From d6e9a5608030b210782de71478c948c45e046b18 Mon Sep 17 00:00:00 2001 From: ziggie Date: Tue, 26 May 2026 15:01:23 -0300 Subject: [PATCH 1/3] discovery: fix graph bootstrapper test stub The tor v2 cleanup backport added a graph bootstrapper regression test from master. Master already has the newer autopilot.ChannelGraph interface, where ForEachNodesChannels passes a NodeID. The v0.21.x branch still uses the older interface, where ForEachNodesChannels passes the full autopilot.Node. Adapt only the local test stub so this backport remains scoped. This avoids pulling in the broader autopilot graph-cache refactor from PR #10796 just to satisfy the release-branch test build. --- discovery/bootstrapper_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/discovery/bootstrapper_test.go b/discovery/bootstrapper_test.go index a323b460eb..f01e67bc75 100644 --- a/discovery/bootstrapper_test.go +++ b/discovery/bootstrapper_test.go @@ -49,7 +49,7 @@ func (s *stubChannelGraph) ForEachNode(ctx context.Context, // ForEachNodesChannels is a no-op stub; SampleNodeAddrs does not exercise // the channel iteration path. func (s *stubChannelGraph) ForEachNodesChannels(_ context.Context, - _ func(context.Context, autopilot.NodeID, + _ func(context.Context, autopilot.Node, []*autopilot.ChannelEdge) error, _ func()) error { return nil From 29e32fc918f9cb494add82c69c7fa7f511be4fdc Mon Sep 17 00:00:00 2001 From: ziggie Date: Fri, 22 May 2026 23:08:15 -0300 Subject: [PATCH 2/3] build: bump Go version to 1.26.3 --- .github/actions/setup-go/action.yml | 4 ++-- .github/workflows/main.yml | 4 ++-- .github/workflows/release.yaml | 2 +- .golangci.yml | 2 +- Dockerfile | 2 +- Makefile | 2 +- actor/go.mod | 2 +- cert/go.mod | 2 +- clock/go.mod | 2 +- dev.Dockerfile | 2 +- docker/btcd/Dockerfile | 2 +- docs/INSTALL.md | 18 +++++++++--------- fn/go.mod | 2 +- go.mod | 8 ++++---- healthcheck/go.mod | 2 +- kvdb/go.mod | 2 +- lnrpc/Dockerfile | 2 +- lnrpc/gen_protos_docker.sh | 2 +- make/builder.Dockerfile | 2 +- make/release_flags.mk | 2 +- queue/go.mod | 2 +- sqldb/go.mod | 2 +- sqldb/v2/go.mod | 2 +- ticker/go.mod | 2 +- tlv/go.mod | 2 +- tools/Dockerfile | 2 +- tools/go.mod | 2 +- tools/linters/go.mod | 2 +- tor/go.mod | 2 +- 29 files changed, 42 insertions(+), 42 deletions(-) diff --git a/.github/actions/setup-go/action.yml b/.github/actions/setup-go/action.yml index 09f47d7697..7a086886b6 100644 --- a/.github/actions/setup-go/action.yml +++ b/.github/actions/setup-go/action.yml @@ -52,8 +52,8 @@ runs: # The key is used to create and later look up the cache. It's made of # four parts: # - The base part is made from the OS name, Go version and a - # job-specified key prefix. Example: `linux-go-1.25.5-unit-test-`. - # It ensures that a job running on Linux with Go 1.25 only looks for + # job-specified key prefix. Example: `linux-go-1.26.3-unit-test-`. + # It ensures that a job running on Linux with Go 1.26 only looks for # caches from the same environment. # - The unique part is the `hashFiles('**/go.sum')`, which calculates a # hash (a fingerprint) of the go.sum file. diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 0ae01923c9..929a46ce71 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -40,7 +40,7 @@ env: # If you change this please also update GO_VERSION in Makefile (then run # `make lint` to see where else it needs to be updated as well). - GO_VERSION: 1.25.5 + GO_VERSION: 1.26.3 jobs: static-checks: @@ -176,7 +176,7 @@ jobs: - name: amd64 sys: darwin-amd64 freebsd-amd64 linux-amd64 netbsd-amd64 openbsd-amd64 windows-amd64 - name: arm - sys: darwin-arm64 freebsd-arm linux-armv6 linux-armv7 linux-arm64 windows-arm + sys: darwin-arm64 freebsd-arm linux-armv6 linux-armv7 linux-arm64 windows-arm64 steps: - name: Git checkout uses: actions/checkout@v5 diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 012a716287..818281047e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -12,7 +12,7 @@ defaults: env: # If you change this please also update GO_VERSION in Makefile (then run # `make lint` to see where else it needs to be updated as well). - GO_VERSION: 1.25.5 + GO_VERSION: 1.26.3 jobs: ######################## diff --git a/.golangci.yml b/.golangci.yml index 22a7c38ded..7d3b1a54f2 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -3,7 +3,7 @@ version: "2" run: # If you change this please also update GO_VERSION in Makefile (then run # `make lint` to see where else it needs to be updated as well). - go: "1.25.5" + go: "1.26.3" # Abort after 10 minutes. timeout: 10m diff --git a/Dockerfile b/Dockerfile index 9cbe35463d..30353ad5ee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # If you change this please also update GO_VERSION in Makefile (then run # `make lint` to see where else it needs to be updated as well). -FROM golang:1.25.5-alpine as builder +FROM golang:1.26.3-alpine as builder # Force Go to use the cgo based DNS resolver. This is required to ensure DNS # queries required to connect to linked containers succeed. diff --git a/Makefile b/Makefile index 3ee1ee403a..559a2e08fa 100644 --- a/Makefile +++ b/Makefile @@ -36,7 +36,7 @@ ACTIVE_GO_VERSION_MINOR := $(shell echo $(ACTIVE_GO_VERSION) | cut -d. -f2) # GO_VERSION is the Go version used for the release build, docker files, and # GitHub Actions. This is the reference version for the project. All other Go # versions are checked against this version. -GO_VERSION = 1.25.5 +GO_VERSION = 1.26.3 GOBUILD := $(GOCC) build -v GOINSTALL := $(GOCC) install -v diff --git a/actor/go.mod b/actor/go.mod index c762776791..bf5a392e2c 100644 --- a/actor/go.mod +++ b/actor/go.mod @@ -1,6 +1,6 @@ module github.com/lightningnetwork/lnd/actor -go 1.25.5 +go 1.25.10 require ( github.com/btcsuite/btclog/v2 v2.0.1-0.20250602222548-9967d19bb084 diff --git a/cert/go.mod b/cert/go.mod index 13208c3e49..5bef04180b 100644 --- a/cert/go.mod +++ b/cert/go.mod @@ -1,6 +1,6 @@ module github.com/lightningnetwork/lnd/cert -go 1.25.5 +go 1.25.10 require github.com/stretchr/testify v1.8.2 diff --git a/clock/go.mod b/clock/go.mod index a81ac570ce..ed65a5ba01 100644 --- a/clock/go.mod +++ b/clock/go.mod @@ -1,6 +1,6 @@ module github.com/lightningnetwork/lnd/clock -go 1.25.5 +go 1.25.10 require github.com/stretchr/testify v1.8.2 diff --git a/dev.Dockerfile b/dev.Dockerfile index 4d681d8de1..999b2e768d 100644 --- a/dev.Dockerfile +++ b/dev.Dockerfile @@ -1,6 +1,6 @@ # If you change this please also update GO_VERSION in Makefile (then run # `make lint` to see where else it needs to be updated as well). -FROM golang:1.25.5-alpine AS builder +FROM golang:1.26.3-alpine AS builder LABEL maintainer="Olaoluwa Osuntokun " diff --git a/docker/btcd/Dockerfile b/docker/btcd/Dockerfile index 6e4ba5854a..a4b2301fdc 100644 --- a/docker/btcd/Dockerfile +++ b/docker/btcd/Dockerfile @@ -1,6 +1,6 @@ # If you change this please also update GO_VERSION in Makefile (then run # `make lint` to see where else it needs to be updated as well). -FROM golang:1.25.5-alpine AS builder +FROM golang:1.26.3-alpine AS builder LABEL maintainer="Olaoluwa Osuntokun " diff --git a/docs/INSTALL.md b/docs/INSTALL.md index b038dc9b1a..0c2f33bc6b 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -93,7 +93,7 @@ following build dependencies are required: ### Installing Go -`lnd` is written in Go, with a minimum version of `1.25.5` (or, in case this +`lnd` is written in Go, with a minimum version of `1.25.10` (or, in case this document gets out of date, whatever the Go version in the main `go.mod` file requires). To install, run one of the following commands for your OS: @@ -101,15 +101,15 @@ requires). To install, run one of the following commands for your OS: Linux (x86-64) ``` - wget https://dl.google.com/go/go1.25.5.linux-amd64.tar.gz - echo "9e9b755d63b36acf30c12a9a3fc379243714c1c6d3dd72861da637f336ebb35b go1.25.5.linux-amd64.tar.gz" | sha256sum --check + wget https://dl.google.com/go/go1.25.10.linux-amd64.tar.gz + echo "42d4f7a32316aa66591eca7e89867256057a4264451aca10570a715b3637ba70 go1.25.10.linux-amd64.tar.gz" | sha256sum --check ``` - The command above should output `go1.25.5.linux-amd64.tar.gz: OK`. If it + The command above should output `go1.25.10.linux-amd64.tar.gz: OK`. If it doesn't, then the target REPO HAS BEEN MODIFIED, and you shouldn't install this version of Go. If it matches, then proceed to install Go: ``` - sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.25.5.linux-amd64.tar.gz + sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.25.10.linux-amd64.tar.gz export PATH=$PATH:/usr/local/go/bin ``` @@ -118,15 +118,15 @@ requires). To install, run one of the following commands for your OS: Linux (ARMv6) ``` - wget https://dl.google.com/go/go1.25.5.linux-armv6l.tar.gz - echo "0b27e3dec8d04899d6941586d2aa2721c3dee67c739c1fc1b528188f3f6e8ab5 go1.25.5.linux-armv6l.tar.gz" | sha256sum --check + wget https://dl.google.com/go/go1.25.10.linux-armv6l.tar.gz + echo "39f168f158e693887d3ad006168af1b1a3007b19c5993cae4d9d57f82f52aaf8 go1.25.10.linux-armv6l.tar.gz" | sha256sum --check ``` - The command above should output `go1.25.5.linux-armv6l.tar.gz: OK`. If it + The command above should output `go1.25.10.linux-armv6l.tar.gz: OK`. If it isn't, then the target REPO HAS BEEN MODIFIED, and you shouldn't install this version of Go. If it matches, then proceed to install Go: ``` - sudo rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.5.linux-armv6l.tar.gz + sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.25.10.linux-armv6l.tar.gz export PATH=$PATH:/usr/local/go/bin ``` diff --git a/fn/go.mod b/fn/go.mod index 41d1a61be9..471655de56 100644 --- a/fn/go.mod +++ b/fn/go.mod @@ -1,6 +1,6 @@ module github.com/lightningnetwork/lnd/fn/v2 -go 1.25.5 +go 1.25.10 require ( github.com/stretchr/testify v1.8.1 diff --git a/go.mod b/go.mod index 89e0edbbec..4f948393ca 100644 --- a/go.mod +++ b/go.mod @@ -221,9 +221,9 @@ replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2 // allows us to specify that as an option. replace google.golang.org/protobuf => github.com/lightninglabs/protobuf-go-hex-display v1.33.0-hex-display -// If you change this please also update docs/INSTALL.md and GO_VERSION in -// Makefile (then run `make lint` to see where else it needs to be updated as -// well). -go 1.25.5 +// If you change this please also update docs/INSTALL.md and all other go.mod +// files. The release build toolchain version is tracked separately by +// GO_VERSION in Makefile. +go 1.25.10 retract v0.0.2 diff --git a/healthcheck/go.mod b/healthcheck/go.mod index e563bfa310..8ff703a8ac 100644 --- a/healthcheck/go.mod +++ b/healthcheck/go.mod @@ -24,4 +24,4 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect ) -go 1.25.5 +go 1.25.10 diff --git a/kvdb/go.mod b/kvdb/go.mod index f0361dde8e..5e2a3cbb20 100644 --- a/kvdb/go.mod +++ b/kvdb/go.mod @@ -147,4 +147,4 @@ replace github.com/ulikunitz/xz => github.com/ulikunitz/xz v0.5.11 // https://deps.dev/advisory/OSV/GO-2021-0053?from=%2Fgo%2Fgithub.com%252Fgogo%252Fprotobuf%2Fv1.3.1 replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2 -go 1.25.5 +go 1.25.10 diff --git a/lnrpc/Dockerfile b/lnrpc/Dockerfile index 680a774e87..cd51a12b59 100644 --- a/lnrpc/Dockerfile +++ b/lnrpc/Dockerfile @@ -1,6 +1,6 @@ # If you change this please also update GO_VERSION in Makefile (then run # `make lint` to see where else it needs to be updated as well). -FROM golang:1.25.5-bookworm +FROM golang:1.26.3-bookworm RUN apt-get update && apt-get install -y \ git \ diff --git a/lnrpc/gen_protos_docker.sh b/lnrpc/gen_protos_docker.sh index 68c65581a2..4b4071df16 100755 --- a/lnrpc/gen_protos_docker.sh +++ b/lnrpc/gen_protos_docker.sh @@ -6,7 +6,7 @@ set -e DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # golang docker image version used in this script. -GO_IMAGE=docker.io/library/golang:1.25.5-alpine +GO_IMAGE=docker.io/library/golang:1.26.3-alpine PROTOBUF_VERSION=$(docker run --rm -v $DIR/../:/lnd -w /lnd $GO_IMAGE \ go list -f '{{.Version}}' -m google.golang.org/protobuf) diff --git a/make/builder.Dockerfile b/make/builder.Dockerfile index 99d4aec556..4e043a0459 100644 --- a/make/builder.Dockerfile +++ b/make/builder.Dockerfile @@ -1,6 +1,6 @@ # If you change this please also update GO_VERSION in Makefile (then run # `make lint` to see where else it needs to be updated as well). -FROM golang:1.25.5-bookworm +FROM golang:1.26.3-bookworm MAINTAINER Olaoluwa Osuntokun diff --git a/make/release_flags.mk b/make/release_flags.mk index 1e74b299f7..d0631943f5 100644 --- a/make/release_flags.mk +++ b/make/release_flags.mk @@ -26,7 +26,7 @@ netbsd-amd64 \ openbsd-amd64 \ windows-386 \ windows-amd64 \ -windows-arm +windows-arm64 RELEASE_TAGS = autopilotrpc signrpc walletrpc chainrpc invoicesrpc watchtowerrpc neutrinorpc monitoring peersrpc kvdb_postgres kvdb_etcd kvdb_sqlite diff --git a/queue/go.mod b/queue/go.mod index aab97704db..93cde11e27 100644 --- a/queue/go.mod +++ b/queue/go.mod @@ -1,6 +1,6 @@ module github.com/lightningnetwork/lnd/queue -go 1.25.5 +go 1.25.10 require ( github.com/lightningnetwork/lnd/fn/v2 v2.0.8 diff --git a/sqldb/go.mod b/sqldb/go.mod index 776776a687..0ac3305b5f 100644 --- a/sqldb/go.mod +++ b/sqldb/go.mod @@ -75,4 +75,4 @@ require ( modernc.org/token v1.1.0 // indirect ) -go 1.25.5 +go 1.25.10 diff --git a/sqldb/v2/go.mod b/sqldb/v2/go.mod index 7e987ca314..8e276d2680 100644 --- a/sqldb/v2/go.mod +++ b/sqldb/v2/go.mod @@ -74,4 +74,4 @@ require ( // did not yet make it into the upstream repository. replace github.com/golang-migrate/migrate/v4 => github.com/lightninglabs/migrate/v4 v4.18.2-9023d66a-fork-pr-2.0.20251211093704-71c1eef09789 -go 1.23.12 +go 1.25.10 diff --git a/ticker/go.mod b/ticker/go.mod index 868a66c7bd..9c5a63469a 100644 --- a/ticker/go.mod +++ b/ticker/go.mod @@ -1,3 +1,3 @@ module github.com/lightningnetwork/lnd/ticker -go 1.25.5 +go 1.25.10 diff --git a/tlv/go.mod b/tlv/go.mod index 365968f42d..ccfaca5e91 100644 --- a/tlv/go.mod +++ b/tlv/go.mod @@ -22,4 +22,4 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect ) -go 1.25.5 +go 1.25.10 diff --git a/tools/Dockerfile b/tools/Dockerfile index 986eddae6a..eb60bc76cd 100644 --- a/tools/Dockerfile +++ b/tools/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.25.5 +FROM golang:1.26.3 RUN apt-get update && apt-get install -y git ENV GOCACHE=/tmp/build/.cache diff --git a/tools/go.mod b/tools/go.mod index fbd1b80f05..077c83b6f5 100644 --- a/tools/go.mod +++ b/tools/go.mod @@ -1,6 +1,6 @@ module github.com/lightningnetwork/lnd/tools -go 1.25.5 +go 1.25.10 require ( 4d63.com/gocheckcompilerdirectives v1.3.0 // indirect diff --git a/tools/linters/go.mod b/tools/linters/go.mod index 76add991cc..82ce03dcdf 100644 --- a/tools/linters/go.mod +++ b/tools/linters/go.mod @@ -1,6 +1,6 @@ module github.com/lightningnetwork/lnd/tools/linters -go 1.25.5 +go 1.25.10 require ( github.com/golangci/plugin-module-register v0.1.1 diff --git a/tor/go.mod b/tor/go.mod index 1af867f5b3..198a0b2785 100644 --- a/tor/go.mod +++ b/tor/go.mod @@ -23,4 +23,4 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect ) -go 1.25.5 +go 1.25.10 From 529dced1ebbabf851517508f6187d91be95f5db5 Mon Sep 17 00:00:00 2001 From: ziggie Date: Mon, 25 May 2026 10:17:25 -0300 Subject: [PATCH 3/3] ci: add govulncheck binary scan --- .github/workflows/govulncheck.yml | 109 ++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 .github/workflows/govulncheck.yml diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml new file mode 100644 index 0000000000..ec18b109f0 --- /dev/null +++ b/.github/workflows/govulncheck.yml @@ -0,0 +1,109 @@ +name: Vulnerability scan + +on: + workflow_dispatch: + schedule: + # Run weekly to catch newly published vulnerabilities even when the code + # does not change. + - cron: "0 9 * * 1" + pull_request: + paths: + - ".github/workflows/govulncheck.yml" + - ".github/actions/setup-go/action.yml" + - "Makefile" + - "make/release_flags.mk" + - "**/*.go" + - "**/go.mod" + - "**/go.sum" + push: + branches: + - "master" + paths: + - ".github/workflows/govulncheck.yml" + - ".github/actions/setup-go/action.yml" + - "Makefile" + - "make/release_flags.mk" + - "**/*.go" + - "**/go.mod" + - "**/go.sum" + merge_group: + branches: + - "master" + +permissions: + contents: read + +defaults: + run: + shell: bash + +env: + # If you change this please also update GO_VERSION in Makefile (then run + # `make lint` to see where else it needs to be updated as well). + GO_VERSION: 1.26.3 + +jobs: + govulncheck: + name: Scan release binaries + runs-on: ubuntu-latest + steps: + - name: Git checkout + uses: actions/checkout@v5 + with: + fetch-depth: 0 + + - name: Setup Go ${{ env.GO_VERSION }} + uses: ./.github/actions/setup-go + with: + go-version: '${{ env.GO_VERSION }}' + key-prefix: govulncheck + use-build-cache: 'no' + + - name: Install govulncheck + run: go install golang.org/x/vuln/cmd/govulncheck@v1.3.0 + + - name: Build release binaries + run: make release-install + + - name: Run govulncheck + run: | + set +e + + gopath="$(go env GOPATH)" + final_exit_code=0 + advisory_findings=0 + + for binary in lnd lncli; do + output="govulncheck-${binary}.txt" + "${gopath}/bin/govulncheck" \ + -mode=binary \ + "${gopath}/bin/${binary}" 2>&1 | tee "${output}" + exit_code=${PIPESTATUS[0]} + + { + echo "### govulncheck ${binary}" + echo + echo '```' + sed -n '1,200p' "${output}" + echo '```' + } >> "$GITHUB_STEP_SUMMARY" + + if [ "$exit_code" -eq 3 ]; then + advisory_findings=1 + continue + fi + + if [ "$exit_code" -ne 0 ] && [ "$final_exit_code" -eq 0 ]; then + final_exit_code="$exit_code" + fi + done + + if [ "$advisory_findings" -eq 1 ]; then + echo "::warning title=govulncheck findings::govulncheck found vulnerabilities; see the job summary for details." + { + echo + echo "> govulncheck exited with code 3 for one or more release binaries. This job is advisory while the existing vulnerability baseline is remediated." + } >> "$GITHUB_STEP_SUMMARY" + fi + + exit "$final_exit_code"