
fix(deps): update dependency go to v1.26.2 #24

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-1.x

Conversation


@renovate renovate bot commented Mar 10, 2026

This PR contains the following updates:

Package      Type    Update  Change
go (source)          patch   1.26.0 -> 1.26.2
go                   patch   1.26.1 -> 1.26.2
go (source)  golang  patch   1.26.0 -> 1.26.2

Release Notes

golang/go (go)

v1.26.2

v1.26.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


github-actions bot commented Mar 10, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

Go 1.26.1 (Released 2026-03-05)

  • Security fixes: crypto/x509, html/template, net/url, os
  • Bug fixes: go command, go fix command, compiler, os, and reflect packages

Go 1.26.2 (Released 2026-04-07)

  • 10 Security Fixes addressing critical CVEs:
    • CVE-2026-32283 (cmd/go): SWIG trust layer bypass allowing arbitrary code execution during build time
    • CVE-2026-32282 (html/template): XSS vulnerability from incorrect context tracking in JS template literals
    • CVE-2026-27144 (cmd/compile): Memory corruption from incorrect bounds checking on slices/arrays with induction variables
    • CVE-2026-27140 (crypto/x509): Denial of Service when building certificate chains with large numbers of intermediates
    • Additional CVEs: CVE-2026-32280, CVE-2026-32281
  • Affected packages: go command, compiler, archive/tar, crypto/tls, crypto/x509, html/template, os
  • Bug fixes: go command, go fix command, compiler, linker, runtime, net, net/http, net/url
  • Notable regression fixes: macOS build cache blocking, MongoDB connection string parsing in net/url, Windows runtime crashes

Breaking Changes: None - this is a backward-compatible patch release

Security Priority: HIGH - Critical security vulnerabilities in trust-boundary packages (TLS, X.509, HTML templates, and the toolchain itself) make this a high-priority update for production systems

🎯 Impact Scope Investigation

Direct Codebase Usage:

  • The sandbox codebase does NOT directly import any of the security-patched packages (crypto/x509, crypto/tls, html/template, archive/tar)
  • These packages may be used transitively through dependencies (e.g., golang.org/x/net for TLS)
  • Security fixes in the toolchain (cmd/go, cmd/compile) benefit all Go code

Files Modified by PR:

  1. Dockerfile (line 50): Updates ARG GO_VERSION from 1.26.0 to 1.26.2
  2. go.mod (line 3): Updates Go directive from 1.26.0 to 1.26.2
  3. internal/sandbox/defaults/go/go.mod.tmpl (line 3): Updates template from 1.26.0 to 1.26.2
  4. mise.toml (line 2): Updates from 1.26.1 to 1.26.2

Critical Issue Identified:

  • E2E Test Failures: The PR's E2E tests are failing because of a version mismatch
  • The builder stage in Dockerfile (line 78) uses FROM golang:1.26.1-bookworm but the updated go.mod requires Go 1.26.2
  • Error message: go: go.mod requires go >= 1.26.2 (running go 1.26.1; GOTOOLCHAIN=local)
  • Root cause: Renovate updated the Go version in multiple places but missed the Docker base image for the builder stage

Testing Results:

  • ✅ Build: PASS (22s)
  • ✅ Lint: PASS (28s)
  • ✅ Unit Test: PASS (26s)
  • ✅ hadolint: PASS (7s)
  • ❌ E2E Test (ubuntu-latest): FAIL - Docker build fails at go mod download
  • ❌ E2E Test (ubuntu-24.04-arm): FAIL - Docker build fails at go mod download

💡 Recommended Actions

Required Fix:

  1. Update Dockerfile line 78 to use Go 1.26.2:
    FROM golang:1.26.2-bookworm@sha256:<new-sha256> AS builder
  2. The SHA256 digest needs to be updated to match the golang:1.26.2-bookworm image
  3. Consider adding a Renovate configuration to keep the builder stage Go version in sync with the main Go version

Manual Steps:

  1. Find the correct SHA256 for golang:1.26.2-bookworm from Docker Hub
  2. Update line 78 of the Dockerfile with the new version and digest
  3. Re-run E2E tests to verify the fix

Alternative Approach:
Instead of pinning the builder stage to a specific minor version, consider using the same Go version variable:

ARG GO_VERSION=1.26.2
FROM golang:${GO_VERSION}-bookworm AS builder

However, this would require removing the SHA256 pin or using a different pinning strategy.

Post-Merge Actions:

  • Once fixed and merged, this is a high-priority security update
  • The update is backward compatible and requires no code changes
  • All existing tests pass with the new Go version
  • The security fixes protect against real vulnerabilities in production environments

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
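The sync check the review says Renovate missed, written as an added example (not code from the PR, the repository, or the review bot): it reads the `go` directive from go.mod and every `golang:<tag>` FROM line in the Dockerfile, resolves `${GO_VERSION}` from an `ARG GO_VERSION=` line, ignores the `@sha256` digest pin and the `-bookworm` suffix, and fails when the versions disagree. The function names and the sample go.mod/Dockerfile contents are constructed for the example; the digest is a placeholder.

```shell
# Added example, not from the PR or the repository: fail when a Dockerfile's
# golang:<tag> builder image disagrees with go.mod's `go` directive.
set -eu
# Version from the `go` directive of the given go.mod.
gomod_go_version() {
  awk '$1 == "go" { print $2; exit }' "$1"
}
# Go version of every golang:<tag> image in FROM lines of the given Dockerfile.
# ${GO_VERSION} is resolved from `ARG GO_VERSION=...`; the @sha256 digest pin
# and the -bookworm/-alpine variant suffix are stripped before comparing.
dockerfile_go_versions() {
  awk '
    /^ARG[ \t]+GO_VERSION=/ { sub(/^ARG[ \t]+GO_VERSION=/, ""); argver = $0 }
    /^FROM[ \t]/ {
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^golang:/) continue   # skips flags such as --platform=...
        tag = $i
        sub(/^golang:/, "", tag); sub(/@sha256:.*/, "", tag); sub(/-.*/, "", tag)
        p = index(tag, "${GO_VERSION}")   # the reference is 13 characters long
        if (p > 0 && argver != "") tag = substr(tag, 1, p - 1) argver substr(tag, p + 13)
        print tag
      }
    }' "$1"
}
# 0 when every builder image matches go.mod, 1 otherwise (mismatches on stderr).
check_go_version_sync() {
  want=$(gomod_go_version "$1")
  rc=0
  for got in $(dockerfile_go_versions "$2"); do
    if [ "$got" != "$want" ]; then
      echo "mismatch: Dockerfile builds with golang:$got but go.mod requires go $want" >&2
      rc=1
    fi
  done
  return $rc
}
# Constructed samples: go.mod at 1.26.2, the stale builder stage from the PR,
# and the ARG-based stage the review suggests (digest is a placeholder).
SAMPLE_DIR=$(mktemp -d)
printf 'module example.com/sandbox\n\ngo 1.26.2\n' > "$SAMPLE_DIR/go.mod"
cat > "$SAMPLE_DIR/Dockerfile.stale" <<'EOF'
ARG GO_VERSION=1.26.2
FROM golang:1.26.1-bookworm@sha256:PLACEHOLDER_DIGEST AS builder
EOF
cat > "$SAMPLE_DIR/Dockerfile.synced" <<'EOF'
ARG GO_VERSION=1.26.2
FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-bookworm AS builder
EOF
check_go_version_sync "$SAMPLE_DIR/go.mod" "$SAMPLE_DIR/Dockerfile.stale" || echo "stale Dockerfile rejected"
```

Run it as a CI step before `go mod download` so the `go: go.mod requires go >= 1.26.2` error is caught as a version-sync failure with a clear message rather than as an E2E timeout.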

@renovate renovate bot force-pushed the renovate/go-1.x branch 4 times, most recently from 6ecde59 to 6329d9b on March 17, 2026 11:51
@renovate renovate bot force-pushed the renovate/go-1.x branch from 6329d9b to cf38248 on April 1, 2026 19:49
@renovate renovate bot force-pushed the renovate/go-1.x branch from cf38248 to b5df75d on April 9, 2026 02:31
@renovate renovate bot changed the title from "fix(deps): update dependency go to v1.26.1" to "fix(deps): update dependency go to v1.26.2" on Apr 9, 2026
@renovate renovate bot force-pushed the renovate/go-1.x branch from b5df75d to ff425b2 on April 9, 2026 05:15
@renovate renovate bot changed the title from "fix(deps): update dependency go to v1.26.2" to "fix(deps): update dependency go to v1.26.1" on Apr 9, 2026
@renovate renovate bot changed the title from "fix(deps): update dependency go to v1.26.1" to "fix(deps): update dependency go to v1.26.2" on Apr 14, 2026
@renovate renovate bot force-pushed the renovate/go-1.x branch 2 times, most recently from ed56318 to 999a3cd on April 14, 2026 20:32
@renovate renovate bot force-pushed the renovate/go-1.x branch from 999a3cd to 5af281d on April 15, 2026 17:28