stackrox · janisz · Jun 25, 2026 · Jun 25, 2026 · Jun 25, 2026
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,7 +1,7 @@
 version: "2"
 run:
   timeout: 240m
-  go: "1.25"
+  go: "1.26"
   build-tags:
     - integration
     - scanner_db_integration

@@ -0,0 +1,29 @@
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.26@sha256:aa2429f5dcf086b4edb2251f0cea19d54c60638aaedc03a1384d26ec3754cebc
+
+WORKDIR /workspace
+
+# Copy only go.mod to check version compatibility
+COPY go.mod .
+
+# Validate Go version compatibility
+# go mod tidy will fail if go.mod requires a Go version higher than available in the builder
+RUN echo "Go version of the builder:" && \
+    go version 2>/dev/null
+RUN echo "go.mod version requirement:" && \
+    grep -E '^(go|toolchain) ' go.mod
+RUN echo "If the following command fails, either roll back your changes to go.mod or update the openshift-golang-builder base images."
+RUN echo "Checking go.mod compatibility..." && \
+    go mod tidy
+RUN echo "SUCCESS: Go version is compatible with go.mod"
+
+# Test that go mod tidy actually fails on incompatible versions
+# This validates we're not relying on behavior that silently changed
+RUN echo "Testing go mod tidy failure detection..."
+RUN go mod edit -go=1.200.0 2>/dev/null
+RUN if go mod tidy; then \
+        echo "ERROR: go mod tidy succeeded with incompatible version"; \
+        echo "Our assumption about go mod tidy behavior is broken!"; \
+        exit 1; \
+    else \
+        echo "SUCCESS: go mod tidy correctly detects an incompatible Go version"; \
+    fi
@@ -0,0 +1,152 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "500"
+    pipelinesascode.tekton.dev/on-comment: "/konflux-retest checks"
+    pipelinesascode.tekton.dev/on-cel-expression: |
+      (event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")) ||
+      (event == "pull_request" && body.action != "ready_for_review")
+  labels:
+    appstudio.openshift.io/application: acs
+  name: checks
+  namespace: rh-acs-tenant
+
+spec:
+
+  params:
+
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-operator-bundle
+
+  timeouts:
+    tasks: 10m
+    finally: 2m
+    pipeline: 12m
+
+  workspaces:
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+
+  pipelineSpec:
+
+    finally:
+    - name: slack-notification
+      params:
+      - name: message
+        value: ':x: `{{event_type}}` pipeline for <https://konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com/ns/$(context.pipelineRun.namespace)/pipelinerun/$(context.pipelineRun.name)|$(context.pipelineRun.name)> (revision <$(params.git-url)/commit/$(params.revision)|$(params.revision)>) has failed.'
+      - name: key-name
+        value: 'acs-konflux-notifications'
+      when:
+      - input: $(tasks.status)
+        operator: in
+        values: ["Failed"]
+      taskRef:
+        params:
+        - name: name
+          value: slack-webhook-notification
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-slack-webhook-notification:0.1@sha256:d34a3789505f829493636a265eb04790695dba84bbb2bb716a7551a6911f2816
+        - name: kind
+          value: task
+        resolver: bundles
+
+    - name: post-metric-end
+      params:
+      - name: AGGREGATE_TASKS_STATUS
+        value: $(tasks.status)
+      taskRef: &post-bigquery-metrics-ref
+        params:
+        - name: name
+          value: post-bigquery-metrics
+        - name: bundle
+          value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:72c050dbc90421d03a703c742151cdbec441d1fda072ae2d611962d6d3a8ffbd
+        - name: kind
+          value: task
+        resolver: bundles
+
+    params:
+    - default: "{{source_url}}"
+      description: Source Repository URL
+      name: git-url
+      type: string
+    - default: "{{revision}}"
+      description: Revision of the Source Repository
+      name: revision
+      type: string
+    - default: quay.io/rhacs-eng/konflux-checks
+      description: Output Image Repository (for OCI artifacts)
+      name: output-image-repo
+      type: string
+    - default: "1d"
+      description: This sets the expiration time for intermediate OCI artifacts produced and used during builds after which they can be garbage collected.
+      name: oci-artifact-expires-after
+      type: string
+
+
+    workspaces:
+    - name: git-auth
+
+    tasks:
+
+    - name: post-metric-start
+      taskRef: *post-bigquery-metrics-ref
+
+    - name: clone-repository
+      params:
+      - name: url
+        value: $(params.git-url)
+      - name: revision
+        value: $(params.revision)
+      - name: depth
+        value: "1"
+      - name: fetchTags
+        value: "false"
+      - name: ociStorage
+        value: $(params.output-image-repo):konflux-$(params.revision).git
+      - name: ociArtifactExpiresAfter
+        value: $(params.oci-artifact-expires-after)
+      taskRef:
+        params:
+        - name: name
+          value: git-clone-oci-ta
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d30f13dd15daf89dd6dc645243b3444d35570d13f7840c3fd65e366022515205
+        - name: kind
+          value: task
+        resolver: bundles
+      workspaces:
+      - name: basic-auth
+        workspace: git-auth
+
+    - name: check-go-builder-version
+      params:
+      - name: IMAGE
+        value: $(params.output-image-repo):$(params.revision)-check-go-builder-version
+      - name: DOCKERFILE
+        value: .konflux/konflux.check-go-builder-version.Dockerfile
+      - name: CONTEXT
+        value: .
+      - name: IMAGE_EXPIRES_AFTER
+        value: $(params.oci-artifact-expires-after)
+      - name: COMMIT_SHA
+        value: $(params.revision)
+      - name: SOURCE_ARTIFACT
+        value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+      - name: HERMETIC
+        value: "true"
+      taskRef:
+        params:
+        - name: name
+          value: buildah-oci-ta
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.10@sha256:1d633027ed426996720890ec9a74576ae264d711a177bf18f39a5a9e8023435c
+        - name: kind
+          value: task
+        resolver: bundles
diff --git a/Makefile b/Makefile
@@ -351,11 +351,9 @@ deps: $(shell find $(BASE_DIR) -name "go.sum")
 	@echo "+ $@"
 	$(SILENT)$(eval GOMOCK_REFLECT_DIRS=`find . -type d -name 'gomock_reflect_*'`)
 	$(SILENT)test -z $(GOMOCK_REFLECT_DIRS) || { echo "Found leftover gomock directories. Please remove them and rerun make deps!"; echo $(GOMOCK_REFLECT_DIRS); exit 1; }
+	$(SILENT)go mod tidy
 ifdef CI
-	$(SILENT)GOTOOLCHAIN=local go mod tidy || { >&2 echo "Go toolchain does not match with installed Go version. This is a compatibility check that prevents breaking downstream builds. If you really need to update the toolchain version, ask in #forum-acs-golang" ; exit 1 ; }
 	$(SILENT)git diff --exit-code -- go.mod go.sum || { echo "go.mod/go.sum files were updated after running 'go mod tidy', run this command on your local machine and commit the results." ; exit 1 ; }
-else
-	$(SILENT)go mod tidy
 endif
 	$(SILENT)touch $@
 

diff --git a/central/processindicator/datastore/datastore_impl_test.go b/central/processindicator/datastore/datastore_impl_test.go
@@ -340,7 +340,7 @@ func (suite *IndicatorDataStoreTestSuite) TestPruning() {
 	mockPruner.EXPECT().Prune(matcher(expectedIndicators...)).Return([]string{indicators[0].GetId()})
 	prunedSignal.Reset()
 	pruneTurnstile.AllowOne()
-	suite.True(concurrency.WaitWithTimeout(&prunedSignal, 3*prunePeriod))
+	suite.True(concurrency.WaitWithTimeout(&prunedSignal, 5*prunePeriod))
 	expectedIndicators = []*storage.ProcessIndicator{extraIndicator}
 	expectedIndicators = append(expectedIndicators, indicators[1:]...)
 	suite.verifyIndicatorsAre(expectedIndicators...)

@@ -1,6 +1,6 @@
 module github.com/stackrox/rox
 
-go 1.25.0
+go 1.26.3
 
 require (
 	cloud.google.com/go/artifactregistry v1.17.2

@@ -1,6 +1,6 @@
 module github.com/stackrox/rox/operator/tools/controller-gen
 
-go 1.25
+go 1.26.3
 
 require sigs.k8s.io/controller-tools v0.19.0
 

@@ -1,6 +1,6 @@
 module github.com/stackrox/rox/operator/tools/envtest
 
-go 1.25.0
+go 1.26.3
 
 require sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20260209172322-2053ba3d414e
 

@@ -1,6 +1,6 @@
 module github.com/stackrox/rox/operator/tools/kustomize
 
-go 1.25
+go 1.26.3
 
 require sigs.k8s.io/kustomize/kustomize/v5 v5.7.1
 

@@ -1,6 +1,6 @@
 module github.com/stackrox/rox/operator/tools/kuttl
 
-go 1.25
+go 1.26.3
 
 require github.com/kudobuilder/kuttl v0.22.0
 

@@ -1,6 +1,6 @@
 module github.com/stackrox/rox/operator/tools/operator-sdk
 
-go 1.25.0
+go 1.26.3
 
 require (
 	github.com/operator-framework/operator-lifecycle-manager v0.30.0

@@ -1,6 +1,6 @@
 module github.com/stackrox/rox/operator/tools/yq
 
-go 1.25
+go 1.26.3
 
 require github.com/mikefarah/yq/v4 v4.47.2
 

diff --git a/pkg/clientconn/client_test.go b/pkg/clientconn/client_test.go
@@ -120,7 +120,7 @@ func (t *ClientTestSuite) TestAuthenticatedHTTPTransport_WebSocket() {
 				t.NoError(err)
 			} else {
 				errEndpoint := `"https://` + testcase.scheme + `:%2F%2Fcentral.stackrox.svc:443/hello/howdy?file=rhelv2%2Frepository-to-cpe.json&uuid=f81dbc6b-5899-433b-bc86-9127219a9d89"`
-				errString := `parse ` + errEndpoint + `: invalid URL escape "%2F"`
+				errString := `parse ` + errEndpoint + `: invalid port ":%2F%2Fcentral.stackrox.svc:443" after host`
 				t.EqualError(err, errString)
 				return
 			}

diff --git a/pkg/env/integersetting.go b/pkg/env/integersetting.go
@@ -104,7 +104,7 @@ func (s *IntegerSetting) mustValidate() *IntegerSetting {
 			panic(fmt.Errorf("programmer error: no values are allowed - allow-list is empty for %q."+
 				"`DisallowAllOther` must be called after `AllowExplicitly`", s.envVar).Error())
 		}
-		panic(fmt.Errorf("programmer error: default value %d is not on allow-list: %q for %q", s.defaultValue,
+		panic(fmt.Errorf("programmer error: default value %d is not on allow-list: %v for %q", s.defaultValue,
 			s.allowList, s.envVar,
 		).Error())
 	}

diff --git a/pkg/tlscheck/tlscheck_test.go b/pkg/tlscheck/tlscheck_test.go
@@ -23,6 +23,11 @@ func Test_addrValid(t *testing.T) {
 		" example.com",
 		"example.com ",
 		"exam ple.com/abc",
+		// Go 1.26 url.Parse rejects unbracketed IPv6 addresses (ROX-35006)
+		"1::",
+		"1::/path",
+		"2001:0db8:0000:0000:0000:ff00:0042:8329",
+		"2001:0db8:0000:0000:0000:ff00:0042:8329:61273",
 	}
 
 	for _, addr := range badAddrs {
@@ -35,16 +40,9 @@ func Test_addrValid(t *testing.T) {
 		"example.com:80/abc",
 		"127.0.0.1:8080",
 		"example.com/repo/path",
-		"1::",
-		"1::/path",
 		"[1::]:80",
 		"[1::]:80/path",
-		"2001:0db8:0000:0000:0000:ff00:0042:8329",
 		"[2001:0db8:0000:0000:0000:ff00:0042:8329]:61273",
-		// RFC2732 says we MAY use the format with `[IPv6addr]:port`,
-		// but it does not explicitly define the following as invalid.
-		// For the sake of simplicity (in using url.Parse), we treat the following as valid.
-		"2001:0db8:0000:0000:0000:ff00:0042:8329:61273",
 	}
 
 	for _, addr := range goodAddrs {

@@ -132,7 +132,6 @@ endif
 	@echo "+ $@"
 	$(SILENT)go mod tidy
 ifdef CI
-	$(SILENT)GOTOOLCHAIN=local go mod tidy || { >&2 echo "Go toolchain does not match with installed Go version. This is a compatibility check that prevents breaking downstream builds. If you really need to update the toolchain version, ask in #forum-acs-golang" ; exit 1 ; }
 	$(SILENT)git diff --exit-code -- ../go.mod ../go.sum || { echo "go.mod/go.sum files were updated after running 'go mod tidy', run this command on your local machine and commit the results." ; exit 1 ; }
 endif
 	$(SILENT)go mod verify

@@ -1,5 +1,3 @@
 module github.com/stackrox/rox/scanner/hack/quay
 
-go 1.24
-
-toolchain go1.23.2
+go 1.26.3
@@ -1,6 +1,6 @@
 module github.com/stackrox/stackrox/tools/check-workflow-run
 
-go 1.25
+go 1.26.3
 
 require github.com/google/go-github/v61 v61.0.0
 

@@ -1,6 +1,6 @@
 module github.com/stackrox/stackrox/tools/linters
 
-go 1.25
+go 1.26.3
 
 require (
 	github.com/golangci/golangci-lint/v2 v2.5.0

@@ -1,6 +1,6 @@
 module github.com/stackrox/stackrox/tools/proto
 
-go 1.25
+go 1.26.3
 
 require (
 	github.com/bufbuild/buf v1.57.2

@@ -1,6 +1,6 @@
 module github.com/stackrox/stackrox/tools/test
 
-go 1.25
+go 1.26.3
 
 require (
 	github.com/jstemmer/go-junit-report/v2 v2.1.0