fix(grafana-datasource): build with Go 1.26.4 to patch stdlib vulnerabilities
GitHub issue · Closed
Addresses the warnings from Grafana’s catalog review of the plugin (ticket #232399).
1. Security: build with Go 1.26.4 (govulncheck)
Grafana’s review flagged govulncheck findings in the published 0.1.0 backend binaries:
| OSV | Package | Fixed in |
|---|---|---|
| GO-2026-5037 | crypto/x509 | go1.26.4 |
| GO-2026-5038 | mime | go1.26.4 |
| GO-2026-5039 | net/textproto | go1.26.4 |
All three are Go standard-library vulnerabilities that the toolchain compiles into the binary, so the only fix is rebuilding with a patched Go. Bumps the Go pin 1.26.3 → 1.26.4 in all four places it is set: go.work, go.mod, grafana-datasource/mise.toml (which CI checks via mise-action), and the release workflow's setup-go step (which builds the published binaries).
Verified: the rebuilt binary reports go1.26.4, `govulncheck -mode binary` reports “No vulnerabilities found” (was 3), and `go vet` + `go test ./...` pass.
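Because the toolchain version is pinned in four separate files, a bump that misses one leaves CI and the release build on different Go versions, and the stdlib fix verified in CI never reaches the published binary. The script below is an added example, not code from the tuist/tuist repository or this PR: `check_go_pins` fails if any pin disagrees with the expected version, and `verify_binary` automates the manual check reported above (`go version` on the binary, then `govulncheck -mode binary`). The file layout it assumes is a guess at the repository's: go.work at the root, grafana-datasource/go.mod, grafana-datasource/mise.toml, and a release workflow at .github/workflows/release.yml that calls actions/setup-go with `go-version`; `make_sample_tree` writes a constructed fixture so the check can be tried without a checkout.

```shell
#!/bin/sh
# Added example, not code from the tuist/tuist repository or this PR.
# Checks that every place the Go toolchain is pinned agrees on one version,
# then verifies a rebuilt binary the way the PR description does by hand.
# Assumed layout (mirrors the four pins the PR names): go.work at the repo
# root, grafana-datasource/go.mod, grafana-datasource/mise.toml, and a
# release workflow at .github/workflows/release.yml using actions/setup-go.

WORKFLOW=.github/workflows/release.yml   # assumed path of the release workflow

# Print "<file> <version>" for each pin, or "MISSING" when none is found.
list_go_pins() {
  dir=$1
  # go.work and go.mod carry a "go X.Y.Z" directive.
  for f in go.work grafana-datasource/go.mod; do
    v=$(sed -n 's/^go \([0-9][0-9.]*\) *$/\1/p' "$dir/$f" 2>/dev/null || :)
    printf '%s %s\n' "$f" "${v:-MISSING}"
  done
  # mise.toml pins the tool as go = "X.Y.Z" under [tools].
  v=$(sed -n 's/^go *= *"\([0-9][0-9.]*\)".*/\1/p' "$dir/grafana-datasource/mise.toml" 2>/dev/null || :)
  printf '%s %s\n' grafana-datasource/mise.toml "${v:-MISSING}"
  # setup-go reads go-version: X.Y.Z (quoted or not); first occurrence wins.
  v=$(sed -n 's/^ *go-version: *"\{0,1\}\([0-9][0-9.]*\)"\{0,1\}.*/\1/p' "$dir/$WORKFLOW" 2>/dev/null | head -n 1)
  printf '%s %s\n' "$WORKFLOW" "${v:-MISSING}"
}

# Succeed only when every pin equals EXPECTED; otherwise list the drifted files.
# A pin left behind means CI and the published binaries use different toolchains,
# so a stdlib fix verified in CI may never reach the release artifact.
check_go_pins() {
  dir=$1; expected=$2
  bad=$(list_go_pins "$dir" | awk -v want="$expected" '$2 != want')
  if [ -n "$bad" ]; then
    printf 'Go pin drift, want %s:\n%s\n' "$expected" "$bad" >&2
    return 1
  fi
}

# After rebuilding: the binary must embed the patched toolchain and be clean under
# govulncheck -mode binary, the check Grafana's review runs on published binaries.
verify_binary() {
  bin=$1; expected=$2
  got=$(go version "$bin" | awk '{ print $2 }')   # "<path>: go1.26.4" -> go1.26.4
  if [ "$got" != "go$expected" ]; then
    printf '%s built with %s, want go%s\n' "$bin" "$got" "$expected" >&2
    return 1
  fi
  govulncheck -mode binary "$bin"
}

# Constructed fixture for trying the check without a real checkout: writes the
# four pin files with the versions given (the module path is a placeholder).
make_sample_tree() {
  dir=$1
  mkdir -p "$dir/grafana-datasource" "$dir/$(dirname "$WORKFLOW")"
  printf 'go %s\n\nuse ./grafana-datasource\n' "$2" > "$dir/go.work"
  printf 'module example.invalid/grafana-datasource\n\ngo %s\n' "$3" > "$dir/grafana-datasource/go.mod"
  printf '[tools]\ngo = "%s"\n' "$4" > "$dir/grafana-datasource/mise.toml"
  printf 'jobs:\n  release:\n    steps:\n      - uses: actions/setup-go@v5\n        with:\n          go-version: "%s"\n' "$5" > "$dir/$WORKFLOW"
}

# Usage: sh check_go_pins.sh <repo-dir> <expected-version> [<rebuilt-binary>]
if [ $# -ge 2 ]; then
  check_go_pins "$1" "$2" || exit 1
  if [ $# -ge 3 ]; then verify_binary "$3" "$2"; fi
fi
```

Run as `sh check_go_pins.sh . 1.26.4 ./dist/<backend-binary>` before merging a toolchain bump; the pin check needs only `sed` and `awk`, while `verify_binary` needs the `go` and `govulncheck` tools on PATH. Provenance of the published zip is a separate check, covered by the `gh attestation verify <zip> --repo tuist/tuist` command from the next section once the release workflow attests its artifacts.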
2. Build provenance attestation
The review also noted the lack of a provenance attestation (“Cannot verify plugin build”). Adds actions/attest-build-provenance to the release workflow so each published zip gets an OIDC-signed build-provenance attestation, verifiable with `gh attestation verify <zip> --repo tuist/tuist`. Grants the job the `id-token: write` and `attestations: write` permissions.
Also addressed outside this PR (no code change)
- source-code-not-provided: the submission used a commit-SHA tree URL; Grafana clones with `git clone --branch <ref>`, which rejects SHAs. Resubmit with the tag form, confirmed working against @grafana/plugin-validator: https://github.com/tuist/tuist/tree/grafana-datasource@0.1.1/grafana-datasource
Release
The `fix:` commit touches grafana-datasource/**, so merging auto-cuts an unsigned 0.1.1 with the patched binaries and provenance (signing stays deferred until Grafana grants a signature level). The 0.1.1 zip and the tag-form source URL are what get resubmitted to the review.
🤖 Generated with Claude Code