From 679066d9f01883f2fec8c86da5929291bb5fd7f8 Mon Sep 17 00:00:00 2001
From: Oleksandr Akhtyrskiy
Date: Mon, 13 Apr 2026 06:22:06 -0600
Subject: [PATCH] Bump shfmt/actionlint and suppress CVE-2026-32282 (Go stdlib)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Roll shfmt v3.13.0 → v3.13.1 and actionlint 1.7.11 → 1.7.12 for the non-security content in both releases. Neither upstream build carries a patched Go toolchain yet (both on go1.26.1), so CVE-2026-32282 (internal/syscall/unix: Root.Chmod symlink escape, fixed in Go 1.25.9 or 1.26.2) still trips the scan against all three Go binaries. Suppress CVE-2026-32282 for actionlint, shfmt, and yq under the existing stdlib tracker. None of the three binaries call os.Root.Chmod on untrusted filesystem input — they operate offline on local files under the user's own permissions — so the practical risk is negligible.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 cspell.json | 1 +
 images/ci-tools/.trivyignore | 18 +++++++++++++-----
 images/ci-tools/versions.lock | 12 ++++++------
 3 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/cspell.json b/cspell.json
index da2068a..aa3be42 100644
--- a/cspell.json
+++ b/cspell.json
@@ -25,6 +25,7 @@
 "startswith",
 "stdlib",
 "stylelint",
+ "syscall",
 "tinyglobby",
 "trivy",
 "xmlstarlet"
diff --git a/images/ci-tools/.trivyignore b/images/ci-tools/.trivyignore
index 70941ce..ab29d44 100644
--- a/images/ci-tools/.trivyignore
+++ b/images/ci-tools/.trivyignore
@@ -3,19 +3,27 @@
 # Tracking issue: #NN
 # CVE-YYYY-NNNNN
-# actionlint v1.7.11 (Go 1.25.7)
-# Go stdlib CVE — waiting on upstream release built with Go >= 1.25.8 or 1.26.1.
+# actionlint v1.7.12 (Go 1.25.7 for CVE-2026-25679; Go 1.26.1 for CVE-2026-32282)
+# Go stdlib CVEs — waiting on upstream releases built with a patched Go toolchain.
 #
 # actionlint is a lint tool that runs offline against local files.
-# It does not use net/url for parsing untrusted URLs at runtime,
-# so the practical risk is negligible.
-# Remove this entry once actionlint ships a build on Go >= 1.25.8 or 1.26.1.
+# It does not parse untrusted URLs with net/url, and it does not use
+# os.Root.Chmod on untrusted filesystem input, so the practical risk
+# for both CVEs is negligible.
 # net/url: Incorrect parsing of IPv6 host literals (fixed in Go 1.25.8 / 1.26.1)
 # Affects: actionlint (Go 1.25.7)
+# Remove this entry once actionlint ships a build on Go >= 1.25.8 or 1.26.1.
 # Tracking issue: #96
 CVE-2026-25679
+# internal/syscall/unix: Root.Chmod can follow symlinks out of the root
+# (fixed in Go 1.25.9 / 1.26.2)
+# Affects: actionlint (Go 1.25.7), shfmt v3.13.1 (Go 1.26.1), yq v4.52.5 (Go 1.26.1)
+# Remove this entry once all three ship builds on Go >= 1.25.9 or 1.26.2.
+# Tracking issue: #96
+CVE-2026-32282
+
 # picomatch: ReDoS via crafted extglob patterns (fixed in 4.0.4 / 3.0.2 / 2.3.2)
 # Affects: npm 11.12.1 bundled tinyglobby → picomatch 4.0.3
 # npm bundles its own dependencies; global install cannot override them.
diff --git a/images/ci-tools/versions.lock b/images/ci-tools/versions.lock
index e0e89c3..0f032e0 100644
--- a/images/ci-tools/versions.lock
+++ b/images/ci-tools/versions.lock
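Review bot: The new header line `# actionlint v1.7.12 (Go 1.25.7 for CVE-2026-25679; Go 1.26.1 for CVE-2026-32282)` and the `# Affects: actionlint (Go 1.25.7)` line kept under CVE-2026-25679 attribute two different Go toolchains to one actionlint binary, while the commit message says both bumped builds are on go1.26.1. If v1.7.12 really is built with go1.26.1, the net/url fix (Go 1.26.1) is already in it and the CVE-2026-25679 suppression should be retired in this change rather than carried forward; if it is still on 1.25.7, the commit message is wrong — either way, take the Go version from the scanner's report for the new binary and record one version per binary, e.g. `# Affects: actionlint v1.7.12 (Go <version from scan>)`. The yq v4.52.5 / Go 1.26.1 claim in the new Affects line cannot be checked from this diff (yq is not in the versions.lock hunk), so it deserves the same verification. Consider also giving the new suppression a review deadline with Trivy's expiry suffix, `CVE-2026-32282 exp:YYYY-MM-DD`, so the entry is revisited even if tracking issue #96 goes quiet.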
@@ -1,10 +1,10 @@
 NPM_VERSION=11.12.1
-SHFMT_VERSION=v3.13.0
-SHFMT_SHA256_AMD64=70aa99784703a8d6569bbf0b1e43e1a91906a4166bf1a79de42050a6d0de7551
-SHFMT_SHA256_ARM64=2091a31afd47742051a77bf7cfd175533ab07e924c20ef3151cd108fa1cab5b0
-ACTIONLINT_VERSION=1.7.11
-ACTIONLINT_SHA256_AMD64=900919a84f2229bac68ca9cd4103ea297abc35e9689ebb842c6e34a3d1b01b0a
-ACTIONLINT_SHA256_ARM64=21bc0dfb57a913fe175298c2a9e906ee630f747cb66d0a934d0d4b69f4ee1235
+SHFMT_VERSION=v3.13.1
+SHFMT_SHA256_AMD64=fb096c5d1ac6beabbdbaa2874d025badb03ee07929f0c9ff67563ce8c75398b1
+SHFMT_SHA256_ARM64=32d92acaa5cd8abb29fc49dac123dc412442d5713967819d8af2c29f1b3857c7
+ACTIONLINT_VERSION=1.7.12
+ACTIONLINT_SHA256_AMD64=8aca8db96f1b94770f1b0d72b6dddcb1ebb8123cb3712530b08cc387b349a3d8
+ACTIONLINT_SHA256_ARM64=325e971b6ba9bfa504672e29be93c24981eeb1c07576d730e9f7c8805afff0c6
 HADOLINT_VERSION=v2.14.0
 HADOLINT_SHA256_AMD64=6bf226944684f56c84dd014e8b979d27425c0148f61b3bd99bcc6f39e9dc5a47
 HADOLINT_SHA256_ARM64=331f1d3511b84a4f1e3d18d52fec284723e4019552f4f47b19322a53ce9a40ed