From 7dd375fc5404c2d0eb0385bf1a5895c70742450c Mon Sep 17 00:00:00 2001 From: Davanum Srinivas Date: Thu, 7 May 2026 11:36:23 -0400 Subject: [PATCH] .github/workflows/test.yml: pin actions to commit SHAs and bump apidiff Go version The repo's CI policy now rejects unpinned GitHub Actions: any uses clause referring to a tag (vN) instead of a full-length commit SHA fails Set up job with "are not allowed in kubernetes/utils because all actions must be pinned to a full-length commit SHA." Pins all references to current major-version commits and standardizes the action versions across jobs: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6 Also bumps the apidiff job's Go version from 1.23.x to 1.25.x. The job installs golang.org/x/exp/cmd/apidiff@latest, which now requires Go 1.25.0 to build: golang.org/x/exp/cmd/apidiff@latest: golang.org/x/exp@v0.0.0-... requires go >= 1.25.0 (running go 1.23.12; GOTOOLCHAIN=local) The Go version used to build the apidiff tool is independent of the module's go directive, so 1.25.x for that one job is safe. Signed-off-by: Davanum Srinivas --- .github/workflows/test.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ccabc7e2..c72e88ea 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,11 +9,11 @@ jobs: runs-on: ${{ matrix.platform }} steps: - name: Install Go - uses: actions/setup-go@v3 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: ${{ matrix.go-version }} - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Build run: | go build ./... @@ -29,11 +29,11 @@ jobs: runs-on: ${{ matrix.platform }} steps: - name: Install Go - uses: actions/setup-go@v3 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: ${{ matrix.go-version }} - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Test run: | make test @@ -45,11 +45,11 @@ jobs: runs-on: ${{ matrix.platform }} steps: - name: Install Go - uses: actions/setup-go@v3 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: ${{ matrix.go-version }} - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Verify go directive run: | make verify-go-directive @@ -57,13 +57,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: go-version: v1.23 - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6 with: version: v1.60.1 args: --disable-all -v -E govet -E misspell -E gofmt -E ineffassign -E revive @@ -72,20 +72,20 @@ jobs: if: github.base_ref steps: - name: Install Go - uses: actions/setup-go@v3 + uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: - go-version: 1.23.x + go-version: 1.25.x - name: Add GOBIN to PATH run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH - name: Install dependencies run: go install golang.org/x/exp/cmd/apidiff@latest - name: Checkout old code - uses: actions/checkout@v2 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: ref: ${{ github.base_ref }} path: "old" - name: Checkout new code - uses: actions/checkout@v2 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: path: "new" - name: APIDiff