Merge pull request #723 from doringeman/bump-go

chore(go): 1.26

Author: doringeman

.github/workflows/ci.yml

@@ -19,13 +19,13 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
         with:
-          go-version: 1.25.6
+          go-version: 1.26.0
           cache: true
 
       - name: Install golangci-lint
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20
         with:
-          version: v2.7.2
+          version: v2.10.1
           install-only: true
 
       - name: Run linting for ${{ matrix.goos }}
@@ -45,7 +45,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
         with:
-          go-version: 1.25.6
+          go-version: 1.26.0
           cache: true
 
       - name: Check go mod tidy

.github/workflows/integration-test.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
         with:
-          go-version: 1.25.6
+          go-version: 1.26.0
           cache: true
 
       - name: Set up Docker Buildx

.github/workflows/release.yml

@@ -208,7 +208,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
         with:
-          go-version: 1.25.6
+          go-version: 1.26.0
           cache: true
 
       - name: Run tests

.golangci.yml

@@ -141,13 +141,17 @@ linters:
       excludes:
         - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
         - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/moby/moby/issues/48358)
+        - G117 # G117: Exported struct field matches secret pattern; false positives on legitimate API types.
         - G204 # G204: Subprocess launched with variable; too many false positives.
         - G301 # G301: Expect directory permissions to be 0750 or less (also EXC0009); too restrictive
         - G302 # G302: Expect file permissions to be 0600 or less (also EXC0009); too restrictive
         - G304 # G304: Potential file inclusion via variable.
         - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
         - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
         - G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
+        - G703 # G703: Path traversal via taint analysis; too many false positives.
+        - G704 # G704: SSRF via taint analysis; too many false positives on internal HTTP clients.
+        - G705 # G705: XSS via taint analysis; too many false positives.
 
     govet:
       enable-all: true

Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.25
+ARG GO_VERSION=1.26
 ARG LLAMA_SERVER_VERSION=latest
 ARG LLAMA_SERVER_VARIANT=cpu
 ARG LLAMA_BINARY_PATH=/com.docker.llama-server.native.linux.${LLAMA_SERVER_VARIANT}.${TARGETARCH}

Makefile

@@ -1,6 +1,6 @@
 # Project variables
 APP_NAME := model-runner
-GO_VERSION := 1.25.6
+GO_VERSION := 1.26.0
 LLAMA_SERVER_VERSION := latest
 LLAMA_SERVER_VARIANT := cpu
 BASE_IMAGE := ubuntu:24.04

cmd/cli/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.25
+ARG GO_VERSION=1.26
 ARG ALPINE_VERSION=3.23
 
 ARG DOCS_FORMATS="md,yaml"

cmd/cli/commands/show.go

@@ -45,17 +45,17 @@ func formatModelInfo(model dmrm.Model) string {
 	var sb strings.Builder
 
 	// Model ID
-	sb.WriteString(fmt.Sprintf("Model:       %s\n", model.ID))
+	fmt.Fprintf(&sb, "Model:       %s\n", model.ID)
 
 	// Tags
 	if len(model.Tags) > 0 {
-		sb.WriteString(fmt.Sprintf("Tags:        %s\n", strings.Join(model.Tags, ", ")))
+		fmt.Fprintf(&sb, "Tags:        %s\n", strings.Join(model.Tags, ", "))
 	}
 
 	// Created date
 	if model.Created > 0 {
 		created := time.Unix(model.Created, 0)
-		sb.WriteString(fmt.Sprintf("Created:     %s\n", created.Format(time.RFC3339)))
+		fmt.Fprintf(&sb, "Created:     %s\n", created.Format(time.RFC3339))
 	}
 
 	// Config details
@@ -77,20 +77,20 @@ func formatModelInfo(model dmrm.Model) string {
 
 			for _, field := range fields {
 				if field.value != "" {
-					sb.WriteString(fmt.Sprintf("%-14s%s\n", field.label, field.value))
+					fmt.Fprintf(&sb, "%-14s%s\n", field.label, field.value)
 				}
 			}
 
 			if cfg.ContextSize != nil {
-				sb.WriteString(fmt.Sprintf("%-14s%d\n", "Context Size:", *cfg.ContextSize))
+				fmt.Fprintf(&sb, "%-14s%d\n", "Context Size:", *cfg.ContextSize)
 			}
 
 			// Helper function to print metadata sections
 			printMetadata := func(title string, data map[string]string) {
 				if len(data) > 0 {
-					sb.WriteString(fmt.Sprintf("\n%s:\n", title))
+					fmt.Fprintf(&sb, "\n%s:\n", title)
 					for k, v := range data {
-						sb.WriteString(fmt.Sprintf("  %s: %s\n", k, v))
+						fmt.Fprintf(&sb, "  %s: %s\n", k, v)
 					}
 				}
 			}

go.mod

@@ -1,6 +1,6 @@
 module github.com/docker/model-runner
 
-go 1.25.6
+go 1.26.0
 
 require (
 	github.com/charmbracelet/glamour v0.10.0

pkg/inference/scheduling/runner.go

@@ -122,16 +122,16 @@ func run(
 	if err != nil {
 		return nil, fmt.Errorf("unable to parse virtual backend URL: %w", err)
 	}
-	proxy := httputil.NewSingleHostReverseProxy(upstream)
-	standardDirector := proxy.Director
-	proxy.Director = func(r *http.Request) {
-		standardDirector(r)
-		// HACK: Most backends will be happier with a "localhost" hostname than
-		// an "inference.docker.internal" hostname (which they may reject).
-		r.Host = "localhost"
-		// Remove the prefix up to the OpenAI API root.
-		r.URL.Path = trimRequestPathToOpenAIRoot(r.URL.Path)
-		r.URL.RawPath = trimRequestPathToOpenAIRoot(r.URL.RawPath)
+	proxy := &httputil.ReverseProxy{
+		Rewrite: func(pr *httputil.ProxyRequest) {
+			pr.SetURL(upstream)
+			// HACK: Most backends will be happier with a "localhost" hostname than
+			// an "inference.docker.internal" hostname (which they may reject).
+			pr.Out.Host = "localhost"
+			// Remove the prefix up to the OpenAI API root.
+			pr.Out.URL.Path = trimRequestPathToOpenAIRoot(pr.Out.URL.Path)
+			pr.Out.URL.RawPath = trimRequestPathToOpenAIRoot(pr.Out.URL.RawPath)
+		},
 	}
 	proxy.ModifyResponse = func(resp *http.Response) error {
 		// CORS headers are set by the CorsMiddleware from pkg/inference/cors.go,