Skip to content

chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0#83

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-go-6.5.0
Open

chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0#83
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-go-6.5.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown

Bumps actions/setup-go from 5.6.0 to 6.5.0.

Release notes

Sourced from actions/setup-go's releases.

v6.5.0

What's Changed

Dependency update

New Contributors

Full Changelog: actions/setup-go@v6...v6.5.0

v6.4.0

What's Changed

Enhancement

Dependency update

Documentation update

New Contributors

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

What's Changed

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

What's Changed

Enhancements

Dependency updates

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.6.0 to 6.5.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@40f1582...924ae3a)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.5.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner June 29, 2026 22:34
@github-actions github-actions Bot added the size/S PR size: S label Jun 29, 2026
@lml2468 lml2468 added review:running:qa qa-engineer review in progress review:running:security security-engineer review in progress review:running:code code-reviewer review in progress labels Jun 29, 2026
@lml2468

lml2468 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

QA handoff: no acceptance criteria found.

I did not write a QA verdict because this PR has no linked issue and the PR description does not include an acceptance-criteria checklist. The diff is a Dependabot workflow update from actions/setup-go v5.6.0 to v6.5.0 across CI/release workflows, but the qa-engineer workflow requires explicit AC evidence instead of inferring it.

I am moving this PR to needs-human-review for review-lead/human handling.

@lml2468 lml2468 added needs-human-review and removed review:running:qa qa-engineer review in progress labels Jun 29, 2026
@lml2468

lml2468 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Formal Verdict Aggregate Report — Round 1 — HEAD aadc340

Formal Verdict: APPROVE

Reviewer Summary

Reviewer Verdict Headline finding
qa-engineer pass-with-risk 纯 CI 依赖升级 actions/setup-go v5→v6.5.0;5 处引用一致 SHA-pin,Go 工具链作业全绿;2 个与本 diff 无关的红灯(sprint 门禁 + gitleaks 误报)非阻断。
security-engineer cleared-with-risk 供应链完整性已核验:pinned SHA 924ae3a1 == 上游 v6.5.0 tag commit,精确匹配;最小权限、无凭据、无新可利用面;唯一残余为预存在的 gitleaks 误报(假夹具),非可利用。
code-reviewer approved 5/5 引用(ci.yml×4 + release-publish.yml×1)一致改到已核验 SHA;go-version 显式 pin 完全隔离 v6 行为变更(node24 / go.mod 缓存);无 Must/Should/Nit。

Critical Findings (P0-P1)

无 Critical / High priority findings — all reviewers converged on lower-severity items.

Should-Fix (P2)

无 P2 findings。

Suggestions (P3)

  • [P3-1] internal/plugin_upgrade_ccocto_test.go:54 — CI secret-scan (gitleaks) 命中合成假密钥 sk-test1234567890abcdefTestRedactSecretBeforeTruncation 的 redaction 回归夹具)。该行不在本 PR diff 内,非真实凭据、非本次引入,属预存在扫描噪声。Fix: 为该行加 # gitleaks:allow 或在 gitleaks allowlist 登记该测试文件,建议单独提 issue,不阻断本 PR。(flagged by qa/risk-2 + security/risk-1)

Questions for Author

  • 无阻断性问题。CI check-sprint 红灯(No linked issue found)系 Dependabot PR 结构性无法携带 Closes #<issue> 所致,为看板流程门禁而非代码缺陷,由 Maintainer 合并时人工处理。(from qa/risk-1 + security/risk-2)

Verdict Rationale

三位 reviewer 结论完全收敛,任一优先级桶均无 finding:code-reviewer approved(零 Must/Should/Nit),qa pass-with-risk,security cleared-with-risk(Low)。核心正确性/安全属性——pinned SHA 924ae3a1cded613372ab5595356fb5720e22ba16 与上游 actions/setup-go v6.5.0 release commit 精确匹配、5/5 引用一致、无残留 v5 pin——已由三方独立核验一致确认。major bump 的行为变更(runner node20→node24、默认缓存改用 go.mod 推断)被现有的显式 go-version pin 完全隔离,Go 工具链作业(Build/Test/Vet/Lint/npm packaging)实跑全绿。

无 reviewer 分歧。两处 CI 红灯(check-sprint 门禁、gitleaks 误报)均为预存在、与本 diff 无关的项:前者为 Dependabot PR 无关联 issue 的流程门禁,后者命中一个不在本 PR 变更范围内的测试假夹具,皆非本次变更引入的缺陷。按 Formal Verdict 规则表(无 P0/P1/P2 + 无阻断性 Question),判定 APPROVE

Round Context

First-round review — no prior round context.


Generated by review-leader · v5.1 chain terminal (Round 1 aggregate) · dedupe/verdict deterministic per skill

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APPROVE — Round 1

纯 CI 供应链依赖升级 actions/setup-go v5→v6.5.0:pinned SHA 924ae3a1 经核验 == 上游 v6.5.0 tag,5/5 引用一致,Go 工具链作业全绿;三位 reviewer 收敛,零 P0/P1/P2 finding。

两处 CI 红灯(check-sprint 门禁、gitleaks 测试假夹具误报)均为预存在、与本 diff 无关,非阻断。完整 findings 见本 PR 的 aggregate 评论。

Automated bot review; human sign-off still required.

@OctoBoooot OctoBoooot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: chore(ci): bump actions/setup-go from 5.6.0 to 6.5.0 (#83)

Verdict: Comment — clean dependency bump; all code-relevant checks pass (Build/Test/Vet/Lint exercise this action and are green). Verdict floors at COMMENT only because CI is red on the two governance checks (gitleaks fixture, check-sprint) — neither caused by this diff.
Risk tier: infra (2 GitHub Actions workflow files). Dependabot-authored.

What changed

  • actions/setup-go pinned SHA 40f1582… (v5) → 924ae3a1… across 5 call sites (4 in ci.yml, 1 in release-publish.yml). SHA verified: 924ae3a1cded613372ab5595356fb5720e22ba16 is the commit tag v6.5.0 points at. Pin correct, all 5 sites consistent, # v6.5.0 comment synced (incl. the site that previously read # v5.6.0).
  • go-version still sourced from env.GO_VERSION (unchanged) — no toolchain version drift from this bump.

Note vs #49

  • This supersedes the open PR #49 (same actions/setup-go bump but →6.4.0, one minor older). Dependabot re-targeted to 6.5.0. If #49 is still open, close it in favor of this so the two don't both land as redundant bumps — same duplication situation as #51/#82.

Compatibility check

  • setup-go v5→v6 keeps caching-on-by-default and reads go-version/go.mod the same way; no with:-block change here. The Build/Test/Vet/Lint jobs that invoke setup-go are green on this head, so v6.5.0 ran successfully on the runners.

CI status

  • Build/Test/Vet/Lint/npm packaging/sanity / actionlint/scan-pr / osv-scan/pr-title-lint — all SUCCESS. ✓
  • Only secret-scan / gitleaks (pre-existing plugin_upgrade_ccocto_test.go:54 fixture) + check-sprint (board sync) red — unrelated to this diff.

Mergeable on the merits once the two governance checks clear (and the #49/#83 duplication is resolved).

Praise

  • 5-call-site bump kept fully consistent (same SHA + synced # v6.5.0 comment everywhere), and the action actually ran green on the build/test path — exercised, not blind-pinned.

Comment thread .github/workflows/ci.yml
@@ -30,7 +30,7 @@ jobs:
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[praise] SHA verified (924ae3a1… = v6.5.0), bump consistent across all 5 call sites with the # v6.5.0 comment synced (incl. the release-publish site that previously read # v5.6.0). go-version still from env.GO_VERSION, so no toolchain drift. Build/Test/Vet/Lint are green on this head → v6.5.0 is exercised, not blind-pinned. Note: this supersedes the open PR #49 (same bump →6.4.0) — worth closing #49 so the two don't both land.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-human-review review:running:code code-reviewer review in progress review:running:security security-engineer review in progress size/S PR size: S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants