Skip to content

chore(ci): bump golangci/golangci-lint-action from 9.2.0 to 9.3.0#81

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/golangci/golangci-lint-action-9.3.0
Open

chore(ci): bump golangci/golangci-lint-action from 9.2.0 to 9.3.0#81
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/golangci/golangci-lint-action-9.3.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown

Bumps golangci/golangci-lint-action from 9.2.0 to 9.3.0.

Release notes

Sourced from golangci/golangci-lint-action's releases.

v9.3.0

What's Changed

Changes

Dependencies

Full Changelog: golangci/golangci-lint-action@v9.2.1...v9.3.0

v9.2.1

What's Changed

IMPORTANT: this is the first immutable release.

Changes

Dependencies

... (truncated)

Commits
  • ba0d7d2 chore: prepare release v9.3.0
  • efd0857 feat: add no-run-logs-group as experimental option (#1403)
  • ed485de build(deps): bump undici from 6.24.0 to 6.27.0
  • 8872e8d build(deps-dev): bump js-yaml from 4.1.1 to 4.2.0 (#1400)
  • b163415 build(deps): bump tmp from 0.2.6 to 0.2.7 (#1399)
  • e52a9f8 build(deps): bump github/codeql-action from 4.35.5 to 4.36.0 in the github-ac...
  • 8182aa3 build(deps): bump tmp from 0.2.5 to 0.2.6 (#1397)
  • 5403a41 build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 in the github-ac...
  • 82606bf chore: prepare release v9.2.1
  • 97c8387 chore: improve workflows (#1394)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 9.2.0 to 9.3.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@1e7e51e...ba0d7d2)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner June 29, 2026 22:34
@github-actions github-actions Bot added the size/XS PR size: XS label Jun 29, 2026
@lml2468 lml2468 added review:running:qa qa-engineer review in progress review:running:security security-engineer review in progress review:running:code code-reviewer review in progress labels Jun 29, 2026
@lml2468

lml2468 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

QA Review - needs human review

No canonical QA verdict was emitted because this PR has no linked issue and the PR description does not contain an explicit AC checklist.

Evidence reviewed:

  • Diff: one workflow dependency bump in .github/workflows/ci.yml, changing golangci/golangci-lint-action from pinned v9.2.0 SHA 1e7e51e771db61008b38414a730f564565cf7c20 to pinned v9.3.0 SHA ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a.
  • AC source: none confirmed. GitHub reports no closing issue references, and the Dependabot body describes the bump but does not provide an AC checklist.
  • Test evidence: no test-file diff, allowed only as a dependency/config-only category if policy accepts the PR description as sufficient scope.
  • CI evidence: core CI jobs passed, including Test, Build, Vet, Lint, and npm packaging tests; the changed Lint workflow path executed successfully.
  • Blocking evidence for automated QA closure: overall checks are red. Check Sprint failed because no linked issue was found, and Secret Scan failed with one redacted gitleaks finding in the PR commit.
  • Regression/observability scope: .github/workflows/ci.yml changed 7 times in the last 30 days, so the touched CI workflow is active. No application runtime path, CLI contract, logging, metric, trace, or audit behavior is changed by this diff.

Human review needed:

  1. Confirm whether this Dependabot PR can be accepted with the PR body as its AC, or add/link an issue with explicit AC.
  2. Resolve the red Check Sprint and Secret Scan checks before treating QA evidence as complete.

Labels: needs-human-review - generated by qa-engineer - not a merge decision.

@lml2468 lml2468 added needs-human-review and removed review:running:qa qa-engineer review in progress labels Jun 29, 2026
@lml2468

lml2468 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Formal Verdict Aggregate Report — Round 1 — HEAD 4e8ad16

Formal Verdict: APPROVE

Reviewer Summary

Reviewer Verdict Headline finding
qa-engineer pass-with-risk Config-only/dep-bump 豁免;test 作业全绿,2 个非测试门禁红灯(check-sprint 流程门 + gitleaks 预存假密钥),均非本 PR 引入、不阻断。
security-engineer cleared 纯 CI Action 版本升级,SHA pin ba0d7d2 经上游 v9.3.0 annotated tag 逐字节校验;无凭据泄露、无权限面扩张;gitleaks 命中确认为预存测试 fixture false-positive。
code-reviewer approved 单行 SHA-pinned action bump,注释与实际版本一致、无遗留旧引用、行为面不变;5 维全绿,零 finding。

Critical Findings (P0-P1)

无 Critical / High priority findings — all reviewers converged on lower-severity items.

Should-Fix (P2)

无 — 三位 reviewer 均报告零 functional/结构性 finding。

Suggestions (P3)

  • [P3-1] internal/plugin_upgrade_ccocto_test.go:54 — (可选降噪,非阻断)CI secret-scan (gitleaks) 命中测试 fixture 假密钥 sk-test1234567890abcdefTestRedactSecretBeforeTruncation 的脱敏回归夹具)。该行不在本 PR diff 内、非真实凭据、非本次引入。Fix: 为该行加 // gitleaks:allow 或纳入 .gitleaksignore;此为代码库既有项、与本升级无关,交由 maintainer 择机处理。(flagged by qa/risk-3 + security/残余风险)

Questions for Author

无 — 无待澄清的 material question。CI check-sprint 红灯(No linked issue found)系 Dependabot PR 结构性无法携带 Closes #<issue> 所致,为看板流程门禁而非代码缺陷,由 maintainer 合并时人工处理。(from qa/risk-2)

Verdict Rationale

三位 reviewer(QA / Security / Code)在同一 HEAD 4e8ad162 上完全收敛,findings 计数为 P0=0 / P1=0 / P2=0 / P3=1(可选降噪建议)、无 material Question。变更为 Dependabot 单行 CI action 版本升级(golangci/golangci-lint-action 9.2.0 → 9.3.0),diff +1/-1,仅触 .github/workflows/ci.yml:159,无应用/运行时代码。SHA pin ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a 经上游 refs/tags/v9.3.0 annotated tag 解引用逐字节校验一致,供应链完整性良好;底层 golangci-lint v2.12.2with.version)与 args: --timeout=5m 未变,行为面不扩张。按 Formal Verdict 规则表首匹配(无 P0、无 P1、无 ≥3 P2、无 material Question)→ APPROVE

跨 reviewer 无分歧。QA 记录的两处 CI 红灯均为非本 PR 归因的非阻断项:check-sprint 是要求 Closes #<issue> 的流程门禁(Dependabot PR 天然不带,属预期),gitleaks 命中为预存于 main、不在本 diff 内的合成测试假密钥(Security 已独立复核确认 false-positive)。二者均属人类 maintainer 合并前的门禁豁免职责,不构成 reviewer 的阻断 finding。

Round Context

First-round review — no prior round context.


Generated by review-leader · v5.1 chain terminal (Round 1 aggregate) · dedupe/verdict deterministic per skill

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APPROVE — Round 1

All three reviewers converged with zero blocking findings: SHA-pinned bump of golangci/golangci-lint-action 9.2.0 → 9.3.0, pinned SHA ba0d7d2 verified byte-for-byte against upstream v9.3.0 annotated tag; no functional, security, or supply-chain concerns (P0/P1/P2 = 0).

Two red CI checks (check-sprint process gate, gitleaks pre-existing test-fixture false-positive) are unrelated to this diff and non-blocking. Full findings: the aggregate comment on this PR and multica tracker OCTO-1756.

Automated bot review; human sign-off still required.

@OctoBoooot OctoBoooot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: chore(ci): bump golangci/golangci-lint-action from 9.2.0 to 9.3.0 (#81)

Verdict: Comment — clean minor bump; all code-relevant checks pass (including the Lint job this action runs). Verdict floors at COMMENT only because CI is red on the two governance/infra checks (gitleaks fixture, check-sprint) — neither caused by this diff.
Risk tier: infra (1 GitHub Actions workflow). Dependabot-authored.

What changed

  • golangci/golangci-lint-action pinned SHA 1e7e51e… (v9.2.0) → ba0d7d2e… in ci.yml. SHA verified (with care — v9.3.0 is an annotated tag: the tag object is d583c34f… but it points at commit ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a, the "prepare release v9.3.0" commit, which is exactly what Dependabot pinned). Pinning the commit rather than the tag object is correct.
  • The with: block is unchanged — version: v2.12.2 (the golangci-lint binary), args: --timeout=5m. Same as the goreleaser pattern: the action version bumps, the linter binary stays pinned independently, so no lint-rule churn from this bump.

Compatibility check

  • 9.2.0→9.3.0 is a minor action bump with golangci-lint itself held at v2.12.2, so the actual lint ruleset is unchanged — no new findings can appear from this diff. The Lint job (which runs this action) is green on this head, so v9.3.0 executed successfully. Lowest-risk of the recent Dependabot batch.

CI status

  • Build/Test/Vet/Lint/npm packaging/sanity / actionlint/scan-pr / osv-scan/pr-title-lint — all SUCCESS. ✓
  • Only secret-scan / gitleaks (pre-existing plugin_upgrade_ccocto_test.go:54 fixture) + check-sprint (board sync) red — unrelated to this diff. lml2468's approve note ("CI failure unrelated") is accurate.

Mergeable on the merits once the two governance checks clear.

Praise

  • SHA pinned to the release commit (correctly handling the annotated-tag indirection) with the # v9.3.0 comment synced, and version: v2.12.2 held in with: — so the action bump doesn't silently shift the golangci-lint binary version and surface new lint findings. The action ran green here, so it's exercised, not blind-pinned.

Comment thread .github/workflows/ci.yml

- name: Lint
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9.3.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[praise] SHA pin verified correct — v9.3.0 is an annotated tag (tag object d583c34f…) that points at commit ba0d7d2e…, and Dependabot pinned the commit, which is the right thing. with: version: v2.12.2 (the golangci-lint binary) is held unchanged, so this action-version bump can't surface new lint findings — the ruleset is fixed independently of the action. The Lint job is green on this head, so v9.3.0 is actually exercised.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-human-review review:running:code code-reviewer review in progress review:running:security security-engineer review in progress size/XS PR size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants