build: upgrade Go toolchain from 1.25.7 to 1.26.1

[lklimek]

Summary

• Upgrades Go toolchain from 1.25.7 to 1.26.1 across all 15 files: go.mod, CI workflows, Dockerfiles, BLS action, docs, and README
• Required for oasis-core/go v0.2600.0 which declares go 1.26.0 in its module directive
• No application code changes — purely version string replacements

Files changed

• go.mod — go directive
• .github/workflows/ — 6 workflow files + BLS composite action
• DOCKER/Dockerfile, test/docker/Dockerfile, test/e2e/docker/Dockerfile
• README.md, docs/tutorials/go-built-in.md, docs/tutorials/go.md, test/fuzz/README.md

Test plan

• All CI workflows pass with Go 1.26.1
• Docker images build successfully
• After merge, dependabot PR build(deps): Bump github.com/oasisprotocol/oasis-core/go from 0.2509.0 to 0.2600.0 #1283 (oasis-core bump) should become viable

_{🤖 Co-authored by Claudius the Magnificent AI Agent}

Summary by CodeRabbit

• Chores
  • Updated Go toolchain version from 1.25.7 to 1.26.1 across CI/CD workflows, build configurations, Docker images, and documentation.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request updates the Go toolchain version from 1.25.7 to 1.26.1 across all GitHub Actions workflows, Docker configurations, go.mod, and documentation files. No functional changes or logic modifications are present.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/build.yml, .github/workflows/check-generated.yml, .github/workflows/e2e.yml, .github/workflows/lint.yml, .github/workflows/release.yml, .github/workflows/tests.yml	Updated Go version from 1.25.7 to 1.26.1 in setup-go steps across all workflows.
GitHub Actions Configuration .github/actions/bls/action.yml	Updated Go version from 1.25.7 to 1.26.1 in action configuration.
Docker Configurations DOCKER/Dockerfile, test/docker/Dockerfile, test/e2e/docker/Dockerfile	Updated base Docker image Go version from 1.25.7 to 1.26.1 in GOLANG_VERSION ARG declarations.
Go Module & Documentation go.mod, README.md, docs/tutorials/go.md, docs/tutorials/go-built-in.md, test/fuzz/README.md	Updated Go version references from 1.25.7 to 1.26.1 in module file and documentation examples.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 From twenty-five point seven we hop,
To twenty-six point one, we won't stop!
Across workflows and dockerfiles we go,
With consistency, steady and slow.
Go forth with the new, the updated, the bright! 🚀

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: upgrading the Go toolchain version from 1.25.7 to 1.26.1 across the repository.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/upgrade-go-1.26.1

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

test/docker/Dockerfile (1)

1-42: Run the test image as a non-root user.

From Line 1 onward, there is no USER instruction, so runtime defaults to root. This can fail policy gates and hide permission issues during tests.

🔒 Proposed hardening

 # Now copy in the code # NOTE: this will overwrite whatever is in vendor/ COPY . $REPO +RUN useradd --create-home --uid 10001 tenderdash && \ + chown -R tenderdash:tenderdash $REPO +USER tenderdash + # expose the volume for debugging VOLUME $REPO

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@test/docker/Dockerfile` around lines 1 - 42, The Dockerfile currently leaves the container running as root; create and switch to a non-root user (e.g., add a dedicated user/group and use USER) and ensure $REPO ownership/permissions are set so that subsequent runtime operations (tenderdash testnet, VOLUME $REPO, exposed ports) work without root: during image build (before the final COPY/VOLUME/EXPOSE and before invoking tenderdash for the test data or at the end of the file) create the user/group, chown $REPO and any bin dirs (GOBIN) to that user, and add a USER instruction to run the container as that non-root user while keeping privileged install steps (make tools, make install, install_abci) executed as root earlier in the Dockerfile so builds succeed. 

.github/workflows/lint.yml (1)

43-43: Pin exact Go version in lint workflow for deterministic CI.

Line 43 uses ^1.26.1, which can drift to newer 1.x releases. All other workflows pin to "1.26.1" exactly; align this for consistency.

♻️ Proposed change

- go-version: "^1.26.1" + go-version: "1.26.1"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In @.github/workflows/lint.yml at line 43, The lint workflow currently pins Go using a caret range ("^1.26.1") which allows unintended upgrades; change the go-version setting from "^1.26.1" to the exact string "1.26.1" so it matches other workflows and ensures deterministic CI (update the value referenced as go-version in the lint workflow). 

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed. Inline comments: In @.github/actions/bls/action.yml: - Around line 16-19: Update the GitHub Action step that currently reads "uses: actions/setup-go@v2" to match other workflows by using the newer release tag (e.g., "actions/setup-go@v6.3.0"); keep the existing "with: go-version: \"1.26.1\"" input unchanged and ensure the surrounding step (the "uses: actions/checkout@v6" step) remains intact so the job configuration stays consistent. --- Nitpick comments: In @.github/workflows/lint.yml: - Line 43: The lint workflow currently pins Go using a caret range ("^1.26.1") which allows unintended upgrades; change the go-version setting from "^1.26.1" to the exact string "1.26.1" so it matches other workflows and ensures deterministic CI (update the value referenced as go-version in the lint workflow). In `@test/docker/Dockerfile`: - Around line 1-42: The Dockerfile currently leaves the container running as root; create and switch to a non-root user (e.g., add a dedicated user/group and use USER) and ensure $REPO ownership/permissions are set so that subsequent runtime operations (tenderdash testnet, VOLUME $REPO, exposed ports) work without root: during image build (before the final COPY/VOLUME/EXPOSE and before invoking tenderdash for the test data or at the end of the file) create the user/group, chown $REPO and any bin dirs (GOBIN) to that user, and add a USER instruction to run the container as that non-root user while keeping privileged install steps (make tools, make install, install_abci) executed as root earlier in the Dockerfile so builds succeed. 

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4d981bc6-9e6c-408f-abda-03e81c9a2040

📥 Commits

Reviewing files that changed from the base of the PR and between 297c65c and 0861100.

📒 Files selected for processing (15)

• .github/actions/bls/action.yml
• .github/workflows/build.yml
• .github/workflows/check-generated.yml
• .github/workflows/e2e.yml
• .github/workflows/lint.yml
• .github/workflows/release.yml
• .github/workflows/tests.yml
• DOCKER/Dockerfile
• README.md
• docs/tutorials/go-built-in.md
• docs/tutorials/go.md
• go.mod
• test/docker/Dockerfile
• test/e2e/docker/Dockerfile
• test/fuzz/README.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Verify all setup-go action versions used in repository workflows/actions rg -nP 'uses:\s*actions/setup-go@' .github

Repository: dashpay/tenderdash

Length of output: 767

---

Upgrade actions/setup-go to align with other workflows.

Line 16 uses actions/setup-go@v2 while all other workflows use @v6.3.0. Standardizing on the same major version prevents CI setup drift.

♻️ Proposed update

- - uses: actions/setup-go@v2 + - uses: actions/setup-go@v6.3.0

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- uses: actions/setup-go@v2
	with:
	go-version: "1.25.7"
	go-version: "1.26.1"
	- uses: actions/checkout@v6
	- uses: actions/setup-go@v6.3.0
	with:
	go-version: "1.26.1"
	- uses: actions/checkout@v6

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In @.github/actions/bls/action.yml around lines 16 - 19, Update the GitHub Action step that currently reads "uses: actions/setup-go@v2" to match other workflows by using the newer release tag (e.g., "actions/setup-go@v6.3.0"); keep the existing "with: go-version: \"1.26.1\"" input unchanged and ensure the surrounding step (the "uses: actions/checkout@v6" step) remains intact so the job configuration stays consistent.