chore: upgrade and SHA-pin GitHub Actions dependencies #263
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Greptile Summary

This PR SHA-pins all GitHub Actions workflow dependencies to specific commit hashes and upgrades them to their latest versions, following supply chain security best practices. The changes are purely in CI/CD workflow files with no application code changes. All SHAs have been verified against their corresponding version tags.

Confidence Score: 5/5

Safe to merge: all SHA pins verified against upstream tags, no application code changed. All SHAs were independently verified against their upstream version tags. The only finding is a P2 note about a one-time cache miss from the setup-go v6 cache key change, which has no correctness impact. No blocking issues. No files require special attention.

| Filename | Overview |
|---|---|
| .github/workflows/ci.yml | SHA-pinned all actions and upgraded to latest: checkout@v6.0.2, setup-go@v6.4.0, setup-task@v2.0.0, setup-protoc@v3.0.0, golangci-lint-action@v9.2.0; all SHAs verified. |
| .github/workflows/release.yml | SHA-pinned checkout@v6.0.2, changelog-reader-action@v2.2.3, action-gh-release@v2.6.1; all SHAs verified. |
| .github/workflows/sync_specs.yaml | SHA-pinned checkout@v6.0.2, update-git-submodules upgraded from v2.1.1 to v2.1.3, setup-go@v6.4.0, setup-task@v2.0.0, setup-protoc@v3.0.0, create-pull-request@v8.1.0; all SHAs verified. |
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Push / PR Event] --> B{Workflow Triggered}
B --> C[ci.yml]
B --> D[release.yml]
B --> E[sync_specs.yaml]
C --> C1[build-examples job\ncheckout@v6.0.2\nsetup-go@v6.4.0\nsetup-task@v2.0.0\nsetup-protoc@v3.0.0]
C --> C2[test job\ncheckout@v6.0.2\nsetup-go@v6.4.0\nsetup-task@v2.0.0\nsetup-protoc@v3.0.0]
C --> C3[integration job\ncheckout@v6.0.2\nsetup-go@v6.4.0\nsetup-task@v2.0.0\nsetup-protoc@v3.0.0]
C --> C4[lint job\ncheckout@v6.0.2\nsetup-go@v6.4.0\ngolangci-lint-action@v9.2.0]
C --> C5[bento-integration job\ncheckout@v6.0.2\nsetup-go@v6.4.0]
D --> D1[release job\ncheckout@v6.0.2\nchangelog-reader-action@v2.2.3\naction-gh-release@v2.6.1]
E --> E1[sync job\ncheckout@v6.0.2\nupdate-git-submodules@v2.1.3\nsetup-go@v6.4.0\nsetup-task@v2.0.0\nsetup-protoc@v3.0.0\ncreate-pull-request@v8.1.0]
```
Comments Outside Diff (1)

.github/workflows/ci.yml, lines 47-50

**`actions/setup-go@v6` cache key breaking change**

`actions/setup-go@v6` changed the default cache key from `go.sum`-based to `go.mod`-based. Existing caches keyed on `go.sum` will miss on first run after this upgrade, causing a cold-cache build. This is a one-time cost and won't affect correctness, but worth being aware of if CI appears slower after merging.

Reviews (1): Last reviewed commit: "ci: upgrade and SHA-pin GitHub Actions"
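A checker for the property the review relies on (every external `uses:` pinned to a full commit SHA whose version comment matches the upstream tag), as an added example that is not part of PR #263 or the project's own code. The sample workflow, its all-zero SHAs, the `example-org/*` action names and the tag table are constructed; `resolve_with_git` is the network-backed resolver you would plug in instead of the table, built on `git ls-remote`, and is the only part that needs network access.

```python
"""Lint GitHub Actions workflows for verified SHA pins.

Added example, not code from PR #263 or the project. A tag such as `@v6`
is mutable (anyone who controls or compromises the upstream repo can move
it), a 40-hex commit SHA is not. GitHub never checks the `# vX.Y.Z` comment
next to a pin, so this script verifies it against a tag resolver itself.
Standard library only.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterator, Optional

# `- uses: owner/repo@ref   # v1.2.3` -> spec plus an optional version comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(v?\d[\w.\-]*))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# (owner/repo, tag) -> commit SHA, or None when the tag does not exist.
Resolver = Callable[[str, str], Optional[str]]


@dataclass(frozen=True)
class Finding:
    line: int
    action: str
    ref: str
    problem: str


def parse_uses(text: str) -> Iterator[tuple[int, str, str, Optional[str]]]:
    """Yield (line, owner/repo[/path], ref, version_comment) for GitHub-hosted actions."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group(1), m.group(2)
        # Local (./) and container (docker://) actions are not git refs; skip them.
        if spec.startswith(("./", "docker://")) or "@" not in spec:
            continue
        name, ref = spec.rsplit("@", 1)
        yield lineno, name, ref, comment


def lint(text: str, resolve: Optional[Resolver] = None) -> list[Finding]:
    """Return one Finding per `uses:` line that is not a verified SHA pin."""
    findings: list[Finding] = []
    for lineno, name, ref, comment in parse_uses(text):
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(lineno, name, ref, "ref is not a full commit SHA"))
        elif comment is None:
            findings.append(Finding(lineno, name, ref, "SHA pin has no version comment"))
        elif resolve is not None:
            expected = resolve(name, comment)
            if expected is None:
                findings.append(Finding(lineno, name, ref, f"tag {comment} not found upstream"))
            elif expected != ref:
                findings.append(Finding(lineno, name, ref, f"SHA does not match tag {comment}"))
    return findings


def resolve_with_git(name: str, tag: str) -> Optional[str]:
    """Resolve a tag to its commit with `git ls-remote` (network required).

    An annotated tag points at a tag object; the peeled `tag^{}` entry is the
    commit that `uses:` must pin, so ask for both patterns and prefer the peeled one.
    """
    owner, repo = name.split("/")[:2]
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{owner}/{repo}.git", tag, f"{tag}^{{}}"],
        capture_output=True, text=True, check=True,
    ).stdout
    found = {}
    for row in out.splitlines():
        sha, _, refname = row.partition("\t")
        found[refname] = sha
    return found.get(f"refs/tags/{tag}^{{}}") or found.get(f"refs/tags/{tag}")


# Constructed sample workflow and tag table: all-zero SHAs and example-org
# actions are fake and say nothing about any real project.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6   # floating tag
      - uses: actions/setup-go@0000000000000000000000000000000000000001 # v6.4.0
      - uses: example-org/lint-action@0000000000000000000000000000000000000002 # v9.2.0
      - uses: example-org/release-action@0000000000000000000000000000000000000003
      - uses: example-org/other-action@0000000000000000000000000000000000000004 # v1.0.0
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
"""

SAMPLE_TAGS = {
    ("actions/setup-go", "v6.4.0"): "0000000000000000000000000000000000000001",
    ("example-org/lint-action", "v9.2.0"): "00000000000000000000000000000000000000ff",  # pin disagrees
    # example-org/other-action has no v1.0.0 tag at all
}


def lint_sample() -> list[Finding]:
    """Run the linter over the constructed workflow with the constructed tag table."""
    return lint(SAMPLE_WORKFLOW, resolve=lambda name, tag: SAMPLE_TAGS.get((name, tag)))


if __name__ == "__main__":
    for f in lint_sample():
        print(f"line {f.line}: {f.action}@{f.ref}: {f.problem}")
```

In CI, call `lint(path.read_text(), resolve_with_git)` over every file under `.github/workflows/`; once the pins are in place, Dependabot or Renovate can keep both the SHA and the version comment updated.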
actions/setup-go v6 changed the default GOTOOLCHAIN from 'auto' to 'local', which prevents Go from auto-downloading a newer toolchain when a dependency (bento) requires it. Restore the v5 behavior for this job. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The step-level env only applies to the setup-go step itself, not to subsequent steps that run go commands. Moving it to job level ensures all steps in the bento-integration job can auto-download newer Go toolchains when dependencies require them. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
setup-go v6 exports GOTOOLCHAIN=local, overriding job-level env. Set it directly on the step that needs to auto-download Go 1.25 for the bento dependency. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
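The GOTOOLCHAIN placement that the three commit messages above arrive at, shown as an added configuration example that is not the PR's actual workflow: the job name, `go-version-file` input, placeholder SHAs and test command are hypothetical. The job-level value is shown only to document why it is not enough.

```yaml
# Added example, not the PR's workflow. Per the commit messages, actions/setup-go@v6
# exports GOTOOLCHAIN=local for the steps after it, which overrides a job-level env;
# a step-level env on the step that runs `go` is what takes effect.
jobs:
  bento-integration:
    runs-on: ubuntu-latest
    env:
      GOTOOLCHAIN: auto          # not enough: overridden for later steps by setup-go's export
    steps:
      - uses: actions/checkout@<full-commit-sha>   # v6.0.2
      - uses: actions/setup-go@<full-commit-sha>   # v6.4.0
        with:
          go-version-file: go.mod
      - name: Integration tests
        env:
          GOTOOLCHAIN: auto      # step-level env wins; go may fetch the newer toolchain the dependency requires
        run: go test ./...
```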
Summary
🤖 Generated with Claude Code