Update to go1.24.6 (#8330)

aarongable · web-flow · commit 1f88abb48973 · 2025-08-06T16:33:29.000-07:00
This version includes security fixes to the database/sql package, which may affect us. https://groups.google.com/g/golang-announce/c/x5MKroML2yM > database/sql: incorrect results returned from Rows.Scan > > Cancelling a query (e.g. by cancelling the context passed to one of the query > methods) during a call to the Scan method of the returned Rows can result in > unexpected results if other queries are being made in parallel. This can result > in a race condition that may overwrite the expected results with those of > another query, causing the call to Scan to return either unexpected results > from the other query or an error. > > We believe this affects most database/sql drivers. > > Thanks to Spike Curtis from Coder for reporting this issue. > > This is CVE-2025-47907 and https://go.dev/issue/74831.
diff --git a/.github/workflows/boulder-ci.yml b/.github/workflows/boulder-ci.yml
@@ -36,7 +36,7 @@ jobs:
       matrix:
         # Add additional docker image tags here and all tests will be run with the additional image.
         BOULDER_TOOLS_TAG:
-          - go1.24.4_2025-06-06
+          - go1.24.6_2025-08-06
         # Tests command definitions. Use the entire "docker compose" command you want to run.
         tests:
           # Run ./test.sh --help for a description of each of the flags.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,7 +15,7 @@ jobs:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - "1.24.4"
+          - "1.24.6"
     runs-on: ubuntu-24.04
     permissions:
       contents: write
diff --git a/.github/workflows/try-release.yml b/.github/workflows/try-release.yml
@@ -10,13 +10,16 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   try-release:
     strategy:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - "1.24.4"
+          - "1.24.6"
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -8,7 +8,7 @@ services:
       context: test/boulder-tools/
       # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
       args:
-        GO_VERSION: 1.24.1
+        GO_VERSION: 1.24.6
     environment:
       # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
       # to the IP address where your ACME client's solver is listening. This is
diff --git a/test/boulder-tools/tag_and_upload.sh b/test/boulder-tools/tag_and_upload.sh
@@ -12,7 +12,7 @@ DOCKER_REPO="letsencrypt/boulder-tools"
 # .github/workflows/release.yml,
 # .github/workflows/try-release.yml if appropriate,
 # and .github/workflows/boulder-ci.yml with the new container tag.
-GO_CI_VERSIONS=( "1.24.4" )
+GO_CI_VERSIONS=( "1.24.6" )
 
 echo "Please login to allow push to DockerHub"
 docker login
