Skip to content

chore(deps): bump actions/setup-go from 6 to 7#1277

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/setup-go-7
Open

chore(deps): bump actions/setup-go from 6 to 7#1277
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/setup-go-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/setup-go from 6 to 7.

Release notes

Sourced from actions/setup-go's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/setup-go@v6...v7.0.0

v6.5.0

What's Changed

Dependency update

New Contributors

Full Changelog: actions/setup-go@v6...v6.5.0

v6.4.0

What's Changed

Enhancement

Dependency update

Documentation update

New Contributors

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

What's Changed

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

What's Changed

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated automated workflows to use the latest Go setup action version.
    • Maintained existing Go version configuration, testing, coverage, SBOM, and publishing processes.

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6 to 7.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v6...v7)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 16, 2026
@openshift-ci
openshift-ci Bot requested review from alexeykazakov and fbm3307 July 16, 2026 12:32
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Walkthrough

GitHub Actions workflows now use actions/setup-go@v7 instead of @v6 across Go linting, SBOM generation, operator CD, E2E component publishing, and coverage jobs.

Changes

Go toolchain action updates

Layer / File(s) Summary
Update Go setup actions
.github/workflows/ci-golang-sbom.yml, .github/workflows/operator-cd.yml, .github/workflows/publish-components-for-e2e-tests.yml, .github/workflows/test-with-coverage.yml
Go installation steps are updated from actions/setup-go@v6 to actions/setup-go@v7 without changing workflow logic.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Suggested labels: dependencies

Suggested reviewers: fbm3307, matousjobanek

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely summarizes the main change: upgrading actions/setup-go from v6 to v7.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/setup-go-7

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/operator-cd.yml:
- Line 24: Disable caching on actions/setup-go@v7 and remove the explicit
actions/cache step in both publishing workflows:
.github/workflows/operator-cd.yml lines 24-34 and
.github/workflows/publish-components-for-e2e-tests.yml lines 56-66. Apply the
same change at each site, ensuring these artifact-publishing jobs do not restore
or share broad Go module caches.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c72d6d2d-391c-43bc-8f50-4ee7206d4c12

📥 Commits

Reviewing files that changed from the base of the PR and between f1b715f and 489f7f1.

📒 Files selected for processing (4)
  • .github/workflows/ci-golang-sbom.yml
  • .github/workflows/operator-cd.yml
  • .github/workflows/publish-components-for-e2e-tests.yml
  • .github/workflows/test-with-coverage.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • codeready-toolchain/registration-service (manual)
  • codeready-toolchain/member-operator (manual)
  • codeready-toolchain/api (manual)
  • codeready-toolchain/toolchain-common (manual) → reviewed against open PR #538 dependabot/github_actions/actions/setup-go-7 instead of the default branch
  • codeready-toolchain/host-operator (manual)
  • codeready-toolchain/toolchain-e2e (manual)
📜 Review details
⏰ Context from checks skipped due to timeout. (4)
  • GitHub Check: test
  • GitHub Check: GolangCI Lint
  • GitHub Check: govulncheck
  • GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/test-with-coverage.yml

[error] 22-22: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

.github/workflows/ci-golang-sbom.yml

[error] 21-21: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)


[error] 45-45: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

.github/workflows/operator-cd.yml

[error] 24-24: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

🔀 Multi-repo context codeready-toolchain/toolchain-common, codeready-toolchain/member-operator, codeready-toolchain/api, codeready-toolchain/toolchain-e2e, codeready-toolchain/registration-service

Linked repositories findings

codeready-toolchain/toolchain-common

  • On the checked-out branch for PR #538 (51f14d2), workflows already use actions/setup-go@v7 with the same go-version-file: go.mod configuration in test-with-coverage.yml:22-24, verify-dependencies.yml:17-19, and linters.yml:21-23. [::codeready-toolchain/toolchain-common::]

Other linked repositories

  • member-operator, api, and toolchain-e2e still use actions/setup-go@v6 with go-version-file: go.mod; no changed API or shared contract is involved. [::codeready-toolchain/member-operator::] [::codeready-toolchain/api::] [::codeready-toolchain/toolchain-e2e::]
  • registration-service retains actions/cache@v5 in its caching workflows; the PR only changes setup-go, so cache configuration is unaffected. [::codeready-toolchain/registration-service::]
🔇 Additional comments (2)
.github/workflows/ci-golang-sbom.yml (1)

21-21: LGTM!

Also applies to: 45-45

.github/workflows/test-with-coverage.yml (1)

22-22: LGTM!


- name: Install Go
uses: actions/setup-go@v6
uses: actions/setup-go@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

for f in .github/workflows/operator-cd.yml .github/workflows/publish-components-for-e2e-tests.yml; do
  echo "===== $f ====="
  nl -ba "$f" | sed -n '1,220p'
  echo
done

Repository: codeready-toolchain/host-operator

Length of output: 257


🏁 Script executed:

#!/bin/bash
set -euo pipefail

for f in .github/workflows/operator-cd.yml .github/workflows/publish-components-for-e2e-tests.yml; do
  echo "===== $f ====="
  sed -n '1,220p' "$f" | cat -n
  echo
done

Repository: codeready-toolchain/host-operator

Length of output: 6216


🌐 Web query:

actions/setup-go@v7 caching default go-version-file cache false documentation

💡 Result:

In actions/setup-go, including the v7 release, caching is enabled by default [1][2][3]. To disable caching, you must explicitly set the cache input to false (i.e., cache: false) [1][4][3]. Regarding your specific configuration questions: 1. Caching Behavior: The action provides built-in caching for Go modules and build outputs [1][2]. If caching is enabled, the action automatically attempts to find a dependency file in the repository root to generate a cache key [1][2]. 2. Default Dependency File: As of recent updates (introduced in v6.3.0), the action defaults to using go.mod as the dependency file for the cache key [2][5][6]. Previously, it defaulted to go.sum [7][6]. 3. Interaction with go-version-file: The go-version-file input is used to specify the file from which the action should detect the Go version (e.g., go.mod,.go-version, or.tool-versions) [1][2]. This is distinct from the cache-dependency-path input, which is used to specify which file(s) (like go.mod or go.sum) should trigger cache invalidation [1][2]. If you need to use a specific file for caching that differs from the default, or if your dependencies are in a subdirectory, you can use the cache-dependency-path input [1][2][3]. If the action encounters issues while caching, it will issue a warning in the logs and continue the workflow execution [7][3].

Citations:


🏁 Script executed (no clone):

#!/bin/bash
set -euo pipefail

tmp=$(mktemp -d)
cd "$tmp"

curl -Ls https://raw.githubusercontent.com/actions/setup-go/v7/README.md -o setup-go-README.md

echo "===== cache-related lines ====="
grep -n -i -E 'cache|go-version-file|cache-dependency-path' setup-go-README.md | head -n 80

echo
echo "===== surrounding excerpt ====="
grep -n -i -A4 -B4 -E 'cache|go-version-file' setup-go-README.md | head -n 120

Length of output: 5182


Avoid shared Go caches in these publishing workflows

actions/setup-go@v7 now caches by default, and both jobs also restore ~/go/pkg/mod with a broad restore-keys fallback. In these artifact-publishing paths, disable setup-go caching (cache: false) and remove the explicit actions/cache step, or scope caching to trusted branches only.

  • .github/workflows/operator-cd.yml#L24-L34
  • .github/workflows/publish-components-for-e2e-tests.yml#L56-L66
🧰 Tools
🪛 zizmor (1.26.1)

[error] 24-24: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

📍 Affects 2 files
  • .github/workflows/operator-cd.yml#L24-L24 (this comment)
  • .github/workflows/publish-components-for-e2e-tests.yml#L56-L56
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/operator-cd.yml at line 24, Disable caching on
actions/setup-go@v7 and remove the explicit actions/cache step in both
publishing workflows: .github/workflows/operator-cd.yml lines 24-34 and
.github/workflows/publish-components-for-e2e-tests.yml lines 56-66. Apply the
same change at each site, ensuring these artifact-publishing jobs do not restore
or share broad Go module caches.

Source: Linters/SAST tools

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, dependabot[bot], rajivnathan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [alexeykazakov,rajivnathan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@alexeykazakov

Copy link
Copy Markdown
Contributor

/ok-to-test

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code ok-to-test

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants