github/workflows: Use Go version in go.mod rather than static version

[echarrod]

Update GitHub Actions workflow to use standardized Go versions ['1.24', '1'] instead of ['1.23', '1'].

This change:

• Uses Go 1.24 as the specific version for testing
• Uses Go '1' to always test against the latest stable version
• Removes older Go version (1.23) that is no longer needed

Summary by CodeRabbit

• Chores
  • Continuous integration now derives the Go version directly from the project configuration, ensuring the build environment always matches the declared toolchain and reducing maintenance overhead.
  • Test pipelines have been updated to run against the latest supported Go versions, improving coverage and compatibility signalling across environments.
  • Overall CI reliability is enhanced with more consistent version management, enabling smoother upgrades and reducing the risk of version drift between local development and automated workflows.

[coderabbitai]

Warning

Rate limit exceeded

@echarrod has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 8 minutes and 8 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between a48667d and 26265d7.

📒 Files selected for processing (2)

• .github/workflows/sonar.yml (1 hunks)
• .github/workflows/test.yml (2 hunks)

Walkthrough

The Sonar workflow now sets the Go version by reading from go.mod using go-version-file instead of a hard-coded 1.24. The Test workflow updates its Go matrix to use Go 1.24 (and 1). No other steps or commands were changed in these workflows.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• go: Update to 1.24 #32 — Also aligns CI with go.mod by setting Go 1.24 and adjusting the CI matrix, mirroring the workflow updates here.

Suggested reviewers

• ScaleneZA
• wesrobin
• andrewwormald
• wenkanglu
• adamhicks

Poem

I thump my paws on CI ground,
Go hops from 1.23 to 1.24 around.
Sonar sniffs go.mod to know,
Which burrowed version we should grow.
Pipelines hum, carrots high—
Green checks sprout beneath the sky! 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "github/workflows: Use Go version in go.mod rather than static version" is concise and accurately reflects a primary change in the diff—switching the Sonar workflow to read the Go version from go.mod instead of using a hard-coded value—and aligns with the PR objectives to adjust workflow Go versions. It clearly identifies the area affected (github/workflows) and the intent (use go.mod for the Go version), making it easy for reviewers scanning history to understand the primary change. The title is specific and not vague or noisy.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[echarrod]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/test.yml (1)

32-36: Upgrade Actions and modernise dependency install.

• actions/setup-go@v1 and actions/checkout@v2 are outdated; align with v5 and v4 respectively (we already use v5 in sonar.yml).
• Prefer go mod download over go get -d in CI.

Apply this diff:

-    - name: Set up Go
-      uses: actions/setup-go@v1
+    - name: Set up Go
+      uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go }}
       id: go

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v4

     - name: Get dependencies
-      run: |
-        go get -v -t -d ./...
+      run: |
+        go mod download

Also applies to: 38-43

.github/workflows/sonar.yml (1)

9-13: Tighten default token permissions (defence in depth).

Set minimal permissions at workflow/job scope.

Apply one of:

 name: Sonar Report

 on:
   push:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
 
 jobs:
 
   build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest

Or at the top-level:

 name: Sonar Report
+permissions:
+  contents: read

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between aef53b3 and a48667d.

📒 Files selected for processing (2)

• .github/workflows/sonar.yml (1 hunks)
• .github/workflows/test.yml (2 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: echarrod
PR: luno/shift#32
File: .github/workflows/test.yml:18-18
Timestamp: 2025-05-01T10:01:27.992Z
Learning: In GitHub Actions with Go, using '1' as a version number refers to the latest stable version of Go 1.x (for example, 1.24 if that's the latest release). This allows workflows to automatically test against the latest version without explicitly updating version numbers.

📚 Learning: 2025-05-01T10:01:27.992Z

Learnt from: echarrod
PR: luno/shift#32
File: .github/workflows/test.yml:18-18
Timestamp: 2025-05-01T10:01:27.992Z
Learning: In GitHub Actions with Go, using '1' as a version number refers to the latest stable version of Go 1.x (for example, 1.24 if that's the latest release). This allows workflows to automatically test against the latest version without explicitly updating version numbers.

Applied to files:

• .github/workflows/sonar.yml

🪛 actionlint (1.7.7)

.github/workflows/test.yml

49-49: property access of object must be type of string but got "number"

(expression)

🪛 YAMLlint (1.37.1)

.github/workflows/test.yml

[error] 49-49: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (2)

.github/workflows/test.yml (1)

18-18: Matrix bump to Go 1.24 and latest looks good.

Using ['1.24', '1'] is aligned with our earlier guidance; '1' tracks the latest stable Go 1.x.

.github/workflows/sonar.yml (1)

30-30: Good switch to go-version-file.

Deriving Go from go.mod removes version drift between CI and the module.

Please confirm go.mod declares the intended Go version (e.g., go 1.24) so Sonar runs against the expected toolchain.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud