Go: Update to 1.26

[jketema]

No description provided.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

go

Generated file changes for go

• Changes to framework-coverage-go.rst:

-    `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,609,104
+    `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,612,104
-    Totals,,688,1069,1557
+    Totals,,688,1072,1557

• Changes to framework-coverage-go.csv:

- ,,,8,,,,,,,,,,,,,,,,,,,,,,,3,5
+ ,,,9,,,,,,,,,,,,,,,,,,,,,,,3,6
- bytes,,,43,,,,,,,,,,,,,,,,,,,,,,,43,
+ bytes,,,44,,,,,,,,,,,,,,,,,,,,,,,44,
- errors,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
+ errors,,,4,,,,,,,,,,,,,,,,,,,,,,,4,

[owen-mc]

Go 1.26 has been released.

[owen-mc]

I've rebased this on main. The one failing test is expected. I think this is ready to merge, possibly pending the CI of the companion PR.

[Copilot]

Pull request overview

Updates the Go extractor/tests/tooling to support Go 1.26, and extends Go dataflow models/tests to cover newly supported standard-library/builtin flows (including pointer dereference modeling).

Changes:

• Bump Go versions/toolchains across the extractor, Bazel module, CI action, docs, and Go test modules to Go 1.26.
• Extend external flow model validation to accept Dereference content specs (pointer content).
• Add/adjust external flow models and tests for errors.AsType, bytes.Buffer.Peek, and the builtin new dereference/value behavior.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/go.mod	Bumps test module Go version to 1.26.
go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Errors.go	Adds taint-step test for errors.AsType.
go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Bytes.go	Adds taint-step test for bytes.Buffer.Peek.
go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Builtin.go	Adds builtin flow test cases (append/copy/max/min/new).
go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go	Adds sink expressions involving new(src) / *new(src).
go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected	Updates expected source locations due to added lines.
go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected	Updates expected sinks to include new(...) and *new(...).
go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/go.mod	Bumps test module Go version to 1.26.
go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go	Adds inline taint-flow expectations for new(src) / *new(src).
go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected	Updates expected source locations due to added lines.
go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/sinks.expected	Updates expected sinks to include new(...) and *new(...).
go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/go.mod	Bumps test module Go version to 1.26.
go/ql/lib/semmle/go/dataflow/ExternalFlow.qll	Allows Dereference spec component during model validation.
go/ql/lib/ext/errors.model.yml	Adds taint model for errors.AsType return value.
go/ql/lib/ext/bytes.model.yml	Adds taint model for bytes.Buffer.Peek return value.
go/ql/lib/ext/builtin.model.yml	Adds a value summary for builtin new via ReturnValue.Dereference.
go/ql/lib/change-notes/2026-01-20-go-version-1-26.md	Adds changelog entry announcing Go 1.26 support.
go/extractor/go.mod	Updates extractor module Go version and toolchain to 1.26.
go/extractor/autobuilder/build-environment.go	Updates max supported Go version to 1.26.
go/actions/test/action.yml	Updates test action default Go version to ~1.26.0.
docs/codeql/reusables/supported-versions-compilers.rst	Updates documentation to “Go up to 1.26”.
MODULE.bazel	Updates downloaded Go SDK version to 1.26.0.