Skip to content

Update go and protobuf tooling #1681

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
janezpodhostnik wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Update go and protobuf tooling #1681

janezpodhostnik wants to merge 3 commits into from

Conversation

@janezpodhostnik
Copy link
Contributor

@janezpodhostnik janezpodhostnik commented Feb 4, 2026

Closes: #???

Description

For contributor use:

  • Targeted PR against master branch
  • Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
  • Updated relevant documentation
  • Re-reviewed Files changed in the Github PR explorer
  • Added appropriate labels

@janezpodhostnik janezpodhostnik self-assigned this Feb 4, 2026
@github-actions
Copy link

github-actions bot commented Feb 4, 2026
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
gomod/golang.org/x/net 0.49.0 UnknownUnknown
gomod/golang.org/x/sys 0.40.0 UnknownUnknown
gomod/golang.org/x/text 0.33.0 UnknownUnknown
gomod/google.golang.org/genproto/googleapis/rpc 0.0.0-20251029180050-ab9386a59fda 🟢 6.7
Details
CheckScoreReason
Maintained🟢 1016 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 10all changesets reviewed
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy🟢 10security policy file detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 2SAST tool is not run on all commits -- score normalized to 2
Vulnerabilities🟢 100 existing vulnerabilities detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
gomod/google.golang.org/grpc 1.78.0 🟢 7.9
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 9security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Binary-Artifacts🟢 10no binaries found in the repo
License🟢 10license file detected
Fuzzing🟢 10project is fuzzed
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities🟢 100 existing vulnerabilities detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST🟢 7SAST tool detected but not run on all commits
gomod/google.golang.org/protobuf 1.36.11 UnknownUnknown

Scanned Files

  • protobuf/go.mod
  • protobuf/go/flow/go.mod

@github-actions
Copy link

github-actions bot commented Feb 4, 2026

⚠️ Security Dependency Review Failed ⚠️

This pull request introduces dependencies with security vulnerabilities of moderate severity or higher.

Vulnerable Dependencies:

📦 golang.org/x/net@0.34.0

What to do next?

  1. Review the vulnerability details in the Dependency Review Comment above, specifically the "Vulnerabilities" section
  2. Click on the links in the "Vulnerability" section to see the details of the vulnerability
  3. If multiple versions of the same package are vulnerable, please update to the common latest non-vulnerable version
  4. If you are unsure about the vulnerability, please contact the security engineer
  5. If the vulnerability cannot be avoided (can't upgrade, or need to keep), contact #security on slack to get it added to the allowlist

Security Engineering contact: #security on slack

@janezpodhostnik
Copy link
Contributor Author

janezpodhostnik commented Feb 6, 2026

⚠️ Security Dependency Review Failed ⚠️

This pull request introduces dependencies with security vulnerabilities of moderate severity or higher.

Vulnerable Dependencies:

📦 golang.org/x/net@0.34.0

What to do next?

  1. Review the vulnerability details in the Dependency Review Comment above, specifically the "Vulnerabilities" section
  2. Click on the links in the "Vulnerability" section to see the details of the vulnerability
  3. If multiple versions of the same package are vulnerable, please update to the common latest non-vulnerable version
  4. If you are unsure about the vulnerability, please contact the security engineer
  5. If the vulnerability cannot be avoided (can't upgrade, or need to keep), contact #security on slack to get it added to the allowlist

Security Engineering contact: #security on slack

Updated, but the comment wont go away...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@janezpodhostnik janezpodhostnik

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@janezpodhostnik