chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0#83
Conversation
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.6.0 to 6.5.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@40f1582...924ae3a) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.5.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
|
QA handoff: no acceptance criteria found. I did not write a QA verdict because this PR has no linked issue and the PR description does not include an acceptance-criteria checklist. The diff is a Dependabot workflow update from I am moving this PR to |
Formal Verdict Aggregate Report — Round 1 — HEAD aadc340Formal Verdict: Reviewer Summary
Critical Findings (P0-P1)无 Critical / High priority findings — all reviewers converged on lower-severity items. Should-Fix (P2)无 P2 findings。 Suggestions (P3)
Questions for Author
Verdict Rationale三位 reviewer 结论完全收敛,任一优先级桶均无 finding:code-reviewer 无 reviewer 分歧。两处 CI 红灯( Round ContextFirst-round review — no prior round context. Generated by review-leader · v5.1 chain terminal (Round 1 aggregate) · dedupe/verdict deterministic per skill |
lml2468
left a comment
There was a problem hiding this comment.
APPROVE — Round 1
纯 CI 供应链依赖升级 actions/setup-go v5→v6.5.0:pinned SHA 924ae3a1 经核验 == 上游 v6.5.0 tag,5/5 引用一致,Go 工具链作业全绿;三位 reviewer 收敛,零 P0/P1/P2 finding。
两处 CI 红灯(check-sprint 门禁、gitleaks 测试假夹具误报)均为预存在、与本 diff 无关,非阻断。完整 findings 见本 PR 的 aggregate 评论。
Automated bot review; human sign-off still required.
OctoBoooot
left a comment
There was a problem hiding this comment.
Review: chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0 (#83)
Verdict: Comment — clean dependency bump; all code-relevant checks pass (Build/Test/Vet/Lint exercise this action and are green). Verdict floors at COMMENT only because CI is red on the two governance checks (gitleaks fixture, check-sprint) — neither caused by this diff.
Risk tier: infra (2 GitHub Actions workflow files). Dependabot-authored.
What changed
actions/setup-gopinned SHA40f1582…(v5) →924ae3a1…across 5 call sites (4 inci.yml, 1 inrelease-publish.yml). SHA verified:924ae3a1cded613372ab5595356fb5720e22ba16is the commit tagv6.5.0points at. Pin correct, all 5 sites consistent,# v6.5.0comment synced (incl. the site that previously read# v5.6.0).go-versionstill sourced fromenv.GO_VERSION(unchanged) — no toolchain version drift from this bump.
Note vs #49
- This supersedes the open PR #49 (same
actions/setup-gobump but →6.4.0, one minor older). Dependabot re-targeted to 6.5.0. If #49 is still open, close it in favor of this so the two don't both land as redundant bumps — same duplication situation as #51/#82.
Compatibility check
- setup-go v5→v6 keeps caching-on-by-default and reads
go-version/go.modthe same way; nowith:-block change here. The Build/Test/Vet/Lint jobs that invoke setup-go are green on this head, so v6.5.0 ran successfully on the runners.
CI status
Build/Test/Vet/Lint/npm packaging/sanity / actionlint/scan-pr / osv-scan/pr-title-lint— all SUCCESS. ✓- Only
secret-scan / gitleaks(pre-existingplugin_upgrade_ccocto_test.go:54fixture) +check-sprint(board sync) red — unrelated to this diff.
Mergeable on the merits once the two governance checks clear (and the #49/#83 duplication is resolved).
Praise
- 5-call-site bump kept fully consistent (same SHA + synced
# v6.5.0comment everywhere), and the action actually ran green on the build/test path — exercised, not blind-pinned.
| @@ -30,7 +30,7 @@ jobs: | |||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |||
There was a problem hiding this comment.
[praise] SHA verified (924ae3a1… = v6.5.0), bump consistent across all 5 call sites with the # v6.5.0 comment synced (incl. the release-publish site that previously read # v5.6.0). go-version still from env.GO_VERSION, so no toolchain drift. Build/Test/Vet/Lint are green on this head → v6.5.0 is exercised, not blind-pinned. Note: this supersedes the open PR #49 (same bump →6.4.0) — worth closing #49 so the two don't both land.
Bumps actions/setup-go from 5.6.0 to 6.5.0.
Release notes
Sourced from actions/setup-go's releases.
... (truncated)
Commits
924ae3achore: bump version to 6.5.0 in package.json and package-lock.json (#762)e91cc3bBump@actions/cacheto 5.1.0, log cache write denied (#758)4a2405echore: update@types/nodeand@typescript-eslintdependencies to latest versi...78961f6chore: update@actionsdependencies and refresh license cache (#744)4a36011docs: fix Microsoft build of Go link (#734)8f19afcfeat: add go-download-base-url input for custom Go distributions (#721)27fdb26Bump minimatch from 3.1.2 to 3.1.5 (#727)def8c39Rearrange README.md, add advanced-usage.md (#724)4b73464Fix golang download url to go.dev (#469)a5f9b05Update default Go module caching to use go.mod (#705)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)