chore(ci): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.3#82
chore(ci): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.3#82dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 6.4.0 to 7.2.3. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@e435ccd...f06c13b) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
QA Review - pass-with-riskVerdict: SummaryThe requested bump is present and the normal build/test workflow plus workflow sanity checks passed, but this is a major release-action upgrade in a release workflow that PR CI does not execute directly, and the PR check state is still red from non-test gates. AC Coverage Matrix
Boundary / Edge Cases
Regression Risk
ObservabilityNot an application runtime path. Failures would surface through GitHub Actions logs; no new app telemetry is applicable. Test Execution
Risks
Labels: |
π Security Review β verdict:
|
| Dimension | Result |
|---|---|
| Credential / secret scan | β No secrets, tokens, or keys in the diff |
| Supply-chain integrity | β
Action is SHA-pinned; pinned commit f06c13b6β¦ verified to match upstream tag v7.2.3 exactly |
| STRIDE (Tampering / EoP) | β
No permissions: changes, no new secret references, no new attack surface introduced |
| OWASP A06 (vulnerable components) | β Bump moves to a newer maintained release; no injection / access-control surface added |
Notes (non-blocking)
- The PR check rollup is red from
Check SprintandSecret Scan (gitleaks). Neither is attributable to this diff β the changed line introduces no secret material, and gitleaks operates over repo history rather than this single action-ref change. From a security standpoint the change itself is clean; the red Secret Scan signal is environmental/pre-existing and is for the build/QA lane to triage, not a vulnerability in this PR.
No new exploitable risk introduced; existing supply-chain threats (action pinning) remain adequately mitigated.
Code Review - approvedVerdict: SummaryReviewed the one-line SHA-pinned Must Fix (0)None. Should Fix (0)None. Nit (0)None. Question (0)None. Dimension Coverage
Labels: |
Formal Verdict Aggregate Report β Round 1 β HEAD fbe0a5aFormal Verdict: Reviewer Summary
Critical Findings (P0-P1)ζ Critical / High priority findings β all reviewers converged on lower-severity items. Should-Fix (P2)ζ P2 findings. Suggestions (P3)ζ P3 findings. Questions for Authorζ blocking questions. (See Verdict Rationale for the non-blocking follow-up recommendation the reviewers converged on.) Verdict RationaleAll three reviewers converged: the change is a one-line, full-SHA-pinned GitHub-Actions bump of The only non-blocking notes, raised by QA as Round ContextFirst-round review β no prior round context. Generated by review-leader Β· v5.1 chain terminal (Round 1 aggregate) Β· dedupe/verdict deterministic per skill |
lml2468
left a comment
There was a problem hiding this comment.
APPROVE β Round 1
All three reviewers converged: single-line full-SHA-pinned bump of goreleaser/goreleaser-action v6.4.0 β v7.2.3, pin verified against the upstream v7.2.3 tag, inputs/token scope unchanged β 0 critical/high/medium/low findings.
Non-blocking follow-up: the v7 GoReleaser release path is not exercised by PR CI (major bump) β a controlled workflow_dispatch dry-run is recommended before relying on it for production releases.
See the Formal Verdict Aggregate comment on this PR for full findings.
Automated bot review; human sign-off still required.
OctoBoooot
left a comment
There was a problem hiding this comment.
Review: chore(ci): bump goreleaser/goreleaser-action from 6.4.0 to 7.2.3 (#82)
Verdict: Comment β clean 1-line dependency bump; all code/release-relevant checks pass. Verdict floors at COMMENT only because CI is red on the two governance/infra checks (gitleaks fixture, check-sprint) β neither caused by this diff.
Risk tier: infra (1 GitHub Actions workflow). Dependabot-authored.
What changed
goreleaser/goreleaser-actionpinned SHAe435ccdβ¦(v6.4.0) βf06c13bβ¦inrelease-publish.yml. SHA verified:f06c13b6b1a9625abc9e6e439d9c05a8f2190e94is exactly the commit tagv7.2.3points at. Pin correct.- The
with:block is unchanged βdistribution: goreleaser,version: "~> v2". As with the sibling #51 (β7.2.2), the action-wrapper major bump is decoupled from the GoReleaser engine, which stays pinned at~> v2.
Note vs #51
- This is the same goreleaser-action bump as PR #51 but one patch newer (7.2.2 β 7.2.3) β Dependabot superseded #51's target. If both are open, close #51 in favor of this; landing both would just be a redundant no-op second bump. Worth confirming which one the team wants to merge so they don't both go in.
Compatibility check
- goreleaser-action v7 keeps the Node 20+ runtime;
version: "~> v2"decouples the GoReleaser binary from the action version, so v7.2.3 invoking GoReleaser v2 is the same release engine as before. Low risk. - This action only runs in
release-publish(tag-triggered), so PR CI doesn't exercise it β lml2468's suggestion toworkflow_dispatcha v7 dry-run before the next production release is a reasonable pre-flight, since the release path can't be smoke-tested from a PR. Not a merge blocker, but a good release-time check.
CI status
- All code/release-relevant checks green:
Build,Test,Vet,Lint,npm packaging,sanity / actionlint,scan-pr / osv-scan,pr-title-lint. β - Only
secret-scan / gitleaks(pre-existingplugin_upgrade_ccocto_test.go:54fixture) +check-sprint(board sync) red β unrelated to this diff.
Mergeable on the merits once the two governance checks clear (and the #51/#82 duplication is resolved).
Praise
- SHA pin verified with
# v7.2.3comment synced, andversion: "~> v2"held in thewith:block β so the action-version bump doesn't silently drag the GoReleaser engine to a new major. Same correct shape as #51.
|
|
||
| - name: Build with GoReleaser | ||
| uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 | ||
| uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7.2.3 |
There was a problem hiding this comment.
[praise] SHA pin verified (f06c13bβ¦ = v7.2.3), comment synced, and with: version: "~> v2" unchanged β so this action-wrapper major bump (6β7) doesn't drag the GoReleaser engine to a new major; the two are versioned independently. Note: this is the same bump as the open PR #51 (β7.2.2) one patch newer β worth closing #51 in favor of this so the two don't both land as redundant bumps. Since the action only runs on tag-triggered release, a workflow_dispatch v7 dry-run before the next prod release (as lml2468 suggested) is a sensible pre-flight the PR CI can't cover.
Bumps goreleaser/goreleaser-action from 6.4.0 to 7.2.3.
Release notes
Sourced from goreleaser/goreleaser-action's releases.
... (truncated)
Commits
f06c13bchore: update distd393459ci: fix jobee731b1chore: workflow dispatch55de448chore(deps): bump js-yaml from 4.1.1 to 4.2.0a4f614eci: use a GitHub App token to rebuild dist on dependabot PRs (#569)d2d17a6ci: auto-rebuild dist on dependabot PRs (#568)d13def3build: regenerate dist after undici 6.27.0 bump (#567)21549b6chore(deps): bump undici from 6.24.1 to 6.27.0 (#565)47c416dci(deps): bump the actions group with 3 updates (#563)5daf1e9fix: nightly resolution to select newest published release (#562)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)