ci: lint with go vet, pin Go from go.mod#21
Conversation
The build was failing on every PR: golangci-lint (latest, built on go1.24) refuses to lint a module targeting go1.25, and setup-go was pinned to a stale 1.23.0. Switch the lint step to `go vet` (matching the Makefile/AGENTS.md lint command) and read the Go version from go.mod so it can't drift again. Bump the deprecated actions/cache@v3 to v4. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XmZfFD3t4UYB7TKstGj8QP
📝 WalkthroughWalkthroughUpdates the Go GitHub Actions workflow: bumps ChangesCI Workflow Update
Estimated code review effort: 1 (Trivial) | ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/go.yml:
- Line 24: The workflow uses unpinned GitHub Actions references, so update both
actions/cache and actions/setup-go in the go workflow to be pinned to specific
commit SHAs instead of version tags. Follow the existing actions/checkout
pattern in the same file by replacing the tag-based references with SHA-pinned
ones and adding the version comment convention used in the repo. Focus on the
cache and Go setup steps so the workflow remains functionally the same while
satisfying the supply-chain hardening rule.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 02cc8fb5-0cfe-42e1-9f6d-684e15645a5e
📒 Files selected for processing (1)
.github/workflows/go.yml
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
- GitHub Check: build
🧰 Additional context used
🪛 zizmor (1.26.1)
.github/workflows/go.yml
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔇 Additional comments (1)
.github/workflows/go.yml (1)
34-39: LGTM!
|
|
||
| - name: Cache Go modules | ||
| uses: actions/cache@v3 | ||
| uses: actions/cache@v4 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | 💤 Low value
Pin actions to a commit SHA for supply-chain hardening.
zizmor flags both actions/cache@v4 and actions/setup-go@v5 as unpinned. Tag references can be moved/re-tagged; pinning to a commit SHA (with a version comment) is the recommended hardening practice. This mirrors the existing actions/checkout@v4 pattern in the file, so it's a repo-wide convention rather than a new regression, but worth addressing given the blanket policy the linter is enforcing.
🔒 Example of SHA-pinning
- uses: actions/cache@v4
+ uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf22 # v4.2.0- uses: actions/setup-go@v5
+ uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0Also applies to: 34-34
🧰 Tools
🪛 zizmor (1.26.1)
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/go.yml at line 24, The workflow uses unpinned GitHub
Actions references, so update both actions/cache and actions/setup-go in the go
workflow to be pinned to specific commit SHAs instead of version tags. Follow
the existing actions/checkout pattern in the same file by replacing the
tag-based references with SHA-pinned ones and adding the version comment
convention used in the repo. Focus on the cache and Go setup steps so the
workflow remains functionally the same while satisfying the supply-chain
hardening rule.
Source: Linters/SAST tools
Why
Every PR (including Dependabot #20) has been failing its
buildcheck — but not because of the change. The lint step dies with:golangci-lint-action@v4 + version: latestinstalls a linter built on go1.24, which refuses to lint a module targeting go 1.25, andsetup-gowas pinned to a stale 1.23.0.What
golangci-lintstep withgo vet ./...— matches themake lintcommand documented in the Makefile/AGENTS.md, and removes the linter-vs-Go-version treadmill.go.mod(go-version-file) so it can't drift again.actions/cache@v3→v4.Verified locally (go1.25.0)
go build,go test -race, andgo vetall pass.Unblocks #20.
Summary by CodeRabbit