From a0273ec8372b263f6aeaab90c44bde55125edcec Mon Sep 17 00:00:00 2001
From: Mike Eltsufin
Date: Wed, 22 Apr 2026 13:35:44 -0400
Subject: [PATCH] impl: upgrade Go to fix Bazelisk vulnerabilities

Upgrades Go to the latest stable version to build Bazelisk, resolving vulnerabilities in the Go standard library (e.g., CVE-2026-32289). Bazelisk remains available at /tools/bazelisk.
---
 infrastructure/googleapis/Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/infrastructure/googleapis/Dockerfile b/infrastructure/googleapis/Dockerfile
index 487ca511..e23f3d5c 100644
--- a/infrastructure/googleapis/Dockerfile
+++ b/infrastructure/googleapis/Dockerfile
@@ -27,10 +27,10 @@ RUN apt-get update && \
 RUN mkdir -p /tools
-# Install Go and build Bazelisk from source to fix vulnerabilities in Go stdlib.
-RUN curl -sL https://golang.org/dl/go1.24.8.linux-amd64.tar.gz | tar -C /usr/local -xz
-ENV PATH="/usr/local/go/bin:${PATH}"
-RUN git clone https://github.com/bazelbuild/bazelisk.git /tmp/bazelisk && \
+# Install Go, build Bazelisk from source, and clean up in a single layer to avoid leaving Go in intermediate layers.
+RUN curl -sL https://golang.org/dl/go1.26.2.linux-amd64.tar.gz | tar -C /usr/local -xz && \
+ export PATH="/usr/local/go/bin:${PATH}" && \
+ git clone https://github.com/bazelbuild/bazelisk.git /tmp/bazelisk && \
 cd /tmp/bazelisk && \
 git checkout v${BAZELISK_VERSION} && \
 go build -o /tools/bazelisk && \
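Review bot: The new `RUN curl -sL https://golang.org/dl/go1.26.2.linux-amd64.tar.gz | tar -C /usr/local -xz` line unpacks the Go toolchain as it arrives, with no integrity check, so whatever the redirect chain serves becomes the compiler that builds /tools/bazelisk. Download to a file with `curl -fsSL`, compare it against the SHA-256 published for that release, and only then extract, as sketched below; `-f` also stops an HTTP error body from being handed to tar. The same applies to the source: `git checkout v${BAZELISK_VERSION}` follows a tag, which can be moved, so recording the expected commit hash next to the version would make the build reproducible. The RUN continues past the end of the hunk, so the cleanup that the new comment mentions is not visible here.

```dockerfile
# Placeholder below: replace with the SHA-256 published for go1.26.2.linux-amd64.tar.gz.
RUN curl -fsSL -o /tmp/go.tar.gz https://golang.org/dl/go1.26.2.linux-amd64.tar.gz && \
    echo "PLACEHOLDER_SHA256_OF_GO_TARBALL  /tmp/go.tar.gz" | sha256sum -c - && \
    tar -C /usr/local -xzf /tmp/go.tar.gz && \
    rm /tmp/go.tar.gz && \
    export PATH="/usr/local/go/bin:${PATH}" && \
    # … unchanged: git clone, git checkout, go build and the rest of the RUN …
```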