Skip to content

build(deps): bump actions/setup-go from 6 to 7#751

Merged
alexeykazakov merged 1 commit into
masterfrom
dependabot/github_actions/actions/setup-go-7
Jul 16, 2026
Merged

build(deps): bump actions/setup-go from 6 to 7#751
alexeykazakov merged 1 commit into
masterfrom
dependabot/github_actions/actions/setup-go-7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/setup-go from 6 to 7.

Release notes

Sourced from actions/setup-go's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/setup-go@v6...v7.0.0

v6.5.0

What's Changed

Dependency update

New Contributors

Full Changelog: actions/setup-go@v6...v6.5.0

v6.4.0

What's Changed

Enhancement

Dependency update

Documentation update

New Contributors

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

What's Changed

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

What's Changed

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated automated build, testing, linting, publishing, and deployment workflows to use the latest Go setup action version.
    • No changes to application functionality or workflow behavior.

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6 to 7.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v6...v7)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 16, 2026
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Walkthrough

Four GitHub Actions workflows update their Go toolchain setup steps from actions/setup-go@v6 to actions/setup-go@v7.

Changes

Go Action Version Updates

Layer / File(s) Summary
Update Go setup actions
.github/workflows/ci-golang-sbom.yml, .github/workflows/operator-cd.yml, .github/workflows/publish-components-for-e2e-tests.yml, .github/workflows/test-with-coverage.yml
Go installation steps now use actions/setup-go@v7 instead of actions/setup-go@v6.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: matousjobanek

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and accurately summarizes the main change: upgrading actions/setup-go from v6 to v7.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/actions/setup-go-7

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@rajivnathan

Copy link
Copy Markdown
Contributor

/ok-to-test

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish-components-for-e2e-tests.yml:
- Around line 54-56: Update the actions/setup-go configuration in the
publish-components workflow to set its cache option to false. Keep the existing
go-version-file setting and separate actions/cache step unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 2c36e3d1-9555-469c-8aea-cd8bd9249d35

📥 Commits

Reviewing files that changed from the base of the PR and between 96b779e and b56ad0e.

📒 Files selected for processing (4)
  • .github/workflows/ci-golang-sbom.yml
  • .github/workflows/operator-cd.yml
  • .github/workflows/publish-components-for-e2e-tests.yml
  • .github/workflows/test-with-coverage.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

📜 Review details
⏰ Context from checks skipped due to timeout. (3)
  • GitHub Check: test
  • GitHub Check: GolangCI Lint
  • GitHub Check: Build & push operator bundles & dashboard image for e2e tests
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/test-with-coverage.yml

[error] 22-22: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

.github/workflows/operator-cd.yml

[error] 24-24: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

.github/workflows/ci-golang-sbom.yml

[error] 21-21: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default

(cache-poisoning)

🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e

Linked repositories findings

codeready-toolchain/api

  • .github/workflows/ci-build.yml:21 and .github/workflows/verify-dependencies.yml:17 still use actions/setup-go@v6, unlike the reviewed change and the other repositories. This is a workflow-version inconsistency only; both workflows use go-version-file: go.mod. [::codeready-toolchain/api::]

codeready-toolchain/toolchain-common

  • On the branch of open PR #538, all observed setup-go usages use actions/setup-go@v7, including verify-dependencies.yml:17, test-with-coverage.yml:22, and linters.yml:21. Each uses go-version-file: go.mod. [::codeready-toolchain/toolchain-common::]

codeready-toolchain/host-operator

  • On the branch of open PR #1277, all observed usages in the workflows—including the four files changed by this PR—use actions/setup-go@v7 and go-version-file: go.mod. [::codeready-toolchain/host-operator::]

codeready-toolchain/toolchain-e2e

  • On the branch of open PR #1299, all observed setup-go usages use actions/setup-go@v7, with go-version-file: go.mod in each occurrence. [::codeready-toolchain/toolchain-e2e::]
🔇 Additional comments (3)
.github/workflows/ci-golang-sbom.yml (1)

21-23: LGTM!

.github/workflows/operator-cd.yml (1)

24-26: LGTM!

.github/workflows/test-with-coverage.yml (1)

22-24: LGTM!

Comment on lines +54 to 56
uses: actions/setup-go@v7
with:
go-version-file: go.mod

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "## Workflow trigger and setup-go context"
sed -n '1,220p' .github/workflows/publish-components-for-e2e-tests.yml

echo
echo "## Search for explicit setup-go cache settings in this repo"
rg -n "actions/setup-go@v7|actions/setup-go@v6|cache:\s*false|cache:\s*true" .github/workflows -n

Repository: codeready-toolchain/member-operator

Length of output: 4649


🏁 Script executed (no clone):

#!/bin/bash
set -euo pipefail

curl -Lfs https://raw.githubusercontent.com/actions/setup-go/v7/README.md | \
  sed -n '1,220p' | \
  rg -n "cache|default|false|true" -n

Length of output: 1503


Disable setup-go caching in this privileged workflow.

This pull_request_target/issue_comment job checks out PR-controlled code and already uses a separate actions/cache step for ~/go/pkg/mod; set cache: false on actions/setup-go so untrusted PR code can’t populate the extra Go module/build cache in a privileged run.

Proposed fix
       with:
         go-version-file: go.mod
+        cache: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/setup-go@v7
with:
go-version-file: go.mod
uses: actions/setup-go@v7
with:
go-version-file: go.mod
cache: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-components-for-e2e-tests.yml around lines 54 - 56,
Update the actions/setup-go configuration in the publish-components workflow to
set its cache option to false. Keep the existing go-version-file setting and
separate actions/cache step unchanged.

Source: Linters/SAST tools

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, dependabot[bot], rajivnathan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [alexeykazakov,rajivnathan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@alexeykazakov
alexeykazakov merged commit dfa7900 into master Jul 16, 2026
9 of 11 checks passed
@alexeykazakov
alexeykazakov deleted the dependabot/github_actions/actions/setup-go-7 branch July 16, 2026 20:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code ok-to-test

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants