@SVilgelm SVilgelm commented Sep 8, 2025

Update GitHub Actions workflows to use action SHAs for actions/checkout and actions/setup-go, for reproducible runner
behavior. Replace direct golangci-lint action usage with explicit linter
commands that run via the project's tools module. Change test reporting
and lint invocations to use go tool -modfile=".github/tools/go.mod" so
they use pinned tool dependencies.

Add .github/tools/go.mod to pin CI tool dependencies (golangci-lint,
go-junit-report, and many lint rules/plugins) and add dependabot config
to keep the tools module up to date weekly. Rename the GolangCI-Lint job
to Lint and split its steps into a config verification and an explicit
run step.

These changes improve CI stability, reproducibility, and dependency
management for tooling.

@Copilot Copilot AI review requested due to automatic review settings September 8, 2025 14:07

@SVilgelm SVilgelm changed the title from "build(ci): actions by commit and run tools" to "chore(ci): pin actions and add tools module for CI" Sep 8, 2025
@SVilgelm SVilgelm force-pushed the ci-fix-use-immutable-actions branch from 5db6691 to a927221 Compare September 8, 2025 14:10
@SVilgelm SVilgelm requested a review from Copilot September 8, 2025 14:14
@Copilot Copilot AI left a comment

Pull Request Overview

This PR improves CI stability and reproducibility by pinning GitHub Actions to specific SHAs and consolidating tool dependencies into a dedicated module. The changes replace version-based action references with immutable SHA references and introduce a tools module to manage CI tool dependencies like golangci-lint and go-junit-report.

  • Pin GitHub Actions (checkout, setup-go) to specific commit SHAs for reproducible builds
  • Add .github/tools/go.mod module to manage CI tool dependencies with pinned versions
  • Replace direct tool installations with go tool -modfile commands for consistent tooling

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/release.yaml | Pin actions/checkout and actions/setup-go to commit SHAs |
| .github/workflows/checks.yaml | Pin actions, replace golangci-lint action with explicit commands, use tools module |
| .github/tools/go.mod | New tools module defining CI dependencies for golangci-lint and go-junit-report |
| .github/dependabot.yml | Add dependabot config for tools module with weekly updates |


@SVilgelm SVilgelm merged commit cb1f5f2 into main Sep 8, 2025
8 checks passed
@SVilgelm SVilgelm deleted the ci-fix-use-immutable-actions branch September 8, 2025 14:15