constellation/dev-docs/workflows/bump-go-version.md

Bump Go version

govulncheck from the bazel check target will fail if our code is vulnerable, which is often the case when a patch version was released with security fixes.

Steps

Replace "1.xx.x" with the new version in MODULE.bazel:

go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk")
go_sdk.download(
    name = "go_sdk",
    patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
    version = "1.xx.x", <--- Replace this one
              ~~~~~~~~
)

Replace go-version: "1.xx.x" with the new version in all GitHub actions/workflows, our go.mod files and Containerfiles. You can use the following command to find replace all instances of go-version: "1.xx.x" in the .github directory:

OLD_VERSION="1.xx.x"
NEW_VERSION="1.xx.y"
find .github -type f -exec sed -i "s/go-version: \"${OLD_VERSION}\"/go-version: \"${NEW_VERSION}\"/g" {} \;
sed -i "s/go ${OLD_VERSION}/go ${NEW_VERSION}/g" go.mod
sed -i "s/go ${OLD_VERSION}/go ${NEW_VERSION}/g" hack/tools/go.mod
sed -i "s/${OLD_VERSION}/${NEW_VERSION}/g" go.work
sed -i "s/GO_VER=${OLD_VERSION}/GO_VER=${NEW_VERSION}/g" 3rdparty/gcp-guest-agent/Dockerfile

Or manually:

- name: Setup Go environment
  uses: actions/setup-go@v5
  with:
  go-version: "1.xx.x" <--- Replace this one
              ~~~~~~~~