toil(bootstrapper): fix CVE-2025-22868, bump go to 1.23 (#444)

skipi · web-flow · commit 3dc98d61830f · 2025-07-23T08:32:20.000-03:00
## 📝 Description - Fixes CVE-2025-22868 - Bumps golang to 1.23 ## ✅ Checklist - [x] I have tested this change - [ ] This change requires documentation update
diff --git a/bootstrapper/Dockerfile b/bootstrapper/Dockerfile
@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.22
+ARG GO_VERSION=1.23
 ARG UBUNTU_VERSION=3.17.7
 ARG ALPINE_VERSION=3.20.3
 ARG BUILDER_IMAGE="golang:${GO_VERSION}"
@@ -12,7 +12,7 @@ ENV APP_NAME=${APP_NAME}
 RUN echo "Build of $APP_NAME started"
 
 RUN apt-get update -y && apt-get install --no-install-recommends -y ca-certificates unzip curl libc-bin libc6 \
-    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+  && apt-get clean && rm -f /var/lib/apt/lists/*_*
 
 WORKDIR /app
 COPY pkg pkg
@@ -63,4 +63,4 @@ COPY --from=builder --chown=nobody:root /app/build/${APP_NAME} /app/build/${APP_
 
 USER nobody
 
-CMD [ "/bin/sh",  "-c", "/app/build/${APP_NAME}" ]
+CMD [ "/bin/sh",  "-c", "/app/build/${APP_NAME}" ]
diff --git a/bootstrapper/go.mod b/bootstrapper/go.mod
@@ -1,8 +1,8 @@
 module github.com/semaphoreio/semaphore/bootstrapper
 
-go 1.22.7
+go 1.23.0
 
-toolchain go1.22.9
+toolchain go1.24.3
 
 require (
 	github.com/golang/protobuf v1.5.4
@@ -43,7 +43,7 @@ require (
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/oauth2 v0.23.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
diff --git a/bootstrapper/go.sum b/bootstrapper/go.sum
@@ -116,8 +116,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
