setup-go does not pick up recent Go version leading to create vulnerable builds

[szuecs]

Description:

The setup-go runs build with outdated Go version, even if there is a security vulnerability reported.
For us setup-go ran with Go-1.21.1 instead of Go-1.21.3.

Action version:
Specify the action version

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Tools version:

latest release: 93397be
latest commit in main: bfd2fb3

both have the issue.

Repro steps:

https://github.com/zalando/skipper/actions/runs/6536557643/job/17748524812#step:4:5

Expected behavior:

Invalidate the cache and run Go-1.21.3, once there is a new release of the Go runtime.

Actual behavior:

Run actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
Setup go version spec ^1.20
Found in cache @ /opt/hostedtoolcache/go/1.21.1/x64
Added go to the path
Successfully set up Go version ^1.20
/opt/hostedtoolcache/go/1.21.1/x64/bin/go env GOMODCACHE
/opt/hostedtoolcache/go/1.21.1/x64/bin/go env GOCACHE
/home/runner/go/pkg/mod
/home/runner/.cache/go-build
Cache is not found
go version go1.21.1 linux/amd64

Work around

zalando/skipper#2688
set check-latest: true, which leads to:

Run go version
go version go1.21.3 linux/amd64

[dusan-trickovic]

Hello, @szuecs! Thank you for creating this issue, we will investigate it further and see what can be done :)

[dsame]

hello @szuecs ,

This is expected behaviour. According to the README

The action will first check the local cache for a version match. If a version is not found locally ...

Checking for the other path versions would have unacceptably slowed down the builds. However, if it is critical to check setup-go for the most recent version, use the check-latest input.

Alternatively, it is possible to set the desired version with the go-version input.

Did it help?

[szuecs]

@dsame the unexpected thing is the ttl. I would expect that either on change caches are invalidated or every time duration like every hour or every day.

My example showed 1.21 and recent version was 1.23 so there are weeks in between....

[adamdecaf]

Is there something we could do to help get go-versions updated more often? We see this with every release.

Example: actions/go-versions#94 is g2g but hasn't been merged yet.

[dmitry-shibanov]

Hello everyone. For now I'm going to close the issue because the behaviour of the action was described in the comment. The toolcache directory is updated during new images rollout and you can use check-latest: true to install Go from go-versions repository.

[adamdecaf]

Is there anything we can do to help merge PR's to go-versions? At $day_job we've had build failures for a few hours while waiting on a merge to go-versions. go-versions also does not have an issue tracker, so that's why I'm replying here.