ci: bump the github-actions group with 3 updates #116
Bumps the github-actions group with 3 updates: [actions/setup-go](https://github.com/actions/setup-go), [anchore/sbom-action](https://github.com/anchore/sbom-action) and [securego/gosec](https://github.com/securego/gosec).

Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4b73464...4a36011)

Updates `anchore/sbom-action` from 0.23.1 to 0.24.0
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@57aae52...e22c389)

Updates `securego/gosec` from 2.24.7 to 2.25.0
- [Release notes](https://github.com/securego/gosec/releases)
- [Commits](securego/gosec@bb17e42...223e19b)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: anchore/sbom-action
  dependency-version: 0.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: securego/gosec
  dependency-version: 2.25.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Sensitive Change Detection (shadow mode): This PR modifies control-plane files:
1 issue found across 3 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/release.yml">
<violation number="1" location=".github/workflows/release.yml:44">
P3: Update the inline version comment to match the v6.4.0 commit hash so the pinned action version is accurately documented.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
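The review finding above concerns the `# vX.Y.Z` comment that sits beside a SHA-pinned action reference. The checker below is an added example, not code from this repository's workflows or from any of the bots on this page: it flags `uses:` lines that are not pinned to a full commit SHA and lines whose version comment does not match the SHA the tag resolves to. The SHAs and the tag-to-SHA mapping are constructed placeholders (in practice you would fill the mapping from `git ls-remote --tags`), not the real setup-go commits.

```python
import re

# Matches a step such as:  - uses: actions/setup-go@<40-hex sha> # v6.4.0
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_action_pins(workflow_text, tag_to_sha):
    """Return (line_no, action, problem) findings for every `uses:` line.

    tag_to_sha maps "owner/repo@vX.Y.Z" to the full SHA that tag resolves
    to; in practice you would fill it from `git ls-remote --tags` (assumed).
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action", "ref", "comment")
        if not FULL_SHA_RE.match(ref):
            # A tag or branch can be moved; only a full commit SHA is immutable.
            findings.append((line_no, action, f"not pinned to a full SHA: {ref}"))
        elif comment is None:
            findings.append((line_no, action, "pinned SHA has no version comment"))
        elif tag_to_sha.get(f"{action}@{comment}") != ref:
            # The case flagged in review: the comment names one version while
            # the SHA points at another (or at a tag missing from the mapping).
            findings.append((line_no, action, f"comment {comment} does not match SHA"))
    return findings


# Constructed placeholder SHAs and tag mapping (not the real setup-go commits).
SHA_V630 = "4b73464" + "0" * 33
SHA_V640 = "4a36011" + "0" * 33
KNOWN_TAGS = {"actions/setup-go@v6.3.0": SHA_V630,
              "actions/setup-go@v6.4.0": SHA_V640}

# Constructed workflow fragment: line 3 carries a stale comment, line 4 is correct.
SAMPLE_WORKFLOW = f"""\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-go@{SHA_V640} # v6.3.0
  - uses: actions/setup-go@{SHA_V640} # v6.4.0
"""

if __name__ == "__main__":
    for line_no, action, problem in check_action_pins(SAMPLE_WORKFLOW, KNOWN_TAGS):
        print(f"line {line_no}: {action}: {problem}")
```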
@dependabot rebase

Looks like this PR is already up-to-date with master! If you'd still like to recreate it from scratch, overwriting any edits, you can request
Pull request overview
This PR updates three GitHub Actions used in CI/CD workflows to their latest minor versions. These are dependency maintenance updates that improve tooling capabilities and fix security-related issues without introducing breaking changes.
Changes:
- Update `actions/setup-go` from v6.3.0 to v6.4.0 across four workflow jobs
- Update `securego/gosec` from v2.24.7 to v2.25.0 in the security workflow
- Update `anchore/sbom-action` from v0.23.1 to v0.24.0 in the release workflow
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/test.yml | Updates actions/setup-go to v6.4.0 in four jobs (test, lint, security, race-check) |
| .github/workflows/security.yml | Updates securego/gosec to v2.25.0 for improved security analysis |
| .github/workflows/release.yml | Updates actions/setup-go to v6.4.0 and anchore/sbom-action to v0.24.0 |
Updates `actions/setup-go` from 6.3.0 to 6.4.0

Release notes: sourced from actions/setup-go's releases.

Commits:
- 4a36011 docs: fix Microsoft build of Go link (#734)
- 8f19afc feat: add go-download-base-url input for custom Go distributions (#721)
- 27fdb26 Bump minimatch from 3.1.2 to 3.1.5 (#727)
- def8c39 Rearrange README.md, add advanced-usage.md (#724)

Updates `anchore/sbom-action` from 0.23.1 to 0.24.0

Release notes: sourced from anchore/sbom-action's releases.

Commits:
- e22c389 chore(deps): update Syft to v1.42.3 (#615)
- 36a5fde chore: update to node 24 + deps (#614)
- a0a6512 chore(deps): bump actions/setup-node from 6.2.0 to 6.3.0 (#608)

Updates `securego/gosec` from 2.24.7 to 2.25.0

Release notes: sourced from securego/gosec's releases.

Commits:
- 223e19b chore(deps): bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#1617)
- b23a9e5 fix: allow barry action to access secrets on fork PRs (#1616)
- 355cfa5 fix: reduce G117 false positives for custom marshalers and transformed values...
- 744bfb5 Add barry security scanner as a step in the CI (#1612)
- 4fde15d chore(deps): update all dependencies (#1611)
- dec52c4 fix: prevent taint analysis hang on packages with many CHA call graph edges (...
- a0de8b6 Add some skills for claude code to automate some tasks (#1609)
- c2dfcec Add G701-G706 rule-to-CWE mappings and CWE-117, CWE-918 entries (#1606)
- 8aec3f4 fix: skip SSA analysis on ill-typed packages to prevent panic (#1607)
- 1ced32d Port G120 from SSA-based to taint analysis (fixes #1600, #1603) (#1605)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

Summary by cubic

Update CI workflows to newer minor versions of `actions/setup-go`, `anchore/sbom-action`, and `securego/gosec` to improve reliability and security scans. Also fixes the `actions/setup-go` version comment in the workflows.
- `actions/setup-go`: 6.3.0 → 6.4.0: adds custom download URL support and minor fixes.
- `anchore/sbom-action`: 0.23.1 → 0.24.0: updates to Node 24 and bumps Syft to v1.42.3.
- `securego/gosec`: 2.24.7 → 2.25.0: improved analysis and fewer false positives.

Written for commit a4897de. Summary will update on new commits.