From 1f84e15773b8068ec1e7a55c7c3de5ed77ba014f Mon Sep 17 00:00:00 2001 From: Giovanni Ferri Date: Sat, 4 Jul 2026 03:43:00 +0100 Subject: [PATCH] build: pin reproducible go 1.26.4 toolchain and neutralize stale host GOROOT MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move to a reproducible, host-independent Go toolchain via go.mod's `toolchain go1.26.4` directive: with GOTOOLCHAIN=auto, every go command fetches (checksum-verified via the module mirror) and runs exactly go1.26.4 regardless of the host's installed Go. Aligns go.mod, .mise.toml, and CI GO_VERSION on 1.26, which also lets setup-envtest@latest install (it now requires go >= 1.26), fixing the CI unit-test job. Makefile unexports GOROOT and .mise.toml unsets it so a stale host GOROOT (pointing at a different Go install/patch) cannot cause 'compile: version mismatch' — still needed on 1.26 since the host GOROOT patch may differ from the pinned toolchain. --- .github/workflows/ci.yml | 2 +- .github/workflows/nightly-e2e-cilium-heavy.yml | 2 +- .github/workflows/nightly-e2e.yml | 2 +- .github/workflows/release.yml | 2 +- .mise.toml | 10 +++++++++- Dockerfile | 2 +- Dockerfile.agent | 4 ++-- Dockerfile.operator | 2 +- Makefile | 7 +++++++ go.mod | 6 ++++-- 10 files changed, 28 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ca64a28..5e14bac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,7 +7,7 @@ on: branches: [main] env: - GO_VERSION: "1.25" + GO_VERSION: "1.26" jobs: lint: diff --git a/.github/workflows/nightly-e2e-cilium-heavy.yml b/.github/workflows/nightly-e2e-cilium-heavy.yml index 68ed4d8..75fe35e 100644 --- a/.github/workflows/nightly-e2e-cilium-heavy.yml +++ b/.github/workflows/nightly-e2e-cilium-heavy.yml @@ -11,7 +11,7 @@ concurrency: cancel-in-progress: false env: - GO_VERSION: "1.25" + GO_VERSION: "1.26" jobs: e2e-kind-cilium-heavy: diff --git a/.github/workflows/nightly-e2e.yml b/.github/workflows/nightly-e2e.yml index e547ee5..4fab2f3 100644 --- a/.github/workflows/nightly-e2e.yml +++ b/.github/workflows/nightly-e2e.yml @@ -11,7 +11,7 @@ concurrency: cancel-in-progress: false env: - GO_VERSION: "1.25" + GO_VERSION: "1.26" jobs: e2e-kind-smoke: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index be8c97c..9a3b95c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,7 +11,7 @@ on: type: string env: - GO_VERSION: "1.25" + GO_VERSION: "1.26" REGISTRY: ghcr.io IMAGE_BASE: ghcr.io/syscode-labs diff --git a/.mise.toml b/.mise.toml index 93a6068..dfed3f4 100644 --- a/.mise.toml +++ b/.mise.toml @@ -1,3 +1,11 @@ [tools] -go = "1.25.8" +go = "1.26.4" kind = "0.20.0" + +# Unset any GOROOT exported by the host shell so mise's managed Go toolchain is +# always used, independent of the host's Go install. A host GOROOT pointing at a +# different Go version than the pinned toolchain causes "compile: version +# mismatch" errors. The Makefile also does `unexport GOROOT` for make-driven +# builds that don't go through mise activation. +[env] +GOROOT = false diff --git a/Dockerfile b/Dockerfile index aa9ee14..f57cc5a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Build the manager binary -FROM golang:1.25 AS builder +FROM golang:1.26 AS builder ARG TARGETOS ARG TARGETARCH diff --git a/Dockerfile.agent b/Dockerfile.agent index f125d1d..8375a40 100644 --- a/Dockerfile.agent +++ b/Dockerfile.agent @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM golang:1.25-alpine AS agent-builder +FROM golang:1.26-alpine AS agent-builder WORKDIR /workspace COPY go.mod go.sum ./ RUN --mount=type=cache,id=agent-gomod,target=/root/go/pkg/mod go mod download @@ -12,7 +12,7 @@ RUN --mount=type=cache,id=agent-gomod,target=/root/go/pkg/mod \ --mount=type=cache,id=agent-gobuild,target=/root/.cache/go-build \ CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -o agent ./cmd/agent -FROM golang:1.25-alpine AS guest-agent-builder +FROM golang:1.26-alpine AS guest-agent-builder WORKDIR /workspace COPY go.mod go.sum ./ RUN --mount=type=cache,id=guest-gomod,target=/root/go/pkg/mod go mod download diff --git a/Dockerfile.operator b/Dockerfile.operator index a3e4825..2ca4a51 100644 --- a/Dockerfile.operator +++ b/Dockerfile.operator @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1 -FROM golang:1.25-alpine AS builder +FROM golang:1.26-alpine AS builder WORKDIR /workspace COPY go.mod go.sum ./ diff --git a/Makefile b/Makefile index f5d1fcd..f8554a0 100644 --- a/Makefile +++ b/Makefile @@ -19,6 +19,13 @@ CONTAINER_TOOL ?= docker SHELL = /usr/bin/env bash -o pipefail .SHELLFLAGS = -ec +# A stale GOROOT inherited from the host shell (e.g. a Homebrew Go install +# pointing at a different version than the `go` binary on PATH) causes +# "compile: version X does not match go tool version Y". Strip it so every +# recipe uses the go binary's own GOROOT. The toolchain version is pinned +# reproducibly via .mise.toml and go.mod, independent of the host's Go. +unexport GOROOT + .PHONY: all all: build diff --git a/go.mod b/go.mod index 134a094..1841041 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,8 @@ module github.com/syscode-labs/imp -go 1.25.6 +go 1.26.0 + +toolchain go1.26.4 require ( github.com/firecracker-microvm/firecracker-go-sdk v1.0.0 @@ -24,6 +26,7 @@ require ( go.opentelemetry.io/otel/metric v1.42.0 go.opentelemetry.io/otel/sdk v1.42.0 go.opentelemetry.io/otel/sdk/metric v1.42.0 + go.opentelemetry.io/otel/trace v1.42.0 golang.org/x/oauth2 v0.35.0 google.golang.org/grpc v1.79.2 google.golang.org/protobuf v1.36.11 @@ -104,7 +107,6 @@ require ( go.mongodb.org/mongo-driver v1.8.3 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0 // indirect - go.opentelemetry.io/otel/trace v1.42.0 // indirect go.opentelemetry.io/proto/otlp v1.9.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect