Suppress CVE-2026-32282 (Go stdlib Root.Chmod) and bump shfmt/actionlint

cspell.json

@@ -25,6 +25,7 @@
     "startswith",
     "stdlib",
     "stylelint",
+    "syscall",
     "tinyglobby",
     "trivy",
     "xmlstarlet"

images/ci-tools/.trivyignore

@@ -3,19 +3,27 @@
 # Tracking issue: #NN
 # CVE-YYYY-NNNNN
 
-# actionlint v1.7.11 (Go 1.25.7)
-# Go stdlib CVE — waiting on upstream release built with Go >= 1.25.8 or 1.26.1.
+# actionlint v1.7.12 (Go 1.25.7 for CVE-2026-25679; Go 1.26.1 for CVE-2026-32282)
+# Go stdlib CVEs — waiting on upstream releases built with a patched Go toolchain.
 #
 # actionlint is a lint tool that runs offline against local files.
-# It does not use net/url for parsing untrusted URLs at runtime,
-# so the practical risk is negligible.
-# Remove this entry once actionlint ships a build on Go >= 1.25.8 or 1.26.1.
+# It does not parse untrusted URLs with net/url, and it does not use
+# os.Root.Chmod on untrusted filesystem input, so the practical risk
+# for both CVEs is negligible.
 
 # net/url: Incorrect parsing of IPv6 host literals (fixed in Go 1.25.8 / 1.26.1)
 # Affects: actionlint (Go 1.25.7)
+# Remove this entry once actionlint ships a build on Go >= 1.25.8 or 1.26.1.
 # Tracking issue: #96
 CVE-2026-25679
 
+# internal/syscall/unix: Root.Chmod can follow symlinks out of the root
+# (fixed in Go 1.25.9 / 1.26.2)
+# Affects: actionlint (Go 1.25.7), shfmt v3.13.1 (Go 1.26.1), yq v4.52.5 (Go 1.26.1)
+# Remove this entry once all three ship builds on Go >= 1.25.9 or 1.26.2.
+# Tracking issue: #96
+CVE-2026-32282
+
 # picomatch: ReDoS via crafted extglob patterns (fixed in 4.0.4 / 3.0.2 / 2.3.2)
 # Affects: npm 11.12.1 bundled tinyglobby → picomatch 4.0.3
 # npm bundles its own dependencies; global install cannot override them.

images/ci-tools/versions.lock

@@ -1,10 +1,10 @@
 NPM_VERSION=11.12.1
-SHFMT_VERSION=v3.13.0
-SHFMT_SHA256_AMD64=70aa99784703a8d6569bbf0b1e43e1a91906a4166bf1a79de42050a6d0de7551
-SHFMT_SHA256_ARM64=2091a31afd47742051a77bf7cfd175533ab07e924c20ef3151cd108fa1cab5b0
-ACTIONLINT_VERSION=1.7.11
-ACTIONLINT_SHA256_AMD64=900919a84f2229bac68ca9cd4103ea297abc35e9689ebb842c6e34a3d1b01b0a
-ACTIONLINT_SHA256_ARM64=21bc0dfb57a913fe175298c2a9e906ee630f747cb66d0a934d0d4b69f4ee1235
+SHFMT_VERSION=v3.13.1
+SHFMT_SHA256_AMD64=fb096c5d1ac6beabbdbaa2874d025badb03ee07929f0c9ff67563ce8c75398b1
+SHFMT_SHA256_ARM64=32d92acaa5cd8abb29fc49dac123dc412442d5713967819d8af2c29f1b3857c7
+ACTIONLINT_VERSION=1.7.12
+ACTIONLINT_SHA256_AMD64=8aca8db96f1b94770f1b0d72b6dddcb1ebb8123cb3712530b08cc387b349a3d8
+ACTIONLINT_SHA256_ARM64=325e971b6ba9bfa504672e29be93c24981eeb1c07576d730e9f7c8805afff0c6
 HADOLINT_VERSION=v2.14.0
 HADOLINT_SHA256_AMD64=6bf226944684f56c84dd014e8b979d27425c0148f61b3bd99bcc6f39e9dc5a47
 HADOLINT_SHA256_ARM64=331f1d3511b84a4f1e3d18d52fec284723e4019552f4f47b19322a53ce9a40ed