
fix(ci): unblock checks + patch dep CVEs#19

Merged
yshengliao merged 1 commit into main from claude/lucid-fermat-abeb8d
Apr 21, 2026

Conversation

@yshengliao
Owner

Summary

Follow-up to #18. The CI check on that PR failed for two independent reasons, both addressed here.

1. CI — inline checkout + Go install

The repo's Actions policy (Settings → Actions → Allow actions) only permits actions owned by yshengliao, so actions/checkout@v4 and actions/setup-go@v5 are rejected:

The actions actions/checkout@v4 and actions/setup-go@v5 are not allowed …
because all actions must be from a repository owned by yshengliao.

Rewritten .github/workflows/ci.yml with no third-party actions:

  • Go 1.25.0 installed via curl https://go.dev/dl/go1.25.0.linux-amd64.tar.gz.
  • Repo checked out with git init + git fetch --depth=1 $GITHUB_SHA + git checkout FETCH_HEAD (works for both push and pull_request events because GITHUB_SHA resolves to the merge/head commit).
  • Same downstream steps: go mod download/verify/tidy -diff, go vet ./..., go test ./... -race -count=1.

The long-term cleaner fix is to whitelist GitHub's first-party actions in repo settings; this commit unblocks CI without requiring the settings change.

2. Dependencies — patch 4 Dependabot CVEs

Pre-existing alerts on main, not introduced by #18:

| Package | From | To | CVE |
| --- | --- | --- | --- |
| go.opentelemetry.io/otel/sdk | 1.37.0 | 1.43.0 | PATH hijack via BSD kenv (2× high) |
| golang.org/x/crypto | 0.40.0 | 0.50.0 | SSH unbounded memory + agent panic (2× moderate) |
| go.opentelemetry.io/otel{,/trace,/metric} | 1.37.0 | 1.43.0 | consistency with sdk |
| transitive | | latest | go mod tidy pulled in xxhash/v2, sync 0.20, sys 0.43, net 0.52, etc. |

go.mod's go directive bumps 1.24 → 1.25.0 because go.opentelemetry.io/otel/sdk@v1.43.0 requires it. The CI workflow installs Go 1.25.0 to match.

Reviewer notes

  • No API or behaviour changes — only toolchain and dependency versions.
  • stretchr/testify 1.10.0 → 1.11.1 and otel/auto/sdk 1.1.0 → 1.2.1 were pulled in by go mod tidy as minimum-version-selection side effects; harmless.
  • The only source change is .github/workflows/ci.yml; go.mod / go.sum are mechanical.

Test plan

  • go build ./...
  • go vet ./...
  • go test ./... -race -count=1 — all 20 packages green on Go 1.25.0
  • CI green on PR (the whole point)

🤖 Generated with Claude Code

Two unrelated-but-blocking issues surfaced by the initial CI run:

1. Repo Actions policy allows only yshengliao-owned actions, so
   actions/checkout@v4 and actions/setup-go@v5 were rejected. Replace
   them with plain shell: curl the Go 1.25.0 tarball from go.dev and
   `git fetch --depth=1 $GITHUB_SHA` instead of actions/checkout.

2. Four Dependabot alerts on go.mod (not introduced by this PR):
   - go.opentelemetry.io/otel/sdk PATH hijack via BSD kenv (2× high)
   - golang.org/x/crypto/ssh unbounded memory + agent panic (2× moderate)

   Bumped:
   - go.opentelemetry.io/otel{,sdk,trace,metric}  1.37.0 → 1.43.0
   - golang.org/x/crypto                          0.40.0 → 0.50.0
   - go.mod's `go` directive                      1.24   → 1.25.0 (required
     by the new otel/sdk release)
   - Transitive bumps pulled in by `go mod tidy`

Verified: go build, go vet, go test ./... -race -count=1 — all 20
packages green on 1.25.0.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
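The CI change above fetches the Go tarball with curl and extracts it as-is. The following is an added example, not the project's own ci.yml, showing the same inline install gated on a pinned SHA-256 so a tampered or truncated download never becomes the CI toolchain; GO_VERSION, GO_SHA256 and the function names are assumptions, and GO_SHA256 must be copied from the checksum go.dev publishes for that exact file.

```shell
#!/usr/bin/env bash
# Added example (not the project's ci.yml): install a Go toolchain tarball
# only after its SHA-256 matches a value pinned in the workflow.
# GO_VERSION and GO_SHA256 are assumed placeholders; copy GO_SHA256 from
# the checksum shown on https://go.dev/dl/ for the exact tarball.
set -eu

GO_VERSION="${GO_VERSION:-1.25.0}"
GO_SHA256="${GO_SHA256:-<pinned sha256 from go.dev/dl>}"

# Return 0 if FILE hashes to EXPECTED (hex SHA-256), 1 otherwise, so the
# job fails before anything from an unverified download is extracted.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | awk '{print $1}')"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: got $actual, want $expected" >&2
    return 1
  fi
}

# Download the tarball for VERSION to DEST and verify it; the file is
# removed on mismatch so a later step cannot pick it up by accident.
fetch_go_tarball() {
  local version="$1" expected="$2" dest="$3"
  curl -fsSL "https://go.dev/dl/go${version}.linux-amd64.tar.gz" -o "$dest"
  verify_sha256 "$dest" "$expected" || { rm -f "$dest"; return 1; }
}

# Replace any existing install under PREFIX with the verified tarball and
# export the bin directory to later steps via GITHUB_PATH.
install_go_tarball() {
  local tarball="$1" prefix="${2:-/usr/local}"
  sudo rm -rf "$prefix/go"
  sudo tar -C "$prefix" -xzf "$tarball"
  echo "$prefix/go/bin" >> "${GITHUB_PATH:-/dev/null}"
}

# Workflow usage: runs only when invoked with "install", so the functions
# can also be sourced on their own.
if [ "${1:-}" = "install" ]; then
  fetch_go_tarball "$GO_VERSION" "$GO_SHA256" /tmp/go.tgz
  install_go_tarball /tmp/go.tgz
fi
```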
Copilot AI review requested due to automatic review settings April 21, 2026 15:02
@yshengliao yshengliao merged commit f16ed23 into main Apr 21, 2026
1 check passed
@yshengliao yshengliao deleted the claude/lucid-fermat-abeb8d branch April 21, 2026 15:04

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Unblocks CI under a restricted GitHub Actions policy and updates Go module dependencies to address existing security alerts by moving to a newer Go toolchain and patched library versions.

Changes:

  • Replace actions/checkout and actions/setup-go with inline git checkout and manual Go 1.25.0 installation in CI.
  • Bump go.mod Go version and upgrade OpenTelemetry + x/crypto (and related) dependencies; refresh go.sum.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| .github/workflows/ci.yml | Removes disallowed third-party actions; installs Go via curl and checks out code via git to restore CI. |
| go.mod | Updates Go version and bumps direct/indirect dependencies to patched versions. |
| go.sum | Synchronizes module checksums with the upgraded dependency graph. |


Comment thread .github/workflows/ci.yml
Comment on lines +20 to +26
run: |
set -euo pipefail
curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -o /tmp/go.tgz
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf /tmp/go.tgz
echo "/usr/local/go/bin" >> "$GITHUB_PATH"
echo "$HOME/go/bin" >> "$GITHUB_PATH"
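Review bot: the tarball is extracted straight into /usr/local with no integrity check between `curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -o /tmp/go.tgz` and `sudo tar -C /usr/local -xzf /tmp/go.tgz`, so a tampered or truncated download would become the CI toolchain; go.dev publishes a SHA-256 for each tarball, so pin it in the workflow alongside GO_VERSION and fail the step with `sha256sum -c` before the `sudo rm -rf /usr/local/go` line.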
Comment thread .github/workflows/ci.yml
Comment on lines +35 to +36
git remote add origin "https://github.com/${GITHUB_REPOSITORY}.git"
git -c protocol.version=2 fetch --depth=1 origin "${GITHUB_SHA}"
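Review bot: the remote is added with an unauthenticated URL (`https://github.com/${GITHUB_REPOSITORY}.git`), which works only while the repository is public; if it is ever made private, this fetch fails where actions/checkout would have used GITHUB_TOKEN, so either pass the token via a `-c http.extraheader=...` config or document the assumption in the workflow. Note also that `fetch --depth=1 origin "${GITHUB_SHA}"` yields exactly one commit with no tags, so any later step that needs history must deepen the fetch.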
Comment thread go.mod
module github.com/yshengliao/gortex

go 1.24
go 1.25.0
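Review bot: `go 1.25.0` now has to stay in lockstep with GO_VERSION in ci.yml; if one is bumped without the other, the default GOTOOLCHAIN=auto will silently download a different toolchain in CI than the one the workflow just installed, so consider a small CI step that compares the go directive with GO_VERSION, or a `toolchain go1.25.0` directive to make the intended version explicit.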
2 participants