.github: pin actions/setup-go usage to latest 5.x (#13553)

Pin actions/checkout usage to latest 5.x. These were previously pointing to `@4` which pulls in the latest v4 as they are released, with the potential to break our workflows if a breaking change or malicious version on the `@4` stream is ever pushed. Changing this to a pinned version also means that dependabot will keep this in the pinend version format (e.g., referencing a SHA) when it opens a PR to bump the dependency. The breaking change between v4 and v5 is that v5 requires Node 20 which should be a non-issue where it is used. Updates #cleanup Signed-off-by: Mario Minardi <mario@tailscale.com>
2 months ago · 2c1bbfb902
parent 07991dec83
commit 2c1bbfb902
3 changed files with 3 additions and 3 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -49,7 +49,7 @@ jobs:
    # Install a more recent Go that understands modern go.mod content.
    - name: Install Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version-file: go.mod
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -25,7 +25,7 @@ jobs:
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version-file: go.mod
          cache: false
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -153,7 +153,7 @@ jobs:
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Install Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      with:
        go-version-file: go.mod
        cache: false