chore(deps): bump actions/setup-go from 6 to 7#1277
Conversation
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6 to 7. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v6...v7) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
|
Hi @dependabot[bot]. Thanks for your PR. I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
WalkthroughGitHub Actions workflows now use ChangesGo toolchain action updates
Estimated code review effort: 1 (Trivial) | ~3 minutes Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/operator-cd.yml:
- Line 24: Disable caching on actions/setup-go@v7 and remove the explicit
actions/cache step in both publishing workflows:
.github/workflows/operator-cd.yml lines 24-34 and
.github/workflows/publish-components-for-e2e-tests.yml lines 56-66. Apply the
same change at each site, ensuring these artifact-publishing jobs do not restore
or share broad Go module caches.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: c72d6d2d-391c-43bc-8f50-4ee7206d4c12
📒 Files selected for processing (4)
.github/workflows/ci-golang-sbom.yml.github/workflows/operator-cd.yml.github/workflows/publish-components-for-e2e-tests.yml.github/workflows/test-with-coverage.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
codeready-toolchain/registration-service(manual)codeready-toolchain/member-operator(manual)codeready-toolchain/api(manual)codeready-toolchain/toolchain-common(manual) → reviewed against open PR#538dependabot/github_actions/actions/setup-go-7instead of the default branchcodeready-toolchain/host-operator(manual)codeready-toolchain/toolchain-e2e(manual)
📜 Review details
⏰ Context from checks skipped due to timeout. (4)
- GitHub Check: test
- GitHub Check: GolangCI Lint
- GitHub Check: govulncheck
- GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/test-with-coverage.yml
[error] 22-22: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
.github/workflows/ci-golang-sbom.yml
[error] 21-21: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
[error] 45-45: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
.github/workflows/operator-cd.yml
[error] 24-24: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
🔀 Multi-repo context codeready-toolchain/toolchain-common, codeready-toolchain/member-operator, codeready-toolchain/api, codeready-toolchain/toolchain-e2e, codeready-toolchain/registration-service
Linked repositories findings
codeready-toolchain/toolchain-common
- On the checked-out branch for PR
#538(51f14d2), workflows already useactions/setup-go@v7with the samego-version-file: go.modconfiguration intest-with-coverage.yml:22-24,verify-dependencies.yml:17-19, andlinters.yml:21-23. [::codeready-toolchain/toolchain-common::]
Other linked repositories
member-operator,api, andtoolchain-e2estill useactions/setup-go@v6withgo-version-file: go.mod; no changed API or shared contract is involved. [::codeready-toolchain/member-operator::] [::codeready-toolchain/api::] [::codeready-toolchain/toolchain-e2e::]registration-serviceretainsactions/cache@v5in its caching workflows; the PR only changessetup-go, so cache configuration is unaffected. [::codeready-toolchain/registration-service::]
🔇 Additional comments (2)
.github/workflows/ci-golang-sbom.yml (1)
21-21: LGTM!Also applies to: 45-45
.github/workflows/test-with-coverage.yml (1)
22-22: LGTM!
|
|
||
| - name: Install Go | ||
| uses: actions/setup-go@v6 | ||
| uses: actions/setup-go@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
for f in .github/workflows/operator-cd.yml .github/workflows/publish-components-for-e2e-tests.yml; do
echo "===== $f ====="
nl -ba "$f" | sed -n '1,220p'
echo
doneRepository: codeready-toolchain/host-operator
Length of output: 257
🏁 Script executed:
#!/bin/bash
set -euo pipefail
for f in .github/workflows/operator-cd.yml .github/workflows/publish-components-for-e2e-tests.yml; do
echo "===== $f ====="
sed -n '1,220p' "$f" | cat -n
echo
doneRepository: codeready-toolchain/host-operator
Length of output: 6216
🌐 Web query:
actions/setup-go@v7 caching default go-version-file cache false documentation
💡 Result:
In actions/setup-go, including the v7 release, caching is enabled by default [1][2][3]. To disable caching, you must explicitly set the cache input to false (i.e., cache: false) [1][4][3]. Regarding your specific configuration questions: 1. Caching Behavior: The action provides built-in caching for Go modules and build outputs [1][2]. If caching is enabled, the action automatically attempts to find a dependency file in the repository root to generate a cache key [1][2]. 2. Default Dependency File: As of recent updates (introduced in v6.3.0), the action defaults to using go.mod as the dependency file for the cache key [2][5][6]. Previously, it defaulted to go.sum [7][6]. 3. Interaction with go-version-file: The go-version-file input is used to specify the file from which the action should detect the Go version (e.g., go.mod,.go-version, or.tool-versions) [1][2]. This is distinct from the cache-dependency-path input, which is used to specify which file(s) (like go.mod or go.sum) should trigger cache invalidation [1][2]. If you need to use a specific file for caching that differs from the default, or if your dependencies are in a subdirectory, you can use the cache-dependency-path input [1][2][3]. If the action encounters issues while caching, it will issue a warning in the logs and continue the workflow execution [7][3].
Citations:
- 1: https://github.com/actions/setup-go/blob/main/README.md
- 2: https://github.com/actions/setup-go/tree/v6.3.0
- 3: https://github.com/actions/setup-go/blob/4a360112/README.md
- 4: https://github.com/actions/setup-go
- 5: Update default Go module caching to use go.mod actions/setup-go#705
- 6: actions/setup-go@v6.2.0...v6.3.0
- 7: https://github.com/actions/setup-go/blob/fdc0d672a12b8fc05ef4c549c3fd5b0f03ebeb4c/README.md
🏁 Script executed (no clone):
#!/bin/bash
set -euo pipefail
tmp=$(mktemp -d)
cd "$tmp"
curl -Ls https://raw.githubusercontent.com/actions/setup-go/v7/README.md -o setup-go-README.md
echo "===== cache-related lines ====="
grep -n -i -E 'cache|go-version-file|cache-dependency-path' setup-go-README.md | head -n 80
echo
echo "===== surrounding excerpt ====="
grep -n -i -A4 -B4 -E 'cache|go-version-file' setup-go-README.md | head -n 120
Length of output: 5182
Avoid shared Go caches in these publishing workflows
actions/setup-go@v7 now caches by default, and both jobs also restore ~/go/pkg/mod with a broad restore-keys fallback. In these artifact-publishing paths, disable setup-go caching (cache: false) and remove the explicit actions/cache step, or scope caching to trusted branches only.
.github/workflows/operator-cd.yml#L24-L34.github/workflows/publish-components-for-e2e-tests.yml#L56-L66
🧰 Tools
🪛 zizmor (1.26.1)
[error] 24-24: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
📍 Affects 2 files
.github/workflows/operator-cd.yml#L24-L24(this comment).github/workflows/publish-components-for-e2e-tests.yml#L56-L56
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/operator-cd.yml at line 24, Disable caching on
actions/setup-go@v7 and remove the explicit actions/cache step in both
publishing workflows: .github/workflows/operator-cd.yml lines 24-34 and
.github/workflows/publish-components-for-e2e-tests.yml lines 56-66. Apply the
same change at each site, ensuring these artifact-publishing jobs do not restore
or share broad Go module caches.
Source: Linters/SAST tools
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexeykazakov, dependabot[bot], rajivnathan The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/ok-to-test |



Bumps actions/setup-go from 6 to 7.
Release notes
Sourced from actions/setup-go's releases.
... (truncated)
Commits
b7ad1dachore(deps): bump@actions/cacheto 6.2.0 (#771)0778a10Migrate to ESM and upgrade dependencies (#763)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Summary by CodeRabbit