chore(deps): bump go to v1.26.3

Kai Armstrongrequested to merge
karmstrong/bump-go-1.26.3 into main

Description

Bumps Go from 1.26.1 to 1.26.3.

1.26.3 is a patch release containing fixes for several CVEs reachable from this codebase:

  • Reachable in stdlib (fixed in 1.26.2): crypto/x509 chain building (GO-2026-4947), x509 policy validation (GO-2026-4946), x509 name constraint case bypass (GO-2026-4866), crypto/tls TLS 1.3 KeyUpdate DoS (GO-2026-4870), archive/tar unbounded alloc (GO-2026-4869).
  • Reachable in stdlib (fixed in 1.26.3): net.Dialer/DialContext (GO-2026-4954), net/http2 SETTINGS infinite loop (GO-2026-4918).

Reachability confirmed via govulncheck.

Updates go.mod, .gitlab-ci.yml, and .tool-versions in lockstep so scripts/check-go-version.sh passes (the renovate-authored !3111 (closed) missed .tool-versions).

Related Issues

Supersedes !3111 (closed).

How has this been tested?

  • scripts/check-go-version.sh passes.
  • go build ./... clean.
  • make test-race — 3165 tests, 7 skipped, 0 failures (~129s locally).
  • The TestRotateGroupAccessToken race seen on !3111 (closed) was unrelated and has since been fixed by d14064ca (fix(cmdutils): Avoid race on global viper state in GroupOverride).

Merge request reports