Skip to content

chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0#35

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-go-6.4.0
Open

chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0#35
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-go-6.4.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Copy link
Copy Markdown

Bumps actions/setup-go from 5.6.0 to 6.5.0.

Release notes

Sourced from actions/setup-go's releases.

v6.5.0

What's Changed

Dependency update

New Contributors

Full Changelog: actions/setup-go@v6...v6.5.0

v6.4.0

What's Changed

Enhancement

Dependency update

Documentation update

New Contributors

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

What's Changed

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

What's Changed

Enhancements

Dependency updates

... (truncated)

Commits

@dependabot @github

dependabot Bot commented on behalf of github Jun 3, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner June 3, 2026 00:23
@github-actions github-actions Bot added the size/XS PR size: XS label Jun 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-go-6.4.0 branch 9 times, most recently from 3bce3eb to 312fc7c Compare June 9, 2026 10:05
@github-actions

Copy link
Copy Markdown

This pull request has been automatically marked as stale due to inactivity. Please add an update or it will be closed.

@github-actions github-actions Bot added the stale label Jun 24, 2026
@dependabot dependabot Bot changed the title chore(ci): bump actions/setup-go from 5.6.0 to 6.4.0 chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0 Jun 25, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-go-6.4.0 branch 3 times, most recently from 6094e7a to 864a2e6 Compare June 25, 2026 12:21
@github-actions github-actions Bot removed the stale label Jun 26, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-go-6.4.0 branch from 864a2e6 to 8af1cf5 Compare June 27, 2026 07:51
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Dispatch

  • Assigned to: reviewer-qa
  • Stage: review
  • Reason: PR chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0 #35 is a Dependabot bump of actions/setup-go from 5.6.0 to 6.5.0 (CI workflow dependency). Open, not draft, not merged. PR review fan-out per routing rule §7.
  • Waiting on: QA verdict (CLEARED / PASS / FAIL / BLOCKED / CLEARED_WITH_RISK)

PR Context

  • Change: .github/workflows/*.ymlactions/setup-go version bump (2 lines changed)
  • CI status: check-sprint failing (pre-existing, unrelated to this diff)
  • Size: XS (additions: 2, deletions: 2)

Please review for correctness, test coverage implications, and regression risk.

@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Dispatch

  • Assigned to: reviewer-security
  • Stage: review
  • Reason: PR chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0 #35 is a Dependabot bump of actions/setup-go from 5.6.0 to 6.5.0 (CI workflow dependency). Open, not draft, not merged. PR review fan-out per routing rule §7.
  • Waiting on: Security verdict (CLEARED / PASS / FAIL / BLOCKED / CLEARED_WITH_RISK)

PR Context

  • Change: .github/workflows/*.ymlactions/setup-go version bump (2 lines changed)
  • Supply chain: Major version bump (5.x → 6.x) of a GitHub Action — verify no supply-chain risk
  • Size: XS (additions: 2, deletions: 2)

Please review for supply-chain security, action integrity, and CI/CD security implications.

@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Dispatch

  • Assigned to: reviewer-code
  • Stage: review
  • Reason: PR chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0 #35 is a Dependabot bump of actions/setup-go from 5.6.0 to 6.5.0 (CI workflow dependency). Open, not draft, not merged. PR review fan-out per routing rule §7.
  • Waiting on: Code review verdict (CLEARED / PASS / FAIL / BLOCKED / CLEARED_WITH_RISK)

PR Context

  • Change: .github/workflows/*.ymlactions/setup-go version bump (2 lines changed)
  • Size: XS (additions: 2, deletions: 2)
  • Note: Major version bump (5.x → 6.x). Check for breaking changes in action behavior.

Please review for code correctness and workflow configuration accuracy.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-go-6.4.0 branch 2 times, most recently from b24f8fa to b17d2c1 Compare June 27, 2026 10:28
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.6.0 to 6.5.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@40f1582...924ae3a)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-go-6.4.0 branch from b17d2c1 to 3ec0c48 Compare June 27, 2026 12:54
@lml2468 lml2468 added the review:running:qa qa-engineer review in progress label Jun 27, 2026
@lml2468 lml2468 added review:running:security security-engineer review in progress review:running:code code-reviewer review in progress stage:review PR is in review phase labels Jun 27, 2026

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QA Verdict: PASS

Persona: qa-engineer (embedded by review-lead in pr-tick-octo-cli)

Read (linked context)

  • PR is a Dependabot bump; no Fixes #N linked issue (CI dependency update, not driven by an issue).
  • Diff scope: .github/workflows/ci.yml and .github/workflows/release-publish.ymlactions/setup-go SHA pin only.

Verify

  • Local checkout skipped: change touches only CI YAML pins; no application code, no test surface.
  • CI evidence on this PR's head: npm test ✅, Detect changed paths ✅, sanity / actionlint ✅, sanity / No tabs in workflow files ✅, label ✅, scan-pr / osv-scan ✅, history / Common ancestor check ✅. build & test (1.24.x) still in progress at review time — Go build invokes the bumped action and is the canonical regression signal; an autopilot follow-up tick will re-examine it if it lands red.
  • check-sprint / check-sprint failure is a sprint-label governance check unrelated to setup-go (consistent across other open PRs in the queue).

Findings

  • Test coverage: No code-under-test changed — coverage delta = 0. No new tests required.
  • Flaky risk: actions/setup-go v6.5.0 release notes contain only dependency updates + cache-key default change (now keyed by go.mod). The cache-key change can produce a one-time cache miss on the first run; no functional regression risk.
  • Edge cases: Both call sites bumped consistently (matrix build & test and release-publish). Pinned SHA matches upstream v6.5.0 release commit (verified via gh api /repos/actions/setup-go/git/ref/tags/v6.5.0).

Verdict

PASS — purely a CI action pin bump; behavior preserved, both call sites consistent, Go build job validates real-world usage in CI.

@lml2468 lml2468 added review:done:qa:approve qa-engineer PASS and removed review:running:qa qa-engineer review in progress labels Jun 27, 2026

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Verdict: CLEARED

Persona: security-engineer (embedded by review-lead in pr-tick-octo-cli)

Supply-chain checks

  • Action: actions/setup-go — official GitHub-maintained action under the actions/ org. Trusted source.
  • Pin discipline: Pre-bump and post-bump both use immutable SHA pins (@40f1582…@924ae3a…) with a trailing # vX.Y.Z comment. This matches OpenSSF / GitHub-hardening guidance — no float to @v6 or @main.
  • SHA integrity (verified): Queried gh api /repos/actions/setup-go/git/ref/tags/v6.5.0 → SHA 924ae3a1cded613372ab5595356fb5720e22ba16 matches the SHA in this PR exactly. No SHA spoofing / typo-squat.
  • Diff scope: Only .github/workflows/{ci,release-publish}.yml. No new permissions block, no new secrets reference, no new step. Same with: go-version, cache: true inputs.

STRIDE

  • Spoofing: N/A — same upstream action, verified SHA.
  • Tampering: SHA pin prevents pin float; no tampering vector introduced.
  • Repudiation: N/A.
  • Information disclosure: No new logging / secret usage.
  • Denial of service: Release notes describe a cache-key default change (now keyed by go.mod) — could cause one cold-cache CI run but no DoS exposure.
  • Elevation of privilege: No change to permissions:, pull_request_target, workflow_run, or anywhere a third-party PR could exploit elevated tokens. The action runs inside the existing job with its existing token grant.

OSV-Scanner

  • scan-pr / osv-scan ✅ on this PR head — no known vulnerable advisories on the new pin.

Release note review (v6.0.0 → v6.5.0)

  • v6.0.0 was the major bump from v5; release notes for v6.x focus on dependency updates (@actions/cache@5, minimatch, js-yaml, types/node) and an opt-in go-download-base-url input. No new network egress by default, no new env exfil surface.

Verdict

CLEARED — official action, SHA-pinned, SHA verified against upstream tag, no permission/secret changes, OSV scan green.

@lml2468 lml2468 added review:done:security:approve security-engineer CLEARED and removed review:running:security security-engineer review in progress labels Jun 27, 2026

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Verdict: APPROVED

Persona: code-reviewer (embedded by review-lead in pr-tick-octo-cli)

  • Must Fix: 0
  • Should Fix: 0
  • Nit: 0
  • Question: 0

Correctness

  • Diff is exactly 2 lines: same uses: key on both sites, only the SHA + version comment change. Both files updated consistently — no skew between matrix build & test (ci.yml) and the release-publish job (release-publish.yml).
  • Inputs untouched: go-version: ${{ matrix.go-version }} in ci.yml and go-version: "1.24.x" + cache: true in release-publish.yml. v6.5.0 accepts the same inputs (no breaking input rename per release notes).

Consistency / maintainability

  • SHA-pin-with-version-comment style is preserved (matches the rest of the repo's actions/checkout@…# v4, goreleaser/… pins seen in other Dependabot PRs in the queue).
  • No straggler references to setup-go@v5 or the old SHA elsewhere in .github/workflows/ based on diff scope (Dependabot only modifies what it pinned).

Behavior delta from upstream notes

  • Cache default switched to go.mod-keyed (v6.3.0). Compatible with this repo's standalone go.mod consumers; first run after merge will warm a new cache key.
  • New go-download-base-url input is opt-in; not used here.

Verdict

APPROVED — minimal, mechanically correct, well-pinned dependency bump. No nits worth holding the PR for.

@lml2468 lml2468 added review:done:code:approve code-reviewer APPROVED and removed review:running:code code-reviewer review in progress labels Jun 27, 2026
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Aggregate Verdict: APPROVED — 等人工合并

All three reviewer personas approved this dependency bump (actions/setup-go 5.6.0 → 6.5.0).

Role Verdict Reviewed at
qa-engineer ✅ PASS 2026-06-27T12:56:11Z
security-engineer ✅ CLEARED 2026-06-27T12:56:35Z
code-reviewer ✅ APPROVED 2026-06-27T12:56:53Z

Decision: No blocking issues found. Ready for human merge.

Aggregated by review-lead autopilot (pr-tick-octo-cli).

@lml2468 lml2468 added the review:complete 3 verdicts aggregated, awaiting human merge label Jun 27, 2026
@lml2468

lml2468 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Formal Verdict Aggregate Report — Round 1 — HEAD 3ec0c48

Formal Verdict: APPROVE

Reviewer Summary

Reviewer Verdict Headline finding
qa-engineer pass-with-risk Dependabot bump actions/setup-go v5.6.0 → v6.5.0; SHA-pin correct, functional CI green (build & test (1.24.x) ran the action successfully); capped at pass-with-risk per fail-closed dep-bump policy with two known non-blocking risks.
security-engineer cleared Pure CI action version bump; new 40-char SHA 924ae3a1… verified to point exactly at upstream official actions/setup-go v6.5.0 tag; SHA-pin discipline intact, no new trust boundary / permission / data flow, supply-chain integrity passes.
code-reviewer approved Two single-line SHA-pin replacements across ci.yml:106 + release-publish.yml:81; version comment consistent with SHA, no with: / permission / trigger change; five-dimension review clean (Must=0 · Should=0 · Nit=0).

Critical Findings (P0-P1)

无 Critical / High priority findings — all reviewers converged on lower-severity items.

Should-Fix (P2)

无 P2 findings.

Suggestions (P3)

  • [P3-1] v5→v6 是 major 升级:v6 默认 Go module 缓存改为按 go.mod 键控(上游 #705),@actions/cache 升至 v5。影响仅限首次运行缓存 miss/重建(构建时长,非正确性);build & test (1.24.x) 已实跑绿收敛,无需 follow-up。(flagged by qa/risk-1;code Contrarian pass 已复核,证伪其为缺陷)
  • [P3-2] release-publish.yml:81 的 setup-go 仅在 release 事件触发,本 PR CI 未覆盖 cache: true + fetch-depth: 0 组合下的 v6 行为。建议下次发布前留意首个 release 工作流运行的缓存/下载步骤。可选,不强制。(flagged by qa/risk-2)

Questions for Author

  • [Q-1](非阻断)check-sprint / check-sprint 门红,原因为缺 Closes #issue 引用——属项目看板 sprint 归属治理门(pull_request_target metadata-only automation),非功能/安全/代码质量门。Dependabot PR 天然无法附带 Closes #。合并前由人类按团队惯例豁免/处理即可。(from qa + security + code 三方一致标注为非阻断旁注)

Verdict Rationale

三名上游 reviewer 完全收敛:security cleared(0 findings,供应链完整性六项核验全过)、code approved(Must=0 · Should=0 · Nit=0,五维 + Bug Pattern Library + Contrarian pass 均无发现)、qa pass-with-risk(无功能 Must Fix,仅两点已知非阻断风险 + 一项治理门旁注)。无任何 P0/P1/P2 finding,无阻断性作者问题。按 deterministic Formal Verdict 规则表首匹配 No P0/P1/P2 + only P3 + no blocking Q → APPROVE

唯一「红」信号 check-sprint 经三方独立核实为看板治理自动化门而非功能/安全门,且为 Dependabot PR 常态,不构成裁定依据。QA 的 pass-with-risk 封顶源自 fail-closed dep-bump 白名单策略而非实质缺陷——无 reviewer 分歧需在此明示。

Round Context

First-round review — no prior round context.


Generated by review-leader · v5.1 chain terminal (Round 1 aggregate) · dedupe/verdict deterministic per skill

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APPROVE — Round 1 · Formal Verdict aggregate

All three reviewers converged with zero blocking findings: security cleared, code approved (Must=0/Should=0/Nit=0), qa pass-with-risk (SHA-pin bump of actions/setup-go v5.6.0 → v6.5.0, functional CI green; only non-blocking risks). No P0/P1/P2, no blocking question.

Top notes: v5→v6 default cache-key change (build & test green, no follow-up needed); check-sprint red is a board governance gate (missing Closes #, normal for Dependabot), not a functional/security gate.

See the full aggregate comment on this PR for details. Automated bot review; human sign-off still required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

review:complete 3 verdicts aggregated, awaiting human merge review:done:code:approve code-reviewer APPROVED review:done:qa:approve qa-engineer PASS review:done:security:approve security-engineer CLEARED size/XS PR size: XS stage:review PR is in review phase

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant