
EOL go version is used for v1.3.3 release

Open akhilerm opened this issue 1 month ago • 6 comments

The release v1.3.3 uses an EOL version of go for compiling the release binaries.

akhil@akhil-ThinkPad-L14:/t/tmp.JOq4mE9wEl $ ./runc --version
runc version 1.3.3
commit: v1.3.3-0-gd842d771
spec: 1.2.1
go: go1.23.12
libseccomp: 2.5.6

Was expected to use the 1.24 version of Go, since we won't be receiving any updates / CVE reports for the out-of-support branch.

akhilerm avatar Nov 06 '25 03:11 akhilerm

/cc @AkihiroSuda

akhilerm avatar Nov 06 '25 03:11 akhilerm

We need #4851 (specifically 26602650adf2ce42ee8f38e0de66653c507d4d38) backported to release-1.3 and release-1.2 then.

cyphar avatar Nov 06 '25 03:11 cyphar

Probably just the CI portions of that, right? (Not bumping the project minimum Go version, just the version used to build the releases)

tianon avatar Nov 06 '25 22:11 tianon

Yeah, just the Dockerfile bits. Maybe we should have make releaseall do a build with GO_VERSION=latest...

cyphar avatar Nov 09 '25 00:11 cyphar

While thinking about this some more, I've started to wonder how important this actually is:

That being said, I do somewhat question how important it is if our release binaries are built with EOL'd Go versions -- we don't rebuild old release binaries, so every binary we release is destined to have been built by an EOL'd compiler (or an older release with a security issue) at some point.

I guess trying to go for the newest one from the start is the least bad option, but I do wonder how helpful this is in general.

Originally posted by @cyphar in https://github.com/opencontainers/runc/pull/4986#discussion_r2508323369

cyphar avatar Nov 11 '25 04:11 cyphar

Implemented what I had in mind in:

  • #4997
  • #5000
  • #4999
  • #4998

The idea is to test that the Go version we have in Dockerfile is supported and is being used by tests. If not, we need to bump it to make CI green again. PTAL @cyphar

kolyshkin avatar Nov 11 '25 08:11 kolyshkin
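
An added example, not code from this thread or from runc's CI: a Go check of the kind described above, run against the `runc --version` output quoted in the issue. The function names, the `ARG GO_VERSION=` line shape, the constructed Dockerfile fragment and the value 25 for the newest Go 1.x line are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// From the issue: `runc --version` output of the v1.3.3 release binary.
const sampleVersionOut = "runc version 1.3.3\ncommit: v1.3.3-0-gd842d771\nspec: 1.2.1\ngo: go1.23.12\nlibseccomp: 2.5.6\n"

// Constructed Dockerfile fragment; the ARG line's shape is an assumption.
const sampleDockerfile = "ARG GO_VERSION=1.23\nFROM golang:${GO_VERSION}\n"

// Matches "go: go1.23.12" (version output) or "ARG GO_VERSION=1.23" (Dockerfile).
var goVerRe = regexp.MustCompile(`(?m)^\s*(?:go:\s*go|ARG\s+GO_VERSION=)1\.(\d+)(?:\.\d+)?\s*$`)

// goMinor returns the x of Go 1.x found in text, or -1 if none is present.
func goMinor(text string) int {
	m := goVerRe.FindStringSubmatch(text)
	if m == nil {
		return -1
	}
	n, err := strconv.Atoi(m[1])
	if err != nil {
		return -1
	}
	return n
}

// supported applies Go's release policy: a 1.x line gets fixes until two
// newer lines exist, so only latest and latest-1 are maintained.
func supported(minor, latest int) bool { return minor >= latest-1 }

// check lists reasons a release would ship with an EOL or unexpected toolchain.
// A reported minor of -1 means no version could be parsed from that input.
func check(versionOut, dockerfile string, latest int) []string {
	var problems []string
	bin, df := goMinor(versionOut), goMinor(dockerfile)
	if !supported(bin, latest) {
		problems = append(problems, fmt.Sprintf("binary toolchain go1.%d is not supported", bin))
	}
	if !supported(df, latest) {
		problems = append(problems, fmt.Sprintf("Dockerfile GO_VERSION 1.%d is not supported", df))
	}
	if bin != df {
		problems = append(problems, "binary was not built with the Dockerfile's Go version")
	}
	return problems
}

func main() {
	// latest=25 is an assumed input; CI would look up the newest stable Go.
	for _, p := range check(sampleVersionOut, sampleDockerfile, 25) {
		fmt.Println("FAIL:", p)
	}
}
```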

Closing this as the fixes to use only a supported Go version have been merged.

akhilerm avatar Dec 15 '25 11:12 akhilerm