Bump Go v1.24.4 to fix CVEs #69
Signed-off-by: Viet Nguyen Duc <[email protected]>
Signed-off-by: Viet Nguyen Duc <[email protected]>
bumped up golang to v1.24.4 for CVE-2025-4673, CVE-2025-0913 and CVE-2025-22874
Signed-off-by: Amar Deep Singh <[email protected]>
Signed-off-by: Viet Nguyen Duc <[email protected]>
Signed-off-by: Viet Nguyen Duc <[email protected]>
Signed-off-by: Viet Nguyen Duc <[email protected]>
Signed-off-by: Viet Nguyen Duc <[email protected]>
Signed-off-by: Viet Nguyen Duc <[email protected]>
@a8m FYI
Signed-off-by: Viet Nguyen Duc <[email protected]>
Signed-off-by: Viet Nguyen Duc <[email protected]>
Signed-off-by: Viet Nguyen Duc <[email protected]>
Can we merge this? @VietND96?
a8m left a comment:
Thanks for the contribution, @VietND96.
Toda Raba! (Hebrew: thank you very much)
Pull request overview
This pull request aims to address security vulnerabilities by bumping the Go version and introduces automated GitHub Actions workflows for creating releases and building binaries across multiple platforms. However, there's a critical mismatch between the PR title (mentioning Go v1.24.4) and the actual changes (updating to nonexistent Go v1.25.5).
Key Changes:
- Go version update in go.mod and test workflow (though to nonexistent versions)
- New create-release.yml workflow for automated tag and release creation
- Enhanced binaries.yml workflow with manual trigger support and improved checkout logic
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| go.mod | Updates Go version from 1.24 to 1.25.5 (version does not exist) |
| .github/workflows/test.yml | Updates test matrix to include Go 1.25 (version does not exist) |
| .github/workflows/create-release.yml | Adds new workflow for creating GitHub releases and tags via manual dispatch |
| .github/workflows/binaries.yml | Enhances binary release workflow with manual trigger support and tag-based checkout |
| README.md | Adds comprehensive documentation for the new release workflows and procedures |
Critical Issues Found:
- The Go versions specified (1.25.5 and 1.25) do not exist as of January 2025. The latest stable versions are in the 1.23.x series.
- Several outdated GitHub Actions are used (actions/checkout@v2, actions/create-release@v1).
| 1. **Tag Creation**: Creates a git tag with the specified version | ||
| 2. **Release Creation**: Creates a GitHub release with optional title/description | ||
| 3. **Binary Building**: Automatically triggers binary builds for all platforms: |
Copilot AI, Dec 10, 2025:
The documentation states "Binary Building: Automatically triggers binary builds for all platforms" but according to the workflow changes, the binaries.yml workflow needs to be manually triggered via workflow_dispatch or automatically triggers only when a release is created/published. The wording suggests it always automatically triggers, which could be misleading. Consider clarifying: "Binary Building: Automatically triggers when a release is created, or can be manually triggered to build binaries for all platforms".
| 3. **Binary Building**: Automatically triggers binary builds for all platforms: | |
| 3. **Binary Building**: Automatically triggers when a release is created, or can be manually triggered to build binaries for all platforms: |
| id: create_release | ||
| uses: actions/create-release@v1 | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| with: | ||
| tag_name: ${{ inputs.tag_name }} | ||
| release_name: ${{ inputs.release_title || inputs.tag_name }} | ||
| body: ${{ inputs.release_body }} | ||
| draft: false | ||
| prerelease: false |
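Review bot: tag_name goes from the workflow_dispatch input straight into create-release with no format check, so a typo such as 1.2.3 instead of v1.2.3 creates a stray tag and, because draft: false and prerelease: false are hard-coded, a public release that binaries.yml will then build from. Add a validation step before this one that rejects anything not in the expected vMAJOR.MINOR.PATCH form and fails if refs/tags/<tag_name> already exists, so a re-run can never re-point a published tag.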
Copilot AI, Dec 10, 2025:
The actions/create-release@v1 action is deprecated and unmaintained. GitHub recommends using the GitHub CLI (gh release create) or the REST API instead. Consider replacing this with:
- name: Create Release
  run: |
    gh release create "${{ inputs.tag_name }}" \
      --title "${{ inputs.release_title || inputs.tag_name }}" \
      --notes "${{ inputs.release_body }}" \
      ${draft:+--draft} \
      ${prerelease:+--prerelease}
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  continue-on-error: true
| id: create_release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ inputs.tag_name }} | |
| release_name: ${{ inputs.release_title || inputs.tag_name }} | |
| body: ${{ inputs.release_body }} | |
| draft: false | |
| prerelease: false | |
| run: | | |
| gh release create "${{ inputs.tag_name }}" \ | |
| --title "${{ inputs.release_title || inputs.tag_name }}" \ | |
| --notes "${{ inputs.release_body }}" \ | |
| --draft=false \ | |
| --prerelease=false | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
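Review bot: the suggested replacement expands ${{ inputs.tag_name }}, ${{ inputs.release_title }} and ${{ inputs.release_body }} directly inside the run: script, and the runner substitutes those values into the script text before bash parses it, so a release body that closes the double quote and continues with ; runs whatever follows it with the job's GITHUB_TOKEN. Pass each input through env: (for example BODY: ${{ inputs.release_body }}) and reference "$BODY" in the script instead, which is the form GitHub's own script-injection guidance recommends. Only someone who can dispatch the workflow can supply these values, so this is a hardening point rather than an unauthenticated hole, but the fix costs nothing.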
| name: release linux/amd64 | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v2 |
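Review bot: beyond the v2-to-v4 bump Copilot asks for, actions/checkout@v2 references a mutable tag, so each run resolves it afresh and a moved or compromised tag changes the code this release job executes. Pin every uses: in this file to a full commit SHA with the version in a trailing comment (actions/checkout@<sha> # v4), so the release build is reproducible and a bump of the action is an explicit, reviewable change.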
Copilot AI, Dec 10, 2025:
Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12). This applies to all checkout actions in this file.
| name: release linux/arm64 | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v2 |
Copilot AI, Dec 10, 2025:
Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12).
| name: release darwin/amd64 | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v2 |
Copilot AI, Dec 10, 2025:
Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12).
| name: release darwin/arm64 | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v2 |
Copilot AI, Dec 10, 2025:
Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12).
| name: release windows | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v2 |
Copilot AI, Dec 10, 2025:
Using actions/checkout@v2 is outdated. Consider upgrading to actions/checkout@v4 for better performance, security updates, and Node.js 20 support (v2 uses the deprecated Node.js 12).
| permissions: | ||
| contents: write | ||
| packages: write |
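Review bot: if this permissions: block sits at the top level of the workflow rather than under the release job, contents: write is granted to every job in the file, including any future job that only needs to read the checkout. Move it under the job that creates the tag and release and leave the workflow default (or contents: read) for the rest.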
Copilot AI, Dec 10, 2025:
The packages: write permission is not needed for this workflow. It's only used for publishing packages to GitHub Packages. This workflow only creates releases and tags, which only requires contents: write. Consider removing this unnecessary permission to follow the principle of least privilege.
| packages: write |
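Putting the create-release suggestion and the permissions comment above together, here is an added example of a hardened workflow_dispatch release job. It is not the PR's or the envsubst project's workflow: the input names tag_name, release_title and release_body are the ones visible in the hunks above, while the separate validation step, the vMAJOR.MINOR.PATCH check and the use of actions/checkout@v4 instead of a commit SHA are choices made for this example.

```yaml
# Added example (not the envsubst project's workflow): a workflow_dispatch release
# job that keeps dispatch input out of the shell command line, validates the tag
# before creating anything, and asks for only the permission it needs.
name: create-release

on:
  workflow_dispatch:
    inputs:
      tag_name:
        description: "Tag to create, e.g. v1.4.3"
        required: true
      release_title:
        description: "Release title (defaults to the tag)"
        required: false
      release_body:
        description: "Release notes"
        required: false

jobs:
  release:
    runs-on: ubuntu-latest
    # Least privilege: creating a tag and a release needs contents: write only,
    # and granting it at job level keeps it away from any other job in the file.
    permissions:
      contents: write
    steps:
      # In a real workflow pin this to a full commit SHA; v4 is used here so the
      # example does not carry a hash that goes stale.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # tags are needed for the existence check below

      - name: Validate tag name
        # The input reaches the shell only as an environment variable, never spliced
        # into the script text, so it cannot change what the script does.
        env:
          TAG: ${{ inputs.tag_name }}
        run: |
          set -euo pipefail
          # Assumed convention for this example: vMAJOR.MINOR.PATCH
          if ! printf '%s\n' "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "refusing to create tag '$TAG': expected vMAJOR.MINOR.PATCH" >&2
            exit 1
          fi
          # Never reuse an existing tag: that would silently re-point a release
          if git rev-parse -q --verify "refs/tags/$TAG" >/dev/null; then
            echo "tag $TAG already exists" >&2
            exit 1
          fi

      - name: Create release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ inputs.tag_name }}
          TITLE: ${{ inputs.release_title || inputs.tag_name }}
          BODY: ${{ inputs.release_body }}
        run: |
          set -euo pipefail
          # Build the argument list in bash so an empty body is simply omitted and a
          # body such as  "; curl attacker; echo "  stays one quoted argument.
          args=(--title "$TITLE")
          if [ -n "$BODY" ]; then
            args+=(--notes "$BODY")
          fi
          # gh creates the tag on the default branch when it does not exist yet;
          # pass --target to point it at a different branch or commit.
          gh release create "$TAG" "${args[@]}"
```

The validation step runs before anything is written, so a bad input fails the run with no tag or release left behind. The env: indirection is the pattern to carry into the binaries.yml steps as well if they ever consume dispatch inputs.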
@a8m, it is good to go. Since this is used in my fork to deploy a few recent releases https://github.com/NDViet/envsubst/releases
Checkout result: https://github.com/NDViet/envsubst/actions/runs/16096050069
Checkout result: https://github.com/NDViet/envsubst/actions/runs/16096060363