From f95ea87565b41a80ff144735c56bc578922544c5 Mon Sep 17 00:00:00 2001
From: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
Date: Thu, 21 May 2026 22:37:49 +0000
Subject: [PATCH 1/2] fix(security): remediate CVE vulnerabilities

- Update Go version to 1.25.10 (fixes CVE-2026-39820, CVE-2026-42499,
  CVE-2026-39836, CVE-2026-33814, CVE-2026-33811, CVE-2026-42501,
  CVE-2026-39817, CVE-2026-39826, CVE-2026-39825, CVE-2026-39823,
  CVE-2026-39819)
- Update GO_VERSION in CI workflow to match

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
---
 .github/workflows/ci.yml | 2 +-
 go.mod                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0edaf9c..bd8c0bc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,7 +14,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.25.9'
+  GO_VERSION: '1.25.10'
   GOLANGCI_VERSION: 'v2.11.3'
   DOCKER_BUILDX_VERSION: 'v0.23.0'
 
diff --git a/go.mod b/go.mod
index 5a2473d..b5457c2 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/crossplane-contrib/function-go-templating
 
-go 1.25.9
+go 1.25.10
 
 require (
 	dario.cat/mergo v1.0.2

From 64419d715147df55cd64ec3e5e94f23fdeae8b75 Mon Sep 17 00:00:00 2001
From: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
Date: Thu, 21 May 2026 23:11:34 +0000
Subject: [PATCH 2/2] fix(ci): update Crossplane CLI to stable channel

- Use stable channel instead of master
- Pin to v1.18.2 instead of current
- Resolves Crossplane CLI download failure

Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bd8c0bc..b20d536 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,8 +20,8 @@ env:
 
   # These environment variables are important to the Crossplane CLI install.sh
   # script. They determine what version it installs.
-  XP_CHANNEL: master   # TODO(negz): Pin to stable once v1.14 is released.
-  XP_VERSION: current  # TODO(negz): Pin to a version once v1.14 is released.
+  XP_CHANNEL: stable
+  XP_VERSION: v1.18.2
 
   # This CI job will automatically push new builds to xpkg.upbound.io if the
   # XPKG_ACCESS_ID and XPKG_TOKEN secrets are set in the GitHub respository (or