setup-go does not pick up recent Go version leading to create vulnerable builds #434
Comments
Hello, @szuecs! Thank you for creating this issue, we will investigate it further and see what can be done :)
Hello @szuecs, this is expected behaviour. According to the README
Checking for the other path versions would have unacceptably slowed down the builds. However, if it is critical to check setup-go for the most recent version, use the check-latest input. Alternatively, it is possible to set the desired version with the Did it help?
@dsame the unexpected thing is the ttl. I would expect that either on change caches are invalidated or every time duration like every hour or every day. My example showed 1.21 and recent version was 1.23 so there are weeks in between....
Is there something we could do to help get go-versions updated more often? We see this with every release. Example: actions/go-versions#94 is g2g but hasn't been merged yet.
Hello everyone. For now I'm going to close the issue because the behaviour of the action was described in the comment. The toolcache directory is updated during new images rollout and you can use
Is there anything we can do to help merge PRs to go-versions? At $day_job we've had build failures for a few hours while waiting on a merge to go-versions. go-versions also does not have an issue tracker, so that's why I'm replying here.
Description:
The setup-go runs build with outdated Go version, even if there is a security vulnerability reported.
For us setup-go ran with Go-1.21.1 instead of Go-1.21.3.
Action version:
Specify the action version
Platform:
Runner type:
Tools version:
latest release: 93397be
latest commit in main: bfd2fb3
both have the issue.
Repro steps:
https://github.com/zalando/skipper/actions/runs/6536557643/job/17748524812#step:4:5
Expected behavior:
Invalidate the cache and run Go-1.21.3, once there is a new release of the Go runtime.
Actual behavior:
Work around
zalando/skipper#2688
set check-latest: true, which leads to:
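A CI guard for the situation reported in this issue, as an added example that is not part of the thread or of setup-go: it reports when the toolchain in use is behind the newest patch release of its own minor line, comparing patch numbers numerically. The function names and the release list are assumptions; the list is a constructed sample.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parse turns "go1.21.3" (or "1.21.3") into [major, minor, patch]; a missing patch is 0.
func parse(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unexpected version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// newerPatch returns the highest release in the same major.minor line as
// installed when it is newer than installed, or "" when installed is current.
func newerPatch(installed string, releases []string) (string, error) {
	cur, err := parse(installed)
	if err != nil {
		return "", err
	}
	best, bestName := cur, ""
	for _, r := range releases {
		v, err := parse(r)
		if err != nil {
			continue // skip pre-releases such as "go1.22rc1"
		}
		if v[0] == cur[0] && v[1] == cur[1] && v[2] > best[2] {
			best, bestName = v, r
		}
	}
	return bestName, nil
}

func main() {
	// Constructed sample list; a real job would load the published release list
	// and take the installed version from `go env GOVERSION`.
	releases := []string{"go1.20.10", "go1.21.1", "go1.21.2", "go1.21.3", "go1.22rc1"}
	newer, err := newerPatch("go1.21.1", releases)
	fmt.Println(newer, err) // a non-empty result means the build toolchain is stale
}
```

Run as a step after setup-go, a non-empty result can fail the job so a stale cached toolchain is noticed instead of silently producing the build.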