build: bump Go toolchain to 1.26.3

[ziggie1984]

This PR replaces #10566 with a narrower Go version update that separates the build toolchain from the module language/minimum Go version.

The build toolchain pins move from Go 1.25.5 to Go 1.26.3 across:

• Makefile and CI/release workflow Go version pins
• Docker image tags used for builds, release helpers, tools, and protobuf generation
• golangci-lint's configured Go version

The module language/minimum Go version stays on the Go 1.25 line and is updated only to the latest patch release:

• all tracked go.mod files now use go 1.25.10
• install documentation and Go tarball checksums now reference Go 1.25.10

It also carries forward the compatibility fix discussed in #10566: Go 1.26 no longer supports the windows/arm port, so the release target and CI arm matrix now use windows-arm64 instead.

This PR also adds a dedicated govulncheck workflow that builds the release-style lnd binary and scans it in binary mode. The workflow runs weekly, can be started manually, and runs on PRs/pushes that touch Go dependency or Go build-version surfaces. This avoids making every ordinary PR fail because the external vulnerability database changed, while still catching newly published vulnerabilities on a schedule.

No functional lnd code changes are included.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a comprehensive upgrade of the project's Go toolchain to version 1.26.3. The changes ensure consistency across the build environment, CI pipelines, and documentation. Additionally, it addresses the removal of the windows/arm port in newer Go versions by migrating to windows-arm64, ensuring continued cross-platform support.

Highlights

• Go Version Upgrade: Updated the project-wide Go version from 1.25.5 to 1.26.3 across all build configurations, Dockerfiles, and module definitions.
• Windows ARM Compatibility: Updated release targets and CI matrices to use windows-arm64, replacing the deprecated windows-arm port.
• Documentation and Tooling: Refreshed installation documentation, including updated Go tarball checksums, and synchronized linter configurations.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/main.yml
  • .github/workflows/release.yaml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🟡 PR Severity: MEDIUM

Automated classification | 17 files | 54 lines changed (2 lines in non-LOW files)

🟡 Medium (1 file)

• go.mod - Root Go module file; not in a LOW-classified directory (docs/, scripts/, tools/, make/, docker/*) → falls into "Other Go files not categorized above"

🟢 Low (16 files)

• .github/actions/setup-go/action.yml - CI/CD configuration
• .github/workflows/main.yml - CI/CD configuration
• .github/workflows/release.yaml - CI/CD configuration
• .golangci.yml - Linter tooling configuration
• Dockerfile - Docker image definition
• dev.Dockerfile - Docker image definition
• docker/btcd/Dockerfile - docker/*
• lnrpc/Dockerfile - Docker image definition
• make/builder.Dockerfile - make/*
• make/release_flags.mk - make/*
• Makefile - make/*
• docs/INSTALL.md - docs/*
• lnrpc/gen_protos_docker.sh - Script file
• tools/Dockerfile - tools/*
• tools/go.mod - tools/*
• tools/linters/go.mod - tools/*

Analysis

This PR appears to be a Go toolchain/version bump across the repository. All 17 files have small, uniform changes (1–2 lines each), consistent with updating a Go version string or toolchain reference in build and configuration files.

The vast majority of files fall under LOW-severity categories (CI/CD configs, Dockerfiles, Makefiles, docs, and tool subdirectories). The only file that elevates severity above LOW is the root go.mod, which is classified as MEDIUM since it doesn't fall into any explicitly LOW-categorized directory.

Bump check: Only 1 non-LOW file with 2 lines changed — no severity bump triggered.

---

_{To override, add a severity-override-{critical,high,medium,low} label.}
<!-- pr-severity-bot -->

[github-actions]

⚠️ Severity changed: severity-medium → severity-high (files changed since last classification)

🟠 PR Severity: HIGH

Highest package path match | 17 files | 59 lines changed

🟠 High (2 files)

• lnrpc/Dockerfile - falls under lnrpc/* (RPC/API tooling directory)
• lnrpc/gen_protos_docker.sh - falls under lnrpc/* (proto generation script)

🟡 Medium (2 files)

• go.mod - module dependency file, not categorized as a specific high-severity package
• .golangci.yml - linter configuration, not categorized above

🟢 Low (13 files)

• .github/actions/setup-go/action.yml - CI/CD configuration
• .github/workflows/main.yml - CI/CD configuration
• .github/workflows/release.yaml - CI/CD configuration
• Dockerfile - Docker build tooling
• dev.Dockerfile - Docker build tooling
• docker/btcd/Dockerfile - Docker build tooling
• docs/INSTALL.md - documentation
• make/builder.Dockerfile - make tooling
• make/release_flags.mk - make tooling
• Makefile - make tooling
• tools/Dockerfile - tools directory
• tools/go.mod - tools directory
• tools/linters/go.mod - tools directory

Analysis

This PR appears to be a Go version bump across the repository — updating the Go toolchain version in GitHub Actions workflows, Dockerfiles, go.mod, and related build infrastructure. While the bulk of changes are LOW (CI config, docs, Dockerfiles in build directories) or MEDIUM (root go.mod, linter config), the presence of lnrpc/Dockerfile and lnrpc/gen_protos_docker.sh under the lnrpc/* path triggers a HIGH classification per package path rules.

Note: These two files are build/tooling files (a Docker container for generating protobufs and a shell script orchestrating that generation), not RPC API definitions themselves. A reviewer familiar with the lnrpc package should confirm the Go version update doesn't affect proto generation compatibility.

Severity bump check: 17 non-test/non-generated files (< 20 threshold) and 59 lines changed (< 500 threshold) — no bump applied.

---

_{To override, add a severity-override-{critical,high,medium,low} label.}
<!-- pr-severity-bot -->

[gemini-code-assist]

Code Review

This pull request updates the Go version from 1.25.5 to 1.26.3 across the entire repository, including CI configurations, Dockerfiles, build scripts, and documentation. Additionally, the Windows ARM release target was updated to 64-bit to align with Go 1.26's platform support. I have no feedback to provide.

[github-actions]

⚠️ Severity changed: severity-high → severity-critical (files changed since last classification)

🔴 PR Severity: CRITICAL

Path-based classification + >20 files bump | 28 files | 81 lines changed

🟠 High (4 files — base severity)

• cert/go.mod - cert/* → HIGH (auth/security module)
• sqldb/go.mod - sqldb/* → HIGH
• lnrpc/Dockerfile - lnrpc/* → HIGH (RPC/API definitions)
• lnrpc/gen_protos_docker.sh - lnrpc/* → HIGH (RPC/API definitions)

🟡 Medium (12 files)

• go.mod - root module dependency file
• kvdb/go.mod - kvdb/* → MEDIUM
• fn/go.mod - fn/* → MEDIUM
• tlv/go.mod - tlv/* → MEDIUM
• tor/go.mod - tor/* → MEDIUM
• actor/go.mod - MEDIUM
• clock/go.mod - MEDIUM
• healthcheck/go.mod - MEDIUM
• queue/go.mod - MEDIUM
• ticker/go.mod - MEDIUM
• .golangci.yml - MEDIUM
• Makefile - MEDIUM

🟢 Low (12 files)

• .github/actions/setup-go/action.yml - .github/* → LOW
• .github/workflows/main.yml - .github/* → LOW
• .github/workflows/release.yaml - .github/* → LOW
• Dockerfile - docker → LOW
• dev.Dockerfile - docker → LOW
• docker/btcd/Dockerfile - docker/* → LOW
• docs/INSTALL.md - docs/* → LOW
• make/builder.Dockerfile - make/* → LOW
• make/release_flags.mk - make/* → LOW
• tools/Dockerfile - tools/* → LOW
• tools/go.mod - tools/* → LOW
• tools/linters/go.mod - tools/* → LOW

Analysis

This PR appears to be a Go version bump across the entire repository, updating go.mod files and Dockerfiles. While each individual change is trivial (mostly 1-line version string updates), the PR touches 28 non-excluded files, which exceeds the 20-file threshold and triggers a severity bump.

The base severity is HIGH due to files in cert/* (authentication/security module), sqldb/*, and lnrpc/*. Applying the >20-file bump rule raises this to CRITICAL.

Note: Although the actual risk of a Go version bump is low, the automated classification rules are applied strictly by file path and file count thresholds. A reviewer with knowledge of the change scope may apply a severity-override-high or severity-override-medium label if appropriate.

---

_{To override, add a severity-override-{critical,high,medium,low} label.}
<!-- pr-severity-bot -->

[ziggie1984]

/gemini review

[gemini-code-assist]

Code Review

This pull request updates the Go toolchain and module versions across the repository, bumping the release version to 1.26.3 and the module versions to 1.25.10. The changes span Dockerfiles, CI configurations, documentation, and various sub-module go.mod files. Additionally, the Windows ARM release target was updated to windows-arm64. Feedback was provided to improve the maintenance instructions in the root go.mod file by adding a reminder to keep all sub-module versions in sync when making future updates.

[ziggie1984]

/gemini review

[gemini-code-assist]

Code Review

This pull request updates the Go version across the repository, bumping the release build toolchain to 1.26.3 and the module versions to 1.25.10 in various configuration files, Dockerfiles, and documentation. It also updates the Windows ARM release target to windows-arm64. A review comment correctly identified a missing sudo command in the ARMv6 installation instructions within docs/INSTALL.md, which would otherwise lead to permission errors during the extraction process.

[gemini-code-assist]

The tar command in the ARMv6 installation instructions is missing sudo. Since it extracts files into /usr/local, it will likely fail due to insufficient permissions. This is inconsistent with the x86-64 instructions on line 112 which correctly include sudo for both the rm and tar commands.

Suggested change

	sudo rm -rf /usr/local/go && tar -C /usr/local -xzf go1.25.10.linux-armv6l.tar.gz
	sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.25.10.linux-armv6l.tar.gz