/go-cron: v0.9.1 → v0.11.0 - sirupsen/logrus: v1.9.3 → v1.9.4 - golang.org/x/crypto: v0.46.0 → v0.48.0 - golang.org/x/term: v0.38.0 → v0.40.0 - golang.org/x/text: v0.32.0 → v0.34.0 - gopkg.in/ini.v1: v1.67.0 → v1.67.1 - Various indirect dependency upgrades (otel, mimetype, etc.) All CI workflows use go-version-file: go.mod, so they will automatically use Go 1.26. Supersedes Dependabot PRs #469, #470, #471, #472, #473.
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
This was referenced Feb 15, 2026
Closed
Dependency ReviewThe following issues were found:
License Issuesgo.mod
Allowed Licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, CC0-1.0, Unlicense Excluded from license check: pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp, pkg:golang/go.opentelemetry.io/otel, pkg:golang/go.opentelemetry.io/otel/metric, pkg:golang/go.opentelemetry.io/otel/trace, pkg:golang/golang.org/x/crypto, pkg:golang/golang.org/x/sys, pkg:golang/golang.org/x/text OpenSSF ScorecardScorecard details
Scanned Files
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
Updates the project’s Go toolchain and module dependencies to newer versions, aligning runtime/CI builds (which read Go version from go.mod) with the upgraded ecosystem.
Changes:
- Bump
godirective from1.25.7to1.26.0. - Upgrade key direct dependencies (e.g.,
github.com/netresearch/go-cron,github.com/docker/cli,golang.org/x/*,logrus,validator). - Refresh
go.sumto match the new resolved dependency graph (including updated indirect dependencies).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Updates Go version and bumps direct/indirect module requirements. |
| go.sum | Updates module checksums to reflect the upgraded dependency set. |
Run `go fix ./...` with Go 1.26's 22 built-in modernizers across 77
files. Key changes:
- interface{} → any (~260 occurrences)
- manual map copy → maps.Copy() (17)
- context.WithCancel(context.Background()) → t.Context() in tests (11)
- for i := 0; i < n; i++ → for i := range n (11)
- manual contains loops → slices.Contains() (9)
- reflect.TypeOf(x) → reflect.TypeFor[T]() (7)
- if/else capping → min()/max() builtins (4)
- HasPrefix+TrimPrefix → CutPrefix (3)
- range strings.Split() → range strings.SplitSeq() (3)
- wg.Add(1)/go/defer wg.Done() → wg.Go() (2)
- string concatenation → strings.Builder (1)
Convert all 7 errors.As calls to the type-safe generic errors.AsType[T] added in Go 1.26, eliminating the need for pre-declared target variables.
- Remove redundant loop variable copy (Go 1.22+) - Remove blank line after wg.Go closure (gofumpt) - Remove unused stringPtr helper (inlined by go fix)
✅ Mutation Testing ResultsMutation Score: 77.78% (threshold: 60%)
What is mutation testing?Mutation testing measures test quality by introducing small changes (mutations) to the code and checking if tests detect them. A higher score means better test effectiveness.
|
3 tasks
golangci-lint v2.6.2 was built with Go 1.25 and rejects Go 1.26 targets. Update to v2.9.0 which has Go 1.26 support. Also update dependency-review allow-licenses to handle compound SPDX expressions (e.g. "Apache-2.0 AND BSD-3-Clause") now reported by GitHub's dependency graph for OpenTelemetry and golang.org/x packages.
All call sites were already inlined to new(bool) by go fix. The exported wrapper is no longer needed.
Revert allow-licenses from YAML >- multi-line format back to single line — the block scalar folding broke the dependency-review-action's comma-separated license parsing, rejecting even MIT and Apache-2.0. Increase smoke test timeout from 30s to 60s — race detection overhead caused TestSchedulerGracefulShutdown to time out on CI.
The dependency-review-action cannot match compound SPDX expressions (e.g. "Apache-2.0 AND BSD-3-Clause") in allow-licenses — including them corrupts the parser, rejecting ALL licenses including MIT. Use allow-dependencies-licenses with purl format to whitelist the specific packages GitHub reports with compound SPDX expressions (OpenTelemetry, golang.org/x/*), and keep allow-licenses clean with only simple SPDX identifiers.
CodeQL Action v3 will be deprecated in December 2026. Update all 5 occurrences across ci.yml and scorecard.yml from v3.31.9 to v4.32.3.
4 tasks
github-merge-queue bot
pushed a commit
that referenced
this pull request
Feb 15, 2026
## Summary Modernizes the scheduler to adopt features added in go-cron v0.10.0 and v0.11.0, which was upgraded as part of the Go 1.26 dependency bump (#475). ### Changes - **`WithCapacity(64)`** — pre-allocates cron scheduler internal structures for ~12% scheduling performance improvement - **`ValidateSpec`** — replaces hand-rolled regex-based cron validation (~120 lines removed) with go-cron's parser, fixing false negatives (month/day names, wraparound ranges) and false positives - **`IsJobRunningByName`** — exposes job running status through the web API (`running` field on job objects) - **`WaitForJobByName`** — waits for in-flight executions before removing jobs, eliminating races during shutdown and job replacement - **`JobWithContext`** — implements `cron.JobWithContext` on `jobWrapper` so per-entry context (canceled on entry removal) propagates through the middleware chain - **`UpsertJob`** — replaces fragile polling retry loop in `EnableJob` with atomic create-or-update - **`UpdateEntryJobByName`** — adds atomic schedule+job replacement used by the web API's update handler ### Intentionally deferred | Feature | Reason | |---------|--------| | `WithMissedPolicy` | Requires persistent last-run times (ofelia is stateless) | | `RetryOnError` | Ofelia's `RetryExecutor` is deeply integrated with middleware, metrics, and per-job config | ## Test plan - [x] All existing tests pass (`go test ./...`) - [x] `golangci-lint run` clean (0 issues) - [x] `go vet ./...` clean - [x] CI pipeline passes
5 tasks
github-merge-queue bot
pushed a commit
that referenced
this pull request
Feb 15, 2026
## Summary Modernize dependency usage following the Go 1.26 and dependency upgrades in #475: - **go-flags v1.6**: Use `WroteHelp()` helper, `AllowBoolValues` parser option, and `description:` tags for CLI help output - **Docker API**: Remove deprecated fields (`KernelMemory`, `BridgeNfIptables`, `BridgeNfIP6tables`) dropped in API v1.42+ - **mapstructure**: Migrate from archived `mitchellh/mapstructure` to maintained `go-viper/mapstructure` v1.6.0 fork via `replace` directive - **Label decoding**: Unify Docker label and INI config decoding paths to use consistent case-insensitive matching with unknown key detection - **go-dockerclient**: Remove legacy `fsouza/go-dockerclient` dependency — rewrite benchmarks to use the official Docker SDK already used everywhere else ## Commits 1. `refactor: adopt go-flags v1.6 features` — `WroteHelp()`, `AllowBoolValues`, `description:` tags, `default-mask:"-"` for secrets 2. `refactor: remove deprecated Docker API fields` — drop 3 fields removed from Docker API v1.42+ 3. `chore(deps): migrate mapstructure to go-viper fork` — drop-in `replace` directive, API-compatible 4. `refactor: unify Docker label decoding` — consistent decoding options between label and INI paths, unknown key warnings 5. `refactor: remove go-dockerclient dependency` — rewrite benchmarks to official SDK, remove transitive deps ## Test plan - [x] `go test -count=1 -timeout=60s ./...` — all packages pass - [x] `golangci-lint run --timeout=3m ./...` — 0 issues - [x] `go build ./...` — compiles cleanly - [x] `go vet ./...` — no issues - [ ] CI workflow passes
|
🚀 Released in v0.20.0 Thank you for your contribution! 🙏 This is now available in the latest release. Please test and verify everything works as expected in your environment. If you encounter any issues, please open a new issue. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
go-version-file: go.mod— no workflow changes neededDependency upgrades
Supersedes #469, #470, #471, #472, #473.
Test plan
go build ./...passesgo vet ./...passesgo test -short ./...— all tests pass