Bump go version, add trivy

shawnburke · shawnburke · commit 7942d5e45d62 · 2025-12-10T06:35:14.000+11:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.22.9'
+          go-version: '1.24.8'
 
       - name: Install dependencies
         run: |
@@ -48,7 +48,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: '1.22.9'
+          go-version: '1.24.8'
 
       - name: Install dependencies
         run: |
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -60,4 +60,19 @@ jobs:
           # arm64 is more expensive to build, so only build it on the default branch or for tags
           platforms: ${{ (env.IS_DEFAULT_BRANCH == 'true' || env.IS_TAG == 'true') && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
           cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache
+          load: ${{ env.IS_DEFAULT_BRANCH != 'true' && env.IS_TAG != 'true' }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/cortex-axon-agent:${{ steps.meta.outputs.version }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/agent/go.mod b/agent/go.mod
@@ -1,6 +1,6 @@
 module github.com/cortexapps/axon
 
-go 1.22.9
+go 1.24.8
 
 require (
 	github.com/google/uuid v1.6.0
diff --git a/agent/test/relay/docker-compose.yml b/agent/test/relay/docker-compose.yml
@@ -64,7 +64,7 @@ services:
     stop_grace_period: 1s  # SIGKILL after 1s
 
   cortex-fake:
-    image: golang:1.22-alpine
+    image: golang:1.24-alpine
     volumes:
       - .:/src
     environment:
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -10,7 +10,7 @@ ARG SNYK_BROKER_VERSION=4.203.4
 RUN wget -q -O - https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - && apt install -y nodejs
 RUN npm install -g snyk-broker@${SNYK_BROKER_VERSION}
 
-ENV GOLANG_VERSION=1.22.9
+ENV GOLANG_VERSION=1.24.8
 # Install Go, this script will work for ARM or AMD64
 RUN wget -q -O /tmp/goinstall.sh https://raw.githubusercontent.com/canha/golang-tools-install-script/master/goinstall.sh && chmod +x /tmp/goinstall.sh && /tmp/goinstall.sh --version ${GOLANG_VERSION}
 
diff --git a/examples/go/axon-ev-sync/go.mod b/examples/go/axon-ev-sync/go.mod
@@ -1,6 +1,6 @@
 module github.com/cortexapps/axon_apps/axon-ev-sync
 
-go 1.22.9
+go 1.24.8
 
 require (
 	github.com/cortexapps/axon-go v0.0.0
diff --git a/scaffold/go/axon_client/go.mod b/scaffold/go/axon_client/go.mod
@@ -1,6 +1,6 @@
 module github.com/cortexapps/axon-go
 
-go 1.22.9
+go 1.24.8
 
 require (
 	github.com/google/uuid v1.6.0
diff --git a/scaffold/go/go.mod b/scaffold/go/go.mod
@@ -1,6 +1,6 @@
 module github.com/cortexapps/axon_apps/{{.ProjectName}}
 
-go 1.22.9
+go 1.24.8
 
 require (
 	github.com/google/uuid v1.6.0
diff --git a/sdks/go/go.mod b/sdks/go/go.mod
@@ -1,6 +1,6 @@
 module github.com/cortexapps/axon-go
 
-go 1.22.9
+go 1.24.8
 
 require (
 	github.com/google/uuid v1.6.0
diff --git a/sdks/python/poetry.lock b/sdks/python/poetry.lock
