docs: record gosec toolchain fix
This commit is contained in:
Micheal Wilkinson
@@ -39,6 +39,7 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
|
|||||||
- Fixed docs-only detection in `decorate-pr` changelog gate: file list was iterated in a piped subshell so `docs_only` never propagated to the parent scope; replaced pipe with process substitution.
|
- Fixed docs-only detection in `decorate-pr` changelog gate: file list was iterated in a piped subshell so `docs_only` never propagated to the parent scope; replaced pipe with process substitution.
|
||||||
- Pinned `securego/gosec` and `golang/govulncheck-action` to concrete version tags (`v2.22.4` and `v1.0.4`) so self-hosted Gitea runners can resolve them via direct git clone without relying on the GitHub Actions floating-tag API.
|
- Pinned `securego/gosec` and `golang/govulncheck-action` to concrete version tags (`v2.22.4` and `v1.0.4`) so self-hosted Gitea runners can resolve them via direct git clone without relying on the GitHub Actions floating-tag API.
|
||||||
- Added `GOTOOLCHAIN: auto` environment variable to `gosec` and `govulncheck-action` steps in `push-validation` and `prepare-release` workflows to prevent Go toolchain version mismatches inside the act runner container.
|
- Added `GOTOOLCHAIN: auto` environment variable to `gosec` and `govulncheck-action` steps in `push-validation` and `prepare-release` workflows to prevent Go toolchain version mismatches inside the act runner container.
|
||||||
|
- Replaced `securego/gosec` composite action with a direct `go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4 && gosec ./...` run step so gosec uses the Go 1.26 toolchain installed by `setup-go` rather than the action's bundled Go 1.24 binary which ignores `GOTOOLCHAIN=auto`.
|
||||||
|
|
||||||
## [1.0.2] - 2026-03-21
|
## [1.0.2] - 2026-03-21
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user