
Conversation


@dependabot dependabot bot commented on behalf of github Dec 15, 2025

Bumps actions/setup-go from 5 to 6.

Release notes

Sourced from actions/setup-go's releases.

v6.0.0

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-go@v5...v6.0.0

v5.5.0

What's Changed

Bug fixes:

Dependency updates:

New Contributors

Full Changelog: actions/setup-go@v5...v5.5.0

v5.4.0

What's Changed

Dependency updates:

... (truncated)

Commits
  • 4dc6199 Bump semver and @types/semver (#652)
  • f3787be Add comprehensive breaking changes documentation for v6 (#674)
  • 3a0c2c8 Bump actions/publish-action from 0.3.0 to 0.4.0 (#641)
  • faf5242 Add support for .tool-versions file in setup-go, update workflow (#673)
  • 7bc60db Fall back to downloading from go.dev/dl instead of storage.googleapis.com/gol...
  • c0137ca Bump eslint-config-prettier from 10.0.1 to 10.1.8 and document breaking chang...
  • 4469467 Bump actions/checkout from 4 to 5 (#631)
  • e093d1e Node 24 upgrade (#624)
  • 1d76b95 Improve toolchain handling (#460)
  • e75c3e8 Bump form-data to bring in fix for critical vulnerability (#618)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 15, 2025

claude bot commented Dec 17, 2025

PR Review: actions/setup-go v5 → v6 Upgrade

Summary

This Dependabot PR upgrades actions/setup-go from v5 to v6 across all three GitHub Actions workflows. Overall, this is a low-risk, recommended upgrade with important breaking changes to be aware of.


✅ Positive Aspects

  1. Security Improvements: Includes critical vulnerability fixes in dependencies (notably form-data)
  2. Improved Toolchain Handling: Better reliability and consistency in Go version selection
  3. Modern Runtime: Upgrades from Node 20 to Node 24
  4. Consistent Application: All three workflows updated uniformly

⚠️ Critical Breaking Changes & Compatibility Requirements

Runner Version Requirement

  • Required: GitHub Actions runner v2.327.1 or later
  • Risk: Workflows will fail on older runners
  • Recommendation: Verify your runner versions before merging. For GitHub-hosted runners, this should not be an issue. For self-hosted runners, check with:
    # On self-hosted runner
    ./bin/Runner.Listener --version

Toolchain Handling Changes

The v6 release includes breaking changes to toolchain handling that may affect behavior:

  • More strict and consistent Go version selection
  • Changes to how go.mod toolchain directives are processed
  • Potential impact on builds that relied on previous version resolution behavior

🔍 Code Quality Assessment

Changes Made:

  • .github/workflows/pull-request.yml: 2 instances updated
  • .github/workflows/release-dev.yaml: 2 instances updated
  • .github/workflows/release.yml: 2 instances updated

Quality: ✅ Clean, mechanical version bump with no code logic changes


🧪 Testing Considerations

Pre-Merge Verification Checklist:

  1. CI Passes: Ensure all workflow checks pass (build, test, linting)
  2. Go Version Consistency: Verify Go 1.23.x still installs correctly
  3. Self-Hosted Runners (if applicable): Confirm runner version ≥ v2.327.1
  4. Build Artifacts: Check that goreleaser builds complete successfully in release workflow

Post-Merge Monitoring:

  • Watch the first production release after merge
  • Verify multi-platform builds (Linux, Windows: amd64, 386, arm, arm64) still work
  • Confirm Docker image builds to Docker Hub and GHCR succeed

🔒 Security Assessment

Security Positive: This upgrade includes fixes for critical vulnerabilities

  • form-data vulnerability patched
  • Multiple dependency security updates included

No new security risks identified in this upgrade.


⚡ Performance Considerations

  • Node 24 Runtime: May have slight performance improvements over Node 20
  • Caching Behavior: No changes expected to Go module caching
  • Network Calls: New fallback to go.dev/dl instead of storage.googleapis.com/golang for downloads (more reliable)

📋 Recommendations

Approval Status: ✅ Approve with monitoring

Before Merging:

  1. ✅ Verify all CI checks pass
  2. ⚠️ Confirm runner compatibility (especially if using self-hosted runners)
  3. ✅ Review that Go 1.23.x installation succeeds in test runs

After Merging:

  1. Monitor the next release workflow execution
  2. Watch for any unexpected toolchain selection behavior
  3. Document any observed changes in Go version resolution

📚 Additional Notes

  • Dependabot Quality: Well-formed PR with detailed changelog
  • Rollback Plan: If issues arise, revert is straightforward (change v6 back to v5)
  • Future Maintenance: Consider enabling Dependabot auto-merge for low-risk dependency updates like this

Verdict

LGTM ✅ with the caveat that runner version compatibility should be verified before merge, particularly for any self-hosted runners in use.

The upgrade brings security fixes and improvements that outweigh the minimal risk, provided the runner version requirement is met.
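As an added example, not code from this PR, from Dependabot, or from actions/setup-go, the POSIX shell script below automates two of the pre-merge checks the review above asks for: comparing a self-hosted runner's version string with the 2.327.1 floor stated in the v6.0.0 release notes, and listing which ref each workflow's `actions/setup-go` step uses. The workflow files it writes are constructed samples rather than the repository's real `.github/workflows/` content, and the preference it reports for a full commit SHA over a mutable tag is the example's own hardening suggestion, not something the PR requires.

```shell
#!/bin/sh
# Added example: not code from this PR, from Dependabot, or from actions/setup-go.
# It automates two checks the review above asks for before merging the v6 bump:
#   1. the self-hosted runner version floor (2.327.1, from the v6.0.0 release notes);
#   2. an inventory of every `uses: actions/setup-go@<ref>` in the workflow files.
# The workflow files written by make_samples are constructed samples, not the
# repository's real .github/workflows/ content.
set -u

MIN_RUNNER_VERSION="2.327.1"   # from the v6.0.0 release notes quoted above

# version_ge A B: succeed if dotted version A >= B, comparing up to three numeric
# components; a missing component counts as 0 and a suffix such as "-rc1" is ignored.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        ac=$(printf '%s' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        bc=$(printf '%s' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        ac=${ac:-0}; bc=${bc:-0}
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# runner_ok VERSION: accept the string printed by `./bin/Runner.Listener --version`
# (with or without a leading "v") and check it against the v6 floor.
runner_ok() {
    version_ge "$(printf '%s' "$1" | sed 's/^v//')" "$MIN_RUNNER_VERSION"
}

# setup_go_refs DIR: print "<file> <ref>" for each actions/setup-go step under DIR.
setup_go_refs() {
    grep -rHoE 'uses:[[:space:]]*actions/setup-go@[^[:space:]#]+' "$1" 2>/dev/null \
        | sed -E 's/^([^:]+):uses:[[:space:]]*actions\/setup-go@/\1 /'
}

# count_refs DIR REF: how many setup-go steps point at exactly REF (e.g. v6).
count_refs() {
    setup_go_refs "$1" | awk -v ref="$2" '$2 == ref' | wc -l | tr -d ' '
}

# stale_refs DIR: steps that point neither at v6 nor at a full 40-hex commit SHA.
# A tag such as v6 can be moved upstream, so a commit SHA is the stronger pin;
# this function only reports, it rewrites nothing.
stale_refs() {
    setup_go_refs "$1" \
        | awk '$2 != "v6" && !(length($2) == 40 && $2 ~ /^[0-9a-f]+$/)'
}

# make_samples: write constructed workflow files into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.github/workflows"
    cat > "$dir/.github/workflows/pull-request.yml" <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-go@v6
        with:
          go-version: '1.23.x'
  lint:
    steps:
      - uses: actions/setup-go@v6
EOF
    cat > "$dir/.github/workflows/release.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/setup-go@v5   # constructed: one workflow not yet bumped
EOF
    printf '%s' "$dir"
}

# demo: run both checks against sample runner versions and the sample workflows.
demo() {
    for v in 2.327.1 v2.330.0 2.326.9; do
        if runner_ok "$v"; then
            echo "runner $v: ok"
        else
            echo "runner $v: TOO OLD (need >= $MIN_RUNNER_VERSION)"
        fi
    done
    d=$(make_samples)
    echo "setup-go@v6 steps: $(count_refs "$d" v6)"
    echo "steps needing a look:"; stale_refs "$d"
    rm -rf "$d"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with `sh check-setup-go.sh --demo` to see both checks against the constructed samples; on a real self-hosted runner, pipe the output of `./bin/Runner.Listener --version` into `runner_ok`, and point `setup_go_refs` at the repository root to list the refs the three workflows actually use.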

@todd2982 todd2982 merged commit b6a0191 into main Dec 17, 2025
1 of 10 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/actions/setup-go-6 branch December 17, 2025 06:01