CodesWhat · scttbnsn · Jun 16, 2026 · Jun 16, 2026
@@ -40,7 +40,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Verify dependencies
         run: go mod verify
@@ -82,7 +82,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: golangci-lint
         uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee  # v9.2.1
@@ -105,7 +105,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Install govulncheck
         run: go install golang.org/x/vuln/cmd/govulncheck@v1.2.0
@@ -195,7 +195,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Run GoReleaser check
         uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89  # v7.2.2
@@ -239,7 +239,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Build Go
         run: go build ./...
@@ -305,7 +305,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Fuzz ${{ matrix.fuzzer.name }}
         env:

@@ -47,7 +47,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Run benchmarks
         run: |

@@ -67,7 +67,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Resolve fuzz budget
         id: budget

@@ -57,7 +57,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Resolve fuzz budget
         id: budget

@@ -53,7 +53,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Verify Docker daemon is reachable
         run: |

@@ -59,7 +59,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Install Gremlins
         run: go install github.com/go-gremlins/gremlins/cmd/gremlins@"${GREMLINS_VERSION}"

@@ -65,7 +65,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Resolve soak parameters
         id: params

@@ -38,7 +38,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          go-version: "1.26"
+          go-version-file: go.mod
 
       - name: Install cosign
         uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6  # v4.1.2

@@ -54,11 +54,10 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
         with:
-          # go.mod declares only the language version (`go 1.26.0`) with no
-          # `toolchain` directive, so go-version-file would pin govulncheck to
-          # 1.26.0 and report stdlib advisories already fixed in 1.26.1+. Track
-          # the latest 1.26.x like the build and the gating ci.yml scan do.
-          go-version: "1.26"
+          # Reads the `toolchain go1.26.4` directive from go.mod (setup-go honors
+          # toolchain over the `go` line), so the scan runs on the same pinned,
+          # patched toolchain the binary is built with — one source of truth.
+          go-version-file: go.mod
 
       - name: Install govulncheck
         run: go install "golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION}"

@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 - **Standardized dependency/CVE scanning on Grype + govulncheck; Snyk stays off Portwing.** Snyk's GitHub SCM integration scans the full Go *module requirement graph* (`go mod graph`) instead of the compiled build graph, so it flags advisories in modules that transitive deps merely *require* but the binary never links in (nothing in `go list -deps ./...`, nothing reachable per govulncheck, clean under Grype). That's a methodology gap, not staleness, so it's being decommissioned org-wide. Portwing never wired Snyk into the repo (no `.snyk` policy, no workflow step, no README badge), so there was nothing to strip out on the repo side. govulncheck (Go call-graph reachability) and Grype (the built image's binary build-info, plus `go.mod`/`go.sum` and the npm lockfiles) already cover dependencies accurately. The existing weekly scan is consolidated into `security-grype.yml`, which now also runs on pull requests (path-filtered to source/deps/Dockerfile/the workflow itself), keeps the weekly cron and manual dispatch, guards the heavy container build off PRs (govulncheck plus the dependency scan give fast PR coverage), gives each scanner a distinct code-scanning `category` so the Grype image and dependency SARIF no longer clobber each other in the Security tab, and runs gosec in report-only mode (`-no-fail`) so its heuristic findings still feed the Security tab without gating the build (CodeQL, Grype, and govulncheck handle the gating).
+- **Pinned the Go toolchain to `go1.26.4` and made it the single source of truth for CI.** `go.mod` now carries a `toolchain go1.26.4` directive (it previously declared only `go 1.26.0`), so every build — local, CI, and release — runs on a stdlib past the reachable `crypto/x509` / `net/url` advisories (GO-2026-4599/4600/4601, fixed in 1.26.1) instead of whatever 1.26.x a runner happened to install. Every workflow's `setup-go` step switched from the floating `go-version: "1.26"` to `go-version-file: go.mod`, so the pin now governs the build, the govulncheck/Grype scans, and the release in lockstep — bump the toolchain in one place to move them all. `govulncheck ./...` is clean on 1.26.4.
 
 ## [0.3.0] - 2026-06-15
 

@@ -2,6 +2,8 @@ module github.com/codeswhat/portwing
 
 go 1.26.0
 
+toolchain go1.26.4
+
 require (
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3