From 15884fe755aa181bc8b281e97f9d69d77173bd7d Mon Sep 17 00:00:00 2001 From: Alper Rifat Ulucinar Date: Thu, 21 May 2026 22:36:49 +0000 Subject: [PATCH 1/3] fix(security): remediate CVE vulnerabilities - Update Go version to 1.25.10 (fixes CVE-2026-39820, CVE-2026-42499, CVE-2026-39836, CVE-2026-33814, CVE-2026-33811, CVE-2026-42501, CVE-2026-39817, CVE-2026-39826, CVE-2026-39825, CVE-2026-39823, CVE-2026-39819) - Update GO_VERSION in CI workflow to match Signed-off-by: Alper Rifat Ulucinar --- .github/workflows/ci.yml | 2 +- go.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 696e097..dbee7c3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ on: env: # Common versions - GO_VERSION: '1.25.9' + GO_VERSION: '1.25.10' GOLANGCI_VERSION: 'v2.11.3' DOCKER_BUILDX_VERSION: 'v0.23.0' diff --git a/go.mod b/go.mod index c47828f..9008e89 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/crossplane/function-auto-ready -go 1.25.9 +go 1.25.10 require ( github.com/alecthomas/kong v1.12.0 From a34975481ab342384ef901f72754dcad81a17e51 Mon Sep 17 00:00:00 2001 From: Alper Rifat Ulucinar Date: Thu, 21 May 2026 23:09:59 +0000 Subject: [PATCH 2/3] fix(ci): update Crossplane CLI to stable channel The 'current' version is no longer available on the 'master' channel. Update to use the 'stable' channel with 'stable' version to get the latest stable Crossplane CLI release. Signed-off-by: Alper Rifat Ulucinar --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dbee7c3..78a6e30 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,8 +20,8 @@ env: # These environment variables are important to the Crossplane CLI install.sh # script. They determine what version it installs. - XP_CHANNEL: master # TODO(negz): Pin to stable once v1.14 is released. - XP_VERSION: current # TODO(negz): Pin to a version once v1.14 is released. + XP_CHANNEL: stable + XP_VERSION: stable # This CI job will automatically push new builds to xpkg.upbound.io if the # XPKG_ACCESS_ID and XPKG_TOKEN secrets are set in the GitHub respository (or From 85bb5f90f118572d2e963c3055670c4da716ee47 Mon Sep 17 00:00:00 2001 From: Alper Rifat Ulucinar Date: Thu, 21 May 2026 23:41:46 +0000 Subject: [PATCH 3/3] fix(ci): use empty XP_VERSION for latest stable The value 'stable' is not a valid version. Use an empty string to get the latest version from the stable channel. Signed-off-by: Alper Rifat Ulucinar --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 78a6e30..e206def 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,7 +21,7 @@ env: # These environment variables are important to the Crossplane CLI install.sh # script. They determine what version it installs. XP_CHANNEL: stable - XP_VERSION: stable + XP_VERSION: '' # This CI job will automatically push new builds to xpkg.upbound.io if the # XPKG_ACCESS_ID and XPKG_TOKEN secrets are set in the GitHub respository (or