Skip to content

Bump Go toolchain to 1.25 to unblock dependabot updates (was #3955) #3991

Description

@piotr-roslaniec

Background

Dependabot PR #3955 ostensibly bumped github.com/ipld/go-ipld-prime from 0.21.0 → 0.23.0, but in practice it pulled in a much larger change set that we can't accept passively. The PR has been closed; this issue tracks the work needed to land the underlying upgrades intentionally.

What #3955 actually changed

  • go.mod: go 1.24 / toolchain go1.24.1go 1.25.7 (raises the minimum Go version by a full minor)
  • golang.org/x/crypto 0.32.0 → 0.50.0 (18 minors; needs API-break review)
  • golang.org/x/sync 0.10.0 → 0.20.0
  • golang.org/x/term 0.28.0 → 0.42.0
  • New indirect dep: golang.org/x/telemetry v0.0.0-20260311193753-579e4da9a98c
  • Transitive bumps across the IPFS/libp2p stack: go-cid 0.5→0.6, multibase 0.2→0.3, multicodec 0.9→0.10, varint 0.0.7→0.1, mr-tron/base58 1.2→1.3, polydawn/refmt 0.89.0 → 0.89.1-pre, plus the originally-targeted go-ipld-prime 0.21→0.23

Why CI fails

go: go.mod requires go >= 1.25.7 (running go 1.24.11; GOTOOLCHAIN=local)
ERROR: failed to build: process "/bin/sh -c go mod download" did not complete successfully

The client-build-test-publish job uses golang:1.24-alpine3.21 (and golang:1.24-bullseye for the binary stage) with GOTOOLCHAIN=local, so Go cannot auto-download a newer toolchain.

Proposed work, in order

  1. Toolchain upgrade PR (standalone)

    • Update Dockerfile: golang:1.24-alpine3.21golang:1.25-alpine (line 1) and golang:1.24-bullseyegolang:1.25-bookworm (line 111)
    • Audit .github/workflows/*.yml for any pinned Go version (e.g. go-version: inputs)
    • Bump go.mod go directive to 1.25 (keep toolchain only if we want to pin)
    • Verify actions/setup-go usage matches
    • Smoke-test the full Docker build, go test ./..., and a release build
  2. golang.org/x/crypto 0.32 → 0.50 PR (standalone, after Initial CircleCI setup #1)

    • Review the changelog for breaking changes in ed25519, ssh, acme, chacha20, etc.
    • Search call sites in pkg/, internal/, cmd/ for affected APIs
    • Run the full test suite incl. integration
  3. Telemetry decision

    • Decide whether to accept golang.org/x/telemetry as an indirect dep, or pin/replace it. (It is the Go toolchain's opt-in telemetry; usually benign as an indirect, but worth a deliberate ack.)
  4. Regenerate the IPLD / libp2p stack bumps

    • Once Initial CircleCI setup #1 lands, Dependabot will reopen with a cleaner diff. Review go-ipld-prime 0.21→0.23 changelog (we use it transitively via libp2p/IPFS).

Acceptance

  • client-build-test-publish is green on main after each step.
  • go version in built images matches go.mod.
  • No silent toolchain or x/crypto API regressions in the client.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions