build(deps): bump actions/setup-go from 6 to 7#1299
Conversation
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6 to 7. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v6...v7) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
WalkthroughGitHub Actions workflows update their Go toolchain setup action from ChangesGo setup action upgrade
Estimated code review effort: 1 (Trivial) | ~2 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Around line 58-60: Disable setup-go caching in the publish-components workflow
by setting the cache option to false in the actions/setup-go configuration. Also
update the adjacent explicit cache step to restore only or restrict cache saves
to trusted refs, ensuring PR-controlled code cannot persist cache data.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 6aa9eba4-9c83-4c75-be9a-8c0631aa8223
📒 Files selected for processing (2)
.github/workflows/ci-build.yml.github/workflows/publish-components-for-e2e-tests.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
codeready-toolchain/api(manual)codeready-toolchain/toolchain-common(manual) → reviewed against open PR#538dependabot/github_actions/actions/setup-go-7instead of the default branchcodeready-toolchain/host-operator(manual) → reviewed against open PR#1277dependabot/github_actions/actions/setup-go-7instead of the default branchcodeready-toolchain/toolchain-e2e(manual)
📜 Review details
⏰ Context from checks skipped due to timeout. (3)
- GitHub Check: GolangCI Lint
- GitHub Check: govulncheck
- GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/ci-build.yml
[error] 21-21: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
[error] 41-41: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
🔇 Additional comments (1)
.github/workflows/ci-build.yml (1)
21-23: LGTM!Also applies to: 41-43
| uses: actions/setup-go@v7 | ||
| with: | ||
| go-version-file: go.mod |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Disable cache writes in this privileged PR workflow.
This job runs under pull_request_target while checking out PR-controlled code. setup-go caches Go modules and build outputs by default, so cache data derived from the untrusted checkout can be persisted for later runs. (github.com)
Set cache: false here, and make the explicit cache step at Lines 62-68 restore-only or gate cache saves to trusted refs.
Proposed fix
uses: actions/setup-go@v7
with:
go-version-file: go.mod
+ cache: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/setup-go@v7 | |
| with: | |
| go-version-file: go.mod | |
| uses: actions/setup-go@v7 | |
| with: | |
| go-version-file: go.mod | |
| cache: false |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/publish-components-for-e2e-tests.yml around lines 58 - 60,
Disable setup-go caching in the publish-components workflow by setting the cache
option to false in the actions/setup-go configuration. Also update the adjacent
explicit cache step to restore only or restrict cache saves to trusted refs,
ensuring PR-controlled code cannot persist cache data.
Source: Linters/SAST tools
|
/ok-to-test |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexeykazakov, dependabot[bot], rajivnathan The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |



Bumps actions/setup-go from 6 to 7.
Release notes
Sourced from actions/setup-go's releases.
... (truncated)
Commits
b7ad1dachore(deps): bump@actions/cacheto 6.2.0 (#771)0778a10Migrate to ESM and upgrade dependencies (#763)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Summary by CodeRabbit