Update yq and actionlint to remove suppressed Go stdlib CVEs

[lex57ukr]

Goal

Remove the .trivyignore suppressions for CVE-2026-25679 and CVE-2026-27137 by updating yq and actionlint to versions built with Go >= 1.26.1.

Scope

• Watch for a yq release built with Go >= 1.26.1 (currently v4.52.4 on Go 1.26.0)
• Watch for an actionlint release built with Go >= 1.26.1 (currently v1.7.11 on Go 1.25.7)
• Run make resolve TOOLS=yq and/or make resolve TOOLS=actionlint to pin the new versions
• Remove the corresponding CVE entries from images/ci-tools/.trivyignore
• Verify with make scan

Outcome

The ci-tools image passes Trivy scans without suppressions for these two CVEs.

Notes

Suppressed in #95. The CVE monitor will continue to flag these until this follow-up is completed, but the suppressions keep CI green in the interim.

[lex57ukr]

actionlint still on Go 1.25.7, no new release yet

[lex57ukr]

Adding CVE-2026-32282 to the same tracking scope — it surfaced today on make scan and affects all three Go binaries in the image:

• actionlint v1.7.11 (Go 1.25.7)
• shfmt v3.13.0 (Go 1.26.1)
• yq v4.52.5 (Go 1.26.1)

Fixed in Go 1.25.9 / 1.26.2. Upstream actions/setup-go with go-version: '1.26' was still pulling 1.26.1 as of 2026-04-06 (shfmt v3.13.1 release, built on go1.26.1) and 2026-03-30 (actionlint v1.7.12 release run #23759174226).

Bumping to the latest releases (shfmt v3.13.1, actionlint v1.7.12) does not fix this CVE, so the new entry in .trivyignore will need to stick around until upstream rebuilds pick up Go 1.25.9 / 1.26.2.

Fold-in checklist:

• Watch for yq, shfmt, and actionlint releases built with Go >= 1.25.9 or 1.26.2
• Remove CVE-2026-32282 from images/ci-tools/.trivyignore

[lex57ukr]

Status update as of 2026-04-18:

The original scope (removing CVE-2026-25679 and CVE-2026-27137 suppressions) has shifted as new Go stdlib CVEs landed. Current state of .trivyignore suppressions tracked here:

CVE	Affected	Fixed in Go	Status
CVE-2026-25679	actionlint v1.7.12	1.25.8 / 1.26.1	upstream still on Go 1.26.1 — suppression may now be stale
CVE-2026-32282	actionlint, shfmt	1.25.9 / 1.26.2	waiting on upstream rebuild
CVE-2026-32280	actionlint, shfmt	1.25.9 / 1.26.2	waiting on upstream rebuild (suppressed in #118)
CVE-2026-33810	actionlint, shfmt	1.26.2	waiting on upstream rebuild (suppressed in #118)

Current upstream versions:

• actionlint v1.7.12 — released 2026-03-30, built on Go 1.26.1
• shfmt v3.13.1 — released 2026-04-06, built on Go 1.26.1

yq was bumped to v4.53.2 in #118 and is off the list entirely.

Next action: all four suppressions should clear once both tools ship releases on Go ≥ 1.26.2. CVE-2026-25679 may already be removable — worth testing on the next scan.