From 8c739c7a552d546b3229865e91ff6cee0783ee26 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Wed, 4 Feb 2026 12:37:01 +0100 Subject: [PATCH 1/3] build(deps): upgrade Atlas image to v1.0.1 Upgrade Atlas migrations image to latest canary build which addresses Go stdlib CVEs (CVE-2025-61726, CVE-2025-61728, CVE-2025-61730) by using Go 1.25.6. Also aligns test workflow Atlas version to v1.0.0. Signed-off-by: Miguel Martinez --- .github/workflows/test.yml | 2 +- app/controlplane/Dockerfile.migrations | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 603b1d941..ed49d645b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -42,7 +42,7 @@ jobs: - name: Generate migrations if: ${{ matrix.app == 'controlplane' }} env: - ATLAS_VERSION: v0.36.0 + ATLAS_VERSION: v1.0.0 run: | wget -q https://release.ariga.io/atlas/atlas-linux-amd64-$ATLAS_VERSION -O /tmp/atlas sudo install /tmp/atlas /usr/local/bin/atlas diff --git a/app/controlplane/Dockerfile.migrations b/app/controlplane/Dockerfile.migrations index 255aa751f..9ef0ef32e 100644 --- a/app/controlplane/Dockerfile.migrations +++ b/app/controlplane/Dockerfile.migrations 
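Review bot: The `wget` in the `Generate migrations` step feeds an unverified download into `sudo install`, so bumping `ATLAS_VERSION` changes which remote binary is installed as root on the runner with nothing checking its integrity. Consider adding an `ATLAS_SHA256` entry next to `ATLAS_VERSION` and a line `echo "$ATLAS_SHA256  /tmp/atlas" | sha256sum -c -` before the `install`, updating the digest whenever the version is bumped. The same step is bumped again in the test.yml hunk of patch 3/3, so this applies there as well. The `run:` block may continue past the hunk's last context line.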
@@ -1,9 +1,9 @@ # Container image built by go-releaser that's used to run migrations against the database during deployment # See https://atlasgo.io/guides/deploying/image -# from: arigaio/atlas:1.0.0 -# docker run arigaio/atlas@sha256:0c5585e0768aeb500c1322e056caafe8a01c6cfc7cf2e5430ec26a6fc9541c09 version -# atlas version v1.0.0 -FROM arigaio/atlas@sha256:0c5585e0768aeb500c1322e056caafe8a01c6cfc7cf2e5430ec26a6fc9541c09 as base +# from: arigaio/atlas:latest +# docker run arigaio/atlas@sha256:4716ae18b1cd81ae15052acd21b0d8f93b3b2ecc95d82989f52bf78a7ebfb017 version +# atlas version v1.0.1-63583e5-canary +FROM arigaio/atlas@sha256:4716ae18b1cd81ae15052acd21b0d8f93b3b2ecc95d82989f52bf78a7ebfb017 as base FROM scratch # Update permissions to make it readable by the user From 4446a3a0cf32bb6a3958bf09c606cb4fe5a4e289 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Thu, 5 Feb 2026 22:10:53 +0100 Subject: [PATCH 2/3] build(deps): upgrade Atlas image to v1.1.0 Signed-off-by: Miguel Martinez --- app/controlplane/Dockerfile.migrations | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/controlplane/Dockerfile.migrations b/app/controlplane/Dockerfile.migrations index 9ef0ef32e..4ad30f3c0 100644 --- a/app/controlplane/Dockerfile.migrations +++ b/app/controlplane/Dockerfile.migrations 
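Review bot: The provenance comment now reads `# from: arigaio/atlas:latest`, a mutable tag, so the digest pinned on the `FROM` line can no longer be traced to a specific release from the file alone; the previous comment named `arigaio/atlas:1.0.0`. The version comment also shows that a canary build (`v1.0.1-63583e5-canary`) is going into the image that runs migrations against the database during deployment. A short comment stating why a canary is accepted here (the Go stdlib CVE fixes named in the commit message) and that it should be replaced by a tagged release would help the next reviewer. Patch 2/3 moves the digest to `v1.1.0` but keeps the `latest` line as context; if a matching release tag exists, the comment should name it, e.g. `# from: arigaio/atlas:1.1.0`. The rest of the Dockerfile is outside the hunk.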
@@ -1,9 +1,9 @@ # Container image built by go-releaser that's used to run migrations against the database during deployment # See https://atlasgo.io/guides/deploying/image # from: arigaio/atlas:latest -# docker run arigaio/atlas@sha256:4716ae18b1cd81ae15052acd21b0d8f93b3b2ecc95d82989f52bf78a7ebfb017 version -# atlas version v1.0.1-63583e5-canary -FROM arigaio/atlas@sha256:4716ae18b1cd81ae15052acd21b0d8f93b3b2ecc95d82989f52bf78a7ebfb017 as base +# docker run arigaio/atlas@sha256:779e402cb5e93982271474834c4f0a89b5edf714b21dbc1770661e86e68db1ed version +# atlas version v1.1.0 +FROM arigaio/atlas@sha256:779e402cb5e93982271474834c4f0a89b5edf714b21dbc1770661e86e68db1ed as base FROM scratch # Update permissions to make it readable by the user From 50b705a3c683efa24cbf58f0b49f358c3ed18efe Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Thu, 5 Feb 2026 22:13:50 +0100 Subject: [PATCH 3/3] build(deps): upgrade Atlas CLI to v1.1.0 Signed-off-by: Miguel Martinez --- .github/workflows/test.yml | 2 +- common.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ed49d645b..fa704b78a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -42,7 +42,7 @@ jobs: - name: Generate migrations if: ${{ matrix.app == 'controlplane' }} env: - ATLAS_VERSION: v1.0.0 + ATLAS_VERSION: v1.1.0 run: | wget -q https://release.ariga.io/atlas/atlas-linux-amd64-$ATLAS_VERSION -O /tmp/atlas sudo install /tmp/atlas /usr/local/bin/atlas diff --git a/common.mk b/common.mk index 59c1b98bc..9e6461152 100644 --- a/common.mk +++ b/common.mk 
@@ -9,7 +9,7 @@ init: init-api-tools # in the community version anymore https://github.com/ariga/atlas/issues/2388#issuecomment-1864287189 # install golangci-lint with Go 1.25 support curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $$(go env GOPATH)/bin v2.4.0 - curl -sSf https://atlasgo.sh | ATLAS_VERSION=v1.0.0 sh -s -- -y + curl -sSf https://atlasgo.sh | ATLAS_VERSION=v1.1.0 sh -s -- -y # initialize API tooling .PHONY: init-api-tools
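Review bot: The changed line still pipes `https://atlasgo.sh` straight into `sh`, so `ATLAS_VERSION=v1.1.0` presumably pins only the binary the script fetches, not the installer script that actually runs on the developer's machine. Downloading the release binary directly and checking it against a recorded checksum before installing would take the unpinned script out of the path. The context line above has the same shape and pulls golangci-lint's `install.sh` from the `master` branch rather than from the `v2.4.0` tag it installs. The `init` recipe starts before the hunk.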