chore(ci): bump actions/setup-go from 5.6.0 to 6.4.0#23
Conversation
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.6.0 to 6.4.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@40f1582...4a36011) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
|
This pull request has been automatically marked as stale due to inactivity. Please add an update or it will be closed. |
lml2468
left a comment
There was a problem hiding this comment.
QA Engineer Verdict: APPROVE
Change scope: Single-line bump of actions/setup-go from v5 (pinned SHA 40f1582) to v6.4.0 (pinned SHA 4a3601121dd0) in .github/workflows/ci.yml.
Verification:
- Inputs
go-version: '1.21'andcache: trueare compatible with setup-go v6 - No application code changed β only CI workflow reference
- CI failures (
build-and-test,add-to-project,check-sprint) are all pre-existing: go.mod requires go 1.26.1 while CI pins go 1.21; GraphQL infra errors. Not caused by this PR. - SHA is pinned (not floating tag) β reproducible builds
Test coverage: N/A for CI config change. CI itself is the validation mechanism.
Risk: Low. Well-known upstream GitHub Action with 20k+ stars. Pinning to full SHA is best practice.
lml2468
left a comment
There was a problem hiding this comment.
Security Engineer Verdict: APPROVE
Supply chain analysis:
- Source:
actions/setup-goβ GitHub-owned official action (20k+ stars, actively maintained) - Previous:
@40f1582b2485089dde7abd97c1529aa768e1baff(v5) - New:
@4a3601121dd01d1626a1e23e1354c1c06c(v6.4.0) - SHA-pinned β β prevents tag mutation attacks
STRIDE assessment: Not applicable β CI action with no auth flow, no secrets handling, sandboxed runner execution.
Runtime change: v6 uses Node.js 20 (v5 used Node 16). Node 20 is actively supported. No known CVEs against setup-go v6.x.
Permissions diff: No new permissions introduced. The uses: line change does not alter permissions: block or add secret access.
SBOM impact: Changes one action dependency in CI toolchain only. No application dependency changes.
Verdict: Clean supply chain update. No security concerns.
lml2468
left a comment
There was a problem hiding this comment.
Code Reviewer Verdict: APPROVE
Correctness: Single-line uses: reference update. YAML syntax valid. SHA pinning maintained (@4a3601121dd0...).
Readability: No impact β version string change only.
Maintainability: setup-go v6 is the current major version. Bumping from v5 is good dependency hygiene β ensures continued security patches and compatibility.
Design fit: Consistent with existing Dependabot automation pattern. The repo already uses Dependabot for dependency management.
Behavioral note: setup-go v6 changes default cache key from go.sum to go.mod. This workflow uses cache: true without a custom key, so the v6 default applies β this is fine and actually more correct (cache invalidates on dependency changes rather than lockfile changes).
No concerns identified.
Aggregate Verdict: APPROVED β awaiting human merge
CI note: 3 CI checks fail but all are pre-existing (go.mod version mismatch, infra GraphQL errors) β not caused by this PR. Next step: Human merge. |
|
Superseded by #39. |
Bumps actions/setup-go from 5.6.0 to 6.4.0.
Release notes
Sourced from actions/setup-go's releases.
... (truncated)
Commits
4a36011docs: fix Microsoft build of Go link (#734)8f19afcfeat: add go-download-base-url input for custom Go distributions (#721)27fdb26Bump minimatch from 3.1.2 to 3.1.5 (#727)def8c39Rearrange README.md, add advanced-usage.md (#724)4b73464Fix golang download url to go.dev (#469)a5f9b05Update default Go module caching to use go.mod (#705)7a3fe6cBump qs from 6.14.0 to 6.14.1 (#703)b9adafdBump actions/checkout from 5 to 6 (#686)d73f6bcREADME.md: correct to actions/checkout@v6 (#683)ae252eeBump@βactions/cacheto v5 (#695)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)