Skip to content

chore(ci): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.3#82

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/goreleaser/goreleaser-action-7.2.3
Open

chore(ci): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.3#82
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/goreleaser/goreleaser-action-7.2.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown

Bumps goreleaser/goreleaser-action from 6.4.0 to 7.2.3.

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v7.2.3

What's Changed

Full Changelog: goreleaser/goreleaser-action@v7.2.2...v7.2.3

v7.2.2

What's Changed

New Contributors

Full Changelog: goreleaser/goreleaser-action@v7...v7.2.2

v7.2.1

This fully removes the usage of the old nightly moving tag.

Full Changelog: goreleaser/goreleaser-action@v7.2.0...v7.2.1

v7.2.0

What's Changed

Full Changelog: goreleaser/goreleaser-action@v7...v7.2.0

v7.1.0

What's Changed

New Contributors

... (truncated)

Commits
  • f06c13b chore: update dist
  • d393459 ci: fix job
  • ee731b1 chore: workflow dispatch
  • 55de448 chore(deps): bump js-yaml from 4.1.1 to 4.2.0
  • a4f614e ci: use a GitHub App token to rebuild dist on dependabot PRs (#569)
  • d2d17a6 ci: auto-rebuild dist on dependabot PRs (#568)
  • d13def3 build: regenerate dist after undici 6.27.0 bump (#567)
  • 21549b6 chore(deps): bump undici from 6.24.1 to 6.27.0 (#565)
  • 47c416d ci(deps): bump the actions group with 3 updates (#563)
  • 5daf1e9 fix: nightly resolution to select newest published release (#562)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 6.4.0 to 7.2.3.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@e435ccd...f06c13b)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-version: 7.2.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner June 29, 2026 22:34
@github-actions github-actions Bot added the size/XS PR size: XS label Jun 29, 2026
@lml2468 lml2468 added review:running:qa qa-engineer review in progress review:running:security security-engineer review in progress review:running:code code-reviewer review in progress labels Jun 29, 2026
@lml2468

lml2468 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

QA Review - pass-with-risk

Verdict: pass-with-risk
AC source: PR description only (Dependabot workflow action bump)
CI status: failing overall; QA-relevant CI Build, Test, Vet, Lint, npm packaging tests, and workflow sanity passed. Non-test failures remain in Check Sprint and Secret Scan.
Test diff: +0 files, ~0 lines (exempted: dependency/config-only workflow action bump)

Summary

The requested bump is present and the normal build/test workflow plus workflow sanity checks passed, but this is a major release-action upgrade in a release workflow that PR CI does not execute directly, and the PR check state is still red from non-test gates.

AC Coverage Matrix

AC # Description Code path Test / CI evidence Assertion strength Status
AC1 Bump goreleaser/goreleaser-action in release-publish.yml from v6.4.0 to v7.2.3 .github/workflows/release-publish.yml Build with GoReleaser step Workflow Sanity / actionlint, Workflow Sanity / No tabs, and CI / Build/Test/Vet/Lint passed Medium: validates YAML and repo tests, not the actual release job execution OK with risk

Boundary / Edge Cases

Path Boundary category Tested
release-publish.yml Build with GoReleaser Major action-version compatibility with existing distribution, version, and args inputs No direct PR execution evidence
release-publish.yml release artifact path Manual workflow_dispatch release path and upload handoff No direct PR execution evidence

Regression Risk

  • Touched module: .github/workflows/release-publish.yml
  • Recent change frequency: 3 commits touching this workflow in the last 30 days
  • Public contract change: release/publish workflow behavior
  • Risk rating: High for release automation, mitigated by passing syntax/workflow sanity and normal CI checks

Observability

Not an application runtime path. Failures would surface through GitHub Actions logs; no new app telemetry is applicable.

Test Execution

  • Existence: No test-file diff; exempted as a dependency/config-only workflow action bump
  • CI: Main CI workflow passed, including Test; workflow sanity passed. Overall PR checks are still red from Check Sprint and Secret Scan.
  • Coverage change: n/a
  • Flaky evidence: Secret Scan has recent failures on main, so I am treating it as a non-QA risk rather than proof this dependency bump broke tests.

Risks

  1. The actual release-publish.yml GoReleaser step is not executed by PR CI, so the v7.2.3 major upgrade should be validated with a controlled release workflow run before relying on it for production release publishing.
  2. The PR remains blocked by non-test checks (Check Sprint and Secret Scan), so this QA verdict is not a merge recommendation.

Labels: review:done:qa:risk - generated by qa-engineer; merge remains a human decision.

@lml2468 lml2468 added review:done:qa:risk qa-engineer completed review with pass-with-risk verdict and removed review:running:qa qa-engineer review in progress labels Jun 29, 2026
@lml2468

lml2468 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

πŸ” Security Review β€” verdict: cleared

PR #82 β€” chore(ci): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.3

Single-line dependency bump of the goreleaser/goreleaser-action GitHub Action used in the release-publish workflow's build step.

Findings

Dimension Result
Credential / secret scan βœ… No secrets, tokens, or keys in the diff
Supply-chain integrity βœ… Action is SHA-pinned; pinned commit f06c13b6… verified to match upstream tag v7.2.3 exactly
STRIDE (Tampering / EoP) βœ… No permissions: changes, no new secret references, no new attack surface introduced
OWASP A06 (vulnerable components) βœ… Bump moves to a newer maintained release; no injection / access-control surface added

Notes (non-blocking)

  • The PR check rollup is red from Check Sprint and Secret Scan (gitleaks). Neither is attributable to this diff β€” the changed line introduces no secret material, and gitleaks operates over repo history rather than this single action-ref change. From a security standpoint the change itself is clean; the red Secret Scan signal is environmental/pre-existing and is for the build/QA lane to triage, not a vulnerability in this PR.

No new exploitable risk introduced; existing supply-chain threats (action pinning) remain adequately mitigated.

@lml2468 lml2468 added review:done:security:approve security-engineer CLEARED and removed review:running:security security-engineer review in progress labels Jun 29, 2026
@lml2468

lml2468 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Code Review - approved

Verdict: approved
Scope: 1 file / 1+ / 1- (full review)
Counts: Must Fix 0 | Should Fix 0 | Nit 0 | Question 0

Summary

Reviewed the one-line SHA-pinned goreleaser/goreleaser-action bump in .github/workflows/release-publish.yml. The existing distribution, version, and args inputs remain unchanged, and the diff does not alter triggers, permissions, secret usage, or the release handoff. I did not find code-level blockers; the red Check Sprint and Secret Scan checks are outside this diff and have already been called out by QA/security.

Must Fix (0)

None.

Should Fix (0)

None.

Nit (0)

None.

Question (0)

None.

Dimension Coverage

Dimension Coverage Findings
Correctness full 0
Readability full 0
Maintainability full 0
Test Coverage full 0

Labels: review:done:code:approve | generated by code-reviewer; merge remains a human decision.

@lml2468 lml2468 added review:done:code:approve code-reviewer APPROVED review:complete 3 verdicts aggregated, awaiting human merge and removed review:running:code code-reviewer review in progress labels Jun 29, 2026
@lml2468

lml2468 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Formal Verdict Aggregate Report β€” Round 1 β€” HEAD fbe0a5a

Formal Verdict: APPROVE

Reviewer Summary

Reviewer Verdict Headline finding
qa-engineer pass-with-risk Upgrade landed SHA-pinned; normal Build/Test/Vet/Lint + workflow-sanity green, but the GoReleaser release path is not exercised by PR CI (major v6β†’v7 bump).
security-engineer cleared Pinned commit f06c13b6… verified to resolve exactly to upstream v7.2.3 tag; token scope, distribution/version/args unchanged β€” no exploitable delta.
code-reviewer approved Single-line full-SHA action ref bump; inputs and surrounding workflow hardening intact β€” 0 Must/Should/Nit/Question.

Critical Findings (P0-P1)

ζ—  Critical / High priority findings β€” all reviewers converged on lower-severity items.

Should-Fix (P2)

ζ—  P2 findings.

Suggestions (P3)

ζ—  P3 findings.

Questions for Author

ζ—  blocking questions. (See Verdict Rationale for the non-blocking follow-up recommendation the reviewers converged on.)

Verdict Rationale

All three reviewers converged: the change is a one-line, full-SHA-pinned GitHub-Actions bump of goreleaser/goreleaser-action v6.4.0 β†’ v7.2.3 in .github/workflows/release-publish.yml, with distribution / version: "~> v2" / args inputs and GITHUB_TOKEN scope all unchanged. Security independently verified the pinned commit f06c13b6… resolves exactly to the upstream v7.2.3 tag (no tag-hijack / branch-substitution) and cleared it; code-reviewer found 0 findings across all five dimensions. Finding counts: P0=0, P1=0, P2=0, P3=0, blocking Questions=0 β†’ deterministic rule table yields APPROVE.

The only non-blocking notes, raised by QA as pass-with-risk and echoed by security/code as follow-up-not-blocker: (1) this is a major (v6β†’v7) bump to the release workflow, and PR CI does not execute the GoReleaser release job, so the actual v7 publish path is unverified β€” a controlled workflow_dispatch release dry-run before relying on it for production releases is recommended; (2) the overall PR check set is red on non-test gates (Check Sprint, Secret Scan / gitleaks), which QA and code-reviewer both attribute to pre-existing/environmental signals, not this bump. Neither is a code- or security-level blocker, so neither downgrades the verdict β€” both are captured here as follow-up for the build/QA lane and human sign-off.

Round Context

First-round review β€” no prior round context.


Generated by review-leader Β· v5.1 chain terminal (Round 1 aggregate) Β· dedupe/verdict deterministic per skill

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APPROVE β€” Round 1

All three reviewers converged: single-line full-SHA-pinned bump of goreleaser/goreleaser-action v6.4.0 β†’ v7.2.3, pin verified against the upstream v7.2.3 tag, inputs/token scope unchanged β€” 0 critical/high/medium/low findings.

Non-blocking follow-up: the v7 GoReleaser release path is not exercised by PR CI (major bump) β€” a controlled workflow_dispatch dry-run is recommended before relying on it for production releases.

See the Formal Verdict Aggregate comment on this PR for full findings.

Automated bot review; human sign-off still required.

@OctoBoooot OctoBoooot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: chore(ci): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.3 (#82)

Verdict: Comment β€” clean 1-line dependency bump; all code/release-relevant checks pass. Verdict floors at COMMENT only because CI is red on the two governance/infra checks (gitleaks fixture, check-sprint) β€” neither caused by this diff.
Risk tier: infra (1 GitHub Actions workflow). Dependabot-authored.

What changed

  • goreleaser/goreleaser-action pinned SHA e435ccd… (v6.4.0) β†’ f06c13b… in release-publish.yml. SHA verified: f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 is exactly the commit tag v7.2.3 points at. Pin correct.
  • The with: block is unchanged β€” distribution: goreleaser, version: "~> v2". As with the sibling #51 (β†’7.2.2), the action-wrapper major bump is decoupled from the GoReleaser engine, which stays pinned at ~> v2.

Note vs #51

  • This is the same goreleaser-action bump as PR #51 but one patch newer (7.2.2 β†’ 7.2.3) β€” Dependabot superseded #51's target. If both are open, close #51 in favor of this; landing both would just be a redundant no-op second bump. Worth confirming which one the team wants to merge so they don't both go in.

Compatibility check

  • goreleaser-action v7 keeps the Node 20+ runtime; version: "~> v2" decouples the GoReleaser binary from the action version, so v7.2.3 invoking GoReleaser v2 is the same release engine as before. Low risk.
  • This action only runs in release-publish (tag-triggered), so PR CI doesn't exercise it β€” lml2468's suggestion to workflow_dispatch a v7 dry-run before the next production release is a reasonable pre-flight, since the release path can't be smoke-tested from a PR. Not a merge blocker, but a good release-time check.

CI status

  • All code/release-relevant checks green: Build, Test, Vet, Lint, npm packaging, sanity / actionlint, scan-pr / osv-scan, pr-title-lint. βœ“
  • Only secret-scan / gitleaks (pre-existing plugin_upgrade_ccocto_test.go:54 fixture) + check-sprint (board sync) red β€” unrelated to this diff.

Mergeable on the merits once the two governance checks clear (and the #51/#82 duplication is resolved).

Praise

  • SHA pin verified with # v7.2.3 comment synced, and version: "~> v2" held in the with: block β€” so the action-version bump doesn't silently drag the GoReleaser engine to a new major. Same correct shape as #51.


- name: Build with GoReleaser
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7.2.3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[praise] SHA pin verified (f06c13b… = v7.2.3), comment synced, and with: version: "~> v2" unchanged β€” so this action-wrapper major bump (6β†’7) doesn't drag the GoReleaser engine to a new major; the two are versioned independently. Note: this is the same bump as the open PR #51 (β†’7.2.2) one patch newer β€” worth closing #51 in favor of this so the two don't both land as redundant bumps. Since the action only runs on tag-triggered release, a workflow_dispatch v7 dry-run before the next prod release (as lml2468 suggested) is a sensible pre-flight the PR CI can't cover.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

review:complete 3 verdicts aggregated, awaiting human merge review:done:code:approve code-reviewer APPROVED review:done:qa:risk qa-engineer completed review with pass-with-risk verdict review:done:security:approve security-engineer CLEARED size/XS PR size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants