chore: auto-bump golang patch versions #6711
Merged
Description
The following change will help to solve an issue of auto-bump golang patch versions.
Current behaviour
Up to now, auto-bump golang patch versions was using the:
This setting assumes that the go.mod file of Trivy is configured with a partial Go version <major>.<minor>, for instance, go 1.22.
The Problem
It has been observed that if a go.mod file includes a dependency like github.com/aquasecurity/trivy-kubernetes, and that dependency's go.mod file specifies a full Go version <major>.<minor>.<patch> such as go 1.22.0, then the Go version of this dependency will replace the Go version specified in the Trivy go.mod file. Therefore the above actions/setup-go cannot be used with the go-version-file: 'go.mod' param.
Workaround
The workaround will be to use the following go-version param with partial version, which will auto bump patch version without relating to go mod file.
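
A CI guard for the situation described above, as an added example that is not part of this pull request or of Trivy's code: it reads the go directive from go.mod text, flags a change from a partial to a full version, and returns the partial version to pass as the go-version input. The function names and the go.mod samples are constructed for illustration.

```python
import re

# `go` directive of a go.mod file: "go 1.22" (partial) or "go 1.22.0" (full).
# Release candidates and betas such as "go 1.23rc1" also count as full versions.
GO_DIRECTIVE = re.compile(
    r"^go[ \t]+(\d+\.\d+)(\.\d+|(?:rc|beta)\d+)?[ \t]*(?://.*)?$", re.MULTILINE
)


def parse_go_directive(go_mod_text):
    """Return (language_version, suffix); suffix is None for a partial version."""
    match = GO_DIRECTIVE.search(go_mod_text)
    if match is None:
        raise ValueError("go.mod has no go directive")
    return match.group(1), match.group(2)


def is_pinned(go_mod_text):
    """True when the go directive names a full version, so it no longer floats."""
    return parse_go_directive(go_mod_text)[1] is not None


def became_pinned(old_go_mod, new_go_mod):
    """True when a change (e.g. a dependency bump) turned a partial version into a full one."""
    return not is_pinned(old_go_mod) and is_pinned(new_go_mod)


def floating_go_version(go_mod_text):
    """Partial <major>.<minor> version to pass as the go-version input."""
    return parse_go_directive(go_mod_text)[0]


# Constructed go.mod samples (module path and dependency version are placeholders).
BEFORE = """module example.com/app

go 1.22

require github.com/aquasecurity/trivy-kubernetes v0.0.0 // constructed version
"""
AFTER = BEFORE.replace("go 1.22\n", "go 1.22.0\n")

if __name__ == "__main__":
    if became_pinned(BEFORE, AFTER):
        print("go directive is now a full version; use go-version:",
              floating_go_version(AFTER))
```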