Closed saurori closed 2 days ago
The version is already bumped in the CI scripts to 1.22.5. This will be fixed with the next release, when a new docker image is released with an updated Go version.
In the meantime, you can build a new docker image from master.
@ccojocar please release a new patch for the gosec docker image; using action.yaml from master still gives the hardcoded image.
perhaps master should use the latest image and the tagged versions will reference the specific versions
but for now please just release a patch so to unclog CIs around the world :)
I'll release a new version soon. Usually we keep a 3-month cadence.
perhaps master should use latest image and the tagged versions will reference the specific versions
The latest tag always points to the last released version. There isn't a continuous build of the latest image from master. We try to keep the version of the action in sync with the version of the image, which is why it is hardcoded. I didn't find an automatic way to do this. Happy to have some suggestions on how this could be automated.
but for now please just release a patch so to unclog CIs around the world :)
This sounds like a happy end for these CIs. In this case, they should consider sponsoring the project if it is so critical for them ;-).
I would suggest releasing patch / hotfix versions (e.g. 2.20.1) for security issues in either Go versions or versions of dependencies. Those releases should only contain version updates, separate from any feature releases. Then you can stick to a 3-month release cadence without falling behind on security issues.
@ccojocar Any update on this? We're now on to go1.23 and it's causing issues across even more repos. Can we please at least get a hotfix release with just Go version updates if other features/fixes aren't ready to release?
Summary
I'm running into a version mismatch when running gosec in Github Actions. I have a dependency ariga.io/atlas v0.25.0 which is forcing my go.mod file to specify the Go version as go 1.22.5. It appears the Docker image securego/gosec:2.20.0 was built with go 1.22.3. This results in my CI action failing with errors such as:
I'm not sure if there is a workaround or if a new Docker image could be built with the latest Go version.
Steps to reproduce the behavior
Use Github Action (setup-go may not be needed):
gosec version: 2.20.0
Go version (output of 'go version'): go version go1.22.5 linux/amd64
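As an added example (not code from this issue thread or from the gosec project), here is a small Go pre-flight check for the failure mode reported above: it reads the go directive from go.mod, parses the output of go version from the toolchain inside the scanner image, and fails early with a clear message when that toolchain is older than the module requires. The function names and the sample go.mod content are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var goDirective = regexp.MustCompile(`(?m)^go[ \t]+(\S+)`)   // the "go 1.22.5" line of go.mod
var goVersionOut = regexp.MustCompile(`^go version go(\S+)`) // "go version go1.22.3 linux/amd64"

// part returns element i of p as an int; a missing or non-numeric part counts as 0.
func part(p []string, i int) int {
	if i < len(p) {
		n, _ := strconv.Atoi(p[i])
		return n
	}
	return 0
}
// OlderThan reports whether dotted version a is lower than b ("1.22" equals "1.22.0").
func OlderThan(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		if x, y := part(pa, i), part(pb, i); x != y {
			return x < y
		}
	}
	return false
}

// CheckToolchain fails when the toolchain reported by `go version` is older than go.mod requires.
func CheckToolchain(gomod, goVersion string) error {
	need := goDirective.FindStringSubmatch(gomod)
	have := goVersionOut.FindStringSubmatch(goVersion)
	if need == nil || have == nil {
		return fmt.Errorf("could not find a Go version in go.mod or in the go version output")
	}
	if OlderThan(have[1], need[1]) {
		return fmt.Errorf("go.mod requires go %s but the toolchain is go%s", need[1], have[1])
	}
	return nil
}

func main() {
	// Constructed inputs using the two versions reported in this issue (1.22.5 vs 1.22.3).
	if err := CheckToolchain("module example.com/app\n\ngo 1.22.5\n", "go version go1.22.3 linux/amd64"); err != nil {
		fmt.Println("mismatch:", err)
	}
}
```

In a workflow the go.mod text and the go version output would come from the checkout and from running go version inside the gosec container, so the mismatch is reported before the scan runs.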