Skip to content

build(deps): bump actions/setup-go from 6 to 7#1299

Merged
alexeykazakov merged 1 commit into
masterfrom
dependabot/github_actions/actions/setup-go-7
Jul 16, 2026
Merged

build(deps): bump actions/setup-go from 6 to 7#1299
alexeykazakov merged 1 commit into
masterfrom
dependabot/github_actions/actions/setup-go-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/setup-go from 6 to 7.

Release notes

Sourced from actions/setup-go's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/setup-go@v6...v7.0.0

v6.5.0

What's Changed

Dependency update

New Contributors

Full Changelog: actions/setup-go@v6...v6.5.0

v6.4.0

What's Changed

Enhancement

Dependency update

Documentation update

New Contributors

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

What's Changed

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

What's Changed

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated the Go setup used by continuous integration and end-to-end test publishing workflows.
    • Maintained existing workflow triggers and pipeline behavior.

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6 to 7.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v6...v7)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 16, 2026
@openshift-ci
openshift-ci Bot requested review from fbm3307 and metlos July 16, 2026 13:12
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Walkthrough

GitHub Actions workflows update their Go toolchain setup action from actions/setup-go@v6 to actions/setup-go@v7 for linting, unit tests, and end-to-end publishing.

Changes

Go setup action upgrade

Layer / File(s) Summary
Update Go setup actions
.github/workflows/ci-build.yml, .github/workflows/publish-components-for-e2e-tests.yml
The golangci, unit-tests, and end-to-end publishing jobs switch from actions/setup-go@v6 to actions/setup-go@v7.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: fbm3307

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: upgrading actions/setup-go from v6 to v7.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/setup-go-7

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Around line 58-60: Disable setup-go caching in the publish-components workflow
by setting the cache option to false in the actions/setup-go configuration. Also
update the adjacent explicit cache step to restore only or restrict cache saves
to trusted refs, ensuring PR-controlled code cannot persist cache data.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 6aa9eba4-9c83-4c75-be9a-8c0631aa8223

📥 Commits

Reviewing files that changed from the base of the PR and between 016a456 and 59cbc35.

📒 Files selected for processing (2)
  • .github/workflows/ci-build.yml
  • .github/workflows/publish-components-for-e2e-tests.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

📜 Review details
⏰ Context from checks skipped due to timeout. (3)
  • GitHub Check: GolangCI Lint
  • GitHub Check: govulncheck
  • GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/ci-build.yml

[error] 21-21: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)


[error] 41-41: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

🔇 Additional comments (1)
.github/workflows/ci-build.yml (1)

21-23: LGTM!

Also applies to: 41-43

Comment on lines +58 to 60
uses: actions/setup-go@v7
with:
go-version-file: go.mod

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable cache writes in this privileged PR workflow.

This job runs under pull_request_target while checking out PR-controlled code. setup-go caches Go modules and build outputs by default, so cache data derived from the untrusted checkout can be persisted for later runs. (github.com)

Set cache: false here, and make the explicit cache step at Lines 62-68 restore-only or gate cache saves to trusted refs.

Proposed fix
       uses: actions/setup-go@v7
       with:
         go-version-file: go.mod
+        cache: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/setup-go@v7
with:
go-version-file: go.mod
uses: actions/setup-go@v7
with:
go-version-file: go.mod
cache: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-components-for-e2e-tests.yml around lines 58 - 60,
Disable setup-go caching in the publish-components workflow by setting the cache
option to false in the actions/setup-go configuration. Also update the adjacent
explicit cache step to restore only or restrict cache saves to trusted refs,
ensuring PR-controlled code cannot persist cache data.

Source: Linters/SAST tools

@rajivnathan

Copy link
Copy Markdown
Contributor

/ok-to-test

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, dependabot[bot], rajivnathan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [alexeykazakov,rajivnathan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@alexeykazakov
alexeykazakov merged commit 3e6eab6 into master Jul 16, 2026
8 of 10 checks passed
@alexeykazakov
alexeykazakov deleted the dependabot/github_actions/actions/setup-go-7 branch July 16, 2026 20:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code ok-to-test

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants