
Upgrade: Bump actions/setup-go from 5.0.2 to 5.1.0#191

Merged
santoshkal merged 1 commit into pre-main from dependabot/github_actions/pre-main/actions/setup-go-5.1.0 on Oct 24, 2024

Conversation

@dependabot dependabot Bot commented on behalf of github Oct 24, 2024

Bumps actions/setup-go from 5.0.2 to 5.1.0.

Release notes

Sourced from actions/setup-go's releases.

v5.1.0

What's Changed

Bug Fixes

New Contributors

Full Changelog: actions/setup-go@v5...v5.1.0

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.2 to 5.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@0a12ed9...41dfa10)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) on Oct 24, 2024
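The bump above moves a GitHub Action from one version tag to the next. A tag such as v5.1.0 is a mutable pointer that the action's maintainer (or anyone who compromises that repository) can re-point, which is why the usual supply-chain hardening for workflows is to pin every `uses:` entry to a full-length commit SHA and keep the version in a trailing comment, where Dependabot still reads it and keeps bumping the pin. The Go program below is an added example, not code from this repository or from Dependabot: it scans a workflow file for `uses:` entries and flags anything not pinned to a full SHA. The sample workflow is constructed for the example; its abbreviated SHA 41dfa10 is the new setup-go commit from this PR's compare link, and the 40-hex SHA in it is made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PinKind classifies how a `uses:` reference is pinned.
type PinKind int

const (
	PinFullSHA  PinKind = iota // full 40-hex commit SHA: immutable
	PinShortSHA                // abbreviated SHA: GitHub recommends the full-length form
	PinMutable                 // tag, branch or no ref at all: the maintainer can move it
	PinLocal                   // ./path or docker:// reference: outside this check's scope
)

func (k PinKind) String() string {
	return []string{"full-sha", "short-sha", "mutable", "local"}[k]
}

// ActionRef is one `uses:` entry found in a workflow file.
type ActionRef struct {
	Line    int
	Action  string // e.g. actions/setup-go
	Ref     string // text after '@', empty if absent
	Comment string // trailing "# ..." comment; Dependabot records the version tag here for SHA pins
	Kind    PinKind
}

var (
	// Matches `uses: owner/repo@ref` with optional quotes and an optional trailing comment.
	usesRe     = regexp.MustCompile(`^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(\S.*))?\s*$`)
	fullSHARe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
	shortSHARe = regexp.MustCompile(`^[0-9a-f]{7,39}$`)
)

func classify(ref string) PinKind {
	switch {
	case fullSHARe.MatchString(ref):
		return PinFullSHA
	case shortSHARe.MatchString(ref):
		return PinShortSHA
	default: // tags like v5 or v5.1.0, branches like main, or no ref (default branch)
		return PinMutable
	}
}

// ScanWorkflow does a line-oriented scan; a `uses:` value is always a single
// scalar, so a full YAML parser is not needed for this check.
func ScanWorkflow(workflow string) []ActionRef {
	var refs []ActionRef
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		r := ActionRef{Line: i + 1, Comment: strings.TrimSpace(m[2])}
		spec := m[1]
		if strings.HasPrefix(spec, "./") || strings.HasPrefix(spec, "docker://") {
			r.Action, r.Kind = spec, PinLocal
		} else {
			r.Action, r.Ref, _ = strings.Cut(spec, "@")
			r.Kind = classify(r.Ref)
		}
		refs = append(refs, r)
	}
	return refs
}

// Unpinned returns the entries a reviewer should flag: anything that can be
// re-pointed without a change to this repository.
func Unpinned(refs []ActionRef) []ActionRef {
	var out []ActionRef
	for _, r := range refs {
		if r.Kind == PinShortSHA || r.Kind == PinMutable {
			out = append(out, r)
		}
	}
	return out
}

// sampleWorkflow is a constructed input. 41dfa10 is the abbreviated setup-go
// commit from this PR's compare link; the 40-hex SHA is made up for illustration.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@41dfa10
        with:
          go-version: "1.22"
      - uses: "golangci/golangci-lint-action@0123456789abcdef0123456789abcdef01234567" # v6.1.1
      - uses: ./.github/actions/local-step
      - uses: aquasecurity/trivy-action@master
`

func main() {
	for _, r := range Unpinned(ScanWorkflow(sampleWorkflow)) {
		fmt.Printf("line %d: %s@%s is %s; pin to the full commit SHA and keep the version in a trailing comment so Dependabot can still bump it\n",
			r.Line, r.Action, r.Ref, r.Kind)
	}
}
```

Run it with `go run .` against a real `.github/workflows/*.yaml` by replacing the constant with the file contents. The heuristic is deliberately simple: a numeric-only tag of seven or more digits would be misread as a short SHA, which is the one misclassification it admits; everything else it flags is a reference GitHub will resolve to whatever the remote currently points at.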
@dryrunsecurity

DryRun Security Summary

The pull request focuses on improving the security and quality of the codebase by incorporating various static analysis and vulnerability scanning tools, updating the Go version, and integrating Cosign and Syft for container image signing and Software Bill of Materials (SBOM) generation.


Summary:

The changes in this pull request focus on improving the security and quality of the codebase by incorporating various static analysis and vulnerability scanning tools into the CI/CD pipeline. The key changes include updating the Go version used in the workflows, integrating Cosign and Syft for container image signing and Software Bill of Materials (SBOM) generation, and using up-to-date versions of the GitHub Actions used in the workflows.

These changes are positive from an application security perspective, as they help catch potential issues early in the development lifecycle, ensure the integrity and transparency of the released artifacts, and keep the project's dependencies up-to-date with the latest security fixes. The use of Cosign and Syft, in particular, is a notable security enhancement, as it helps mitigate risks related to supply chain attacks.

Overall, the changes in this pull request demonstrate a strong focus on improving the security and quality of the codebase, which is a crucial aspect of developing and maintaining a secure application.

Files Changed:

  1. .github/workflows/ci.yaml:

    • The version of the actions/setup-go action has been updated from v5 to v5.1.0.
    • The workflow includes steps for running the Trivy vulnerability scanner, the GolangCI-Lint tool, and the Dominikh Staticcheck tool, which help identify potential security vulnerabilities and maintain code quality.
    • The Go version used in the workflow has been updated from an unspecified version to Go 1.22, which is important for security as newer versions often include bug fixes and security patches.
  2. .github/workflows/release.yaml:

    • The Go version used for the build has been updated from 1.18 to 1.22, which is a minor version update and a good practice to keep dependencies up-to-date.
    • The workflow integrates the use of Cosign and Syft, which are tools for signing and verifying container images, and generating Software Bill of Materials (SBOM), respectively. This is a positive security practice that helps ensure the integrity and transparency of the released artifacts.
    • The workflow uses the GoReleaser tool to handle the release process, which is a common practice for automating Go project releases.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@santoshkal santoshkal merged commit 34daa92 into pre-main Oct 24, 2024
@dependabot dependabot Bot deleted the dependabot/github_actions/pre-main/actions/setup-go-5.1.0 branch October 24, 2024 15:48
