CI run #484's Go Build & Test job failed govulncheck (M-024 hard
gate). Six standard-library CVEs land in go1.25.9 + one
golang.org/x/net CVE in v0.49.0; all are fixed in go1.25.10 + x/net
v0.53.0 respectively. The advisories that fired were:
GO-2026-4986 Quadratic string concat in net/mail.consumeComment
  — called via internal/api/handler/validation.go's
    ValidateCommonName -> mail.ParseAddress
GO-2026-4977 Quadratic string concat in net/mail.consumePhrase
  — same call site
GO-2026-4982 Bypass of meta-content URL escaping in html/template
  — called via internal/service/digest.go's
    RenderDigestHTML -> Template.Execute
GO-2026-4980 Escaper bypass in html/template
  — same call site
GO-2026-4971 Panic in net.Dial / LookupPort on Windows NUL bytes
  — many call sites (email notifier, SSH connector,
    ACME validators, validation.ValidateSafeURL, ...)
GO-2026-4918 Infinite loop in net/http2 transport on bad
  SETTINGS_MAX_FRAME_SIZE
  — called via internal/connector/target/f5.go's
    F5Client.Authenticate -> http.Client.Do
Bumps applied:
* `go.mod`: `go 1.25.9` -> `go 1.25.10`; `golang.org/x/net v0.49.0`
  -> `v0.53.0` (kept indirect — the upgrade is force-pulled by the
  module-version directive; transitive deps will pick the higher).
* `.github/workflows/{ci,codeql,release}.yml`: setup-go pin and the
  release.yml `GO_VERSION` env var bumped to 1.25.10. The
  security-deep-scan.yml workflow uses the major-minor `1.25` pin
  which auto-resolves to the latest 1.25.x and is unaffected.
* `Dockerfile` + `Dockerfile.agent`: `golang:1.25-alpine@sha256:5caa...`
  re-pinned to `golang:1.25.10-alpine@sha256:8d22e29d960bc50cd0...`
  (digest looked up against
  `registry-1.docker.io/v2/library/golang/manifests/1.25.10-alpine`;
  verified by the digest-validity ci-guard). The explicit
  `1.25.10-alpine` tag form replaces the moving `1.25-alpine` pin so
  the image-spec is reproducible end-to-end even without the digest
  reference.
* `deploy/test/f5-mock-icontrol/Dockerfile`:
  `golang:1.25.9-bookworm@sha256:1a14...` re-pinned to
  `golang:1.25.10-bookworm@sha256:e3a54b77385b4f8a31c1...` (looked up
  the same way).
* `deploy/test/f5-mock-icontrol/go.mod`: `go 1.25.9` -> `go 1.25.10`.
* `internal/api/handler/version.go` + `api/openapi.yaml`: the
  `runtime.Version()`-shape comment + OpenAPI `example: go1.25.9`
  bumped to keep doc/example freshness.
* `docs/contributor/ci-pipeline.md` + `docs/reference/connectors/iis.md`:
  doc-only `Go 1.25.9` -> `Go 1.25.10` references.
Verification done in-tree:
* All `scripts/ci-guards/*.sh` pass locally including
  `digest-validity.sh` (the new digests resolve cleanly against
  Docker Hub).
* `S-1-hardcoded-source-counts.sh` clean (the false-positive on
  "Bundle 1 migrations" was fixed in the prior commit).
Operator step required post-push (sandbox has no Go toolchain):
    cd certctl && go mod tidy
This regenerates go.sum's `golang.org/x/net v0.49.0` h1: lines into
v0.53.0 ones. CI's `go mod tidy && git diff --exit-code go.mod
go.sum` step will catch the drift if missed; in that case run the
command, commit, and push the go.sum-only delta.
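The commit above bumps the Go toolchain in five separate places (root and nested `go.mod`, the workflow `go-version`/`GO_VERSION` pins, and the `golang:*` base images in each Dockerfile) and notes that a moving `1.25` pin re-resolves on its own. A missed location means the next govulncheck run fires again on the stale pin. The POSIX shell script below is an added example of a guard that catches that drift, written in the spirit of the `scripts/ci-guards/*.sh` the message refers to; it is not one of the project's own guards. The directory layout it scans, the fixture files it writes and the zeroed image digest are constructed for this example.

```shell
#!/bin/sh
# Added example, not one of the project's scripts/ci-guards/*.sh: find every
# place a Go toolchain version is pinned under a tree and fail if the pins
# disagree or if any of them is a moving major-minor tag (e.g. 1.25-alpine)
# instead of a full patch version. The scanned locations mirror the commit
# message: go.mod directives, workflow go-version/GO_VERSION values and
# Dockerfile golang:* base images.

# Print one "<file><TAB><version>" line per Go pin found under $1.
collect_go_pins() {
  dir="$1"
  # go.mod "go X.Y.Z" directives (root module and nested test modules).
  find "$dir" -type f -name go.mod | while read -r f; do
    sed -n 's/^go \([0-9][0-9.]*\)[[:space:]]*$/\1/p' "$f" |
      while read -r v; do printf '%s\t%s\n' "$f" "$v"; done
  done
  # Workflow pins: "go-version: X.Y.Z" (setup-go) and "GO_VERSION: X.Y.Z".
  find "$dir" -type f -path '*/.github/workflows/*.yml' | while read -r f; do
    sed -n -e 's/^.*go-version:[[:space:]]*["'"'"']*\([0-9][0-9.]*\).*$/\1/p' \
           -e 's/^.*GO_VERSION:[[:space:]]*["'"'"']*\([0-9][0-9.]*\).*$/\1/p' "$f" |
      while read -r v; do printf '%s\t%s\n' "$f" "$v"; done
  done
  # Dockerfile base images: "FROM golang:X.Y.Z-<variant>@sha256:<digest>".
  find "$dir" -type f -name 'Dockerfile*' | while read -r f; do
    sed -n 's/^FROM[[:space:]]*golang:\([0-9][0-9.]*\)-.*$/\1/p' "$f" |
      while read -r v; do printf '%s\t%s\n' "$f" "$v"; done
  done
}

# Return 0 when every pin is a full X.Y.Z version and all pins agree.
# Otherwise print the offending lines on stderr and return 1.
check_go_pins() {
  pins=$(collect_go_pins "$1")
  if [ -z "$pins" ]; then
    echo "no Go pins found under $1" >&2
    return 1
  fi
  rc=0
  # A major-minor pin re-resolves to whatever is newest; reject it.
  moving=$(printf '%s\n' "$pins" | awk -F'\t' '$2 !~ /^[0-9]+\.[0-9]+\.[0-9]+$/')
  if [ -n "$moving" ]; then
    printf 'moving (non-patch) Go pin:\n%s\n' "$moving" >&2
    rc=1
  fi
  # All pins must name the same version.
  distinct=$(printf '%s\n' "$pins" | awk -F'\t' '{ print $2 }' | LC_ALL=C sort -u | awk 'END { print NR }')
  if [ "$distinct" -ne 1 ]; then
    printf 'Go pins disagree:\n%s\n' "$pins" >&2
    rc=1
  fi
  return $rc
}

# Constructed fixture tree (not the project's real files). The image digest
# is a zeroed placeholder; a real pin carries the registry manifest digest.
make_fixture() {
  root="$1"; gomod_go="$2"; image="$3"
  mkdir -p "$root/.github/workflows" "$root/deploy/test/mock"
  printf 'module example.invalid/certctl\n\ngo %s\n' "$gomod_go" > "$root/go.mod"
  printf 'module example.invalid/certctl/mock\n\ngo %s\n' "$gomod_go" > "$root/deploy/test/mock/go.mod"
  printf 'env:\n  GO_VERSION: 1.25.10\njobs:\n  build:\n    steps:\n      - uses: actions/setup-go@v5\n        with:\n          go-version: "1.25.10"\n' \
    > "$root/.github/workflows/ci.yml"
  zero=$(printf '%064d' 0)
  printf 'FROM golang:%s@sha256:%s AS build\n' "$image" "$zero" > "$root/Dockerfile"
}

# Usage: with a path argument, check that tree (e.g. `sh go-pin-guard.sh .`
# from the repo root); with no argument, exercise the two fixtures.
if [ $# -eq 1 ]; then
  check_go_pins "$1"
else
  work=$(mktemp -d)
  make_fixture "$work/good"  1.25.10 1.25.10-alpine
  make_fixture "$work/stale" 1.25.9  1.25-alpine
  check_go_pins "$work/good" && echo "good: all pins agree on 1.25.10"
  check_go_pins "$work/stale" 2>/dev/null || echo "stale: drift detected (expected)"
  rm -rf "$work"
fi
```

The stale fixture reproduces both failure modes from the commit: a `go.mod` left at 1.25.9 while the workflow already says 1.25.10, and a `golang:1.25-alpine` image whose tag silently tracks the newest 1.25.x, so the guard rejects it even though it happens to agree today.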
Phase 4 structural (commit 633e440) moved 6 connector files into the
new docs/reference/connectors/ subdirectory but didn't update all
inter-doc references for the new path layout. Phase 11 caught the
high-traffic ones; this sweep gets the rest, found by the Phase 4
follow-on verification pass.
Mappings applied (relative to docs/reference/connectors/):
deployment-atomicity.md → ../deployment-model.md
deployment-vendor-matrix.md → ../vendor-matrix.md
architecture.md → ../architecture.md
est.md → ../protocols/est.md
scep-intune.md → ../protocols/scep-intune.md
async-polling.md → ../protocols/async-ca-polling.md
quickstart.md → ../../getting-started/quickstart.md
demo-advanced.md → ../../getting-started/advanced-demo.md
legacy-est-scep.md → ../protocols/scep-server.md
connectors.md → index.md
Plus prose backtick references (`docs/architecture.md` etc.) updated
to the new subdirectory paths.
Files touched: apache, f5, iis, k8s, nginx, index. 33 line changes.
Full link-check across docs/reference/connectors/*.md is now clean
(0 broken inter-doc references).
Per Phase 1 audit at cowork/docs-overhaul-phase-1-audit-2026-05-04/.
Phase 4 in the audit recommended a full split of connectors.md (2055
lines) into an index + 27 per-connector pages (12 issuer + 15 target).
This commit lands the structural half of that work; full per-target
page extraction is deferred to follow-up commits.
Renames (all blame-preserving):
docs/connectors.md → docs/reference/connectors/index.md
docs/connector-apache.md → docs/reference/connectors/apache.md
docs/connector-f5.md → docs/reference/connectors/f5.md
docs/connector-iis.md → docs/reference/connectors/iis.md
docs/connector-k8s.md → docs/reference/connectors/k8s.md
docs/connector-nginx.md → docs/reference/connectors/nginx.md
Edits:
- docs/reference/connectors/index.md gets a top-of-doc note
explaining the per-connector deep-dive sibling pattern + a forward
list of the 5 per-target pages.
- The 5 per-connector deep-dive pages each get a `Last reviewed:
2026-05-05` header + a back-link to the index.
Deferred to future commits (Phase 4b/c follow-on):
- Extracting the 12 issuer sections from index.md into per-issuer
pages at reference/connectors/{acme,awsacmpca,digicert,ejbca,
entrust,globalsign,googlecas,local,openssl,sectigo,stepca,vault}.md
- Extracting the 10 remaining target sections from index.md into
per-target pages at reference/connectors/{caddy,traefik,envoy,
haproxy,postfix-dovecot,ssh,javakeystore,wincertstore,awsacm,
azurekv}.md
The pragmatic split makes this Phase 4 work incrementally landable —
each per-connector extraction is a small follow-up commit that doesn't
change the docs/ tree shape further. Cross-references from README.md
and other docs to docs/connectors.md still need fixing in Phase 11.