Skip to content

[https://nvbugs/6467684][fix] Bump the golang image tag to 1.23 and the license_checker pin to v0.3.1#16531

Open
trtllm-agent wants to merge 1 commit into
NVIDIA:mainfrom
tensorrt-cicd:repair-bot-bug6467684
Open

[https://nvbugs/6467684][fix] Bump the golang image tag to 1.23 and the license_checker pin to v0.3.1#16531
trtllm-agent wants to merge 1 commit into
NVIDIA:mainfrom
tensorrt-cicd:repair-bot-bug6467684

Conversation

@trtllm-agent

@trtllm-agent trtllm-agent commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Root cause: Jenkins pinned docker/golang:1.22 and license_checker@v0.3.0, both of which transitively bundle the vulnerable golang.org/x/net@v0.51.0 (CVE-2026-39821).
  • Fix: Bump the golang image tag to 1.23 and the license_checker pin to v0.3.1 so both artifacts pull x/net >= 0.55.0.
  • Automated fix generated by repair-bot

Test plan

  • Verify fix on the same GPU type as the original failure
  • Check for regressions in related tests

Links

Summary by CodeRabbit

  • Chores
    • Updated release checks to use the latest license-checking tool version.
    • Upgraded the Kubernetes package-stage environment to Go 1.23.

… >= 0.55.0

The Jenkins release-check pod pinned golang:1.22 (Go 1.22 bundles the
vulnerable golang.org/x/net@v0.51.0, CVE-2026-39821) and installed
license_checker@v0.3.0 built against that toolchain. Bump both pins:

- golang image tag 1.22 -> 1.23 (Go 1.23 ships x/net >= 0.55.0)
- license_checker@v0.3.0 -> v0.3.1 (rebuilt against the newer toolchain
  so the transitive x/net pin lands >= 0.55.0)

Signed-off-by: trtllm-agent <296075020+trtllm-agent@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Release-Check now installs license_checker v0.3.1 and uses the Go 1.23 package-stage container image.

Changes

Release-Check

Layer / File(s) Summary
Update Release-Check tool versions
jenkins/L0_MergeRequest.groovy
Updates license_checker from v0.3.0 to v0.3.1 and the package-stage image from Go 1.22 to Go 1.23.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: mzweilz

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is specific and matches the main change: updating the golang image and license_checker pin.
Description check ✅ Passed The description covers the fix, root cause, test plan, and bug link, but it omits the template's explicit Description and PR Checklist sections.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@jenkins/L0_MergeRequest.groovy`:
- Line 525: Update the image assignment in the release-check pod configuration
to use a supported Go image instead of the pinned golang:1.23 private image; if
retaining that image, document its security backports and license_checker
compatibility.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2e6d56f5-638c-4594-9456-3eadf5009554

📥 Commits

Reviewing files that changed from the base of the PR and between ed1a0b9 and b424a63.

📒 Files selected for processing (1)
  • jenkins/L0_MergeRequest.groovy

}

def image = "urm.nvidia.com/docker/golang:1.22"
def image = "urm.nvidia.com/docker/golang:1.23"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate the referenced line and nearby context.
sed -n '480,560p' jenkins/L0_MergeRequest.groovy

# Find other Go image pins and any license_checker compatibility references.
rg -n "golang:1\.23|license_checker|Go 1\.23|golang:" -S jenkins . || true

Repository: NVIDIA/TensorRT-LLM

Length of output: 4625


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n### jenkins/L0_MergeRequest.groovy (around line 525)\n'
sed -n '500,545p' jenkins/L0_MergeRequest.groovy

printf '\n### repository matches\n'
rg -n "urm\.nvidia\.com/docker/golang:1\.23|license_checker|golang:" -S jenkins . || true

Repository: NVIDIA/TensorRT-LLM

Length of output: 3070


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Repo-wide Go version references and toolchain declarations.
rg -n --hidden --glob '!**/.git/**' '\bgo1?\.23\b|\bgolang:1\.23\b|\bGo 1\.23\b|\bGOVERSION\b|\btoolchain\b|\bgo\s+[0-9]+\.[0-9]+' -S .

printf '\n### Relevant version files\n'
git ls-files | rg '(^|/)(go\.mod|go\.work|Makefile|README|Dockerfile|.*\.md|.*\.yml|.*\.yaml|.*\.groovy)$' || true

Repository: NVIDIA/TensorRT-LLM

Length of output: 50375


🌐 Web query:

Go release policy two latest versions supported July 2026 Go 1.26 1.25 official

💡 Result:

As of July 17, 2026, the official Go release policy dictates that each major Go release is supported until there are two newer major releases [1][2]. Under this policy, the two latest major versions of Go currently supported are Go 1.26 and Go 1.25 [3]. Go 1.26 is the most recent major release (initially released February 10, 2026), and Go 1.25 (released August 12, 2025) remains under support [1][2][3]. Previous versions, such as Go 1.24, have reached their end-of-life and are no longer receiving security updates or patches [3]. Active support for these versions includes the issuance of minor revisions to address critical stability or security issues [1][4].

Citations:


Bump the release-check pod to a supported Go image. If the private image stays pinned, document the security backports and license_checker compatibility.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@jenkins/L0_MergeRequest.groovy` at line 525, Update the image assignment in
the release-check pod configuration to use a supported Go image instead of the
pinned golang:1.23 private image; if retaining that image, document its security
backports and license_checker compatibility.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants