Bump Go to 1.26.0 (#4040)

Author: rdimitrov

.github/workflows/verify-gen.yml

@@ -14,6 +14,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        id: setup-go
         with:
           go-version-file: go.mod
           cache: true  # Cache go modules
@@ -23,9 +24,9 @@ jobs:
         uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
         with:
           path: ~/go/bin
-          key: ${{ runner.os }}-go-codegen-tools-${{ hashFiles('go.mod') }}-mockgen
+          key: ${{ runner.os }}-go-codegen-tools-${{ steps.setup-go.outputs.go-version }}-${{ hashFiles('go.mod') }}-mockgen
           restore-keys: |
-            ${{ runner.os }}-go-codegen-tools-
+            ${{ runner.os }}-go-codegen-tools-${{ steps.setup-go.outputs.go-version }}-
 
       - name: Install Task
         uses: arduino/setup-task@v2

.golangci.yml

@@ -67,6 +67,17 @@ linters:
     gosec:
       excludes:
         - G601
+        # The following rules were introduced in gosec v2.22+ (shipped with
+        # golangci-lint alongside Go 1.26). They flag pre-existing patterns
+        # across the codebase. Exclude them here and address in a follow-up PR.
+        - G117 # Marshaled struct field matches secret pattern
+        - G118 # Context cancellation / goroutine context issues
+        - G120 # Form parsing without body size limit
+        - G122 # Filesystem race in filepath.Walk
+        - G703 # Path traversal via taint analysis
+        - G704 # SSRF via taint analysis
+        - G705 # XSS via taint analysis
+        - G706 # Log injection via taint analysis
     lll:
       line-length: 130
     revive:

go.mod

@@ -1,6 +1,6 @@
 module github.com/stacklok/toolhive
 
-go 1.25.7
+go 1.26
 
 require (
 	dario.cat/mergo v1.0.2

pkg/transport/proxy/transparent/transparent_proxy.go

@@ -467,31 +467,27 @@ func (p *TransparentProxy) Start(ctx context.Context) error {
 	}
 
 	// Create a reverse proxy
-	proxy := httputil.NewSingleHostReverseProxy(targetURL)
-	proxy.FlushInterval = -1
-
-	// Store the original director
-	originalDirector := proxy.Director
-
-	// Override director to handle remote base path rewriting and trace propagation
-	proxy.Director = func(req *http.Request) {
-		// Apply original director logic first (rewrites scheme + host)
-		originalDirector(req)
-
-		// Rewrite path to the remote server's path when configured.
-		// When the remote URL has a path (e.g., /v2/mcp), the target URI only
-		// contains the scheme+host. The client sends to /mcp (default MCP
-		// endpoint) but the remote server expects /v2/mcp. We replace the
-		// request path with the remote server's configured path.
-		if p.remoteBasePath != "" {
-			req.URL.Path = p.remoteBasePath
-			req.URL.RawPath = ""
-		}
+	proxy := &httputil.ReverseProxy{
+		FlushInterval: -1,
+		Rewrite: func(pr *httputil.ProxyRequest) {
+			pr.SetURL(targetURL)
+			pr.SetXForwarded()
+
+			// Rewrite path to the remote server's path when configured.
+			// When the remote URL has a path (e.g., /v2/mcp), the target URI only
+			// contains the scheme+host. The client sends to /mcp (default MCP
+			// endpoint) but the remote server expects /v2/mcp. We replace the
+			// request path with the remote server's configured path.
+			if p.remoteBasePath != "" {
+				pr.Out.URL.Path = p.remoteBasePath
+				pr.Out.URL.RawPath = ""
+			}
 
-		// Inject OpenTelemetry trace propagation headers for downstream tracing
-		if req.Context() != nil {
-			otel.GetTextMapPropagator().Inject(req.Context(), propagation.HeaderCarrier(req.Header))
-		}
+			// Inject OpenTelemetry trace propagation headers for downstream tracing
+			if pr.Out.Context() != nil {
+				otel.GetTextMapPropagator().Inject(pr.Out.Context(), propagation.HeaderCarrier(pr.Out.Header))
+			}
+		},
 	}
 
 	proxy.Transport = &tracingTransport{base: http.DefaultTransport, p: p}

pkg/transport/proxy/transparent/transparent_test.go

@@ -70,15 +70,15 @@ func TestStreamingSessionIDDetection(t *testing.T) {
 }
 
 func createBasicProxy(p *TransparentProxy, targetURL *url.URL) *httputil.ReverseProxy {
-	proxy := httputil.NewSingleHostReverseProxy(targetURL)
-	proxy.Director = func(r *http.Request) {
-		r.URL.Scheme = targetURL.Scheme
-		r.URL.Host = targetURL.Host
-		r.Host = targetURL.Host
+	proxy := &httputil.ReverseProxy{
+		Rewrite: func(pr *httputil.ProxyRequest) {
+			pr.SetURL(targetURL)
+			pr.SetXForwarded()
+		},
+		FlushInterval:  -1,
+		Transport:      &tracingTransport{base: http.DefaultTransport, p: p},
+		ModifyResponse: p.modifyResponse,
 	}
-	proxy.FlushInterval = -1
-	proxy.Transport = &tracingTransport{base: http.DefaultTransport, p: p}
-	proxy.ModifyResponse = p.modifyResponse
 	return proxy
 }
 
@@ -157,22 +157,18 @@ func TestTracePropagationHeaders(t *testing.T) {
 	targetURL, err := url.Parse(downstream.URL)
 	assert.NoError(t, err)
 
-	// Create reverse proxy with the same director logic as the main code
-	reverseProxy := httputil.NewSingleHostReverseProxy(targetURL)
-	reverseProxy.FlushInterval = -1
-
-	// Store the original director
-	originalDirector := reverseProxy.Director
+	// Create reverse proxy with the same rewrite logic as the main code
+	reverseProxy := &httputil.ReverseProxy{
+		FlushInterval: -1,
+		Rewrite: func(pr *httputil.ProxyRequest) {
+			pr.SetURL(targetURL)
+			pr.SetXForwarded()
 
-	// Override director to inject trace propagation headers (same as main code)
-	reverseProxy.Director = func(req *http.Request) {
-		// Apply original director logic first
-		originalDirector(req)
-
-		// Inject OpenTelemetry trace propagation headers for downstream tracing
-		if req.Context() != nil {
-			otel.GetTextMapPropagator().Inject(req.Context(), propagation.HeaderCarrier(req.Header))
-		}
+			// Inject OpenTelemetry trace propagation headers for downstream tracing
+			if pr.Out.Context() != nil {
+				otel.GetTextMapPropagator().Inject(pr.Out.Context(), propagation.HeaderCarrier(pr.Out.Header))
+			}
+		},
 	}
 
 	reverseProxy.Transport = &tracingTransport{base: http.DefaultTransport, p: proxy}