build(deps): bump actions/setup-go from 6 to 7#751
Conversation
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6 to 7. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v6...v7) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
|
Hi @dependabot[bot]. Thanks for your PR. I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
WalkthroughFour GitHub Actions workflows update their Go toolchain setup steps from ChangesGo Action Version Updates
Estimated code review effort: 1 (Trivial) | ~2 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
|
/ok-to-test |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Around line 54-56: Update the actions/setup-go configuration in the
publish-components workflow to set its cache option to false. Keep the existing
go-version-file setting and separate actions/cache step unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 2c36e3d1-9555-469c-8aea-cd8bd9249d35
📒 Files selected for processing (4)
.github/workflows/ci-golang-sbom.yml.github/workflows/operator-cd.yml.github/workflows/publish-components-for-e2e-tests.yml.github/workflows/test-with-coverage.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
codeready-toolchain/api(manual)codeready-toolchain/toolchain-common(manual) → reviewed against open PR#538dependabot/github_actions/actions/setup-go-7instead of the default branchcodeready-toolchain/host-operator(manual) → reviewed against open PR#1277dependabot/github_actions/actions/setup-go-7instead of the default branchcodeready-toolchain/toolchain-e2e(manual) → reviewed against open PR#1299dependabot/github_actions/actions/setup-go-7instead of the default branch
📜 Review details
⏰ Context from checks skipped due to timeout. (3)
- GitHub Check: test
- GitHub Check: GolangCI Lint
- GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/test-with-coverage.yml
[error] 22-22: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
.github/workflows/operator-cd.yml
[error] 24-24: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
.github/workflows/ci-golang-sbom.yml
[error] 21-21: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e
Linked repositories findings
codeready-toolchain/api
.github/workflows/ci-build.yml:21and.github/workflows/verify-dependencies.yml:17still useactions/setup-go@v6, unlike the reviewed change and the other repositories. This is a workflow-version inconsistency only; both workflows usego-version-file: go.mod.[::codeready-toolchain/api::]
codeready-toolchain/toolchain-common
- On the branch of open PR
#538, all observedsetup-gousages useactions/setup-go@v7, includingverify-dependencies.yml:17,test-with-coverage.yml:22, andlinters.yml:21. Each usesgo-version-file: go.mod.[::codeready-toolchain/toolchain-common::]
codeready-toolchain/host-operator
- On the branch of open PR
#1277, all observed usages in the workflows—including the four files changed by this PR—useactions/setup-go@v7andgo-version-file: go.mod.[::codeready-toolchain/host-operator::]
codeready-toolchain/toolchain-e2e
- On the branch of open PR
#1299, all observedsetup-gousages useactions/setup-go@v7, withgo-version-file: go.modin each occurrence.[::codeready-toolchain/toolchain-e2e::]
🔇 Additional comments (3)
.github/workflows/ci-golang-sbom.yml (1)
21-23: LGTM!.github/workflows/operator-cd.yml (1)
24-26: LGTM!.github/workflows/test-with-coverage.yml (1)
22-24: LGTM!
| uses: actions/setup-go@v7 | ||
| with: | ||
| go-version-file: go.mod |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "## Workflow trigger and setup-go context"
sed -n '1,220p' .github/workflows/publish-components-for-e2e-tests.yml
echo
echo "## Search for explicit setup-go cache settings in this repo"
rg -n "actions/setup-go@v7|actions/setup-go@v6|cache:\s*false|cache:\s*true" .github/workflows -nRepository: codeready-toolchain/member-operator
Length of output: 4649
🏁 Script executed (no clone):
#!/bin/bash
set -euo pipefail
curl -Lfs https://raw.githubusercontent.com/actions/setup-go/v7/README.md | \
sed -n '1,220p' | \
rg -n "cache|default|false|true" -n
Length of output: 1503
Disable setup-go caching in this privileged workflow.
This pull_request_target/issue_comment job checks out PR-controlled code and already uses a separate actions/cache step for ~/go/pkg/mod; set cache: false on actions/setup-go so untrusted PR code can’t populate the extra Go module/build cache in a privileged run.
Proposed fix
with:
go-version-file: go.mod
+ cache: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/setup-go@v7 | |
| with: | |
| go-version-file: go.mod | |
| uses: actions/setup-go@v7 | |
| with: | |
| go-version-file: go.mod | |
| cache: false |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/publish-components-for-e2e-tests.yml around lines 54 - 56,
Update the actions/setup-go configuration in the publish-components workflow to
set its cache option to false. Keep the existing go-version-file setting and
separate actions/cache step unchanged.
Source: Linters/SAST tools
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: alexeykazakov, dependabot[bot], rajivnathan The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |



Bumps actions/setup-go from 6 to 7.
Release notes
Sourced from actions/setup-go's releases.
... (truncated)
Commits
b7ad1dachore(deps): bump@actions/cacheto 6.2.0 (#771)0778a10Migrate to ESM and upgrade dependencies (#763)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Summary by CodeRabbit