fix(security): upgrade Go to 1.25.5 to fix CVE-2025-61729 #1072
GrammaTonic wants to merge 7 commits into main from
Conversation
- Add detailed squash merge benefits (7 key advantages)
- Include recommended gh pr create commands with markdown file usage
- Add explicit merge instructions for CLI and Web UI
- Expand back-sync section with mandatory warnings and step-by-step guide
- Add alternative back-sync method using GitHub CLI
- Include verification commands and troubleshooting steps
- Apply updates to both AI instructions and actual PR template
- Ensure consistency between Copilot guidance and user-facing template

This update ensures all PRs display comprehensive squash merge and back-sync instructions, preventing common issues like 'ahead' status and merge conflicts.
Phase 1 implementation complete with all code tasks validated. Testing to be completed in develop branch.
….28.0 to 0.33.1 Automatically merged Dependabot PR after CI validation.
Automatically merged Dependabot PR after CI validation.
Automatically merged Dependabot PR after CI validation.
- Update Go version from 1.25.4 to 1.25.5 in Dockerfile.chrome-go
- Fixes HIGH severity vulnerability in stdlib HostnameError.Error()
- Prevents excessive resource consumption from malicious certificates
- Resolves quadratic runtime issue in error string construction

Fixes: CVE-2025-61729
Related: https://github.com/GrammaTonic/github-runner/security/code-scanning/5682
Summary of Changes

Hello @GrammaTonic, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a substantial set of new functionalities and updates, despite its title indicating solely a security fix. While it does include an essential upgrade of the Go version to 1.25.5 to patch a high-severity CVE, the primary focus of the changes is on enhancing development workflows through new AI chat modes and prompts, alongside integrating robust Prometheus-based monitoring for GitHub Actions self-hosted runners. These additions aim to improve planning, documentation, and observability within the development environment.
Code Review
This pull request introduces several new chat modes for planning, PRD generation, technical spike research, and task planning/research, alongside updates to existing chat mode tool lists. A significant portion of the changes involves the implementation of a Prometheus metrics endpoint and Grafana dashboard for GitHub Actions self-hosted runners. The core of the review comments highlights a critical inconsistency: while the implementation plan and spike documents initially recommended a netcat-based bash scripting approach for metrics collection, the actual code implements a Go-based metrics exporter. This discrepancy leads to numerous outdated tasks, dependencies, risks, and documentation examples across various planning and specification files, which need to be reconciled to accurately reflect the Go implementation. Additionally, several review comments point out minor inconsistencies in tool listings within chat mode frontmatters, incorrect code block language declarations in documentation templates, and a hardcoded Go version in the new go.mod file.
| - **TEST-001**: **Metrics Server Script** - Test that `/tmp/metrics-server.sh` responds to HTTP requests on port 9091 with HTTP 200 and valid Prometheus format. Mock netcat with controlled input/output. | ||
|
|
| ## 3. HTTP Server Options Research | ||
|
|
||
| ### 3.1 Netcat HTTP Server | ||
|
|
||
| **Capabilities:** | ||
|
|
||
| - Serves simple HTTP responses using `nc -l` (listen mode) | ||
| - Can send static HTTP responses (headers + body) | ||
| - Supports basic HTTP/1.1 protocol with proper headers | ||
| - Single connection per invocation (requires loop for persistent serving) | ||
| - Available in all major Linux distributions including Ubuntu | ||
|
|
||
| **Syntax:** | ||
|
|
||
| ```bash | ||
| # Basic single-response pattern (from implementation plan) | ||
| echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nmetrics_here" | nc -l -p 9091 | ||
|
|
||
| # Persistent server loop pattern (required for Prometheus scraping) | ||
| while true; do | ||
| echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r\n$(cat /tmp/runner_metrics.prom)" | nc -l -p 9091 | ||
| done | ||
| ``` | ||
|
|
||
| **Pros:** | ||
|
|
||
| - ✅ Extremely lightweight (<1MB memory footprint) | ||
| - ✅ Pre-installed on most Linux systems (including ubuntu:questing) | ||
| - ✅ Simple syntax, easy to understand and maintain | ||
| - ✅ No compilation required (pure shell command) | ||
| - ✅ Meets constraint CON-002 requirement ("Must use netcat (nc) for HTTP server") | ||
| - ✅ Minimal CPU overhead (suitable for <1% CPU requirement) | ||
| - ✅ File-based metrics serving (reads from /tmp/runner_metrics.prom) | ||
| - ✅ Proper Prometheus text format support via Content-Type header | ||
|
|
||
| **Cons:** | ||
|
|
||
| - ❌ Single connection per invocation (requires `while true` loop) | ||
| - ❌ No built-in HTTP parsing (assumes all requests are GET /metrics) | ||
| - ❌ No request validation (serves same response to all requests) | ||
| - ❌ Blocks until connection closes (each scrape requires new nc process) | ||
| - ❌ No error handling (crashes exit the loop, requires restart logic) | ||
| - ❌ No logging of requests (difficult to debug scrape issues) | ||
|
|
||
| **Suitability Assessment:** | ||
|
|
||
| - ✅ **SUITABLE** for Prometheus metrics endpoint (Requirement REQ-001, REQ-002) | ||
| - ✅ Meets performance requirements (NFR-001: <1% CPU, NFR-002: <50MB memory) | ||
| - ✅ Satisfies constraint CON-002 (netcat requirement) | ||
| - ⚠️ Requires wrapper for reliability (restart on failure, signal handling) | ||
| - ⚠️ Should include basic error handling in loop structure | ||
| - ✅ Simple enough to maintain in bash (aligns with CON-001: no Python/Node.js) | ||
|
|
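Review bot: the persistent-server pattern in the Syntax block (`while true; do echo -e ... | nc -l -p 9091; done`) listens on every interface and answers any client that connects, and the `-l -p` combination is not accepted uniformly across netcat-traditional, netcat-openbsd and ncat (the OpenBSD variant, the default on Debian/Ubuntu, has historically rejected `-p` together with `-l`), so the Capabilities claim "Available in all major Linux distributions" and the Pros claim "Pre-installed on most Linux systems (including ubuntu:questing)" overstate portability; suggest naming the nc implementation the spike was validated against and adding a bind address to the listen command. The loop also serves `$(cat /tmp/runner_metrics.prom)` from a world-writable directory that every job on the runner can write to, which belongs in the Cons list, and the ✅ for REQ-001/REQ-002 in the Suitability Assessment should be conditional on the metrics file living somewhere jobs cannot modify.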
| - ✅ All tests pass with <1% CPU overhead | ||
|
|
||
| ### 🔗 Dependencies | ||
| - Technical spike SPIKE-001 (APPROVED) - netcat-based approach validated |
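Review bot: the success criterion "All tests pass with <1% CPU overhead" at the top of the hunk gives no measurement method or baseline (sampling window, which process is measured, idle versus job-running), so the checkbox cannot be verified as written; suggest stating how the figure is obtained and on which runner image.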
The dependency on 'Technical spike SPIKE-001 (APPROVED) - netcat-based approach validated' is listed. This spike's recommendation for a netcat-based approach directly contradicts the Go implementation. This dependency should be updated to reflect the actual implementation or a new spike for the Go approach.
| - [ ] **TASK-001**: Create metrics HTTP server script (`/tmp/metrics-server.sh`) using netcat that listens on port 9091 and serves `/tmp/runner_metrics.prom` file in Prometheus text format | ||
| - [ ] **TASK-002**: Create metrics collector script (`/tmp/metrics-collector.sh`) that updates metrics every 30 seconds by reading `/tmp/jobs.log` and system stats |
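Review bot: TASK-001 and TASK-002 place the server script, the collector script, the served metrics file and the `/tmp/jobs.log` input all under `/tmp`, a directory every job executed by the runner can write to, so a job could replace the script or the log and control what the endpoint reports; suggest a dedicated directory owned by the account running the exporter, with the job log read from a location jobs cannot write to.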
TASK-001 and TASK-002 describe creating bash scripts (/tmp/metrics-server.sh, /tmp/metrics-collector.sh). However, the actual implementation uses a Go binary (cmd/metrics-exporter/main.go). These tasks are now misaligned with the implemented solution and should be updated to reflect the Go implementation.
|
|
||
| ### Phase 1: Custom Metrics Endpoint (Week 1) | ||
|
|
||
| **Objective:** Deploy basic monitoring stack with Prometheus, Grafana, Node Exporter, and cAdvisor. |
Phase 1 of the implementation plan is described as 'Deploy basic monitoring stack with Prometheus, Grafana, Node Exporter, and cAdvisor.' This contradicts the plan/feature-prometheus-monitoring-1.md document, which defines Phase 1 as 'Custom Metrics Endpoint - Standard Runner' and explicitly states that Prometheus/Grafana deployment is out of scope. This is a major inconsistency that needs to be reconciled.
| @@ -0,0 +1,169 @@ | |||
| --- | |||
| description: 'Systematically research and validate technical spike documents through exhaustive investigation and controlled experimentation.' | |||
| tools: ['runCommands', 'runTasks', 'edit', 'runNotebooks', 'search', 'extensions', 'usages', 'vscodeAPI', 'think', 'problems', 'changes', 'testFailure', 'openSimpleBrowser', 'fetch', 'githubRepo', 'todos', 'Microsoft Docs', 'search'] | |||
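Review bot: the `tools` array lists `'search'` twice (fifth entry and last entry); suggest dropping the trailing duplicate so the frontmatter does not depend on how the loader handles repeated tool names.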
| --- | ||
|
|
||
| description: 'Generate a comprehensive Product Requirements Document (PRD) in Markdown, detailing user stories, acceptance criteria, technical considerations, and metrics. Optionally create GitHub issues upon user confirmation.' | ||
| tools: ['codebase', 'edit/editFiles', 'fetch', 'findTestFiles', 'list_issues', 'githubRepo', 'search', 'add_issue_comment', 'create_issue', 'update_issue', 'get_issue', 'search_issues'] |
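Review bot: the `tools` array entry `'edit/editFiles'` looks like two tool identifiers joined by a slash; the other chat modes in this PR list `'edit'` on its own, so suggest picking one identifier (or listing both as separate entries) so the tool resolves as intended.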
The tools array lists github as a tool, alongside more specific GitHub-related tools like create_issue, search_issues, update_issue, and add_issue_comment. If github is meant to be a general wrapper, it might be redundant or its scope needs clarification. It's generally better to list specific tools for clarity and to avoid ambiguity in agent capabilities.
| - **External Research**: Use `fetch` to access external documentation and resources | ||
| - **Repository Context**: Use `githubRepo` to understand project history and collaboration patterns | ||
| - **VSCode Integration**: Use `vscodeAPI` and `extensions` tools for IDE-specific insights | ||
| - **External Services**: Use MCP tools like `mcp-atlassian` for project management context and `browser-automation` for web-based research |
The 'Information Gathering Tools' section mentions mcp-atlassian and browser-automation as external services. However, these tools are not listed in the tools array in the frontmatter. Please ensure all mentioned tools are either included in the tools array or clarified as conceptual capabilities not directly mapped to a tool.
| @@ -0,0 +1,114 @@ | |||
| --- | |||
| description: 'Strategic planning and architecture assistant focused on thoughtful analysis before implementation. Helps developers understand codebases, clarify requirements, and develop comprehensive implementation strategies.' | |||
| tools: ['codebase', 'extensions', 'fetch', 'findTestFiles', 'githubRepo', 'problems', 'search', 'searchResults', 'usages', 'vscodeAPI'] | |||
Closing this PR as it contains unrelated changes beyond the security fix. Creating a clean PR with only the CVE-2025-61729 fix.
📋 Pull Request Description
🔀 Merge Strategy
This repository uses SQUASH MERGE as the standard merge strategy.
Summary
This PR fixes CVE-2025-61729, a HIGH severity security vulnerability in Go's standard library affecting version 1.25.4.
Type of Change
Related Issues
🔄 Changes Made
Files Modified

docker/Dockerfile.chrome-go - Updated Go version from 1.25.4 to 1.25.5

Key Changes
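As an added example (not code from this PR or from the github-runner project), the following POSIX shell gate fails when a Dockerfile pins a Go base image older than the patched release, which is the check a CI job would run to keep the 1.25.4 to 1.25.5 bump from regressing. It assumes Go is pinned through a `golang:<version>` tag, which is an assumption about Dockerfile.chrome-go rather than something the PR shows.

```shell
#!/bin/sh
# Write a constructed Dockerfile pinning Go at $1 and print its path
# (stand-in for docker/Dockerfile.chrome-go; assumes a golang:<version> tag).
write_sample_dockerfile() {
  f=$(mktemp)
  printf 'FROM golang:%s-bookworm AS builder\nWORKDIR /src\nFROM ubuntu:24.04\n' "$1" > "$f"
  echo "$f"
}

# Print the Go version from the first "FROM golang:<version>" line, if any.
go_version_in() {
  sed -n 's/^FROM[[:space:]][[:space:]]*golang:\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 when dot-separated version $1 is numerically older than $2
# (numeric compare, so 1.25.10 is correctly newer than 1.25.5).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1
  }'
}

# Gate a Dockerfile on a minimum patched Go release: returns 1 when the
# pinned version is older, 2 when no golang tag is present, 0 otherwise.
check_go_version() {
  found=$(go_version_in "$1")
  if [ -z "$found" ]; then
    echo "$1: no golang base-image tag found"
    return 2
  fi
  if version_lt "$found" "$2"; then
    echo "$1: Go $found is older than $2 (CVE-2025-61729 is fixed in 1.25.5)"
    return 1
  fi
  echo "$1: Go $found satisfies minimum $2"
  return 0
}

# Demo run against the constructed sample: reports Go 1.25.4 as vulnerable.
sample=$(write_sample_dockerfile 1.25.4)
check_go_version "$sample" 1.25.5 || echo "exit status $? would fail a CI gate"
rm -f "$sample"
```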
Vulnerability Details
🧪 Testing
Testing Performed
Test Coverage
🔒 Security Considerations
📚 Documentation
🚀 Deployment Notes
✅ Checklist
🤖 AI Review Request
/cc @copilot
Note for Reviewers:
This is a critical security fix that should be merged and deployed promptly. The change is minimal (single line) and low-risk, upgrading Go to the patched version that resolves CVE-2025-61729.